From unicorn at schloss.li Mon Apr 1 00:05:38 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 1 Apr 1996 16:05:38 +0800 Subject: Blue Water spooks In-Reply-To: Message-ID: On Sat, 30 Mar 1996, Jonathon Blake wrote: > Alan: > > On Sat, 30 Mar 1996, Alan Horowitz wrote: > > > metaphor} spook services) could do better than the Japanese did in > > sigint'ing against human speakers of Navajoe? > > Have the Chinese turned their thought towards cryptography, > or cryptanalysis yet? If so, I suspect the answer is > yes, If not, then the answer is a definate No. > > The Chinese Intelligence Service traditionally has > not looked outward, preferring to ply its trade domestically. > That said, the earliest extant text on espionage is Chinese. This is not strictly true. The Chinese are widely reputed to have penetrated both Japanese and Russian services quite completely. Their industrial espionage has been far reaching (United States, U.K., Germany) and their political disruptive and fund raising activites have included fully funding arms dealers in California and all over the western United States. In the mid 80s several "former" Chinese intelligence officers appeared in California and opened gun shops. Their prices on Chinese made weapons were so low that compeditors couldn't figure out how it was done. Finally someone did some poking around and found that the Chinese government was literally giving the weapons to the agents, allowing them to keep something like 80% of the profits. Really quite a clever (and typically communist) scheme. "The capitalist pigs will destroy themselves with our guns and pay us for the favor. Muahahah!" 20/20 and Frontline both did pieces on the operation. Bottom line: The Chinese have often extended their intelligence operations beyond their borders, even boldly. > xan > > jonathon > grafolog at netcom.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From perry at piermont.com Mon Apr 1 00:07:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Apr 1996 16:07:08 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <01I2ZZ718SXE001O2D@ALPHA1.RESTON.MCI.NET> Message-ID: <199604010012.TAA20951@jekyll.piermont.com> Randy Catoe writes: > The proof would be in the pudding, would it not? Are their > documented cases of smartcard scavenging? There are documented cases of similar reverse engineering. I don't know of any specific cases of smartcard scavenging but its all essentially the same tools. Whether it is financially worthwhile to do this is another story. .pm From tcmay at got.net Mon Apr 1 00:07:58 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 16:07:58 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks (fwd) Message-ID: At 7:54 PM 3/31/96, Jim Choate wrote: >Forwarded message: > >> > Presumedly the state of the EEPROM cannot be deduced by any >> > external examination of the card, and any attempt to >> > incrementally abrade the card down to the relevent circuit >> > elements should completely obliterate the minute charge >> > differences which represent the data. >> >> They aren't immune to the laws of physics. If it can be put together, >> it can be taken apart. I can even surmise HOW it can be taken apart. > >You wouldn't even have to take it apart. Just subject it to analysis using >SQUID's. Using this technology you would not even have to physicaly touch >the card, let alone remove any parts of it. Well, I worked on SQUIDs (Superconducting quantum-interferometric devices) in 1972-3, and also worked on electron-beam analysis of microprocessors and memory device in 1980-84, and I can assure you that SQUIDs cannot do what you want them to do. I'll be happy to supply additional details if there's sufficient interest. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From roger at coelacanth.com Mon Apr 1 00:12:48 1996 From: roger at coelacanth.com (Roger Williams) Date: Mon, 1 Apr 1996 16:12:48 +0800 Subject: That's MR. SQUID to YOU In-Reply-To: <199603312132.PAA18565@einstein.ssz.com> Message-ID: <9604010311.AA0286@sturgeon.coelacanth.com> >>>>> Jim Choate writes: > Conductus ... > The product under suggestion is called 'Mr. SQUID'... It's cool ;-) Although they haven't got a Web page yet, they've got plenty of press in various places around the net. Or you can always get product info from info at conductus.com (or Scott Sachtjen , if info doesn't work). -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From thecrow at iconn.net Mon Apr 1 00:14:32 1996 From: thecrow at iconn.net (Jack Mott) Date: Mon, 1 Apr 1996 16:14:32 +0800 Subject: cryptanalysis questions Message-ID: <315F4DCA.271C@iconn.net> What are the general methods used for statistical analysis of ciphers? Should I just use conventional stat analysis and look for patterns? Does anyone have any source or programs that do some of these kinds of things? -- thecrow at iconn.net "It can't rain all the time" From tcmay at got.net Mon Apr 1 00:25:32 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 16:25:32 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 8:14 PM 3/31/96, Rev. Ben wrote: >I won't post my opinions upon whom I think is an Agent Provocateur, but >Uni isn't one. For what it's worth, I don't think there's a single agent provacateur on the list. At least not a vocal one (which sort of defeats the point). While I expect there may be a few government types who subscribe just to see what's going on (and I don't mean more active subscribers, such as Brian Davis, even though he's an Assistant District Attorney--he openly admits his role and makes contributions openly), I've seen no evidence that anyone is a provacateur. We're fairly open in our approaches, and are not plotting in secret, so the role of an agent provacateur is not clear. Disruptors, yes. But one man's disruption is another man's lively debate. So what else is new. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jya at pipeline.com Mon Apr 1 00:35:46 1996 From: jya at pipeline.com (John Young) Date: Mon, 1 Apr 1996 16:35:46 +0800 Subject: EMO_ney Message-ID: <199604010321.WAA09278@pipe2.nyc.pipeline.com> 3-30-96 Economist, three related E-money reports: "Trials of digital cash and smart cards seem to be going on everywhere. Who will win the race to control tomorrow's money?" "Digitising dollars." Citicorp's Electronic Monetary System could make all forms of physical money redundant, and, if it wins broad acceptance, could help to solve some of the financial industry's most intractable problems. "The foreign exchange market: illiquid lunch." Diminishing liquidity; settlement risk; impact of electronic brokering. EMO_ney From mpd at netcom.com Mon Apr 1 00:59:52 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Apr 1996 16:59:52 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: Message-ID: <199604010508.VAA03496@netcom13.netcom.com> tcmay at got.net (Timothy C. May) writes: > The surface layers above the active portion of a chip can > be stripped away and chip remains functional. This includes > the outer packaging layers (epoxy, or of course, ceramic > with metal lids) and parts of the so-called "scratch > protection," usually a type of silicate glass. > The active capacitors are not affected by removal of these > layers. True, but removing packaging materials and protective layers is a long way from imaging the charges tunneled to and from the floating gates of EEPROM cells, which is the particular application we are discussing. Also bear in mind that in a real device, the tamper-resistant packaging will be considerably more intractable than conventional semiconductor packaging, and these devices are often designed to automatically erase all data if signs of tampering are detected. > Actually, we did it all the time in my lab at Intel, and I > understand from my former co-workers that the technology has > only gotten better. (This does not mean voltage contrast is > easy. For one thing, modern chips have 3-5 metal layers, due > to spectacular advances in chem-mechanical polishing, and > each metal layer acts as a ground plane shielding the lower > layers from visibility and inspection with electron beams. Yes. This is truely impressive technology which continues to improve with leaps and bounds. SEM/TEM/STEM voltage-contrast techniques are a major tool for failure analysis of semiconductor devices, and AFM instruments can do voltage measurements on running devices down to nanometer and picosecond resolutions. > And EPROM and EEPROM cells are effectively impossible to > analyze, for various reasons.) Correct. Which is one of the reasons why they are currently the favored mode of storage for smart card applications. > This does not mean I think reverse-engineering of smart > cards or satellite boxes is easy. While I don't necessarily disagree with Perry that sufficiently advanced technology can reverse-engineer almost anything (the kind of advanced technology that is indistinguishable from magick), I think there are practical engineering difficulties in doing such things today which are either insurmountable or at the very least a strong indication that there are better ways to approach the problem. > SQUIDs won't do it, either. At the risk of offending Mr. Squid, I must say that SQUIDs were a big disappointment given the initial hype and expended research funds. BTW, I attempted to read all your writings on "Tamper-Resistant Modules" in the list archives, but as fate would have it, hks.net has taken the archives offline for a few days to do some sort of upgrade. I did get this very nice Cyber Wallet thing off their Web Page, however, which uses "DES and Full 768 Bit RSA." Although I must admit I'm not exactly sure what "full" means in this particular context. :) -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From pgut001 at cs.auckland.ac.nz Mon Apr 1 01:24:20 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Mon, 1 Apr 1996 17:24:20 +0800 Subject: New release of SFS available Message-ID: <199604010448.QAA25352@cs26.cs.auckland.ac.nz> I have just uploaded version 1.19 of SFS to the grumbo.uwasa.fi FTP site as: 551004 Apr 01 01:19 grumbo.uwasa.fi:/pc/crypt/sfs119.zip This release contains a number of major improvements over previous versions. The most important is that it follows recommendations on the use of encryption software to be released later today in a joint announcement by the Committee of Ministers of the Council of Europe and the US State Department. To this end the new version of SFS will abandon the use of MDC/SHS in favour of a classified algorithm which the both NSA and GCHQ are confident will protect non- confidential data. Although the exact algorithm details cannot be published due to its classified nature, it can be revealed that it uses prime number cycle wheels, a system still employed today at the highest levels. This algorithm improves on MDC/SHS by using a massive 2048-bit key, which would take billions of years to exhaust via a brute-force search. However in order to satisfy the requirements of various organizations such as the Chinese government (who need to ensure that no nasty outside influences pollute the minds of their citizens) and to allow the originators of the 83.5% of all Usenet traffic which contains porn to be prosecuted (a recent example being the widely publicised move by the Office of the Bavarian Illuminati to force Compuserve to drop all sex-related newsgroups), SFS 1.19 will store 2032 bits of the key in the clear along with the encrypted data. The head of the FBI Louis Freeh has been quoted as saying that "this will provide adequate protection against your little sister or your mother, while allowing law enforcement agencies to investigate people using encryption for illegal purposes". The head of the French DSSI agrees: "There have been too many cases of industrial espionage by foreign government intelligence agencies. For example in 1993 one such agency acquired over $1 billion worth of business for their own countries' companies in this manner. SFS 1.19 will protect against this problem, while allowing us to maintain control over French national security interests". The German government has tentatively approved SFS 1.19 for public use provided that it undergo a few small changes to comply with an updated form of the the Fernmeldeanlagen Ueberwachungs-Verordung (FUeV), which will require that all German users of SFS be connected to a central system to which copies of all keys used, times of encryption and decryption, identities of users, and copies of all encrypted data, be automatically forwarded. The Minister of the Interior Manfred Kanther stated that "this should fulfil the requirements of the German government for monitoring possible criminal use, although I might change my mind about this in a minute or two". Peter. From jf_avon at citenet.net Mon Apr 1 01:25:15 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 1 Apr 1996 17:25:15 +0800 Subject: What backs up digital money? Message-ID: <9604010051.AA13126@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- >Mark Neely - accessnt at ozemail.com.au said: >Well, doesn't this beg the question - the "desire" by people to own them >is not as a result of advertising, but the fact that society has long >fixed them as standard units of "currency". > >If all those centuries ago marble was decided upon as a central >unit of currency, we'd all be killing ourselves to get some, not because >of any aestetic beauty. I do not think so. The common never holds value because value, especially in a crude civilisation, is related to rarity or difficulty to produce and obtain. AFAIK, gold was considered a value in every civilisation. If some did not consider it a value, then, they either ignored it's existence or had so much that it was not a value. Marbles are easy to make in most civilisations. They therefore cannot be used as a value standard. One problem with e-$, as pointed out by many, is that it has to have a *perceivable* value. Backing it by something physical that is already valued might be the best way to launch it. Otherwise, it will have the statute, if not legally, at least in the mind of the average Joe, the same as junks bonds. JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMV7fLMiycyXFit0NAQEGfAf8C3/kwoJ4Fnk7W7UP0P92+TGtgn3HAf/q AJ9V13iZVuX9hI96lP9PPixWryz0olI6D2df6c509peCoND4JUUXj2eBhJ0U/tHz 3Xw2D2oCep0fgm8NC6TzBBobrzcTExM41N5BG8H76SAJk9bz9zoHRx5OH2HVNCvu WyRXA0g2C9N6v0FpmQaQ2C0ose5c/WVQ9Yk/JmMgc0kw0HaT6VVVDfAkz+jTjCbj +0fh3gLREUdkx3pHXQ6ulfrZ4VoSz1qHSXCVKLy5kODieIYAMkZ0k/aYnbxPZRyX oHmk5kIKP9dO5Ao064ViJACi8gAYlwFp7YOSCexpJRDz0b7UMtO9/g== =a251 -----END PGP SIGNATURE----- PGP key at: http://w3.citenet.net/users/jf_avon Jean-Francois Avon ID:C58ADD0D 96/03/01 fingerprint: 52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 Unsollicited commercial e-mail will be proofread at a rate of 165 $ U.S. per hours. Any sender of unsollicited commercial e-mail will be considered as to have accepted the above ment- ionned terms. From hal9001 at panix.com Mon Apr 1 01:25:48 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 1 Apr 1996 17:25:48 +0800 Subject: What backs up digital money? Message-ID: At 15:25 3/28/96, Black Unicorn wrote: >> > At 1:46 PM 3/27/96, Scott Schryvers wrote: >> Between those times the net amount >> of money in bank accounts was reduced, by exactly the amount of >> circulating dcash. > >Ditto uncashed checks. Only Teller's/Cashier's and Traveler's Checks. These represent the conversion of Cash into a promise to pay when the Check is presented. This is the same as dcash. An Uncashed Personal Check (unless it has been certified [which withdraws the money from the account at Certification time]) only represents an unsecured claim on the monies in the account (ie: the Bank has no knowledge of its existence or amount until it is presented for payment/clearance). From jamesd at echeque.com Mon Apr 1 03:45:23 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 1 Apr 1996 19:45:23 +0800 Subject: Question about integrity of Blind Signature Message-ID: <199604010615.WAA05677@mail1.best.com> At 11:51 PM 3/31/96 +0800, Chein-hsinLiu wrote: > Hi! >I have some question about ecash protocol. In ecash protocol, we represent >money by a sequence number which is signed by bank. And for privacy, we >use blind signature. But when we send bank a pesudo sequence number-- >X*PK(r) (X:sequence number we want, r :random number to cheat bank) >then we can get SK(X*PK(r)) from bank, and get money by SK(X*PK(r))/r=SK(X). >But if we divide SK(X*PK(r)) with r', we can get another money? It confuses >me. How does it preserve the integrity of the money, and let people divide >r on the SK(X*PK(r)) ? The sequence number is not a sequence number, nor is it just any random number. It is a random number of some special form, so that the chance that the "other money" will be of this special form is remote. For example one might demand that every second hex digit was the number 7, and the other digits were random. When we divide a valid money number by r, we will not get another valid money number. > It confuses me very long time. Thanks for any help! > Chein-hsin Liu 4/1/96 > > --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Mon Apr 1 03:48:38 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 19:48:38 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: At 7:36 PM 3/31/96, Mike Duvos wrote: >We aren't talking about IC masks here. We are talking about >electrostatic charges which would instantly leak away if the >insulation around them were in the least bit compromised. The surface layers above the active portion of a chip can be stripped away and chip remains functional. This includes the outer packaging layers (epoxy, or of course, ceramic with metal lids) and parts of the so-called "scratch protection," usually a type of silicate glass. The active capacitors are not affected by removal of these layers. >Such data wouldn't even survive the preparation for scanning >microscopy, much less the actual inspection process. Actually, we did it all the time in my lab at Intel, and I understand from my former co-workers that the technology has only gotten better. (This does not mean voltage contrast is easy. For one thing, modern chips have 3-5 metal layers, due to spectacular advances in chem-mechanical polishing, and each metal layer acts as a ground plane shielding the lower layers from visibility and inspection with electron beams. And EPROM and EEPROM cells are effectively impossible to analyze, for various reasons.) This does not mean I think reverse-engineering of smart cards or satellite boxes is easy. SQUIDs won't do it, either. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Mon Apr 1 04:13:49 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 1 Apr 1996 20:13:49 +0800 Subject: Witch Hunts Message-ID: At 04:15 PM 3/31/96 -0500, Bruce Zambini wrote: >On Sun, 31 Mar 1996 JonWienke at aol.com wrote: > >> >My preferred and soon to be permanent e-mail address:unicorn at schloss.li >> >"In fact, had Unicorn not existed, potestas scientiae in usu est >> >Detweiler might not have had to invent him." in nihilum nil posse reverti >> >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information >> >> Unicorn = Detweiler = Agent Provocateur > >Well, I won't say it's impossible. > >However, for those of you who are relatively new to the list, Mr. Unicorn >has been a regular (and useful) contributor to the list. My belief in >this has been unwavering. Excepting, of course, the recent Unicorn/Bell >flamefest, which we all get sucked into occasionally. The fact that you are willing to include the name "Unicorn" in that "flamefest" should hold a clue as to the source of the problem. >My opinion of Mr. Bell on the same issue has varied widely; however, he >has participated (in recent times) in more flamewars on the list than >anyone, including the usual flamers (ie Perry, me, etc.). I do, however, promote one of the most controversial ideas you've probably ever seen discussed on the computer networks. You might well imagine that doing so would tend to attract people who are like moths attracted to a flame. Thus, a "flamewar." Notice that Unicorn tries to flame me on practically every subject he can, which should be another clue as to his motivations. If you've ever had a controversial work published in a mass-media outlet (and the Internet is turning into just such a thing) you'll notice that you'll get unsolicited letters from people, some of whom aren't quite "all there", and people who obviously have their own ax to grind. Often both. (I had a guest editorial published in the Portland Oregonian newspaper about six years ago, so I speak from experience.) Usually that ends quickly; people have short memories and are distracted by newer events. In the computer network area, however, the opportunity for follow-ups is ever-present. That's why I'm not surprised about people like Unicorn. It would probably be excessive to say "he's crazed," but he clearly spends an unusual amount of effort. Check out the CP archives a few days ago; I did an experiment, choosing to not to respond to nearly all of his notes. He kept writing! >It is also interesting to note that Mr. Unicorn talks knowledgably about >several fields; Mr. Bell talks about one field, and there are those who >would dispute his knowledge about it. Quite the contrary: While my degree is in Chemistry, most particularly Organic Chemistry (but also Physical chemistry, solid-state chemistry, and inorganic chemistry), I am rather knowledgeable about physics (including nuclear, high-energy, semiconductor, astrophysics, etc), electronics (analog and digital; I was frequently mistaken for a EE student during my college years), optics, computer hardware, a smattering of computer software, radio (I'm a ham) and a few other fields. This, however, is the "Cypherpunks" area, and with the exception of some bomb-trigger discussions a few weeks ago, much of that knowledge isn't commonly shown in the majority of the discussions here. It's odd, therefore, that you would suggest that I "talk about one field," as if that was somehow my limit. If anything, it shows that I (at least in your eyes) pay more attention to the subject of the list than Unicorn. If you really want to start talking about some of these other fields, I'd be happy to, but I don't think that would improve the specificity of the list. Other people might object, as well. We go on enough tangents as it is. >I have had an e-mail correspondence with Mr. Bell that lasted several >messages. In it, we were both civil and friendly; I post this now not to >take sides in the flamewar, but merely to note that, in my opinion, it is >improbable that Black Unicorn is Detweiller, and that, although I missed >the origin of this thread, it is likely a suggestion from Mr. Bell or one >of his associates, intended to discredit him. This sounds like a conspiracy theory. I don't have any "associates." And I have never posted on any list, echo, USENET group, or bbs under an alias, and I am posting with my real name. I'm listed in the phone directory for Vancouver, Washington, and I've never had an unlisted telephone number. Until Unicorn is willing to identify himself with the same amount of verifiable detail, it is in his direction you should look for conspiracies. >If Mr. Unicorn is indeed Detweiller, it is in the mold of Vlad Z. Nuri, >who (while almost certainly Detweiller) has produced useful contributions >on the list, while refraining from acting out. What, exactly, is your definition of a "useful contribution"? >It is also worth noting that the original Detweiller, in a sense, played >De Sade to Tim May's Rousseau, in that he used an unorthodox, but >effective, critical technique. (This is, in fact, one reading of De >Sade's "pornography" -- an interesting counterexample to what was >trumpeted on _Both_ sides of the recent Firing Line debate: that >pornography or obscenity is, whether or not protected, devoid of any >intellectual content.) Somebody ( I don't recall who) once opined to me that Unicorn behaves toward me somewhat like Detweiler behaved towards Tim May. I probably missed most of that, but I can see the similaries. This doesn't make him Detweiler, but it suggests that his motivations are similar. One last thing: On re-reading your note, I noticed that your writing style is rather... how shall I say... familiar. Care to discuss how you did it? Did you use a program? Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Mon Apr 1 07:41:11 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 1 Apr 1996 23:41:11 +0800 Subject: [NOISE] Nasty-Quibble-Punks Message-ID: At 04:06 PM 3/31/96 -0800, Mike Duvos wrote: >"Perry E. Metzger" writes: >Uh huh. > > > Incidently, EEPROMs don't work by simply charging a > > capacitor or something silly like that. No insulator is > > perfect, no dielectric is perfect, and charge would > > eventually leak away were that the case. However, if it > > were, it would be fairly easy to determine the state of a > > cell without having to get particularly close to it. Beyond > > that, there is this insane notion you seem to have that a > > charged object will lose its charge if the "insulator" is > > "stripped off" -- I wasn't under the impression a vacuum, > > for instance, was a particularly good charge carrier. > >Uh huh. Turns out Perry is wrong about this. I believe that UV EPROMs and probably EEPROMs do indeed work by storing charge on a buried, totally-isolated capacitor. The capacitor is charged with a system called "Fowler-Nordheim tunneling," which involves placing a relatively high voltage on a nearby electrode and causing the thin interface to temporarily conduct. (It's odd. That's why it's called "tunnelling.") The charge, surprisingly enough, is stable for years, in fact decades, and probably (statistically) centuries at room temperature. The reason the charge stays around so long is that the insulator, silicon dioxide, is extremely good. It has to be. If the capacitor were, say, 1 picofarad, and the resistance was 10E18 ohms (a billion gigohms) the resulting time constant would be 1E6 seconds, or about 12 days. Since EPROMs obviously hold data far longer than this (well over 100 times longer, or else our computers wouldn't work!), and since the capacitance is probably not nearly 1 pf, that tells you that the effective resistance is far above 1E20 ohms. UVEPROMS are erased, naturally enough, by exposing them to UV light, which is usually produced by a mercury vapor lamp. This UV causes enough electrons to be excited into upper electron shells in the insulator to temporarily turn it into a slight conductor, and the charge dissipates. I think EEPROMs are erased by, more or less, reversing the voltage on the charging electrode. As for keeping the charge when that insulator is stripped off, that would be a problem. It isn't that a vacuum isn't a good enough insulator; it is, but it would be hard to imagine a technique to strip off an SiO2 insulator that doesn't also allow a substantial amount of charge to flow. You could strip it off with HF (hydrofluoric acid) but that's electrically conductive. Even a gas-phase process would probably result in enough conductive products to discharge the capacitor. Ion-beam milling would also remove SiO2, but as the name implies that's applying a current to the system. Fortunately, all this is moot: Since the floating gate is inherently part of a transistor, it isn't necessary to expose it to detect its charge state: Just activate the transistor in-circuit BTW, some PLD's have a so-called "security bit" which (when set) is designed to prevent reading of the state of the rest of the programmed bits. Years ago it occurred to me that if you knew where this particular bit was stored, you could expose this bit location alone to a UV source through a tiny mask to discharge it. Finding that location wouldn't be all that hard: Just expose the chip with a series of exposures, moving a linear mask slightly, and eventually the security bit will erase. Note the location of the mask, and rotate the mask 90 degrees and repeat the process. At that point, you've located the bit (this may require a few iterations), so you expose the target part through a tiny pinhole (Edmund Scientific sells them in many different sizes, exposing only that security bit location. Jim "Mr. Bell talks about one field" Bell (Let's see, I covered solid, liquid, and vapor phase chemistry, a bit of particle physics (ion-beam milling), semiconductor physics, minor optics, electronics, some trivial math, and maybe even some detective work!) jimbell at pacifier.com From mpd at netcom.com Mon Apr 1 08:20:43 1996 From: mpd at netcom.com (Mike Duvos) Date: Tue, 2 Apr 1996 00:20:43 +0800 Subject: [NOISE] Nasty-Quibble-Punks In-Reply-To: Message-ID: <199604010642.WAA27208@netcom20.netcom.com> jim bell writes: > Turns out Perry is wrong about this. Shhhh. Never say the "w-word" in front of Perry. :) > I believe that UV EPROMs and probably EEPROMs do indeed > work by storing charge on a buried, totally-isolated > capacitor. That is correct. A very thin layer of dielectric material is placed on top of a MOS gate. This "floating gate" can be charged by applying enough voltage for electrons to tunnel through the dielectric and charge the gate, which switches the transistor. In the EPROM, the stored electrons can be given enough energy from exposure to ultraviolet light to tunnel back out which erases the device. Unfortunately, as the geometry shrinks, a longer and longer exposure to the light is required for erasure, which becomes annoyingly long for sub-micron technologies. > The capacitor is charged with a system called > "Fowler-Nordheim tunneling," which involves placing a > relatively high voltage on a nearby electrode and causing > the thin interface to temporarily conduct. Almost. The EEPROM is an advance over the EPROM which permits the device to be erased electrically. Fowler-Nordheim Tunneling is an effect whereby low energy electrons can sneak through the dielectric in the presence of a very high electric field. In the EEPROM, this is used to discharge the floating gates in place of the UV exposure. Programming is still done by applying a voltage high enough to tunnel through the dielectric as in the EPROM. > The charge, surprisingly enough, is stable for years, in > fact decades, and probably (statistically) centuries at room > temperature. I've never done any calculations, but the charge stays around "long enough." The major drawback is that the dielectric is very thin, and degrades after after hundreds of thousands or millions of write cycles to the point where the floating gate can no longer retain a charge. Therefore such devices are limited in the number of write cycles they can undergo before wearing out. > UVEPROMS are erased, naturally enough, by exposing them to > UV light, which is usually produced by a mercury vapor > lamp. This UV causes enough electrons to be excited into > upper electron shells in the insulator to temporarily turn > it into a slight conductor, and the charge dissipates. I > think EEPROMs are erased by, more or less, reversing the > voltage on the charging electrode. It's more of a case of the trapped electrons absorbing a high energy photon and getting enough energy to tunnel through the dielectric, but you have the general idea. EEPROM erasure is as described above. > As for keeping the charge when that insulator is stripped > off, that would be a problem. It isn't that a vacuum isn't > a good enough insulator; it is, but it would be hard to > imagine a technique to strip off an SiO2 insulator that > doesn't also allow a substantial amount of charge to flow. > You could strip it off with HF (hydrofluoric acid) but > that's electrically conductive. Even a gas-phase process > would probably result in enough conductive products to > discharge the capacitor. The charge is minute, the dielectric is thin, and damage to the dielectric would leak the charge. I'm not sure what a secondary electron spectrum from a beam that penetrated the dielectric would disclose about the charge on the gate, but I would tend to think the dielectric would interfere with tunneling or atomic force instruments trying to take such measurements. Again, this is Tim's area of expertise, and he can probably give you the gory details on why the state of such devices is difficult to image. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From jya at pipeline.com Mon Apr 1 10:47:37 1996 From: jya at pipeline.com (John Young) Date: Tue, 2 Apr 1996 02:47:37 +0800 Subject: NYT on CFP Message-ID: <199604011124.GAA17323@pipe4.nyc.pipeline.com> The New York Times, April 1, 1996, p. A14. Pioneers of Cyberspace Move Into Wider Arena By Peter H. Lewis Cambridge, Mass., March 30 -- Cyberspace is dead, many of its electronic pioneers said at a conference here this week. As the Internet population has grown into the millions, what was once a small, self-regulating society of academics and computer wizards has been engulfed by mainstream culture. But in their efforts to preserve the libertarian spirit of the electronic frontier, the original members of the cyberspace community have emerged as a political and social force. "Last year, it was still possible for people to say cyberspace is a different place, subject to different laws and different rules and that there is a Net culture," said Hal Abelson, a professor of computer science and engineering at the Massachusetts Institute of Technology here. "Now you have such a large percentage of the population on the Net, it just is not sensible to talk about this as some other place anymore. What you are really talking about now is the communications fabric of the country." In what was seen as a clear sign of Internet users new power, several members of Congress announced, by telephone and through the Internet, new legislation and initiatives at the gathering here, the annual Computers, Freedom and Privacy Conference. The proposals include the formation of an Internet Caucus in Congress and a Senate blll to relax the Government's laws restricting the transmission of secrets over the global information network. "Washington is coming to thls conference in droves," said Daniel J. Weltzner, deputy dlrector of the Center for Democracy and Technology, one of several public-interest groups that seek to influence Government policy related to cyberspace, "and I think it's very exciting and promising. It's the coming of age of this community." The members of Congress were wooing more than 500 of the Internet's most prominent champions, who had gathered to discuss issues that were once esoteric but are now affecting millions of people worldwide: questions of privacy, electronic copyrights, computer crime, the nature of free speech, digital pornography, electronic cash and grassroots electronic democracy. The Computers, Freedom and Privacy crowd included its usual assortment of computer hackers, academics and self- described crypto-anarchists, and even one man wearing video goggles with an antenna apparently sprouting from his head. But it also included others who wanted to assess the fusion of cyberspace and real space: Federal judges, lawmakers, White House policy experts, corporate executives and law-enforcement agents. Senator Conrad Burns, a Republican from the real frontier state of Montana, chose the conference to announce, by telephone, new legislation that would remove nearly all current Government restrictions on the export of mass-market encryption software, which is used to send secret messages over computer and telephone networks. Senator Burns's legislation would also block the Administration from imposing as a Government standard any form of data encryption that would give law-enforcement agencies the ability to decode messages. The Senator's bill places him squarely at odds with the Clinton Administration and the Justice Department. But Mr. Burns said the use of robust data encryption would foster the rise of electronic commerce, distance education and digital communicatlons, which his large, rural state desperately needs in the 21st century. While the bill might have little chance of passage this year, conference participants were heartened by what appears to be growing support in Congress for a relaxation of the Government's cryptography policy. The proposal drew some opposition. "I think we'll regret it down the road," said Dorothy E. Denning, a professor of computer sciences at Georgetown University and a computer security consultant to the military. Dr. Denning and others have argued that the use of unrestricted encryption would thwart the ability of law-enforcement and intelligence agencies to conduct wiretaps on messages sent by foreign spies, terrorists, child pornographers and other criminals. On Friday, a bipartisan group of wired lawmakers addressed the conference by telephone and Internet to announce the formation of a Congressional Internet Caucus. Fewer than half of all members of Congress are now on line. Representative Rick White, Republican of Washington, said, "The idea behind the Internet Caucus is to do two things: increase members understanding of the Internet and get more members on-line so that people can contact their elected representatives on the Internet." [End] From jamesd at echeque.com Tue Apr 2 07:44:44 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 2 Apr 1996 07:44:44 -0800 (PST) Subject: Chaumian ecash without RSA Message-ID: <199604021544.HAA26145@dns2.noc.best.net> At 08:10 AM 3/31/96 -0800, David Wagner wrote: > The bank picks a secret value k, and publishes g^k. > > To withdraw a coin, Alice picks an x, sets > y = x | hash(x), [ | is concatenation ] > chosen so that y is in G. Alice chooses a random secret blinding factor b, > sends to the bank > A->B: y g^b, > and the bank returns > B->A: (y g^b)^k, > debiting Alice's account. > > Note that this is a (blinded) Diffie-Hellman key exchange with public > exponentials g^k and y g^b; the bank returns the exchanged "secret". > > Alice unblinds this value, computing > z = (y g^b)^k (g^k)^{-b} > and now c = (x,z) is a coin in the digital cash system. Note z = y^k. > > We use the traditional online clearing protocol; to deposit the coin, a > shop S sends > S->B: x, z. > The bank checks to make sure the coin hasn't already been spent, and then > computes > y = x | MD5(x), > checking whether y^k = z. Two irritations with this protocol: 1: A coin is almost twice the size of a coin in the RSA protocol 2: Nobody except the bank can verify that a coin has face validity. The second point is more serious than you might think, as most of us want to see a world where everyone is his own bank and his own credit rating agency, as well as his own publisher. It will obstruct contracts of the form "Anne promises to provide numbers with certain cryptographic properties, provided Bob provides numbers with certain cryptographic properties." With RSA crypto cash, Anne can construct a blinded unsigned coin, and ask Bob to have it signed. For this to be reasonably convenient and practical, we need to have locally verifiable signatures. For computer mediated management of contracts, transactions, and credit ratings, we need contracts such that all intermediate transactions can be reduced to locally verifiable cryptographic protocols. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From danisch at ira.uka.de Mon Apr 1 18:05:03 1996 From: danisch at ira.uka.de (Hadmut Danisch) Date: Tue, 2 Apr 1996 10:05:03 +0800 Subject: gnutar + pgp filter mode Message-ID: <199604011522.RAA09571@elysion.eiss.ira.uka.de> -----BEGIN PGP SIGNED MESSAGE----- The gnu tar archiver allows to use an arbitrary compression program (option --use-compress-program=PROG). This works well with pgp if a small wrapper is used: #!/bin/csh -fb if ("$1" == "-d") then exec pgp -d -f else exec pgp -e -f endif The only problem is that this doesn't work well for larger amounts of data, because pgp reads in all data before starting with its work. Perhaps a future release of pgp will have a real filter mode. Hadmut BTW: Does this "crypto-hook" cause export restrictions to apply on gtar ? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMV/0tmc1jG5vDiNxAQFtAAP/TMuYeYf5q7k1Y8DrBjb6XFKYYFANH3RH FvThWq1BUgI+unH97EZkNkCzZJYT5qmLGk3+JLufCAw/o9YR7jKcldm2LNYJ96t2 BDcSGDF3qx/IUzQBa5NV+gUerNRVSwA3LzkTbXufOxYH0cB3KNcsx3B0bE1rEDa/ GCcJ1L6T+2s= =FMiZ -----END PGP SIGNATURE----- From owner-cypherpunks at toad.com Mon Apr 1 20:05:44 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Tue, 2 Apr 1996 12:05:44 +0800 Subject: Cylink gives away encryption kit Message-ID: <199604011653.KAA18559@foo.garply.com> Cylink to offer free SDK for embedding encryption security By Jessica Davis InfoWorld Electric Posted at 1:21 PM PT, Mar 29, 1996 Lobbing the latest bomb in a patent war over public key/private key encryption technology, Cylink Corp. will offer a Software Developers Kit (SDK) free-of-charge so that software companies can embed security and encryption technologies in their products. Cylink's move to offer Passport Gold for free follows a failed attempt in federal court to stop another company, RSA Data Security Inc., from selling a similar kit allegedly based on Cylink patents. The two companies have been engaged in a public relations feud, as well as a federal court patent dispute and IS mind share war over public key/private key/certificate authority encryption technology. Cylink lost the latest round in federal court in early March. Cylink and RSA both participated in the creation of public key/private key technologies through their partnership, Public Key Partners. PKP was formed in 1990 to establish security standards to license to software vendors. The partnership fell apart over the patent dispute. Cylink's PassportGold modules and APIs allow software developers to enable their applications to access national certificate authority electronic commerce and correspondence services that are planned by the U.S. Postal Service's ECS system and other commercial certificate authority facilities. Cylink expects its revenue stream to come from a series of products, existing and planned, that enhance the speed and effectiveness of such encryption technologies. Cylink has also announced SecureFrame, one of those products that provides a high-speed data encryption and security system for frame relay-based Wide Area Network environments. Working in conjunction with any public or private frame relay network, Secure Frame dynamically encrypts data while authenticating its source and destination, delivering throughput of up to 2.048 Mbps. SecureFrame is priced at $5,995 and will ship in April. Cylink also introduced SecureNode, an SNMP and TCP/IP-based data security hardware and software card for secure end-to-end data transfer and communication. The PC card is available now and provides network independent security management at the desktop level without hitting users with crippled CPU performance by acting as an "encryption and authentication accelerator." SecureNode cards for ISA or for PCI are priced at $595 and $695 respectively. The standalone software product is priced at $199. Sunnyvale, Calif.-based Cylink can be reached at (800) 533-3958 or http://www.cylink.com/. Please direct your comments to InfoWorld Electric News Editor Dana Gardner. Copyright � 1996 InfoWorld Publishing Company From rmartin at aw.sgi.com Mon Apr 1 20:57:47 1996 From: rmartin at aw.sgi.com (Richard Martin) Date: Tue, 2 Apr 1996 12:57:47 +0800 Subject: PICS makes headline in ET Message-ID: <9604011222.ZM11573@glacius.alias.com> -----BEGIN PGP SIGNED MESSAGE----- The electronic Telegraph is an electronic version of the British daily, the Telegraph. I actually went through the bother of filling out their online registration a few months ago. The `headline' of today's edition is an article on PICS, the Platform for Internet Content Selection, boosting it as a method for screening [actually, they use the term `policing'] content on the internet. http://www.telegraph.co.uk/et/access?ac=130174817686&pg=home.html Feel free to use the above url for reading the one article. I'm somewhat undecided on whether i think it would be good idea for several folks to be using my identity to read et--it obfuscates any tracking of my reading habits they may be doing--so i'll just ask folks to not tell me if they do. richard -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWAQpR1gtCYLvIJ1AQGEHwP/dzTNcc1FcWz4ydKMX5MctyWfjBf82ka+ qSZenBZ4tjgCYCbyTDFYG/Hx3c0y5NTpwskTVwzCkZ7RFvVwAFFSsPOGrHSAAA09 b6FiC1Vvct3XJg3mjDlZhImiF04LKI2oPcsHAHmNhOomjK+tdJtN3Wuwhs6fvv90 pW17rnxvZ5o= =IqxK -----END PGP SIGNATURE----- -- Richard Martin [not speaking for a|w] rmartin at aw.sgi.com http://reality.sgi.com/rmartin_aw/ Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] From tcmay at got.net Mon Apr 1 23:18:59 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 2 Apr 1996 15:18:59 +0800 Subject: (fwd) Russians Break RSA? Message-ID: Friends, I just grabbed this of the ClariNet news feed on Netcom...I'm not supposed to forward anything from this service (so don't tell Brad Templeton!), but this appeared to be too important not to pass on as quickly as possible. Apparently those rumors that the Russians, always topnotch mathematicians, had developed public key crypto in the 1950s or early 60s are true--my hero Kolmogorov developed this when he was technical director at Kryptogorodok, the secret city of Soviet cryptographers hidden in the Urals (and first visited by an outsider, Stephen Wolfram, only a couple of years ago). Here's the report on a news conference announcing the cracking of their Kolmogorov system, which is equivalent to our own RSA. I haven't had a chance to talk to John Markoff, who was at the press conference, to get his comments. --Tim > Xref: netcom.com clari.world.europe.eastern:2783 > clari.news.hot.ussr:3792 > clari. > news.trouble:3258 clari.science.crypto > Path: netcom.com!bass!clarinews > Approved: doug at clarinet.com > From: clarinews at clarinet.com (AP) > Newsgroups: > clari.world.europe.eastern,clari.news.hot.ussr,clari.news.trouble,clari.sc > ience.crypto > Distribution: clari.apo > Subject: Russian Mathematicians Announce Breakthrough > Keywords: Europe Cryptography RSA > Copyright: 1996 by The Associated Press, R > Message-ID: > Date: Mon, 1 Apr 96 10:40:19 PST > Expires: Mon, 7 Apr 96 12:40:19 PDT > ACategory: international > Slugword: Russia-Crypto > Priority: regular > ANPA: Wc: 116/0; Id: V0255; Src: ap; Sel: -----; Adate: 03-14-N/A > Codes: APO-1103 > > > MOSCOW (AP) -- At a press conference held minutes ago in a > crowded hall, Russian mathematicians announced that a breakthrough had > been made nearly a decade ago in the arcane branch of mathematics > known as "cryptography," the science of making messages that are > unreadable to others. > Leonid Vladwylski, Director of the prestigious Moscow Academy > of Sciences, called the press conference yesterday, after rumors began > circulating that noted Russian-American reporter John Markoff was in > Russia to interview academicians at the previously secret city of > Soviet cryptographers, Kryptogorodok. The existence of Kryptogorodok, > sister city to Akademogorodok, Magnetogorsk, and to the rocket cities > of Kazhakstan, had been shrouded in secrecy since its establishment in > 1954 by Chief of Secret Police L. Beria. Its first scientific > director, A. Kolmogorov, developed in 1960 what is called in the West > "public key cryptography." The existence of Kryptogorodok was unknown > to the West until 1991, when Stephen Wolfram disclosed its existence. > American cryptographers initially scoffed at the rumors that > the Russians had developed public-key cryptography as early as 1960, > some 15 years prior to the first American discovery. After interviews > last year at Kryptogorodok, noted American cryptographers Professor > D. Denning and D. Bowdark admitted that it did seem to be > confirmed. Professor Denning was quoted at the time saying that she > did not think this meant the Russians could actually break the > Kolmogorov system, known in the West as RSA, because she had spent > more than a full weekend trying to do this and had not > succeeded. "Believe me, RSA is still unbreakable," she said in her > evaluation report. > Russia's top mathematicians set out to break Kolmogorov's new > coding system. This required them to determine that "P = NP" (see > accompanying article). Details are to be published next month in the > journal "Doklady.Krypto," but a few details are emerging. > The Kolmogorov system is broken by computing the prime numbers > which form what is called the modulus. This is done by randomly > guessing the constituent primes and then detonating all of the > stockpiled nuclear weapons in the former Soviet Union for each "wrong > guess." In the Many Worlds Interpretation of quantum mechanics, > invented in 1949 by Lev Landau (and later, independently by Everett > and Wheeler in the U.S.), all possible outcomes of a quantum > experiment are realized. > As Academician Leonid Vladwylski explained, "In all the > universes in which we guessed the wrong factors, we were destroyed > completely. But since we are obviously here, talking to you at this > press conference, in this universe we have an unbroken record of > successfully factoring even the largest of imaginable numbers. Since > we are so optimistic about this method, we say the computation runs in > "Nondeterministic Pollyanna Time." Allow me to demonstrate..." > > [Press Conference will be continued if the experiment is a success.] > > MOSCOW (AP), ITAR-Tass, 1 April 1996 > > > Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From warlord at MIT.EDU Mon Apr 1 23:23:11 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 2 Apr 1996 15:23:11 +0800 Subject: gnutar + pgp filter mode In-Reply-To: <199604011522.RAA09571@elysion.eiss.ira.uka.de> Message-ID: <199604011916.OAA18585@toxicwaste.media.mit.edu> > The only problem is that this doesn't work well for > larger amounts of data, because pgp reads in all > data before starting with its work. > > Perhaps a future release of pgp will have a real filter > mode. The problem is not with PGP but with the PGP message formatsa. With the current message formats you need to know the size of data before you can output the header that precedes it. As a result, whole messages must somehow be buffered before PGP can output them. The fix is to create new, one-pass packets, which will allow PGP to generate messages in a single pass. These new packet formats are still in the design stage and will probably not be supported in PGP 3.0. -derek From talon57 at well.com Mon Apr 1 23:26:20 1996 From: talon57 at well.com (Brian D Williams) Date: Tue, 2 Apr 1996 15:26:20 +0800 Subject: Navajo code-talkers Message-ID: <199604012155.NAA00640@well.com> Tim May comments: >According to an episode of "The X Files," which dealt with Navajo >code-talkers, the answer is that young Navajo men are losing their >fluency in Navajo, especially of the nuances and double entendres >that code-talkers relied upon. (For those who scoff at using a >television show as a source, writers for shows like this often do >more interesting research than, say, the average encyclopedia >article will report.) Navajo also has something now it didn't have before WWII, a written language, and I believe a rudimentary dictionary. Brian From banisar at epic.org Mon Apr 1 23:54:58 1996 From: banisar at epic.org (Dave Banisar) Date: Tue, 2 Apr 1996 15:54:58 +0800 Subject: ACM/IEEE Letter on Crypto Message-ID: Reply to: ACM/IEEE Letter on Crypto Association For Computing Machinery Office of US Public Policy 666 Pennsylvania Avenue SE Suite 301 Washington, DC 20003 USA (tel) 202/298-0842 (fax) 202/547-5482 Institute of Electronics and Electrical Engineers United States Activities 1828 L Street NW Suite 1202 Washington, DC 20036-5104 USA (tel) 202/785-0017 (fax) 202/785-0835 April 2, 1996 Honorable Conrad Burns Chairman, Subcommittee on Science, Technology and Space Senate Commerce, Science and Transportation Committee US Senate SD-508 Washington, DC 20510 Dear Chairman Burns: On behalf of the nation's two leading computing and engineering associations, we are writing to support your efforts, and the efforts of the other cosponsors of the Encrypted Communications Privacy Act, to remove unnecessarily restrictive controls on the export of encryption technology. The Encrypted Communications Privacy Act sets out the minimum changes that are necessary to the current export controls on encryption technology. However, we believe that the inclusion of issues that are tangential to export, such as key escrow and encryption in domestic criminal activities, is not necessary. The relaxation of export controls is of great economic importance to industry and users, and should not become entangled in more controversial matters. Current restrictions on the export of encryption technology harm the interests of the United States in three ways: they handicap American producers of software & hardware, prevent the development of a secure information infrastructure, and limit the ability of Americans using new online services to protect their privacy. The proposed legislation will help mitigate all of these problems, though more will need to be done to assure continued US leadership in this important hi-tech sector. Technological progress has moved encryption from the realm of national security into the commercial sphere. Current policies, as well as the policy-making processes, should reflect this new reality. The legislation takes a necessary first step in shifting authority to the Commerce Department and removing restrictions on certain encryption products. Future liberalization of export controls will allow Americans to excel in this market. The removal of out-dated restrictions on exports will also enable the creation of a Global Information Infrastructure sufficiently secure to provide seamless connectivity to customers previously unreachable by American companies. The United States is a leader in Internet commerce. However, Internet commerce requires cryptography. Thus American systems have been hindered by cold-war restraints on the necessary cryptography as these systems have moved from the laboratory to the marketplace. This legislation would open the market to secure, private, ubiquitous electronic commerce. The cost of not opening the market may include the loss of leadership in computer security technologies, just at the time when Internet users around the world will need good security to launch commercial applications. For this legislation to fulfill its promise the final approval of export regulations must be based on analysis of financial and commercial requirements and opportunities, not simply on the views of experts in national security cryptography. Therefore, we urge you to look at ways to further relax restrictive barriers. Finally, the legislation will serve all users of electronic information systems by supporting the development of a truly global market for secure desktop communications. This will help establish private and secure spaces for the work of users, which is of particular interest to the members of the IEEE/USA and the USACM. On behalf of the both the USACM and the IEEE/USA we look forward to working with you on this important legislation to relax export controls and promote the development of a robust, secure, and reliable communications infrastructure for the twenty-first century. Please contact Deborah Rudolph in the IEEE Washington Office at (202) 785-0017 or Lauren Gelman in the ACM Public Policy Office at (202) 298-0842 for any additional information. Sincerely, Barbara Simons, Ph.D.3 Chair, U.S. Public Policy Committee of ACM Joel B. Snyder, P.E. Vice President, Professional Activities and Chair, United States Activities Board cc: Members of the Subcommittee on Science, Technology and Space From sales at elementrix.co.il Tue Apr 2 00:05:40 1996 From: sales at elementrix.co.il (sales at elementrix.co.il) Date: Tue, 2 Apr 1996 16:05:40 +0800 Subject: Elementrix Technology Announces Power Quantum Cryptography Message-ID: <9604010051591.The_Win-D.jacktech@delphi.com> Elementrix Technology Announces Power Quantum Cryptography Elementrix Technology, a leading developer of security software, including the well-known Power One Time Pad (POTP(TM)) today announced the first commercial release of a next-generation unbreakable security product. Power Quantum Cryptography pushes data security into the modern world of quantum physics. Elementrix PQC(TM) is your best choice for securing your sensitive data against Hackers, Crackers, Snoops, NSA, and other Evil People. Elementrix, long recognized as an innovator in unconventional data security technology, combines absolute security with utility, performance and ease of use. Our remarkably simple algorithm gives you unprecedented speed in a software-only implementation. PQC requires no additional hardware, and no knowledge of quantum physics. By using a novel method (covered by trade secret law and now patent-pending in 26 countries) our server software transmits packets onto your local network without reading them, thus preserving their unique quantum properties. Any attempt to read the packet, except by the intended recipient will destroy the quantum waveform of the packet. Our sophisticated error-recovery system will detect this and re-initialize with a predefined Emergency Quantum State, which has all the same characteristics as the Normal Quantum State, but has not been compromised by the attempted eavesdropper. PQC provides you with fast, reliable, and secure data transmissions, XOR encrypted with unbreakable quantum randomness. Our Plug-and-Play installation assures that you can have secure transmissions within minutes. PQC ensures that your data transmissions are absolutely unbreakable, guaranteed by the Laws of Physics. The innovative PQC technology requires no public or private Keys, no master or session key, no key management, no key escrow or trusted third parties, no key distribution servers, no access codes, no substantial overhead, no special training for users, and no waiting. PQC gives you total security from anyone without the aid of an object code disassembler. Elemntrix PQC(tm) version 1.0 requires 80386 or higher IBM PC (or 100% compatible), 4MB RAM, MS-Windows 3.1, Windows For Workgroups, or Windows 95, a MODEM or LAN connection, and any TCP/IP stack for Windows. For more information: Tel: +972-4-550963 Fax: +972-4-550356 Within the US and Canada, phone: 1-212-888-8879 fax: 1-212-935-3882 e-mail: sales at elementrix.co.il info at elementrix.co.il for customer and technical support: support at elementrix.co.il From unicorn at schloss.li Tue Apr 2 00:11:01 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 2 Apr 1996 16:11:01 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban onPGP) In-Reply-To: Message-ID: Following my new policy on Jim Bell posts, the below represents my new form of reply. These 'terse' replies should cut down on bandwidth and still serve as some basic protection to the list readership as to the mis and dis-information which eminates in quantity from Mr. Bell's account. Those parties interested in a more detailed discussion, aside of course Mr. Bell, should ask for clarification where they feel it necessary and I will then expound on my points. On Sun, 31 Mar 1996, jim bell wrote: > I hope by now you've seen my reply about the treaty issue. I wasn't > particularly focussing on the question of what Europe will do qua Europe, > but how the treaty issue could be abused in the US. Here is the section of > the US Constitution which is relevant, and which I mentioned by reference before: > > Article VI > ... > > This Constitution, and the Laws of the United States which shall be made in > Pursuance thereof; and all Treaties made, or which shall be made, under the > Authority of the United States, shall be the supreme Law of the land; and > the Judges in every State shall be bound thereby, any Thing in the > Constituion or Laws of any State to the Contrary notwithstanding. > ... > > > I do not believe that this section was intended to mean that the _citizens_ > of the US are bound by treaty obligations; You are incorrect. That would be illogical, treaties > are agreements between governments. Treaties are inherently intended to > govern relations with foreign countries, not legal or political > circumstances within a particular country. Treaties may AFFECT citizens, > such as extradition treaties, immigration/emigration treaties, and passport > requirements, but the citizen doesn't "agree" with them. You are, again, incorrect. > That's evidenced by the fact that treaties are ratified by only the US > Senate, the body with two Senators from each state. (The House has > proportional representation, based on the population of each state.) The > intent, I suggest, was that treaties were supposed to be interpreted as > applying to the country, while laws applied to the individual. You need to study the history of this structural decision. > (Since you're Canadian, and for other non-US readers, I should point out > that when the US Constitution was being drafted and debated, [Yadda yadda yadda.] > In any case, since laws can be declared unconstitutional I think it's > implicit that there can be such a thing as an "unconstitutional treaty," or > at least one if declared to be binding on the citizens would be in violation > of the Constitution. If, for example, the US government decided that it > wanted to take away free speech rights from its citizens, to name an > obviously fantastic example, it could arguably write a treaty with, say, > Mexico, "agreeing" that free-speech rights will not apply to the citizens of > each country. You need to study the difference between non-executing and self-executing treaties. It is left as an exercise to the reader to determine why, in this context, what Mr. Bell suggests would not work. > merely the government. I believe there was a treaty in the middle 1960's called > something like "Single Issue Treaty on Narcotics" which led directly to a > massive re-write of the drug laws in the US. In view of the fact that > today, probably 70% of the inmates in US prisons are there on drug charges, > it is obvious that this treaty had a long-lasting internal effect, far > beyond what a person might have expected at the time. Se above reference to self-executing treaties as to why Mr. Bell is again passing the wrong mark. > Whether or not this interpretation could still work in today's changed [Yadda yadda yadda]. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Tue Apr 2 00:40:07 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 2 Apr 1996 16:40:07 +0800 Subject: NYT on CFP Message-ID: At 06:24 AM 4/1/96 -0500, John Young wrote: > The New York Times, April 1, 1996, p. A14. > Pioneers of Cyberspace Move Into Wider Arena, By Peter H. Lewis Cambridge, Mass., March 30 -- Cyberspace is dead, many of > its electronic pioneers said at a conference here this > week. [stuff deleted] > The proposals include the formation of > an Internet Caucus in Congress and a Senate blll to relax > the Government's laws restricting the transmission of > secrets over the global information network. This goes to show that export controls on encryption are going to have to go, Leahy bill or not. > "Washington is coming to thls conference in droves," said > Daniel J. Weltzner, deputy dlrector of the Center for > Democracy and Technology, one of several public-interest > groups that seek to influence Government policy related to > cyberspace, "and I think it's very exciting and promising. > It's the coming of age of this community." I don't think they have any choice! Washington is already bombarded with email within hours every time they do something stupid. > The Computers, Freedom and Privacy crowd included its usual > assortment of computer hackers, academics and self- > described crypto-anarchists, and even one man wearing video > goggles with an antenna apparently sprouting from his head. > But it also included others who wanted to assess the fusion > of cyberspace and real space: Federal judges, lawmakers, > White House policy experts, corporate executives and > law-enforcement agents. Some of whom might even be aware that they could easily lose their jobs as a consequence of what's happening now on the 'net. > Senator Conrad Burns, a Republican from the real frontier > state of Montana, chose the conference to announce, by > telephone, new legislation that would remove nearly all > current Government restrictions on the export of > mass-market encryption software, which is used to send > secret messages over computer and telephone networks. I sure wish they'd hurry up on this legislation. Hope it's not just vaporware...er... vaporbill, or whatever. > Senator Burns's legislation would also block the > Administration from imposing as a Government standard any > form of data encryption that would give law-enforcement > agencies the ability to decode messages. Gee, I thought the 1st amendment did that? Are our freedoms dependant on a bill that hasn't yet been passed, and may not even yet exist? > The Senator's bill places him squarely at odds with the > Clinton Administration and the Justice Department. But Mr. > Burns said the use of robust data encryption would foster > the rise of electronic commerce, distance education and > digital communicatlons, which his large, rural state > desperately needs in the 21st century. While the bill might > have little chance of passage this year, conference > participants were heartened by what appears to be growing > support in Congress for a relaxation of the Government's > cryptography policy. I'm anxious to see how many self-proclaimed supporters of the Leahy bill are going to do the right thing and drop their support of it once the text of this Burns bill has been released. (assuming the Burns bill turns out to be satisfactory, of course, and that it covers all the "good" parts that we wanted from Leahy as well as leaving out all the bad ones.) Though I was never happy about that "list of shame" idea, one of the tests that would partially confirm or deny the proper placement of any given name on that list would be that the person named would shift his support to a repaired bill. I can't see any logical reason to continue to support a flawed bill if and when a corrected bill appears. > The proposal drew some opposition. "I think we'll regret it > down the road," said Dorothy E. Denning, a professor of > computer sciences at Georgetown University and a computer > security consultant to the military. Dr. Denning and others > have argued that the use of unrestricted encryption would > thwart the ability of law-enforcement and intelligence > agencies to conduct wiretaps on messages sent by foreign > spies, terrorists, child pornographers and other criminals. Damn! They keep leaving me out of their short list! Maybe they meant to lump me in with the groups they mentioned. I'm an American, so I can't be a "foreign spy," and my supply of child pornography is at a constant zero level. I'd sure hate to be lumped into an ignominious position with the "other criminals," however: What an unimpressive title! Maybe I'll just have to settle for being called a terrorist. Harrumph! Jim Bell jimbell at pacifier.com From brianbr at together.net Tue Apr 2 00:42:08 1996 From: brianbr at together.net (Brian B. Riley) Date: Tue, 2 Apr 1996 16:42:08 +0800 Subject: Why Americans feel no compulsion ... In-Reply-To: Message-ID: <315F53DC.4685@together.net> -----BEGIN PGP SIGNED MESSAGE----- Timothy C. May wrote: > > At 12:21 AM 3/28/96, Syed Yusuf wrote: > >If a person who speaks three languages is tri-lingual > >If a person who speaks two languages is bi-lingual > > > >What do you call a person who only speaks one language? > > > >---------------------answer follows: > > > >An American. > > Or our version: > > What do you call a person who has to learn English as a second language in > order to compete in the world? > > A foreigner. > > (Sorry for the insult, but it seems that this thread is bringing out > insults from foreigners of all sorts.) > > --Tim I suppose this thing could go on and on and on and be argued in many ways, but I have to side with Tim here. I would add that America started out a scant 300 or so years ago, we are what we are because we worked at it. If we speak a language and most of the 200+ million Americans do, and we are a dominant factor in the world today .... why should we learn another language. I learned VietNamese when I went off to war. I learned Russian for the hell of it after taking several courses in Russian history. I have learned some French out of courtesy and survival when I go to Montreal (but a 90 minute drive from here). If I were not going any of these places why would I learn another language, why waste the time? Let me turn it around; If I were in downtown Moscow what moral highground could justify that I demand the locals speak English to me? By what right does anyone demand that the 70-80% of Americans who will never have a need for a second langauge learn one? - -- Brian B. Riley --> http://www.together.com/~brianbr "If this is the first day of the rest of my life, I am in DEEP trouble!" -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Chance smiles upon the prepared mind Comment: PGP Key IDs: 2047/0x17c2b699 1024/0x662A7641 iQCVAwUBMV9TwjTEZIFmKnZBAQEqKwQAqo9pHdxO4jZAvS+HsoZkiNQIX+zSN3PV bTWt/ro/Xs2BCFSQy8eI/1K0iNNqXkrHyoH4WymCD+zKXKB5ex3CqV3B7Kuqm4te HbupKSPfXw9FbCteqmgMBjytBSDKWqa82gHv7SKrPyKhxr+jvJP1enHDvZRAeNW9 gMc6GxZYrdI= =8Rg9 -----END PGP SIGNATURE----- From hfinney at shell.portal.com Tue Apr 2 00:43:02 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 2 Apr 1996 16:43:02 +0800 Subject: Java flaw is in bytecode verifier Message-ID: <199604020006.QAA21649@jobe.shell.portal.com> >From http://java.sun.com/sfaq/960327.html: > Researchers at Princeton recently found an implementation bug in the Java > bytecode Verifier. The Verifier is a part of Java's runtime system which > certifies that applets downloaded over the Internet adhere to Java's > language safety rules. Through a sophisticated attack, a malicious applet > can exploit this bug to delete a file or do other damage. This is one of the more worrisome places for a bug to exist. Much of Java's security rests in the claim that it can screen for and detect bad bytecode sequences. This screening code is extremely critical for Java security and I am surprised to see that it was implemented in a flawed manner. I've been writing Java quite a bit in the last couple of weeks, and I find that I have crashed my browser, whether Netscape or appletviewer, many times. Granted some of my code has been pretty buggy, but it's still not supposed to crash the browser. Obviously some of the runtime checks are not being done properly. I had expected that the bug would be in these areas, something like the stack overflows that we have seen cause problems in the past. A simple error in the bytecode verifier (if that is what this really is) seems like a more fundamental security flaw. The researchers have still not released full details on the bug, although they had planned to do so by the end of March. Maybe they are waiting for the fix to be distributed. Hal From phantom at u.washington.edu Tue Apr 2 00:51:36 1996 From: phantom at u.washington.edu (M. Thomlinson) Date: Tue, 2 Apr 1996 16:51:36 +0800 Subject: PsychicCash IPO Message-ID: PsychicCash(TM) Announces Initial Public Offering PsychicCash, a leading developer of electronic commerce systems, today announced that it will sell 4.5 Million shares of common stock at a price of $25 a share. "This IPO will make me very rich" said co-founder Dan Thompson, "but of course you already knew that." PsychicCash pushes secure, thought-driven commerce into the modern world. PsychicCash is the holder of a number of crucial psychic commerce patents, including those on psychic blinding, psychic key-exchange, and psychic anonymity. The PsychicCash technology is based on the idea that there is no need for paper bills or plastic cards. Instead, a user simply thinks to exchange money. PsychicCash requires no hardware, and little knowledge of cryptography, however, it does require doing 1024-bit modular exponentiation in your head. "This is the logical progression of things," said PsychicCash supporter Dionne Warwick. "The use of PsychicCash(TM) to secure transactions should completely remove consumers' concerns about the safety of psychic commerce." Through the use of their patented technology, PsychicCash allows users to transmit value to any vendor, in any denomination, in any currency. With a future release of the protocol, a few additional multiplications will allow PsychicCash users to anonymize either party. The release is currently on hold due to problems in accidentally revealing (thinking) blinding factors. "Psychic debit" technology allows secure transmission of value across time as well as space. That is, one can deduct amounts from payee's bank accounts before the idea to purchase has even been conceived. (A similar use of this technique overcomes prior art claims on PsychicCash patents by shifting the date of filing back as far as needed.) As with all cryptographic solutions, PsychicCash must first get export approval from the US government for each of its' products. However, an ingenious system, called telepathic key escrow (TKE), should allow the company expedited commodities jurisdiction approval. Using TKE, a user simply thinks his key to the National TKE Center, which will then allow access to the key only with a court order. Whether or not other countries will allow the NTKEC to escrow their citizens' keys is still unclear. For more information: Tel: 206-936-0123 Within the US and Canada, phone: 1-212-888-8879 fax: 1-212-935-3882 e-mail: sales at psychiccash.mil for customer and technical support: think Matt Thomlinson University of Washington, Seattle, Washington. Check my home page -- http://weber.u.washington.edu/~phantom From dlv at bwalk.dm.com Tue Apr 2 01:38:52 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 2 Apr 1996 17:38:52 +0800 Subject: (fwd) Russians Break RSA? In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: ... > Here's the report on a news conference announcing the cracking of > their Kolmogorov system, which is equivalent to our own RSA. I haven't > had a chance to talk to John Markoff, who was at the press conference, > to get his comments. ... You know, it was pretty funny last time Tim May announced that the Russians broke the RSA on April 1st. I guess those who haven't seen this before still might find it funny. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From quester at eskimo.com Tue Apr 2 01:57:16 1996 From: quester at eskimo.com (Charles Bell) Date: Tue, 2 Apr 1996 17:57:16 +0800 Subject: New release of SFS available In-Reply-To: <9604020207.AA07119@vampire.science.gmu.edu> Message-ID: Well I guess it wouldn't be much of a `fool' if it didn't fool *anyone.* But TIm, Tim.... your mother? Your sister? It wasn't halfway subtle. (If it had been the `Canadian library barcode' spoof, we could understand. That one was so credible I'm afraid it may give the bad guys ideas.) Charles Bell From dlv at bwalk.dm.com Tue Apr 2 02:00:43 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 2 Apr 1996 18:00:43 +0800 Subject: Witch Hunts In-Reply-To: Message-ID: Bruce Zambini writes: > On Sun, 31 Mar 1996 JonWienke at aol.com wrote: > > Unicorn = Detweiler = Agent Provocateur > > Well, I won't say it's impossible. Don't you get the hint -- Unicorn == Sir Lancelot == Lance. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From hayden at krypton.mankato.msus.edu Tue Apr 2 02:33:31 1996 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Tue, 2 Apr 1996 18:33:31 +0800 Subject: Complete Waste of Bandwidth Message-ID: -----BEGIN PGP SIGNED MESSAGE----- As you may remember, I wrote the Geek Code. Well, for those that care, run on out and pick up the April 18th issue of Rolling Stone (it has a 1/2 naked guy on the cover) and take a gander at page 20. It's and article about yours truly and the Geek Code. Cool, eh? *grin* -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.2 iQCVAwUBMWB2LjokqlyVGmCFAQEX4gP/TRTZjtPrlF0mD6gGwz/qyc1+dQpzP/ae T9H/jojqSxX5o1BYC1DEQQtAW/K28VKMRvaAlx7tqIxMvNPyVHGIcDqSovzTDo8C D5P79xQR+NGuzWZFaOsIOT89vWw3JF8nw8ug2oqQIxlwqWqqk9ju6JRa+yywC6K9 xlAIYiDK3XM= =+X1Q -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu \ /__ Finger for Geek Code Info <=> Finger for PGP Public Key \/ / -=-=-=-=-=- -=-=-=-=-=- \/ http://krypton.mankato.msus.edu/~hayden/Welcome.html -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GED/J d-- s:++>: a- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+ K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+** ------END GEEK CODE BLOCK------ From tfs at vampire.science.gmu.edu Tue Apr 2 03:13:45 1996 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Tue, 2 Apr 1996 19:13:45 +0800 Subject: New release of SFS available In-Reply-To: Message-ID: <9604020344.AA07783@vampire.science.gmu.edu> >Charles Bell > > > Well I guess it wouldn't be much of a `fool' if it didn't fool *anyone.* > > But TIm, Tim.... your mother? Your sister? It wasn't halfway subtle. > > (If it had been the `Canadian library barcode' spoof, we could understand. > That one was so credible I'm afraid it may give the bad guys ideas.) > heh, Hook, line, AND sinker. This is what happens when your link is down for 4 days and you try to get through c'punks back-mail at a fast pace, thinking that the stuff you're looking at is 3-4 days old. On the other hand, everyone in my family uses email, and my sister (the english major in the bunch) has asked about stuff like using pgp to send intimate mail to her boyfriend. And one of my brothers, (the cattle farmer) has asked 'if there's an easy way that I can mail some financial stuff without worrying about people reading it. Like useing that codes stuff you talk about'. They both just like privacy. Even my mom has said things like "go watch TV or something while I'm doing my mail". So the mother & sister part didn't really raise any flags. I've gotten over the culture shock of everyone (and their mother) wanting to be on the 'net awhile back. Course looking back at it I'm going "waitaminute" In any case I'm sitting here laughing about it. Being taken in now and then by a good joke is an ok thing. It's going to force me to plot something devious for next April fools day. ;) Tim From bart at netcom.com Tue Apr 2 03:14:21 1996 From: bart at netcom.com (Harry Bartholomew) Date: Tue, 2 Apr 1996 19:14:21 +0800 Subject: Navajo Code-Talkers In-Reply-To: Message-ID: <199604020558.VAA07216@netcom5.netcom.com> Tim wrote: > > I'd venture that NSA also has large staffs of language experts, to > interpret the COMINT stuff vacuumed up. > A friend's next-apartment neighbor back in NYC in the late '60s was an ex-NSA type. Sat on a radio intercept feed near the USSR because he spoke Russian. b From fotiii at crl.com Tue Apr 2 03:15:40 1996 From: fotiii at crl.com (FRank O. Trotter, III) Date: Tue, 2 Apr 1996 19:15:40 +0800 Subject: What backs up digital money? Message-ID: <199604020424.AA05832@mail.crl.com> Quite a time to go on vacation and have the power supply to my laptop first show wires then break! A great series of rants about the backing of ecash, and I missed most of it (at least in real time). I'll add a few of my thoughts and see if it all goes any further. Ecash is a means of transferring value, currently USD at Mark Twain, betweeen parties. Ecash, however denominated, is not a currency in itself. Any "currency" or other "value units", be it USD, DEM, gold, silver, coupons, etc can be transferred by the ecash system. The Mint licensee must agree and then issue the units. This is, after all, software. The value unit or currency has value because people agree it has value. CyberBucks were (and still are) somewhat convertable to tangible goods - they are for sure convertable to intrinsic goods as demonstrated by the CyberBucks trial. USD and DEM have value only because we all accept them as payment - as fiat currencies there is no formal backing. Gold has value because ... One of the keys in any system is that users feel comfortable about the future value of the units or currency, be the units a national currency, a commodity, or a coupon. There are two components to this: 1) The user must believe that they will receive the units back from someone at a later date - this is plain old fashion credit risk. For example if I am running an ecash system with gold then you have to believe that I will give you gold upon request - same for USD and this is why banks for the time being should be the primary issuer to avoid a general credit risk. If users are unsure or unable to determine if the Mint operator will return the nominal value of the units then there is not enough confidence to run a system. Consider pre-FDIC days in US banking. 2) The user must believe that the units will have a value in the future. We can agree that FOT Units are each worth US$1.0 million today, but how will their value be determined tomorrow? Non-national currency, however attractive from a theoretical standpoint is weak under this guideline. I am a strong believer that ecash will support many national currencies, commodity based implementations such as gold and silver, as well as coupons and commercial equivalents. Use of ecash for payments will depend only on the creative uses presented by someone willing to sell at a profit a product that attracts customers. There is likely some point where a non-national currency will become attractive first to the internet community, then to the public at large. If done with low credit risk it can survive. You should consider that two of the key elements to determine value are precisely known in ecash and not in circulating money - money supply and velocity. One now has only to consider other factors like purchasing power to obtain a base value. Ecash puts banks back into the business of being banks - acting as a storehouse of value, and as a means to transfer this value, all for a fee. The early bank models were exclusively along these lines, with the various lending and investing functions added later. All for now, a start anyway. FOT Disclaimer - Personal not corporate thoughts. Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From llurch at networking.stanford.edu Tue Apr 2 03:22:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 2 Apr 1996 19:22:45 +0800 Subject: (fwd) Russians Break RSA? In-Reply-To: Message-ID: This is true. I read about it in The Spotlight. Or was it libernet? -rich Visit Propaganda on the Barbie! http://www-leland.stanford.edu/~llurch/potw2/ From merriman at arn.net Tue Apr 2 03:39:52 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 2 Apr 1996 19:39:52 +0800 Subject: New release of SFS available Message-ID: <2.2.32.19960401173939.0069af18@arn.net> At 09:07 PM 04/1/96 -0500, Tim Scanlon wrote: ^^^^^^^ >pgut001 at cs.auckland.ac.nz >> >> I have just uploaded version 1.19 of SFS to the grumbo.uwasa.fi FTP site as: ... >> The head of the FBI Louis Freeh has been quoted as saying that "this will >> provide adequate protection against your little sister or your mother, while >> allowing law enforcement agencies to investigate people using encryption for >> illegal purposes". The head of the French DSSI agrees: "There have been too >> many cases of industrial espionage by foreign government intelligence agencies. > >Remind me not to use this junk. Ever. Got one! Reeeeeeeeel 'im in! ROFLMAO Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From raph at CS.Berkeley.EDU Tue Apr 2 03:44:18 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 2 Apr 1996 19:44:18 +0800 Subject: List of reliable remailers Message-ID: <199604011450.GAA20116@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{'cubed'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 1 Apr 96 6:48:11 PST remailer email address history latency uptime ----------------------------------------------------------------------- ecafe cpunk at remail.ecafe.org -*#*######## :48 100.00% haystack haystack at holy.cow.net *-##+*****+* 2:09 100.00% cubed alias at alias.alias.net ***+#** 19:29 99.99% pamphlet pamphlet at idiom.com ++++++++++-+ 1:22:18 99.99% nymrod nymrod at nym.alias.net +++--*+*+--* 38:14 99.98% nemesis remailer at meaning.com **++******** 17:30 99.97% flame remailer at flame.alias.net .---.------ 5:25:05 99.97% shinobi remailer at shinobi.alias.net #*########*# 1:07 99.97% hacktic remailer at utopia.hacktic.nl ****+******* 8:11 99.97% alpha alias at alpha.c2.org ++++-++++**+ 46:53 99.92% vegas remailer at vegas.gateway.com .-*.-#*#+### 4:28:59 99.89% ncognito ncognito at gate.net #*# ##***-## 6:36 99.72% mix mixmaster at remail.obscura.com -+-___.--*-* 15:11:14 99.69% spook remailer at spook.alias.net +***+*+**+** 19:46 99.66% gondolin mix at remail.gondolin.org __.--*----- 13:53:43 99.64% gondonym alias at nym.gondolin.org __.--*--+-- 13:48:57 99.64% exon remailer at remailer.nl.com --***++**-* 13:59 99.59% replay remailer at replay.com ++**++*+**+ 8:46 99.57% vishnu mixmaster at vishnu.alias.net ++- - ***--+ 2:46:31 99.26% treehole remailer at mockingbird.alias.net --+++-- -+++ 3:47:33 98.96% amnesia amnesia at chardos.connix.com -- --+--+++ 1:57:42 98.49% portal hfinney at shell.portal.com *#-#####*## 1:30 96.59% alumni hal at alumni.caltech.edu _* #+# -### 1:08:06 96.24% penet anon at anon.penet.fi .___ -__.. 47:32:06 95.78% c2 remail at c2.org *****.+-+++ 37:24 94.43% extropia remail at miron.vip.best.com --------- 6:03:31 83.40% lead mix at zifi.genetics.utah.edu *+++++ 34:15 34.40% tjava remailer at tjava.com #* ** 1:02 25.24% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From talon57 at well.com Tue Apr 2 03:56:44 1996 From: talon57 at well.com (Brian D Williams) Date: Tue, 2 Apr 1996 19:56:44 +0800 Subject: Witch hunt Message-ID: <199604012154.NAA00130@well.com> >From: "Vladimir Z. Nuri" >Tim May == Rousseau??? hehehehehe. and I fail to comprehend how >anyone so universally despised as Detweiller could be considered >to have employed any "effective critical technique". maybe I >should send him some email, but alas I perceive that to be another >waste of time. Send HIM some E-mail? That's pretty funny Larry! What happened, someone sever your Corpus Callosum? Brian From haywire at haywire.org Tue Apr 2 04:01:40 1996 From: haywire at haywire.org (William Hayward) Date: Tue, 2 Apr 1996 20:01:40 +0800 Subject: gnutar + pgp filter mode Message-ID: <199604012131.NAA05812@mach3.directnet.com> -----BEGIN PGP SIGNED MESSAGE----- The gnu tar archiver allows to use an arbitrary compression program (option --use-compress-program=PROG). This works well with pgp if a small wrapper is used: #!/bin/csh -fb if ("$1" == "-d") then exec pgp -d -f else exec pgp -e -f endif The only problem is that this doesn't work well for larger amounts of data, because pgp reads in all data before starting with its work. Perhaps a future release of pgp will have a real filter mode. Hadmut BTW: Does this "crypto-hook" cause export restrictions to apply on gtar ? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMV/0tmc1jG5vDiNxAQFtAAP/TMuYeYf5q7k1Y8DrBjb6XFKYYFANH3RH FvThWq1BUgI+unH97EZkNkCzZJYT5qmLGk3+JLufCAw/o9YR7jKcldm2LNYJ96t2 BDcSGDF3qx/IUzQBa5NV+gUerNRVSwA3LzkTbXufOxYH0cB3KNcsx3B0bE1rEDa/ GCcJ1L6T+2s= =FMiZ -----END PGP SIGNATURE----- From raph at c2.org Tue Apr 2 04:07:02 1996 From: raph at c2.org (Raph Levien) Date: Tue, 2 Apr 1996 20:07:02 +0800 Subject: "Dead beef" attack against PGP's key management Message-ID: <199604011958.LAA19153@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- This post is signed by a forged key for Phil Zimmermann. I forged the key this morning. The key has the same user id and visible key id as an old key for Phil Zimmermann, which he has since revoked. I should stress that this attack does not in any way weaken the security of PGP's message formats. However, it does expose a problem in the user interface of its key management. Namely, it is fairly easy to forge a key that looks very similar to an existing key. In fact, the only way to distinguish between real and forged keys in general is by the fingerprint and keysize together. My purpose in posting this is to demonstrate that such forgeries are possible. The lesson is: please do not use the key id alone to identify keys. Another reason for the public posting of this forgery is to goad the PGP development team into improving the user interface in PGP 3.0, so as to make the detection of such a forgery much easier, if not routine. Derek Atkins has assured me that PGP 3.0 will include a cryptographic hash of the key, for use as a key id. If implemented properly, such a facility would address this attack. I am not the first to propose this attack. According to Derek Atkins, Paul Leyland first proposed the attack two years ago. Also, Greg Rose successfully mounted a similar attack six months ago, creating a key with user id 0xDEADBEEF, thereby giving rise to the name. The pseudocode for the attack is as follows: choose random 512 bit prime p choose random 480 odd x q = x * ((0xdeadbeef * (p * x) ^ -1) mod 2^32) do {q += 2^32} while q composite The above bit of pseudocode replaces the original selection of p and q, which are normally just random 512 bit primes. Without having done detailed analysis, I believe that the resulting forged keys are just as good as ordinary PGP keys. Further, the modified key generation is almost as fast as ordinary PGP key generation, and I think I could speed it up a bit more. The attack took me a few hours to design and code. Any good programmer familiar with PGP could duplicate it easily. One practical application of this attack is to implement a certain degree of "stealth." Since PGP includes the key id in encrypted messages, it is in most cases possible to identify the recipients of encrypted messages. However, if a lot of people generated keys with the same key id, then it would not be possible to tell from the encrypted message which one was the intended recipient. Here's the public key I forged, which can be used to check the signature of this message: Key for user ID: Philip R. Zimmermann 1024-bit key, Key ID FF67F70B, created 1992/07/22 Also known as: Philip R. Zimmermann - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAyptNMAAAAEEALRhS3ZCFKLPNF/fZeluh/rNfpgZ5a0ddTBtxJ+1yLIkVurb HWFFBsrmnA4hU4MhlA8DS/f2gnS0v3zyQ78JOY1SBIJrLdaIPIrh0ZTAZXWoQWDe Qknm1ZgyLkIRJlt5aDLp+iLJ5sc+LSO5N/DtrL+Htc5MF0AVAWtzPhz/Z/cLAAUR tCJQaGlsaXAgUi4gWmltbWVybWFubiA8cHJ6QGFjbS5vcmc+iQCVAwUQMWAremtz Phz/Z/cLAQE//AP/bg9gMOuiBYkFCiyarJ/DIARWDf7e4bWFJloXAyPeBXCITDIw tuHRJ41yFqnlLmdcuVhXQf/xrH248JyWpHqqED6eOU/PnBHo9IR6H0Fts+O3I+vk tOYRjuTJy+6JV0s/8VN/Sgh8y6Jm2FGhhzhCp6KHNcTHpUud6iGScaEs/CG0LFBo aWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAc2FnZS5jZ2QudWNhci5lZHU+ =Z1mf - -----END PGP PUBLIC KEY BLOCK----- Raph Levien -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWA2pGtzPhz/Z/cLAQELEQP/fam4tHS8TlMy7SFoUZvC0C4q0ID9Ze5W rY2D++df4UtAFDITGs4lQqzeq6YCqk51oT8gZAACK6D6UlFgr5roIbgwa74Fxso1 B5mquC9axlOlxZJI1PuK+NflBJqCokuQGtG95ER6vbm4n4RACW43In9SAatIvduN JfBSLYrAr14= =V5U6 -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Tue Apr 2 04:21:40 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 2 Apr 1996 20:21:40 +0800 Subject: Java flaw is in bytecode verifier In-Reply-To: <199604020006.QAA21649@jobe.shell.portal.com> Message-ID: My bet is currently on the flaw being due to a silly mistake in some part of the code dealing with returns from finally handlers. The Suspense Is Killing Me :) --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jimbell at pacifier.com Tue Apr 2 04:27:47 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 2 Apr 1996 20:27:47 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban onPGP) Message-ID: At 02:56 PM 4/1/96 -0500, Black Unicorn wrote: > >Following my new policy on Jim Bell posts, the below represents my new >form of reply. These 'terse' replies should cut down on bandwidth and >still serve as some basic protection to the list readership as to the >mis and dis-information which eminates in quantity from Mr. Bell's >account. Those parties interested in a more detailed discussion, aside >of course Mr. Bell, should ask for clarification where they feel it >necessary and I will then expound on my points. What you _really_ ought to do is to cut down your responses to ZERO, especially on material that was not sent to you. Until you're willing to talk intelligently about what you believe, you're just wasting peoples' time. Jim Bell jimbell at pacifier.com From rollo at artvark.com Tue Apr 2 04:46:36 1996 From: rollo at artvark.com (Rollo Silver) Date: Tue, 2 Apr 1996 20:46:36 +0800 Subject: "Random Sequence" Message-ID: >At 07:25 AM 3/31/96 -0700, Rollo Silver wrote: >>The paper "On the Effective Definition of 'Random Sequence'", by Michael >>Levin, Marvin Minsky, and Roland Silver can be viewed (and downloaded, and >>printed) from my website . > >Rollo, > > I read the paper and it's nice work -- but it departs from current >definitions of random sequences in that it assumes you specify the countable >set of machines trying to test for non-randomness first and then generate a >sequence to fool that set of machines. Current definitions of randomness >assume an infinite set of testing machines, often limited to polynomial time >and space, and a sequence generator that must defeat them all without >knowing anything about them. Such sequences are, in a sense, "more random" >than the ones your paper dealt with -- I believe. Did I miss something? * It's a bit anachronistic to say in 1996 that a paper written 30 years earlier "departs from current definitions of random sequences." The authors may have been brilliant, but they weren't prescient. I can't imagine how a computer could be smart enough to defeat an infinite set of guessing machines without knowing ANYTHING about them. In fact, what's wrong with this argument: call the "fooling" machine Frank, and one of the "guessing" machine Gert. You say that Frank doesn't need to know anything about Gert. Let me suppose however that Gert DOES know about Frank. In that case, Gert can simulate Frank and "guess" his output, thus foiling Frank's attempts to fool Gert! Maybe it's the "polynomial time & space". That restricts the guesser-domain considerably, compared with our very weak requirement that the guessers can be any Turing machines whatever -- as long as the set of them is effectively calculable. BTW, is the set of ALL finite automata effectively calculable? I suspect maybe so. If so, by essentially the argument given in the paper, there is a computer (Turing machine) that can fool them ALL. I hope it's okay to cc this note to coderpunks. It's not about coding per se, but it may shed some light on what "randomness" means, and on "computable randomness", which sounds appropriate for coderpunks to me. ------------------------------------------------------------------------ Rollo Silver | The CDA means | Artvark / PO Box 219 505-586-0197 | lost jobs and | San Cristobal, NM 87564 USA rollo at artvark.com | dead teenagers | http://www.artvark.com/artvark/ From stewarts at ix.netcom.com Tue Apr 2 04:53:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 2 Apr 1996 20:53:53 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <199604020804.AAA14605@ix2.ix.netcom.com> This happens any time anybody signs up with an an######@anon.penet.fi address. Ideally, someone could, in their copious spare time, hack majordomo to automatically translate all subscription requests of that form to na######@anon.penet.fi ; as an alternative, if majordomo has some sort of subscription blocking list an*@anon.penet.fi belongs on it. At 07:35 PM 3/30/96 -0800, Sandy wrote: >has anyone had the sort of problem mentioned below? >From: E. ALLEN SMITH >To: sandfort at crl.com >Subject: Re: A MODEST PROPOSAL >From: IN%"sandfort at crl.com" "Sandy Sandfort" 26-MAR-1996 16:57:18.92 >>Wilco. I'm collecting names for an addendum now. > Thanks. Incidentally, I recently had a problem with posting to >the cypherpunks list; it consisted of the message getting sent to anon.penet.fi >instead. This looks like someone trying to find out anon.penet.fi anon IDs; >however, it wouldn't work due to the password requirement. Have you heard >anything about this? #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From grafolog at netcom.com Tue Apr 2 05:03:11 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Tue, 2 Apr 1996 21:03:11 +0800 Subject: Navajo code-talkers In-Reply-To: <199604012155.NAA00640@well.com> Message-ID: Brian: On Mon, 1 Apr 1996, Brian D Williams wrote: > Navajo also has something now it didn't have before WWII, a > written language, and I believe a rudimentary dictionary. A couple of grammers, and three or four dictionaries. And classes are offered in it, by at least two colleges in the US. << It's one of the status languages to study, if you are a new ager --- along with Ancient Mayan, linear B and Egyptian Hieroglyphics. >> xan jonathon grafolog at netcom.com From jeffb at sware.com Tue Apr 2 05:05:26 1996 From: jeffb at sware.com (Jeff Barber) Date: Tue, 2 Apr 1996 21:05:26 +0800 Subject: (fwd) Russians Break RSA? In-Reply-To: Message-ID: <199604012059.PAA14716@jafar.sware.com> Timothy C. May writes: [ Russians developed PK crypto circa 1960 ] > > The Kolmogorov system is broken by computing the prime numbers > > which form what is called the modulus. This is done by randomly > > guessing the constituent primes and then detonating all of the > > stockpiled nuclear weapons in the former Soviet Union for each "wrong > > guess." In the Many Worlds Interpretation of quantum mechanics, > > invented in 1949 by Lev Landau (and later, independently by Everett > > and Wheeler in the U.S.), all possible outcomes of a quantum > > experiment are realized. So *that's* how you do quantum cryptography! Good article, Tim. Nice day for it too. -- Jeff From steve at aztech.net Tue Apr 2 05:06:29 1996 From: steve at aztech.net (Steve Gibbons) Date: Tue, 2 Apr 1996 21:06:29 +0800 Subject: Java flaw is in bytecode verifier Message-ID: <009A03A6.DE3AF020.818@aztech.net> In Article: <199604020006.QAA21649 at jobe.shell.portal.com>, Hal wrote: # From http://java.sun.com/sfaq/960327.html: # > Researchers at Princeton recently found an implementation bug in the Java # > bytecode Verifier. The Verifier is a part of Java's runtime system which # > certifies that applets downloaded over the Internet adhere to Java's # > language safety rules. Through a sophisticated attack, a malicious applet # > can exploit this bug to delete a file or do other damage. # This is one of the more worrisome places for a bug to exist. Much of # Java's security rests in the claim that it can screen for and detect bad # bytecode sequences. This screening code is extremely critical for Java # security and I am surprised to see that it was implemented in a flawed # manner. # I've been writing Java quite a bit in the last couple of weeks, and I # find that I have crashed my browser, whether Netscape or appletviewer, # many times. Granted some of my code has been pretty buggy, but it's # still not supposed to crash the browser. Obviously some of the runtime # checks are not being done properly. I had expected that the bug would # be in these areas, something like the stack overflows that we have seen # cause problems in the past. A simple error in the bytecode verifier # (if that is what this really is) seems like a more fundamental security # flaw. # The researchers have still not released full details on the bug, although # they had planned to do so by the end of March. Maybe they are waiting # for the fix to be distributed. As I keep saying (multiple times, in multiple forums) "Java is still in Beta-Test." Sun acks/grocks this, although Netscape ships most of their production-level browsers with Java enabled by default. The primary reason for releasing beta software is to catch any discrepancies between the documented behaviour and the implimented behaviour of a product. Bugs WILL be found in beta testing. To reiterate: "If you insist on being on the bleeding edge, you WILL bleed." This has been a test of the emergency reality-check service. Had this been a real reality-check, the software in question would be labeled "golden" and you would be provided with a "support at foo.bar.com" email address to contact for your product. Again this is only a test, and is (as such) non flamable. Any party that might take offense to this message should re-read the contents of the message, and either A) re-evaluate their perception of it, or B) re-evaluate their practices. -- Steve at AZTech.Net From jsw at netscape.com Tue Apr 2 05:38:00 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 2 Apr 1996 21:38:00 +0800 Subject: Test case for RSA t-shirts In-Reply-To: <315D7895.307AB61A@cs.berkeley.edu> Message-ID: <3160E64E.46C9@netscape.com> Dave Del Torto wrote: > > At 1:08 pm 3/30/96, Raph Levien wrote: > > While we're on the subject, I called Sam Capino's office regarding my > >CJR for this t-shirt, and he said they were still waiting for a response > >from the NSA. I think my next move will be a letter asking exactly when > >I can expect a response, and whether there's anything I can do to compel > >a response, It was originally filed (in October) as a 15-day expedited > >review. > > FYI, PRZ mentioned to me last night that the CJR on the OCR-able book of > PGP source is still pending. The "15 days" has stretched into about a year > in that case, if I don't have my dates/the facts wrong. Bob Prior at MIT > would know. > > So much for expediency in commerce. I don't think that either the book or the t-shirt qualify for the expedited review. My brief skimming of John Gilmore's CJR site a few months ago left me with the impression that only mass market commercial software that fit within the SPA/govt deal (40-bit RC2 or RC4 with RSA keys <= 512-bits) was eligible to be expedited. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From tfs at vampire.science.gmu.edu Tue Apr 2 05:39:49 1996 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Tue, 2 Apr 1996 21:39:49 +0800 Subject: New release of SFS available In-Reply-To: <199604010448.QAA25352@cs26.cs.auckland.ac.nz> Message-ID: <9604020207.AA07119@vampire.science.gmu.edu> pgut001 at cs.auckland.ac.nz > > I have just uploaded version 1.19 of SFS to the grumbo.uwasa.fi FTP site as: > take billions of years to exhaust via a brute-force search. However in order > to satisfy the requirements of various organizations such as the Chinese > government (who need to ensure that no nasty outside influences pollute the > minds of their citizens) and to allow the originators of the 83.5% of all > Usenet traffic which contains porn to be prosecuted (a recent example being the > widely publicised move by the Office of the Bavarian Illuminati to force > Compuserve to drop all sex-related newsgroups), SFS 1.19 will store 2032 bits > of the key in the clear along with the encrypted data. > > The head of the FBI Louis Freeh has been quoted as saying that "this will > provide adequate protection against your little sister or your mother, while > allowing law enforcement agencies to investigate people using encryption for > illegal purposes". The head of the French DSSI agrees: "There have been too > many cases of industrial espionage by foreign government intelligence agencies. Remind me not to use this junk. Ever. In the USA we still have a right to privacy. I don't give a damn about the "needs of law enforcement" simply becasue the perception of their needs has grown beyond the reality of what they actualy "need". If left up to many of the worlds LEO's, there would be taps on all phones and cameras on every corner. Their jobs would be easy, and that's what they want. The desires of law enforcment organizations are fundementaly at odds with a free populace and the actualization of liberty in the practice of law. Software like what has been described above serves only as an example of that in my mind. Tim Scanlon From reagle at mit.edu Tue Apr 2 05:44:00 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Tue, 2 Apr 1996 21:44:00 +0800 Subject: Ecash Article in ID Message-ID: <9604020237.AA20467@rpcp.mit.edu> This is a resend, but my subject didn't match the content in the last send { Found an interesting article on Ecash in Industrial (Internatioal) Design. / What is Money / Karrie Jacobs ID March/April 96 } _______________________ Regards, Those who would have nothing to do with thorns must never attempt to gather flowers. Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From declan+ at CMU.EDU Tue Apr 2 07:39:27 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 2 Apr 1996 23:39:27 +0800 Subject: Cypherpunks investigated, FOIA? Message-ID: >From sgs at well.com: Have the cypherpunks requested data on whether they are being investigated by the same agencies under the FOIA individually or as a group listed by that name? If so, what are the results, if any, so far? Does anyone know if this has been done? The FOIA, that is. -Declan From jdcooley at ix.netcom.com Tue Apr 2 08:51:50 1996 From: jdcooley at ix.netcom.com (John D. Cooley) Date: Wed, 3 Apr 1996 00:51:50 +0800 Subject: ViaCrypt PGP 4.0 for Windows shipping In-Reply-To: <2.2.32.19960327060017.0090a994@mail.teleport.com> Message-ID: <4jnd37$6no@dfw-ixnews4.ix.netcom.com> Alan Olsen wrote: >I have not seen this here yet, so sorry if you have seen it... >ViaCrypt is claiming that they are now shipping the Windows version of their >PGP 4.0. (I tend to not believe marketing claims until I hear from people >who actually have it.) I have had my ViaCrypt PGP version 4.0 for windows for 1 week. >Does anyone know if there are plans for this version to be interoperable >with PGP 3.0? It is *supposed* to be interoperable with all PGP versions 2.6 and later. >Furthermore, has anyone tried the new version? I have used it, but so far have not been able to communicate with anyone that is using PGP 2.6.2. I have communicated with ViaCrypt and they are researching the problem. Yes, I used the option that is supposed to make the key interoperable with PGP 2.6.2. I followed the instructions in the book and the security note. Even did it again (generated a new key) just to make sure I did it correctly, still no go! I will not blame ViaCrypt until I know if it is my fault or not! BTW, I'm using the Business Edition. jdcooley at ix.netcom.com ////////////////////\\\\\\\\\\\\\\\\\\\\ Always do right. This will gratify some people and astonish the rest. Mark Twain ////////////////////\\\\\\\\\\\\\\\\\\\\ PGP Public Key available upon request From jsw at netscape.com Tue Apr 2 10:37:02 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 3 Apr 1996 02:37:02 +0800 Subject: caching of form posts in netscape (was:(none)) In-Reply-To: Message-ID: <3160E338.1805@netscape.com> Lucky Green wrote: > > Yes, Netscape caches passwords. > > [ forwarded message from sfnb deleted ] The problem is that form post data was being used as part of the database key for storing and accessing form posts in our cache. The current work around for this problem is to use the 'pragma: no-cache' HTTP header. I just sat down with the responsible engineer and helped him fix this. The fix will be in our next beta (marketing name of Atlas Preview Release 2, user-agent of Mozilla/3.0b3). This next beta will also include several other security/privacy related features/preferences: 1) Preference to enable sending of email address for anon ftp password. The 2.0 release always sends "mozilla@" as the anon ftp password, to protect the privacy of our users. We are now giving the user the ability to enable sending of their e-mail address if they choose. 2) Warning dialog on "mailto:" form posts. The user will be warned that the form submission is via e-mail and will be given the opportunity to cancel the operation. The warning can be turned off via a preference. 3) There will be an option to enable/disable disk caching of documents retrieved over an SSL connection. The current (2.01) behaviour is to always cache such documents in the absence of the "Pragma: no-cache" header. The new option will default to not caching SSL-fetched documents, but will allow the user to enable caching if they desire. This option will not effect caching of documents retrieve in the clear via un-encrypted http (which can be disabled by turning off the disk cache). 4) Dialog for cookie acceptance. There will be an option to enable a dialog that will be displayed whenever you are sent an HTTP cookie. This dialog will allow you to discard the cookie. 5) You will be able to disable/enable SSL2 and SSL3, and the specific cipher-suites. For example, if you use the US-domestic version of the navigator, you can turn off the export ciphers to ensure that you never send any data over SSL using 40-bit secret keys. I look forward to any feedback people may have on these new options once the new beta is out. Sorry, but I can't tell you the exact date yet... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jad at dsddhc.com Wed Apr 3 06:54:19 1996 From: jad at dsddhc.com (John Deters) Date: Wed, 3 Apr 1996 06:54:19 -0800 (PST) Subject: software with "hooks" for crypto Message-ID: <2.2.32.19960403145406.0034a4d4@labg30> At 02:31 PM 4/2/96 -0800, you wrote: >Hello all, > >I'm trying to figure out exactly what the laws are regarding the export of >software which contains "hooks" for PGP. In various forms, I've heard >that it's not the ITAR which prevents this, but more a "suggestion" by >the NSA that we "shouldn't do it." Does anyone have any pointers to >real legislation/laws regarding this? There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out there. These are other PGP front end applications such as Private Idaho, PGPShell and others that do NOT include PGP, nor do they contain any encryption code within them. These applications are all billed as "freely exportable". If your software does not contain any encryption code, such that it simply "invokes" the users separately-obtained-and-installed copy of PGP, you are not in violation of ITAR. It sounds like this is what you're doing with your "hooks for PGP". I would recommend you visit a couple of these helper application sites and check out what their authors say about the exportability of their code. You might ask them if they have encountered any legal difficulties because their code is advertised as freely exportable. Private Idaho is available at www.eskimo.com/~joelm and (rats) you'll have to hunt PGPShell down yourself. If you actually include the RSA algorithms, the IDEA algorithm, or any "cryptographic" code in your software, then yes, you could get in trouble for exporting it. Again, remember that I'm not a lawyer and that any legal advice you get from anyone on the net is worth exactly what you pay for it. -j, is anyone else finding it harder to say the "Pledge of Allegiance" to this country these days? -- J. Deters >From our _1996_Conflict_of_Interest_Statement_, re: our No Gift policy: "If you receive any alcoholic beverages, for example, a bottle of wine, you must give the gift to your location Human Resources Manager." This memo is from the Senior V.P. of Human Resources. +---------------------------------------------------------+ | NET: jad at dsddhc.com (work) jad at pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) | | PGP Key ID: 768 / 15FFA875 | +---------------------------------------------------------+ From huopio at lut.fi Tue Apr 2 15:48:10 1996 From: huopio at lut.fi (Kauto Huopio) Date: Wed, 3 Apr 1996 07:48:10 +0800 Subject: ssh won the Sampo Data Security Prize! Message-ID: The local TV news just announced that Tatu Ylonen won the Sampo Insurance Company's Data Security Prize 1996. Ssh will have a lot of good publicity here in Finland.. --Kauto *********************** Kauto Huopio (Kauto.Huopio at lut.fi) ****************** *Mail: Kauto Huopio, Laserkatu 3 CD 363, FIN-53850 Lappeenranta, Finland * *Tel : +358-53-4126573, GSM(mobile): +358-40-5008774 * ***************************************************************************** From trei at process.com Wed Apr 3 08:43:21 1996 From: trei at process.com (Peter Trei) Date: Wed, 3 Apr 1996 08:43:21 -0800 (PST) Subject: Canada's ISO standards body? Message-ID: <199604031643.IAA18779@toad.com> Simon Spero > On Thu, 28 Mar 1996 s1113645 at tesla.cc.uottawa.ca wrote: > > > Speaking of which, could someone tell me who Canada's standards body and > > rep to the ISO is (and if that's where I've gotta go to get my hands on X.509 > > and all those other X.docs.). Any addresses would be helpful too. > > Try www.itu.org (X. series docs come from the ITU, not ISO. Same text > though). While the International Triathlon Union may be a standards body in it's own field, it has shockingly little influence on the X series of communications standards. You might try the International Telecommunications Union, at www.itu.ch. > I don't think v3 has been balloted yet - that gives you a chance to > explore one of the more amusing twists of OSI standardisation- you can > get copies for free of most drafts from the editor right up until it gets > standardised. Silly, isn't it. Haven't located it yet. > Simon Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From declan+ at CMU.EDU Tue Apr 2 16:57:07 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 3 Apr 1996 08:57:07 +0800 Subject: Witch Hunts In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 31-Mar-96 Witch Hunts by Bruce Zambini at rwd.gouche > effective, critical technique. (This is, in fact, one reading of De > Sade's "pornography" -- an interesting counterexample to what was > trumpeted on _Both_ sides of the recent Firing Line debate: that > pornography or obscenity is, whether or not protected, devoid of any > intellectual content.) That's not entirely true. The ACLU's position, as provided by Ira Glasser at the debate, is that pornography is not a legal term d'art, that it is presumptively protected by the First Amendment, and furthermore that sexually explicit images are not necessarily harmful to minors. The difference between "porn" and "obscenity" is intellectual content. -Declan (Not speaking for the ACLU) From anon-remailer at utopia.hacktic.nl Tue Apr 2 17:12:42 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 3 Apr 1996 09:12:42 +0800 Subject: Please ignore this message Message-ID: <199604021427.QAA23645@utopia.hacktic.nl> Test of remailer at utopia.hacktie.nl From john at loverso.southborough.ma.us Tue Apr 2 18:52:00 1996 From: john at loverso.southborough.ma.us (John Robert LoVerso) Date: Wed, 3 Apr 1996 10:52:00 +0800 Subject: caching of form posts in netscape (was:(none)) In-Reply-To: <3160E338.1805@netscape.com> Message-ID: <199604021516.KAA08671@loverso.southborough.ma.us> > This next beta will also include several other security/privacy related > features/preferences: > 2) Warning dialog on "mailto:" form posts Also add a warning dialog on any form post that includes a file upload. This will prevent any re-occurance of the JavaScript bug I was about to exploit in 2.01 that let code upload files without the user's knowledge. (That particular bug is fixed in 3.0b2). John From fmouse at fmp.com Tue Apr 2 19:11:40 1996 From: fmouse at fmp.com (Lindsay Haisley) Date: Wed, 3 Apr 1996 11:11:40 +0800 Subject: (fwd) Russians Break RSA? (fwd) Message-ID: <199604021527.JAA05958@gateway.fmp.com> Would someone be kind enough to forward me the original article on this? "Thus spake Jim Choate" > > This is true. I read about it in The Spotlight. Or was it libernet? > > -rich > Visit Propaganda on the Barbie! > http://www-leland.stanford.edu/~llurch/potw2/ > -- Lindsay Haisley | "Everything works | PGP public key FMP Computer Services | if you let it" | available via fmouse at fmp.com | (The Roadie) | Internet finger http://www.fmp.com | | From rodger at interramp.com Tue Apr 2 19:41:13 1996 From: rodger at interramp.com (rodger at interramp.com) Date: Wed, 3 Apr 1996 11:41:13 +0800 Subject: Cypherpunks investigated, FOIA? Message-ID: <199604021537.KAA10355@smtp1.interramp.com> If it's been done, it won't likely make any difference. Information that would affirm or refute the existence of an investigation by law enforcement is exempt from FOIA. Will Rodger Interactive Week <---- Begin Included Message ----> Date: Tue, 2 Apr 1996 00:26:29 -0500 (EST) From: "Declan B. McCullagh" To: cypherpunks at toad.com Subject: Cypherpunks investigated, FOIA? Cc: sgs at well.com >From sgs at well.com: Have the cypherpunks requested data on whether they are being investigated by the same agencies under the FOIA individually or as a group listed by that name? If so, what are the results, if any, so far? Does anyone know if this has been done? The FOIA, that is. -Declan <---- End Included Message ----> From hfinney at shell.portal.com Tue Apr 2 21:22:42 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 3 Apr 1996 13:22:42 +0800 Subject: What backs up digital money? Message-ID: <199604021611.IAA08188@jobe.shell.portal.com> From: "FRank O. Trotter, III" > Ecash is a means of transferring value, currently USD at Mark Twain, > betweeen parties. Ecash, however denominated, is not a currency in > itself. I am curious to know why you say that ecash is not a currency. One of the main points of my original posting was to challenge this view. Do you simply mean that this is a matter of definitions, that ecash isn't a currency because it lacks some property X that, by definition, a currency must have (such as, it must be issued by a national government)? Or are you saying that there is an important functional difference, that ecash cannot be used as we normally use currency (that is, the dollar bills and coins in our pockets) because of reason X? If so I would like to hear what you think that reason is. The one I have seen mentioned previously is transferrability, so I discussed this in my original message. > The value unit or currency has value because people agree it has > value. CyberBucks were (and still are) somewhat convertable to > tangible goods - they are for sure convertable to intrinsic goods as > demonstrated by the CyberBucks trial. USD and DEM have value only > because we all accept them as payment - as fiat currencies there is no > formal backing. Gold has value because ... The whole issue of why dollars have value is one which is poorly understood, IMO. There are several reasons, which are inter-related. One of the big ones is that they are legal tender. This term does not mean what a lot of people think it does, but at least it means that your dollars carry certain legal weight if you have a debt that you need to pay off. Another reason dollars are accepted is because you know you can pay your taxes with them. This is something that most people have to do, and dollars are something they can do it with. Another factor is that there are long term contracts, such as mortgages, which are denominated in dollars. You can use your dollars to pay off your debt at the bank, and the bank is contractually bound to accept them (even apart from legal tender considerations), and grant you title to tangible property in return. Interestingly, the volume of outstanding mortgages is of the same order of magnitude as the circulating money supply. I know someone who claims that this is the most important factor in giving dollars value. And finally, the reason that most people think of, the fact that everyone around them accepts dollars, and presumably will do so in the future. I don't actually think this is as strong as the others, since there is no guarantee that people won't change their minds, and in fact there have been historical situations where due to hyper inflation merchants have come to view government money as almost worthless. So since these people haven't committed to accept the money, this grounding is not that strong. I think the earlier examples are more important as an ultimate grounding, although they are not cited as frequently. > Ecash puts banks back into the business of being banks - acting as a > storehouse of value, and as a means to transfer this value, all for a > fee. The early bank models were exclusively along these lines, with > the various lending and investing functions added later. I would expect that an ecash issuing bank would make ecash loans just as it makes other forms of loans. So I don't see ecash as making this kind of difference in a bank. Just because a bank issues ecash it's not going to roll back the clock to the 18th century. One of the big advantages of multiple ecash currencies is that it turns out that there is automatic control of inflation. A bank which issues too much currency (relative to its reserves) will find it becoming worth less because it is trusted less. There is an automatic balancing act. We see the same thing in the international currency markets with government currencies. In the olden days, when international trade was less important, a government could inflate without feeling much pain. But today its currency will lose value, which will hurt its balance of trade and make it hard to acquire foreign goods. So this puts a brake on the ability of governments to play games with the money supply. The same factor would be expected to occur with private currencies. Hal From CINDYV at sierra.com Tue Apr 2 21:40:31 1996 From: CINDYV at sierra.com (Sierra On-Line) Date: Wed, 3 Apr 1996 13:40:31 +0800 Subject: E-News! Message-ID: <199604021514.HAA01321@www.sierra.com> Sierra On-Line E-News Issue 1.1, April 1996 ------------------------------------------------------------------ Welcome to the first ever Sierra On-Line electronic newsletter! It's informative, it's free, and it doesn't kill any trees. In each issue, you'll find information on new releases, behind-the-scenes peeks at products in development, great bargains you won't be find anywhere else, and possibly even a hint or two. Look for the following departments (and make sure to check the end of this newsletter for a chance to win five free Sierra games!): *Headlines (news so hot, we had to mention it first) *Games (there's always an adventure in store at Sierra) *Home Productivity (great stuff for the home system) *Kidstuff (products even a mother will love) *The Virtual Store (hot deals and bargain prices) *Web News (what's new with Sierra's website) *Technical Support (don't blow up that computer!) You're getting this newsletter because you clicked one of the "yes, I'd like more information" boxes when you registered on our website. Assuming that we aren't kidnapped by Martians (always a danger), you'll find one of these virtual newsletters in your mailbox about once a month. If you'd like to unsubscribe for whatever reason (too much mail already, allergic to newsletter electrons, gave up computer games so you'd have more time for macrame), all you need to do is mail us at UNSUBSCRIBE at SIERRA.COM, with your e-mail address as the Subject: line. If you later regret the decision and would like to re-subscribe, just send a note to SUBSCRIBE at SIERRA.COM. And now, with the administrative stuff out of the way, let's go on to the interesting bits: HEADLINES ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ New Member of the Sierra Family ---------------------------------------- The big news here is Sierra's acquisition of Papyrus, maker of the top-selling Indy Car and NASCAR racing simulations. And with games as incredible as those, who wouldn't want to buy the company? Well, apparently the Software Publishers Association shares our opinion, since Indy Car II just won no less than two Codie awards, one for Best Sports Software and the other for Best Simulation Software Program. If you haven't seen Indy Car II, you may want to check it out. After all, if your last name's not Unser or Andretti, this may be your only chance to win! http://www.sierra.com/sierra/papy/home.htm GAMES ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Everybody Wants To Rule The World ------------------------------------------- Have you ever had one of those days when you're sitting at your desk, looking at everybody else's emergencies spilling out of your in-box, and think to yourself, "You know, if I were king of all these idiots, I'd feed `em to the crocodiles"? Well, your chance at imperialist expansion is on the way. We've just put the finishing touches on The Rise and Rule of Ancient Empires. Imagine the opportunity not only to carve your own empire out of untamed wilderness (or out of the ruins of your enemies' cities), but also to stomp your friends and co-workers along the way! Rise and Rule has everything going for it: full modem and network support, a wide range of cultures to choose from, a great CD-audio soundtrack, lots of fully-rendered cut-scenes, even different architectural graphics depending on which culture you're playing. If you liked Caesar II, then this game is the next step forward. Our Technical Support department has been playing a lot of it after-hours, and I think i! ! t's safe to say that we're hooked. Bottom line: this is definitely THE game for anyone with a taste for global conquest. http://www.sierra.com/games/riserule News From The Officers' Club ---------------------------------- If it's contemporary warfare that you're after, then you'll definitely want to check out Silent Thunder: A-10 Tank Killer 2. This is one kicking, white-knuckled, joystick-killing ride. Even the critics are raving: PC Gamer says that Silent Thunder has "the best terrain graphics ever seen in a flight sim" and Strategy Plus says that it includes "incredible terrain graphics and all the best features of the original A-10 game, pushed to current cutting edge levels." My cousin says that it's an absolute nuisance, since now he can't get his wife off the computer. If you're a fan of the original A-10 Tank Killer, or of combat flight simulations in general, you'll find a lot to like in this game. And, since it is just a game, the best part is that even if you crash into the ground in a ball of flames and twisted metal, the worst thing that might actually happen is that you'll spill your drink into the keyboard when smashing both fists into the computer table. http://www.sierra.com/games/sttank Surface To Air ---------------- If you prefer futuristic combat, then perhaps you're ready to fight that final desperate battle against Cybrid world domination. In the newly-released EarthSiege 2, that war will turn about as vicious as a mother rhino protecting her young. All-new HERCs with all-new weaponry maximize the possibility for destructive fun. And if you ever found yourself playing the original EarthSiege and saying, "You know, I could take that bad boy out in three seconds if this thing could only FLY," you're in luck; one of the new HERCs is an airborne combat monster. So sign on for another tour of duty, and this time we'll promise you the dream of every HERC pilot ... bigger guns. http://www.sierra.com/games/es2 Desktop Athletes Battle It Out Online -------------------------------------------- On the interactive end of things, the results are in from the first-ever "Sierra Bowl". If you're not a CompuServe or America Online user, you may have missed out on hearing about this, but it was an absolute blast! The champion of AOL's Front Page Sports: Football Pro league faced off against CompuServe's champion in a winner-take-all game held just before the real Super Bowl. We ran the game right here at Sierra on a copy of FPS: Football Pro `96, and simul-cast all the action live on both AOL and CompuServe. (Hey, none of us had tickets to the real Super Bowl, so we had to make our own!) The winner was CompuServe's Chris Muller (representing Dallas), who took home a plethora of nifty prizes including a color TV, 10 hours of free online time on both AOL and Compuserve, a Barry Sanders autographed football, a Football Pro Design Team T-shirt, and, of course, the coveted Sierra Bowl trophy. http://www.sierra.com/sierra/online/ossb/ossb.htm KIDSTUFF ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Kudos For "Lost Mind Of Dr. Brain" ------------------------------------------- Bragging time: one of my favorite Sierra programs just won the Software Publishers Association's Codie award for Best Home Learning Program for Adolescents. And if you think that The Lost Mind Of Dr. Brain is only for kids, then you're in for a surprise the first time you find yourself trying desperately to get past the Synaptic Cleft puzzle just ONE LAST TIME ... at three in the morning. I speak from experience. Don't say I didn't warn you. http://www.sierra.com/games/drbrain "Playtoons" `Toons In -------------------------- If you've got kids, then you're probably very familiar with Saturday morning cartoons. Kids and `toons go together like peanut butter and jelly (or, in my cousin's house, peanut butter and waffles ... bleah). Now you can give your kids the tools to create their very own cartoons on your home PC or Mac. Sierra's new Playtoons series gives kids a chance to write, direct, edit, record, and play a nearly limitless set of animated sequences in a variety of absurd and fun situations. Educators would say that it "promotes creative thinking." This is true, but personally what I would say is that it keeps them off the TV so you can watch reruns of "The Dukes of Hazzard". (Two great reasons to pick up a copy!) Look for no less than four new Playtoons titles in the near future. WEB NEWS ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ If it's been a while since the last time you logged onto our website, there's a few good reasons to go take another look. One I think you'll particularly like is our new Chat area. (Right now, this area is open to Netscape 2.0 users only, but we're working on it!) We'll be using the Chat forum to host regular conferences with game designers and developers. To start it off, we hosted a discussion on Friday, March 15th, with the designers of the upcoming Front Page Sports: Baseball `96. And to celebrate the fact that we signed last season's Cy Young award winner Randy Johnson to help us out with this new game, we even gave away free Sierra products during the chat session. Sound cool? Then be there for the next one! http://www.sierra.com/bin/club/chat/sierrachat THE VIRTUAL STORE ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Never got around to dogfighting those German aces? Somehow neglected to find time to build that worldwide automobile manufacturing empire? Spent the last two years sitting on your butt instead of getting out there and saving the environment? GREAT! It's always nice to meet a fellow procrastinator, so we'd like to reward your tardiness with fabulous prices on the games you missed out on. We call them the SierraOriginals, and we're selling them for dirt-cheap. $14.95 will get you any of these titles on CD-ROM: Red Baron (plus a free copy of A-10 Tank Killer), Detroit, EcoQuest: The Search for Cetus, The Even More Incredible Machine, Quest for Glory IV, King's Quest VI, Leisure Suit Larry in the Land of the Lounge Lizards (and this isn't the old type-`til-you-bleed version either, but the updated point-and-click interface), Gobliiins, Gobliins 2 (yes, the preceding two titles do indeed contain the correct number of "i"s), my personal favorite (for sheer mayhem value), The! ! Incredible Toon Machine, or just a mess of other titles. You can find them in your local software store, or order them directly from our website's online store or from the legion of telephone customer service representatives at 1-800-SIERRA5. Then you can tell that third-grade teacher who used to lecture you about punctuality that you paid about thirty bucks less per game than she did. http://www.sierra.com/games/originals/index.html ONE MORE THING ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ If you're anything like me, the one thing better than dirt-cheap games is free games, so I'll throw a few of those in here as well. I just so happen to have a big batch of SierraOriginals titles sitting at my desk (got them through the departmental budget by calling them "research materials") and I'm holding a contest to give `em away. And since I hate random drawings (since they involve no thought) and essay contests (since I'd have to read all your entries, and I do have somewhere I need to go this year), we're going to do this a little bit differently. One of the SierraOriginals is "Leisure Suit Larry in the Land of the Lounge Lizards." There are a lot of letters in that game title, and if they were in a different order, it stands to reason that they'd make other words and sentences. What I'm looking for is the most creative sentence which can be made from the letters in the game title. You don't have to use all of the letters, but each letter can only be used once (t! ! here's only one "g" in the title, so there'd better only be one "g" in the sentence). You may use as much punctuation as you need. Send your sentences to PRIZE at SIERRA.COM. Whichever entry I think is the coolest (that's right, just me, no panel of impartial judges, sorry) wins your choice of any FIVE SierraOriginals games. That should keep you busy for a while. And that's about everything I can fit into one issue. Fun info next month on Betrayal In Antara and the Mac version of Space Quest 6, so stay tuned, and happy gaming! ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Visit the Sierra On-Line website at: http://www.sierra.com To unsubscribe from this newsletter: UNSUBSCRIBE at SIERRA.COM Please remember to put your e-mail address all by itself in the Subject: line when you try to unsubscribe, or (guess what?) it won't work. Comments? Suggestions? Family recipes for lasagna? Great! Just send them to CindyV, at the following address: CINDYV at SIERRA.COM If the volume of mail is staggering, it may take me a day or two to reply, but I will answer each and every e-mail, because your comments are important to us (and also because I'm a certified e-mail junkie, just one step away from E-Mailers' Anonymous). From stillson at ashd.com Tue Apr 2 22:00:55 1996 From: stillson at ashd.com (Chris Stillson) Date: Wed, 3 Apr 1996 14:00:55 +0800 Subject: (fwd) Russians Break RSA? Message-ID: <199604021654.KAA17128@bach.ashd.com> at Kryptogorodok, the secret city of Soviet cryptographers >hidden in the Urals (and first visited by an outsider, Stephen >Wolfram, only a couple of years ago). > Nice touch. I worked at Wolfram Research a few years ago, and wolfram actually was in Russia for a tour. Chris ############################################ Chris Stillson Chief Rocket Scientist Resident Web Geek Hip Young Nerd Second Rate graphic designer Unix Guru In other words, Webmaster American Software & Hardware Distributors fluffy at ashd.com Check out our web site-> http://www.ashd.com Cause I did it all.... stop the CDA. Check http://www.eff.org ############################################ From maldrich at grctechs.va.grci.com Tue Apr 2 22:23:30 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Wed, 3 Apr 1996 14:23:30 +0800 Subject: J Bell's Moniker (WAS: Re: NYT on CFP) In-Reply-To: Message-ID: On Mon, 1 Apr 1996, jim bell wrote: > > The proposal drew some opposition. "I think we'll regret it > > down the road," said Dorothy E. Denning, a professor of > > computer sciences at Georgetown University and a computer > > security consultant to the military. Dr. Denning and others > > have argued that the use of unrestricted encryption would > > thwart the ability of law-enforcement and intelligence > > agencies to conduct wiretaps on messages sent by foreign > > spies, terrorists, child pornographers and other criminals. > > Damn! They keep leaving me out of their short list! Maybe they meant to > lump me in with the groups they mentioned. I'm an American, so I can't be a > "foreign spy," and my supply of child pornography is at a constant zero > level. I'd sure hate to be lumped into an ignominious position with the > "other criminals," however: What an unimpressive title! > > Maybe I'll just have to settle for being called a terrorist. Harrumph! OK, Jim, I'll take the bait: What, per chance, _DO_ you want to be called? ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From anon-remailer at utopia.hacktic.nl Tue Apr 2 22:45:43 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 3 Apr 1996 14:45:43 +0800 Subject: No Subject Message-ID: <199604021835.UAA05687@utopia.hacktic.nl> Test of remailer at utopia.hacktie.nl From me at muddcs.cs.hmc.edu Tue Apr 2 23:28:10 1996 From: me at muddcs.cs.hmc.edu (Michael Elkins) Date: Wed, 3 Apr 1996 15:28:10 +0800 Subject: software with "hooks" for crypto Message-ID: <199604022231.OAA10821@muddcs.cs.hmc.edu> Hello all, I'm trying to figure out exactly what the laws are regarding the export of software which contains "hooks" for PGP. In various forms, I've heard that it's not the ITAR which prevents this, but more a "suggestion" by the NSA that we "shouldn't do it." Does anyone have any pointers to real legislation/laws regarding this? Also, since we all know that our gov't thinks it perfectly legal to export source code in hardcopy form (albeit with a license, right?) I was wondering... I've written a Unix e-mail client which contains support for PGP/MIME and also a front end for mixmaster. Right now I basically reap all the "bad" code before I distribute it (at _least_ 50% of my testers are outside the US). However, this has been annoying for those users because they want to be able to use the PGP support (so do I!). So, what I'm wondering is what the laws are regarding snail-mailing source code to these people. The actually pgp/remailer stuff isn't more than a few pages of code, which could easily be transcribed or scanned in with OCR software. Would I have to get a "license for export" in order to send the code outside the US? It's worth the $1.00 it would cost to do this if it really is legal... me -- Michael Elkins http://www.cs.hmc.edu/~me PGP key fingerprint = EB B1 68 32 3F B5 54 F9 6C AF 4E 94 5A EB 90 EC From foodie at netcom.com Wed Apr 3 00:19:58 1996 From: foodie at netcom.com (Jamie Lawrence) Date: Wed, 3 Apr 1996 16:19:58 +0800 Subject: (fwd fyi) SecureNet to allow classified data on the I'net?? Message-ID: --- begin forwarded text Date: Mon, 1 Apr 1996 17:11:21 -0800 From: jwarren at well.com (Jim Warren) Subject: (fwd fyi) SecureNet to allow classified data on the I'net?? For whatever it's worth -- from an unknown source inside a govt lab, forwwarded to me by an outside friend. Distribute freely, as far as I'm concerned. --jim Jim Warren, GovAccess list-owner/editor (jwarren at well.com) Advocate & columnist, MicroTimes, Government Technology, etc. A "Superlab" linking the computational resources of four national laboratories has come a big step toward becoming a reality with the opening of SecureNet -- a network for transmitting secret and classified data over the Internet. Bing Young, who led the Lab's part in the project, says the new network is still only a "dirt road" able to transmit data at 1.5 megabits/second. However, he says new encryption technologies will bring the network up to information superhighway speeds over the next year. Young will discuss SecureNet in a presentation at 10 a.m., Wednesday, April 3, in Bldg. 113, room 1104. Green-badge employees only. The Department of Energy gave approval in March for the network developed by the Lab, Los Alamos and the two Sandia laboratories to improve scientific collaboration in Stockpile Stewardship programs. --- end forwarded text From jimbell at pacifier.com Wed Apr 3 00:33:04 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Apr 1996 16:33:04 +0800 Subject: ACM/IEEE Letter on Crypto Message-ID: At 04:24 PM 4/1/96 -0500, Dave Banisar wrote: > Association For Computing Machinery [address deleted] > Institute of Electronics and Electrical Engineers [address deleted] >April 2, 1996 [thank heavens it wasn't April 1!] >Honorable Conrad Burns >Chairman, Subcommittee on Science, Technology and Space [etc] >Dear Chairman Burns: > > On behalf of the nation's two leading computing and engineering >associations, we are writing to support your efforts, and the efforts of >the other cosponsors of the Encrypted Communications Privacy Act, to >remove unnecessarily restrictive controls on the export of encryption >technology. The Encrypted Communications Privacy Act sets out the >minimum changes that are necessary to the current export controls on >encryption technology. However, we believe that the inclusion of issues >that are tangential to export, such as key escrow and encryption in >domestic criminal activities, is not necessary. The relaxation of >export controls is of great economic importance to industry and users, >and should not become entangled in more controversial matters. As far as it goes, and considering that it's from an industry group, this sounds like an excellent response to this Burns bill proposal. (Not "Bill," because it's still not available, apparently.) This response is probably as close as we can expect to a repudiation of the Leahy bill. It still isn't clear, though, whether the Burns bill is intended to be just an elimination of export controls on encryption, or whether it will contain other provisions. My question, which still hasn't been answered, is: "Does this bill exist yet?" The answer is really not inconsequential, because if it _isn't_ at least sketched out yet, then that either should give us the opportunity to add provisions we want, or alert us that there is still the risk from Denning-types of including provisions we don't want. Either way, action is called for, if only action to keep somebody else from taking action. I don't have any objection to a bill which merely eliminates export requirements on encryption; that would be a substantial step in the proper direction. If that's the best we can do for this session of Congress, I hope we can achieve this as a stepping-stone. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Wed Apr 3 00:35:42 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Apr 1996 16:35:42 +0800 Subject: J Bell's Moniker (WAS: Re: NYT on CFP) Message-ID: At 12:06 PM 4/2/96 -0500, Mark Aldrich wrote: >On Mon, 1 Apr 1996, jim bell wrote: >> Damn! They keep leaving me out of their short list! Maybe they meant to >> lump me in with the groups they mentioned. I'm an American, so I can't be a >> "foreign spy," and my supply of child pornography is at a constant zero >> level. I'd sure hate to be lumped into an ignominious position with the >> "other criminals," however: What an unimpressive title! >> >> Maybe I'll just have to settle for being called a terrorist. Harrumph! > >OK, Jim, I'll take the bait: > >What, per chance, _DO_ you want to be called? What I was trying to suggest, in a suitably humorous way, is the fact that the government really isn't concerned about these "bad guys," and in fact is (or, ought to be) more worried about technological developments that will (and should!) make governing populations increasingly difficult. It doesn't want to admit this, but that's still the truth. I'm sure they have advisors who are telling them what is going to occur, and if they're at all on the ball they're desperately working to try to figure out if these eventualities can be prevented. I don't think they'll be successful, but it is still possible to identify many of their efforts such as the Clipper I and Clipper II proposals, both of which were abject failures, and the Digital Telephony bill, which despite the fact it passed has not been funded, and others. I view the Leahy bill as a somewhat more "realistic" proposal in this series, in the sense that they got a bit smarter about their proposals, putting some tasty bait in the trap. It's still a trap. I was also trying to point out that when the government views just about all its enemies as "foreign spies, child pornographers, other criminals and terrorists," its task is to fit all the people who are REALLY dangerous to it into one of these pre-defined molds. I am reminded of the saying, "When the only tool you have is a hammer, you begin to treat all problems as if they are nails." So I wonder what kind of "nail" I'm going to be. One last thing: I don't really know what I'd like to be called, but maybe "the last revolutionary" is appropriately melodramatic. Because what I'm promoting will be, literally, the LAST revolution society will ever need. Jim Bell jimbell at pacifier.com From daw27 at newton.cam.ac.uk Wed Apr 3 00:40:30 1996 From: daw27 at newton.cam.ac.uk (D.A. Wagner) Date: Wed, 3 Apr 1996 16:40:30 +0800 Subject: Chaumian ecash without RSA In-Reply-To: <199604021544.HAA26145@dns2.noc.best.net> Message-ID: <199604021555.QAA16166@jordan.newton.cam.ac.uk> > 1: A coin is almost twice the size of a coin in the RSA protocol Nah, it can be the same size as in the RSA-based Digicash protocol. (Pick x to be 128 bits, and repeatedly iterate SHA to get a 1024 bit y value, like Digicash does in their RSA-based Chaumian protocol.) > 2: Nobody except the bank can verify that a coin has face validity. So your comment makes me glad I posted the scheme (even if it turns out to be only of academic interest :-). I claim that statement 2 is also true of Digicash's protocol as well. Recall that Digicash is using an *online clearing* protocol-- so you can't tell whether a coin is valid without consulting the bank. Consulting the bank is absolutely necessary to prevent double spending. So if you ever wrote an application which made a security-critical decision based on whether the RSA signature verified correctly in the Digicash protocol, and you didn't consult the bank re: double spending, you'd be 100% vulnerable to a simple double spending attack. In particular, I claim that the only reason the bank needs to publish its RSA public exponent e is to allow you to blind the RSA signature: it's specifically *not* intended for you to verify coin validity. Everyone, feel free to jump in correct me if you disagree. > For computer mediated management of contracts, transactions, and > credit ratings, we need contracts such that all intermediate > transactions can be reduced to locally verifiable cryptographic > protocols. Well, if that's what you want, no currently shipping protocol gives you that. The current Digicash protocol does *not* let you do offline clearing. I don't claim to be able to solve the offline clearing problem; I just hoped to point out that there is/(seems to be) nothing special about RSA. (Indeed, one researcher has kindly emailed me to point out that several well-known digital cash schemes use a El Gamal-based protocol.) From remailer at yap.pactitle.com Wed Apr 3 16:41:23 1996 From: remailer at yap.pactitle.com (Yap Remailer) Date: Wed, 3 Apr 1996 16:41:23 -0800 (PST) Subject: National id already here? Message-ID: <199604040035.QAA24941@yap.pactitle.com> http://www.aamva.net/AAMVAnet_New_Systems.html says: Coman said [police] officers can use "CDLISCheck" to access commercial driver license status, history and AKA information. She noted that the new service was developed in response to a Congressional mandate that requires access to commercial carrier and driver information by at least 100 roadside sites by 1996 and at least 200 locations by 1997. There's a congressional mandate for nationwide online id??? From rah at shipwright.com Wed Apr 3 00:46:05 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 3 Apr 1996 16:46:05 +0800 Subject: What backs up digital money? Message-ID: At 11:11 AM 4/2/96, Hal wrote: > I am curious to know why you say that ecash is not a currency. One of > the main points of my original posting was to challenge this view. I'd like a shot at this... I sort of blurted this at the coin-BOF at CFP96, and I think I'll still own up to it, viz, When money finally goes onto the net, and never comes back, the digital bearer certificates we call ecash will be a currency. Until then, it's just a script. Or is it an interestless bond? ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From enquirer at alpha.c2.org Wed Apr 3 16:51:26 1996 From: enquirer at alpha.c2.org (enquirer at alpha.c2.org) Date: Wed, 3 Apr 1996 16:51:26 -0800 (PST) Subject: Cypherpunk Enquirer Message-ID: <199604040041.QAA24115@eternity.c2.org> THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." The Enquirer has strong evidence that a group of well known cypherpunks is using the nym Jim Bell in a conspiracy to wheedle a free legal education out of the Black Unicorn. As one of the anonymous unindicted co-conspirators stated recently on the semi-secret coderpunks mailing list, "If Mr. Bell had not already existed, we probably would have been forced to invent him." Mr. Bell has pleaded innocent to charges that he is assisting the group, stating that his judgement was impaired by the ingestion of large quantities of sugar in the form of Hostess chocolate covered cupcakes, otherwise know as the "Ding Dong Defense". Microsoft announced today that it has achieved B1 Orange Book security on a Windows NT box by encasing the computer in concrete and sinking it to the bottom of the Marianas Trench. C2 security had previously been attained for Windows 95 by adding a warning message that the C2 rating was voided by any use of the I/O bus. In other news, the DoD has announced it is suing c2.org for unauthorized appropriation of the C2 security designation. A DoD spokesperson stated that, "they can use the C2 designation all they want to as long as they don't hook it up to a network." Novell has announced that all future versions of Netware will abandon their proprietary IPX protocol, in favor of IPv6. "That way," claimed a Novell spokesperson, "we won't have to worry about Netware 5.0 for at least a couple of years, and if we still can't get it out in time, we'll just announce that we're waiting for PGP 3.0." Timothy May is spending his recuperative time in the Corralitos General Hospital learning some Spanish. Mr. May suffered a broken nose, a sprained neck, and multiple bruises and contusions in a local Mexican restaurant after a friend jokingly told him that the Spanish translation of "Where's the restroom?" was "Puta tu madre". Perry Metzger announced a new theoretical attack on so-called 'smart card' technology such as the Fortezza card. Using the newly developed Continuous Atomic-Level Asynchronous Magnetic Array Resonance Interferometer, Mr. Metzger speculated that it should be possible to train a school of the little nanotechnological wonders (also affectionately known as "Detweilers" because of their many tentacles) to swim up a PCMCIA port and back out the NSA's secret trap door with code fragments clutched in their suction cups. Raph Levien lost an important court case recently, when a federal judge ruled that his son (born March 17, 1996) will legally be known as Alan Mathison Levien until he's old enough to decide for himself whether he wants to be named after his PGP key fingerprint. Netscape Communications announced today that they were launching a hostile takeover bid of $35/share for Lance Cottrell in order to get his highly coveted export-controlled ftp site technology. Netscape engineers, stymied after a year and a half of effort to code a secure export- controlled ftp site, have hailed the new acquisition. Jeff Weinstein, Electronic Munitions Specialist at Netscape, stated, "Now we'll finally be able to offer the same RC4 128 security to our beta testers as we offer to our regular clients. Non-domestic users, unfortunately, will still have to install it themselves by copying it off the T-shirts." Employees of the FBI have banded together to purchase director Louis Freeh a cowboy belt with his name embossed on the back, so that when the proctologists at Bethesda Naval Hospital finally get his head unstuck, he'll be able to see who he is. After a recent discussion of WWII "codetalkers" on the cypherpunks mailing list, the NSA and DoD have banned Native Americans of Navahoe descent from leaving the country without first filing a CJR. The sale of Internet Security Guaranteed to the Elementrix Corporation for one dollar was cancelled today after San Francisco securities analysts Hambrecht and Quist declared ISG 'overvalued'. CERT has announced the first discovery of a computer 'prion'. The prion, which affects only Microsoft's Explorer web browser, causes the victim's hard drive to slowly fill with holes until his data turns to mush. Bill Gates reportedly started foaming at the mouth when told of the new threat to Internet security, causing Microsoft employees to dub the new affliction "Mad Bill Disease", which resulted in Mr. Gates being banned in Britain. Next in the Enquirer: Direct from the CDA hearings, Marty Rimm and Dorothy Denning demonstrate the "Rimm" job. From enquirer at alpha.c2.org Wed Apr 3 16:51:27 1996 From: enquirer at alpha.c2.org (enquirer at alpha.c2.org) Date: Wed, 3 Apr 1996 16:51:27 -0800 (PST) Subject: Cypherpunk Enquirer Message-ID: <199604040040.QAA24093@eternity.c2.org> THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." The Enquirer has strong evidence that a group of well known cypherpunks is using the nym Jim Bell in a conspiracy to wheedle a free legal education out of the Black Unicorn. As one of the anonymous unindicted co-conspirators stated recently on the semi-secret coderpunks mailing list, "If Mr. Bell had not already existed, we probably would have been forced to invent him." Mr. Bell has pleaded innocent to charges that he is assisting the group, stating that his judgement was impaired by the ingestion of large quantities of sugar in the form of Hostess chocolate covered cupcakes, otherwise know as the "Ding Dong Defense". Microsoft announced today that it has achieved B1 Orange Book security on a Windows NT box by encasing the computer in concrete and sinking it to the bottom of the Marianas Trench. C2 security had previously been attained for Windows 95 by adding a warning message that the C2 rating was voided by any use of the I/O bus. In other news, the DoD has announced it is suing c2.org for unauthorized appropriation of the C2 security designation. A DoD spokesperson stated that, "they can use the C2 designation all they want to as long as they don't hook it up to a network." Novell has announced that all future versions of Netware will abandon their proprietary IPX protocol, in favor of IPv6. "That way," claimed a Novell spokesperson, "we won't have to worry about Netware 5.0 for at least a couple of years, and if we still can't get it out in time, we'll just announce that we're waiting for PGP 3.0." Timothy May is spending his recuperative time in the Corralitos General Hospital learning some Spanish. Mr. May suffered a broken nose, a sprained neck, and multiple bruises and contusions in a local Mexican restaurant after a friend jokingly told him that the Spanish translation of "Where's the restroom?" was "Puta tu madre". Perry Metzger announced a new theoretical attack on so-called 'smart card' technology such as the Fortezza card. Using the newly developed Continuous Atomic-Level Asynchronous Magnetic Array Resonance Interferometer, Mr. Metzger speculated that it should be possible to train a school of the little nanotechnological wonders (also affectionately known as "Detweilers" because of their many tentacles) to swim up a PCMCIA port and back out the NSA's secret trap door with code fragments clutched in their suction cups. Raph Levien lost an important court case recently, when a federal judge ruled that his son (born March 17, 1996) will legally be known as Alan Mathison Levien until he's old enough to decide for himself whether he wants to be named after his PGP key fingerprint. Netscape Communications announced today that they were launching a hostile takeover bid of $35/share for Lance Cottrell in order to get his highly coveted export-controlled ftp site technology. Netscape engineers, stymied after a year and a half of effort to code a secure export- controlled ftp site, have hailed the new acquisition. Jeff Weinstein, Electronic Munitions Specialist at Netscape, stated, "Now we'll finally be able to offer the same RC4 128 security to our beta testers as we offer to our regular clients. Non-domestic users, unfortunately, will still have to install it themselves by copying it off the T-shirts." Employees of the FBI have banded together to purchase director Louis Freeh a cowboy belt with his name embossed on the back, so that when the proctologists at Bethesda Naval Hospital finally get his head unstuck, he'll be able to see who he is. After a recent discussion of WWII "codetalkers" on the cypherpunks mailing list, the NSA and DoD have banned Native Americans of Navahoe descent from leaving the country without first filing a CJR. The sale of Internet Security Guaranteed to the Elementrix Corporation for one dollar was cancelled today after San Francisco securities analysts Hambrecht and Quist declared ISG 'overvalued'. CERT has announced the first discovery of a computer 'prion'. The prion, which affects only Microsoft's Explorer web browser, causes the victim's hard drive to slowly fill with holes until his data turns to mush. Bill Gates reportedly started foaming at the mouth when told of the new threat to Internet security, causing Microsoft employees to dub the new affliction "Mad Bill Disease", which resulted in Mr. Gates being banned in Britain. Next in the Enquirer: Direct from the CDA hearings, Marty Rimm and Dorothy Denning demonstrate the "Rimm" job. From reagle at MIT.EDU Wed Apr 3 00:57:53 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Wed, 3 Apr 1996 16:57:53 +0800 Subject: New Internet Security Survey Message-ID: <9604022119.AA27542@rpcp.mit.edu> LAS VEGAS, Nevada, April 1 (Reuter) - The overwhelming majority of America's top corporate high tech users will have implemented some Internet strategy over the next 12 months, although worries over security and distracted workers persist. A survey of 500 leading U.S. networking users found that 89 percent expect to have implemented strategies for using Internet technologies in internal corporate networks -- known as intranets -- by the end of the next 12 months. But 70 percent believe employees use the Internet for entertainment on company time and 54 percent are worried about the security of information they exchange over the Internet. A preview of the Network World 500 Internet study "Networking in the Cyber Age," jointly conducted by Network World and International Data Corp, was due to be released here on Tuesday at the NetWorld+Interop trade show. A significant portion of respondents -- 28 percent -- already make some use of Internet or intranet applications for making transactions in electronic commerce with customers, while 48 percent plan to do so in the next 12 months. "As networking enters the cyber age, it will create new electronic commerce oppertunities on the Internet, increasing general acceptance and demand," Network World president and chief executive Colin Ungaro said in a statement. Among the top five general Internet trends, 83 percent of respondents said they use the Internet for communications -- email and file sharing, while 78 percent said they use it for research, such as accessing electronic information. A majority of 55 percent said they access the Internet several times a day, and that most spend five to 30 minutes per session on-line using the global computer network. An overwhelming majority of 85 percent of respondents said they have Web servers in their organizations for Internet applications, and 73 percent for intranet use -- while 88 percent said new services will make public carriers more important to their company's enterprise network strategies. Fully 69 percent said they have remote access to local area networks for more than 200 employees. "The study demonstrates how quickly corporate America has become acclimated to Internet technologies," said John Gallant, editor-in-chief of Network World. The annual telephone survey polled 500 U.S. network users whose companies have internetworked local area networks and wide area networks and annual network expenditures of more than $5 million, with more than 1,000 employees. -- Silicon Valley Bureau +1 415 462 2610 _______________________ Regards, Those who would have nothing to do with thorns must never attempt to gather flowers. Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From jimbell at pacifier.com Wed Apr 3 01:07:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Apr 1996 17:07:49 +0800 Subject: Test case for RSA t-shirts Message-ID: At 12:33 AM 4/2/96 -0800, Jeff Weinstein wrote: >Dave Del Torto wrote: >> >> At 1:08 pm 3/30/96, Raph Levien wrote: >> > While we're on the subject, I called Sam Capino's office regarding my >> >CJR for this t-shirt, and he said they were still waiting for a response >> >from the NSA. I think my next move will be a letter asking exactly when >> >I can expect a response, and whether there's anything I can do to compel >> >a response, It was originally filed (in October) as a 15-day expedited >> >review. >> >> FYI, PRZ mentioned to me last night that the CJR on the OCR-able book of >> PGP source is still pending. The "15 days" has stretched into about a year >> in that case, if I don't have my dates/the facts wrong. Bob Prior at MIT >> would know. I'm trying to figure out what the difference is (legal) between a "book" an an "OCR-able" book. FAIK, all fonts are OCR-able, simply with widely varying degrees of difficulty. A fixed-spacing, non-microspace justified typewriter font is probably one of the easiest ones to OCR. Did the export license application for this "OCR-able" book say that "It's an OCR-able" book, or did they just include a copy of that book on paper? From jf_avon at citenet.net Wed Apr 3 01:21:50 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Wed, 3 Apr 1996 17:21:50 +0800 Subject: [MagicMoney] Passwords of various PGP keys. Message-ID: <9604030141.AB20176@cti02.citenet.net> I played with Magic Money recently. I wondered: Where are the passwords of the various PGP keys stored? Now, suppose you want to use this system for serious use: What, if any, are the critical files that must be protected from outsiders to prevent tempering (altering without the owner's ability to quickly discover the manipulation) with the system data? Is is necessary to encrypt the whole client directory when you don't use it? Ditto, for the server? JFA PGP key at: http://w3.citenet.net/users/jf_avon Jean-Francois Avon ID:C58ADD0D 96/03/01 fingerprint: 52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 Unsollicited commercial e-mail will be proofread at a rate of 165 $ U.S. per hours. Any sender of unsollicited commercial e-mail will be considered as to have accepted the above ment- ionned terms. From cpunk at remail.ecafe.org Wed Apr 3 01:40:07 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Wed, 3 Apr 1996 17:40:07 +0800 Subject: Treasure of Sierra Madres? Message-ID: <199604030045.BAA17195@pangaea.hypereality.co.uk> "The scent of riches wafting from cyberspace is overpowering." Free CSI Report Explores Threats to Secure Electronic Commerce San Francisco, April 2 -- The drive toward Internet commerce is unstoppable. But how serious are the security threats associated with it? And how effective are the proposed solutions? Computer Security Iinstitute's "Special Report on Electronic Commerce Security: Treasure of Sierra Madres?" offers a comprehensive look at the risks, threats and vulnerabilities of Internet-based transactions. Will the profits justify the risk? What lessons can be drawn from recent revelations such as the vetting of Netscape, the robbing of Citibank, the ransacking of the Netcom and the Kocher "timing attack?" This latest "CSI Special Report" contains insightful answers from a broad range of experts including Dr. Gene Spafford of Computers, Operations, Audit, Security and Technology (COAST), Donn B. Parker of SRI International, Dan Farmer, co-author of SATAN, and Mack Hicks, Vice President of Bank of America. "The scent of riches wafting from cyberspace is overpowering," comments Richard Power, CSI editor and author of the report. "The risk of failing to go on-line is perceived as greater than the risk of failing to go on-line securely. But recent revelations about vulnerabilities in Java and Netscape highlight how much still needs to be done." The 19-page study includes practical tools such as electronic commerce security checklists and sample electronic commerce policies. To obtain a free copy of CSI's "Special Report on Electronic Commerce Security" email your mailing address to prapalus at mfi.com, phone 415-905-2310, or fax 415-905-2218. Computer Security Institute (CSI) is the industry's leading international membership organization specifically serving the information security professional. Established in 1974, CSI has members worldwide and provides a wide variety of information and educational programs to assist practitioners in protecting the information assets of corporations and governmental organizations. -- From WlkngOwl at UNiX.asb.com Wed Apr 3 17:46:29 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Wed, 3 Apr 1996 17:46:29 -0800 (PST) Subject: Video retraces as a source of entropy... Message-ID: <199604040205.VAA15030@unix.asb.com> Quickie blurb on using video card retraces as a source of entropy... I've done some brief testing in the last couple of days on using the timing drift between video retrace events as a source of randomness. It seems comparable to truerand() spinners that check the system's timer ticks [which makes me leary of relying on it since it has similar strange attractors when plotted in a noise sphere, but that's another post...]. Assuming one trusts truerand spinners, this method could have some advantages over a 'pure software' method, since the video controller (and other hardware controllers which could be adapted to this) runs in 'parallel' [although it's liable to the samefluctuations in current or memory-access and other interfaces with the main system, or possibly tempest attacks for the paranoid...]. In pseudo-C: int retrace(void) { // test for video retrace #ifdef __MSDOS__ return (port[0x3da] & 8); // Some VGA, maybe EGA cards #else // your OS here #endif } [..] x = 0; while (!retrace()) x++; I've tested it as standalone routines (in Pascal and assembler) as well as a hook to the DOS idle in the background [See note about strange atteactors above]. It also seems to work while in Windows (but not OS/2?!), which is an advantage over using the system's microsecond timer alarm (which Win3 takes over). Comments? (other than "truerand is an oxymoron"....) Rob. --- Send a blank message with the subject "send pgp-key" to for a copy of my PGP key. From jimbell at pacifier.com Wed Apr 3 02:03:17 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Apr 1996 18:03:17 +0800 Subject: Witch Hunts Message-ID: At 08:55 PM 4/1/96 EST, Dr. Dimitri Vulis wrote: >Bruce Zambini writes: >> On Sun, 31 Mar 1996 JonWienke at aol.com wrote: >> > Unicorn = Detweiler = Agent Provocateur >> >> Well, I won't say it's impossible. > >Don't you get the hint -- Unicorn == Sir Lancelot == Lance. Hey, I never thought of that! I guess my knowledge of early English mythology is a bit weak. Jim Bell jimbell at pacifier.com From wombat at mcfeely.bsfs.org Wed Apr 3 02:13:19 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Wed, 3 Apr 1996 18:13:19 +0800 Subject: Why Americans feel no compulsion ... In-Reply-To: <315F53DC.4685@together.net> Message-ID: Yeah, and some americans speak C, and FORTRAN, and FORTH, and ... ---------------------------------------- Rabid Wombat wombat at mcfeely.bsfs.org ---------------------------------------- > > At 12:21 AM 3/28/96, Syed Yusuf wrote: > > >If a person who speaks three languages is tri-lingual > > >If a person who speaks two languages is bi-lingual > > > > > >What do you call a person who only speaks one language? > > > > > >An American. From survey at pathfinder.com Wed Apr 3 02:16:29 1996 From: survey at pathfinder.com (survey at pathfinder.com) Date: Wed, 3 Apr 1996 18:16:29 +0800 Subject: Pathfinder Survey Message-ID: <199604030254.VAA24829@tigger.dev.pathfinder.com.pathfinder.com> Dear Pathfinder Member: Will you help us on a very important project? You are one of a representative group of Pathfinder members that we are asking to take part in a special survey. The answers you provide us with will help us make Pathfinder a pleasurable experience for its users. Our survey is available online (you can cut and paste the URL into your browser) at: http://pathfinder.com/poll Please take a few minutes and complete the questionnaire now. Your answers will be treated in the strictest confidence. Since you are part of a small, carefully selected sample, your response is very important to the success of our study. Thank you very much for your help. Sincerely yours, Gina Monaco Market Research Manager From markm at voicenet.com Wed Apr 3 02:54:05 1996 From: markm at voicenet.com (Mark M.) Date: Wed, 3 Apr 1996 18:54:05 +0800 Subject: Majordomo and anon.penet.fi Message-ID: In case anyone is interested, I have written a patch for Majordomo 1.93 that will automatically convert an address of the form "anXXXXX at anon.penet.fi" to "naXXXXX at anon.penet.fi". I have tested the code I used to patch up Majordomo, but I haven't verified that it actually works within Majordomo. *** majordomo.pl.orig Sat Jan 7 12:34:27 1995 --- majordomo.pl Tue Apr 2 23:24:15 1996 *************** *** 81,86 **** --- 81,91 ---- $ReplyTo = $array{'apparently-from'} unless $ReplyTo; join(", ", &main'ParseAddrs($ReplyTo)) if $ReplyTo; + if ($ReplyTo =~ '^(an).*\@anon\.penet\.fi') + { + $anonid = substr($ReplyTo, 2); + $ReplyTo = "na$anonid"; + } $ReplyTo; } -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me From hfinney at shell.portal.com Wed Apr 3 02:59:47 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 3 Apr 1996 18:59:47 +0800 Subject: software with "hooks" for crypto Message-ID: <199604030147.RAA10970@jobe.shell.portal.com> From: me at muddcs.cs.hmc.edu (Michael Elkins) > I've written a Unix e-mail client which contains support for PGP/MIME and > also a front end for mixmaster. Right now I basically reap all the "bad" > code before I distribute it (at _least_ 50% of my testers are outside the > US). However, this has been annoying for those users because they want > to be able to use the PGP support (so do I!). So, what I'm wondering is > what the laws are regarding snail-mailing source code to these people. > The actually pgp/remailer stuff isn't more than a few pages of code, which > could easily be transcribed or scanned in with OCR software. Would I > have to get a "license for export" in order to send the code outside the > US? Let me first point out that this procedure is not as easy as it sounds. Phil Karn has an interesting description of what happened when he actually tried to do this, as part of his suit to try to export the Applied Cryptography source code on disk. It is at . This is something that people have talked about for a long time, and it is interesting to see what happened when he tried it: 5. I began by first photocopying, on a standard office photocopier, the 18 pages containing the Triple DES source code listing from Part V of the Book. This took about 5 minutes. Second, I scanned in the 18 sheets on a Macintosh Quadra 610 computer system equipped with an HP ScanJet II flatbed scanner and Omnipage Professional optical character recognition (OCR) software. The computer, scanner, and software are all readily available through normal consumer computer supply channels. The total scanning process took about one and a half hours. About an hour of this time was spent learning to use the scanning system and conducting trial runs, as I had only used it briefly some time ago. The actual scan of the 18 pages took about 15-20 minutes. Third, I transferred the resulting machine-readable file from the Macintosh to my own personal computer and brought it up under GNU EMACS, a popular and widely available text editing program that I have used for many years. In EMACS I compared, by eye, the scanned file displayed on my screen against the printed listing in the Book. I began correcting the scanner's many errors, such as mistaking the digit '0' for the letter 'O' or mistaking the vertical bar '|' for the letter 'I'. 6. After manually correcting those errors noticed through visual comparison with the Book, I invoked the "C" language compiler on the (partially) corrected file. The compiler immediately pointed out additional errors I had overlooked in my visual inspection so I could also correct them by reference to the Book. I also noticed several errors in the listing printed in the Book. However, the programmer's intentions were obvious from the context of each error and were easily fixed. About fifty minutes later, I successfully compiled the file without error. 7. The fourth step was to write a small test program to execute the DES code with the test vectors given at the end of the source code listing. This trivial program took less than 5 minutes to write. Unfortunately, the test did not succeed, meaning that at least one error went undetected by the compiler in either the code as printed in the Book or as scanned. Scrutinizing the code more closely, I quickly found another error in the printed version that was easily corrected. However, it still did not produce correct results. After about an hour of searching, I finally located the error in a list of numbers in a table -- another error in the printed version. By reference to the DES algorithm description in the first part of the Book, which includes the correct numbers in tabular form, I found and corrected the error. 8. At this point the test finally succeeded, so I knew I had a correct program. As you can see, it took a long time. Part of the problem was that the printed copy of the code was apparently simply wrong. Presumably if you printed it this would not be the case. Also, your code is shorter than the 18 pages that Phil had to work with. Still OCR may not be that well adapted to source code. Most texts use ( a lot more than {, and the OCR may not pick out that kind of difference well. I will also note, parenthetically, that it is a credit to Phil that he was obviously being very honest and above-board in describing what he had to go through, possibly to his (and our) own detriment. If the process of turning the book into the floppy were easier and did not appear to require so much expertise, the government's case might have been weakened. Your bigger question is about the legalities of it, and that is harder to answer. There is a continuum of cases. At one end we can say that it is apparently legal to discuss cryptographic algorithms with foreigners. This happens all the time at international conferences. As long as the material isn't classified, you can talk about the technical issues. At the other end, it is at present definitely illegal to export a working cryptographic device. In between there is a gray area. Currently it appears that exporting cryptographic source code in machine readable form on magnetic media is illegal, at least pending some resolution of the Karn suit. Probably exporting it in other ways, such as by email, would be treated the same. My guess is that exporting in machine readable form on paper, such as by a bar code, would also be equivalent. There is a little more effort involved in scanning it in, but if the bar code has good redundancy and is reliable, it is not much more. The next step is printed source code. There are fonts (or other tricks, such as per-line checksums) which can be used to make scanning this in relatively reliable. I don't have enough experience to know how good it can get. But let's suppose it were practically error-free. By the reasoning above, this would also be restricted. OCR'ing the text, if it can really be done mechanically and automatically (which is clearly not the case with the technology that Phil Karn had access to) is not much different from getting it on a floppy. Yet we know that at least in the case of Applied Cryptography the book, export permission was granted. So at least in some cases, printed source code can be exported. I understand that the PGP source code book is in an OCR friendly font. It would be interesting to hear whether Phil's experience above is actually made easier with the PGP source code book. I think the bottom line is that the government will restrict any method which makes it significantly easier for a foreigner to get working source code than by typing it in from a book by hand. (BTW, Phil's lawyer did have two secretaries do that. It took under 3 hours, although presumably the code was subject to some of two same printing errors that Phil had to fix in his test.) So my guess is that technically you could get in trouble by doing what you propose. I'm not a lawyer though - Hal From ericm at lne.com Wed Apr 3 03:28:02 1996 From: ericm at lne.com (Eric Murray) Date: Wed, 3 Apr 1996 19:28:02 +0800 Subject: Article on PGP Viacrypt In-Reply-To: Message-ID: <199604030451.UAA06038@slack.lne.com> Chris Walter writes: > > Hi Folks, > > There is an interesting article by Simon Garfinkle in this > morning's(Apr 2nd) electronic version of the San Jose Mercury news. > Its on the index page so I don't think you need an account to read > it. > > The article deals with the new key management features and extensions > in Viacrypt and how PRZ is upset since it allows employers to read > their employees messages. I read it this morning. The gist is that this new evil PGP lets your employer SPY ON EVERYTHING YOU DO! And was written in about that tone. I was disappointed by the article. I don't know if Simson is deluded about the use of Viacrypt PGP, or the article got hacked up by by ignorant/malicious editors, or my understanding of Viacrypt PGP is competely wrong. I thought the purpose to putting key escrow (that's real escrow not GAK) into PGP was to allow its use for business purposes. Often in business use you're not too concerned with keeping secrets from your employer or fellow employees, but do want to keep those secrets within the company. And there is a real concern that you might encrypt company-secret stuff and then fall off your motorcycle and get run over by a truck, leaving your securely-encrypted company secrets suddenly inaccessable to the company... Key escrow, with the keys held by the company, is designed to prevent this problem. The article failed to mention that you're not prevented from using a non-escrow PGP for personal secrets (could Viacrypt PGP prevent you from using PGP 2.6.2? I don't think so) and made it sound like Viacrypt PGP is designed to allow nosy employers to spy on employees encrypted email. I guess it would, if the employers were that nosy and the employees dumb enough to use company-provided escrowed PGP to send personal secrets. But that theory's about as credible as the Clipper chip proponents's "dumb crooks" theory where crooks would want encrypted phones but be dumb enough to forget that the Government held the keys... Simson's the one main-line journalist who writes about internet and computer issues that I still think has a clue, and has written a pretty good book about PGP, so I'd be suprised if he got this so wrong. On the other hand, I haven't used this new Viacrypt PGP and I'm going on what I think that escrowed PGP is really good for. Maybe my feeling about that have blinded me to reality. Or, most likely, the editor(s) hacked the story up either out of ignorance or to present a viewpoint that they had already decided they want to present, truth be damned. If I wanted to present a conspiracy theory about the government wanting to discourage use of PGP for businesses, this would be the place to do it. If PGP gains a foothold in the businessplace it'll be nearly impossible to eradicate, given the fact that (big) business essentially runs the country. Key escrow will make PGP a lot more usefull to businesses, increasing its use. I'm sure you can fill in the rest of the theory. > http://www.sjmercury.com/business/priv401.htm > -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From jamesd at echeque.com Wed Apr 3 03:49:26 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 3 Apr 1996 19:49:26 +0800 Subject: Chaumian ecash without RSA Message-ID: <199604030633.WAA06128@mail1.best.com> >> 2: Nobody except the bank can verify that a coin has face validity. At 04:55 PM 4/2/96 +0100, D.A. Wagner wrote: > I claim that statement 2 is also true of Digicash's protocol as well. > > Recall that Digicash is using an *online clearing* protocol-- so you > can't tell whether a coin is valid without consulting the bank. > Consulting the bank is absolutely necessary to prevent double spending. Suppose Alice generates an unsigned coin, blinds it, and shows Bob the usigned, blinded coin. Bob then has the bank sign it, and gives the signature to Alice. If we use RSA to sign the coin, Alice now knows she has a valid coin, because she can verify the coin herself without needing to show it to the bank. So Bob has paid Alice some money, and nobody can double spend the coin, because Alice, and only Alice, knows the blinding factor. So Alice does *not* need to check with the bank. Alice cannot do this with your protocol, so we cannot have payee anonymity with your protocol. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Wed Apr 3 03:50:58 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 3 Apr 1996 19:50:58 +0800 Subject: software with "hooks" for crypto Message-ID: <199604030639.WAA06486@mail1.best.com> At 02:31 PM 4/2/96 -0800, Michael Elkins wrote: >Hello all, > >I'm trying to figure out exactly what the laws are regarding the export of >software which contains "hooks" for PGP. In various forms, I've heard >that it's not the ITAR which prevents this, but more a "suggestion" by >the NSA that we "shouldn't do it." Does anyone have any pointers to >real legislation/laws regarding this? Evidently you are under the impression that we are still governed in accordance with the rule of law. Since the legislation in question was intended to prohibit gun running, it naturally contains no such thing. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From walter at cithe302.cithep.caltech.edu Wed Apr 3 04:11:25 1996 From: walter at cithe302.cithep.caltech.edu (Chris Walter) Date: Wed, 3 Apr 1996 20:11:25 +0800 Subject: Article on PGP Viacrypt Message-ID: Hi Folks, There is an interesting article by Simon Garfinkle in this morning's(Apr 2nd) electronic version of the San Jose Mercury news. Its on the index page so I don't think you need an account to read it. The article deals with the new key management features and extensions in Viacrypt and how PRZ is upset since it allows employers to read their employees messages. The URL is: http://www.sjmercury.com/business/priv401.htm -Chris walter at cithe501.cithep.caltech.edu From stewarts at ix.netcom.com Wed Apr 3 04:43:23 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 3 Apr 1996 20:43:23 +0800 Subject: Elementrix Technology Announces Power Quantum Cryptography Message-ID: <199604030716.XAA14560@dfw-ix7.ix.netcom.com> At 11:58 AM 4/1/96 -0800, sales at elementrix.co.il wrote: >By using a novel method (covered by trade secret law and now patent-pending >in 26 countries) our server software transmits packets onto your local >network without reading them, thus preserving their unique quantum >properties. Any attempt to read the packet, except by the intended >recipient will destroy the quantum waveform of the packet. Our >sophisticated error-recovery system will detect this and re-initialize >with a predefined Emergency Quantum State, which has all the same >characteristics as the Normal Quantum State, but has not been compromised >by the attempted eavesdropper. Unfortunately, the method can be cracked easily. Because the system uses two patented states, a Normal Quantum State and an Emergency Quantum State, and it's patent-pending in 26 different countries, you can divide the 26 patent-pending states by the two patented states giving a pending 13. By rotating the 13 twice, of course, the original text can be recovered. However, the method is partially useful, using a lemma by Dr. Denning. While 26 is divisible by 2, it's not divisible by 3, so the addition of a third state renders it effective again. Denning's paper recommends use of a National Security State as the additional state, which provides effective protection, additional security and supports the legitimate needs of law enforcement. So if you want your crypto to be secure, it's an offer you can't refuse... Another approach has been suggested by the Syndicate for Quantum Deconstruction, in their prescient 1998 paper "Smash the State". By deconstructing the quantum packet on arrival, an imbalance is created which can only be resolved by constructing the packet an equal time period before the origination of the packet in the Normal Quantum State. In addition to preventing the emergence of the Emergency Quantum State, it allows, and in fact requires, the packet to be present and read some time before its original transmission time. Copies of the paper are currently circulating only as preprints; the original will be posted on http://www.timenet.net/1998/Physics/~SQuD/Deconstruct.vrml as soon as it becomes available. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From stewarts at ix.netcom.com Wed Apr 3 04:50:04 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 3 Apr 1996 20:50:04 +0800 Subject: Why Americans feel no compulsion ... Message-ID: <199604030815.AAA01084@dfw-ix3.ix.netcom.com> At 09:41 PM 4/2/96 -0500, Rabid Wombat wrote: >Yeah, and some americans speak C, and FORTRAN, and FORTH, and ... This discussion is about languages for communications between _humans_ - like ALGOL, and the lambda calculus :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From tcmay at got.net Wed Apr 3 04:50:27 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Apr 1996 20:50:27 +0800 Subject: (fwd) Russians Break RSA? Message-ID: At 3:52 PM 4/2/96, Chris Stillson wrote: >at Kryptogorodok, the secret city of Soviet cryptographers >>hidden in the Urals (and first visited by an outsider, Stephen >>Wolfram, only a couple of years ago). >> > > >Nice touch. I worked at Wolfram Research a few years ago, and wolfram >actually was in Russia for a tour. > And based on an actual happening. Wolfram reasoned that the Soviets must've had a "secret city of cryptographers," as they had secret cities for several other kinds of military scientists (rockets, atomic energy, CBW, metallurgy, etc.). He speculated that the U.S. should locate this city and see if the residents needed jobs. And of course several people have speculated that if the "P ?=? NP" ball of wax has been solved by anyone, in secret, the Russians are a good bet, given their strong skills in pure mathematics. (And my choice of Kolmogorov was not just a name made up...) I first floated this April Fool's Day joke two years ago...I figured enough time had passed and enough newcomers had subscribed to make it worth posting again. Wolfram actually saw the copy two years ago and liked it. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Apr 3 04:59:52 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Apr 1996 20:59:52 +0800 Subject: Disclosure of Public Knowledge to Foreigners Message-ID: Here's a conclusion I reach at the end of this piece: "There is a reasonable chance the Supreme Court would see the overall absurdity of a situation where the knowledge is freely available to 200 million adult Americans, with no restrictions whatsover on publication, discussion, etc., and yet uttering this knowledge in front of a foreigner is a crime." At 1:47 AM 4/3/96, Hal wrote: >The next step is printed source code. There are fonts (or other tricks, >such as per-line checksums) which can be used to make scanning this in >relatively reliable. I don't have enough experience to know how good it >can get. But let's suppose it were practically error-free. Nearly error-free entry of credit card slips has been done for many years in various offshore data entry locations (Barbados was once a major center of this, with jets carrying in raw credit card slips to be processed by the Barbadans, who were highly literate and well-trained in English, and yet who worked cheap). Interestingly, according to a friend of mine (Mike Ward, of San Jose), it is much cheaper (or was when he did the analysis a couple of years ago) to have a chunk of text entered two or more times by humans and then XORed for errors than to OCR the text. This form of error correction--redundant entry--would presumably work well for Schneier's code, for example. What Phil Karn and others are doing is a useful and interesting experiment, and I join others in thanking Phil and the others. However, I think it pushes the envelope without really touching the real issues. To wit, here is my bold submission: Despite the ease with which printed text can be entered by cheap labor in nearly any country, I'll bet a lot that not a single person or foreign government got their crypto for actual use from a book! It just never was a credible claim that books like "Applied Cryptography" could represent a "leakage" of valuable crypto knowledge. (In terms of actual code--the book itself, like other books, is itself an incredibly "damaging" book for evil enemies to use to educate their cryptographers, but such is the case with nearly all technical books.) The MIT Press book of PGP's code is closer to being an important example, as approval of it for export could lead to offshore versions which are "identical" to PGP and thus eport of PGP would have been de facto approved. I submit that the issue has nothing to do with the OCR font used, modulo the points made above about a determined effort to input the text. In terms of realpolitik, a handwritten edition of the PGP code might be ignored, where an OCR version is deemed "close enough" to being actual runnable code that its export will not be approved. A distinction without a difference in my book. What we are really about to run into is the "export of knowledge" issue, which I think the Constitution will have some pretty important things to say about. (It has long been the case that certain armaments knowledge, and atomic secrets as per the Atomic Energy Act, were restricted. But this knowledge was _also_ not in the public domain. There have not been many cases that I know of where knowledge was freely discussable within, say, the United States, by any citizens (and maybe others, such as permanent residents, foreign students at colleges, etc.) and yet this knowledge could not be "exported" outside the U.S. Except with our crypto laws, and some related Munitions Act laws. There is a reasonable chance the Supreme Court would see the overall absurdity of a situation where the knowledge is freely available to 200 million adult Americans, with no restrictions whatsover on publication, discussion, etc., and yet uttering this knowledge in front of a foreigner is a crime. I don't think this would pass Constitutional muster, as the lawyers like to say. (The British at least have an Official Secrets Act. Much as I dislike that Act, at least they are more consistent in the sense of classifying things as being secret. How can the U.S. argue that knowledge available in any large library or bookstore to anyone who wants it, citizen or not, may not be "disclosed" to foreigners? If it's common knowledge, it's common knowledge!) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Apr 3 05:55:44 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Apr 1996 21:55:44 +0800 Subject: Please stop sending "Test" messages to the list Message-ID: At 6:35 PM 4/2/96, Anonymous wrote: >Test of remailer at utopia.hacktie.nl Look, folks, we're seeing more and more of these "test" messages. With 1000+ subscribers, clearly people should not be using the list as a target for test messages. And there is no need. Unlike, say, mail-to-newsgroup systems, about which there may be some doubt as to functioning, the Cypherpunks list is just another mailing address. Thus, if you can send anonymous mail to yourself--always a good test target--then you can send it to the cypherpunks at toad.com! I just deleted-and-ignored the last several of these "test" messages, but the time has come to say "Enough." (This is, naturally, not an enforceable opinion. I appeal to your common sense to not use the list as a target for test messages.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From daw27 at newton.cam.ac.uk Wed Apr 3 08:11:27 1996 From: daw27 at newton.cam.ac.uk (D.A. Wagner) Date: Thu, 4 Apr 1996 00:11:27 +0800 Subject: Chaumian ecash without RSA In-Reply-To: <199604030633.WAA06128@mail1.best.com> Message-ID: <199604031057.GAA07040@jeans.newton.cam.ac.uk> jamesd at echeque.com writes: > we cannot have payee > anonymity with your protocol. Doh! You are quite right. Good observation. Thanks for setting me straight. I think I'll go back to lurk-mode again, -- Dave Wagner From declan at eff.org Wed Apr 3 08:57:16 1996 From: declan at eff.org (Declan McCullagh) Date: Thu, 4 Apr 1996 00:57:16 +0800 Subject: CDA Court Challenge: Update #3 Message-ID: ----------------------------------------------------------------------------- The CDA Challenge, Update #3 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- April 1, 1996 PHILADELPHIA -- Chief Judge Dolores Sloviter's mouth fell open in astonishment this afternoon when net.culture guru Howard Rheingold testified that some online communities elect cyberjudges to hear disputes. Sloviter asked if realspace judges "can escape to this community?" Judge Stewart Dalzell wondered: "How are they selected? Is there impeachment?" The court's questions of Rheingold -- who appeared in a glowing blue suit, an iridescent pink shirt, and the first tie he's worn in a decade -- showed that the judges hearing our challenge to the CDA are trying hard to understand the Net. But while the three-judge panel was fascinated by Rheingold, they just didn't connect with him. This was due largely to the skilled lawyering of the Department of Justice's Patricia Russotto -- the Marcia Clark of this case. During her cross-examination, Russotto repeatedly steered Rheingold away from describing relatively understandable online communities like the WELL -- and towards hangouts like MUDs and MOOs that he said are inhabited by "dwarves, wizards, and princesses." Belittling those online communities, Russotto repeatedly dismissed them as "these fantasy worlds" and tried to confuse the judges by tossing a string of acronyms at them, staccato. Judge Dalzell rose to the challenge: "All right, I'll take the bait. What's a MUD?" Like Dalzell, Judge Sloviter is enjoying this case. As the chief judge of the U.S. Third Circuit Court of Appeals, she usually deals with lawyers, not expert witnesses, and clearly likes to quiz them herself. Responding to Rheingold's description of MUDs, she said: "I don't know about being a wizard, but I'd be a princess." Eventually the line of questioning turned to BBSs, and Russotto tried once again to damage Rheingold's credibility, saying he had stated under oath that BBSs were "open to everyone" but had just testified that adult BBSs were not. He clarified, and rallied when asked if he let his 11-year old daughter surf the Net unsupervised: "I teach her that just as there are nutritious things to put in your body, there are nutritious things to put in your mind." Russotto continued, rapidfire: "Do you really think that Hamlet depicts sexual or excretory acts in a patently offensive manner?" "You have not participated in virtual communities built around trading sexually-explicit images, correct?" "You are aware that sexually-explicit networks can form around a BBS?" "Virtual communities can form around such a BBS?" "Some Usenet newsgroups carry sexually-explicit materials?" "An ISP can decide to carry certain newsgroups?" "The particular server you're on could decide to carry the alt.sex and alt.binaries hierarchy?" The tension had heightened earlier in the day, just before lunch, when Russotto tried to prevent Rheingold from testifying. When we introduced the celebrated author of "Virtual Communities" as our witness, Russotto objected: "We would submit that his expert opinion is not relevant to this case." Battering Rheingold with a quick series of questions, the DoJer forced Rheingold to stumble. ACLU attorney Chris Hansen quickly rescued his witness and Sloviter overruled Russotto's objection: "The court will hear Mr. Rheingold." Over lunch in the courthouse cafeteria, I talked with Rheingold, who was understandably nervous from the drumming he had experienced minutes earlier. Of course, the very fact that we were chatting like old friends demonstrated the power of a virtual community -- we had communicated in one form or another every day for the last year, but we had never met in person before. Like the man himself, Rheingold's testimony was interesting and colorful, unlike that of Bill Burrington, the director of public policy for America Online, who was the first witness of the day. A good number of courtroom observers, including myself and some reporters, snoozed through most of Burrington's statements. I was more-or-less awake enough to realize that Burrington was once again characterizing AOL as a "resort pool with lifeguards" next to the wild, untamed ocean of the Internet, with its predators and sharks: "There is a channel to the Internet. You can be whisked out into the sea." His evils-of-the-Net description confused Judge Sloviter, who asked: "When you say whisked out into the sea, you don't mean involuntarily whisked?" Tony Coppolino from the DoJ cross-examined Burrington. Coppolino seems to be the most cyber-savvy DoJer and the leader of their legal team on this case. Like Russotto, he doesn't pass up an opportunity to damage the credibility of our witnesses: Judge Sloviter: "How many newsgroups are available on AOL?" Burrington: "Up to 20,000." Judge Dalzell: "I thought someone said 30,000." Coppolino: "I have a stipulation here saying 15,000." Pressed by Coppolino, Burrington admitted that AOL didn't carry Playboy or Penthouse because the material was "inappropriate for families and children." Later Coppolino suggested that AOL has problems with pedophiles and child pornographers, asking Burrington to describe a case where an AOLer found children's names from a chat room then sent them sexually-explicit images. Burrington parried: "This is the first such incident. We terminated his account immediately and are cooperating with Federal law enforcement." When HotWired honcho Andrew Anker took the stand, the questioning turned to alt.sex.bondage. Judge Sloviter started by asking: "What is alt.sex.bondage? What does that mean?" Turns out that HotWired had published a story about the newsgroup, though by the end of the questioning, the judges seemed convinced that HotWired was a net.porn haven and were surprised when Anker estimated that much less than 10 percent of his web site's content was sexually-explicit. Again, Judge Dalzell tossed us a few sympathetic questions: "If you were to label your web site as adult, would it scare off advertisers?" After some brief testimony by ACLU plaintiff Stephen Donaldson of Stop Prisoner Rape, Barry Steinhardt took the stand. Steinhardt is the associate director of the ACLU -- I first got to know him when he blasted CMU for censoring its USENET feed years ago -- and was subject to an antagonistic cross-examination from Craig Blackwell. Blackwell relied on his boss Tony Coppolino for technical tips, and stumbled a few times, like when he confused AOL with a web site on the Internet: Blackwell: "The ACLU has two Internet sites, right?" Steinhardt: "No. We have one Internet site and we are a content provider on America Online." During the DoJ's questioning of Steinhardt, a few points emerged: * The content the ACLU posts to the web and AOL is educational. * The ACLU controls content on its web site but not in AOL chat rooms and discussion groups. * The ACLU is concerned that the CDA subjects it to liability for "indecent" material, including George Carlin's monologues it has placed online. * The DoJ is trying to draw a distinction between "indecent" images of couples engaged in sexual intercourse and educational "indecent" material that they will claim is not going to be prosecuted under the CDA. We're still wondering who the DoJ will call as their pro-CDA witnesses. The two prime suspects are someone supposedly from the Department of Defense and a computer scientist from Carnegie Mellon University. I suspect that the DoD guy is the gent who's been sharing the second row of courtroom seats with me -- a grey-haired gentleman always sporting a nondescript grey flannel suit. He's been sitting on the DoJ side of the courtroom (the ACLU is on the left, of course), and after court adjourned he was confabbing with them about plans to meet later in the day. I walked over and asked Grey Flannel Suit if he was with the DoJ, and he replied: "I just do some computer work for them." I was asking Grey Flannel for his name when DoJ attorney Jason Baron jumped between us: Baron: "He can't talk to you." McCullagh: "Why don't you let him make that decision for himself?" Baron: "I make decisions for him." McCullagh: "What's his name?" Baron: "He has no comment." I'll bet anyone five bucks that Grey Flannel is from the NSA. The other pro-CDA witness is almost certainly Dan Olsen, a Mormon who is the head of the computer science department at Brigham Young University and the incoming director of the Human Computer Interaction Institute at Carnegie Mellon University. (The HCI Institute at CMU is known as a dumping ground for faculty who can't make the cut in the justly-renowned CMU computer science department.) Of course, CMU is the school that is considering what cyberlibertarian attorney Harvey Silverglate calls an "Orwellian speech code," and erotic USENET newsgroups are still banned from almost all campus computers. Since CMU spawned Marty Rimm, who tried to sell his unethical research to the DoJ and whose study helped pass the CDA, it's appropriate that CMU affiliates are helping the DoJ defend the damned CDA after all. Today's testimony ended our case, with the exception of one of our witnesses who couldn't make it earlier. Albert Vezza is the associate director of MIT's Lab for Computer Science and a PICS guru who will be testifying for us on April 12 or April 15. With the exception of Vezza, those two days will be devoted to the DoJ's arguments alleging that the CDA is constitutional and should be upheld by the court. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on 4/12, 4/15, and 4/26. The DoJ will reveal the identity of their expert witnesses on 4/3 or 4/8. Mentioned in this CDA update: Howard Rheingold CMU and the Rimm study CMU's HCI Institute Dan Olsen at BYU Censorship policy at BYU Censorship at CMU USENET censorship at CMU HotWired / WIRED PICS information These and previous CDA updates are available at: To subscribe to the fight-censorship list, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: ----------------------------------------------------------------------------- From declan+ at CMU.EDU Wed Apr 3 19:05:23 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 4 Apr 1996 11:05:23 +0800 Subject: CMU/BYU administrator helps the DoJ defend the CDA Message-ID: [Dan Olsen was hired as the director of the Human Computer Interaction Institute at Carnegie Mellon University earlier this year. --Declan] -------------------------------------------------------------------------- Date: Wed, 3 Apr 1996 09:12:20 -0700 To: "Declan B. McCullagh" From: olsen at cs.byu.edu (Dan Olsen) Subject: Re: Question >Will you be testifying on behalf of the DoJ in the CDA lawsuit in >Philadelphia? Have you been at all involved with the case? > Yes I am and yes I have. ------------- Dan R. Olsen Jr. Computer Science Department, Brigham Young University Provo, UT 84602 phone: 801-378-2225 fax: 801-378-7775 -------------------------------------------------------------------------- Date: Wed, 3 Apr 1996 09:35:39 -0700 To: "Declan B. McCullagh" From: olsencs.byu.edu (Dan Olsen) Subject: Re: Question >Dan: Thanks for replying. What are you planning to testify about? What >are your personal feelings about the CDA? How were you contacted? > I understand your interest, having read your home page. I would be happy to go over all of this with you when I actually move to CMU in July and the case has completed. Until the case is resolved, it would be inappropriate to discuss it. Thanks for your interest ------------- Dan R. Olsen Jr. Computer Science Department, Brigham Young University Provo, UT 84602 phone: 801-378-2225 fax: 801-378-7775 From Administrator_at_DCACINTS at dca.com Wed Apr 3 21:48:02 1996 From: Administrator_at_DCACINTS at dca.com (Administrator) Date: Thu, 4 Apr 1996 13:48:02 +0800 Subject: software with "hooks" for crypto Message-ID: <2.2.32.19960403215138.0032ece4@labg30> At 02:31 PM 4/2/96 -0800, you wrote: >Hello all, > >I'm trying to figure out exactly what the laws are regarding the export of >software which contains "hooks" for PGP. In various forms, I've heard >that it's not the ITAR which prevents this, but more a "suggestion" by >the NSA that we "shouldn't do it." Does anyone have any pointers to >real legislation/laws regarding this? There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out there. These are other PGP front end applications such as Private Idaho, PGPShell and others that do NOT include PGP, nor do they contain any encryption code within them. These applications are all billed as "freely exportable". If your software does not contain any encryption code, such that it simply "invokes" the users separately-obtained-and-installed copy of PGP, you are not in violation of ITAR. It sounds like this is what you're doing with your "hooks for PGP". I would recommend you visit a couple of these helper application sites and check out what their authors say about the exportability of their code. You might ask them if they have encountered any legal difficulties because their code is advertised as freely exportable. Private Idaho is available at www.eskimo.com/~joelm and (rats) you'll have to hunt PGPShell down yourself. If you actually include the RSA algorithms, the IDEA algorithm, or any "cryptographic" code in your software, then yes, you could get in trouble for exporting it. Again, remember that I'm not a lawyer and that any legal advice you get from anyone on the net is worth exactly what you pay for it. -j, is anyone else finding it harder to say the "Pledge of Allegiance" to this country these days? From kreidl at newrock.com Wed Apr 3 22:50:34 1996 From: kreidl at newrock.com (kreidl at newrock.com) Date: Thu, 4 Apr 1996 14:50:34 +0800 Subject: Digest Version??????? Message-ID: <199604032328.RAA22264@Ultra1.corenet.net> Anyone know if I can get a digest version of this??? (__) (oo) /--------\/ / | || <-- Moo.(We live in Wisconsin, the dairy state, get it?) / || || * ||-----|| ~~ ~~ Chris (or Richard) Kreidl kreidl at newrock.com From hfinney at shell.portal.com Wed Apr 3 23:15:04 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 4 Apr 1996 15:15:04 +0800 Subject: Disclosure of Public Knowledge to Foreigners Message-ID: <199604031545.HAA12637@jobe.shell.portal.com> From: tcmay at got.net (Timothy C. May) > "There is a reasonable chance the Supreme Court would see the overall > absurdity of a situation where the knowledge is freely available to 200 > million adult Americans, with no restrictions whatsover on publication, > discussion, etc., and yet uttering this knowledge in front of a foreigner > is a crime." It would be good if this happened. Yet unfortunately I think it is unlikely. Absurdity is not necessarily sufficient to invalidate a law. Especially in this case, if you read the judge's decision (at ) you see that this issue is one which is "hands off" for the judiciary. The question of designating whether items should be on the Munitions List has been found both by the courts and by the legislature to be "non-justiceable", something which the courts can't review. It is strictly in the purview of the legislative branch, which passes the law, and the executive branch, which sets the policy and creates the list. Courts are required to refrain from second-guessing them. Of course this doesn't totally close the door, and if serious constitutional questions arise, the court can consider this. Phil Karn attempted to do so, but did not succeed in this case. Unfortunately there is clear precedent at the appellate court level that First Amendment concerns are not violated by export bans. As long as you can say whatever you want domestically, the government has a lot of latitude to prevent you saying things to foreigners, even though that is illogical in many contexts. I feel, by the way, that this may soon present another line of attack on the restrictions. As the Internet becomes a dominant communications medium, it will become more true than ever that these regulations have a chilling effect on all communications relating to cryptography. I can't, right now, post crypto source code to this list without breaking the law. Nor can I post it to sci.crypt. How then can I participate in discussing these matters in detail on the Internet? Maybe I could put the material on an export-restricted disk somewhere, but that does not allow for the dynamic give-and-take which is so much a part of internet discussion. So, in the context of the net, export controls are de facto content controls on domestic discussion. For now, maybe being unable to speak in detail about crypto on the net isn't that big a handicap. But in a few years, Internet communication will be a big part of everyone's lives (arguably) and being unable to present certain information will produce a stronger First Amendment violation. A couple more comments on Tim's message: > Interestingly, according to a friend of mine (Mike Ward, of San Jose), it > is much cheaper (or was when he did the analysis a couple of years ago) to > have a chunk of text entered two or more times by humans and then XORed for > errors than to OCR the text. This form of error correction--redundant > entry--would presumably work well for Schneier's code, for example. I can certainly believe it after reading about Phil's efforts. And as I point out, he actually did have a secretary type it in. It is disturbing, though, that the book had errors in it. I wonder if it was typeset by hand? Is that possible in this day and age? > What we are really about to run into is the "export of knowledge" issue, > which I think the Constitution will have some pretty important things to > say about. (It has long been the case that certain armaments knowledge, and > atomic secrets as per the Atomic Energy Act, were restricted. But this > knowledge was _also_ not in the public domain. There have not been many > cases that I know of where knowledge was freely discussable within, say, > the United States, by any citizens (and maybe others, such as permanent > residents, foreign students at colleges, etc.) and yet this knowledge could > not be "exported" outside the U.S. > > Except with our crypto laws, and some related Munitions Act laws. Unfortunately, as I noted above, so far no one has been able to come up with a convincing Constitutional argument, especially in the face of the Posey and Edler precedents, which are discussed by the judge in Phil's case, and for which I have some excerpts at . I think the real solution frankly is to get the laws changed. If the laws are absurd, people should be taught about them, and they should pressure their legislators to change them. This is not an attractive solution because it implies a lot of work and a long, slow process. But in the long run it will be better to establish a national consensus about how to deal with these issues. Then it will be harder for government to place new restrictions in place. I think the recent legislative action reflects the beginnings of this process. It may not succeed this year, but hopefully in a few years, as more people get on the net, it will gain momentum. Ironically, the termination of the case again Phil Zimmermann may hurt progress in this area. Unfair and unjustified as the pending charges against Phil were, they did at least raise people's consciousness about the problems in current policies. Phil did an excellent job of keeping these issues in front of people in all sorts of media. Now that there is no longer an articulate victim of unfair export laws it may be harder to keep people thinking about the problem. Perhaps we need a new volunteer... Hal From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Wed Apr 3 23:15:20 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Thu, 4 Apr 1996 15:15:20 +0800 Subject: Navajo code-talkers Message-ID: <9604031922.AA3658@smtp1.chipcom.com> >From: grafolog @ netcom.com (Jonathon Blake) @ UGATE > << It's one of the status languages to study, if you are > a new ager --- along with Ancient Mayan, linear B and > Egyptian Hieroglyphics. >> Well, hieroglyphics and linear b are writing systems, not languages. And Linear B is Greek (though it takes effort to read it even if you know your Homer...) paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From mccoy at communities.com Wed Apr 3 23:22:32 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 4 Apr 1996 15:22:32 +0800 Subject: Canada's ISO standards body? Message-ID: At 11:50 AM 4/3/96, Peter Trei is rumored to have typed: > Simon Spero > I don't think v3 has been balloted yet - that gives you a chance to > > explore one of the more amusing twists of OSI standardisation- you can > > get copies for free of most drafts from the editor right up until it gets > > standardised. Silly, isn't it. > > Haven't located it yet. ftp://hesiod.communities.com/pub/mccoy/ansi-x9.ps I also have a PDF version of the draft as ansi-x9.pdf, and the certificate DAM in the file certdam.ps. jim From batman at infomaniak.ch Wed Apr 3 23:31:49 1996 From: batman at infomaniak.ch (Batman) Date: Thu, 4 Apr 1996 15:31:49 +0800 Subject: No Subject Message-ID: <01BB21C1.ECEED360@ppp10.infomaniak.ch> unsubscrive * batman at internet.infomaniak.ch unsubscrive * batman at ns.infomaniak.ch unsubscrive * batman at mail.infomaniak.ch From proff at suburbia.net Wed Apr 3 23:48:48 1996 From: proff at suburbia.net (Julian Assange) Date: Thu, 4 Apr 1996 15:48:48 +0800 Subject: Reminder. Suburbia BOAF Sat 6 April Message-ID: <199604032330.JAA12922@suburbia.net> ____ _ _ _ / ___| _ _| |__ _ _ _ __| |__ (_) __ _ \___ \| | | | '_ \| | | | '__| '_ \| |/ _` | ___) | |_| | |_) | |_| | | | |_) | | (_| | |____/ \__,_|_.__/ \__,_|_| |_.__/|_|\__,_| ------------------------------------------------------------------------------- Birds of a feather ____ _ _ | _ \ __ _ _ __| |_ _ _| | | |_) / _` | '__| __| | | | | | __/ (_| | | | |_| |_| |_| |_| \__,_|_| \__|\__, (_) |___/ Saturday April 6, 1996 (easter weekend) 8:30pm till day light boaf at suburbia.net Melbourne Australia (http://www.lonelyplanet.com/dest/aust/melb.htm) This is a reminder. There are only three days left to RSVP. If you haven't received the address yet, then you are not on the list. There is no door fee (please see the original invite). Ps. Despite the attention to detail, it will be a very laid back affair. DO NOT wear a tie. At least, not around your neck, or someone might attach it to the rafters. Despite the serious types during the day, we are fully BYO pillow. --- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From sawyer at nextek.com Thu Apr 4 00:27:34 1996 From: sawyer at nextek.com (Thomas J. Sawyer) Date: Thu, 4 Apr 1996 16:27:34 +0800 Subject: CDA Court Challenge: Update #3 Message-ID: > * The DoJ is trying to draw a distinction between "indecent" images > of couples engaged in sexual intercourse and educational > "indecent" material that they will claim is not going to be > prosecuted under the CDA. I wonder if they are considering any "artistic" indecent material that would also not be prosecuted? Maybe if Playboy remains themselves to "A Pictorial of The Female Body" then it would be ok. Just a thought anyway. Thanks for reading, Thomas J. Sawyer sawyer at nextek.com From ota+ at transarc.com Thu Apr 4 00:38:26 1996 From: ota+ at transarc.com (Ted Anderson) Date: Thu, 4 Apr 1996 16:38:26 +0800 Subject: java: vending machine software (long) In-Reply-To: <199603282211.OAA15109@netcom14.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- "Vladimir Z. Nuri" writes: > Java seems to be catching on in a big way (only a few months ago, These are important ideas. I found them explored very nicely in several papers written by Drexler and Miller (circa 1988!). They are available in the collection "Ecology of Computation (1988)" and via the Agorics Home page (http://www.webcom.com/~agorics). It seems that with the Web and Java now widely available the technical means to implement these ideas are getting visibly closer. > when one thinks about this, I think it becomes clear that we are going > to see many, many new standards for code communication in the future. The most interesting thing I've heard along these lines was described in a talk by Matthew Fuchs. He suggested the idea of using something like SGML (of which HTML is a subset) to communicate between smart agents. The idea is to provide a machine understandable equivalent of a web form which could be used to send info back and forth. In this application display instructions are not important, what is important is the meaning assigned to the keywords. For example, in a simple web page you might use , <body>, <author>, <h1>, etc. The browser knows how display these because for simple documents they have a well defined meaning, but an automatic document indexer could also easily find the title and author. Consider an airline reservation system. It might support a variety of commands to answer queries and make reservations. Clearly once the *meaning* is in hand, crafting a way to display it would be easy. So you have a scheme which can be used with equal facility by either a human or a machine. This allows for smooth transition from human mediated to automated steps in a larger project (e.g. plan a trip visiting these five cities) where some parts have been automated (e.g. airline reservations) and other parts have not (say, hotel reservations). Further, the system can be built out of layers of objects that give meanings to various keywords. Consider a bunch of keywords and associated Java applets that understand dates and times (they know about timezones and daylight savings and weekends and so forth). Another level of objects knows how to manage schedules, and still another layer knows about travel arrangements. The system used by a particular airline uses all these objects to provide an interface for communicating with customers (or their automated agents). Java seems ideal suited to be the active lubricant in such a system. Ted Anderson -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWK8PwGojC9e/wyBAQFuVAQA0Z4qjeIs2j8bxEYqaxuwQLdw49oXTX5a sN9L75sy8AmdMJjDfBuo8Kij7Iyx/ZrexJp/lsGS0pC76OpafNs0nfckQsblmrA5 9BzHe+PmDgPtJOvdCJYnR624PuioGihD/J8l2YZFf7/OfaRCXW2q/HvcBeuDWseS zSIumBmiObo= =F+Zv -----END PGP SIGNATURE----- From hfinney at shell.portal.com Thu Apr 4 00:55:08 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 4 Apr 1996 16:55:08 +0800 Subject: What backs up digital money? Message-ID: <199604032050.MAA02754@jobe.shell.portal.com> From: rah at shipwright.com (Robert Hettinga) > When money finally goes onto the net, and never comes back, the digital > bearer certificates we call ecash will be a currency. Until then, it's just > a script. > > Or is it an interestless bond? ;-). I'm not sure exactly what you mean by money "going onto the net and never coming back". Is this just a matter of there being a wider variety of useful things to buy on the net? Or do you mean that people who receive ecash will not want to deposit in their bank accounts, but just turn around and spend it? I will point out that with regular currency, most merchants who receive it just deposit it at the bank, save for a bit passed out as change. Supermarkets don't actually take the cash their customers give them and hand it to their suppliers. They deposit it and pay with checks. So the "life cycle" of a $20 bill is pretty much from the bank, to the customer, to the merchant, and back to the bank, only to repeat the cycle. Ecash, it seems to me, is already able to circulate to this extent, although of course it is not yet widely used. Hal From mccoy at communities.com Thu Apr 4 02:26:48 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 4 Apr 1996 18:26:48 +0800 Subject: Navajo code-talkers Message-ID: <v02140b01ad88b56fd647@[205.162.51.35]> At 11:22 AM 4/3/96, Paul_Koning is rumored to have typed: > >From: grafolog @ netcom.com (Jonathon Blake) @ UGATE > > << It's one of the status languages to study, if you are > > a new ager --- along with Ancient Mayan, linear B and > > Egyptian Hieroglyphics. >> > > Well, hieroglyphics and linear b are writing systems, not languages. > And Linear B is Greek (though it takes effort to read it even if > you know your Homer...) Linear B is Minoan, and knowing Greek helps in understanding what things decipher to, but it predates the Greek alphabet by several centuries so even if you knew Homer personally you would have had trouble reading it. ObCrypto: Unlike Egyptian hieroglyphics, we have yet to find a Rosetta Stone equivalent for Linear B (or Linear A, it's predecessor, although I seem to remember Linear A being more akin to ideograms) Most of what is known about Linear B was inferred using a sort of linguistic cryptanalysis, in fact there was a paper in one of the Crypto proceedings from the mid-80s which described some of the methods employed. ObMoreDeadLanguages: Does anyone know if there are Unicode character sets for Sanskrit or hieroglyphics? How exactly does one get a proposed character set approved/ratified if not? jim From tomw at netscape.com Thu Apr 4 02:35:16 1996 From: tomw at netscape.com (Tom Weinstein) Date: Thu, 4 Apr 1996 18:35:16 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... In-Reply-To: <315C8FCB.2781@netscape.com> Message-ID: <31636529.167E@netscape.com> Phil Karlton wrote: > Rich Graves wrote: > > > How about limiting URLs on non-blessed ports to, say, 64 > > alphanumeric characters? I'm sure the documentation writers and > > technical support folks would hate you, but it should address these > > concerns. > > This is not good enough. Many people, feeling secure on their side of > a firewall, put proprietary information in their .plan files. Since > the the Navigator is running inside that firewall, we can't give > access to that data to sources coming from outside the firewall. Given > the many ways to construct a URL, the safest was to prevent any access > to the finger port (along with a number of others). Of course, this isn't really a good reason because there's no way to get the information back out to the other side of the firewall. As a matter of fact, limiting URLs as Rich suggests might in fact be good enough. It's one of the possibilities we'll be looking at for reenabling finger and whois. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From banisar at epic.org Thu Apr 4 02:36:48 1996 From: banisar at epic.org (Dave Banisar) Date: Thu, 4 Apr 1996 18:36:48 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <n1383571756.16740@epic.org> The draft bill which currently exists only takes the export controls on crpyto. The provisions on key escrow, criminal penalities and other problems are not in there and Burns staff have no intention of letting them in. The actual bill will be introduced in about 2 weeks. -dave -------------------------------------- Date: 4/2/96 2:46 PM To: Dave Banisar From: jim bell At 04:24 PM 4/1/96 -0500, Dave Banisar wrote: > Association For Computing Machinery [address deleted] > Institute of Electronics and Electrical Engineers [address deleted] >April 2, 1996 [thank heavens it wasn't April 1!] >Honorable Conrad Burns >Chairman, Subcommittee on Science, Technology and Space [etc] >Dear Chairman Burns: > > On behalf of the nation's two leading computing and engineering >associations, we are writing to support your efforts, and the efforts of >the other cosponsors of the Encrypted Communications Privacy Act, to >remove unnecessarily restrictive controls on the export of encryption >technology. The Encrypted Communications Privacy Act sets out the >minimum changes that are necessary to the current export controls on >encryption technology. However, we believe that the inclusion of issues >that are tangential to export, such as key escrow and encryption in >domestic criminal activities, is not necessary. The relaxation of >export controls is of great economic importance to industry and users, >and should not become entangled in more controversial matters. As far as it goes, and considering that it's from an industry group, this sounds like an excellent response to this Burns bill proposal. (Not "Bill," because it's still not available, apparently.) This response is probably as close as we can expect to a repudiation of the Leahy bill. It still isn't clear, though, whether the Burns bill is intended to be just an elimination of export controls on encryption, or whether it will contain other provisions. My question, which still hasn't been answered, is: "Does this bill exist yet?" The answer is really not inconsequential, because if it _isn't_ at least sketched out yet, then that either should give us the opportunity to add provisions we want, or alert us that there is still the risk from Denning-types of including provisions we don't want. Either way, action is called for, if only action to keep somebody else from taking action. I don't have any objection to a bill which merely eliminates export requirements on encryption; that would be a substantial step in the proper direction. If that's the best we can do for this session of Congress, I hope we can achieve this as a stepping-stone. Jim Bell jimbell at pacifier.com ------------------ RFC822 Header Follows ------------------ Received: by epic.org with SMTP;2 Apr 1996 14:44:17 -0500 Received: from ip17.van1.pacifier.com by pacifier.com (Smail3.1.29.1 #6) with smtp for <banisar at epic.org> id m0u4Bhn-0008xuC; Tue, 2 Apr 96 11:25 PST Message-Id: <m0u4Bhn-0008xuC at pacifier.com> X-Sender: jimbell at pacifier.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Apr 1996 11:24:08 -0800 To: "Dave Banisar" <banisar at epic.org>, "Cypherpunks List" <cypherpunks at toad.com> From: jim bell <jimbell at pacifier.com> Subject: Re: ACM/IEEE Letter on Crypto _________________________________________________________________________ Subject: RE>>ACM/IEEE Letter on Crypto _________________________________________________________________________ David Banisar (Banisar at epic.org) * 202-544-9240 (tel) Electronic Privacy Information Center * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.epic.org Washington, DC 20003 * ftp/gopher/wais cpsr.org From fotiii at crl.com Thu Apr 4 02:47:21 1996 From: fotiii at crl.com (FRank O. Trotter, III) Date: Thu, 4 Apr 1996 18:47:21 +0800 Subject: What backs up digital money? Message-ID: <199604040402.AA10457@mail.crl.com> > Date: Tue, 2 Apr 1996 08:11:21 -0800 > From: Hal <hfinney at shell.portal.com> > To: cypherpunks at toad.com > Subject: Re: What backs up digital money? > From: "Frank O. Trotter, III" <fotiii at crl.com> > > Ecash is a means of transferring value, currently USD at Mark Twain, > > betweeen parties. Ecash, however denominated, is not a currency in > > itself. > > I am curious to know why you say that ecash is not a currency. One of > the main points of my original posting was to challenge this view. > > Do you simply mean that this is a matter of definitions, that ecash isn't > a currency because it lacks some property X that, by definition, a > currency must have (such as, it must be issued by a national government)? ===== I think I tried to cover too many bases at once. Ecash _is_ currency, it is not _a_ currency. This means that outside of the formal definition acording to BSA which says that currency is the stuff we carry around and nothing else, that ecash generated coins function as a currency in that one can make purchases on a peer to peer basis, and appears to have the migration path necessary to exist in an offline world as well. To me this makes it currency. It is not a currency. One sees many articles and posts (not yours) that refer to ecash as though it were not USD or some other store of value. In this case I mean that ecash is the software that moves and stores money like a check, or more precisely like a money order, but is not in itself _a_ currency. > > Or are you saying that there is an important functional difference, that > ecash cannot be used as we normally use currency (that is, the dollar > bills and coins in our pockets) because of reason X? If so I would like > to hear what you think that reason is. The one I have seen mentioned > previously is transferrability, so I discussed this in my original > message. > > > The value unit or currency has value because people agree it has > > value. CyberBucks were (and still are) somewhat convertable to > > tangible goods - they are for sure convertable to intrinsic goods as > > demonstrated by the CyberBucks trial. USD and DEM have value only > > because we all accept them as payment - as fiat currencies there is no > > formal backing. Gold has value because ... > > The whole issue of why dollars have value is one which is poorly > understood, IMO. There are several reasons, which are inter-related. > One of the big ones is that they are legal tender. This term does not > mean what a lot of people think it does, but at least it means that > your dollars carry certain legal weight if you have a debt that you > need to pay off. Another reason dollars are accepted is because you > know you can pay your taxes with them. This is something that most > people have to do, and dollars are something they can do it with. > > Another factor is that there are long term contracts, such as > mortgages, which are denominated in dollars. You can use your dollars > to pay off your debt at the bank, and the bank is contractually bound > to accept them (even apart from legal tender considerations), and grant > you title to tangible property in return. Interestingly, the volume of > outstanding mortgages is of the same order of magnitude as the > circulating money supply. I know someone who claims that this is the > most important factor in giving dollars value. > > And finally, the reason that most people think of, the fact that > everyone around them accepts dollars, and presumably will do so in the > future. I don't actually think this is as strong as the others, since > there is no guarantee that people won't change their minds, and in fact > there have been historical situations where due to hyper inflation > merchants have come to view government money as almost worthless. So > since these people haven't committed to accept the money, this > grounding is not that strong. I think the earlier examples are more > important as an ultimate grounding, although they are not cited as > frequently. Exactly - I agree. Take a look at contracts like loans until Roosevelt closed the gold window in the early thirties. They said things like "you owe $100 or the equivalent of X.xx ounces of gold. With the revaluation of the US currency in terms of gold in the 30s there was a specific potion of the bill that disallowed these terms in contracts since the devaluation could not effectively take place otherwise (ref - Jim Grant). > > > Ecash puts banks back into the business of being banks - acting as a > > storehouse of value, and as a means to transfer this value, all for a > > fee. The early bank models were exclusively along these lines, with > > the various lending and investing functions added later. > > I would expect that an ecash issuing bank would make ecash loans just as > it makes other forms of loans. So I don't see ecash as making this > kind of difference in a bank. Just because a bank issues ecash it's > not going to roll back the clock to the 18th century. No quarrel here - but I think it is easier to build a competing lending institution where the business gives you money and you promise toi give it back, than it is to build confidence in a deposit institution where you give money and hope to get it back. I take my original commnet as a positive. > > One of the big advantages of multiple ecash currencies is that it turns > out that there is automatic control of inflation. A bank which issues > too much currency (relative to its reserves) will find it becoming worth > less because it is trusted less. There is an automatic balancing act. > Sure, this is like free banking in the 1800 - Fed KC traded at a discount to Fed NY or vice versa depending on attitude at the time. > We see the same thing in the international currency markets with > government currencies. In the olden days, when international trade was > less important, a government could inflate without feeling much pain. > But today its currency will lose value, which will hurt its balance of > trade and make it hard to acquire foreign goods. So this puts a brake on > the ability of governments to play games with the money supply. The same > factor would be expected to occur with private currencies. In the old days there was an automatic balance when a government inflated - the metal standard attached. If inflation got out of hand people would show up at the window with bills asking for the gold or silver equivalent - when the government gave out too much metal it had to behave. I would like to note that I am a big supported of private currencies. We have had many discussions on the topic and I have had the academic side covered by folks who wrote papers as far back as the 50s on how to do it. As ecash is accepted in the mainstream by multi-issuing interoperable banks I expect to spend more time on this topic - for now I need to get on with the conventional version. Great ideas! Frank > > Hal > > Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From vznuri at netcom.com Thu Apr 4 03:08:21 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 4 Apr 1996 19:08:21 +0800 Subject: java: vending machine software (long) In-Reply-To: <QlMfpa2SMV0_1o3040@transarc.com> Message-ID: <199604032126.NAA05470@netcom8.netcom.com> TA: >The most interesting thing I've heard along these lines was described >in a talk by Matthew Fuchs. He suggested the idea of using something >like SGML (of which HTML is a subset) to communicate between smart >agents. > .. >Further, the system can be built out of layers of objects that give >meanings to various keywords. Consider a bunch of keywords and >associated Java applets that understand dates and times (they know about >timezones and daylight savings and weekends and so forth). Another >level of objects knows how to manage schedules, and still another >layer knows about travel arrangements. The system used by a particular >airline uses all these objects to provide an interface for communicating >with customers (or their automated agents). > >Java seems ideal suited to be the active lubricant in such a system. yes, I didn't get into some of what you are talking about in my essay, but that's something very significant that is going on right under our noses this minute: the formatting of vast kinds of data into SGML systems. I have a book called "writing SGML DTDS". it seems pretty boring-- it talks about how to create tags and all that, and doesn't give a "big picture scenario" of what this technology can lead to-- which is unfortunate, because the end result of it it all is extremely significant. the framework I like to use to describe this technology is to portray it as the steps that are necessary to create the "paperless office". this was a holy grail that computers were supposed to deliver many years ago, and many have noted the irony that the exact opposite seems to have happened in that computers are generating mountains of paper. it is clear that to achieve the paperless office, many, many standards have to be devised an adhered to for the formatting of information in documents. SGML is intended to be a high-level total overview architecture that can encompass all document definitions created by anyone, and allows embedding of different formats within formats, so that a massive hierarchy of interchangeable formats can be constructed. EDI or electronic data interchange format for billing that many companies are using (I don't know anything about it I assure you) is an example of the kind of standardization that is gradually taking place. whether Java is the "ideal language" to handle all this I think remains to be seen. I expect amny new languages and concepts to be developed that focus on the creation/manipulation of document standards. an object-oriented paradigm will be important in this endeavor, though, I agree. your idea of relating "documents" and "objects" I definitely expect to see as a strong emerging paradigm. a document will be thought of as an "object" whose local data are the blanks in the form, and the document can perform some operations on that data using its "methods". also the hierarchy you described is very nicely imposed on documents: a very general "bill" class might have only a "payer/payee/amount/desc" fields, and all kinds of comkpanies would create their unique subclasses that describe their own internal company forms. general methods would be overridden, etc. what this is all moving toward, imho, is a kind of "information assembly line". imagine every task in the world today that involves nothing but shuffling information from one form to another, in a way that requires "logic" but not human intelligence (i.e. could be programmed if the data were available in digital form and inputs/outputs were hooked up properly). I predict that wherever this is the case, there is going to be a gradual motion toward automization of these processes. also note that the concept of an "object" tends to become far less local and more universal. there may be "objects" "out there" in cyberspace that you can manipulate and subclass as if they were sitting on your own computer. but because they are so universal, other companies or individuals anywhere on the planet may be using the same objects. at various levels in the hierarchies of data, it is all interchangeable and related. this all suggests an amazing new collaboration between companies to create standards where everyone benefits. in today's system, companies tend to behave as if they are isolated entities who all survive at the expense of the other. I believe this concept will largely dissipate as companies see themselves as fitting into special places in a characteristic "niche" of the ecosystem of business. they will see themselves as components in a massive computing system that interface to each other via cyberspace. cyberspace becomes then a kind of nervous system for an entire nation (which it already is, just not as overtly). it is quite surprising that given how far we are into the Information Age how much information and data has resisted the gradual trend toward automization. many, many companies are interested in "reengineering" for this reason: they want to take full advantage of technology, but realize how incredibly difficult this is to do when you have decades of "status quo" type procedures calcified into the system that tend to be hostile & resistant towards automization. the job of turning documents into data is actually quite herculean-- we have a tendency to see it as trivial but the amount of labor involved in "conversion" can be enormous. the payoffs are very significant once you have converted your atoms to bits, though. the corporations of the future I imagine will have incredible fluidity without the cost in lack of security. in other words, they will be able to dynamically "re" configure themselves to suit the instant because they will have highly organized and malleable "central nervous systems" that govern the information flow within them. these systems will be built out of massive hierachies of document format standards and enormous, seamless flows of data. someday, I think every form that is in existence will have an electronic description similar to SGML syntax, and every aspect of data shuffling in companies and between them that can be automated, will be. its going to be quite awhile before this achieved however. thanks for your reactions to the writing, which have caused a whole new avalanche of neurons to fire.. <g> From karlton at netscape.com Thu Apr 4 03:46:22 1996 From: karlton at netscape.com (Phil Karlton) Date: Thu, 4 Apr 1996 19:46:22 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... In-Reply-To: <315C8FCB.2781@netscape.com> Message-ID: <31633ABF.4487@netscape.com> Rich Graves wrote: > How about limiting URLs on non-blessed ports to, say, 64 alphanumeric > characters? I'm sure the documentation writers and technical support > folks would hate you, but it should address these concerns. This is not good enough. Many people, feeling secure on their side of a firewall, put proprietary information in their .plan files. Since the the Navigator is running inside that firewall, we can't give access to that data to sources coming from outside the firewall. Given the many ways to construct a URL, the safest was to prevent any access to the finger port (along with a number of others). PK -- Philip L. Karlton karlton at netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin From declan+ at CMU.EDU Thu Apr 4 04:09:01 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 4 Apr 1996 20:09:01 +0800 Subject: FC: CDA Court Challenge: Update #4 Message-ID: <AlMpnsa00YUv1kCG9X@andrew.cmu.edu> ----------------------------------------------------------------------------- The CDA Challenge, Update #4 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- April 3, 1996 NEW YORK -- This afternoon the action shifted to a Manhattan courtroom, where a panel of Federal judges tried to decide what to do with a CDA challenge filed after ours. The lone plaintiff is Joe Shea, who declined to join the ACLU/ALA coalition lawsuit and is suing on behalf of the American Reporter. Shea has been pressing the NYC court to rule on his case before ours is decided. While we've taken pains to net.educate our judges with live -- albeit buggy -- demos and six days of hearings, Shea is relying on hardcopy to argue his case. This strategy is dangerous: if a relatively ill-educated NYC court upholds the CDA, that precedent can hurt our case. In court today, U.S. Second Circuit Court of Appeals Judge Cabranes proposed that Shea and the assistant U.S. Attorney defending the CDA adopt the record of the Philadelphia case to avoid duplication of evidence, testimony, and exhibits. Shea's attorney, Randall Boe, was reluctant to agree, even though he would be allowed to present additional evidence. (The DoJ's crack civil team declined to show today.) The court wasn't happy with Boe's response. It gave Shea and the government until April 17 to decide to include the entire record of the Philly lawsuit -- and said that if they don't, the court would appoint its *own* computer expert to demo the Net and blocking software on April 30. Another possibility is that the New York court could stay its decision until the Philly court issues its opinion. At the request of the Pennsylvania three-judge panel, Marjorie Heins from the ACLU was in NYC today to describe the latest in our case; she also suggested that the Judge Cabranes' court had the option to wait. This could happen -- my friend Eric Freedman of Hofstra Law School tells me it is by no means unusual for one Federal court to defer to parallel proceedings in another. No matter what the panels of judges decide, the two cases will be consolidated on appeal to the Supreme Court. (If we lose, we have 60 to 90 days to file our appeal. If the DoJ loses, they have 20 to 30 days to file theirs.) Bruce Taylor has a unique perspective on the hearings. He's the guy who helped *write* the be-damned CDA and he's been its most vocal supporter over the last year as president of the National Law Center for Children and Families. I met Taylor last week at the Computers, Freedom, and Privacy conference and we sucked down a few beers in the hotel bar before he went cue-to-cue with Brock Meeks. Taylor told me today that the assistant US atty for the Southern District of New York was "just parroting what's happening in Philadelphia" and had come down from NYC on Monday to observe the proceedings. A former porn-prosecutor, Taylor wears his successful convictions as a badge of honor: "Comstock was an amateur!" He says his side is doing well: "I've worked with the civil division before... They're very good litigators who do their homework." (Of course, Taylor conveniently has deluded himself into believing the CDA is constitutional.) Today we also officially learned the identities of the DoJ's two expert witnesses. Since the DoJ is calling only two witnesses and we're calling just one more, we should finish before April 26. (The DoJ's fax to our legal team today says: "At this point, defendants do not plan to call additional witnesses.") If this works out, we'll complete testimony on April 12 and reserve April 15 for rebuttal. As I reported in a previous dispatch, the first pro-CDA witness is Dan R. Olsen, Jr., the incoming director of the Human Computer Interaction Institute at Carnegie Mellon University. Currently the head of the computer science department at Brigham Young University, Olsen will testify about the "technical issues related to the 'safe harbor' defenses" under the CDA. Olsen will be deposed, probably in Washington, DC, on April 8. Olsen was unwilling to tell me much in email earlier today: "I understand your interest, having read your home page. I would be happy to go over all of this with you when I actually move to CMU in July and the case has completed. Until the case is resolved, it would be inappropriate to discuss it. Thanks for your interest." Note that BYU's rather Orwellian computer usage policies say: "DON'T: Use BYU resources to view or transmit pornography... All the activities and circumstances covered by this policy must comply with the University's standards of Christian living... The University community may direct questions or requests for exceptions to this policy, as well as report any instances of noncompliance or deviations to the Advancement Vice President." How appropriate that a faculty member at such a school would take a job as an administrator at equally-censorhappy Carnegie Mellon University -- which is considering a truly heinous speech code and still censors its USENET feed! I predict lots of cybersmut when the second government witness testifies. He's Special Agent Howard A. Schmidt from the Air Force Office of Special Investigations, and will "present a demonstration and testify concerning access to information, including sexually explicit material, that is available online, including through the Internet." Schmidt will be deposed on April 9. Brock Meeks reports that Schmidt apparently is a member of the High Technology Crime Investigation Association and has participated in a "Law Enforcement Panel on Computer Forensics" for the 18th National Information Systems Security Conference in Baltimore last October. He also likes boats and fishing; hiking and camping. It's a cinch that the April 12 hearing will be the best-attended. How often do you get a chance to see a DoD Special Agent pull up smutty GIFs on dual 8' projection screens in a Federal courtroom? The question is, of course, which GIFs? On the WELL, folks are betting that the salacious collection will include at least one snapshot of female genitals nailed to a table. At least, that the image that Bruce Taylor delights in using as an example of cybernastiness. Still no word on the true identity of Grey Flannel Suit. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on 4/12, 4/15, and possibly 4/26. Mentioned in this CDA update: The American Reporter <http://www.newshare.com/Reporter/today.html> Joe Shea <joeshea at netcom.com> DoD's Howard Schmidt <howardas at aol.com> MU's HCI Institute <http://www.cs.cmu.edu/~hcii/> Dan Olsen at BYU <http://www.cs.byu.edu/info/drolsen.html> BYU's censorship policy <http://advance.byu.edu/pc/releases/guidelines.html> Censorship at CMU <http://joc.mit.edu/> Brock Meeks on Howard Schmidt: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2039> Brock Meeks' CyberWire Dispatch on Bruce Taylor: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2040> Joe Shea's complaints about ACLU wanting to "stand alone in the limelight": <http://fight-censorship.dementia.org/fight-censorship/dl?num=2014> <http://fight-censorship.dementia.org/fight-censorship/dl?num=2036> <http://fight-censorship.dementia.org/fight-censorship/dl?num=2037> This and previous CDA Updates are available at: <http://fight-censorship.dementia.org/top/> <http://www.epic.org/free_speech/censorship/lawsuit/> To subscribe to the fight-censorship mailing list for future CDA Updates and similar discussions, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: <http://www.eff.org/> <http://www.aclu.org/> <http://www.cdt.org/> ----------------------------------------------------------------------------- (This CDA Update was compiled from various firsthand reports.) ----------------------------------------------------------------------------- From stewarts at ix.netcom.com Thu Apr 4 04:13:27 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 4 Apr 1996 20:13:27 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199604040730.XAA21490@dfw-ix3.ix.netcom.com> At 10:25 AM 3/29/96 -0800, Jim Bell wrote: >At 05:49 AM 3/29/96 -0500, Black Unicorn wrote: >>I thought I would take the time to let everyone know that this is >>baseless as well. Most jurisdictions forbid third parties to reveal >>prosecution inquries to the principal for which they are holding >>documents or other information. A VERY few have laws on the books that >>require this disclosure. Switzerland is no longer one of them. > >As usual, Unicorn is FOS. Not entirely in his facts, but in his >conclusions. To "forbit third parties to reveal prosecution inquiries" is >an obvious violation of freedom of speech, and in fact is PRIOR RESTRAINT. >Maybe Unicorn can't see what's wrong with that, but I can. It is unclear >whether this has ever been tested in court, or whether that test occurred >recently. Black Unicorn is absolutely correct that this is generally the law. Jim Bell is absolutely correct that laws like this are offensive and outrageous. Unfortunately, Jim then rants at Unicorn for suggesting that this would be the case; you'd think he'd be the first to realize that there are laws out there that are offensive and outrageous and enforced. >For example, if I ask my ISP to send me an anonymous, encrypted message with >the word, "Rosebud" in it to me if he receives any requests to tap my >connection, he can do so with no fear of being discovered, because no third >party can decrypt the message, know who is is from, or know the real meaning >of the word, "Rosebud" in the context of an encrypted, anonymized message. >Further, since the whole thing is by pre-arrangement, even I cannot prove >(to the satisfaction of a third party) that the message really meant what I >would interpret it to mean. The message is useful to me, as a warning, but >it could never turn around and "bite" the ISP. Now that's an interesting wrinkle to the problem. I suspect that, as you suggest, there will be ISPs, especially in non-US jurisdictions, that are willing to send out "Rosebud" messages to anonymous remailers, or to fail to send "Remarque" messages, or to debit anonymous accounts for data retrieval services rendered while also supporting billing-status checking by anonymous remailers. From a crypto-anarchist dogmatic perspective, it'll definitely happen, though there may be a rough transition until there's enough critical mass to make it undetectable (and note that "undetectable" is a tougher standard than "untraceable"...) # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 fax-2527 # # Spam. It's what's for dinner. From stewarts at ix.netcom.com Thu Apr 4 04:56:59 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 4 Apr 1996 20:56:59 +0800 Subject: "unsubscrive" again! Message-ID: <199604040832.AAA08016@ix10.ix.netcom.com> At 10:10 PM 4/3/96 -0800, Timothy C. May wrote: >Yet another "unsubscrive"? Is this some weird alternate spelling? Or are we >being trolled? My gut feel is that it's a troll. Don't know if it's a Medusa with tentacles all over the world subscribing and asking to undescrive, or whether somebody's been forging subscription requests and sending along bogus instructions for getting off. Sigh. From rah at shipwright.com Thu Apr 4 05:12:27 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 4 Apr 1996 21:12:27 +0800 Subject: e$ Signorage Message-ID: <v02120d0aad88ab66941d@[199.0.65.105]> At 3:50 PM 4/3/96, Hal wrote: > Or do you mean that people who receive > ecash will not want to deposit in their bank accounts, but just turn > around and spend it? Yes. Or maybe even invest it there. I was just finished a little 800 word blurb for Wired's Idees Fortes section on, (guess what?) "Geodesic Capital", which talked about just such a scenario. I believe money which is never redeemed back at the bank is called signorage in the currency biz. Whatever signorage *actually* is, Kawika Daquio of the ABA (B for "Banking"), the Fed makes $20 billion a year on it. Not much against a trillion dollar federal budget, but, hey, every little bit helps... Stuff that doesn't get returned also useful for other stuff, like the reputation of the currency. When was the last time someone went in and cashed in their dollars for gold, or silver, at the Fed? It's legally impossible now, but the French did it until Nixon stopped it by floating the dollar, in the early seventies, if you remember, and it used to be done by normal people all the time. Pierpont Morgan had to bail out Presedent Garfield?, Cleveland? with a European treasury bond flotation because there was a run on the treasury at the turn of the century. > I will point out that with regular currency, most merchants who receive > it just deposit it at the bank, save for a bit passed out as change. Unless, of course, they're in Russia (remember the money plane?), and other places. That's where that $20MMM comes from, I think, but I'm not sure. > Supermarkets don't actually take the cash their customers give them and > hand it to their suppliers. They deposit it and pay with checks. So > the "life cycle" of a $20 bill is pretty much from the bank, to the > customer, to the merchant, and back to the bank, only to repeat the > cycle. Maybe I'm talking about net balances on the net. e$ in circulation overall. I'm really starting to stretch here, you can tell. My guess is in the old days before book-entry stuff like credit cards, and even pervasive checking accounts, cash had to be more physically robust, because it probably stayed out longer. Remember those old double-eagles? Gold is certainly durable. More probably people just exchanged worn-out bills for cleaner ones, but that meant that the money stayed in cash. > Ecash, it seems to me, is already able to circulate to this > extent, although of course it is not yet widely used. Indeed. On both counts. :-). If my WAG about digital cash certificates eventually replacing demand deposits comes about (my claim is that they'll eventually be cheaper, and maybe more secure someday), then money would tend to stay on the net. That's when I figure we'll have actual e$-currency. On the other hand, one of the best deterrents against someone cracking or stealing the bank's key is to "expire" your currency issues, so there might be some "rolling over" of the the money on the net, expecially if it's anonymous. Just like they traded in worn-out bills in the old days. Hmmm. As usual, I seem to be loosing my wiggle room here. Welcome to quibble-punks. ;-). (Me! Not you, Hal!) Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From stewarts at ix.netcom.com Thu Apr 4 05:16:34 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 4 Apr 1996 21:16:34 +0800 Subject: National id already here? Message-ID: <199604040831.AAA08006@ix10.ix.netcom.com> At 04:35 PM 4/3/96 -0800, Yap Remailer <remailer at yap.pactitle.com> wrote: >http://www.aamva.net/AAMVAnet_New_Systems.html says: > Coman said [police] officers can use "CDLISCheck" to access commercial > driver license status, history and AKA information. She noted that > the new service was developed in response to a Congressional mandate > that requires access to commercial carrier and driver information by > at least 100 roadside sites by 1996 and at least 200 locations by 1997. > >There's a congressional mandate for nationwide online id??? There are a lot more regulations on interstate truckers than on most people; it's somewhat within the Constitutional guidelines. From tcmay at got.net Thu Apr 4 05:58:06 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Apr 1996 21:58:06 +0800 Subject: "unsubscrive" again! Message-ID: <ad88923e0e021004e928@[205.199.118.202]> At 12:51 AM 4/4/96, Batman wrote: >unsubscrive * batman at internet.infomaniak.ch >unsubscrive * batman at ns.infomaniak.ch >unsubscrive * batman at mail.infomaniak.ch Yet another "unsubscrive"? Is this some weird alternate spelling? Or are we being trolled? Apparently Batman has not been reading any of the recent posts on this subject--which is not surprising, for correlative reasons--so I doubt he'll even read this message. But in the hopes that he comes out of his Batcave long enough to fire up his Batcomputer: How to subscribe to the Cypherpunks mailing list: send a message to "majordomo at toad.com" with the body message "subscribe cypherpunks". To unsubscribe, send the message "unsubscribe cypherpunks" to the same address. For help, send "help cypherpunks". Don't send these requests to the Cypherpunks list itself. And be aware that the list generates between 40 and 100 messages a day. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Peter.Posch at koeln.netsurf.de Thu Apr 4 07:05:47 1996 From: Peter.Posch at koeln.netsurf.de (Peter N. Posch) Date: Thu, 4 Apr 1996 23:05:47 +0800 Subject: unsubscrive * Peter.Posch@koeln.netsurf.de Message-ID: <3163B992.132A@koeln.netsurf.de> unsubscrive * Peter.Posch at koeln.netsurf.de From merriman at arn.net Thu Apr 4 07:07:43 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 4 Apr 1996 23:07:43 +0800 Subject: Rebuttal to Dvorak Message-ID: <2.2.32.19960403215935.00686afc@arn.net> Letters to the Editor, PC Magazine RE: April 23 issue I found Mr. Dvorak's name-calling and finger-pointing sufficiently inspirational that I have posted an editorial rebutting his April 23 column on our Web server at http://www.shellback.com/editorials.htm (yes, the 'l' is missing at the end :-) Permission is hereby granted to reprint and/or repost the article in total. David Merriman webmaster at shellback.com Amarillo, TX ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From llurch at networking.stanford.edu Thu Apr 4 07:14:09 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 4 Apr 1996 23:14:09 +0800 Subject: Fascinating troll with forged newgroups Message-ID: <Pine.SUN.3.92.960404025711.4952A-100000@elaine13.Stanford.EDU> Looks like the Nazis forged newgroup messages for rec.fag-bashing, rec.org.kkk, and 100 RFD'd groups in order to get their little messages across. How entertaining. What a marvelous new form of net.vandalism they've discovered. Or is this not new? The clearly forged Date: header and the cover newsgroups are pretty transparent, if you ask me. -rich From stewarts at ix.netcom.com Thu Apr 4 07:32:54 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 4 Apr 1996 23:32:54 +0800 Subject: Digest Version??????? Message-ID: <199604040831.AAA07991@ix10.ix.netcom.com> Typically the way to get a digested version of a cow is to kill and eat it... Oh, wait, you probably mean the list..... www.hks.net and nntp.hks.net let you read the Cypherpunks and Coderpunks mailing lists with the Web and Newsreader programs (except when they're down for repairs.) The Web version is typically half a month behind because it gets summarized and hypertextified monthly, though I suspect the articles are there and it's just the index that's old. If you're looking for a reduced-volume list filtered using human intelligence, Eric Blossom <eb at comsec.com> does cypherpunks-light for $20/year, and Ray Arachelian (sp?) does fcpunx for free, somewhere you can probably look up with AltaVista. At 05:30 PM 4/3/96 -0600, you wrote: >Anyone know if I can get a digest version of this??? > > (__) > (oo) > /--------\/ > / | || <-- Moo.(We live in Wisconsin, the dairy state, get it?) > / || || > * ||-----|| > ~~ ~~ From rah at shipwright.com Thu Apr 4 09:20:27 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 5 Apr 1996 01:20:27 +0800 Subject: Digest Version??????? Message-ID: <v02120d05ad896c35ceb1@[199.0.65.105]> At 3:32 AM 4/4/96, Bill Stewart wrote: > If you're looking for a reduced-volume list filtered using human >intelligence, > Eric Blossom <eb at comsec.com> does cypherpunks-light for $20/year, > and Ray Arachelian (sp?) does fcpunx for free, somewhere you can probably > > look up with AltaVista. I also run e$pam, where I filter the e$-relevant stuff from cypherpunks and about 50 (don't hold your breath, there isn't that much else out there, yet) other sources. The total e$pam mail feed is about 30-50% (depends on the day) of the cypherpunk total. The e$ home-page is: http://thumper.vmeng.com e$pam is sponsored, so individual subscriptions are free. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From in5y113 at public.uni-hamburg.de Thu Apr 4 10:50:05 1996 From: in5y113 at public.uni-hamburg.de (Ulf Moeller) Date: Fri, 5 Apr 1996 02:50:05 +0800 Subject: Digest Version??????? Message-ID: <9604041252.AA45126@public.uni-hamburg.de> Bill Stewart writes: > www.hks.net and nntp.hks.net let you read the Cypherpunks and Coderpunks > mailing lists with the Web and Newsreader programs (except when they're > down for repairs.) The Web version is typically half a month behind > because it gets summarized and hypertextified monthly, though I suspect > the articles are there and it's just the index that's old. There is another hypermail archive at http://infinity.nus.sg/cypherpunks/ and an unmoderated digest from majordomo at abc.gateway.com (subscribe cypherpunks-d). -- "In some ways the online environment in 1996 feels like Hong Kong in the last days of British rule: a very free community wondering what's going to happen as the forces of law and order start moving in." -- Charles Platt Ulf M�ller * E-Mail: <um at c2.org> * WWW: http://www.c2.org/~um/ From bryce at digicash.com Thu Apr 4 12:01:36 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Fri, 5 Apr 1996 04:01:36 +0800 Subject: the "unsubscrive" meme keeps on going... Re: unsubscrive * Peter.Posch@koeln.netsurf.de In-Reply-To: <3163B992.132A@koeln.netsurf.de> Message-ID: <199604041328.PAA17335@digicash.com> > unsubscrive * Peter.Posch at koeln.netsurf.de I suspect that this meme propagates (especially among non-native-English-speakers) via the list itself. Peter Posch probably saw one of the previous "unsubscrives" and is hoping it will work for him. Perhaps the owner-cypherpunks at toad.com people could hack it to bounce "unsubscrives" (along with the other spellings) back to sender with an explanation? Regards, Bryce From dlv at bwalk.dm.com Thu Apr 4 12:10:08 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 5 Apr 1996 04:10:08 +0800 Subject: Fascinating troll with forged newgroups In-Reply-To: <Pine.SUN.3.92.960404025711.4952A-100000@elaine13.Stanford.EDU> Message-ID: <qo4uLD107w165w@bwalk.dm.com> Rich Graves <llurch at networking.stanford.edu> writes: > Looks like the Nazis forged newgroup messages for rec.fag-bashing, > rec.org.kkk, and 100 RFD'd groups in order to get their little messages > across. > > How entertaining. What a marvelous new form of net.vandalism they've > discovered. Or is this not new? > > The clearly forged Date: header and the cover newsgroups are pretty > transparent, if you ask me. If your co-dependents had forged tale's digital signatures, then this would be interesting. But tale doesn't use digital signatures. Therefore forging him is nothing new, nothing fascinating, has no cryptographic relevance, and probably needn't be reported to the cypherpunks mailing list. I'm sure there are many free-speech advocates on this list who find your attempts to silence the Nazis _even _more distasteful then the Nazis' messages of hatred. A more appropriate forum for your announcement might be news.admin.net-abuse.misc or news.groups. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From gleick at around.com Thu Apr 4 14:50:42 1996 From: gleick at around.com (James Gleick) Date: Fri, 5 Apr 1996 06:50:42 +0800 Subject: e$ Signorage Message-ID: <1.5.4b13.32.19960404143637.006a92b8@pop3.interramp.com> >I believe money which is never redeemed back at the bank is called >signorage in the currency biz. Whatever signorage *actually* is, Kawika >Daquio of the ABA (B for "Banking"), the Fed makes $20 billion a year on >it. Not much against a trillion dollar federal budget, but, hey, every >little bit helps... Seigniorage is actually the Government's interest income on all the currency in circulation. It's not obvious, but it's true, that the Fed collects the "float" on dollar bills you carry in your pocket, exactly as American Express collects the float on traveler's checks. And, I don't know, call me crazy, but $20 billion sounds like a lot of money to me. -- James Gleick gleick at around.com http://www.around.com From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Thu Apr 4 15:18:09 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Fri, 5 Apr 1996 07:18:09 +0800 Subject: Navajo code-talkers Message-ID: <9604041824.AA1177@smtp1.chipcom.com> >Linear B is Minoan, and knowing Greek helps in understanding what things >decipher to, but it predates the Greek alphabet by several centuries so >even if you knew Homer personally you would have had trouble reading it. Well, I know the writing system is different, and knowing the greek alphabet is no help at all, but that in itself is of no significance. What is of significance is that the syllabic writing system forces the words into somewhat peculiar forms (exactly as in Japanese transliterations of English words). Furthermore the language is several centuries older than Homer, so you have to deal with assorted archaisms. Then again, if you know even a little of ancient greek linguistics, it gets easier. My greek is all high school level and yet I can figure out some of the Minoan stuff. >ObCrypto: Unlike Egyptian hieroglyphics, we have yet to find a Rosetta >Stone equivalent for Linear B (or Linear A, it's predecessor, although I >seem to remember Linear A being more akin to ideograms) Most of what is >known about Linear B was inferred using a sort of linguistic cryptanalysis, >in fact there was a paper in one of the Crypto proceedings from the mid-80s >which described some of the methods employed. There's a book on the subject: Chadwick, "The decypherment of Linear B". Neat. The particularly fascinating part about it is that no Rosetta stone was needed -- and indeed if one were found now it would merely serve to confirm the decypherment, not really to add anything to it. Linear A looks a whole lot like Linear B but as far as I know has not yet been decyphered and is believed to be a completely different language (I think the guess is some Semitic language but absent a decypherment that remains speculation). I don't think it is any more ideographic. There is a third writing system from the same area that has a hieroglyphic look to it (pictures) and is also undecyphered as far as I know. I think Chadwick has details, if not look in the recently published "The world's writing systems" by Daniels & Bright, Oxford U. Press, 1995, ISBN 0-19-507993-0. Great book! >ObMoreDeadLanguages: Does anyone know if there are Unicode character sets >for Sanskrit or hieroglyphics? How exactly does one get a proposed >character set approved/ratified if not? Well, Sanskrit is usually written with Devanagiri, same as Hindi, so that's all covered. If you want to write it with Siddham characters, there are proposals for that but I don't think they have gone all that far. I have also seen discussions about hieroglyphics, again not beyond the proposal stage as far as I can recall. Talk to Rick McGowan (Rick_McGowan @ NeXT.Com), he's the driving force behind efforts to put all the obscure, obsolete, and archaic scripts into Unicode. I know he has a proposal for Linear B, complete with encodings of each character... paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From froomkin at law.miami.edu Thu Apr 4 16:24:36 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Fri, 5 Apr 1996 08:24:36 +0800 Subject: New essay Message-ID: <Pine.SUN.3.91.960404113134.9576A-100000@viper.law.miami.edu> Not that it will say much you haven't heard before, but I have an essay on "The Internet as a Source of Regulatory Arbitrage" available at http://www.law.miami.edu/~froomkin/arbitr.htm It's an attempt to be less "legal". Only 93 footnotes! [The above may have been dictated with Dragon Dictate/Win 2.0 voice recognition. Be alert for unintentional strange word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From melman at osf.org Thu Apr 4 16:26:48 1996 From: melman at osf.org (Howard Melman) Date: Fri, 5 Apr 1996 08:26:48 +0800 Subject: software with "hooks" for crypto In-Reply-To: <2.2.32.19960403145406.0034a4d4@labg30> Message-ID: <9604041614.AA04108@absolut.osf.org.osf.org> On Wed Apr 3, 1996, John Deters wrote: > At 02:31 PM 4/2/96 -0800, you wrote: > >Hello all, > > > >I'm trying to figure out exactly what the laws are regarding the export of > >software which contains "hooks" for PGP. In various forms, I've heard > >that it's not the ITAR which prevents this, but more a "suggestion" by > >the NSA that we "shouldn't do it." Does anyone have any pointers to > >real legislation/laws regarding this? > > There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out > there. These are other PGP front end applications such as Private Idaho, > PGPShell and others that do NOT include PGP, nor do they contain any > encryption code within them. These applications are all billed as "freely > exportable". If your software does not contain any encryption code, such > that it simply "invokes" the users separately-obtained-and-installed copy of > PGP, you are not in violation of ITAR. It sounds like this is what you're > doing with your "hooks for PGP". I am not a lawyer. Hooks to encryption code have *sometimes* been considered "ancillary devices" and as such are in violation of ITAR. Calling another executable like pgp *might* be less of an issue than having source code hooks that call crypto library routines, but maybe not. (And no I don't understand why they would be different) NCSA had something related to this in their use of PEM/PGP in httpd. See some info at: http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html which says: Note: As of NCSA HTTPd 1.4.1, support for PEM/PGP encryption was removed in order to bring NCSA in compliance with the Internation Treaty on Arms Reduction to which the United States of America is a signatory. We hope to have an improved version available with NCSA HTTPd 1.5 from an export controlled server. In sum, check with a lawyer. Howard From jpps at voicenet.com Thu Apr 4 18:31:48 1996 From: jpps at voicenet.com (jpps at voicenet.com) Date: Fri, 5 Apr 1996 10:31:48 +0800 Subject: pgp keys Message-ID: <199604041655.LAA01570@laura.voicenet.com> Is there a reliable method for obtaining the pgp public key for an arbitrary email address? elm-2.4pl24pgp3 does a logical join on my local alias and keyring files; what I'm looking for is a way for my mua/mta to obtain keys I do not have. I've caught some of the discussion on key servers, and noted some people's use of their signature, plan, or home page to distribute their keys. Are some combination of these suitable today? Is there a parseable convention in use for extracting keys from mail/finger/html? Is there a "get_keyd" floating about? My goal is to make encryption the default behavior on outgoing mail. I am not concerned about local security. Thanks in advance. jps -- Jack P. Starrantino jpps at voicenet.com http://www.voicenet.com/~jpps From erice at internic.net Thu Apr 4 19:46:24 1996 From: erice at internic.net (Eric Eden) Date: Fri, 5 Apr 1996 11:46:24 +0800 Subject: Using crypt() Message-ID: <199604041747.MAA11669@ops.internic.net> I'm testing a encryption program that includes use of crypt(). (I know its not the strongest scheme.) Here's the problem: We ask users to e-mail us an encrypted password derived form the crypt() utility when they set up an account. When they want to change information related to the account, we ask them to e-mail the cleartext of the encrypted password. The program then checks to see if the cleartext matches the original encrypted password. If so, their information is automatically updated. The only problem is when users mistakenly supply cleartext initially, they can never update their information because the program isn't smart enough to realize that the user was submitting cleartext instead of an encrypted password when setting up their account. Is there any way to check and see if the text the user supplies initially has been encrypted or is cleartext? Or is there a better way to do this? The account does not contain financial information, otherwise a stronger scheme would be required. Right now the program allows the user to choose from the auth schemes MAIL-FROM, CYPT-PW or PGP. Any hints would be appreciated. Eric From jimbell at pacifier.com Thu Apr 4 20:13:17 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Apr 1996 12:13:17 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u4tAl-00090wC@pacifier.com> At 11:34 PM 4/3/96 -0800, Bill Stewart wrote: >>As usual, Unicorn is FOS. Not entirely in his facts, but in his >>conclusions. To "forbit third parties to reveal prosecution inquiries" is >>an obvious violation of freedom of speech, and in fact is PRIOR RESTRAINT. >>Maybe Unicorn can't see what's wrong with that, but I can. It is unclear >>whether this has ever been tested in court, or whether that test occurred >>recently. > >Black Unicorn is absolutely correct that this is generally the law. >Jim Bell is absolutely correct that laws like this are offensive and outrageous. >Unfortunately, Jim then rants at Unicorn for suggesting that this >would be the case; you'd think he'd be the first to realize that >there are laws out there that are offensive and outrageous and enforced. I really don't think you're giving me enough credit. I am fully aware that in the past, the organizations on which wire-tap-type subpoenas were served (primarily AT+T, "The phone company") were very cooperative with the police and probably "never" challenged the subpoena. There is the law, and there is the usual reaction to that law, and I expect that much of Unicorn's position is based on a (false) assumption that this reaction will necessarily continue unchanged. Besides, that phone company had a monopoly, so it wasn't possible for citizens to shop around for a phoneco that was known to make it hard for police. But that's changing, and that's my point. Now and in the future, it's going to be harder and harder for the police to get a bend-over-backwards level of cooperation, and in fact phonecos (and especially ISP's) might reasonably want to build up a reputation that they will defend a customer's security in court long before a wiretap is installed. Imaginative phonecos will find ways to inform the target legally, including naming the target as a non-hostile defendant in a court challenge to that wiretap, and noticing that target since he's now a party to a court action that must be noticed under civil procedure rules. In short, there is a drastic difference between blind obeisance and enthusiastic hostility, even if you exclude actions by the ISP or phoneco that would rise to the level of some crime. It is this difference which will change the previous ability of the police to get wiretaps done secretly. My point in the first paragraph that I am quoted in above is that many of the challenges that have never been made against wiretap subpoenas, due to a closer-than-arms-length relationship between the phoneco and the government, _will_ be challenged. Precedent, to the extent precedent exists, will be challenged on (among other things) the basis of the fact that this precedent was formulated during an era when essentially all telecommunications was monopolized and regulated, and there is no reason to believe that a previous telecom monopoly would have been diligent at protecting the rights of their captive customers against the interest of the government at that time. >>For example, if I ask my ISP to send me an anonymous, encrypted message with >>the word, "Rosebud" in it to me if he receives any requests to tap my >>connection, he can do so with no fear of being discovered, because no third >>party can decrypt the message, know who is is from, or know the real meaning >>of the word, "Rosebud" in the context of an encrypted, anonymized message. >>Further, since the whole thing is by pre-arrangement, even I cannot prove >>(to the satisfaction of a third party) that the message really meant what I >>would interpret it to mean. The message is useful to me, as a warning, but >>it could never turn around and "bite" the ISP. > >Now that's an interesting wrinkle to the problem. I suspect that, >as you suggest, there will be ISPs, especially in non-US jurisdictions, >that are willing to send out "Rosebud" messages to anonymous remailers, >or to fail to send "Remarque" messages, or to debit anonymous accounts >for data retrieval services rendered while also supporting billing-status >checking by anonymous remailers. From a crypto-anarchist dogmatic perspective, >it'll definitely happen, though there may be a rough transition until >there's enough critical mass to make it undetectable (and note that >"undetectable" is a tougher standard than "untraceable"...) I think we need to start challenging all the previously-assumed issues that have been interpretated to benefit the government. If my ISP has agreed, for instance, to send me daily certifications that he hasn't received any "official" inquiries about my account, and one day he receives such an inquiry and is forced to install some sort of a tap, it is hard for me to imagine what kind of legal precedent would allow (and, even, REQUIRE) him to continue to send false certifications when the alternative, simply failing to send any certifications whatever, is also "legal." (and, in fact, may be required under my contract with him, should he be obligated to do a tap or know one exists.) The fact that I'd likely interpret his failure to send those messages as meaning that my access is tapped is not within his control, and if he's unwilling to screw me I find it hard to believe that he can't act on this fact even if those actions have an indirect effect of alerting me. These are the kinds of issues that have either rarely or never been challenged in court, simply because the organization(s) that would normally do those challenges was in the hip pocket of government. It's going to be a brave new world very soon. Jim Bell jimbell at pacifier.com From rah at shipwright.com Thu Apr 4 20:15:04 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 5 Apr 1996 12:15:04 +0800 Subject: e$ Signorage Message-ID: <v02120d00ad89c2c2811b@[199.0.65.105]> At 9:35 AM 4/4/96, James Gleick (!) wrote: > Seigniorage is actually the Government's interest income on all the >currency in circulation. It's not obvious, but it's true, that the Fed >collects the "float" on dollar bills you carry in your pocket, exactly as >American Express collects the float on traveler's checks. Ah. That makes much more sense. I've always wanted to know what to call the interest an ecash issuer made on the e$ he had out on the net. "None Dare Call it Seigniorage." Sounds like a 50's movie title... > And, I don't know, call me crazy, but $20 billion sounds like a lot of >money to me. I bet that's a real number. In terms of its scale in the overall Federal Universe, to paraphrase Dirksen, "a billion here, a billion there..." Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From maldrich at grctechs.va.grci.com Thu Apr 4 20:26:28 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 5 Apr 1996 12:26:28 +0800 Subject: unsubscrive * Peter.Posch@koeln.netsurf.de In-Reply-To: <3163B992.132A@koeln.netsurf.de> Message-ID: <Pine.SCO.3.91.960404142543.16990A-100000@grctechs.va.grci.com> On Thu, 4 Apr 1996, Peter N. Posch wrote: > unsubscrive * Peter.Posch at koeln.netsurf.de Why don't we just patch Majordomo to recognize "unsubscrive", "unsuscribe", "unscribe," and "take me off this fucking list" as all being equal to "unsubscribe"? ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From frantz at netcom.com Thu Apr 4 20:51:04 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 5 Apr 1996 12:51:04 +0800 Subject: .sig followup Message-ID: <199604041930.LAA24745@netcom9.netcom.com> At 2:52 PM 4/4/96 +0200, Ulf Moeller quotes: >"In some ways the online environment in 1996 feels like Hong Kong in the >last days of British rule: a very free community wondering what's going to >happen as the forces of law and order start moving in." -- Charles Platt A better analogy would be free, peaceful, self governing Denmark waiting for the jack booted Nazi thugs to arrive and start hauling people off to jail. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Thu Apr 4 21:09:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Apr 1996 13:09:15 +0800 Subject: [NOISE] Re: Fascinating troll with forged newgroups In-Reply-To: <qo4uLD107w165w@bwalk.dm.com> Message-ID: <Pine.SUN.3.92.960404120337.12296A-100000@elaine28.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- My apologies for intruding in CDApunks/Bilingualpunks/CableTVpunks/INSpunks. On Thu, 4 Apr 1996, Dr. Dimitri Vulis wrote: > If your co-dependents had forged tale's digital signatures, then this > would be teresting. But tale doesn't use digital signatures. Therefore He should. > forging him is thing new, nothing fascinating, has no cryptographic > relevance, and probably edn't be reported to the cypherpunks mailing > list. I'm sure there are many ee-speech advocates on this list who find > your attempts to silence the Nazis ven _more distasteful then the Nazis' > messages of hatred. My attempts to silence the Nazis? That's a new one. So is the soc.culture.russian.moderated script freely available yet? I'd like to use a stripped-down version thereof (controlling crossposts only) for the talk.politics.natl-socialism that Milton Kleim and I proposed a week ago. - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWQuDI3DXUbM57SdAQEoaQP+JsSl9ZLA4ojZCfV49tC35/mB8YuGnOJJ UkTX2VSEOlZQr3KtoI7c8+H0yFJm4eWdFDoxQcjnxSIjt0tn7W2r/ZfIRdaGjcF6 7x22rPMvJ5SQfvr979G1oGHt5ntP0hWuqi2DVlq1Pp3c/GhmEly6JJOVnulnW1yE VuKmV5JZ7J4= =KYL5 -----END PGP SIGNATURE----- From JonWienke at aol.com Thu Apr 4 21:12:21 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 5 Apr 1996 13:12:21 +0800 Subject: Fwd: Anonymous code name allocated. Message-ID: <960404135136_264041269@emout04.mail.aol.com> [The following has been censored to protect the guilty.] >Subj: Anonymous code name allocated. >Date: 96-04-02 23:37:10 EST >From: daemon at anon.penet.fi (System Daemon) >To: jonwienke at aol.com > >You have sent a message using the anon.penet.fi anonymous forwarding service. >You have been allocated the code name anXXXXXX. >You can be reached anonymously using the address >anXXXXXX at anon.penet.fi. > >If you want to use a nickname, please send a message to >nick at anon.penet.fi, with a Subject: field containing your nickname. > >For instructions, send a message to help at anon.penet.fi. I tried sending a test message to the address indicated, and received it back a day later, so sending email to this address does reach me. The funny part is that I have never (to my knowledge) had any communication with anon.penet.fi prior to receiving this email. Questions: 1. How do I use this to SEND messages anonymously? Having an email address with no obvious link to my identity is cool, but I would like to be able to send as well as receive. I sent email to help at anon.penet.fi, but have received no response yet. 2. Why was I chosen for this? How did anon.penet.fi find out my email address? Is the NSA trying to lull me into a false sense of security in the hope that I will use this account to violate ITAR? 3. Has anyone else on this list received unsolicited remailer accounts? Jonathan Wienke --------------------- Forwarded message: From: daemon at anon.penet.fi (System Daemon) To: jonwienke at aol.com Date: 96-04-02 23:37:10 EST You have sent a message using the anon.penet.fi anonymous forwarding service. You have been allocated the code name an573530. You can be reached anonymously using the address an573530 at anon.penet.fi. If you want to use a nickname, please send a message to nick at anon.penet.fi, with a Subject: field containing your nickname. For instructions, send a message to help at anon.penet.fi. From kreidl at newrock.com Thu Apr 4 22:25:59 1996 From: kreidl at newrock.com (kreidl at newrock.com) Date: Fri, 5 Apr 1996 14:25:59 +0800 Subject: Why pay??? Message-ID: <199604042142.PAA24182@Ultra1.corenet.net> > >Thanks for your interest in Cypherpunks Lite. > >I provide a moderated version of the Cypherpunks list called >"Cypherpunks Lite". A one year subscription costs US$20 and is >payable by check or money order to "Communication Security Corp". >Cypherpunks Lite is available in either individual messages or a >more-or-less daily message digest. The content of both are the same. >In either case, I forward approximately 5 - 10% of the total >Cypherpunks feed. This works out to about 5 - 10 messages / day. > >To take a look at what you can expect there is an archive of the previous >selections organized by month at ftp://ftp.crl.com/users/co/comsec/cp-lite. >The files with the extension .gz are compressed using gzip. > >If you would like to subscribe, please send payment to: > > Communication Security Corp. > 1275 Fourth Street, Suite 194 > Santa Rosa, CA 95404 USA > >Be sure to provide the email address you want us to use, as well as >indicating your preference for individual messages or the digest. > Why would I pay if I can get it for free this way?????? ��������������������������� Chris (or Richard) Kreidl � kreidl at newrock.com � ��������������������������� From agil.home at mail.telepac.pt Thu Apr 4 22:38:57 1996 From: agil.home at mail.telepac.pt (Andr Gil) Date: Fri, 5 Apr 1996 14:38:57 +0800 Subject: No Subject Message-ID: <199604042352.XAA10616@mail.telepac.pt> unsubscrive * agil.home at mail.telepac.pt unsubscrive * agil.home at mail.telepac.pt unsubscrive * agil.home at mail.telepac.pt From markm at voicenet.com Thu Apr 4 22:55:36 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 5 Apr 1996 14:55:36 +0800 Subject: pgp keys In-Reply-To: <199604041655.LAA01570@laura.voicenet.com> Message-ID: <Pine.LNX.3.92.960404175528.4389A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Thu, 4 Apr 1996 jpps at voicenet.com wrote: > Is there a reliable method for obtaining the pgp public key for an > arbitrary email address? elm-2.4pl24pgp3 does a logical join on my local > alias and keyring files; what I'm looking for is a way for my mua/mta to > obtain keys I do not have. > > I've caught some of the discussion on key servers, and noted some > people's use of their signature, plan, or home page to distribute their > keys. Are some combination of these suitable today? Is there a > parseable convention in use for extracting keys from mail/finger/html? > Is there a "get_keyd" floating about? Mkpgp does what you describe. You can get it by sending mail to slutsky@ lipschitz.sfasu.edu with a subject of "mkpgp". As for extracting keys from finger info or a web page, you can just run pgp on a file containing the user's homepage or .plan file. On Unix, a command like "finger user at host. domain | pgp -kaf" will work. Basically a combination of fingering the user and querying the key servers will work most of the time. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMWRUeLZc+sv5siulAQE82gP/ffidQVvrdrCizxb+0pAbNRsF0k2AcZpz ukqDuEv082zRV4JHcUodgKjIQ6EMH7P4zw+5HTgzIRp1jNl0k82XZn6NdYMlfIsE FOui0/P2i4LTwDAP5zl3lUQmq1x8pxnHNi195m1xP7e9KfTYpXPtxhQuhyp3LJCg pVSMDBpcTL0= =7u18 -----END PGP SIGNATURE----- From markm at voicenet.com Thu Apr 4 23:08:39 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 5 Apr 1996 15:08:39 +0800 Subject: Using crypt() In-Reply-To: <199604041747.MAA11669@ops.internic.net> Message-ID: <Pine.LNX.3.92.960404174853.4227B-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Thu, 4 Apr 1996, Eric Eden wrote: > I'm testing a encryption program that includes use of crypt(). > (I know its not the strongest scheme.) Here's the problem: > > We ask users to e-mail us an encrypted password derived form the > crypt() utility when they set up an account. When they want to > change information related to the account, we ask them to e-mail the > cleartext of the encrypted password. The program then checks to see > if the cleartext matches the original encrypted password. If so, their > information is automatically updated. > > The only problem is when users mistakenly supply cleartext initially, > they can never update their information because the program isn't > smart enough to realize that the user was submitting cleartext instead > of an encrypted password when setting up their account. > > Is there any way to check and see if the text the user > supplies initially has been encrypted or is cleartext? The only way I can think of is if the text that the user supplies is not 13 characters long and contains characters not used in crypt(3) base64 encoding, then the text is definitely not a hashed password. This would catch nearly all cleartext passwords, although there is a little room for error. FYI, the characters used for base64 encoding are [0-9],[A-Z],[a-z],'/', and '.'. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMWRTIbZc+sv5siulAQGf3AP+LfrlTrpvQgFju2k5yOyUTAxHDGxjHWFg 9M32OU1/Lsj9DtVk/WJBqBmy3SfHJ0ZdppZlxsrT4eywTUaqeg+dOxrQ/WPMPz8c smNykbfmVvzdiwFn4pQJ4/mPiSzFOSz3vshgMnZHzum6SpQ1+Hd4WYPD0Qcsc83q 5SKrfDRfVSs= =IgUR -----END PGP SIGNATURE----- From EALLENSMITH at ocelot.Rutgers.EDU Thu Apr 4 23:12:57 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 5 Apr 1996 15:12:57 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <01I35I5KOWUU8ZE6BJ@mbcl.rutgers.edu> From: jim bell <jimbell at pacifier.com> >Far more acceptable (and useful to us) would be a rule which would mandate >the government's allowing the export of any program that had, say, the key >security provided by IDEA or less, regardless of what it did with that >encryption. (Not that I want _any_ restrictions; it's just that such a >limit would make it impractically large to attempt to crack.) As I pointed out earlier, one way (that would cause the NSA types problems trying to stop) would be to make legal for export anything which was no harder for the NSA to break than what's already out of the country. -Allen From agil.home at mail.telepac.pt Thu Apr 4 23:27:51 1996 From: agil.home at mail.telepac.pt (Andr Gil) Date: Fri, 5 Apr 1996 15:27:51 +0800 Subject: No Subject Message-ID: <199604042353.XAA10676@mail.telepac.pt> unsubscrive * agil.home at mail.telepac.pt unsubscrive * agil.home at mail.telepac.pt unsubscrive * agil.home at mail.telepac.pt From EALLENSMITH at ocelot.Rutgers.EDU Thu Apr 4 23:35:39 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 5 Apr 1996 15:35:39 +0800 Subject: Bad news from Judge Richey Message-ID: <01I35I2AXN1C8ZE6BJ@mbcl.rutgers.edu> From: tcmay at got.net (Timothy C. May) >At 3:28 AM 3/26/96, jim bell wrote: >>I realize that this may appear to be a rather disrespectful tactic, but have >>you considered reminding the judge that if you are not allowed to profit by >>exporting encryption that the government doesn't want to see exported, >>you'll just have to make money in some other way, and this may lead you to >>talk to Jim Bell about implementing a program using encryption that doesn't >>_need_ to be exported...legally anyway. >Whoahh! Hold on there, Jimbo! You're crossing the line. >You're coming perilously close to actually calling for the killing of a >federal judge. My recollection is that a couple of folks have been arrested >and charged for calling for the killing of judges. Umm... one would guess that a federal judge would be against the whole Assasination Politics idea, whether or not he himself became a target. I doubt that pointing AP out would do any good... but one can point out to a judge that, say, a mugger might mug him next without being threatening. -Allen From iang at cs.berkeley.edu Thu Apr 4 23:41:16 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Fri, 5 Apr 1996 15:41:16 +0800 Subject: [NOISE] Employers need pseudonymous off-shore remailers In-Reply-To: <v02120d4ead7e45b17945@[192.0.2.1]> Message-ID: <4k1nfk$4rt@abraham.cs.berkeley.edu> In article <v02120d4ead7e45b17945@[192.0.2.1]>, Lucky Green <shamrock at netcom.com> wrote: >Today, I tried to find out what it takes to hire someone who is in the US >on a student visa (F-1) as a consultant or part-time employee. The person >is an expert in his field. I don't know anyone available with a similar >proven track record. > >I thought, no problem, there are INS exceptions for foreign experts. So I >set on a quest to find out what it takes to get the INS to grant that >person a work permit. > >The process is simple. All I have to do is ask the California Employment >Development Department for a labor certificate, give that to the INS >together with an application and the required fees, after which they'll >issue the permit. > >Getting the certificate takes usually eight months, processing the >application about four months. So the whole process takes about *a year*. I >was stunned. Here I am willing to hire someone to work on a product that >will generate taxes in the US, and the bureaucrats are asking me to wait a >year. These people have lost any touch with reality. > >Not that *I* would do such a thing, but an off-shore pseudonymous remailer, >with payment in ecash might go a long way... > >[Disclaimer: Speaking only for myself, not for my employer] > Having recently been involved in a similar situation :-), I found that the following trick seems to work: have someone you know start a consulting company in another country (like Canada (yes, Canada is another country)). It seems an F-1 student (like me (for now; I'm trying to switch to J-1)) is allowed to work for a foreign company (as if the US government could prevent a foreign company from hiring a foreign citizen (well, it could try... (these nested parens are getting out of hand...))). So just contract work out to a foreign consulting company, which subcontracts work out to the F-1 student. - Ian From EALLENSMITH at ocelot.Rutgers.EDU Thu Apr 4 23:53:20 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 5 Apr 1996 15:53:20 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 ofVolume I] Message-ID: <01I35JEYE35K8ZE6BJ@mbcl.rutgers.edu> A very interesting essay, although I haven't had time to read over it in full (3 papers and an oral presentation due). I do have one question, and it concerns the introduction. You state that you are leaving out material that is currently in use - i.e., some of the most useful material. Why? I know that you don't currently have a fully anonymous nym... but if that was the reason, why not just release it under a fully anonymous nym? Mistrust of the remailers, or what? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Thu Apr 4 23:54:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 5 Apr 1996 15:54:56 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <01I35J1KFFB68ZE6BJ@mbcl.rutgers.edu> I have been doing some thinking about the whole key escrow retrieval matter. There are a couple of situations in which I can see real reasons for doing voluntary key escrow of sensitive material: A. You're afraid of losing the key. B. Your organization is afraid that you'll lose the key or be unavailable. The second can be handled internally via key sharing; if all the people you share the key with have as much to lose by the information getting out as you do, then they should be trustworthy and as hard to subpoena as you are. Encrypting the shared section with another, appropriate key should take care of the cop-stealing problem (i.e., they break into the machine). The first is more of a problem. If where you've entrusted your keys is known, then the cops can come in and strong-arm/subpoena your keys away. Thus, the basic protection mechanism should be denying them that knowledge. (Another protection mechanism is key sharing between key escrow organizations.) In other words, anonymous remailers with stable nyms for the key escrow organizations, together with fully anonymous digital cash. One problem in this is how the organization's reputation originally is established so people will deal with them so they can get a reputation.... etcetera. The basic method of doing so appears to be to post a digital cash bond. (I don't know the mathematics well enough to tell whether one could post verifiable digital cash with it still not being usable without a decryption step. If one can't, that's a real problem... but I suspect that one can.) The encryption on such a bond should be put into the hands of a group of above-ground "judges" via secret sharing, who would be a group of people chosen by the key escrow organization in hopes of their being trusted to resolve any disputes. Of course, digital receipts would be a big help here... -Allen From ravage at ssz.com Thu Apr 4 23:55:44 1996 From: ravage at ssz.com (Jim Choate) Date: Fri, 5 Apr 1996 15:55:44 +0800 Subject: A new law in the making? Message-ID: <199604050206.UAA01078@einstein.ssz.com> Forwarded message: > Date: Thu, 4 Apr 1996 00:24:08 -0500 (EST) > From: "Declan B. McCullagh" <declan+ at CMU.EDU> > Subject: FC: CDA Court Challenge: Update #4 > > The court wasn't happy with Boe's response. It gave Shea and the > government until April 17 to decide to include the entire record of > the Philly lawsuit -- and said that if they don't, the court would > appoint its *own* computer expert to demo the Net and blocking > software on April 30. This is a great idea if carried a little farther. Require courts in cases using technical or otherwise special evidence to appoint an indipendant expert to compare compare with the defence and prosecution experts. > litigators who do their homework." (Of course, Taylor conveniently has > deluded himself into believing the CDA is constitutional.) Are *any* of the current legal actions involved using either the 9th or 10th Amendment in their case? > We're back in court on 4/12, 4/15, and possibly 4/26. Good luck! Jim Choate CyberTects ravage at ssz.com From iang at cs.berkeley.edu Fri Apr 5 00:20:35 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Fri, 5 Apr 1996 16:20:35 +0800 Subject: What backs up digital money? In-Reply-To: <199604040402.AA10457@mail.crl.com> Message-ID: <4k1ql2$4vh@abraham.cs.berkeley.edu> And here's another data point I learned at CFP. <HEARSAY> Kawika Daguio (Federal Representative, Regulatory & Trust Affairs, American Bankers Association) mentioned that the Stamp Payments Act (or something like that) forbids "open" currencies in amounts less than $1. It seems certain casinos have been hit with this, when other businesses in the area started accepting their chips as "real" money. It seemed to me that he thought that ecash (Digicash's version) wouldn't fly in the US. </HEARSAY> We'll see, I guess... - Ian "Now where's the code for that library...?" From tcmay at got.net Fri Apr 5 00:20:45 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 16:20:45 +0800 Subject: unsubscrive * Peter.Posch@koeln.netsurf.de Message-ID: <ad89b90a150210042bde@[205.199.118.202]> At 11:59 AM 4/4/96, Peter N. Posch wrote: >unsubscrive * Peter.Posch at koeln.netsurf.de For the nth fucking time: How to subscribe to the Cypherpunks mailing list: send a message to "majordomo at toad.com" with the body message "subscribe cypherpunks". To unsubscribe, send the message "unsubscribe cypherpunks" to the same address. For help, send "help cypherpunks". Don't send these requests to the Cypherpunks list itself. And be aware that the list generates between 40 and 100 messages a day. From tcmay at got.net Fri Apr 5 00:21:37 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 16:21:37 +0800 Subject: the "unsubscrive" meme keeps on going. Message-ID: <ad8954b61102100499ab@[205.199.118.202]> At 1:28 PM 4/4/96, bryce at digicash.com wrote: >> unsubscrive * Peter.Posch at koeln.netsurf.de > > >I suspect that this meme propagates (especially among >non-native-English-speakers) via the list itself. Peter >Posch probably saw one of the previous "unsubscrives" and is >hoping it will work for him. Perhaps the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ A good insight. Reminds me of the "cargo cults." (If you don't know the story, here's a brief version: Pacific Islanders saw Americans bringing riches and technological gew-gaws to their islands in WWII. Then they left, leaving cargo crates and whatnot behind. The Islanders believed if they fashioned radio headsets out of coconuts and radios out of old logs that they could bring the Great Birds from the Sky back. (*) This has since gotten currency--through anthropologists, Ayn Rand, Richard Feynman, and others--as a short-hand description for people engaging in magical thinking that the _trappings_ of something will sympathetically bring on the real thing. Some might say Java is a cargo cult...hmmmhhh, Java is a Pacific island....hmmmhhh.) (* Note: In this age of hypersensitivity, sometimes called political correctness, there are likely to be lurkers who suddenly jump up at this characterization of "native peoples" and decry my characterization of them as "savages" (even though I have not used this word nor this attitude toward them). And some will claim that if more American learned Bahasa Indonesia there would not be this cultural imperialism that is repressing all people of color. Hey, I don't repress no coloreds!) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Fri Apr 5 00:22:06 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 16:22:06 +0800 Subject: .sig followup Message-ID: <ad89b81814021004f2eb@[205.199.118.202]> At 8:32 PM 4/4/96, Rich Graves wrote: > >CDAmeisters as an "invasion," but I really don't buy this stuff about >Cyberspace (a word only Barlow can say with a straight face) being a new ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >"place." It's just a communications medium, no more and no less real than >anything else. I think it would be better to stress that the online *is* This is not true. I use the word "cyberspace" with a straight face. It has long seemed perfectly descriptive to me. This doesn't mean I buy Barlow's "let's just declare independence" schtick. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From asgaard at sos.sll.se Fri Apr 5 00:44:37 1996 From: asgaard at sos.sll.se (Asgaard) Date: Fri, 5 Apr 1996 16:44:37 +0800 Subject: Navajo code-talkers In-Reply-To: <9604041824.AA1177@smtp1.chipcom.com> Message-ID: <Pine.HPP.3.91.960405034921.29585A-100000@cor.sos.sll.se> > English words). Furthermore the language is several centuries older > than Homer, so you have to deal with assorted archaisms. Then again, > if you know even a little of ancient greek linguistics, it gets easier. There has been this talk of the Navajos for a couple of weeks. I know they are an interesting people (oh, how beautiful was Ninibah Miriam Crawford, the beautiful representative of the Navajo Nation at the UN Environmental Conference in Stockholm 1972), but what about the Hopis? At the same conference I met David Monangaye, then the spiritual leader of the Hopi Nation (now dead), and Thomas Banyacya, now their spokesperson (and Thomas' daughter Loreena, oh, a true keeper of the earth). The Hopi word for Navajo is TASAVUH; literally "He who pounds his enemy's head with a rock", and for the communal and peace-loving Hopis the Navajos are an aggressive and ornery people who have been a headache ever since they invaded Black Mesa, shortly after the palefaces first appeared on the Hopis' sacred land. How funny that these head-pounders found a niche in the Pantheon of American Heroes. But no wonder they are the only Native American Nation to have more territory now than 100 years ago. Asgaard From tcmay at got.net Fri Apr 5 00:50:27 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 16:50:27 +0800 Subject: Why pay??? Message-ID: <ad89c05a16021004e389@[205.199.118.202]> At 9:44 PM 4/4/96, kreidl at newrock.com wrote: >> >>Thanks for your interest in Cypherpunks Lite. >> >>I provide a moderated version of the Cypherpunks list called >>"Cypherpunks Lite". A one year subscription costs US$20 and is >Why would I pay if I can get it for free this way?????? You are of course free not to subscribe. A solution I think 98% of us would subscribe to, so to speak. Personally, I take the full Cypherpunks feed. Others may take Eric Blossom's for-a-fee filtered list, still others may take the variously-priced filtered lists by others. As it should be. (Goldwater and Heinlein got it slightly wrong when they said "There ain't no such as a free lunch." While true in many ways, TANSTAAFL ignorest the great willingness of people to donate time, effort, articles, etc. In fact, I've put many thousands of hours into the Cypherpunks list, for which I've received not a single centime of compensation. And I have no problem with this, provided it remains voluntary.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jwhiting at igc.apc.org Fri Apr 5 00:51:26 1996 From: jwhiting at igc.apc.org (Jerry Whiting) Date: Fri, 5 Apr 1996 16:51:26 +0800 Subject: time/date hash Message-ID: <199604050027.QAA01957@igc2.igc.apc.org> Interesting note in current issue of PC Magazine about how DOS 4 and later generates volume ID numbers. Neil Rubenking describes a time/date hash of the form: month plus seconds day plus hundredths of seconds high byte of the year plus hours low byte of the year plus minutes I've actually been thinking about such a time/date hash during idle brain cycles. Any thoughts on how secure such a hash is, as in how collision proof if the input date is from today forward 50 years? thanks, Jerry Whiting 72627.746 at compuserve.com <- til our server is back up... From llurch at networking.stanford.edu Fri Apr 5 01:00:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Apr 1996 17:00:37 +0800 Subject: .sig followup In-Reply-To: <199604041930.LAA24745@netcom9.netcom.com> Message-ID: <Pine.SUN.3.92.960404122403.12946A-100000@elaine28.Stanford.EDU> On Thu, 4 Apr 1996, Bill Frantz wrote: > At 2:52 PM 4/4/96 +0200, Ulf Moeller quotes: > >"In some ways the online environment in 1996 feels like Hong Kong in the > >last days of British rule: a very free community wondering what's going to > >happen as the forces of law and order start moving in." -- Charles Platt > > A better analogy would be free, peaceful, self governing Denmark waiting > for the jack booted Nazi thugs to arrive and start hauling people off to > jail. There's no question about the thugs *arriving*. They're already here. Fighting them is an internal political battle, not an external battle. Yes they're clueless about the net, so in that sense you might see the CDAmeisters as an "invasion," but I really don't buy this stuff about Cyberspace (a word only Barlow can say with a straight face) being a new "place." It's just a communications medium, no more and no less real than anything else. I think it would be better to stress that the online *is* real life. Your money and gigs of information about you is online. It can be a force for freedom, or a force for totalitarianism. Right now, the momentum is entirely in the wrong direction, both online and in "real life." -rich From stewarts at ix.netcom.com Fri Apr 5 01:27:50 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 5 Apr 1996 17:27:50 +0800 Subject: Fascinating troll with forged newgroups Message-ID: <199604050320.TAA20210@dfw-ix4.ix.netcom.com> At 03:00 AM 4/4/96 -0800, you wrote: >Looks like the Nazis forged newgroup messages for rec.fag-bashing, >rec.org.kkk, and 100 RFD'd groups in order to get their little messages >across. > >How entertaining. What a marvelous new form of net.vandalism they've >discovered. Or is this not new? Oh, no, this sort of thing is not new. It happened more before the Great Renaming, but it's not new. The other possibility is it's troll trying to make it _look_ like the Nazis did it. From dan at dpcsys.com Fri Apr 5 01:30:47 1996 From: dan at dpcsys.com (Dan Busarow) Date: Fri, 5 Apr 1996 17:30:47 +0800 Subject: Using crypt() In-Reply-To: <199604041747.MAA11669@ops.internic.net> Message-ID: <Pine.SV4.3.91.960404184726.12501A-100000@cedb> On Thu, 4 Apr 1996, Eric Eden wrote: > The only problem is when users mistakenly supply cleartext initially, > they can never update their information because the program isn't > smart enough to realize that the user was submitting cleartext instead > of an encrypted password when setting up their account. Far from bulletproof, but the three Unice I just checked, SCO Unix, UnixWare and FreeBSD, all generate 13 character encrypted passwords. I believe this is the norm for crypt. Very few people around here have 13 character clear text passwords, those that do are either very security concious and won't use CRYPT-PW or it's just coincidental and their bad luck. Anyway, requiring the supposedly encrypted password to be 13 characters is probably about the best you can do. If crypt generated recognizable patterns it wouldn't be very useful, would it? I'm still debating whether or not to allow our clients to use this option. We may require clients registering domains to pick up a copy of PGP first. Dan -- Dan Busarow DPC Systems Dana Point, California From matt at wdi.disney.com Fri Apr 5 01:32:41 1996 From: matt at wdi.disney.com (Matthew Fuchs) Date: Fri, 5 Apr 1996 17:32:41 +0800 Subject: java: vending machine software (long) In-Reply-To: <QlMfpa2SMV0_1o3040@transarc.com> Message-ID: <199604041741.JAA07928@scrumpox.rd.wdi.disney.com> "Ted Anderson" <Ted_Anderson at transarc.com> writes: > > "Vladimir Z. Nuri" <vznuri at netcom.com> writes: > > Java seems to be catching on in a big way (only a few months ago, > > These are important ideas. I found them explored very nicely > in several papers written by Drexler and Miller (circa 1988!). They > are available in the collection "Ecology of Computation (1988)" and > via the Agorics Home page (http://www.webcom.com/~agorics). > > It seems that with the Web and Java now widely available the technical > means to implement these ideas are getting visibly closer. > Agorics is a company devoted to commercializing these ideas (Mark Miller is one of the founders. They're building a language for this called Joule with some interesting properties. Electric Communities (http://www.communities.com), a "sister" company, has rolled a number of these ideas into E, an extension of Java for safe, distributed communications. > > when one thinks about this, I think it becomes clear that we are going > > to see many, many new standards for code communication in the future. > > The most interesting thing I've heard along these lines was described > in a talk by Matthew Fuchs. He suggested the idea of using something > like SGML (of which HTML is a subset) to communicate between smart > agents. The idea is to provide a machine understandable equivalent > of a web form which could be used to send info back and forth. In > this application display instructions are not important, what is > important is the meaning assigned to the keywords. For example, in > a simple web page you might use <title>, <body>, <author>, <h1>, etc. > The browser knows how display these because for simple documents they > have a well defined meaning, but an automatic document indexer could > also easily find the title and author. > > Consider an airline reservation system. It might support a variety of > commands to answer queries and make reservations. Clearly once the > *meaning* is in hand, crafting a way to display it would be easy. So > you have a scheme which can be used with equal facility by > either a human or a machine. This allows for smooth transition from > human mediated to automated steps in a larger project (e.g. plan a trip > visiting these five cities) where some parts have been automated (e.g. > airline reservations) and other parts have not (say, hotel reservations). > > Further, the system can be built out of layers of objects that give > meanings to various keywords. Consider a bunch of keywords and > associated Java applets that understand dates and times (they know about > timezones and daylight savings and weekends and so forth). Another > level of objects knows how to manage schedules, and still another > layer knows about travel arrangements. The system used by a particular > airline uses all these objects to provide an interface for communicating > with customers (or their automated agents). > > Java seems ideal suited to be the active lubricant in such a system. This is a pretty good summation, without the slides. What I'd add, though is that I want the smart agents to be our WWW browsers (whose intelligence I can extend either through local development or by retrieving software over the Web). I want the browser to be the gateway integrating my local environment with the big world out there and I want it defending my interests. (I also want to get rid of the word "browser" because it is too limited.) If the Web is going to support social interactions and growth to a zillion nodes, it has to move from a client/server architecture (good for a browsing human) to a peer-to-peer architecture, like EDI, but without requiring ISO or ANSI approval to do anything ('cause my agent will do most of the browsing of the 100 potentially interesting sites ). We need a "meta-standard" for creating and combining domain-specific "mini-standards," and let the mini-standards battle it out in the marketplace. SGML and IDL are two potential meta-standards. Java provides a way to communicate base line functionality the first time I see a new standard. At the bottom of my home page are two recent paper submissions on this. The first ("Beyond the Write-Only Web") might be particularly interesting to this group as it talks about how to make a self-modifying malicious Java applet in the spirit of Ken Thompson's Turing Award Lecture. Matthew Fuchs matt at wdi.disney.com http://galt.cs.nyu.edu/students/fuchs Mobile distributed objects, distributed coordination, and lots and lots of languages From quester at eskimo.com Fri Apr 5 01:38:55 1996 From: quester at eskimo.com (Charles Bell) Date: Fri, 5 Apr 1996 17:38:55 +0800 Subject: Why pay??? In-Reply-To: <ad89c05a16021004e389@[205.199.118.202]> Message-ID: <Pine.SUN.3.92.960404190728.25894F-100000@eskimo.com> On Thu, 4 Apr 1996, Timothy C. May wrote: > > (Goldwater and Heinlein got it slightly wrong when they said "There ain't > no such as a free lunch." While true in many ways, TANSTAAFL ignorest the > great willingness of people to donate time, effort, articles, etc. In fact, > I've put many thousands of hours into the Cypherpunks list, for which I've > received not a single centime of compensation. And I have no problem with > this, provided it remains voluntary.) > The fact that you choose not to charge for your time does not make your time worthless. The value your voluntary efforts add should be assigned due compensation even if you choose to waive it. The failure to take such contributions into account is one of the most serious flaws in all current economic paradigms. I think this will become more apparent in decades to come, as old concepts of `work' and `jobs' obsolesce. Charles Bell From mccoy at communities.com Fri Apr 5 01:43:35 1996 From: mccoy at communities.com (Jim McCoy) Date: Fri, 5 Apr 1996 17:43:35 +0800 Subject: Why pay??? Message-ID: <v02140b00ad8a416cbdbd@[205.162.51.35]> At 3:44 PM 4/4/96, kreidl at newrock.com is rumored to have typed: > [...regarding CPLite subscriptions...] > > Why would I pay if I can get it for free this way?????? Because then useless noise (such as the message you posted) would automagically get filtered out. Some people do not have the time to filter the noise from signal on mailing lists and this service caters to their needs. jim From tcmay at got.net Fri Apr 5 02:03:47 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 18:03:47 +0800 Subject: Message-ID: <ad89ceca1802100447ee@[205.199.118.202]> At 11:52 PM 4/4/96, Andr� Gil wrote: > unsubscrive * agil.home at mail.telepac.pt > unsubscrive * agil.home at mail.telepac.pt > unsubscrive * agil.home at mail.telepac.pt What the hell is going on? We seem to be under attack by foreigners. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed From dlv at bwalk.dm.com Fri Apr 5 02:04:05 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 5 Apr 1996 18:04:05 +0800 Subject: Bad news from Judge Richey In-Reply-To: <01I35I2AXN1C8ZE6BJ@mbcl.rutgers.edu> Message-ID: <JT8VLD113w165w@bwalk.dm.com> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> writes: > Umm... one would guess that a federal judge would be against the > whole Assasination Politics idea, whether or not he himself became a target. It's worth noting that one of the new newsgroups that Rich Graves mentioned is: talk.politics.assassination Assassination Politics My congratulations to Jim Bell on getting his own newsgroup! --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From etoy at hijack.org Fri Apr 5 02:54:43 1996 From: etoy at hijack.org (THE HIJACK-CREW) Date: Fri, 5 Apr 1996 18:54:43 +0800 Subject: HANDS UP! Message-ID: <199604050514.HAA01145@www.hijack.org> HI THERE! THIS IS etoy! "the digital hijack" is NOW running ! the internet-underground has decided: it is definitely time to blast SOUND and ACTION into the net !!! our software-agents have invaded the main searchservers... ++++for more information check out : http://www.hijack.org/++++++++++ or get kidnapped live --> go to infoseek (netsearch-button on your browser) and search for: UNDERGROUND - CENSORSHIP - DISCO - XTC - CLINTON - PORSCHE - CRACK - KRAFTWERK - ELVIS - TERROR - PENTHOUSE - SEGA - MONDRIAN - SEXPISTOLS - FIREARMS - TARANTINO - DJ - STONES - NETWORKS - BASE - CRIME - WAR - BUSINESS - WOMEN - NET - SOCIETY - ART - CASTRO - PARADISE - ATHLETICS - PULP - CYBER - YELLO - PETSHOPBOYS - REM - HUSTLER - BITCH - GUEVARA - SEVESO - MELODYMAKER - PORNO - GABBER - ROLLERBLADES - REBEL - OASIS - COMMUNICATIONS - PLAYBOY - BELGIUM - ORB - AND MANY MORE... these keywords will all appear on the TOP 10 - LIST. take the link to hijack.org to get the hijack-experience like millions of bored internet-users... download the hijackers-sound, get the best pictures and help us free our friend KEVIN D. MITNICK, THE SUPERHACKER (charged for electronic-terrorism, maximum sentence: 460 years prison) ! we would be very happy to welcome you on our site. spread this new internet-lifestyle to your friends and to internet-freaks + surfers ! this is a underground art-project not a bastard-business mail. our grab robot "etoy.IVANA" got your email-address by cruising the net. for the hijack-crew etoy MARTIN KUBLI email mailme at etoy.com fax ++41 1 363 35 57 _______________________________________________________________________ http://www.hijack.org/ for highres-pictures: ftp.etoy.com /press etoy: leaving reality behind...abusing technology...flashing the net From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 5 02:54:50 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 5 Apr 1996 18:54:50 +0800 Subject: The Law Loft: Surviving the Biometric I.D. Card Message-ID: <01I35II8ALVW8ZE6BJ@mbcl.rutgers.edu> From: Rich Graves <llurch at networking.stanford.edu> >The replacement of income tax with sales and real estate taxes -- despite >the fact that such a move would be incredibly regressive -- would be a >very good thing for freedom. Agreed (re:freedom) ... but why are you claiming that real estate taxes are regressive? Unless there's some nonsense like Louisiana's homestead exemption (own your own home, get 100,000 subtracted off of the value for property tax purposes... which is just as biased against apartment-dwellers and renters as the morgage interest deduction), real estate taxes should be even or "progressive" in their distribution of the tax burden. -Allen From tcmay at got.net Fri Apr 5 03:16:26 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Apr 1996 19:16:26 +0800 Subject: Why pay??? Message-ID: <ad8a0b671a02100485a6@[205.199.118.202]> At 3:14 AM 4/5/96, Charles Bell wrote: >The fact that you choose not to charge for your time does not make your >time worthless. The value your voluntary efforts add should be assigned >due compensation even if you choose to waive it. I didn't say my time is "worthless." But the term "worthless" (and "worth" and "value" and suchlike) are not defined in absolute terms, only in market terms. Commodities, including labor, are valued by what others will exchange for them. The notion that my efforts "should be assigned due compensation" is a flawed view of how markets determine prices and wages. There is no "assignment" absent a market. (On the other hand, I certainly will not object if Charles calls together his like-minded friends, evaluates my postings over the past several years, and "assigns due compensation." Hey, it won't cost me anything. But somehow I doubt I'll see any of this due compensation that Charles and Company assign to me.) This gets into economic issues, so I'll drop it here. I just wanted to correct this misapprehension that I was claiming my time is "worthless." >The failure to take such contributions into account is one of the most >serious flaws in all current economic paradigms. I think this will become >more apparent in decades to come, as old concepts of `work' and `jobs' >obsolesce. All the more reason to get beyond our current system, where governments set minimum wages, impose salary freezes, sue companies for charging too much (or too little) for products, and interfere in economic transactions in many other ways. With strong cryptography, at least the purely crypto-anarchic transactions will be this way. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From A5113643667 at attpls.net Fri Apr 5 03:22:08 1996 From: A5113643667 at attpls.net (Tom Jones) Date: Fri, 5 Apr 1996 19:22:08 +0800 Subject: Article on PGP Viacrypt Message-ID: <682D3253> Dear Cypherpunks, ---------------- Received: by attpls.net with Magicmail;3 Apr 96 09:19:59 UT Date: 5 Apr 96 02:14:38 UT Sender: owner-cypherpunks at toad.com (owner-cypherpunks) From: owner-cypherpunks at toad.com (owner-cypherpunks) Subject: Re: Article on PGP Viacrypt To: walter at cithe302.cithep.caltech.edu (Chris Walter) cc: cypherpunks at toad.com (Cypherpunks) Message-Id: <199604030451.UAA06038 at slack.lne.com> In-Reply-To: <<WALTER.96Apr2124421 at cithe302.cithep.caltech.edu> from "Chris Walter" at Apr 2, 96 08:44:20 pm> X-X-AUTHENTICATION-WARNING: toad.com: majordom set sender to owner-cypherpunks using -f I would have to agree that if businesses are to use PGP that "good" key escrow MUST be provided. Peace ..Tom Chris Walter writes: > > Hi Folks, > > There is an interesting article by Simon Garfinkle in this > morning's(Apr 2nd) electronic version of the San Jose Mercury news. > Its on the index page so I don't think you need an account to read > it. > > The article deals with the new key management features and extensions > in Viacrypt and how PRZ is upset since it allows employers to read > their employees messages. I read it this morning. The gist is that this new evil PGP lets your employer SPY ON EVERYTHING YOU DO! And was written in about that tone. I was disappointed by the article. I don't know if Simson is deluded about the use of Viacrypt PGP, or the article got hacked up by by ignorant/malicious editors, or my understanding of Viacrypt PGP is competely wrong. I thought the purpose to putting key escrow (that's real escrow not GAK) into PGP was to allow its use for business purposes. Often in business use you're not too concerned with keeping secrets from your employer or fellow employees, but do want to keep those secrets within the company. And there is a real concern that you might encrypt company-secret stuff and then fall off your motorcycle and get run over by a truck, leaving your securely-encrypted company secrets suddenly inaccessable to the company... Key escrow, with the keys held by the company, is designed to prevent this problem. The article failed to mention that you're not prevented from using a non-escrow PGP for personal secrets (could Viacrypt PGP prevent you from using PGP 2.6.2? I don't think so) and made it sound like Viacrypt PGP is designed to allow nosy employers to spy on employees encrypted email. I guess it would, if the employers were that nosy and the employees dumb enough to use company-provided escrowed PGP to send personal secrets. But that theory's about as credible as the Clipper chip proponents's "dumb crooks" theory where crooks would want encrypted phones but be dumb enough to forget that the Government held the keys... Simson's the one main-line journalist who writes about internet and computer issues that I still think has a clue, and has written a pretty good book about PGP, so I'd be suprised if he got this so wrong. On the other hand, I haven't used this new Viacrypt PGP and I'm going on what I think that escrowed PGP is really good for. Maybe my feeling about that have blinded me to reality. Or, most likely, the editor(s) hacked the story up either out of ignorance or to present a viewpoint that they had already decided they want to present, truth be damned. If I wanted to present a conspiracy theory about the government wanting to discourage use of PGP for businesses, this would be the place to do it. If PGP gains a foothold in the businessplace it'll be nearly impossible to eradicate, given the fact that (big) business essentially runs the country. Key escrow will make PGP a lot more usefull to businesses, increasing its use. I'm sure you can fill in the rest of the theory. > http://www.sjmercury.com/business/priv401.htm > -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF --- NOTICE: This message originally included graphics and/or sounds which can only be received by AT&T PersonaLink(sm) subscribers. You received only the text portion(s) of the message. Please contact the sender for information that was deleted. To learn how to send and receive graphics, voice and text messages via AT&T PersonaLink Services, call 1-800-936-LINK. ---------------- From WlkngOwl at UNiX.asb.com Fri Apr 5 03:38:57 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Fri, 5 Apr 1996 19:38:57 +0800 Subject: Video retraces as a source of entropy... Message-ID: <199604050236.VAA01556@unix.asb.com> On 4 Apr 96 at 5:58, Laszlo Vecsey wrote: [..] > > In pseudo-C: > > > > int retrace(void) { // test for video retrace > > #ifdef __MSDOS__ > > return (port[0x3da] & 8); // Some VGA, maybe EGA cards > > #else > > // your OS here > > #endif > > } > > [..] > > x = 0; > > while (!retrace()) x++; > As far as I know, while(retrace()) will loop until vertical retrace > begins, and then you call while(!retrace()) and that will loop until > vertical retrace is over. (Or it may be the other way around). Sloppy pseudo-C code. The code I've been experimenting with waits until it's no longer in a vertical retrace (if one is still active since the last sample) and then collects the sample when the next vertical retrace occurs. [..] > What if the screen is filled with different colors, or shapes. On some > monitors you can actually see the size of the screen changing, warping out > a little.. maybe the time for retrace will be different when painting > screens with different data. I haven't done a lot of tests yet.... and even then, it's probably very system specific. Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From frantz at netcom.com Fri Apr 5 03:43:02 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 5 Apr 1996 19:43:02 +0800 Subject: Why pay??? Message-ID: <199604050818.AAA25870@netcom9.netcom.com> At 7:14 PM 4/4/96 -0800, Charles Bell wrote: >On Thu, 4 Apr 1996, Timothy C. May wrote: > >> >> (Goldwater and Heinlein got it slightly wrong when they said "There ain't >> no such as a free lunch." While true in many ways, TANSTAAFL ignorest the >> great willingness of people to donate time, effort, articles, etc. In fact, >> I've put many thousands of hours into the Cypherpunks list, for which I've >> received not a single centime of compensation. And I have no problem with >> this, provided it remains voluntary.) >> > >The fact that you choose not to charge for your time does not make your >time worthless. The value your voluntary efforts add should be assigned >due compensation even if you choose to waive it. > >The failure to take such contributions into account is one of the most >serious flaws in all current economic paradigms. I think this will become >more apparent in decades to come, as old concepts of `work' and `jobs' >obsolesce. IMHO, another failure is that not all compensation can be expressed in money. Feeling good about making a contribution is an example. Another is the "guaranteed" place in heaven for the suicide bomber. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From richieb at teleport.com Fri Apr 5 04:13:00 1996 From: richieb at teleport.com (Rich Burroughs) Date: Fri, 5 Apr 1996 20:13:00 +0800 Subject: Message-ID: <2.2.32.19960405071419.0068c65c@mail.teleport.com> At 08:37 PM 4/4/96 -0800, you wrote: >At 11:52 PM 4/4/96, Andr� Gil wrote: >> unsubscrive * agil.home at mail.telepac.pt [snip] >What the hell is going on? We seem to be under attack by foreigners. > >--Tim It's hard to understand. I can't velieve it. >Voycott "Vig Vrother Inside" software! >We got computers, we're tapping phone lines, we know that that ain't allowed Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From unicorn at schloss.li Fri Apr 5 04:30:32 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 5 Apr 1996 20:30:32 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <m0u4tAl-00090wC@pacifier.com> Message-ID: <Pine.SUN.3.91.960404182031.758A-100000@polaris.mindport.net> On Thu, 4 Apr 1996, jim bell wrote: > At 11:34 PM 4/3/96 -0800, Bill Stewart wrote: > >Black Unicorn is absolutely correct that this is generally the law. > >Jim Bell is absolutely correct that laws like this are offensive and outrageous. > >Unfortunately, Jim then rants at Unicorn for suggesting that this > >would be the case; you'd think he'd be the first to realize that > >there are laws out there that are offensive and outrageous and enforced. > > I really don't think you're giving me enough credit. I am fully aware that > in the past, the organizations on which wire-tap-type subpoenas were served > (primarily AT+T, "The phone company") were very cooperative with the police > and probably "never" challenged the subpoena. There is the law, and there is > the usual reaction to that law, and I expect that much of Unicorn's position > is based on a (false) assumption that this reaction will necessarily > continue unchanged. Now, if this is your postion, let's see some support. If you're trying to tell me that your going to see some mass uprising of the baby ISP's just because compelled discovery orders leave a sour taste in Mr. Bell's or anyone else's mouth, I just think you are a fool. Compelled discovery orders work because they are backed with the very credible threat of financial and custodial sanctions. Obstruction, or conspiracy is a crime, and in the case of the FBI, a federal crime of some magnitude. While some ISP's may indeed feel they are able to resist the whims and enforcement powers of the United States, they are likely to be offshore, small, and viewing themselves as out of the reach of U.S. jurisdiction. With the scope of U.S. jurisdiction for compelled discovery, however, I think that most ISP's will find themselves in for significant surprises. Mr. Bell somehow assumes that smaller ISP's will be less vulnerable. I believe this in error. Smaller ISP's won't even have the financial wherewithall to fight a compelled discovery order properly, much less actualy prevail in court where it is firmly estlablished that compelled discovery orders will be enforced and enforced with vigor, and that judicial review will be a waste of time. Part of Mr. Bell's error lies in his basic assumptions about the political makeup and convictions of the general business community, even the small business community. Mr. Bell, as demonstrated by his belief that small ISP's and other service providers will risk freedom, fines, and asset forfeiture, seems to think that the rumblings of a grass roots revolution are in the wind. Why Mr. Bell thinks this, other than the fact that it seems his personal fantasy, is without explanation. It is worth bearing in mind that subpoenas are not the only tool that authorities can use to affect compliance. In many cases authorities simply seize the equipment and hold it for the statuatory period before which they are required to file charges in. The Ripco BBS in Chicago, victim of the Sun Devil raids, is a prime example. In that case the equipment was seized (via sealed warrant which later proved to authorize seizure of "computer or other electronic equipment of any nature." and in actuality resulted in the seizure of everything from disks to printers to telephones), and held for five years before finally being returned. Clearly it was obsolete by this time. No charges have been filed. While I'm sure Mr. Bell would sacrifice hardware, freedom, cash, (though I'm sure he would insist on representing himself), and time to fight the tyrany of the FBI, I don't see every ISP suddenly turning into a Montana freemen armed standoff with the authorities, which is what it would practically take to resist such warrants and exercise of authority, even by preemptive or malicious encryption or disposal of data. In short, welcome to the real world, Mr. Bell. > Besides, that phone company had a monopoly, so it wasn't possible for > citizens to shop around for a phoneco that was known to make it hard for > police. But that's changing, and that's my point. Now and in the future, > it's going to be harder and harder for the police to get a > bend-over-backwards level of cooperation, and in fact phonecos (and > especially ISP's) might reasonably want to build up a reputation that they > will defend a customer's security in court long before a wiretap is > installed. In practice many ISP's or phone co's will not have the opportunity to defend the matter in court without their services and equipment being forcibly seized preemptively. > Imaginative phonecos will find ways to inform the target > legally, including naming the target as a non-hostile defendant in a court > challenge to that wiretap, and noticing that target since he's now a party > to a court action that must be noticed under civil procedure rules. So the ISP sues their client to notify them of the wiretap? Or the ISP sues the FBI and then draws the client into the suit? I'm not sure what you mean here. In any event it's a totally meaningless point as ongoing investigations could easily be blinded and the ISP or telco charged with willful obstruction or conspiracy to destroy material evidence to a crime, accessory after the fact in effect. > In short, there is a drastic difference between blind obeisance and > enthusiastic hostility, even if you exclude actions by the ISP or phoneco > that would rise to the level of some crime. What you have described is a crime. Your "clever" lawsuit isn't going to fool any judge, or anyone else. > It is this difference which > will change the previous ability of the police to get wiretaps > done secretly. Wrong. See above. > My point in the first paragraph that I am quoted in above is > that many of the challenges that have never been made against wiretap > subpoenas, due to a closer-than-arms-length relationship between the phoneco > and the government, _will_ be challenged. This argument relies heavily on the absence of other persuasion to comply with wiretaps, which, as I have demonstrated, exist in abundance. Thus the thing falls in upon itself. > Precedent, to the extent > precedent exists, Significant precedent exists, see my note. > will be challenged on (among other things) the basis of > the fact that this precedent was formulated during an era when essentially > all telecommunications was monopolized and regulated, and there is no reason > to believe that a previous telecom monopoly would have been diligent at > protecting the rights of their captive customers against the interest of the > government at that time. You're claiming that a court is going to distinguish the case where a small ISP/telco refuses to comply with a compelled discovery order from a case where a large telco typically complies with a discovery on the basis that the large company complies only under compulsion or in self interest? This amounts to "A obeys the law because he wants to. B doesn't want to obey the law, therefore B need not." The "attorney" who makes this argument will be laughed out of the courtroom. > I think we need to start challenging all the previously-assumed issues that > have been interpretated to benefit the government. If my ISP has agreed, > for instance, to send me daily certifications that he hasn't received any > "official" inquiries about my account, and one day he receives such an > inquiry and is forced to install some sort of a tap, it is hard for me to > imagine what kind of legal precedent would allow (and, even, REQUIRE) him to > continue to send false certifications when the alternative, simply failing > to send any certifications whatever, is also "legal." As I have tried to explain to Mr. Bell before, the days of legal formalism are over. Substance over form prevails today. The substance of this transaction is to inform the client that an investigation is ongoing. This is a major no-no, whatever Mr. Bell thinks he knows. > (and, in fact, may be > required under my contract with him, should he be obligated to do a tap or > know one exists.) As I explained before, contracts are void to the extent they are illegal. Mr. Bell's response? "Well, then we'll kill him and enforce the contract that way." > The fact that I'd likely interpret his failure to send those > messages as meaning that my access is tapped is not within his control, and > if he's unwilling to screw me I find it hard to believe that he can't act on > this fact even if those actions have an indirect effect of alerting me. Your use of the word "indirect" is stretching the bounds of the imagination. A judge, unless sleeping through argument, would see through this like glass. > These are the kinds of issues that have either rarely or never been > challenged in court, simply because the organization(s) that would normally > do those challenges was in the hip pocket of government. It's going to be a > brave new world very soon. Incorrect. They have been challenged time and time again in the context of compelled discovery. Time and time again compelled discovery has been required, TRO's forbidding the destruction of documents and other evidence issued, search warrants and seizure effected in place of subpoena. The telco in past has not complied with such orders because of some grand government conspiracy, although I realized Mr. Bell finds such things immensely sexy. It has complied because its officers faced criminal and financial sanctions for non-compliance. There are ways to resist compelled discovery. These are not they. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nobody at REPLAY.COM Fri Apr 5 04:44:08 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 5 Apr 1996 20:44:08 +0800 Subject: Fascinating troll with forged newgroups Message-ID: <199604050940.LAA01439@utopia.hacktic.nl> Bill Stewart wrote: >At 03:00 AM 4/4/96 -0800, you wrote: >>Looks like the Nazis forged newgroup messages for rec.fag-bashing, >>rec.org.kkk, and 100 RFD'd groups in order to get their little messages >>across. >> >>How entertaining. What a marvelous new form of net.vandalism they've >>discovered. Or is this not new? > >Oh, no, this sort of thing is not new. It happened more before the >Great Renaming, but it's not new. The other possibility is it's troll >trying to make it _look_ like the Nazis did it. The latter is most likely the truth given that Bnai Brith and the ADL and the Simon Wiesenthal centre all have plenty to gain financially by claiming that the internet is full of neo-nazis. From JonWienke at aol.com Fri Apr 5 05:22:37 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 5 Apr 1996 21:22:37 +0800 Subject: More visprint stuff Message-ID: <960405042910_264590150@emout08.mail.aol.com> >An alternative would be to supply a distinct name for each octet. Hashes >could >be displayed and verified something like: > >Frog Lizard Snake Tyranosaur >Cat Hat Rat Chair >Star Moon Sun Earth >Lincoln Washington Clinton Kennedy > >Ideally, there would be minimal confusion in the set of images/objects/names >(to avoid the "is that a Tyranosaur or a Lizard?" type questions.) Why not create a list of of syllables (256 would work nicely) designed in such a way that when combined together at random, they would always form a pronounceable (but otherwise nonsense) word pair? These words would be guaranteed to be as unique as the fingerprint, fairly easy to remember, and a perfect icebreaker at parties. (Imagine the reaction you would get if you sidled up to someone and tried "SOBgoFALpinHOGmiDOwop PORtudeINfoGLOPsabRIvar" as a pickup line.) The challenge to this approach, of course, is to come up with 256 reasonably distinct syllables. Jonathan Wienke P.S. AOL's send mail software is a wothless piece of ****. P.P.S. These "unsubrscive" pea-brains all need one of those Louis Freeh-style leather belts with their names embossed on the back in BIG letters... From wlkngowl at UNiX.asb.com Fri Apr 5 05:28:04 1996 From: wlkngowl at UNiX.asb.com (Mutant Rob) Date: Fri, 5 Apr 1996 21:28:04 +0800 Subject: Blue Water spooks In-Reply-To: <Pine.SUN.3.91.960331184105.18816I-100000@polaris.mindport.net> Message-ID: <3164F3BE.C5E@unix.asb.com> Black Unicorn wrote: [..] > Bottom line: The Chinese have often extended their intelligence > operations beyond their borders, even boldly. I remember after Tiannamen Sq. many protests/meetings help by Chinese were semi-secret or they did their best to keep cameras out, or in many of the public ones people disquised themselves (from wigs and makeup to outright bandanas or bags over their faces) because of fear that the Chinese authorities would see them and persecute relatives who were still there. ObCPunk: Anonimity is important not just in the cybernetic aether. From ses at tipper.oit.unc.edu Fri Apr 5 06:56:49 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 5 Apr 1996 22:56:49 +0800 Subject: e$ Signorage In-Reply-To: <1.5.4b13.32.19960404143637.006a92b8@pop3.interramp.com> Message-ID: <Pine.SOL.3.91.960404231459.28168A-100000@chivalry> On Thu, 4 Apr 1996, James Gleick wrote: > Seigniorage is actually the Government's interest income on all the >currency in circulation. It's not obvious, but it's true, that the Fed And there I was thinking it was the right for Greenspan to sleep with any unmarried woman on the eve of her wedding... --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From dlv at bwalk.dm.com Fri Apr 5 07:13:15 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 5 Apr 1996 23:13:15 +0800 Subject: In-Reply-To: <ad89ceca1802100447ee@[205.199.118.202]> Message-ID: <LNuwLD116w165w@bwalk.dm.com> tcmay at got.net (Timothy C. May) writes: > At 11:52 PM 4/4/96, Andr=C8 Gil wrote: > > unsubscrive * agil.home at mail.telepac.pt > > unsubscrive * agil.home at mail.telepac.pt > > unsubscrive * agil.home at mail.telepac.pt > > > What the hell is going on? We seem to be under attack by foreigners. Maybe they were offended by the politically incorrect discussions on this list? :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rah at shipwright.com Fri Apr 5 07:38:22 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 5 Apr 1996 23:38:22 +0800 Subject: Wired didn't like this one.... Message-ID: <v02120d03ad8ab73d36b6@[199.0.65.105]> --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: rah at shipwright.com (Robert Hettinga) Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 4 Apr 1996 21:21:19 -0500 Precedence: Bulk To: Multiple recipients of <e$@thumper.vmeng.com> Subject: Wired didn't like this one.... -----BEGIN PGP SIGNED MESSAGE----- ...but I like it. Said it was a little too "fast paced". (For WIRED???) I'm starting over on another, so you guys might as well see this one... It *was* supposed to go into their Idees Fortes (Or, as my brother Mike in Albuqerque says, in his best Jose Jimenez, "Stron' Gideas") section. Now something else is, once I write it. Feh! It's 800 words. Exactly. Cheers, Bob Hettinga ------------------------ Geodesic Capital? Robert Hettinga I've just finished a bit of anonymous consulting on the net for an anonymous client, being paid, of course, in anonymous digital ecash(tm). I could just store it, offsite even, anonymously. But, I'm saving it for that special retirement habitat in the Belt ("Gerry's Habitats, Inc.: Pie in the sky, Nano-Built(tm) *before* you die!"). I have to *invest* it somewhere. I buy a page of mutual fund reccomendations from a LipperBot(tm). In my case, I just want to buy a broad market index, say, the (ahem) Hettinga Million(tm), and shop around for the fund server which approximates closest the HM's price over time. I link to the server, and buy anonymous bearer certificates for that server's HM fund. Later, when I cash in my certificates, I have enough appreciated capital to buy the custom Bernal sphere of my dreams. Of course, if my tolerence for risk is higher, I could buy shares from a fund manager (bot or otherwise, no way to tell with anonymous cash markets) with a hot hand for picking stocks. OK. Say I don't actually *save* money. I'm someone who borrows money for very short term "assets" like resturaunt meals, and pays the incurred debt off over the long term at some userous interest rate. How do I do this? I issue a personal digital bearer bond for the amount of the transaction. All I need is someone to underwrite the risk. Fortunately, I always have an efficient real-time market to auction it into, one that always knows my payment reputation, thanks to all those money-bots in the ubiquitous network. Voila'! Bring on the chateaubriand for one, waiter, and don't spare the bearnaise, all this thinking about money's made me hungry. What we're talking about here is nothing new, of course. We've had trade ever since we've had artifacts. The ancient "red-paint" culture was just a trading network which ran around the north Atlantic from New England to as far as Ireland. So much for the "New" World. The oldest surviving Babylonian money is a piece of clay saying "three cows" wrapped in a clay "envelope" saying something like "three cows, payable on demand, so say I, (signed) Joe Nebbuchenazzar". This happened shortly after writing was invented, which was actually invented for *accounting*. Mechanical signatures like chops and seals have been around since. Digital signatures and bearer certificates are just a new implementation of some *very* old stuff. Ornate paper certificates, representing shares in companies, or actual stuff, was physically traded for other ornate paper certificates (cash), or actual stuff, at places like the famous buttonwood tree on Wall Street. Pretty soon people didn't have to be there to trade. We built fast industrial communications (staged horsemen or coaches, then ships or trains, then telegraphy, then telephony) but we still had slow switches (people), so we had to build all the communication/organization/market hierarchies we know and love today. In addition, the power of the state (another industrial communication heirarchy) provides a sizable argumentum ad bacculum for people who repudiate trades. If you don't pay, I throw you in jail. Like every thing else, Moore's law changes that. Proportionately, semiconductor switches get more and more cheaper than lines, so the telephone network is no longer a hierarchy. Nodding to Buckminster Fuller, Peter Huber called it the "Geodesic Network", the title of the 1986 government report he wrote describing it. Ironic. I'm here saying this in a magazine founded by deciples of Stwart Brand, himself a one-time Fullerite. All threads lead to Bucky. When you combine a geodesic network with strong cryptography, you get a geodesic economy, which needs geodesic capital. Just change the size of players in either equity or debt scenario, and you're looking at what any large business organization does today. The only thing you're missing is how to deal with non-repudiation. If the state can't tax transactions or financial assets because strong crypto makes them all invisible, states can't exist, much less "bacculize" very well. The solution is the same it ever was: reputation. J. Pierpont Morgan said, when hauled before Congress one afternoon, "Character, sir. I wouldn't buy anything from a man with no character, even if he offered me all the bonds in Christendom." In a geodesic economy, reputation is abstracted to keys, not people. Geodesic capital scales up to bigger stuff than we can do now. A chaotic hoarde of autonomous money-bots swarms on the minutia of the necessary financial complexity. It also scales *down* as processor prices fall. Real time, MicroMint(tm) cash-on-the-router-head auctions for packet switching, anyone? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWR/ovgyLN8bw6ZVAQHCkQP7BPmSNibfRQLeZETvRkUVGJdPB0WOYrTM yU33wwqDPBEcwfYLgX4oBcAfHv/Kfvr1vH4bBTioEVyanVDtJLt9KL/62kn+Ot+/ BLDdBM6Km1R/xRD9xnvQd5Kyz2INQCmNU7ZJk3BQpK484V74aW6We155fH2ovjr3 TgQ6mYMe7rs= =GVNA -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From unicorn at schloss.li Fri Apr 5 14:32:24 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 6 Apr 1996 06:32:24 +0800 Subject: A new law in the making? In-Reply-To: <199604050206.UAA01078@einstein.ssz.com> Message-ID: <Pine.SUN.3.91.960405103144.13105B-100000@polaris.mindport.net> On Thu, 4 Apr 1996, Jim Choate wrote: > > Forwarded message: > > > Date: Thu, 4 Apr 1996 00:24:08 -0500 (EST) > > From: "Declan B. McCullagh" <declan+ at CMU.EDU> > > Subject: FC: CDA Court Challenge: Update #4 > > > > The court wasn't happy with Boe's response. It gave Shea and the > > government until April 17 to decide to include the entire record of > > the Philly lawsuit -- and said that if they don't, the court would > > appoint its *own* computer expert to demo the Net and blocking > > software on April 30. > > This is a great idea if carried a little farther. Require courts in cases > using technical or otherwise special evidence to appoint an indipendant > expert to compare compare with the defence and prosecution experts. This is a hard thing to do in U.S. courts just because of the way the history and jurisprudence of the U.S. legal system works. That is, the neutral finder of fact does not typically participate in investigations of his or her own, but relies on the adverse parties to develop truth through the clash of their respective interests before him/her. Many jurisdictions allow an active judiciary in this regard. Its nearly improper in the U.S. > > > litigators who do their homework." (Of course, Taylor conveniently has > > deluded himself into believing the CDA is constitutional.) > > Are *any* of the current legal actions involved using either the 9th or 10th > Amendment in their case? > > > We're back in court on 4/12, 4/15, and possibly 4/26. > > Good luck! > > > Jim Choate > CyberTects > ravage at ssz.com > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jya at pipeline.com Fri Apr 5 15:15:12 1996 From: jya at pipeline.com (John Young) Date: Sat, 6 Apr 1996 07:15:12 +0800 Subject: RIC_odj Message-ID: <199604051541.KAA07895@pipe4.nyc.pipeline.com> 4-5-96. TWP: "At the Justice Dept., Big Government Keeps Getting Bigger" In the tug-of-war over downsizing the government, Republicans and Democrats still willingly take out the checkbook when crime is the issue. Over the past 16 years, a time in which both parties have controlled Congress, Justice's budget has grown by nearly 600 percent and its work force has expanded from about 55,000 employees to 94,000. Justice is only one part of this phenomenal crime- fighting growth. Where the federal government once relied mostly on the FBI, the federal buildup is creating several large police agencies. More than 41,000 criminal investigators now work for 32 federal agencies. "It has grown like Topsy," says former AG Griffin B. Bell. "What I worry about is that people with a badge many times can't manage power." Senior members of Congress with oversight responsibility for DoJ say they are considering ways to consolidate the government's law enforcement agencies under a more centralized command. Among the models under review are the JCS, which aerosols DoD hogstench, and the DCI, who perfumes spy pew. RIC_odj From 0005514706 at mcimail.com Fri Apr 5 15:56:14 1996 From: 0005514706 at mcimail.com (Michael Wilson) Date: Sat, 6 Apr 1996 07:56:14 +0800 Subject: Was Cohen the first? Message-ID: <35960405162553/0005514706DC3EM@MCIMAIL.COM> I ran across the following article, and it set me to wondering--did Dr. Cohen actually publish on 'computer viruses' before anybody else? He continues to use it as the bedrock of his reputation capital, so if this pre-dates his 'seminal' article, please let me know. Included message: For Liz Bass or Reg Gale Discovery 9:31 AM Friday, April 5, 1996 By Lou Dolinar This is still my favorite computer story. I'm not saying it was the first piece ever written about computer viruses, but I won't say that it isn't. I still have the original, dated April 16, 1985. In some ways I wish I hadn't written it, because it was posted and reposted on bulltetin boards all over the U.S., and seems to have subsequently inspired a whole generation of virus writers. Note to kids: back then, most computers didn't have hard disks, and started up from floppies, hence floppy based viruses were a big deal. As usual, The Hacker wasn't paying for his midnight phone call; he had stolen the line from one of the long distance phone services. What's up? I asked. The 17-year-old snickered. Doom was ahead for all Apple II owners. "Don't engage in casual disk-copying with strangers," he said. "You might catch an operating-system virus." Now the hacker has a pretty hefty national rep in the computer underground, so when he talks about this crazy stuff, it's worth listening. I've seen whole collections of pirated games software bearing his nom de hack, and his black-bag jobs on mainframes would curl your hair. In case you're not familiar with software piracy, manufacturers build protection schemes into their programs to prevent people from making illegal copies and siphoning their profits. Dedicated pirates like my friend spend hours, sometimes days, cracking these schemes then release them, illegally, free, to the public over a network of electronic bulletin boards that can be reached with a phone, a computer and a modem. The Hacker always imprinted his name, electronically, on the game that he cracked ("Cracked by The Hacker, July 4, 1978"). And therein lies this tale. A couple of years back, he recalled, some teenagers in the Milwaukee area stole his stolen programs and released them under their own names. Why bother, you ask? Because the hacker whose name the stolen program bears receives the "credit" for having cracked the piracy protected program and, thus, is viewed with some degree of appreciation by similarly larcenous wizards in the computer underground. The Hacker was outraged and plotted a diabolical revenge: A wizard of code, he constructed ted what he calls an "operating system virus" for the Apple II computer. The operating system, you may know, loads into the computer before the program and controls the functions of the computer. The Hacker modified the operating system erase whatever disks were in the computer after they had been used 25 times. Not only that, but the "virus" would attache itself to any other discs that were loaded during the particular session of computer use. Thus,k if you played a "virus" carrying pirated game, and then went on to use your $495 word processor and $795 data-base program, these too would be infected and would cash after their 25th use--and in the meantime, they would be spreading the "virus." Like any disease, then, Killer-DOS, as The Hacker dubbed it, has a latency period, which allowed it to spread to other "victims" He inserted it into a recently cracked games program, put it on an electronic bulletin board frequented by the Minneapolis crowd, and sat back to watch the fun. A couple of months later, whole libraries of disks were begin wiped out as the "disease" spread. Now Killer-DOS is common knowledge in the underground, it it wasn't the reason The Hacker called. It seems he had, in a frenzy of anti-social behavior, created a particularly virulent form of Killer-DOS that didn't crash until it had been loaded 150 times---with a longer latency period, the potential number of victims rises geometrically. But conscience prevailed. The Hacker decided not to release the bug. Then, however, just like the Andromeda Strain, the bug got loose anyway--the Killer-DOS disk got mixed in with "healthy" programs, disks that he has been handing out for the last couple of years and are now all over the country. So if you find a worm in your Apple, don't say you haven't been warned. From blane at aa.net Fri Apr 5 16:04:01 1996 From: blane at aa.net (Brian C. Lane) Date: Sat, 6 Apr 1996 08:04:01 +0800 Subject: In-Reply-To: <199604042353.XAA10676@mail.telepac.pt> Message-ID: <31654ad4.1639807@mail.aa.net> On Thu, 4 Apr 1996 23:53:05 GMT, you wrote: > unsubscrive * agil.home at mail.telepac.pt > unsubscrive * agil.home at mail.telepac.pt > unsubscrive * agil.home at mail.telepac.pt > Just goes to show why congress should pass a mandatory spell-checker bill. We need their protection from these misspelling miscreants, don't we? Brian ------- <blane at aa.net> -------------------- <http://www.aa.net/~blane> ------- Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From cpunk at remail.ecafe.org Fri Apr 5 16:07:14 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Sat, 6 Apr 1996 08:07:14 +0800 Subject: NSA Oil Message-ID: <199604051448.PAA01358@pangaea.hypereality.co.uk> NYT, 5 April, 1996 Pentagon Spy Agency Bares Some Dusty Secret Papers By Tim Weiner Washington, April 4 -- The National Security Agency, the Pentagon spy service that eavesdrops on global communications, said today that it had declassified more than 1.3 million pages of secret documents, some from before World War I. All the declassified material is more than 50 years old, older than the agency itself, and represents a tiny fragment of the billions of pages of Government documents that have been kept secret on the grounds that their release would damage national security. Agency officials were at a loss to explain why these documents, now at the National Archives, had remained secret for so long. Among the documents declassified today is a January 1919 memorandum from CoL A. W. Bloor of the Army, a commander in the American Expeditionary Force in France, explaining the origin of the "code talkers," American Indian soldiers who spoke in their native tongues to confound enemy code breakers in World War I and World War II. Their languages were largely unwritten and largely unstudied by foreigners, and so constituted an instant code translatable only by the speakers. "The German was a past master at the art of 'Listening In,' " on radio transmissions, the memorandum says. "It was therefore necessary to code every message of importance and coding and decoding took valuable time." Then, Colonel Bloor wrote, he remembered that he had a company of Indians in his regiment who among them spoke 26 languages or dialects, and that "there was hardly a chance in a million" that the Germans could translate them. David Hatch, the National Security Agency's historian, said Choctaws, Navajos, Comanches, Winnebagos, Pawnees, Kiowas and Cherokees served as code talkers. In World War II, he said, the Marine Corps used more than 400 Navajos as communicators in the Pacific campaign. That story has been popularized by Hollywood films, documentaries and books. Mr. Hatch said he could not explain why the documents stayed secret for so long. The agency's archives run into the billions of pages, and the agency, loath to disclose anything concerning codes, has only begun to consider declassifying documents in the past four years. "We have so many pages and we've only been at it for a few years," Mr. Hatch said. "The interesting thing to me is that this is coming out. What was known only to insiders is now becoming known to historians and outsiders." ----- WSJ, 5 April, 1996 Secret Cables of '43 And the Hiss Case May I offer a distinction that may clarify a point in Eric Breindel's March 14 editorial-page piece "New Evidence in the Hiss Case?" The matter deals with the newly released Soviet cables dated from 1943 to the early Cold War, and intercepted and solved by the National Security Agency and its predecessors in a project called Venona. As Mr. Breindel states, "The single most interesting document in the new Venona batch is a March 30,1945, Washington-to-Moscow report on an agent whose cover name was 'Ales.' The cable was decrypted on Aug. 8, 1969, and the NSA glossary ... explains that 'Ales' is 'probably Alger Hiss.' " A distinction must be made between the test of the cables and the identification of the individuals mentioned in the text only by code name. The cables were cryptanalyzed. The internal cross-checks in this work make the likelihood of their being incorrectly solved all but zero. This means that the code names are almost certainly right. But the determination that a particular code name represents a particular individual did not come from cryptanalysis. It came from FBI field investigations. I have no reason to question their accuracy, but they stand on a different basis than codebreaking. This is why NSA qualified the Ales=Hiss identification with a "probably." David Kahn, Great Neck, N.Y. (Mr. Kahn was scholar in residence at the National Security Agency in 1995.) ----- From sunder at dorsai.dorsai.org Fri Apr 5 16:43:29 1996 From: sunder at dorsai.dorsai.org (Ray Arachelian) Date: Sat, 6 Apr 1996 08:43:29 +0800 Subject: Why pay??? In-Reply-To: <199604042142.PAA24182@Ultra1.corenet.net> Message-ID: <Pine.SUN.3.91.960405111006.4039B-100000@dorsai> On Thu, 4 Apr 1996 kreidl at newrock.com wrote: > Why would I pay if I can get it for free this way?????? You can also get it free from me. I also run a filtered cypherpunks list, but it's 100% free. :) To subscribe send a private message to me (don't use the reply command as it will fail.) with the subject like "fcpunx subscribe" (or "fcpunx help" if you want info first.) ========================================================================== + ^ + | Ray Arachelian |Emptiness is loneliness, and loneliness| _ |> \|/ |sunder at dorsai.org|is cleanliness and cleanliness is god-| \ | <--+-->| |liness and god is empty, just like me,| \| /|\ | Just Say |intoxicated with the maddness, I'm in| <|\ + v + | "No" to the NSA!|love with my sadness. (Pumpkins/Zero)| <| n ===================http://www.dorsai.org/~sunder/========================= [This Bible excerpt awaiting review under the Communications Decency Act] And then Lot said, "I have some mighty fine young virgin daughters. Why don't you boys just come on in and do em right here in my house - I'll just watch!"....Later, up in the mountains, the younger daughter said. "Dad's getting old. I say we should do him." So the two daughters got him drunk and did him all that night. Sure enough, Dad got em pregnant....Onan really hated the idea of doing his brother's wife and getting her pregnant while his brother got all the credit, so he whacked off first....Remember, it's not a good idea to have sex with your sister, your brother, your parents, your pet dog, or the farm animals. [excerpts from the Old Testament, Modern Vernacular Translation, TCM, 1996] From jimbell at pacifier.com Fri Apr 5 16:44:02 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Apr 1996 08:44:02 +0800 Subject: Bad news from Judge Richey Message-ID: <m0u5EKq-0008ypC@pacifier.com> At 10:35 PM 4/4/96 EST, Dr. Dimitri Vulis wrote: >"E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> writes: >> Umm... one would guess that a federal judge would be against the >> whole Assasination Politics idea, whether or not he himself became a target. > >It's worth noting that one of the new newsgroups that Rich Graves mentioned is: >talk.politics.assassination Assassination Politics >My congratulations to Jim Bell on getting his own newsgroup! Hey, it's news to me! I'll have to check it out... BTW, are you sure it's not an old one? After all, there have been enough assassination conspiracy theory discussions (Lincoln, Huey Long, JFK, RFK, King, etc) over the decades that I'm sure they'd merit a discussion area. Jim Bell jimbell at pacifier.com From thecrow at iconn.net Fri Apr 5 17:47:37 1996 From: thecrow at iconn.net (Jack Mott) Date: Sat, 6 Apr 1996 09:47:37 +0800 Subject: RC4 improvement idea Message-ID: <316551ED.28AB@iconn.net> I got a paper from the cryptography technical report server "http://www.itribe.net/CTRS/" about a weak class of RC4 keys. The report said that with some keys, it was possible to predict what some parts of the State-Box would be. I was thinking of a way to fix this, and had this idea: do some sort of hashing function with the key that derives a number between 55 and 500 or something like that, then scrabmle the S-box that many times. In this way, the chances that the State-Box will have any correlation becomes extremely small. I think it is 1/125 to begin with anyway, so this would make it around 1/(125*NumPasses). And since the exact number of passes is a function of the key, the cracker won't know how many times it went through. I tried this out and having 1000s of passes doesn't effect the randomness of the state-box in any negative way, possibly it makes it more random? If anyone has any thoughts I'd love to hear them. -- thecrow at iconn.net "It can't rain all the time" From nyap at mailhub.garban.com Fri Apr 5 17:57:07 1996 From: nyap at mailhub.garban.com (Noel Yap) Date: Sat, 6 Apr 1996 09:57:07 +0800 Subject: Blue Water spooks Message-ID: <9604051742.AA04477@mailhub.garban.com> > Have the Chinese turned their thought towards cryptography, > or cryptanalysis yet? If so, I suspect the answer is > yes, If not, then the answer is a definate No. > > The Chinese Intelligence Service traditionally has > not looked outward, preferring to ply its trade domestically. > That said, the earliest extant text on espionage is Chinese. In addition, (if I remember correctly from _The Puzzle Palace_), a person who was heavily initially involved in the formation of NSA also helped establishing the Chinese Intelligence Service. Also from the same book, in the US has set up, with Chinese approval, a sigint shop within China. This was done to sigint the Russians. With the tensions between the US and China now, I'm not sure whether they closed shop or not. From sameer at c2.org Fri Apr 5 18:35:45 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 6 Apr 1996 10:35:45 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <Pine.SUN.3.91.960404182031.758A-100000@polaris.mindport.net> Message-ID: <199604051727.JAA02353@atropos.c2.org> What's the point here, or is Unicorn just having fun lambasting Jim Bell? My basic attitude, running an internet privacy provider, is if Mr. Govt. wants my data, and gives me a court order (subpoena, "compelled discovery", whatever), then I'll give it to 'em. If my customers that they were looking for had any brains at all, a court order, compelled discover, whatever, will not help Mr. Govt. That's the cornerstone of my security model. Or am I confused about what you are talking about here. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From tcmay at got.net Fri Apr 5 19:15:04 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Apr 1996 11:15:04 +0800 Subject: "Contempt" charges likely to increase Message-ID: <ad8a9f931d0210045564@[205.199.118.202]> I almost titled this thread "'Contempt' charges likely to increase in popularity," but I felt the "popularity" would draw comment. By "popularity" I mean amongst judges and law enforcement. Many of the proposals here and in related discussions of offshore asset protection posit the following situations: * Alice places a copy of her key, or secret-shared parts of her key, in a location not reachable by subpoena. (This might be via strong crypto, a la mixes and pools, or just in a jurisdiction which historically and typically does not honor U.S. subpoenas.) * Alice deposits some fraction of her assets in accounts in jurisdictions which are friendly to such purposes. (Either "tax havens" or "asset protection havens," such as are described in various books and seminars.) * Alice receives information from a witness or source in a criminal case. She declines to say who this source is. Depending on the "shield laws" (about which I'm no expert), she may be held in contempt unless she reveals this information. (Side Note: I don't believe the law should make the distinction it has made between, say, Alice B. Toklas, Reporter for the "Washington Post," and Tim May, reporter for the "Cypherpunks" list; the law seems to create a distinction between "the press" and the rest of us. On what basis?) * Alice places her child in the hands of someone known only to her, e.g., to prevent the child from being given visitation rights by a spouse. (This last example is of a real one, based on the Rebecca Morgan case. The other examples are real, too, though not necessarily associated with a particular case.) In these cases, Alice has a secret of some sort and says "nyah nyah nyah" to those seeking the secret. With strong crypto, such situations are likely to become more common. The courts know that Alice can in fact retrieve the secrets, the funds, the child...and the courts know that only a "contempt of court" decree will serve as the lever to pry out this retrieval. What about the Fifth Amendment? Scholars are addressing this issue of compelled disclosure of cryptographic keys. Note, of course, that diaries, business records, papers, and, indeed, the entire contents of a putative crime scene are accessible to crime investigators and the legal system. (Whether giving up a key constitutes "testifying against one's self" or not is undecided, so far as I know. My own inclination is that it will be decided to be no different than the key to a locked diary--by itself, it is not self-incrimination.) That the key is _stored_ someplace else (the escrow agent, either in the country or outside the country) makes the "cannot be compelled to testify against one's self" interpretation even more of a reach, in my non-lawyer opinion. So, I see a rise in the use of "contempt" charges. Contempt charges have a kind of time limit, in practice, and there is a common interpretation that a person may be jailed on contempt charges so long as there is likelihood that she will eventually reveal the information sought. (Reporters have been jailed for more than six months, and I recall that Rebecca Morgan was jailed for a couple of years for refusing to tell the court the whereabouts of her daughter...) In short, "If you can retrieve the information or assets we order you to, and don't, then you'll be held in contempt of court until you do." If the secrets or assets _cannot_ be retrieved--a scenario which is possible, if the protocol is so written (clauses for court action)--then contempt charges are meaningless and would not stand, IMNALO. Legal students out there might find that specializing in this area of law brings in more clients in the coming decades. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Fri Apr 5 19:34:06 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 6 Apr 1996 11:34:06 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <199604051727.JAA02353@atropos.c2.org> Message-ID: <Pine.SUN.3.91.960405140338.22784A-100000@polaris.mindport.net> On Fri, 5 Apr 1996 sameer at c2.org wrote: > What's the point here, or is Unicorn just having fun > lambasting Jim Bell? > > My basic attitude, running an internet privacy provider, is if > Mr. Govt. wants my data, and gives me a court order (subpoena, > "compelled discovery", whatever), then I'll give it to 'em. > If my customers that they were looking for had any brains at > all, a court order, compelled discover, whatever, will not help > Mr. Govt. That's the cornerstone of my security model. > > Or am I confused about what you are talking about here. Yours seems to be about the most aggressive policy a ISP provider can take and expect to remain in business. That is, resist by what legal means are available, but ultimately depend on the user to secure his or her own data. Where I differ with Mr. Bell is that he seems to think the ISPs of the world are going to rise and unite to quash the oppressive hand of big government at their own expense in order to satisify some sense of personal ethics or customer goodwill. > -- > Sameer Parekh Voice: 510-601-9777x3 > Community ConneXion, Inc. FAX: 510-601-9734 > The Internet Privacy Provider Dialin: 510-658-6376 > http://www.c2.net/ (or login as "guest") sameer at c2.net > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From sentiono at cycor.ca Fri Apr 5 19:42:13 1996 From: sentiono at cycor.ca (Sentiono Leowinata) Date: Sat, 6 Apr 1996 11:42:13 +0800 Subject: In-Reply-To: <ad89ceca1802100447ee@[205.199.118.202]> Message-ID: <Pine.OSF.3.91.960405152202.7058A-100000@bud.peinet.pe.ca> On Thu, 4 Apr 1996, Timothy C. May wrote: > At 11:52 PM 4/4/96, Andr� Gil wrote: > > unsubscrive * agil.home at mail.telepac.pt > > unsubscrive * agil.home at mail.telepac.pt > > unsubscrive * agil.home at mail.telepac.pt > > What the hell is going on? We seem to be under attack by foreigners. > --Tim Dear Tim, It seems to me the sender is only *one* person who wants to agitate us. The chances for different people to send requests in sequence although being warned is very small. To maintainer, please forward me the original trace-points to trace down who is the *agitator* here. Anyone care to track this *annoying* person down? Regards, Sent. --------------------------------------------------------------- Sentiono Leowinata, Charlottetown, Prince Edward Island, Canada System Engineer/Programmer Analyst - Cycor Communications Inc. sentiono at cycor.ca, 902-629-2488, http://www.cycor.ca/ From dwl at hnc.com Fri Apr 5 19:50:01 1996 From: dwl at hnc.com (David Loysen) Date: Sat, 6 Apr 1996 11:50:01 +0800 Subject: unsubscrive * Peter.Posch@koeln.netsurf.de Message-ID: <199604051844.KAA03398@spike.hnc.com> At 02:33 PM 4/4/96 -0500, you wrote: >On Thu, 4 Apr 1996, Peter N. Posch wrote: > >> unsubscrive * Peter.Posch at koeln.netsurf.de > >Why don't we just patch Majordomo to recognize "unsubscrive", >"unsuscribe", "unscribe," and "take me off this fucking list" as all being >equal to "unsubscribe"? > If these people had sent their messages to majordomo that would work. From frissell at panix.com Fri Apr 5 21:02:00 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 6 Apr 1996 13:02:00 +0800 Subject: "Contempt" charges likely to increase Message-ID: <2.2.32.19960405212940.007662d8@panix.com> At 11:57 AM 4/5/96 -0800, Timothy C. May wrote: >So, I see a rise in the use of "contempt" charges. Contempt charges have a >kind of time limit, in practice, and there is a common interpretation that >a person may be jailed on contempt charges so long as there is likelihood >that she will eventually reveal the information sought. (Reporters have >been jailed for more than six months, and I recall that Rebecca Morgan was >jailed for a couple of years for refusing to tell the court the whereabouts >of her daughter...) Hence the proper approach which is to constantly demonstrate your contempt for the court. Daily (hourly) phone calls, faxes, email, physical letters going on in boring detail all the reasons that you have for never purging yourself of the contempt. Logically, that should shorten your imprisonment but in practice... Obviously offshore key escrow facilities should have provisions similar to those in Foreign Asset Protection Trusts (FAPS). For example (from a recent non-fiction work on FAPTs written by one of the greatest minds of his generation): ******************* Duress Provisions The trust document should also contain language that basically says, "The Trustees should not obey any instructions that anyone else gives them under the orders of any court that has no jurisdiction over them." You see, a foreign-based trust is not under the jurisdiction of a court in any other country. A court can only order people to do things if it has them under its physical control. For example, a German court cannot send the police to Bermuda or to the Channel Islands to force your trust's trustees to transfer trust assets to the court for payment to creditors. What creditors in a German court will try to do in such cases is to find someone in their jurisdiction who has some powers over the trust. They then order this person to direct the Trustees to cough up the trust assets. A duress clause frees the Trustees from any obligation to obey instructions caused by orders from a German court. It is a powerful method of protecting your trust from the asset grabbers. But, you may ask, "What if a persistent creditor manages through some miracle to get an order against the trustees from a court in the foreign jurisdiction where the trust is located? That's easy. You include "flight provisions" in your trust. Flight Provisions You know that German courts or those of any other country will have no jurisdiction over your offshore trust assets. But what do you do if a really dedicated creditor tries to pursue your trust in the courts of the trust's home jurisdiction. Flight provisions take care of this situation. These provisions will require that the location (situs) of either the trust or the trust assets (or both) be changed automatically, in the event that creditors move against your trust in its home location. So even if they do manage to get a court order against your trust, the trust will have been moved to another jurisdiction. Your creditors will have to start all over again. It is important to realize that having a "flight" clause in your trust is no guarantee that the trust will successfully escape. The trust and its assets must be moved in time. It is possible that the trustees will fail to act in time and your trust may be frozen in its foreign jurisdiction. These provisions do add an additional layer of protection, however. If you do run into financial problems, you may move your trust in advance of need -- before any lawsuits are filed. You can also protect yourself further if your investments are physically located in a third jurisdiction -- neither in your country of residence nor in the trust jurisdiction. Trustee Switching Provisions In addition to moving the trust itself, you may also want or need to change Trustees. Trustee switching provisions give power to both the Trustee and the Trust Protector to remove Trustees and name new Trustees. For example, if Trustees in one country come under court order to relinquish the trust's assets, those Trustees can be removed and replaced with new Trustees, who are not affected by the court order. ********************** DCF From steve at edmweb.com Fri Apr 5 22:30:28 1996 From: steve at edmweb.com (Steve Reid) Date: Sat, 6 Apr 1996 14:30:28 +0800 Subject: .sig followup In-Reply-To: <Pine.SUN.3.92.960404122403.12946A-100000@elaine28.Stanford.EDU> Message-ID: <Pine.BSF.3.91.960405133752.1713B-100000@kirk.edmweb.com> I'm probably just stating things that have been hashed out here long ago, but I'll voice my opinions anyway... > There's no question about the thugs *arriving*. They're already here. > Fighting them is an internal political battle, not an external battle. Yes > they're clueless about the net, so in that sense you might see the > CDAmeisters as an "invasion," but I really don't buy this stuff about Clueless about the net? I'd say Congress and the "CDAmeisters" are, but the NSA most certainly isn't. > Cyberspace (a word only Barlow can say with a straight face) being a new > "place." It's just a communications medium, no more and no less real than > anything else. I think it would be better to stress that the online *is* > real life. Your money and gigs of information about you is online. It can With ATM machines and the like, "Cyberspace is where your money is". I don't remember who said that. Cyberspace used to be a good word to use, but it's been cliche'ed by the technotrendies. :( > be a force for freedom, or a force for totalitarianism. Right now, the > momentum is entirely in the wrong direction, both online and in "real > life." The media coverage of the sensationalist (violent and/or sexual) crime has given the law makers and enforcers an excuse to step things up. It's not quite as bad up here in Canada, but where the US goes, Canada (and probably the rest of the world) usually follows. <RANT><PARANOIA> I'm particulary concerned about Clipper and it's variants... It doesn't take a rocket scientist to figure out that Real Criminals will use Real Encryption (IMHO Real != Escrowed) even if Real Encryption is illegal... Surely the NSA knows that Real Crypto will be just as easy to find as pirated software, and criminals will use it. Thus, Clipper will only enable the government (most likely the NSA) to spy on law abiding citizens. </PARANOIA> I think it would be paranoid to assume the above, but naive to ignore it. Clipper may be some sinister plot by the NSA to grab power, or... <NAIVE> It may just be a last ditch effort to maintain the power they already have. After all, nobody wants to lose their job, and the NSA is no different from the rest of us in that regard. </NAIVE></RANT> This is my first post to the Cypherpunks... So what government black lists does this get me on? "To remove yourself from the Black List, send email to listserv at fbi.gov with the command UNSUBSCRIVE FBI-SUBVERSIVE-GROUPS" ;) From dave.hodgins at westonia.com Fri Apr 5 23:05:47 1996 From: dave.hodgins at westonia.com (DAVE HODGINS) Date: Sat, 6 Apr 1996 15:05:47 +0800 Subject: MPI10.ZIP RELEASED Message-ID: <8BE1440.0001012D96.uuout@westonia.com> ���������� Original From: DAVE HODGINS � CARBON � To: ALL � COPY � Date/Number: 04/05/96 - Not Yet Posted ���������� On: WESTONIA - 2513 - Public-Key Encryption and Distribution Echo ----------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- I've written an interface for dos based mail programs and pgp. The interface provides menu selection for various pgp functions likely to be used when writing email, and selection of keys to be used, from a list of the keys in your keyring. The program is similar in function to John Schofield's ez-pgp. The program has been tested under win95, and dos 6.22. I'm uploading the file to the westonia bbs, and will email a copy to anyone who requests it. Regards, Dave Hodgins. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMWWnkIs+asmeZwNpAQGyEwf/YGWfkuWVcEzISpnin3z24WJyqzq0e48B VZihLsKsdJ+BL+VNvBoejvpIxEZM2dq2VyycrKFks7TK8HSjUlcCiv4prSGUQqsB K1PKdJPpUyT6f1EHdHz3UllBeIGjR8mjgmGRV86ezUC+Y2lHmWvqlWT1YlHPwIwp 1LnQL9aIzFkz1WaFvzC9O19dzKqT+FMIMS2QtVarHCcbWlmWYwgRuPihNngciXKs tKChLjeh88/DlItGm8dhu2iPoGzb4LpPDBuUrJZB5hPxaBJjdgugiNE/CY+Z9Fhj E02Ji2ZraFrXi6nOCCNnIq97PHf/aZlDn9CrSZyOLBkO2hx7WXdUnQ== =8osk -----END PGP SIGNATURE----- cc: ALL in 5711 on WESTONIA CYPHERPUNKS at TOAD.COM in 0001 on WESTONIA --- � RM 1.31 0820 � Internet:Dave.Hodgins at Westonia.com Rime->1347 Fido 1:250/636 From trei at process.com Fri Apr 5 23:30:23 1996 From: trei at process.com (Peter Trei) Date: Sat, 6 Apr 1996 15:30:23 +0800 Subject: [OFF-TOPIC] Re: Fwd: Anonymous code name allocated. Message-ID: <199604051712.JAA06181@toad.com> > From: JonWienke at aol.com [I know this is off-topic for coderpunks, but some of the discussion is happening here] > [The following has been censored to protect the guilty.] > > >Subj: Anonymous code name allocated. > >Date: 96-04-02 23:37:10 EST > >From: daemon at anon.penet.fi (System Daemon) > >To: jonwienke at aol.com > > > >You have sent a message using the anon.penet.fi anonymous forwarding > service. > >You have been allocated the code name anXXXXXX. > >You can be reached anonymously using the address > >anXXXXXX at anon.penet.fi. > > > >If you want to use a nickname, please send a message to > >nick at anon.penet.fi, with a Subject: field containing your nickname. > > > >For instructions, send a message to help at anon.penet.fi. > > I tried sending a test message to the address indicated, and received it back > a day later, so sending email to this address does reach me. The funny part > is that I have never (to my knowledge) had any communication with > anon.penet.fi prior to receiving this email. > > Questions: > 1. How do I use this to SEND messages anonymously? Having an email address > with no obvious link to my identity is cool, but I would like to be able to > send as well as receive. I sent email to help at anon.penet.fi, but have > received no response yet. > > 2. Why was I chosen for this? How did anon.penet.fi find out my email > address? Is the NSA trying to lull me into a false sense of security in the > hope that I will use this account to violate ITAR? > > 3. Has anyone else on this list received unsolicited remailer accounts? > > Jonathan Wienke > --------------------- > Forwarded message: > From: daemon at anon.penet.fi (System Daemon) > To: jonwienke at aol.com > Date: 96-04-02 23:37:10 EST > > You have sent a message using the anon.penet.fi anonymous forwarding service. > You have been allocated the code name an573530. > You can be reached anonymously using the address > an573530 at anon.penet.fi. > > If you want to use a nickname, please send a message to > nick at anon.penet.fi, with a Subject: field containing your nickname. > > For instructions, send a message to help at anon.penet.fi. While I'm not up on all of the wrinkles, I've seen this reported as an attack on the penet anonymous mail forwarder and news poster. An attacker forges email in your name, requesting an anon-id. The server creates one, and sends the report both to you, and to the attacker's address. If you try posting thru the penet server, the post gets anonymized using the anon-id the attacker created. The attacker can now link the anonymized post to your True Name. If you ever intend to use the penet anon server, you should write to the server administrator, requesting to have the id the attacker created deleted, and the create a new one, with password protection. (I don't use penet, so I don't know the details). Peter Trei ptrei at acm.org From robalo at elogica.com.br Fri Apr 5 23:35:31 1996 From: robalo at elogica.com.br (robalo) Date: Sat, 6 Apr 1996 15:35:31 +0800 Subject: unsubscrive Message-ID: <31659CFA.132F@elogica.com.br> unsubscrive * robalo at elogica.com.br unsubscrive * robalo at elogica.com.br unsubscrive * robalo at elogica.com.br From perry at piermont.com Fri Apr 5 23:44:35 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 6 Apr 1996 15:44:35 +0800 Subject: e$ Signorage In-Reply-To: <1.5.4b13.32.19960404143637.006a92b8@pop3.interramp.com> Message-ID: <199604060044.TAA05367@jekyll.piermont.com> James Gleick writes: > >I believe money which is never redeemed back at the bank is called > >signorage in the currency biz. Whatever signorage *actually* is, Kawika > >Daquio of the ABA (B for "Banking"), the Fed makes $20 billion a year on > >it. Not much against a trillion dollar federal budget, but, hey, every > >little bit helps... > > Seigniorage is actually the Government's interest income on all the > currency in circulation. Seignorage is neither of these things. It is the difference between the cost of producing a currency token (like a quarter or a dollar bill) and the face value of the token. In essense, its the profit margin on printing or minting money. > It's not obvious, but it's true, that the Fed collects the "float" > on dollar bills you carry in your pocket, Oh, really? From whom? First I've heard of this. Now, it is indeed true that the Fed holds large numbers of government bonds and theoretically earns interest on them, and that banks in a free banking system do indeed loan out the money that backs their notes. However, the fed has no mechanism to earn interest on dollar bills, nor, in fact, does it need to. Perry From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 5 23:46:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 6 Apr 1996 15:46:35 +0800 Subject: PICS required by law Message-ID: <01I36YAYMC3K8ZE63H@mbcl.rutgers.edu> What was I saying a while back about mandatory PICS through liability? As I recall, various people such as TCMay were saying that it wouldn't happen. Looks like I need to get out that article against PICS that I was working on and rewrite it a bit. I would remind people that PICS allows parents (or whoever else is holding the reins, such as an ISP - or the Chinese firewall) to filter on such content as material (including scientific studies) stating that a given illegal drug is not as harmful as some would claim, any idea futures market - even a simulated one, on homosexual content separately from heterosexual, and against criticisms of religions (such as Scientology). To their credit, the ACLU (in the CDA court case) has stated that they will not put a PICS rating on their web site, even if it contains "indecent" or allegedly "harmful to minors" material. I agree strongly with their position. -Allen Computer underground Digest Wed Mar 27, 1996 Volume 8 : Issue 25 ISSN 1004-042X [...] Date: Thu, 14 Mar 1996 11:47:33 -0800 From: telstar at WIRED.COM(--Todd Lappin-->) Subject: File 1--CONGRESS: Online Parental Control Act of 1996 [...] Maintains the Communications Act of 1934's legal defenses against liability for people who choose to give parents technology that: 1) blocks or restricts access to online materials deemed obscene or harmful to minors, and 2) restricts access to such materials through adult access codes or credit card numbers; Adds two new defenses: 1) the use of labeling or segregating systems to restrict access to online materials, such as systems developed using the standards designed by the Platform for Internet Content Selection project (PICS), and 2) the use of other systems that serve the same function of the other defenses if they are as reasonable, effective, and appropriate as blocking, adult access code, and labeling technologies; and Protects providers or users of interactive computer services, information content providers, and access software providers from civil or criminal liability under state law for making available to minors materials that are indecent or harmful to minors if they take actions to qualify for the defenses mentioned above. [...] PICS is a cross-industry working group assembled under the auspices of MIT's World Wide Web Consortium to develop an easy-to-use content labeling and selection platform that empowers people worldwide to selectively control online content they receive through personal computers. The Recreational Software Advisory Council recently announced that it will soon implement a detailed voluntary ratings system, using PICS standards, that will let computer users filter out varying degrees of sex, violence, nudity, and foul language. Companies and groups supporting PICS include Apple, America Online, AT&T, the Center for Democracy and Technology, CompuServe, IBM, France Telecom, Prodigy, Providence Systems/Parental Guidance, Surf Watch Software, and Time Warner Pathfinder. From vznuri at netcom.com Fri Apr 5 23:49:40 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 6 Apr 1996 15:49:40 +0800 Subject: myths of software "standards" (long) Message-ID: <199604052239.OAA27249@netcom16.netcom.com> this is an essay on some ideas that have been swimming around in my head about "software standards" and the various pervasive myths associated with them, unleashed on this motley crowd for your viewing pleasure or distaste. there is tremendous amount of angst and anguish spent on software standards by designers. I'm going to try to point out some of the ways that software standards are fundamentally different from hardware standards and the implications this has for their use. with a hardware standard, we are talking about "atom configurations". if a given computer is manufactured in a given way, there are zillions of standards that are implicit in the design. there is a standard in the way that cards interface to the bus, in the ways that chips fit in sockets, in screw sizes, component sizes (such as the power supply), etc. obviously it is virtually impossible to refit a component that does not adhere to some "physical configuration standard". if the power supply does not have the right footprint, good luck filing down the edges to the point that it fits. <g> another point to make about physical components is that it is possible to "own" them. in our system, we are even allowed ownership of the abstract standards used to design their atomic configurations; we call these things "patents". however, notice that software standards are sometimes thought of in the same way as hardware standards. I want to make a point about how fundamentally different they really are. == software standards ultimately govern the "configuration of bits". to borrow Negroponte's lovely distinction, bits are far different than atoms. foremost of the difference is what might be called the fundamental "malleability" or "fluidity" of bits in contrast to atoms. atoms are expensive to move around and to manipulate. bits can be moved around and manipulated at such an infinitesmal cost as to be almost free. here is the chief myth that I want to address, and I'm going to borrow web concepts here especially, because the public is misapplying the concepts of hardware and software standards especially in this area. now suppose that Netscape comes up with their own unique HTML "extensions" which they have done. if you want to think of this "standard" in the old paradigm of atoms that are expensive to move around etc., then what netscape has done is pretty outrageous. one might assert, as the press and public tend to do, that Netscape is trying to "own" the standard and "impose" it on the rest of the world, so that they can "control" it. but what is this "imposition"? if they were saying that particular hardware components had to be designed in their way, indeed this would be an onerous and suspicious demand. it would be reminiscent of industry outrages like IBM's "microchannel" architecture. but the fundamental distinction here is that Netscape is *not* designing a standard that refers to atoms, but one that refers to bits. and standards that refer to bits have fundamentally different properties. first of all, if they are good standards, then it should be easy to manipulate the bits between the different standards, and the cost of doing so should be close to negligible. we are only talking about straightforward algorithms easily implemented by even 1st year CS students, typically. when you think about it, the concept that a company can "own" a software standard in the way that hardware configurations are "owned" is pretty obtuse and incongruous. because bits are so readily converted and manipulated, it actually becomes the case that companies that create bit standards are almost doing a public service in devising orderly systems of bit arrangements not previously established. if bits are interchangeable, then the key is to get them into an orderly form first, and then just twiddle them into the format that you want. == all this sounds a bit vague and nebulous but is extremely significant. it demonstrates how radically different the information revolution is from the industrial revolution. in the information realm, "interchangeable parts" takes on a whole new meaning. all that is necessary is that the bits be in some standard form to start, and then they can easily be transformed into some other form. a very important point to make is this: what becomes more valuable with bits i s *not* that everyone pick and agree on *the*same*standard*. this is applying "atom" type prejudice to a new problem. if everyone wants to have compatible hardware, then indeed we need to have the kinds of standards I described. but software (bit) standards work differently. you only want to have *any* kind of a standard that is well designed. you want standards that are not necessarily *universal* as with atoms, but instead are *orderly*. if they are *orderly* or "well designed", then it should be easy to convert any "bit configuration" standard to any other standard on the fly with algorithms. there is tremendous ranting and raving in the Web world about how the HTML standard is fragmenting because of Netscape etc., and there is so much angst about trying to devise a *single* cohesive, unified standard that "everyone" follows. people talk as if Netscape is trying to "hijack" the standard, when in my opinion they are performing a valuable public service of trying to hammer the bits into useful form. everything they have proposed could not be handled by the earlier standards-- and if it could have been, chances are they would have used that standard. a unified standard in software realms is a total fantasy to achieve, and in my opinion the dramatically wrong & specious goal. == instead, I taking into account the above ideas, what we need are a *variety* of different standards, all of them in themselves cohesive and fully functional, which can be *translated* readily between each other. the key goal is not *unified* standards that try to entail "everything", but instead collections of complementary standards that are in themselves nice unified "pieces" of the whole. (somewhat like original Unix design philosophy). the various image formats such as DVI, postscript, TIFF, etc. is an example of this. they all are decent standards for what they attempt to standardize, and it is silly to lament that there isn't a single image standard-- it misses the point. (one tricky thing with bit standards is the goal of trying to go "backward" in converting a very complex format into a simpler format. trying to have text-based web browsers with all the complex images and formatting out there is an example of this.) in other words, some people seem to imagine that in the future some massive HTML language is going to be devised that all browsers support. many web design discussions seem to implicitly talk as if this is the goal. instead what I imagine is that many different substandards will be devised, and will *continue* to be devised-- the point when there is a global, unified "web formatting language" will *never* come and this is an illusionary, impossible, and *unnecessary* goal. what we need are browsers that are extremely flexible and can support on-the-fly translation between different formats, and which try to support the capability that at any time in the future, someone may come up with a new language that could drive browser formatting and display characteristics. the idea of having different layers over the network, such as "conversion servers" which might convert between all the more common formats and requests, is another interesting idea to pursue. netscape 2.0 "plugins" are a first step in this direction. imho, the web of the future is going to have not one but a *zillion* different languages describing all of the data that is out there. the goal should not be unification under a single standard, but of ease of conversion between existing standards that are modular and complete in themselves. in this view, the complementing (not competition) of different formatting languages is glorious and to be encouraged, not something to be dreaded, avoided, and stamped out. the diversity and "complementarity" is the key to the power. == I've been making all my points relative to the Web, but I think the ideas apply equally well to *computer*languages*. there are all kinds of silly holy wars fought over about what are the *best* computer languages, and everyone that designs a new language seems to be implicitly trying to incorporate the features of every other language in existence and then some, i.e. a new "unified" or "complete" or "ultimate" language (I recall a long flamewar out in the newsgroups between Stallman, espousing Lisp, and Wall Perl fanatics). to me this is all ridiculous, because in the future the goal will be the ability to *convert* between languages in automated ways, such that the same problem can be automatically reformulated in another form to gain its particular idiosyncrasies. imho, new computer languages are going to be invented as long as human beings exist-- because what they really are is a "component library". for example, C is very low level but fast-- why can't I just convert my Perl code directly into C whenever I want to? or vice versa? in fact that is exactly what a compiler does, and I am suggesting that the compilers of the future will allow conversions between all kinds of languages, not merely a high level language to machine code. in this sense the idea of fighting over different languages as "ultimate" is ridiculous as the religious wars over who is the "one true god"!! all algorithms are in principle interchangeable, and I believe this theoretical concept will be increasingly applied directly in the future. == anyway, this is my contribution-of-the-moment in trying to dispel some of the "standards myths" that are extremely persistent out there esp. in regard to Web software and language extensions. From sameer at c2.org Sat Apr 6 00:45:21 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 6 Apr 1996 16:45:21 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <Pine.SUN.3.91.960405140338.22784A-100000@polaris.mindport.net> Message-ID: <199604052037.MAA13576@atropos.c2.org> > Where I differ with Mr. Bell is that he seems to think the ISPs of the > world are going to rise and unite to quash the oppressive hand of big > government at their own expense in order to satisify some sense of > personal ethics or customer goodwill. > I urge Mr. Bell to start a business of his own with that model, and see how much fun he has. (Or, worded differently, how long it takes for him to go bankrupt. Perhaps we can setup betting pools. That could be fun.) -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From hfinney at shell.portal.com Sat Apr 6 00:57:27 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 6 Apr 1996 16:57:27 +0800 Subject: "Contempt" charges likely to increase Message-ID: <199604060105.RAA20223@jobe.shell.portal.com> I think Tim has hit the nail right on the head with this one. I have been quite appalled to read the various analyses on the net (URLs not handy, but they have been posted here before I think) which conclude that compelled disclosure of a cryptographic pass phrase would probably be OK despite the Fifth Amendment. This seems to be an area where there is widespread agreement based on recent precedent. In the past, when crypto was not widely used, the issue didn't really come up very often. If a criminal chose to write incriminating information diary or financial ledger, and it could be found in a search, then it was used as evidence against him. At one time not even this was accepted but it has been this way for many decades. But crypto, if it becomes widely and routinely used, raises the bizarre spectacle of criminals commonly being forced to produce information which will then be used against them! Imagine if they'd found a file by OJ on his computer, encrypted, which he refused to decrypt. The judge could actually jail him for contempt until he revealed the password. This could become a routine occurance in many kinds of crimes which rely on private records as evidence. Currently, I don't think the subpoena power is widely used in criminal cases. Rather, the prosecution relies on search warrants and the element of surprise to prevent the destruction of incriminating records. I think there is recognition that in practice subpoenas would not be effective, that the records would not be produced, even if contempt charges were the result. If so, then probably the tactic will not be that effective in forcing people to reveal cryptographic keys. Maybe if the jails start filling up with defendants who refuse to go along with such order, judges will decide that effective secrecy of records is now the new status quo. The law will then once again extend the Fifth Amendment privileges to personal papers. Hal From tcmay at got.net Sat Apr 6 00:58:53 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Apr 1996 16:58:53 +0800 Subject: "Contempt" charges likely to increase Message-ID: <ad8b1bc71f02100483ae@[205.199.118.202]> At 9:26 PM 4/5/96, Bill Frantz wrote: >At 11:57 AM 4/5/96 -0800, Timothy C. May wrote: > >>If the secrets or assets _cannot_ be retrieved--a scenario which is >>possible, if the protocol is so written (clauses for court action)--then >>contempt charges are meaningless and would not stand, IMNALO. > >The Black Unicorn indicates that if the reason the secrets _cannot_ be >retrieved is because they are in a jurisdiction which refuses to reveal >them when the owner is under compulsion, the owner can still be punished >for contempt (A contractual situation). Far be it from me to question the legal advice BU/Uni/Dirsec provides, but I think all contempt charges have a kind of eventual expiration. That is, after some number of months or years have passed and it becomes apparent the incarcerated person simply will not or cannot comply, release is ordered. It has happened in most cases of reporters, and it happened with Rebecca Morgan (who never did tell the court where her daughter was, though it later came out that her daughter was probably in Australia with grandparents). Jail term for contempt of court has certain resemblances to trial by ordeal: if after some period of time of ordeal one has not talked, the ordeal is over. If the court is shown that the protocol makes it impossible for the person to retrieve the material, especially that there are no ways to circumvent the contract, then the court may still jail the person for a while "just to make sure" that there is no means of circumventing it. If and when it becomes apparent to even the most skeptical that the material has been lost, or is unretrievable, then I think the contempt jailing must end. When nothing is served by furhter jailing, except punishment, then the reason for the contempt action is ended. Or so it seems to me, from what I've osmosed about the law. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JonWienke at aol.com Sat Apr 6 00:59:05 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 6 Apr 1996 16:59:05 +0800 Subject: Spinners and compression functions Message-ID: <960405210713_185610686@emout10.mail.aol.com> Since there has been a lot of discussion about spinners derived from various things (idle loops, video retrace, etc.) used as entropy sources, here is yet another idea. Run the spinner output through a PKZip type compression function, and then seed a PRNG with the output from that. This would provide a means of gauging the amount of entropy that has been fed into the PRNG, (count the bytes output from the compression function) which will allow the program to disallow any output from the PRNG until a sufficient amount of entropy has been fed into it. Even if there are correlations in the spinner data, (I know, that is obvious) by the time it has gone through the compression function and the PRNG, it should be cryptographically useful, especially if entropy from multiple sources (keyboard & mouse events, disk access times, network access times, etc.) is used to seed the same PRNG. Jonathan Wienke Political Rant: Re: e$ Signorage >And there I was thinking it was the right for Greenspan to sleep with any >unmarried woman on the eve of her wedding... Actually, that's "prima nocte" (Latin for 'bimbo eruptions" [:)] ) and the principal beneficiary is our beloved President... From tcmay at got.net Sat Apr 6 01:02:37 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Apr 1996 17:02:37 +0800 Subject: Was Cohen the first? Message-ID: <ad8abb671e021004df37@[205.199.118.202]> Little CP relevance, except as re: a former (maybe current, but no longer actively participating) list member, so I'll be brief. At 4:24 PM 4/5/96, Michael Wilson wrote: >I ran across the following article, and it set me to wondering--did >Dr. Cohen actually publish on 'computer viruses' before anybody else? >He continues to use it as the bedrock of his reputation capital, so if >this pre-dates his 'seminal' article, please let me know. > >Included message: >For Liz Bass or Reg Gale >Discovery >9:31 AM Friday, April 5, 1996 >By Lou Dolinar > > This is still my favorite computer story. I'm not saying it was the first >piece ever written about computer viruses, but I won't say that it isn't. I >still have the original, dated April 16, 1985. In some ways I wish I hadn't ... Much work was done in the 70s on "worms," which are related to viruses. John Shoch (spelling may be wrong) at Xerox PARC developed a "worm" which propagated from machine to machine, circa 1974 (give or take a year). John Brunner immortalized this in "The Shockwave Rider," his 1975 novel in which uber-hacker Nickie Halflinger uses worms to disable Big Brother's panopticon network. Having said this, Fred Cohen deserves credit for seriously studying properties of replicating programs, including viruses. (And I believe he coined the term virus, and also showed how it differs from a worm.) I will make no particular claims about how _much_ credit he deserves, as this seems petty. Nearly all discoveries have precursors, of course. The work on worms clearly was a precursor. Also, general biological work on replicating patterns was already going on, and Richard Dawkins' "The Selfish Gene" had been published in the 1970s (and I believe the work on replicating information patterns--memes--was important). His views should be taken on their merits, not on whether or not he was the first to study viruses or replicating programs in general. As it happens, I find much of what Fred Cohen writes to be tedious and repetitive, but not because he has gotten "too much" credit for his early work. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Sat Apr 6 01:23:14 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 6 Apr 1996 17:23:14 +0800 Subject: "Contempt" charges likely to increase Message-ID: <199604052123.NAA08617@netcom9.netcom.com> At 11:57 AM 4/5/96 -0800, Timothy C. May wrote: >If the secrets or assets _cannot_ be retrieved--a scenario which is >possible, if the protocol is so written (clauses for court action)--then >contempt charges are meaningless and would not stand, IMNALO. The Black Unicorn indicates that if the reason the secrets _cannot_ be retrieved is because they are in a jurisdiction which refuses to reveal them when the owner is under compulsion, the owner can still be punished for contempt (A contractual situation). I don't know what would happen if they _cannot_ be retrieved for technical reasons. If a communication key was aggreeded to be DH exchange and then discarded, I would think this would be analogous to asking for a document that was destroyed (before the subpoena) as part of a policy of destroying obsolete documents. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jya at pipeline.com Sat Apr 6 01:31:56 1996 From: jya at pipeline.com (John Young) Date: Sat, 6 Apr 1996 17:31:56 +0800 Subject: e$ Signorage Message-ID: <199604060252.VAA22047@pipe2.nyc.pipeline.com> Perry is closest to Webster's Third New International Dictionary: ----- seigniorage or seignorage also seigneurage [ME seigneurage, fr. MF, right of the lord, esp. to coin money, fr. seigneur + age] 1: a government revenue derived from the manufacture of coins that is calculated in the U.S. as the difference between the monetary and the bullion value of the silver contained in silver coins disregarding any alloy metal, all the metals contained in minor coins (as teh nickel and the cent), or the silver bullion that is held as backing for silver certificates -- compare brassage. 2 archaic: Dominion, Power. ----- brassage 1: a charge made to an individual under a system of free coinage for the minting of any gold or silver he may bring to the mint and usu. calculated to cover various costs -- compare seigniorage. ----- Still, Jim Gleick seems to be citing a special extension of this general definition, wherein government capitalizes on its money-coining power to reap any ancillary benefit, such as the float on money transactions. Is it not likely that there are other seigniorages of running the public till, as Kawika Gaguio suggests, or even such as pleasurably performed a la droit du seigneur cited by Simon? Another definition of seigniorage is that of any means to generate benefits for the lord. Along that line, I wonder if governments might not apply brassage to E-money. From tcmay at got.net Sat Apr 6 01:47:37 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Apr 1996 17:47:37 +0800 Subject: unsubscrive Message-ID: <ad8b328b20021004dcf5@[205.199.118.202]> At 10:21 PM 4/5/96, robalo wrote: >unsubscrive * robalo at elogica.com.br > unsubscrive * robalo at elogica.com.br > unsubscrive * robalo at elogica.com.br Maybe these dweebs are posting from an alternate universe? A universe in which not even messages explaining that "unsubscrive," "unsuscribe," "undescribe," "unscribe," and "unimbibe" are not valid alternate spellings of "unsubscribe." I've copied my short explanation of how to subscribe and unsubcribe too many times to do it again; and it is clear that these folks are either doing this out of spite, are not reading any of the messages we send them, or think it funny. This may kill off the Cypherpunks list even where Detweiler's massive rants failed. (Now that Detweiler's cabin in Montana has been raided, and one of his tentacles carried off, who will fill his shoes? Vlad the VZNuri is well on his way to matching Detweiler's volume, if not his obsessiveness.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From thecrow at iconn.net Sat Apr 6 01:56:59 1996 From: thecrow at iconn.net (Jack Mott) Date: Sat, 6 Apr 1996 17:56:59 +0800 Subject: rc4 weak keys fix? Message-ID: <3165F409.286E@iconn.net> I got a paper from the cryptography technical report server "http://www.itribe.net/CTRS/" about a weak class of RC4 keys. The report said that with some keys, it was possible to predict what some parts of the State-Box would be. I was thinking of a way to fix this, and had this idea: do some sort of hashing function with the key that derives a number between 55 and 500 or something like that, then scrabmle the S-box that many times. In this way, the chances that the State-Box will have any correlation becomes extremely small. I think it is 1/125 to begin with anyway, so this would make it around 1/(125*NumPasses). And since the exact number of passes is a function of the key, the cracker won't know how many times it went through. I tried this out and having 1000s of passes doesn't effect the randomness of the state-box in any negative way, possibly it makes it more random? If anyone has any thoughts I'd love to hear them. -- thecrow at iconn.net "It can't rain all the time" From perry at piermont.com Sat Apr 6 02:15:27 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 6 Apr 1996 18:15:27 +0800 Subject: Was Cohen the first? In-Reply-To: <ad8abb671e021004df37@[205.199.118.202]> Message-ID: <199604052236.RAA05091@jekyll.piermont.com> Timothy C. May writes: > Having said this, Fred Cohen deserves credit for seriously studying > properties of replicating programs, including viruses. (And I believe he > coined the term virus, and also showed how it differs from a worm.) Fred Cohen did not coin the term. "The Shockwave Rider" explicitly refers to viruses in addition to worms -- indeed, the main character at several points uses a "phage" (i.e. a virus) to eliminate information about himself from the global communications network. Other people used the term "virus" in a number of similar contexts long before Fred Cohen. Perry From thecrow at iconn.net Sat Apr 6 02:24:35 1996 From: thecrow at iconn.net (Jack Mott) Date: Sat, 6 Apr 1996 18:24:35 +0800 Subject: coderpunks questions Message-ID: <3166020B.17A2@iconn.net> I am really into programming and the math involved in crypto, and could care less about the politics. I assume that coderpunks are more into that sort of thing. I have heard they are invitation only. How can I get an invite? -- thecrow at iconn.net "It can't rain all the time" From jimbell at pacifier.com Sat Apr 6 02:41:37 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Apr 1996 18:41:37 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u5QPq-0008xyC@pacifier.com> At 12:37 PM 4/5/96 -0800, sameer at c2.org wrote: >> Where I differ with Mr. Bell is that he seems to think the ISPs of the >> world are going to rise and unite to quash the oppressive hand of big >> government at their own expense in order to satisify some sense of >> personal ethics or customer goodwill. >> > > I urge Mr. Bell to start a business of his own with that >model, and see how much fun he has. (Or, worded differently, how long >it takes for him to go bankrupt. Perhaps we can setup betting >pools. That could be fun.) By now, you've probably seen my comment to Unicorn, that ISP's could easily pool their resources, in a form of insurance, to guarantee that any test case will be fully litigated to ensure that a bad precedent isn't set. What if it cost a million dollars? That's only about 5 cents per American Internet user. You were saying about "going bankrupt"? Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Sat Apr 6 02:49:33 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Apr 1996 18:49:33 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u5QH8-00090aC@pacifier.com> At 02:06 PM 4/5/96 -0500, Black Unicorn wrote: >On Fri, 5 Apr 1996 sameer at c2.org wrote: > >> What's the point here, or is Unicorn just having fun >> lambasting Jim Bell? >> >> My basic attitude, running an internet privacy provider, is if >> Mr. Govt. wants my data, and gives me a court order (subpoena, >> "compelled discovery", whatever), then I'll give it to 'em. >> If my customers that they were looking for had any brains at >> all, a court order, compelled discover, whatever, will not help >> Mr. Govt. That's the cornerstone of my security model. >> >> Or am I confused about what you are talking about here. > >Yours seems to be about the most aggressive policy a ISP provider can >take and expect to remain in business. This is a classic defeatist attitude, the one that Unicorn specializes in. He wants us to believe that there is literally NOTHING that anyone can possibly do to solve the "government problem." I contend that had he talked to Phillip Zimmermann in 1990 or so, he would have told Zimmermann that "It's illegal to write an encryption program using RSA, because it's patented! You'll never get away with it!" But history records that Zimmermann _did_, and he "got away with it." What I'm advocating is that people do what Zimmermann did: Write programs that will extend the usages of encryption to thwart attempts to retrieve data by its owners, whether or not the data is on the owner's system. >That is, resist by what legal means are available, but ultimately depend >on the user to secure his or her own data. Notice that Unicorn never gives useful specific suggestions about which "legal means are available." >Where I differ with Mr. Bell is that he seems to think the ISPs of the >world are going to rise and unite to quash the oppressive hand of big >government at their own expense in order to satisify some sense of >personal ethics or customer goodwill. Cumulatively, they could do exactly this. Spread among most ISP's, the cost per ISP could be quite low. Augmented with my AsPol idea, the costs would be even lower. What was that quote? "A box of shells is cheaper than an appeal." Jim Bell jimbell at pacifier.com From jamesd at echeque.com Sat Apr 6 02:50:10 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 6 Apr 1996 18:50:10 +0800 Subject: RC4 improvement idea Message-ID: <199604060539.VAA22611@dns1.noc.best.net> At 12:01 PM 4/5/96 -0500, Jack Mott wrote: >I got a paper from the cryptography technical report server >"http://www.itribe.net/CTRS/" about a weak class of RC4 keys. The >report said that with some keys, it was possible to predict what some >parts of the State-Box would be. The report was bogus: For one key in 256, you can tell what eight bits of the state box are. For one key in 64000 you can tell what sixteen bits of the state box are, and so on and so forth. Such keys are not weak. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From stewarts at ix.netcom.com Sat Apr 6 03:12:05 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 6 Apr 1996 19:12:05 +0800 Subject: Using crypt() Message-ID: <199604060645.WAA20225@dfw-ix10.ix.netcom.com> At 01:47 PM 4/4/96 -0400, Eric Eden <erice at internic.net> wrote: >I'm testing a encryption program that includes use of crypt(). Out of curiousity, why use crypt() instead of, say, MD5, which is stronger and allows arbitrarily long passphrase input? You could add a crypt()-like salt to it as well, if that helps. And just as crypt() lets you distinguish between input and output based on length and character set, if you use MD5, you know the output is 128 bits, rendered either as raw bits or 32 hexes depending on your program environment. With crypt(), for users who don't remember their passwords, you can run crack to try and recover them. This doesn't work, of course, if your stored "encrypted password" is really an unencrypted non-13-byte string which wouldn't ever be the output of crypt(). MD5, on the other hand, allows enough passphrase space that a brute force search would take much longer. From gleick at around.com Sat Apr 6 03:17:36 1996 From: gleick at around.com (James Gleick) Date: Sat, 6 Apr 1996 19:17:36 +0800 Subject: No Subject Message-ID: <2.2.32.19960406060312.006d58c0@pop3.interramp.com> Perry E. Metzger wrote: > >James Gleick writes: >> >> Seigniorage is actually the Government's interest income on all the >> currency in circulation. > >Seignorage is neither of these things. It is the difference between >the cost of producing a currency token (like a quarter or a dollar >bill) and the face value of the token. In essense, its the profit >margin on printing or minting money. You're giving a definition straight from a dictionary--an old one. Welcome to the modern world. >> It's not obvious, but it's true, that the Fed collects the "float" >> on dollar bills you carry in your pocket, > >Oh, really? From whom? First I've heard of this. Then you're learning something new. >Now, it is indeed true that the Fed holds large numbers of government >bonds and theoretically earns interest on them, and that banks in a >free banking system do indeed loan out the money that backs their >notes. However, the fed has no mechanism to earn interest on dollar >bills, nor, in fact, does it need to. On the contrary. The Federal Reserve holds Government securities corresponding to the dollar value of currency in circulation. It earns interest income on this amount, and returns this income to the Treasury. This is called seigniorage. It amounts this year to something over $20 billion. This is a very real issue. To the extent that electronic money replaces currency (reduces the amount in circulation), it will cost the Treasury seigniorage--and the Government is acutely aware of this. Whether the beneficiaries are consumers, banks, or other issuers of digital cash will depend on the system. -- James Gleick gleick at around.com http://www.around.com From declan+ at CMU.EDU Sat Apr 6 03:40:23 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 6 Apr 1996 19:40:23 +0800 Subject: PICS required by laws In-Reply-To: <01I36YAYMC3K8ZE63H@mbcl.rutgers.edu> Message-ID: <AlNVRNm00YUvRBRsgL@andrew.cmu.edu> The ACLU is taking the right position here, IMHO. But I sense no consensus from the coalition of groups in the CDA challenge. -Declan Excerpts from internet.cypherpunks: 5-Apr-96 PICS required by law by "E. ALLEN SMITH"@ocelot. > What was I saying a while back about mandatory PICS through liability? > > As I recall, various people such as TCMay were saying that it wouldn't happen. > > Looks like I need to get out that article against PICS that I was working on > and rewrite it a bit. I would remind people that PICS allows parents (or > whoever else is holding the reins, such as an ISP - or the Chinese firewall) t > o > filter on such content as material (including scientific studies) stating that > > a given illegal drug is not as harmful as some would claim, any idea futures > market - even a simulated one, on homosexual content separately from > heterosexual, and against criticisms of religions (such as Scientology). To > their credit, the ACLU (in the CDA court case) has stated that they will not > put a PICS rating on their web site, even if it contains "indecent" or > allegedly "harmful to minors" material. I agree strongly with their position. From sameer at c2.org Sat Apr 6 04:02:53 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 6 Apr 1996 20:02:53 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <m0u5QPq-0008xyC@pacifier.com> Message-ID: <199604060648.WAA11201@atropos.c2.org> > > By now, you've probably seen my comment to Unicorn, that ISP's could easily > pool their resources, in a form of insurance, to guarantee that any test > case will be fully litigated to ensure that a bad precedent isn't set. What > if it cost a million dollars? That's only about 5 cents per American > Internet user. > > You were saying about "going bankrupt"? > I urge Mr. Bell to start an ISP insurance company, then. Let us see how long it lasts. Perhaps I should put up a web page for the betting pool we can have. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From stewarts at ix.netcom.com Sat Apr 6 04:57:51 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 6 Apr 1996 20:57:51 +0800 Subject: pgp keys Message-ID: <199604060900.BAA24994@dfw-ix3.ix.netcom.com> At 11:55 AM 4/4/96 -0500, Jack P. Starrantino jpps at voicenet.com wrote: >Is there a reliable method for obtaining the pgp public key for an >arbitrary email address? [....] to obtain keys I do not have. Reliable? No; not everybody follows The One True KeyDistribution Method, or even follows one-or-more of the popular electronic approaches, and not all keys that are distributed electronically are on the Internet, though some of them may be on intranets or fido or uucp nets. There's also the problem that the results are not unique. If you look at the MIT keyserver, http://www-swiss.ai.mit.edu/~bal/pks-toplev.html, in the cluttered "Bill Stewart" namespace, you'll find several Bill Stewarts, and you'll find many people have multiple keys for each email address, especially after they've been in the servers a few years. >I've caught some of the discussion on key servers, and noted some >people's use of their signature, plan, or home page to distribute their >keys. Are some combination of these suitable today? There's a collection of keyservers that stay in sync with each other, including the ones at pgp.mit.edu. bal's http interface is a popular way to access them, though there are others communications methods as well. Some other people use finger; finger's really just a telnet to port 79 while sending a requested name and holding the connection up to wait for replies, but not everybody uses that either, and many host systems don't serve finger. My work PGP address is available on my company's internal phone-book web, and printed on my business cards, though I have now put it on MIT's server. >Is there a parseable convention in use for extracting keys from mail/finger/html? Sure - the standard ASCII form that PGP extracts keys in is parseable by PGP. (You have to be careful, when obtaining keys by mail/finger/html, that if you get multiple keys, you do something appropriate, like split them up first.) Unfortunately, Real PGP likes to ask you interactively if you want to add the keys it found to a keyring, or whatever, but you could just feed it some "Y"s on stdin to keep it happy. The new PGP 3.0 stuff will have libraries so it's much easier to build clean routines to do this rather than interact. >My goal is to make encryption the default behavior on outgoing mail. I >am not concerned about local security. Good luck! You'll probably have to prompt the user at least for disambiguation, and possibly for methods for finding keys as well. From jimbell at pacifier.com Sat Apr 6 05:46:26 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Apr 1996 21:46:26 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u5Q3q-0008xlC@pacifier.com> At 03:49 AM 4/5/96 -0500, Black Unicorn wrote: >On Thu, 4 Apr 1996, jim bell wrote: >> I really don't think you're giving me enough credit. I am fully aware that >> in the past, the organizations on which wire-tap-type subpoenas were served >> (primarily AT+T, "The phone company") were very cooperative with the police >> and probably "never" challenged the subpoena. There is the law, and there is >> the usual reaction to that law, and I expect that much of Unicorn's position >> is based on a (false) assumption that this reaction will necessarily >> continue unchanged. > >Now, if this is your postion, let's see some support. You do the research. Until 1968, Federal wiretaps were illegal, by the Federal communications Act of 1934. >From Encyclopedia Brittanica, 1970, vol 23 page 592: "The modern federal law of wiretapping begins with the case of Olmstead v. U.S., 277 U.S. 438 (1928). A majority of the Supreme Court, over vigorous dissent, held that a defendant's rights against unreasonable search and siezure, protected by the Fourth Amendment of the U.S. Constitution, were not denied by the tapping of his telephone wires by federal police officials. In denying constitutional protection to the privacy of telephonic communicatiosn, the Olmstead decision in effect delegated to Congress the responsibility for defining what restrains, if any, are to be imposed on wiretapping activiity. In 1934, Congress enacted section 605 of the Federaol Communications ACt, whcih provides, in part: "no person not being authorized by the sender shall intercept any communication and divulte...the contents..of such intercepted communication to any person." Brittanica continued: "It is clear that federal police officers continue to engage in wiretapping despite the statute. The position of the Department of Justice has been that section 605 does not forbid wiretapping per se, but only interception _and_ divulgence. Moreover, it is assered, communication of the contents of an intercepted message by one federal police officer to another is not 'divulgence' within the meaning of the act. This interpretation has never received definitive judicial approval. Since the late 1930's numerous unsuccessful attempts have been made to amend the provisions of section 605, usually with the purpose of broadening various law-enforcement uses of wiretapping." [end of Brittanica quote] Needless to say, I find these excuses and distinctions silly and self-serving. If Congress really had the power to increase the usage of wiretapping and numerous times chose not to do it, it is reasonable to assume that no legitimate interpretation of the Act of 1934 could allow police wiretapping to occur. It is reasonable to assume that most wiretaps, when they were done, were assisted by the local phone company (usually AT+T). In other words, AT+T assisted the government in illegal actions. What happened in 1968 was that Congress, recognizing this situation, decided to "compromise": They declared those wiretaps legal, if a warrant was obtained, and and a sop to the cops they allowed that evidence into court. But them's the details. The fundamental point is that if AT+T would engage in illegal activity to benefit the cops or Feds, they would certainly go less far to give the government what it wants, whether or not that was illegal. Clearly this was (and is) a non-arm's length relationship. And notice that there was apparently no way for the police to force AT+T to do those wiretaps, before 1968. They couldn't use them, so they couldn't insist on them. You'll have to explain why AT+T did what they did even though they were apparently not obligated to act, and there was NOTHING the Feds could have done (legally, anyway!) to force them to. >Compelled discovery orders work because they are backed with the >very credible threat of financial and custodial sanctions. Obstruction, >or conspiracy is a crime, and in the case of the FBI, a federal crime of >some magnitude. As usual, you misrepresent the situation. You're setting up a straw man. "Appeals" are not "obstruction." >While some ISP's may indeed feel they are able to resist the whims and >enforcement powers of the United States, they are likely to be offshore, >small, and viewing themselves as out of the reach of U.S. jurisdiction. You continue to build that straw man. And I notice that you said "whims"? What did you mean by this? Are you suggesting that there is something wrong or illegal with "resisting the whims" of the government if that government has no legal basis for compelling cooperation with those "whims"? I think it's interesting that with each paragraph you set little traps for yourself, and fall into them so embarrassingly. >With the scope of U.S. jurisdiction for compelled discovery, however, >I think that most ISP's will find themselves in for significant surprises. There you tried to knock him down. >Mr. Bell somehow assumes that smaller ISP's will be less vulnerable. I >believe this in error. Smaller ISP's won't even have the financial >wherewithall to fight a compelled discovery order properly, much less >actualy prevail in court Think "insurance companies." Insurance companies exist to pool risk. At some point, "subpoena insurance" will be recognized as being a valuable thing, because it will allow even the smallest ISP the full legal assistance necessary. A side-benefit of such assistance is that the government won't be able to "defendant shop" and try to set up a comfy precedent, because even the smallest ISP will be able to fight back as if it were large. This is important to all other ISP's, obviously. That's why they'll happily pool their resources. >where it is firmly estlablished that compelled >discovery orders will be enforced and enforced with vigor, and that >judicial review will be a waste of time. Continuing to knock down that straw man, I see! >It is worth bearing in mind that subpoenas are not the only tool that >authorities can use to affect compliance. In many cases authorities >simply seize the equipment and hold it for the statuatory period before >which they are required to file charges in. The Ripco BBS in Chicago, >victim of the Sun Devil raids, is a prime example. In that case the >equipment was seized (via sealed warrant which later proved to authorize >seizure of "computer or other electronic equipment of any nature." and in >actuality resulted in the seizure of everything from disks to printers >to telephones), and held for five years before finally being returned. >Clearly it was obsolete by this time. No charges have been filed. What I repeatedly find amazing about Unicorn's commentary is that he lists actions and behaviors of government that most of the rest of us find disgusting or egregious, and then he seems to take the position that it is impossible to prevail in court against those actions. Even if that limited opinion were true, to the extent it's true that merely goes to show why we can't expect justice from courts, and why we're going to have to set up a system to ensure that these egregious actions get punished. >While I'm sure Mr. Bell would sacrifice hardware, freedom, cash, (though >I'm sure he would insist on representing himself), and time to fight the >tyrany of the FBI, I don't see every ISP suddenly turning into a Montana >freemen armed standoff with the authorities, which is what it would >practically take to resist such warrants and exercise of authority, even >by preemptive or malicious encryption or disposal of data. Actually, it only takes one to set a precedent hostile to the government. >> Besides, that phone company had a monopoly, so it wasn't possible for >> citizens to shop around for a phoneco that was known to make it hard for >> police. But that's changing, and that's my point. Now and in the future, >> it's going to be harder and harder for the police to get a >> bend-over-backwards level of cooperation, and in fact phonecos (and >> especially ISP's) might reasonably want to build up a reputation that they >> will defend a customer's security in court long before a wiretap is >> installed. > >In practice many ISP's or phone co's will not have the opportunity to >defend the matter in court without their services and equipment being >forcibly seized preemptively. Oh, really? Do you realize what you've just admitted? You're your own worst enemy. Let me quote you something you said below: >There are ways to resist compelled discovery. These are not they. Sounds like a big contradiction, right? You can't even keep your story straight! Your loyalty to the truth is nil. Yet another trap you set for yourself. >> Imaginative phonecos will find ways to inform the target >> legally, including naming the target as a non-hostile defendant in a court >> challenge to that wiretap, and noticing that target since he's now a party >> to a court action that must be noticed under civil procedure rules. > >So the ISP sues their client to notify them of the wiretap? Or the ISP >sues the FBI and then draws the client into the suit? I'm not sure what >you mean here. Your cluelessness is legendary. Go talk to a real lawyer and he might tell you that occasionally, entities must be brought into lawsuits if their interests are at stake and their participation is necessary to decide an existing case. It happens all the time. In this kind of case, a challenge to the wiretap inherently involves the interests of the person to be tapped, and thus his participation is logical. Not that the cops would LIKE it, but that doesn't necessarily mean that it won't happen anyway. >In any event it's a totally meaningless point as ongoing >investigations could easily be blinded and the ISP or telco charged with >willful obstruction Naming the target as a non-hostile defendant is not illegal. Noticing him under civil procedure rules is not illegal. Etc. or conspiracy to destroy material evidence to a >crime, accessory after the fact in effect. You keep harping on this "destroy material evidence" kick. Is that the best you can do? I said NOTHING about "destroying evidence." (regular readers will notice that this is a pattern that Unicorn displays; typical straw-man behavior! His "destroying evidence" tirades are old.) > >> In short, there is a drastic difference between blind obeisance and >> enthusiastic hostility, even if you exclude actions by the ISP or phoneco >> that would rise to the level of some crime. > >What you have described is a crime. Your "clever" lawsuit isn't going to >fool any judge, or anyone else. There is a big difference between "not fooling the judge" and becoming a crime. As I pointed out before, these are exactly the kinds of issues that have "never" been enthusiastically challenged by an ISP or telco. Your assumption that such challenges will never happen, or will fail is touching. >> My point in the first paragraph that I am quoted in above is >> that many of the challenges that have never been made against wiretap >> subpoenas, due to a closer-than-arms-length relationship between the phoneco >> and the government, _will_ be challenged. > >This argument relies heavily on the absence of other persuasion to comply >with wiretaps, which, as I have demonstrated, exist in abundance. Thus the >thing falls in upon itself. The error you just made is to confuse the issue of adjudication and enforcement. All you just said was that, once the final decision is made, it can be enforced. I don't think it's necessary for me to challenge that claim, for the purposes of my point. My point is that challenges to subpoenas can and do occur, WHEN THE PERSON OR CORPORATION NAMED _wants_ to do them, and up until now that organization regularly failed to do so. >> will be challenged on (among other things) the basis of >> the fact that this precedent was formulated during an era when essentially >> all telecommunications was monopolized and regulated, and there is no reason >> to believe that a previous telecom monopoly would have been diligent at >> protecting the rights of their captive customers against the interest of the >> government at that time. > >You're claiming that a court is going to distinguish the case where a >small ISP/telco refuses to comply with a compelled discovery order from a >case where a large telco typically complies with a discovery on the basis >that the large company complies only under compulsion or in self interest? > >This amounts to "A obeys the law because he wants to. B doesn't want to >obey the law, therefore B need not." Further "straw-man" behavior. You just misrepresented the issue. I'll re-write it: "A obeys not only the law without question, but also agrees with all requests even if they are beyond the legal scope of the subpoena, and generously helps the cops, challenging nothing. B challenges everything, and uses 'every trick in the book' to eliminate or minimize his obligations under the law" There, that's better. >> I think we need to start challenging all the previously-assumed issues that >> have been interpretated to benefit the government. If my ISP has agreed, >> for instance, to send me daily certifications that he hasn't received any >> "official" inquiries about my account, and one day he receives such an >> inquiry and is forced to install some sort of a tap, it is hard for me to >> imagine what kind of legal precedent would allow (and, even, REQUIRE) him to >> continue to send false certifications when the alternative, simply failing >> to send any certifications whatever, is also "legal." > >As I have tried to explain to Mr. Bell before, the days of legal >formalism are over. Substance over form prevails today. What, exactly, does this mean? Are you saying, "The Constitution is dead"? Are you implicitly acknowledging here that my points are, or at least, WERE valid under a previous interpretation of the Constitution? What, exactly, happened to change this? Who passed which law to change it? >The substance >of this transaction is to inform the client that an investigation is >ongoing. This is a major no-no, whatever Mr. Bell thinks he knows. "major no-no"? It sure is interesting how Unicorn uses thes high-falutin legal terms like "major no-no" to describe the intricacies of subpoena law. I'm going to have to look in Black's to figure out the legal implications of "major no-no." >> (and, in fact, may be >> required under my contract with him, should he be obligated to do a tap or >> know one exists.) > >As I explained before, contracts are void to the extent they are >illegal. Unicorn proves, once again, that a little knowledge is a dangerous thing. But I don't think that FAILING to send a particular certification (that the ISP isn't under subpoena) constitutes an "illegal" contract. The fulfillment of that term is not legally required, absent a contract, and likewise it is not generally prohibited if it is part of a contract. It looks like the government has no basis to object to either sending that certification or failing to. And you also misrepresented things: it is more accurate to use the term "unenforceable" rather than "void". "Unenforceable" (assuming, for a moment, that this was a correct interpretation; it isn't, however) might simply indicate that the client can't sue his ISP for lack of fidelity to that particular term of the contract. But that's somewhat misleading, because this assumes that the ISP _doesn't_ want to comply with the terms of his contract. It is irrelevant that a contract is argued to be "unenforceable" if the parties to the contract _want_ to comply with it anyway. And if the ISP _wants_ to comply, and compliance merely involves FAILING to send a certification, and not sending that certification is not otherwise prohibited by pre-existing law, then I think it's obvious that the ISP is entitled to fail to send the certification. In a government-centric philosophy enthusiastically promoted by Unicorn, government is the only enforcer. In the real, digital world of the future, digital reputations will enforce behavior. A practice by an ISP to tolerate subpoenas without legal challenge will become well-known, and that ISP will shrink to oblivion unless he changes his policies. >Mr. Bell's response? "Well, then we'll kill him and enforce >the contract that way." Given the repeated admissions you make that the government can and does engage in outrageous behavior, I'd say that extra-legal enforcement is clearly warranted. >> The fact that I'd likely interpret his failure to send those >> messages as meaning that my access is tapped is not within his control, and >> if he's unwilling to screw me I find it hard to believe that he can't act on >> this fact even if those actions have an indirect effect of alerting me. > >Your use of the word "indirect" is stretching the bounds of the >imagination. A judge, unless sleeping through argument, would see >through this like glass. Again, doesn't make it illegal. There is no reason to assume that the government will always get whatever it wants. (remember the "whim" reference you made above? I'm _still_ laughing about it!) Challenging it on what it wants should be standard procedure. >> These are the kinds of issues that have either rarely or never been >> challenged in court, simply because the organization(s) that would normally >> do those challenges was in the hip pocket of government. It's going to be a >> brave new world very soon. > >Incorrect. They have been challenged time and time again in the context >of compelled discovery. Time and time again compelled discovery has been >required, TRO's forbidding the destruction of documents and other >evidence issued, search warrants and seizure effected in place of subpoena. For a different class of people and corporations, yes. Not ISP's, and as far as I know, telephone companies have never pushed the envelope. If you have any specific contrary examples, show me. >The telco in past has not complied with such orders because of some grand >government conspiracy, You statement is wildly in error. AT+T clearly did phone taps for the government prior to 1968 PRECISELY due to "some grant conspiracy": It certainly didn't do them because AT+T was _legally_obligated_ to. >although I realized Mr. Bell finds such things >immensely sexy. It has complied because its officers faced criminal and >financial sanctions for non-compliance. Which is an interesting statement, given the fact that I pointed out that in the period of 1930-1968, the phone company assisted with ILLEGAL wiretaps. Are you suggesting that during that time frame, they actually violated the law under threat of "criminal and financial sanctions for non-compliance"? What kind of government threatens people with "criminal and financial sanctions" for NOT assisting it with illegality? Yikes! Somehow I think your morality is about as warped as it comes. Yet another trap you set for yourself, and you jumped right in. > >There are ways to resist compelled discovery. These are not they. What you haven't explained or demonstrated is how ISPs could become more agressive in their defenses. This failure is typical of you: Your bag of tricks is empty _unless_you_are_paid_. Jim Bell jimbell at pacifier.com From steve at edmweb.com Sat Apr 6 06:30:57 1996 From: steve at edmweb.com (Steve Reid) Date: Sat, 6 Apr 1996 22:30:57 +0800 Subject: myths of software "standards" In-Reply-To: <199604052239.OAA27249@netcom16.netcom.com> Message-ID: <Pine.BSF.3.91.960406032352.2796A-100000@kirk.edmweb.com> > there is tremendous ranting and raving in the Web world about how > the HTML standard is fragmenting because of Netscape etc., and there > is so much angst about trying to devise a *single* cohesive, unified > standard that "everyone" follows. people talk as if Netscape is > trying to "hijack" the standard, when in my opinion they are performing > a valuable public service of trying to hammer the bits into useful > form. everything they have proposed could not be handled by the > earlier standards-- and if it could have been, chances are they would > have used that standard. Sure, the Netscape extensions are nice. And it's nice to have an operating system (M$-DOG) pre-installed on every hard drive. But Net$cape, like M$, was trying to esablish a dominant "follow-us-or-die" position in the industry. Yes, the Net$cape extensions allow people to do stuff that they wouldn't otherwise be able to do. But, the extensions *could have* been implemented in such a way that using them wouldn't be detrimental to non-Net$cape browsers. Instead, they've altered the World Wide Web in such a way that it can only be viewed "correctly" with Net$cape. The rest of your post was quite interesting. I *do* think it would be good to have multiple, interchangeable formats like we do for graphics. What we really need to make that happen are DETAILED SPECIFICATIONS. From jya at pipeline.com Sat Apr 6 07:32:35 1996 From: jya at pipeline.com (John Young) Date: Sat, 6 Apr 1996 23:32:35 +0800 Subject: Peeking at Your PC Message-ID: <199604061256.HAA29769@pipe1.nyc.pipeline.com> The New York Times, April 6, 1996, p. 23. Peeking at Your P.C. [Op-Ed] By Simson L. Garfinkel Cambridge, Mass. As more Americans use electronic mail, buy products over the Internet and keep their most personal records on desktop computers, there is increasing demand for cryptography software that can insure the privacy of personal electronic communication. This technology already exists, but the Government, through export-control regulations, effectively bars citizens from using it. The Government classifies encryption software as munitions, because foreign countries can use such programs to hide their communications during times of war. To prevent this, American companies are largely prohibited from selling to foreign customers any programs that include strong coding features. Unfortunately, that has stifled the domestic market. Encryption-software developers find it too expensive to create two versions of their programs -- one with strong cryptography for domestic use and one with cryptography that is weak enough for export. So in the United States, developers sell only the weaker cryptography software. Last month, a bipartisan group of lawmakers introduced "The Encrypted Communications Privacy Act of 1996" to combat this problem. But while this measure would increase the availability of good cryptography at home, it would limit our freedoms in other ways. The act would legalize the export of any mass-market software if similar technology is already available overseas. This would put an end to the futility of forbidding such exports at a time when cryptography technology is increasingly available around the globe -- in libraries and on the Internet. Indeed, the Software Publishers Association says that the main result of the export regulations simply has been to shift the overseas marketing of military-grade cryp tography to foreign companies. So although the new bill would still prohibit American companies from exporting innovative programs, it would at least allow them to compete with foreign companies on an equal footing. However, the Clinton Administration and others oppose this minor change, because they are worried that criminals and terrorists could use the export liberalization to their own advantage. Because of this opposition, the bill throws a bone to the antiprivacy forces. While lifting export controls, it criminalizes some uses of cryptography for the first time in our nation's history. It would be illegal, for instance, to use encryption that interferes with a felony investigation. But the language of the bill is so broad that these restrictions could apply to a reporter's encrypted computer files. The bill also creates legal rules for "key holders" -- organizations that would be given copies of an individual's decryption key, or codebreaker. This means that an individual's encoded messages or documents could be decoded, under a court order, without his or her knowledge. Although the use of key holders would be voluntary under the bill, that could easily change and the system could become mandatory. There is some hope for avoiding all this. Senator Conrad Burns, Republican of Montana, plans to introduce a narrower bill that focuses simply on liberalizing exports of encryption technology. The software industry and civil libertarians are already supporting this approach -- one that is good not just for American business but also for our right to privacy. Simson L. Garfinkel is the author of the book "PGP: Pretty Good Privacy." [End] From nsa at omaha.com Sat Apr 6 09:55:56 1996 From: nsa at omaha.com (Omaha Remailer) Date: Sun, 7 Apr 1996 01:55:56 +0800 Subject: (Excerpted Fwd) Minnesota Online privacy bill in conference comm In-Reply-To: <199603310737.CAA13085@unix.asb.com> Message-ID: <199604061435.IAA14114@glucose.suba.com> Could you pust a URL for the actual bill? I'm having a hard time tracking it down from the URL you gave. Thanks. From WlkngOwl at unix.asb.com Sat Apr 6 10:19:42 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 7 Apr 1996 02:19:42 +0800 Subject: RNG_DEVICE Environment Variable? Message-ID: <199604061226.HAA12458@unix.asb.com> Considering a couple of RNG hardware manufacturers use different names for device interfaces, perhaps it would be 'convenient' to have apps look for the environment variable RNG_DEVICE which gives the name of whatever device is used (rnadom$, random, rand, even lpt2...) or even a special file that is mixed periodically by a cron job (noiz.c?). The assumption is that reads from that device would return "truly random" bytes (not from a pseudo-RNG), either from specialized hardware or a system-noise sampler such as noise.sys (DOS) or random.c (Linux, FreeBSD). How software would handle not getting enough bytes is another matter, perhaps left configurable to the app. Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From sasha1 at netcom.com Sat Apr 6 10:31:17 1996 From: sasha1 at netcom.com (Alexander 'Sasha' Chislenko) Date: Sun, 7 Apr 1996 02:31:17 +0800 Subject: FWD: On digital cash and geodesic economies Message-ID: <2.2.32.19960406150904.00d4918c@netcom.com> Haven's seen anything on Bionomics list for a month. Is the list silent, or is it just me. I hope you will find the following article relevant to bionomics. --- begin forwarded text From: rah at shipwright.com (Robert Hettinga) Date: Thu, 4 Apr 1996 21:21:19 -0500 To: Multiple recipients of <e$@thumper.vmeng.com> Subject: Wired didn't like this one.... -----BEGIN PGP SIGNED MESSAGE----- ...but I like it. Said it was a little too "fast paced". (For WIRED???) I'm starting over on another, so you guys might as well see this one... It *was* supposed to go into their Idees Fortes (Or, as my brother Mike in Albuqerque says, in his best Jose Jimenez, "Stron' Gideas") section. Now something else is, once I write it. Feh! It's 800 words. Exactly. Cheers, Bob Hettinga ------------------------ Geodesic Capital? Robert Hettinga I've just finished a bit of anonymous consulting on the net for an anonymous client, being paid, of course, in anonymous digital ecash(tm). I could just store it, offsite even, anonymously. But, I'm saving it for that special retirement habitat in the Belt ("Gerry's Habitats, Inc.: Pie in the sky, Nano-Built(tm) *before* you die!"). I have to *invest* it somewhere. I buy a page of mutual fund reccomendations from a LipperBot(tm). In my case, I just want to buy a broad market index, say, the (ahem) Hettinga Million(tm), and shop around for the fund server which approximates closest the HM's price over time. I link to the server, and buy anonymous bearer certificates for that server's HM fund. Later, when I cash in my certificates, I have enough appreciated capital to buy the custom Bernal sphere of my dreams. Of course, if my tolerence for risk is higher, I could buy shares from a fund manager (bot or otherwise, no way to tell with anonymous cash markets) with a hot hand for picking stocks. OK. Say I don't actually *save* money. I'm someone who borrows money for very short term "assets" like resturaunt meals, and pays the incurred debt off over the long term at some userous interest rate. How do I do this? I issue a personal digital bearer bond for the amount of the transaction. All I need is someone to underwrite the risk. Fortunately, I always have an efficient real-time market to auction it into, one that always knows my payment reputation, thanks to all those money-bots in the ubiquitous network. Voila'! Bring on the chateaubriand for one, waiter, and don't spare the bearnaise, all this thinking about money's made me hungry. What we're talking about here is nothing new, of course. We've had trade ever since we've had artifacts. The ancient "red-paint" culture was just a trading network which ran around the north Atlantic from New England to as far as Ireland. So much for the "New" World. The oldest surviving Babylonian money is a piece of clay saying "three cows" wrapped in a clay "envelope" saying something like "three cows, payable on demand, so say I, (signed) Joe Nebbuchenazzar". This happened shortly after writing was invented, which was actually invented for *accounting*. Mechanical signatures like chops and seals have been around since. Digital signatures and bearer certificates are just a new implementation of some *very* old stuff. Ornate paper certificates, representing shares in companies, or actual stuff, was physically traded for other ornate paper certificates (cash), or actual stuff, at places like the famous buttonwood tree on Wall Street. Pretty soon people didn't have to be there to trade. We built fast industrial communications (staged horsemen or coaches, then ships or trains, then telegraphy, then telephony) but we still had slow switches (people), so we had to build all the communication/organization/market hierarchies we know and love today. In addition, the power of the state (another industrial communication heirarchy) provides a sizable argumentum ad bacculum for people who repudiate trades. If you don't pay, I throw you in jail. Like every thing else, Moore's law changes that. Proportionately, semiconductor switches get more and more cheaper than lines, so the telephone network is no longer a hierarchy. Nodding to Buckminster Fuller, Peter Huber called it the "Geodesic Network", the title of the 1986 government report he wrote describing it. Ironic. I'm here saying this in a magazine founded by deciples of Stwart Brand, himself a one-time Fullerite. All threads lead to Bucky. When you combine a geodesic network with strong cryptography, you get a geodesic economy, which needs geodesic capital. Just change the size of players in either equity or debt scenario, and you're looking at what any large business organization does today. The only thing you're missing is how to deal with non-repudiation. If the state can't tax transactions or financial assets because strong crypto makes them all invisible, states can't exist, much less "bacculize" very well. The solution is the same it ever was: reputation. J. Pierpont Morgan said, when hauled before Congress one afternoon, "Character, sir. I wouldn't buy anything from a man with no character, even if he offered me all the bonds in Christendom." In a geodesic economy, reputation is abstracted to keys, not people. Geodesic capital scales up to bigger stuff than we can do now. A chaotic hoarde of autonomous money-bots swarms on the minutia of the necessary financial complexity. It also scales *down* as processor prices fall. Real time, MicroMint(tm) cash-on-the-router-head auctions for packet switching, anyone? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWR/ovgyLN8bw6ZVAQHCkQP7BPmSNibfRQLeZETvRkUVGJdPB0WOYrTM yU33wwqDPBEcwfYLgX4oBcAfHv/Kfvr1vH4bBTioEVyanVDtJLt9KL/62kn+Ot+/ BLDdBM6Km1R/xRD9xnvQd5Kyz2INQCmNU7ZJk3BQpK484V74aW6We155fH2ovjr3 TgQ6mYMe7rs= =GVNA -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From ichudov at algebra.com Sat Apr 6 11:16:00 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Apr 1996 03:16:00 +0800 Subject: [NOISE] Re: Fascinating troll with forged newgroups In-Reply-To: <Pine.SUN.3.92.960404120337.12296A-100000@elaine28.Stanford.EDU> Message-ID: <199604061537.JAA06070@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- Date: Sat Apr 6 09:34:23 CST 1996 To: llurch at networking.stanford.edu Cc: dlv at bwalk.dm.com, cypherpunks at toad.com Subject: Re: [NOISE] Re: Fascinating troll with forged newgroups Rich Graves wrote: > > So is the soc.culture.russian.moderated script freely available yet? I'd > like to use a stripped-down version thereof (controlling crossposts only) > for the talk.politics.natl-socialism that Milton Kleim and I proposed a > week ago. > Yes, the scripts are freely available. The robomoderator has been working for about three weeks and now I seem to have little problems supporting it. Our human moderators spend relatively little time because the majority of posts come from preapproved users, and approval and rejection commands are very easy to use. The thing uses PGP extensively for authentification and secure exchange with human moderators. For signing approved articles it uses PMApp by Greg Rose. There are still a couple of optional things to do (such as taking headers from PGP-signed parts of messages if they are there), but otherwise it is in working condition. One really important thing to do before handing it out is adding more comments... - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWaPjcJFmFyXKPzRAQEJtwP/asqR7kbtQ0fc48a4az/IvBndnbLj6BZL oQgzwieoWZk6BeIyNmNDBHhtn7bXGVm+UoofYsLCxZSbjHfAvbohgryWCncYi2J8 Xjw5Dm47NSq9EoWoSlgogfVUHwLI82JN6T6RQ+IIISg+INjm1/BD1AVuvQ9pQUHv 8cwbccKVsdo= =9kaj -----END PGP SIGNATURE----- From sasha1 at netcom.com Sat Apr 6 11:59:05 1996 From: sasha1 at netcom.com (Alexander 'Sasha' Chislenko) Date: Sun, 7 Apr 1996 03:59:05 +0800 Subject: [mis]FWD: On digital cash and geodesic economies Message-ID: <2.2.32.19960406161654.00dbac68@netcom.com> Sorry - sent previous post to cp instead of bionomics. From perry at piermont.com Sat Apr 6 12:20:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 7 Apr 1996 04:20:57 +0800 Subject: No Subject In-Reply-To: <2.2.32.19960406060312.006d58c0@pop3.interramp.com> Message-ID: <199604061646.LAA07847@jekyll.piermont.com> Incidently.... James Gleick writes: > >Seignorage is neither of these things. It is the difference between > >the cost of producing a currency token (like a quarter or a dollar > >bill) and the face value of the token. In essense, its the profit > >margin on printing or minting money. > > You're giving a definition straight from a dictionary--an old > one. Welcome to the modern world. The definition I use is *still* totally current. One concern when doing things like switching from dollar bills to dollar coins or altering printing processes in paper money is a change in seignorage because of a change in production cost of the currency tokens. Perry From perry at piermont.com Sat Apr 6 12:42:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 7 Apr 1996 04:42:57 +0800 Subject: Spinners and compression functions In-Reply-To: <960405210713_185610686@emout10.mail.aol.com> Message-ID: <199604061626.LAA07799@jekyll.piermont.com> JonWienke at aol.com writes: > Since there has been a lot of discussion about spinners derived from various > things (idle loops, video retrace, etc.) used as entropy sources, here is yet > another idea. Run the spinner output through a PKZip type compression > function, and then seed a PRNG with the output from that. This would provide > a means of gauging the amount of entropy that has been fed into the PRNG, > (count the bytes output from the compression function) Actually, it doesn't. The entropy present from a reasonable source like keyclick timings is much much lower than the output of pkzip is going to suggest to you. Perry From JonWienke at aol.com Sat Apr 6 13:35:15 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 7 Apr 1996 05:35:15 +0800 Subject: Spinners and compression functions Message-ID: <960406122835_370230637@emout09.mail.aol.com> In a message dated 96-04-06 11:26:26 EST, Perry Metzger sez: >Actually, it doesn't. The entropy present from a reasonable source >like keyclick timings is much much lower than the output of pkzip is >going to suggest to you. I am not saying that the output of the compression function has 8 bits of entropy per byte, but rather that it will have a more consistent entropy level per byte than the input to the function. (Especially in the case of idle loop timings, where the entropy fluctuates considerably, depending on what the computer is doing.) If you want to be conservative, you can assume the output of the compression function has only 1 bit (or even less, if you are really paranoid) of entropy per byte, and adjust your seeding requirements accordingly. Jonathan Wienke From martin at mrrl.lut.ac.uk Sat Apr 6 14:05:31 1996 From: martin at mrrl.lut.ac.uk (Martin Hamilton) Date: Sun, 7 Apr 1996 06:05:31 +0800 Subject: pgp keys In-Reply-To: <199604060900.BAA24994@dfw-ix3.ix.netcom.com> Message-ID: <199604061756.SAA24919@gizmo.lut.ac.uk> Bill Stewart writes: | At 11:55 AM 4/4/96 -0500, Jack P. Starrantino jpps at voicenet.com wrote: | >Is there a reliable method for obtaining the pgp public key for an | >arbitrary email address? [....] to obtain keys I do not have. | | Reliable? No; not everybody follows The One True KeyDistribution Method, | or even follows one-or-more of the popular electronic approaches, | and not all keys that are distributed electronically are on the Internet, | though some of them may be on intranets or fido or uucp nets. It would be neat if individual Internet sites could run their own key servers in a distributed framework, using whatever protocol(s) they wanted to. Finding someone's public key shouldn't be rocket science - if you already have their email address. Checking the signatures might be, though ? The pgp.net folks have established the convention of "keys.<domain component>.pgp.net", which lends itself to a simple algorithm along the lines of... Email address: martin at mrrl.lut.ac.uk Look for: keys.mrrl.lut.ac.uk.pgp.net keys.lut.ac.uk.pgp.net keys.ac.uk.pgp.net keys.uk.pgp.net keys.pgp.net I'm not clear on whether it would be friendlier on the DNS to start with the least specific cases and move down to the most specific (i.e. reverse the order of the steps). The latter would seem to result in less junk (NXDOMAIN responses) being kept by DNS servers which implement negative caching. Keyservers might be reasonably be expected to speak a number of protocols ? e.g. mail to "pgp-public-keys", finger, and perhaps a dedicated key lookup protocol ? OK so we're lacking a mechanism for indicating things like which protocols/services a host supports, on which port numbers, etc... Perhaps it isn't even something we should be thinking about in relation to key servers ? In any case, lots of new DNS RRs have been proposed which could handle the problem - but not implemented or deployed :-) As a quick hack, I suppose the embedded URL scheme used by Netfind could be nicked and put to use for public key servers, e.g. in pseudo-Perl foreach (text record at keys.<domain>.pgp.net) { next unless /^kx-/; # only interested in kx-<URL> s/^kx-//; # toss Key eXchanger prefix out &do_something_with($_); # use resulting URL } Do people have any opinions about these ideas ? Obviously the DNS is going to be vulnerable to spoofing, so those URLs may be dodgy. If we're checking the signatures aggressively this needn't be a problem, at least in relation to serving up public keys ? If anyone knows of a forum where this stuff is being discussed, I'd appreciate a pointer. Would be happy to set up a dedicated list if there isn't anything already. FWIW, I don't seem to see any discussion on cypherpunks, coderpunks, spki, ietf-pkix, ietf-asid, ietf-ids, ... :-( Martin From tcmay at got.net Sat Apr 6 14:10:44 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Apr 1996 06:10:44 +0800 Subject: FWD: On digital cash and geodesic economies Message-ID: <ad8bf2ec250210040f94@[205.199.118.202]> At 3:09 PM 4/6/96, Alexander 'Sasha' Chislenko wrote: >Haven's seen anything on Bionomics list for a month. >Is the list silent, or is it just me. > >I hope you will find the following article relevant to bionomics. But, Sasha, this is the Cypherpunks list... Seriously, several years ago I started hearing the hype and hoopla about "Bionomics." Following the book, the conference. Then the seminars, the training packages, and perhaps even the cult. The book didn't seem to say anything new, except that markets and various other systems share some emergent commonalities. What made me think of it as a cult is when the groupies joined, the staff was hired, and the publicity campaign began. "The Bionomics Institute"? But who am I to question EST^H^H^Hbionomics? Personally, I have accepted Eric Drexler as my personal savior in the Churh of the Assembler Multitude. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Apr 6 14:16:37 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Apr 1996 06:16:37 +0800 Subject: Unicorn of Color Message-ID: <ad8bf5e226021004c1b9@[205.199.118.202]> At 6:00 PM 4/6/96, Black Unicorn wrote: >On Fri, 5 Apr 1996, Timothy C. May wrote: >> >> Far be it from me to question the legal advice BU/Uni/Dirsec provides, > >Unicorn is fine, don't be snide. Not meant to be snide, even if sounded that way. I just get confused by your various nyms, as some call you "Uni," others call you by what I presume is your real name (rhymes with Galois), and you sometimes sign your messages "Dirsec." Also, I am hesitant to call you "Black Unicorn," as applying the adjective "black" to a person is illegal in some jurisdictions, and "Unicorn of Color" does not ring true. (But I grew up calling blacks "colored people," and gladly switched to the more noble-sounding "black" in the 1960s, and now I almost vomit everytime I hear some radfem lesbian claim "All wimmin are people of color!!!!" Yeah, colored people. My, how the worm has turned....) Hope this clears things up. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Sat Apr 6 14:18:06 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 7 Apr 1996 06:18:06 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <m0u5cI0-000909C@pacifier.com> [on the Burns bill] At 04:55 PM 4/3/96 -0500, Dave Banisar wrote: >The draft bill which currently exists only takes the export controls on >crpyto. The provisions on key escrow, criminal penalities and other problems >are not in there and Burns staff have no intention of letting them in. The >actual bill will be introduced in about 2 weeks. >-dave That sounds okay as far as it goes, but I can see a potential problem. Your wording above is unclear, but if the Burns bill totally eliminates export controls that's great. However, we've frequently heard talk of "compromises" like the Leahy bill which seem to relate exportable encryption to that which is already available overseas. There have been suspicions around there that this is intended to keep the American producers out of the market as long as possible, which is still a problem. I don't think that's acceptable. It's also not logical. Even if we assume that the strongest encryption available overseas is 2048-bit RSA, that's far more secure than 1024-bit PGP, which itself (I've heard...) is probably 1-10 million times stronger than 512-bit PGP, and the last is probably just barely within the reach of even the NSA with a reasonable amount of resources directed at the task. Obviously, this means that the best encryption commonly available is so far beyond what the NSA can decrypt, there appears to be no point in denying somebody the right to export 3000-bit RSA, when 2048-bit versions are already in use. In addition, even if this condition is assumed, there is a question about whether or not export will or must be automatically approved for any program which uses encryption equally or less strong than, say, 2048 bit PGP, or whether they will refuse export of programs which use encryption to implement functions that are "politically incorrect" despite the fact they use only "exportable level" encryption. I could mention a specific example, but if you've followed my essays you already know what I'm talking about. The government could still deter new and innovative ideas utilizing encryption that themselves don't already exist overseas. I think there's a serious enough danger here that we should insist on (at least) wording that completely takes the decision-making authority out of the government's hands for encryption that uses the same or less key length than the maximum available overseas, regardless of its function. I don't want even this minimal restriction, but if that's what it takes to pass the Burns bill, it's progress anyway. I'm sure somebody can (or already has) extend foreign-source PGP to 4096-bit keys to push the limit well beyond any practical limit, if 2048 bits isn't there already. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Sat Apr 6 14:31:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 7 Apr 1996 06:31:57 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <m0u5QH8-00090aC@pacifier.com> Message-ID: <Pine.SUN.3.91.960406130107.2832C-100000@polaris.mindport.net> On Fri, 5 Apr 1996, jim bell wrote: > At 02:06 PM 4/5/96 -0500, Black Unicorn wrote: > >On Fri, 5 Apr 1996 sameer at c2.org wrote: > > > >> What's the point here, or is Unicorn just having fun > >> lambasting Jim Bell? > >> > >> My basic attitude, running an internet privacy provider, is if > >> Mr. Govt. wants my data, and gives me a court order (subpoena, > >> "compelled discovery", whatever), then I'll give it to 'em. > >> If my customers that they were looking for had any brains at > >> all, a court order, compelled discover, whatever, will not help > >> Mr. Govt. That's the cornerstone of my security model. > >> > >> Or am I confused about what you are talking about here. > > > >Yours seems to be about the most aggressive policy a ISP provider can > >take and expect to remain in business. > > This is a classic defeatist attitude, the one that Unicorn specializes in. > He wants us to believe that there is literally NOTHING that anyone can > possibly do to solve the "government problem." No, it is a classic lawyer's attitude. "If you do this, these are the risks." > > I contend that had he talked to Phillip Zimmermann in 1990 or so, he would > have told Zimmermann that "It's illegal to write an encryption program using > RSA, because it's patented! You'll never get away with it!" I would have indicated that "you're going to face the prospect of intellectual property litigation, and that can get nasty in the extreme." > But history records that Zimmermann _did_, and he "got away with it." A combination of politics and law and timing. If you're asking me to be a fortune teller, as so many people ask lawyers to do, you're asking too much. > What I'm advocating is that people do what Zimmermann did: Write programs > that will extend the usages of encryption to thwart attempts to retrieve > data by its owners, whether or not the data is on the owner's system. This in itself I have never had a problem with. I have called for as much myself many times. > >That is, resist by what legal means are available, but ultimately depend > >on the user to secure his or her own data. > > Notice that Unicorn never gives useful specific suggestions about which > "legal means are available." Notice that there are no checks in my mailbox from Mr. Bell. > >Where I differ with Mr. Bell is that he seems to think the ISPs of the > >world are going to rise and unite to quash the oppressive hand of big > >government at their own expense in order to satisify some sense of > >personal ethics or customer goodwill. > > Cumulatively, they could do exactly this. Spread among most ISP's, the cost > per ISP could be quite low. Provided you could get "most" ISP's to sign on, provided that the insurance provided for the very expensive proposition of seizure of ISP equipment, and provided that this be the first insurance entity ever with a stated policy of paying off policyholder for criminal sanctions which were directly the result of overt illegal acts by the policyholder. I'm not saying it's impossible. Well, I'm almost saying it's impossible. > Augmented with my AsPol idea, the costs would > be even lower. What was that quote? "A box of shells is cheaper than an > appeal." Yadda yadda yadda > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From tcmay at got.net Sat Apr 6 14:37:24 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Apr 1996 06:37:24 +0800 Subject: "Contempt" charges likely to increase Message-ID: <ad8bfa2028021004c0cf@[205.199.118.202]> At 6:19 PM 4/6/96, Black Unicorn wrote: >On Fri, 5 Apr 1996, Timothy C. May wrote: > >> If the secrets or assets _cannot_ be retrieved--a scenario which is >> possible, if the protocol is so written (clauses for court action)--then >> contempt charges are meaningless and would not stand, IMNALO. > >I'm not sure an appeals court will be particularly receptive to this >argument. I'll do a little research on the issue next week but I suspect >that appeals courts will be reluctant to overturn contempt charges on >this basis. Firstly, appeals courts generally do not do their own >findings of fact, but take the lower courts findings for granted. >Secondly, in the absence of serious error, higher courts are unlikely to >give their fellows a hard time. The culture of the jurist as it >were. Well, I think this will be a matter of time and education. The courts have not yet been presented with what we might call "unbreakable protocols" for the holding of information. Existing secret holding "arrangements" (I'll call them "arrangements" to make their informal, human-mediated nature more clear) have typically involved secrets (information, money, etc.) held by some other party subject to recall/retrieval by some form of instructions from the owner/depositor. The canonical example being a Swiss bank account, with the bank responding when the proper numbers or signatures or whatever are presented. (Things may have changed as the Swiss banks have become more compliant with U.S. demands, but the example still stands.) This model, is, I contend, the model with which courts are familiar. They know that Alice can retrieve the funds, so they simply order her to. If she does not comply, contempt of court. Q.E.D. What of a different model? What if, say, her funds are in a "time lock deposit," with the bank unwilling or even unable (cryptographic protocols involving multiple key holders) to retrieve the funds until, say, 2010? Even if she is being tortured to death and pleading with the Gemeinschaftbank of Zurich to please, pretty please, release her funds, they cannot. It may take some convincing, and some education of the court (a la the education that is slowly happening, as in the CDA case), but eventually it will be realized that "contempt of court" is not applicable. (The angle may be felonize the use of such "unbreakable" protocols, but this is part of a larger story....) >I might add that the Cayman Islands are full of trust companies with >provisions which forbid the disclosure of data to a client who is >coerced. A law on the books refuses to recognize "consent" orders made >under judicial compulsion. This would give the appearance of total >unavailability of evidence and suggest the futility of contempt >charges. Yet courts have still, and with no small measure of success, >imposed sanctions on witnesses so protected. I haven't studied such cases, but my hunch (SWAG) is that their are "leaks" in such offshore deposits, that the courts have actually had some measure of success in getting the funds that are reputed to be irretrievable. In any case, if and when the jails fill up with up with people who _cannot_ comply with a court order, something will change. (Note that I've never claimed such "unbreakable protocols" will become the norm. Many of us, myself included, would rather have a way to pay off the government to settle some tax evasion charge, or whatever, than sit in jail for an unlimited time because we absolutely cannot retrieve the funds....) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sat Apr 6 14:44:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 7 Apr 1996 06:44:58 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <ad8a9f931d0210045564@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960406130905.2832D-100000@polaris.mindport.net> On Fri, 5 Apr 1996, Timothy C. May wrote: > If the secrets or assets _cannot_ be retrieved--a scenario which is > possible, if the protocol is so written (clauses for court action)--then > contempt charges are meaningless and would not stand, IMNALO. I'm not sure an appeals court will be particularly receptive to this argument. I'll do a little research on the issue next week but I suspect that appeals courts will be reluctant to overturn contempt charges on this basis. Firstly, appeals courts generally do not do their own findings of fact, but take the lower courts findings for granted. Secondly, in the absence of serious error, higher courts are unlikely to give their fellows a hard time. The culture of the jurist as it were. In the case where one appeals on the basis that the data cannot be retrieved because of cryptographic protections, an appeals court is unlikely to disturb the lower courts implicit finding that the data is recoverable. "Why would our esteemed member of the bench below impose such sanctions if he did not believe they might shake loose the very evidence he seeks?" Not impossible that it would come out the other way, but I suspect it would have to be a really obvious error on the part of the court below. I might add that the Cayman Islands are full of trust companies with provisions which forbid the disclosure of data to a client who is coerced. A law on the books refuses to recognize "consent" orders made under judicial compulsion. This would give the appearance of total unavailability of evidence and suggest the futility of contempt charges. Yet courts have still, and with no small measure of success, imposed sanctions on witnesses so protected. > > Legal students out there might find that specializing in this area of law > brings in more clients in the coming decades. > > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Sat Apr 6 15:01:03 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 7 Apr 1996 07:01:03 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <ad8b1bc71f02100483ae@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960406123254.2832B-100000@polaris.mindport.net> On Fri, 5 Apr 1996, Timothy C. May wrote: > At 9:26 PM 4/5/96, Bill Frantz wrote: > >At 11:57 AM 4/5/96 -0800, Timothy C. May wrote: > > > >>If the secrets or assets _cannot_ be retrieved--a scenario which is > >>possible, if the protocol is so written (clauses for court action)--then > >>contempt charges are meaningless and would not stand, IMNALO. > > > >The Black Unicorn indicates that if the reason the secrets _cannot_ be > >retrieved is because they are in a jurisdiction which refuses to reveal > >them when the owner is under compulsion, the owner can still be punished > >for contempt (A contractual situation). > > Far be it from me to question the legal advice BU/Uni/Dirsec provides, Unicorn is fine, don't be snide. I don't provide legal "advice" on the list. > but > I think all contempt charges have a kind of eventual expiration. That is, > after some number of months or years have passed and it becomes apparent > the incarcerated person simply will not or cannot comply, release is > ordered. It has happened in most cases of reporters, and it happened with > Rebecca Morgan (who never did tell the court where her daughter was, though > it later came out that her daughter was probably in Australia with > grandparents). If you mean, as I believe you do, that there is or can be a manner of "unofficial" expiration, I am in agreement with you. > > Jail term for contempt of court has certain resemblances to trial by > ordeal: if after some period of time of ordeal one has not talked, the > ordeal is over. This is about exactly correct. While occassionally actual sentences are passed down, this is rare and contempt generally falls into the bucket of "until the witness becomes more cooperative." > > If the court is shown that the protocol makes it impossible for the person > to retrieve the material, especially that there are no ways to circumvent > the contract, then the court may still jail the person for a while "just to > make sure" that there is no means of circumventing it. If and when it > becomes apparent to even the most skeptical that the material has been > lost, or is unretrievable, then I think the contempt jailing must end. When > nothing is served by furhter jailing, except punishment, then the reason > for the contempt action is ended. Or so it seems to me, from what I've > osmosed about the law. The above is essentially correct. The variable of the most consequence in such cases is the judge however. One must convince the judge that no further incarceration will prove effective. A witness' attorney could make showings to the court until he was blue in the face about the unavailability of the data because of cryptographic protocol. He could even be right, but unless he convinces the judge, the witness is still going to be subject to the whims (yes, Mr. Bell, I do mean whims) of the judge. Appealing contempt orders can be frustrating. Most jurisdictions I've worked in use the "clear error" standard, which is difficult enough to beat in itself, and nearly impossible when the subject of the ruling before an appeals court is a fellow member of the bench. To me this entire thread has threatened to suggest to people that they need only thumb their noses at the authorities, be it by cryptographic protocol or otherwise, and sit back in their easy chair and smile to themselves. Practically speaking security is a self assured right in this regard. Depending on anyone, be it your ISP, your attorney, or the constitution, is a foolish measure. Mr. Parekh hit the nail on the head. No ISP in its right mind is going to ask for trouble. If I'm a prosecutor and I suspect that the ISP may be complicit in hiding evidence, I'm going to ask for a search and seizure warrant (a la sun devil) and just walk in and take the equipment I believe the data to be on and then satisify myself that it's unattainable. In effect even some kind of insurance pool, or professional group of ISP's will have to provide for replacement of seized equipment to effectively prevent harm from government intervention. This gets expensive real fast and as risk can only be assessed by the stated policy of the ISP with regard to resisting government, it will be the active resisters who find themselves with the whopping size premiums. I understand that direct confrontation with government is appealing to the authority hater. (I happen to be one). Overt resistance, however, of the character suggested by Mr. Bell and others, is going to cause problems in two ways. Firstly, its going to cause the individual resister a good deal of headaches. Secondly, its going to make bad law eventually. The solution is more about protocol than anything else. I'll be interested to see what courts come up with when it becomes clear that offshore and properly protected data is impossible to obtain with the current tools available to the judiciary. I suspect that if enough big cases get stung by the crypto bee, someone is going to try and invent a bug lamp. One need only follow the evoltion of law that followed strict banking secrecy in tax evasion to see where that might end up. > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From gary at kampai.euronet.nl Sat Apr 6 15:54:13 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Sun, 7 Apr 1996 07:54:13 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) Message-ID: <199604061906.VAA16731@kampai.euronet.nl> James Gleick wrote: > Perry E. Metzger wrote: > > >James Gleick writes: > > > >> Seigniorage is actually the Government's interest income on all the > >> currency in circulation. > > > >Seignorage is neither of these things. It is the difference between > >the cost of producing a currency token (like a quarter or a dollar > >bill) and the face value of the token. In essense, its the profit > >margin on printing or minting money. > > You're giving a definition straight from a dictionary--an old one. > Welcome to the modern world. I think you're both right - Seignorage is the interest on the difference between the cost of producing the token and the face value of the token from the time the token is issued till the time it is redeemed. In the case of most government issued currencies though, the tokens can never be redeemed, so the total interest will be equal to the difference between the cost of manufacture and the face value. It is interesting to note that casinos could earn seignorage on their chips in circulation, and issuers of book/record/gift tokens will certainly earn seignorage on their tokens in circulation, and since these different types of token money reduce the amount of government currency in circulation, these earnings will be at the expense of the treasury. > This is a very real issue. To the extent that electronic money replaces > currency (reduces the amount in circulation), it will cost the Treasury > seigniorage--and the government is acutely aware of this. Sure, and this is equally true of cheques and credit cards replacing government currency. As to whether the government is concerned, that is subject to debate. If so, why all the government attempts at reducing cash transactions? > Whether the beneficiaries are consumers, banks, or other issuers of digital > cash will depend on the system. For e-cheque systems, the beneficiaries will be the consumers, in that the money which was previously in their wallets will now be earning interest in a bank account (assuming of course that the bank passes this benefit onto the customer). In the case of ecash (from DigiCash), however, the withdrawal of ecash from an account is done some time previous to it being spent and deposited, therefore the ecash is "in circulation". In this situation, the ecash issuer will earn seignorage on all the circulating ecash. Two questions arise: - What will be the typical time between the withdrawal of ecash and it being deposited? - Does the untraceability of ecash (of all types) rely on a time delay between withdrawal and deposit (I guess it does), and if so, is the interest that the consumer inevitably loses (and the ecash issuer gains) the price the consumer must pay for untracability of transactions? Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland <gary at kampai.euronet.nl> Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From steve at edmweb.com Sat Apr 6 16:06:56 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 7 Apr 1996 08:06:56 +0800 Subject: Someone's screwing around with anon.penet.fi In-Reply-To: <9604061342.AA14490@anon.penet.fi> Message-ID: <Pine.BSF.3.91.960406114609.5026B-100000@kirk.edmweb.com> Here's another one of them unsolicited messages from anon.penet.fi. I have a feeling lots of people on the Cypherpunks list are going to be getting these... My first post to the list was only about two days ago, and someone's already messing around. :( > Date: Sat, 6 Apr 96 16:42:14 +0300 > From: System Daemon <daemon at anon.penet.fi> > To: steve at edmweb.com > Subject: Anonymous code name allocated. > > You have sent a message using the anon.penet.fi anonymous forwarding service. > You have been allocated the code name an577024. > You can be reached anonymously using the address > an577024 at anon.penet.fi. > > If you want to use a nickname, please send a message to > nick at anon.penet.fi, with a Subject: field containing your nickname. > > For instructions, send a message to help at anon.penet.fi. > > From tcmay at got.net Sat Apr 6 17:35:23 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Apr 1996 09:35:23 +0800 Subject: Seignorage Message-ID: <ad8c243729021004a47a@[205.199.118.202]> (I'm cc:ing quibblepunks at toad.com and dictionarypunks at toad.com because of their obvious and inordinate interest, so to speak, in such matters.) >From the "MIT Dictionary of Modern Economics," 4th Edition, 1992: "seignorage. Historically, and as applied to money, this was a levy on metals brought to the mint for coining, to recover the cost of minting and provide a revenue to the ruler who claimed it as a prerogative. In recent monetary literature the term has been revived and applied to the net revenue derived by any money-issuing body, e.g. a note-issuing authority. It is applied more especially to a country whose currency is held by foreigners for trading or reserve purposes. In this case the seignorage amounts to the return on the extra assets, real or financial, which the country is enabled to acquire because of the external holdings of its currency, less the interest paid on the assets in which the foreigners invest their holdings, and less any extra administrative costs arising from the international role of its money." So it would seem that seignorage certainly can be used as a term for the interest the note-issuer for digital cash or any similar non-interest-bearing notes (banknotes, traveller's checks, e-cash in many forms, etc.). And the connection with the "float" is clear. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Sat Apr 6 17:45:44 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 7 Apr 1996 09:45:44 +0800 Subject: "Contempt" charges likely to increase Message-ID: <199604062150.NAA15092@netcom9.netcom.com> At 1:19 PM 4/6/96 -0500, Black Unicorn wrote: >I might add that the Cayman Islands are full of trust companies with >provisions which forbid the disclosure of data to a client who is >coerced. A law on the books refuses to recognize "consent" orders made >under judicial compulsion. This would give the appearance of total >unavailability of evidence and suggest the futility of contempt >charges. Yet courts have still, and with no small measure of success, >imposed sanctions on witnesses so protected. It is one thing to believe that you might be able to change a human's mind by threatening another human via jail. (It reminds me of many bad movies.) It is quite a different level of hubris to think that a similar action could overcome mathematical probability. However, I am unable to predict the actions of anyone who believes that the Supreme Court is the top law-giver of the Universe. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Sat Apr 6 18:08:04 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 7 Apr 1996 10:08:04 +0800 Subject: Unicorn of Color Message-ID: <199604062150.NAA15089@netcom9.netcom.com> At 11:57 AM 4/6/96 -0800, Timothy C. May wrote: >Also, I am hesitant to call you "Black Unicorn," as applying the adjective >"black" to a person is illegal in some jurisdictions, and "Unicorn of >Color" does not ring true. (But I grew up calling blacks "colored people," >and gladly switched to the more noble-sounding "black" in the 1960s, and >now I almost vomit everytime I hear some radfem lesbian claim "All wimmin >are people of color!!!!" Yeah, colored people. My, how the worm has >turned....) But Tim, we are ALL colored people. Even the albinos among us (since white is a mixture of all colors). Even the darkest among us reflect some light which has color. :-) ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Sat Apr 6 18:13:31 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 7 Apr 1996 10:13:31 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <199604062120.NAA12581@netcom9.netcom.com> At 9:58 AM 4/6/96 -0800, jim bell wrote: >[on the Burns bill] >At 04:55 PM 4/3/96 -0500, Dave Banisar wrote: >>The draft bill which currently exists only takes the export controls on >>crpyto. The provisions on key escrow, criminal penalities and other problems >>are not in there and Burns staff have no intention of letting them in. The >>actual bill will be introduced in about 2 weeks. >>-dave > >That sounds okay as far as it goes, but I can see a potential problem. Your >wording above is unclear, but if the Burns bill totally eliminates export >controls that's great. However, we've frequently heard talk of "compromises" >like the Leahy bill which seem to relate exportable encryption to that which >is already available overseas. There have been suspicions around there that >this is intended to keep the American producers out of the market as long as >possible, which is still a problem. I don't think that's acceptable. I have no objection to the salami approach in this case. The way the Burns proposal has been described, it seems all together better than the current situation. We can fight the next battle after people realize that the four horseman are well and truly loose, and that the world hasn't ended. When the Burns proposal has been written up into a bill and introduced, I expect I will be writing my congresscritters asking them to support it. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Sat Apr 6 19:01:32 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 7 Apr 1996 11:01:32 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <m0u5ggW-0008xbC@pacifier.com> At 01:22 PM 4/6/96 -0800, Bill Frantz wrote: >At 9:58 AM 4/6/96 -0800, jim bell wrote: >>[on the Burns bill] >>That sounds okay as far as it goes, but I can see a potential problem. Your >>wording above is unclear, but if the Burns bill totally eliminates export >>controls that's great. However, we've frequently heard talk of "compromises" >>like the Leahy bill which seem to relate exportable encryption to that which >>is already available overseas. There have been suspicions around there that >>this is intended to keep the American producers out of the market as long as >>possible, which is still a problem. I don't think that's acceptable. > >I have no objection to the salami approach in this case. The way the Burns >proposal has been described, it seems all together better than the current >situation. We can fight the next battle after people realize that the four >horseman are well and truly loose, and that the world hasn't ended. When >the Burns proposal has been written up into a bill and introduced, I expect >I will be writing my congresscritters asking them to support it Myself also, I suppose. That's why I'm so concerned that it not contain any component that could be easily be re-written more to our liking. The big attraction of the Burns bill, from a strategic standpoint, is that (by the elimination of export controls, assuming it does it) it removes the one major "must do" task onto which could be loaded other "features" that we can't stand, as the Leahy bill tried to do. Once export controls are eliminated on crypto, it should become impossible to get enough support to pass a bill even mentioning key escrow, let alone mandating it. Jim Bell jimbell at pacifier.com From walter at cithe302.cithep.caltech.edu Sat Apr 6 19:10:55 1996 From: walter at cithe302.cithep.caltech.edu (Chris Walter) Date: Sun, 7 Apr 1996 11:10:55 +0800 Subject: Someone's screwing around with anon.penet.fi In-Reply-To: <cypherpunks.Pine.BSF.3.91.960406114609.5026B-100000@kirk.edmweb.com> Message-ID: <WALTER.96Apr6143709@cithe302.cithep.caltech.edu> In article <cypherpunks.Pine.BSF.3.91.960406114609.5026B-100000 at kirk.edmweb.com> Steve Reid <steve at edmweb.com> writes: > Here's another one of them unsolicited messages from anon.penet.fi. I also got one of these right after I posted to cypherpunks. I normally just lurk, and the address that was used is the machine I read and post news on(we have a gateway to the mailing list). So I am pretty sure it is related to my posting to cypherpunks. I have written to the administrators at anon.penet.fi asking about this and informing them. I'll pass on any relevant info they send me. -Chris walter at cithe501.cithep.caltech.edu From frissell at panix.com Sat Apr 6 19:41:25 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 7 Apr 1996 11:41:25 +0800 Subject: "Contempt" charges likely to increase Message-ID: <2.2.32.19960406233612.00c9b6fc@panix.com> At 08:26 PM 4/5/96 -0800, Timothy C. May wrote: >Jail term for contempt of court has certain resemblances to trial by >ordeal: if after some period of time of ordeal one has not talked, the >ordeal is over. Also, such a penalty will be pretty rare. One doesn't stop driving because one might be killed in a car accident. The number of people who will be jailed annually for contempt for "failure to decrypt" will always be small and a rapidly declining percentage of total world transactions will lead to such jailing (as transaction numbers double and redouble as more of the world's people enter the Market and the Net). Coercion is a dull tool because people have an incentive to avoid it. Reward is a sharp tool because people seek it out. One of the reasons markets beat governments. DCF "Well, say what you will but Right Wing Mad Bombers kill more people than Left Wing Mad Bombers." From merriman at arn.net Sat Apr 6 19:45:53 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 7 Apr 1996 11:45:53 +0800 Subject: Australia's New South Wales tries net-censorship Message-ID: <2.2.32.19960406114718.0067a910@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 12:45 PM 04/6/96 -0500, Stan Bernstein <sbernst at panix.com> wrote: > > >On Sat, 6 Apr 1996, Declan B. McCullagh wrote: >[snip] >> ... <snip> ... > > One wonders >whether "download" or "retrieve" could be applied to netsurfing on the >World Wide Web, which procedure "caches" web information in the >end-viewer's hard drive often for several days or even months depending >on configuration of browser software. Makes me wonder if browser companies/authors couldn't be dragged into any such conflicts. If Person A inadvertently stumbles across Pedophiles 'R' Us on the net, and quickly moves on, I have yet to see a browser that lets him/her say "quick - delete that last cacheing operation", thus *making* him/her 'guilty' of criminal possession. Legal opinions? Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWY9GcVrTvyYOzAZAQH8eQP8DxckYYyMg10XcQdH67G22hIsvuREGDOI AgN/aSJXDddwg0PslLqA3MVxCOB4POLLMx5EAO0aQ5yGVIBNdFNoG/9fQPi7DHMj rulR9PNClQG5krJ6jRDGT1KvE29xUu3inZLcPZF47N11+N5WWJ1YBUqdnlGJNrCb YXifso2HZjo= =EBit -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From banisar at epic.org Sat Apr 6 19:52:35 1996 From: banisar at epic.org (Dave Banisar) Date: Sun, 7 Apr 1996 11:52:35 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <n1383307207.33041@epic.org> The export language comes from the origional Cantwell bill and orders the Commerce Sec. to allow export of mass market software and allows somewhat more limited export of non-mass market software dependng on what is available to banks in that country. Its not ideal (I think the limits on non-mass market should be the same as mass market- almost none except for a limited number of "terrorist" countries (we'd get killed if we argue that those should be eliminated) but overall much better than leahy's and somewhat better than goodlatte's bill. -d -------------------------------------- Date: 4/6/96 6:07 PM To: Dave Banisar From: jim bell At 01:22 PM 4/6/96 -0800, Bill Frantz wrote: >At 9:58 AM 4/6/96 -0800, jim bell wrote: >>[on the Burns bill] >>That sounds okay as far as it goes, but I can see a potential problem. Your >>wording above is unclear, but if the Burns bill totally eliminates export >>controls that's great. However, we've frequently heard talk of "compromises" >>like the Leahy bill which seem to relate exportable encryption to that which >>is already available overseas. There have been suspicions around there that >>this is intended to keep the American producers out of the market as long as >>possible, which is still a problem. I don't think that's acceptable. > >I have no objection to the salami approach in this case. The way the Burns >proposal has been described, it seems all together better than the current >situation. We can fight the next battle after people realize that the four >horseman are well and truly loose, and that the world hasn't ended. When >the Burns proposal has been written up into a bill and introduced, I expect >I will be writing my congresscritters asking them to support it Myself also, I suppose. That's why I'm so concerned that it not contain any component that could be easily be re-written more to our liking. The big attraction of the Burns bill, from a strategic standpoint, is that (by the elimination of export controls, assuming it does it) it removes the one major "must do" task onto which could be loaded other "features" that we can't stand, as the Leahy bill tried to do. Once export controls are eliminated on crypto, it should become impossible to get enough support to pass a bill even mentioning key escrow, let alone mandating it. Jim Bell jimbell at pacifier.com ------------------ RFC822 Header Follows ------------------ Received: by epic.org with SMTP;6 Apr 1996 18:06:34 -0500 Received: from ip8.van1.pacifier.com by pacifier.com (Smail3.1.29.1 #6) with smtp for <banisar at epic.org> id m0u5ggW-0008xbC; Sat, 6 Apr 96 14:42 PST Message-Id: <m0u5ggW-0008xbC at pacifier.com> X-Sender: jimbell at pacifier.com X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 06 Apr 1996 14:40:21 -0800 To: frantz at netcom.com (Bill Frantz),"Dave Banisar" <banisar at epic.org>, "Cypherpunks List" <cypherpunks at toad.com> From: jim bell <jimbell at pacifier.com> Subject: Re: ACM/IEEE Letter on Cryp _________________________________________________________________________ Subject: RE>>ACM/IEEE Letter on Cryp _________________________________________________________________________ David Banisar (Banisar at epic.org) * 202-544-9240 (tel) Electronic Privacy Information Center * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.epic.org Washington, DC 20003 * ftp/gopher/wais cpsr.org From jimbell at pacifier.com Sat Apr 6 19:54:55 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 7 Apr 1996 11:54:55 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u5gs0-0008zfC@pacifier.com> At 01:07 PM 4/6/96 -0500, Black Unicorn wrote: >> I contend that had he talked to Phillip Zimmermann in 1990 or so, he would >> have told Zimmermann that "It's illegal to write an encryption program using >> RSA, because it's patented! You'll never get away with it!" > >I would have indicated that "you're going to face the prospect of >intellectual property litigation, and that can get nasty in the extreme." One thing I've never heard is an explanation of how computer software and especially mathematics went from "extremely not patentable" in the early and middle 1970's, to "patentable" once Messr's Rivest, Shamir, and Adleman invented a piece of mathematics that the government wanted to deny to the public. How convenient. Coincidence? Even if we accept the supposition that at some point, "they" decided for non-suspicious reasons to _start_ issuing patents on software and mathematics, I've never heard an explanation of how R, S, and A _knew_ to apply for a patent, long before the first software patent was issued, and even longer before the first pure mathematics patent was issued. (which, was, probably, on RSA!) Were these guys psychic or what? Who told them what, and when? Patents have to be applied-for within a year of disclosure, which means they had to decide whether to pay the money for a patent application that by historic standards could not possibly be issued. Yet they did it anyway. What's wrong with this picture? >> But history records that Zimmermann _did_, and he "got away with it." > >A combination of politics and law and timing. Something tells me that given the unblemished history of non-patentable mathematics, RSA could never have withstood a patent challenge. They had to have known this. >> >That is, resist by what legal means are available, but ultimately depend >> >on the user to secure his or her own data. >> >> Notice that Unicorn never gives useful specific suggestions about which >> "legal means are available." > >Notice that there are no checks in my mailbox from Mr. Bell. Implying that he's unwilling to do anything useful for free, which raises interesting questions about why he's bothering to send his notes to me. Is he being _paid_ for this? >> >Where I differ with Mr. Bell is that he seems to think the ISPs of the >> >world are going to rise and unite to quash the oppressive hand of big >> >government at their own expense in order to satisify some sense of >> >personal ethics or customer goodwill. >> >> Cumulatively, they could do exactly this. Spread among most ISP's, the cost >> per ISP could be quite low. > >Provided you could get "most" ISP's to sign on, provided that the >insurance provided for the very expensive proposition of seizure of ISP >equipment, and provided that this be the first insurance entity ever with >a stated policy of paying off policyholder for criminal sanctions which were >directly the result of overt illegal acts by the policyholder. Yet another misrepresentation. The purpose of the risk-pooling is obviously to set a friendly precedent, and it does not require any "overt illegal acts," merely challenges to an overly broad interpretation of subpoena power. Any siezure of ISP equipment would simply result in another "Steve Jackson Games"-type decision that would be expensive for the jurisdiction in which it occurred, and would further cement the precedent that the government couldn't do anything about. In fact, one of the most obvious precedents that needs to be set is that the government has no right to sieze equipment from an ISP (and thus shut the ISP down) if all it wants is _data_. Clearly, that's exceeding the bounds of what the government is realistically entitled to. I think the most any ISP should be required to do is to present an encrypted version of all the system's data, and then the appeals process can start. The government won't be able to use the data until the process is complete, months or years down the line. Naturally, the fact that the information on the system is subpoenaed should automatically become public knowledge, because the data is already fixed and immutable. And an ISP should NEVER be required to act as an agent for the cops, and in fact should be prohibited from doing so if his contracts with his customers certify he won't be. Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Sat Apr 6 20:40:25 1996 From: stewarts at ix.netcom.com (stewarts at ix.netcom.com) Date: Sun, 7 Apr 1996 12:40:25 +0800 Subject: Someone's screwing around with anon.penet.fi Message-ID: <199604062359.PAA23221@toad.com> At 11:51 AM 4/6/96 -0800, Steve Reid <steve at edmweb.com> wrote: >Here's another one of them unsolicited messages from anon.penet.fi. >I have a feeling lots of people on the Cypherpunks list are going to be >getting these... My first post to the list was only about two days ago, >and someone's already messing around. :( Anon.penet.fi is working just fine. The problem is that someone subscribed to the cypherpunks list as anXXXXXX at anon.penet.fi, so any time you post to cypherpunks, anon.penet.fi receives a message From: you at yourplace.com To: anXXXXXX at anon.penet.fi Subject: My exciting post to cypherpunks It then checks its userlist for you at yourplace.fi, doesn't find you, allocates anYYYYYY at anon.penet.fi, notifies you, and sends out the message From: anYYYYYY at anon.penet.fi To: hisname at hisplace.com Subject: My exciting post to cypherpunks In my case, if I post to cypherpunks, it checks its userlist for stewarts at ix.netcom.com, finds anZZZZZZ at anon.penet.fi, sees that my password is PASSWORD, sees that the posting doesn't include the password, and sends me a reject message. The problem is that, the next time you post to cypherpunks, it'll leak your identity in the message headers; I forget the details. The way to prevent this whole mess is to educate majordomo to turn subscription requests from anXXXXXX at anon.penet.fi into naXXXXXX at anon.penet.fi, or at least to block subscription requests form anXXXXXX at anon.penet.fi. From weidai at eskimo.com Sat Apr 6 20:40:51 1996 From: weidai at eskimo.com (Wei Dai) Date: Sun, 7 Apr 1996 12:40:51 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) In-Reply-To: <199604061906.VAA16731@kampai.euronet.nl> Message-ID: <Pine.SUN.3.92.960406154934.27655B-100000@eskimo.com> On Sat, 6 Apr 1996, Gary Howland wrote: > - What will be the typical time between the withdrawal of ecash > and it being deposited? I think this will depend on how easy it is to withdraw ecash. If the client software includes an option of automaticly withdrawing ecash from the bank when you don't have enough ecash to pay for the current purchase (thereby reducing the time between withdrawal and deposit to zero), then I suspect most people will use it, even though (anticipating your next question) this compromises their untraceability. > - Does the untraceability of ecash (of all types) rely on a time delay > between withdrawal and deposit (I guess it does), and if so, is the > interest that the consumer inevitably loses (and the ecash issuer gains) > the price the consumer must pay for untracability of transactions? The untraceability of ecash does depend on a time delay between withdrawal and deposit. It's analogous to the fact that the untraceability of anonymous e-mail depend on a time delay between sending and receiving. I think you're probably right that the interest lost is a price the consumer must pay for untraceability. One possible way to get around this is to have ecash issuers pay interest on ecash. However it requires ecash to be timestamped and therefore compromises its untraceability. (Think of the timestamp as a serial number.) Wei Dai From magnus at ii.uib.no Sat Apr 6 21:24:27 1996 From: magnus at ii.uib.no (Magnus Y Alvestad) Date: Sun, 7 Apr 1996 13:24:27 +0800 Subject: Someone's screwing around with anon.penet.fi In-Reply-To: <Pine.BSF.3.91.960406114609.5026B-100000@kirk.edmweb.com> Message-ID: <evpw9kq1z3.fsf@vipe.ii.uib.no> | I have a feeling lots of people on the Cypherpunks list are going to l be getting these... My first post to the list was only about two | days ago, and someone's already messing around. :( Something like that. No doubt, someone is subscribed to the cypherpunks list with an anonymous account on anon.penet.fi - of the an???? variant. When you posted to the cypherpunks list, your posting was sent to this account. Now, an???? accounts are supposed to be anonymized both ways, which means that when anon.penet.fi recieved your message, it anonymized it and assigned you an anon id. The nasty consequence is that the receiver can easily find the correspondence between your real and anon id, even if it wasn't generated just now. I thought there was some kind of mechanism on anon.penet.fi to prevent this, but it seems not. -Magnus From cdaemon at goblin.punk.net Sat Apr 6 21:39:39 1996 From: cdaemon at goblin.punk.net (Checkered Daemon) Date: Sun, 7 Apr 1996 13:39:39 +0800 Subject: Someone's screwing around with anon.penet.fi In-Reply-To: <WALTER.96Apr6143709@cithe302.cithep.caltech.edu> Message-ID: <199604070101.RAA18207@goblin.punk.net> -----BEGIN PGP SIGNED MESSAGE----- > > In article <cypherpunks.Pine.BSF.3.91.960406114609.5026B-100000 at kirk.edmweb.com> Steve Reid <steve at edmweb.com> writes: > > > Here's another one of them unsolicited messages from anon.penet.fi. > > I also got one of these right after I posted to cypherpunks. I > normally just lurk, and the address that was used is the machine I > read and post news on(we have a gateway to the mailing list). So I am > pretty sure it is related to my posting to cypherpunks. > > I have written to the administrators at anon.penet.fi asking about this > and informing them. I'll pass on any relevant info they send me. > > -Chris > walter at cithe501.cithep.caltech.edu > OK, somebody correct me if I'm wrong here, I haven't used anon.penet since I got mixmaster running ... When you send a message to someone at anon.penet, the anonymous remailer assumes that, since you're using a remailer, you want to be anonymous. So it gives you an account, sends your message on via that account, and informs you of the account information. If you try it a second time, you're already in the database, so you don't hear from them again. So if you make your first post to cypherpunks, and somebody has subscribed to the list via the anon.penet remailer ... - -- The Checkered Daemon cdaemon at goblin.punk.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed with Bryce's Auto-PGP v1.0 iQCVAwUBMWcTxoQO/w1Q7FIdAQF0IAP+PoHjRPxP+0lZS7NlIKq42D/ypS62h20I 9Rv6qeIadya5iWqp6CuQJSXoA9eO7x1wNaNUtrfJUVJ4F8aIJJW6F6z9Urx639rC KmvaDJsWclnK3fv11rTDzyBSE6Ngp3mfz3ONBgc7sEN06R0rwl06qoqZzmcs7lwJ 3r/pxoB7mvM= =Zbdw -----END PGP SIGNATURE----- From rngaugp at alpha.c2.org Sat Apr 6 21:51:08 1996 From: rngaugp at alpha.c2.org (rngaugp at alpha.c2.org) Date: Sun, 7 Apr 1996 13:51:08 +0800 Subject: RNG_DEVICE Environment Variable? Message-ID: <199604062155.QAA00591@miron.vip.best.com> >Considering a couple of RNG hardware manufacturers use different >names for device interfaces, perhaps it would be 'convenient' to >have apps look for the environment variable RNG_DEVICE which gives >the name of whatever device is used (rnadom$, random, rand, even >lpt2...) or even a special file that is mixed periodically by a cron >job (noiz.c?). >The assumption is that reads from that device would return "truly >random" bytes (not from a pseudo-RNG), either from specialized >hardware or a system-noise sampler such as noise.sys (DOS) or >random.c (Linux, FreeBSD). >How software would handle not getting enough bytes is another matter, > >perhaps left configurable to the app. > >Rob. My hack to PGP to support RNG uses the varriable RNGDRIVER, but is in config.txt, not the environment. From jimbell at pacifier.com Sat Apr 6 22:05:10 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 7 Apr 1996 14:05:10 +0800 Subject: ACM/IEEE Letter on Cryp Message-ID: <m0u5j2u-0008ypC@pacifier.com> At 06:25 PM 4/6/96 -0500, Dave Banisar wrote: >The export language comes from the origional Cantwell bill and orders the >Commerce Sec. Could somebody re-post that Cantwell bill? >to allow export of mass market software and allows somewhat more >limited export of non-mass market software dependng on what is available to >banks in that country. Which country? The country to be exported to? This bill is starting to sound distinctly manipulative! Remember, once it's out of the country, it can be sent _anywhere_ so it is pointless to include any destination distinctions, including "terrorist countries." And what happens if the only software available to banks in that country (by their law) requires some sort of key-escrow function, even if that country allows non-escrowed encryption to citizens? Do we get to export or not? It's already beginning to smell. The original claim, as I recall, was that export would be allowed if something was already available with at least as high a level of protection. No distinction as to _where_ that software was available. That would be a fairly broad allowance. Now, we are seeing that the evil hand of government is being inserted into the equation: Suddenly, what their government ALLOWS BANKS is the distinguishing factor. GRRRRRR! This is _exactly_ why I want to see this bill BEFORE it is officially introduced, and why everyone else here should as well. >Its not ideal Maybe it should be. There is already serious doubt as to whether this bill could even hope to pass before the end of the current session. That's not surprising; it will be introduced very late. If it can't pass, I see absolutely no reason to include misfeatures in a bill that will have many months to be re-written before the next session. Nothing is set in stone; it can all be changed _if_ it's not part of some sort of secret deal. The way I see it, if there is not a strong probability that it will be voted in, there is no reason to introduce a flawed bill. Even more so, there is no reason to support a hurried bill if the apparent reason for the hurry is to ensure that the bill contains "features" that will be hard to remove in the future. If Burns can't do it right soon enough to pass, he needs simply take an extra month or two and publicize the _corrected_ bill on (surprise!) the Internet, and worry about introducing it in the next session of Congress. (He'll get the election-year political benefit just as effectively. Pardon me for being cynical.) I can't see that anybody is going to hold a little delay against him. >(I think the limits on non-mass market >should be the same as mass market- almost none except for a limited number of >"terrorist" countries (we'd get killed if we argue that those should be >eliminated) but overall much better than leahy's and somewhat better than >goodlatte's bill. Pardon my language, but WHAT THE HELL IS "MASS MARKET SOFTWARE"? _Everybody_ wants their software to sell as many copies as possible; what is the difference between something which sells 10,000 copies and something that sells 10 million? Is this bill a sop to Egghead software? Is the legal difference going to be cost? Say, anything less than $1000? That would at least make a distinction that has a certain level of precedent behind it, since export licenses have had minimal-dollar-value exceptions built in for a long time. What about freeware/shareware? And you didn't answer my question about whether key length alone was a distinguishing feature, or software function. This is not looking good. Too many conditions? Too many exceptions? Too many caveats? Why can't those sleazy politicians give us what we want? Ooops, I just answered my own question. Jim Bell jimbell at pacifier.com From rakers at flash.net Sat Apr 6 23:50:58 1996 From: rakers at flash.net (rakers at flash.net) Date: Sun, 7 Apr 1996 15:50:58 +0800 Subject: Remove my name from this distribution list Message-ID: <199604070339.VAA21901@defiant.flash.net> Remove my name from this distribution list, thanx. From ghio at myriad.alias.net Sun Apr 7 00:00:47 1996 From: ghio at myriad.alias.net (Matthew Ghio) Date: Sun, 7 Apr 1996 16:00:47 +0800 Subject: Was Cohen the first? In-Reply-To: <35960405162553/0005514706DC3EM@MCIMAIL.COM> Message-ID: <199604070321.TAA02171@myriad> The following concerns the history of computer viruses. While an important issue in computer security, this has no direct relevance to cryptography, so skip this message if you're looking for crypto... --- > What's up? I asked. The 17-year-old snickered. Doom was ahead for all Apple >II owners. "Don't engage in casual disk-copying with strangers," he said. > "You might catch an operating-system virus." One interesting fact is that after the release of DOS 3.3 in 1980, the Apple II operating system was unchanged for several years, until Apple released a completly rewritten operating system (ProDOS) in 1984. During this period, hackers disassembled DOS 3.3 and its internal functions and data structures became well-known. The Apple II ROM contained a debugger/disassembler, which allowed the operating system to be disassembled and experimentally modified while it was resident in memory. In addition, several companies, including Beagle Brothers and Quality Software, published extensive information on DOS 3.3, which had been obtained through reverse-engineering. Apple DOS behaved very predictably: it was always loaded at the same location in memory, and when it formatted a disk, always wrote the operating system into the same location on the first three tracks of the floppy disk. This allowed the development of object code patches to the DOS kernel which would work reliably because almost everyone was running identical copies of DOS. It also made it easy to write viruses. The simplest was to attach a call to the sector-write subroutine at the end of the catalog command. This only took about 16 bytes of code. (Wouldn't that have made a neat .sig for you modern-day perl hackers?) Whenever the user issued the catalog command (which gave a list of files, like the unix ls command) it would write out that page of memory onto the dos image on the disk, thus infecting the disk. This was entirely benign unless you tried to use a disk with a different or modified operating system, in which case the patch would not apply cleanly, and would likely make the disk unbootable. Despite this, the Apple II never became a popular virus-writing platform. There are several possible reasons for this, but one of the main ones is that few Apple II users had hard disks. On the IBM PC, it was easy for a virus to get on the hard disk, then systematically infect every floppy disk put into the system. Apple II users, in contrast, often booted from floppies, and often rebooted when switching to a different software package, thus purging the virus from memory. (Pressing control-reset on the Apple II keyboard would always pull the reset line on the CPU, so it wasn't possible to trap the interrupt like it is possible to trap ctrl-alt-del on the PC.) A couple bits of interesting virus trivia: Joe Dellinger, then an undergrad at Texas A&M, set out to write the "perfect" virus, that is, one that would silently replicate without causing harm, just to see how far it would spread. The virus added a tag to the end of the boot sector which read: GENxxxxxxxTAMU, where xxxxxxx was the generation counter. A destructive virus called "CyberAIDS", appeared in 1988. I just looked this one up in an old magazine article, and, when the virus destroyed a disk, it printed, among other drivel: DISTRIBUTED BY Worshippers of Pat / [WOP] The Kool/Rad Alliance The Robert Dole Presidential Campaign I wonder if Bob Dole appreciated the free advertising. (Also remember that this was in 1988!) Modern operating systems make kernel-patching viruses like the simple ten-byte hacks effectively impossible since the operating system is less predictable with respect to its memory usage, people upgrade more frequently, and many experienced users compile their own kernel. Modern protected-mode operating systems are also making boot-sector viruses obsolete as well. That leaves executable file viruses. By the late eighties, hard disks were becoming fairly standard equipment, and the "CyberAIDS" virus mentioned above attached itself to executable files. Filesystem security and read/execute-only memory pages on Unix systems make writing effective viruses of this type quite difficult. Unfortunately, Microsoft's lax attitude toward security allows viruses to persist on their operating systems, and have made Bill Gates very popular with the virus writing groups. In addition, the lack of filesystem security in Windoze makes the shared libraries, and key system files, prime targets for malicious code. Still, as the famous login hack demontrates, it's not impossible to write a unix virus, if you can get control of the compiler/linker. It's just that there are other methods of hacking unix systems (ie buffer overruns) which provide a more immediate return on the investment of time for the hacker. From vznuri at netcom.com Sun Apr 7 00:04:49 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 7 Apr 1996 16:04:49 +0800 Subject: the value of money In-Reply-To: <2.2.32.19960406060312.006d58c0@pop3.interramp.com> Message-ID: <199604070315.TAA12896@netcom17.netcom.com> JG >This is a very real issue. To the extent that electronic money replaces >currency (reduces the amount in circulation), it will cost the Treasury >seigniorage--and the Government is acutely aware of this. Whether the >beneficiaries are consumers, banks, or other issuers of digital cash will >depend on the system. pardon me but just for fun, would you mind debunking some conspiracy theories on this subject, since you seem to understand our system? there are a lot of people now claiming that the federal reserve is a system designed to slowly cause the entire US economy to go into debt to it via charging interest on the loaning of paper money. how do you address this? to me the idea that cybercurrency might escape possible manipulations and machinations that are happening in the real world currency markets is quite liberating. I would also expect to see some powerful interests try to fight it for this reason. p.s. if you are really you, thought you made some great points about the Unibomber on Peter Lawrence, and I also love your two books, Chaos and on Feynmann. keep up the great work. From vznuri at netcom.com Sun Apr 7 00:19:07 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 7 Apr 1996 16:19:07 +0800 Subject: myths of software "standards" In-Reply-To: <Pine.BSF.3.91.960406032352.2796A-100000@kirk.edmweb.com> Message-ID: <199604070323.TAA13375@netcom17.netcom.com> SR: >Sure, the Netscape extensions are nice. And it's nice to have an operating >system (M$-DOG) pre-installed on every hard drive. But Net$cape, like M$, >was trying to esablish a dominant "follow-us-or-die" position in the >industry. that was exactly the view I was trying to discredit us in my post. did Netscape protect their creations with patents? no. what did they do that prevents other browsers from immediately latching onto their keywords?? we are talking about *bits*!!! oh, do they have too much PRIDE or something to use an idea that somebody else innovated? I think in all this ranting is lost the basic fact that Netscape did what they did to be *innovative* and this innovation is what is driving the net. can you indicate to me why or how they were trying to squelch competition? what kind of squelching is possible in a world where the next version of anybody's software can immediately incorporate their own features? >Yes, the Net$cape extensions allow people to do stuff that they wouldn't >otherwise be able to do. But, the extensions *could have* been >implemented in such a way that using them wouldn't be detrimental to >non-Net$cape browsers. you seem to be suggesting that they intentionally tried to screw up non-netscape browsers, which I find laughable. > Instead, they've altered the World Wide Web in >such a way that it can only be viewed "correctly" with Net$cape. this was by the choice of people who wrote web pages, who made the collective decision to follow netscape. you are not criticizing netscape, you see, you are simultaneously criticizing every person who has made the decision to go with their standard. which is a rather unenlightened way to look at the way that standards on the internet work, imho-- they are not "handed down by anyone". netscape could have been roundly ignored, and a zillion standards die every year for this reason. but netscape made a positive contribution, and this is reflected in the agreement of every person who voluntarily, under total free will and no coercion, picked their standard. can you tell me how netscape twisted a single person's arm to put netscape tags in their web pages? From love5683 at voicenet.com Sun Apr 7 00:47:52 1996 From: love5683 at voicenet.com (Chevelle) Date: Sun, 7 Apr 1996 16:47:52 +0800 Subject: HANDS UP! Message-ID: <199604070428.XAA24512@mail.voicenet.com> Hey guys if there's anything I can do to help Kevin out anything at all please let me know! chevelle out....At 07:14 AM 4/5/96 +0200, THE HIJACK-CREW wrote: >HI THERE! THIS IS etoy! > >"the digital hijack" is NOW running ! > >the internet-underground has decided: it is definitely time to blast SOUND >and ACTION into the net !!! > >our software-agents have invaded the main searchservers... > >++++for more information check out : http://www.hijack.org/++++++++++ > >or get kidnapped live --> go to infoseek (netsearch-button on your browser) >and search for: > >UNDERGROUND - CENSORSHIP - DISCO - XTC - CLINTON - PORSCHE - CRACK - >KRAFTWERK - ELVIS - TERROR - PENTHOUSE - SEGA - MONDRIAN - SEXPISTOLS - >FIREARMS - TARANTINO - DJ - STONES - NETWORKS - BASE - CRIME - WAR - >BUSINESS - WOMEN - NET - SOCIETY - ART - CASTRO - PARADISE - ATHLETICS - >PULP - CYBER - YELLO - PETSHOPBOYS - REM - HUSTLER - BITCH - GUEVARA - >SEVESO - MELODYMAKER - PORNO - GABBER - ROLLERBLADES - REBEL - OASIS - >COMMUNICATIONS - PLAYBOY - BELGIUM - ORB - AND MANY MORE... > >these keywords will all appear on the TOP 10 - LIST. take the link to >hijack.org to get the hijack-experience like millions of bored >internet-users... > >download the hijackers-sound, get the best pictures and help us free our >friend KEVIN D. MITNICK, THE SUPERHACKER (charged for electronic-terrorism, >maximum sentence: 460 years prison) ! > >we would be very happy to welcome you on our site. spread this new >internet-lifestyle to your friends and to internet-freaks + surfers ! > >this is a underground art-project not a bastard-business mail. our grab >robot "etoy.IVANA" got your email-address by cruising the net. > >for the hijack-crew etoy >MARTIN KUBLI > >email mailme at etoy.com >fax ++41 1 363 35 57 >_______________________________________________________________________ >http://www.hijack.org/ >for highres-pictures: ftp.etoy.com /press > > >etoy: >leaving reality behind...abusing technology...flashing the net > > From jimbell at pacifier.com Sun Apr 7 01:18:06 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 7 Apr 1996 17:18:06 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u5mjb-00090mC@pacifier.com> At 12:27 PM 4/6/96 -0800, Timothy C. May wrote: >This model, is, I contend, the model with which courts are familiar. They >know that Alice can retrieve the funds, so they simply order her to. If she >does not comply, contempt of court. Q.E.D. > >What of a different model? What if, say, her funds are in a "time lock >deposit," with the bank unwilling or even unable (cryptographic protocols >involving multiple key holders) to retrieve the funds until, say, 2010? >Even if she is being tortured to death and pleading with the >Gemeinschaftbank of Zurich to please, pretty please, release her funds, >they cannot. > >It may take some convincing, and some education of the court (a la the >education that is slowly happening, as in the CDA case), but eventually it >will be realized that "contempt of court" is not applicable. I look at it this way: It is inappropriate to look just at the desire of the court and its sanctions, it is necessary to study what kind of "crimes" are normally dealt with in such a fashion, and why they need to be crimes in the first place. Over time, technology is dramatically increasing our protections: From locks to alarms to monitoring systems to remote cameras, with bank accounts that are secure from ordinary criminals, we are becoming less and less dependant on government for our security. Since the ostensible purpose of courts is nominally to protect us, if those protections begin to be replaced by technology the logical conclusion is that courts will become less numerous and less powerful. The problem is, that isn't happening, and the reason is that organizations tend to act in ways to protect their own power and influence. In fact, the average citizen is subject to far more theft of his assets BY THE GOVERNMENT than by common criminals, so at some point we have to realize that the government is now a net problem, rather than being a net solution. I think that most crimes that subpoenas would normally be used for are probably not crimes at all, and are probably "malum prohibitum," not "malum in se" crimes. And in the future, they would likely be used to harass political enemies, as harassment was done in the 1950's and 60's. This means, for anybody of a libertarian bent, that it would actually be better if the government could be rendered incapable of enforcing them. Naturally, governments and courts will resist, but that will be irrelevant. Jim Bell jimbell at pacifier.com From dhaskove at ucsd.edu Sun Apr 7 01:21:10 1996 From: dhaskove at ucsd.edu (Dan Haskovec) Date: Sun, 7 Apr 1996 17:21:10 +0800 Subject: NYT: Chaotic Encryption: a Solution in Search of a Problem Message-ID: <2.2.32.19960407061512.0034fb58@sdcc10.ucsd.edu> The New York Times online site reports on a researcher at Oak Ridge National Labs who "devised and patented a new mathematical system for encrypting and authenticating digital data, based on the scientific concept of chaos." The article mention that people in industry were less than enthused about adopting it. Even the inventor says that it "isn't robust enough for military applications." It seems to use a chaotic system at both ends with a symmetric key. It almost sounds like the NYT covered it because chaos is "cool", not because this development is significant. Any insights? The story is online at http://www.nytimes.com/library/cyber/week/0407chaos.html From hoz at univel.telescan.com Sun Apr 7 01:21:21 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Sun, 7 Apr 1996 17:21:21 +0800 Subject: the cost of untracability? Message-ID: <199604070539.VAA27922@toad.com> >One possible way to get around this is to have ecash issuers pay interest >on ecash. However it requires ecash to be timestamped and therefore >compromises its untraceability. (Think of the timestamp as a serial >number.) It wouldn't exactly have to be timestamped. By convention, all interest bearing currency could be denominated as of some fixed date. For instance, its future value as of Jan 1, 2200 A.D. The issuer could then pay interest without knowing the date the currency was issued. (Of course, some accounting rules are probably going to need changing, hehe) Neither the payee nor the issuer needs to know the actual issue date when settlement time comes. When you buy a t-bill, it is worth some amount on some date. You don't know when the previous owner bought it or how much (s)he paid. The denominated date could even vary if it were "blinded". As long as the present value of the ecoin is the same, the issuing institution should not care how it is expressed. A variable interest rate scheme could even prevent an announced fixed rate from conveying clues about the issue date. Rick F. Hoselton (who doesn't claim to present opinions for others) From steve at edmweb.com Sun Apr 7 01:23:27 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 7 Apr 1996 17:23:27 +0800 Subject: myths of software "standards" In-Reply-To: <199604070323.TAA13375@netcom17.netcom.com> Message-ID: <Pine.BSF.3.91.960406192913.5521A-100000@kirk.edmweb.com> > >Sure, the Netscape extensions are nice. And it's nice to have an operating > >system (M$-DOG) pre-installed on every hard drive. But Net$cape, like M$, > >was trying to esablish a dominant "follow-us-or-die" position in the > >industry. > that was exactly the view I was trying to discredit us in my post. > did Netscape protect their creations with patents? no. what did they Of course not. If they "protected" their creations with patents, a lot of people would be less likely to use them. If the Net$cape extensions weren't used, everything would look fine on other browsers and there would be no pressure on the remaining non-netscape users (25%?) to switch to Net$cape. > why or how they were trying to squelch competition? what kind > of squelching is possible in a world where the next version of > anybody's software can immediately incorporate their own features? The "Why" can be answered very easily: $$$. Netscape is not some not-for-profit thing like PGP, Netscape is a COMMERCIAL CORPORATION. Keep that in mind while I explain the "How"...... I think it is not unlike what Micro$oft did in the early 80s... They put out a good OS (it was considered good at that time) and sold it really cheap, and they obtained a large market share. Since they had such a large market share, most of the software developers wrote for M$-DOS. Since practically everyone was writing for MS-DOS, the public bought MS-DOS. Other OS developers could write M$-DOS clones, but they would be just that- clones. They would have no reason to write in new features, since very few people would be bold enough to write software that wouldn't run on M$-DOS. The OS makers would be condemned to forever follow Micro$oft and try to maintain compatability. To this day, the mass market still centers around the MS operating system. With Netscape, it was similar... They put out a good browser (And I'm not arguing there- IMHO it's the best browser currently available) for really cheap, for many people it was even Free. They've obtained a large market share. Since they have such a large market share, everyone writes web pages for Net$cape. Since there are now so many "Get Netscape!" web pages, even more people are switching to Netscape. Sure, other browsers could add their own extensions, but if they won't work on Net$scape, nobody will use them. And every non-net$cape browser will be OBSOLETE as soon as the next version of net$cape comes along with it's new extensions. > picked their standard. can you tell me how netscape > twisted a single person's arm to put netscape tags in their > web pages? No arm twisting was necessary, once Net$scape had their large market share. Just as there was no arm twisting to get people to write software for MS-DOS and Windoze. Once a software company has a large enough market share that they can define the standards for everyone else, they are extremely difficult to "de-throne". At least Net$cape isn't abandoning the *official* HTML standards. Before I sign off, I will say that Netscape is a good browser. It may well be that they simply created the extensions to make the WWW better. But, since Netscape *IS* a commercial company, I tend to believe that they did it to ensure their own profits. Really, there is no Real Proof either way, so this tends to be a rather controversial (and opinionated) topic. Some good might yet come from this... If Netscape and Microsoft start battling over the "Web As An Operating System" market, Net$cape and Micro$oft might chip away at each other enough to let the smaller companies catch up. (Wishfull Thinking) I guess this is kinda off the topic of the Cypherpunks list... I think we should just "agree that we disagree" and let the matter be. ======================================== [This email signatu r e file is best viewed with the FooBar Mailer Program] ======================================== ;) From unicorn at schloss.li Sun Apr 7 03:00:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 7 Apr 1996 18:00:40 +0800 Subject: Unicorn of Color In-Reply-To: <ad8bf5e226021004c1b9@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960407011449.27408A-100000@polaris.mindport.net> On Sat, 6 Apr 1996, Timothy C. May wrote: > At 6:00 PM 4/6/96, Black Unicorn wrote: > >On Fri, 5 Apr 1996, Timothy C. May wrote: > > >> > >> Far be it from me to question the legal advice BU/Uni/Dirsec provides, > > > >Unicorn is fine, don't be snide. > > Not meant to be snide, even if sounded that way. I just get confused by > your various nyms, as some call you "Uni," others call you by what I > presume is your real name (rhymes with Galois), and you sometimes sign your > messages "Dirsec." Unicorn will do. The nym, for those interested, is taken from our crest. Dirsec, the username for a time, was a result of some ISP account shuffling. Completely outside my control I fear. I don't think anyone calls me by my name on the list, but I could be mistaken. > Also, I am hesitant to call you "Black Unicorn," as applying the adjective > "black" to a person is illegal in some jurisdictions, and "Unicorn of > Color" does not ring true. (But I grew up calling blacks "colored people," > and gladly switched to the more noble-sounding "black" in the 1960s, and > now I almost vomit everytime I hear some radfem lesbian claim "All wimmin > are people of color!!!!" Yeah, colored people. My, how the worm has > turned....) Again, Unicorn, or uni will do. When I adopted the nym, I never planned it to be a long term thing. I'm sure I would have been more obscure had I given it much thought. I'm not liberal enough to be offended by the color/evil implication of my nym. The blazon of the black unicorn has been with my family a long time. I'd hardly consider it an offense, though I understand the caution. > > Hope this clears things up. > It does, thanks. > --Tim > > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From JonWienke at aol.com Sun Apr 7 03:10:11 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 7 Apr 1996 18:10:11 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) Message-ID: <960407011827_186212737@emout09.mail.aol.com> Wei Dai writes: >One possible way to get around this is to have ecash issuers pay interest >on ecash. However it requires ecash to be timestamped and therefore >compromises its untraceability. (Think of the timestamp as a serial >number.) Interest-bearing accounts cannot legally be anonymous--the IRS requires records of interest payments for tax purposes. Even if the e$ issuer is collecting interest on my ecash, I don't care as long as they don't charge me any fees,. As far as I am concerned, if the issuer can make anonymous e$ worth his while to issue, the loss in potential interest income is more than outweighed by the advantages of being able to use such a system. Jonathan Wienke From jamesd at echeque.com Sun Apr 7 03:29:30 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 7 Apr 1996 18:29:30 +0800 Subject: "Contempt" charges likely to increase Message-ID: <199604070626.WAA10352@dns1.noc.best.net> At 01:00 PM 4/6/96 -0500, Black Unicorn wrote: > To me this entire thread has threatened to suggest to people that they > need only thumb their noses at the authorities, be it by cryptographic > protocol or otherwise, and sit back in their easy chair and smile to > themselves. [...] > > I understand that direct confrontation with government is appealing to > the authority hater. (I happen to be one). Overt resistance, however, > of the character suggested by Mr. Bell and others, is going to cause > problems in two ways. Firstly, its going to cause the individual > resister a good deal of headaches. Secondly, its going to make bad law > eventually. On this you are simply wrong: As Jim Bell pointed out, the current level of repression would have been unthinkable thirty years ago, and it has occurred with very little actual violence. 99% pure bluff. The authorities are generally reluctant to risk their reputation capital by direct confrontation. Government projects an image of being all powerful, but in fact they are in the same position as the lion tamer bullying his lions or the Mahout commanding the elephant to drag logs. Somebody complained that the image I put in by CDA protest was not obscene, mererly indecent (due perhaps due to the lousy dithering which obscured certain crucial features of the image) -- so I amended it to one which is definitely obscene. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From pjm at spe.com Sun Apr 7 04:29:58 1996 From: pjm at spe.com (Patrick May) Date: Sun, 7 Apr 1996 19:29:58 +0800 Subject: [NOISE] Unicorn of Color In-Reply-To: <ad8bf5e226021004c1b9@[205.199.118.202]> Message-ID: <199604070759.XAA00547@gulch.spe.com> -----BEGIN PGP SIGNED MESSAGE----- Timothy C. May writes: [ . . . ] > and gladly switched to the more noble-sounding "black" in the 1960s, and > now I almost vomit everytime I hear some radfem lesbian claim "All wimmin > are people of color!!!!" Yeah, colored people. My, how the worm has [ . . . ] The spelling is "wymmyn", you neanderthal oppressor. Cypherpunks wa ango o kakimasu, pjm -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQEVAwUBMWd16WAA81GB0e9dAQE2nAf/ZosmFkGcL/mzgkHVZWgpgrl/miz+FyrC 7rM2wwxLc0IkWmknVKRzujieOvDDImtYRLPBwLXFc4QlesTj9IKQCekfif+4qadD flio73ELz7FEwsy3pkTJQCJ1JBSh55/3mUKdzPOed8YJb2C7aMkHauB1Mo7XdrCI i7QXOh/Bx43/5YcSC0lqtlGcjKhQfEOcqurS+RcG5kWfnDRn2A21ejBBUjoezUuF r04qUbUoymXY+d+zkhhHxGfFpUPfFU0E0rH9d+p8/M2mc0WQr8PAOtMgz6OyA+Uj lknG8NXe+qExr6LkMvV1ozup3uuetpadVRV58o2kwzFBT/QirFknSQ== =tn+1 -----END PGP SIGNATURE----- From erc at dal1820.computek.net Sun Apr 7 04:30:00 1996 From: erc at dal1820.computek.net (erc at dal1820.computek.net) Date: Sun, 7 Apr 1996 19:30:00 +0800 Subject: [NOISE] Unicorn of Color Message-ID: <199604070845.EAA28473@dal1820.computek.net> No, it's "womyn", you Fascist male oppressor pretending to be in sympathy with the cause ;) ______________________________ Reply Separator _________________________________ Subject: [NOISE] Unicorn of Color Sent To: cypherpunks at toad.com Author: pjm at spe.com Reply To: pjm at spe.com Date: 4/7/96 1:36:53 AM The spelling is "wymmyn", you neanderthal oppressor. From pgp at lsd.com Sun Apr 7 05:00:07 1996 From: pgp at lsd.com (Dave Del Torto) Date: Sun, 7 Apr 1996 20:00:07 +0800 Subject: LSD|CFP Message-ID: <v03005b1cad8d2bd02332@[192.187.167.52]> All constructive comments, corrections & suggestions are greatly appreciated... <http://www.well.com/user/ddt/crypto/crypto.html> dave ___________________________________________________________________ Cryptography is the entertainment branch of the computing industry. From weidai at eskimo.com Sun Apr 7 09:45:11 1996 From: weidai at eskimo.com (Wei Dai) Date: Mon, 8 Apr 1996 00:45:11 +0800 Subject: the cost of untracability? In-Reply-To: <199604070539.VAA27922@toad.com> Message-ID: <Pine.SUN.3.92.960407052217.24243B-100000@eskimo.com> On Sat, 6 Apr 1996, rick hoselton wrote: > It wouldn't exactly have to be timestamped. By convention, all interest > bearing currency could be denominated as of some fixed date. For instance, > its future value as of Jan 1, 2200 A.D. The issuer could then pay interest > without knowing the date the currency was issued. (Of course, some accounting > rules are probably going to need changing, hehe) Neither the payee nor the > issuer needs to know the actual issue date when settlement time comes. > > When you buy a t-bill, it is worth some amount on some date. You don't > know when the previous owner bought it or how much (s)he paid. > > The denominated date could even vary if it were "blinded". > As long as the present value of the ecoin is the same, the issuing institution > should not care how it is expressed. A variable interest rate scheme could > even prevent an announced fixed rate from conveying clues about the issue date. I think you're right. There is no need for the issuer to pay explicit interest. The easiest way to eliminate signorage would be to steadily increase the value of each denomination of ecash. It would be kind of like a mutual fund that doesn't pay dividends. In fact, if the ecash is backed by a portfolio of investment securities and its value floats with the value of the portfolio, then it would be almost exactly like a mutual fund. Of course, as Jonathan Wienke pointed out, the IRS would not be very happy about this. Then again, the IRS would not be happy with a lot of the technology discussed on this list. Wei Dai From gary at kampai.euronet.nl Sun Apr 7 09:45:13 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 8 Apr 1996 00:45:13 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) Message-ID: <199604071315.PAA18136@kampai.euronet.nl> Wei Dai wrote: > > On Sat, 6 Apr 1996, Gary Howland wrote: > > > - What will be the typical time between the withdrawal of ecash > > and it being deposited? > > I think this will depend on how easy it is to withdraw ecash. If the > client software includes an option of automaticly withdrawing ecash from > the bank when you don't have enough ecash to pay for the current purchase > (thereby reducing the time between withdrawal and deposit to zero), then I > suspect most people will use it, even though (anticipating your next > question) this compromises their untraceability. Interesting note - I think that if the time between withdrawal and deposit ever reaches zero, then we have a e-cheque system (which is fully traceable). From grafolog at netcom.com Sun Apr 7 13:17:44 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 8 Apr 1996 04:17:44 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) In-Reply-To: <960407011827_186212737@emout09.mail.aol.com> Message-ID: <Pine.3.89.9604070949.A1206-0100000@netcom3> Jonathan: On Sun, 7 Apr 1996 JonWienke at aol.com wrote: > Interest-bearing accounts cannot legally be anonymous--the IRS requires To quote TCMay: National boundaries aren't even speedbumps on the information highway. Who says the e$ has to be based in the US? Andorra, Liechenstein, San Marino, St Pierre, all come to mind as countries to investigate, because they are outside of the United States. << Has St Pierre joined NAFTA? If so, that rules them out. >> xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * *********************************************************************** From markm at voicenet.com Sun Apr 7 13:39:22 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 8 Apr 1996 04:39:22 +0800 Subject: NYT: Chaotic Encryption: a Solution in Search of a Problem In-Reply-To: <2.2.32.19960407061512.0034fb58@sdcc10.ucsd.edu> Message-ID: <Pine.LNX.3.92.960407113537.158A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Sat, 6 Apr 1996, Dan Haskovec wrote: > The New York Times online site reports on a researcher at Oak Ridge National > Labs who "devised and patented a new mathematical system for encrypting and > authenticating digital data, based on the scientific concept of chaos." The > article mention that people in industry were less than enthused about > adopting it. Even the inventor says that it "isn't robust enough for > military applications." It seems to use a chaotic system at both ends with > a symmetric key. It almost sounds like the NYT covered it because chaos is > "cool", not because this development is significant. Any insights? There has been research into developing chaos based encryption, but none of the systems developed are nearly as strong as block ciphers such as IDEA and 3DES. Chaos encryption is more like steganography than encryption. The chaos encryption schemes that I know of use a driving circuit to generate the carrier wave for the transmission. If a person on the other end knows the driving circuit used, then that person can remove it. The output of a chaos encryption mechanism is similar to static, but I don't think that it is particularly strong. With proven strong encryption, the only advantage I can see to using chaos encryption would be to encrypt analog data. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMWfiZrZc+sv5siulAQEwcAQAq8Sp1o6bkxAbZwEpKf3TZjcLP6q1AP7h 4/YIVDVZamfQ8BUtji1r/jFAJLviPF1ibC8459L9+Q4GlDzSBEpYA5gHjIywyg61 3iv86ZwTy2xijPkINWSnlDF04FiMwmBuTC91hS/9DiSYQ6dQZWxy8L2LZkaJb57v 5Qds6rfBFRM= =aLiN -----END PGP SIGNATURE----- From perry at piermont.com Sun Apr 7 13:53:32 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 8 Apr 1996 04:53:32 +0800 Subject: e$ Signorage Message-ID: <199604071620.MAA14286@jekyll.piermont.com> I misdirected this yesterday. Yes, its relevant: it answers the contention that ecash somehow lowers government seignorage income. ------- Forwarded Message To: James Gleick <gleick at around.com> cc: cypherpunk at toad.com Subject: Re: e$ Signorage From: "Perry E. Metzger" <perry at jekyll.piermont.com> James Gleick writes: > >> It's not obvious, but it's true, that the Fed collects the "float" > >> on dollar bills you carry in your pocket, > > > >Oh, really? From whom? First I've heard of this. > > Then you're learning something new. Oh, really? Don't teach grampaw to suck eggs. > On the contrary. The Federal Reserve holds Government securities > corresponding to the dollar value of currency in circulation. Ah, no. Sorry. The Fed does indeed monetize debt, but 1) that isn't related to seignorage, and 2) all new money is monetized debt, and it makes no difference whether it is held in paper or bank accounts or anything else. > It earns interest income on this amount, and returns this income to > the Treasury. This is called seigniorage. It amounts this year to > something over $20 billion. This is a very real issue. To the > extent that electronic money replaces currency (reduces the amount > in circulation), it will cost the Treasury seigniorage- -and the > Government is acutely aware of this. Whether the beneficiaries are > consumers, banks, or other issuers of digital cash will depend on > the system. Again, you really don't know what you are talking about. The vast bulk of the money in the field is not currency. Most of it is in the form of bank deposits and is circulated through bank mechanisms like checks and such. When the Fed wants to expand the money supply, it buys government debt on the open market, paying for it with nothing at all other than changing numbers in the Fed's computers. This is how debt is monetized. The bulk of that money never becomes dollar bills, and whether it is circulated via checks or ecash or direct deposit or whatever makes no difference to the amount of fake interest earned. I say "fake interest" because it isn't real income to the government at all. The amount of currency in circulation is dependant purely on demand by consumers, via banks, for currency. When banks want dollar bills, they ask the Fed -- they hand the fed electronic money and the fed gives them back dollar bills. The amount of currency, however, has nothing to do with the amount of bonds being held -- whether the monetized debt is held in bank accounts, in dollar bills, or in ecash makes absolutely no difference. Again, you just don't know what you are talking about. E-Cash has no impact on the fake interest earned by the fed, which is not seignorage to begin with. Perry ------- End of Forwarded Message From tallpaul at pipeline.com Sun Apr 7 14:14:08 1996 From: tallpaul at pipeline.com (tallpaul) Date: Mon, 8 Apr 1996 05:14:08 +0800 Subject: Unicorn of Color Message-ID: <199604071702.NAA23833@pipe6.nyc.pipeline.com> On Apr 06, 1996 11:57:33, 'tcmay at got.net (Timothy C. May)' wrote: > >Also, I am hesitant to call you "Black Unicorn," as applying the adjective >"black" to a person is illegal in some jurisdictions, and "Unicorn of >Color" does not ring true. (But I grew up calling blacks "colored people," >and gladly switched to the more noble-sounding "black" in the 1960s, and >now I almost vomit everytime I hear some radfem lesbian claim "All wimmin >are people of color!!!!" Yeah, colored people. My, how the worm has >turned....) > Don't go Grubor on us now Tim. Slip over the border and get some downers to handle the delusion of "some jurisdictions" that make it "illegal" to call someone "black." Your gorge is also a lot more steady than you think, so I wouldn't worry about it. If you can choke down nuclear bombings of civilians, surely you can handle the new "private dictionaries" of a few radical feminists who spell "adult female" w-i-m-m-i-n. --tallpaul PS: I identify with that section of the women's liberation movement who spell a different word b-y-t-c-h. From jimbell at pacifier.com Sun Apr 7 15:08:06 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Apr 1996 06:08:06 +0800 Subject: the cost of untracability? Message-ID: <m0u5yIb-0008z6C@pacifier.com> At 05:30 AM 4/7/96 -0700, Wei Dai wrote: >I think you're right. There is no need for the issuer to pay explicit >interest. The easiest way to eliminate signorage would be to steadily >increase the value of each denomination of ecash. It would be kind of >like a mutual fund that doesn't pay dividends. In fact, if the ecash is >backed by a portfolio of investment securities and its value floats with >the value of the portfolio, then it would be almost exactly like a mutual >fund. > >Of course, as Jonathan Wienke pointed out, the IRS would not be very happy >about this. Then again, the IRS would not be happy with a lot of the >technology discussed on this list. Some more than others, huh? B^) FWIW, I think that there is no capital-gains-type tax on currency conversions. In other words, if I take dollars and buy yen today, and the interconvert rate changes and I convert back and make a "profit," that is not considered income. If that's the case, then ecash has an excellent precedent behind it to avoid any taxes on interest, especially if that interest is, in effect, paid by increasing the inherent value of the currency. And most of the "interest" will simply be the avoided inflation loss that would have otherwise occurred. Buying ecash may be equivalent to buying an absolutely non-inflating currency that the government can't manipulate. Jim Bell jimbell at pacifier.com From jim at ACM.ORG Sun Apr 7 17:25:12 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Mon, 8 Apr 1996 08:25:12 +0800 Subject: the cost of untracability? In-Reply-To: <m0u5yIb-0008z6C@pacifier.com> Message-ID: <199604071953.MAA03973@mycroft.rand.org> jim bell <jimbell at pacifier.com> writes: >FWIW, I think that there is no capital-gains-type tax on currency >conversions. In other words, if I take dollars and buy yen today, and the I bounced this off a CPA, who said she would be very suprised if this is really the case: in general the IRS considers increases in wealth to be taxable, and unless there's a specific exclusion for currency transactions that she doesn't know about, she suspects this is not the case. As a conceptual counterexample she points out that you are responsible for any profit you make from selling your car for more than you pay for it (but, as you might expect, you don't get to take a loss if you sell it for less). >interconvert rate changes and I convert back and make a "profit," that is >not considered income. If that's the case, then ecash has an excellent >precedent behind it to avoid any taxes on interest, especially if that >interest is, in effect, paid by increasing the inherent value of the >currency. My tame CPA also volunteered the information that the IRS is very interested and concerned about how they're going to capture transaction information for electronic transactions, and they do think it's in their bailiwick... she's read some articles on it. Jim Gillogly 17 Astron S.R. 1996, 19:52 From rollo at artvark.com Sun Apr 7 20:19:36 1996 From: rollo at artvark.com (Rollo Silver) Date: Mon, 8 Apr 1996 11:19:36 +0800 Subject: Why sign pubkey? Message-ID: <v02130500ad8dc7aab49a@[198.59.115.161]> Why You Should Sign Your PGP Public Key Francis Litterio (franl at world.std.com) If you generate a public/private key-pair and distribute the public key without any signatures on it, you are open to a denial of service attack. Here's how the attack works. I take your unsigned public key, and (using a suitably powerful editor, such as Emacs) I edit the userid string so that it still has your name but my email address on it. Then I distribute this fake key widely. Anyone who uses the fake key to encrypt email to you will send the email to me instead (if she uses the email address in the key). Of course, I won't be able to decrypt the email I receive, because it was encrypted with your public key, but I have denied you the option of decrypting it. You might never know the message was even sent. If you have at least one signature on your public key, PGP detects the tampering of the userid string and alerts the person who is sending you encrypted email. This is possible because of the nature of a digital signature. A digital signature is the output of a cryptographically secure hash function taking as input your RSA public key and your userid string (among other things). That hash output value is encrypted with the private key of the signer. If you have a valid public key from the signer and if you trust the signer to sign other people's keys, then PGP allows you to infer a certain degree of trust that the signed key belongs to the person named in the key's userid field. A cryptographically secure hash function is an irreversable hash function for which it is computationally infeasible to find an input message that hashes to a given output value. A task is computationally infeasible if the sun will have burned out before even the most powerful computer could finish the task. This prevents people from forging digital signatures. ------------------------------- How to Sign Your PGP Public Key You should sign your PGP public key immediately after generating your public/private key-pair. To sign your own public key, type this: pgp -ks <userid> where <userid> is the userid attached to your just-generated public key. If you have more than one userid on your public key, then you should sign each one individually. ------------------------------- Misconceptions About Signed Keys A widespread misconception about self-signed public keys (i.e., keys that have been signed by their corresponding private keys) is that a self-signed key is somehow more valid than a key that is not self-signed. A self-signed key is no more valid than a key with no signatures at all. Why? Suppose you have a public key with this userid string: John Q. Public <jqp at somewhere.com> Here's my denial of service attack. I use PGP to generate a new public/private key-pair with the same userid string as your public key but having different RSA public key bits. I self-sign that public key with its private half. I distribute that public key widely. Someone thinks it's yours based on the userid string. She makes the mistake of concluding that it is your key because it is self-signed. This is the mistake of inferring validity merely from the presence of a self-signature. She uses it to encrypt email to you, but you will not be able to decrypt that mail. This is a different kind of denial of service attack than the one described earlier (see Why You Should Sign Your PGP Public Key above). The only defense against this attack (that I can think of) is to be ever-vigilent for public keys that have your userid string but a different key-id and key-fingerprint. The key-id is the 32 least-significant bits of your RSA modulus, which is one of the two numbers that make up your RSA public key. The other number is the RSA public exponent (see the mathematical guts of RSA encryption for more details). The key fingerprint is a cryptographically secure hash of the RSA modulus and RSA public exponent, which together make up your public key. The cryptographically secure hash function is Ron Rivest's MD5, which outputs a 128-bit (16-byte) number, which depends in no discernable way on every bit in its input. It is much easier for two people to compare a 16-byte hexadecimal value over the phone that it is for them to compare the many hundreds or thousands of bits that compose the modulus and public exponent. If an RSA public key were tampered with in transmission from one person to another, comparing the fingerprints (via a tamperproof communication channel) would certainly reveal the tampering. The moral of this story is that you should regularly verify that the fingerprints of distributed copies of your PGP public keys (such as those in the PGP keyserver databases) match the fingerprints of your copies of those keys. Rollo From perry at piermont.com Sun Apr 7 20:54:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 8 Apr 1996 11:54:03 +0800 Subject: Spinners and compression functions Message-ID: <199604072252.SAA29569@jekyll.piermont.com> [I've sent a fuller reply to Jon in private mail.] JonWienke at aol.com writes: > >Actually, it doesn't. The entropy present from a reasonable source > >like keyclick timings is much much lower than the output of pkzip is > >going to suggest to you. > > I am not saying that the output of the compression function has 8 bits of > entropy per byte, but rather that it will have a more consistent entropy > level per byte than the input to the function. What makes you think that? There is little to no cause to expect this at all. I can think of a number of instances, like image data streams, where this idea is completely unfounded for most conventional compression techniques. Perry From iang at cs.berkeley.edu Sun Apr 7 21:51:21 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Mon, 8 Apr 1996 12:51:21 +0800 Subject: Was Cohen the first? In-Reply-To: <35960405162553/0005514706DC3EM@MCIMAIL.COM> Message-ID: <4k9hog$buj@abraham.cs.berkeley.edu> In article <199604070321.TAA02171 at myriad>, Matthew Ghio <ghio at myriad.alias.net> wrote: >Despite this, the Apple II never became a popular virus-writing platform. >There are several possible reasons for this, but one of the main ones is >that few Apple II users had hard disks. On the IBM PC, it was easy for a >virus to get on the hard disk, then systematically infect every floppy disk >put into the system. Apple II users, in contrast, often booted from >floppies, and often rebooted when switching to a different software package, >thus purging the virus from memory. (Pressing control-reset on the Apple II >keyboard would always pull the reset line on the CPU, so it wasn't possible >to trap the interrupt like it is possible to trap ctrl-alt-del on the PC.) Not true. Pressing ctrl-reset jumped to the interrupt routine pointed to by the vector at (I think) 1010/1011, if the contents of that vector checksummed correctly with the contents of the next byte (1012), and otherwise reset the computer. It certainly was possible (and useful) to trap ctrl-reset. Also, even when a reset occurred, not all of the memory was cleared, so you could in fact keep code in memory across a reset, if you could arrange to have it run on the other side of the boot. As you pointed out, it was very easy to write viruses for the Apple ][. The "slave" disk layout contained two blank sectors (.5 K) within the DOS image that get loaded into memory. The designers may as well have labelled it "put virus here". - Ian "Been there; done that..." From bplib at wat.hookup.net Sun Apr 7 23:11:34 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Mon, 8 Apr 1996 14:11:34 +0800 Subject: e$ seigniorage (and is this the cost of untracability?) In-Reply-To: <Pine.3.89.9604070949.A1206-0100000@netcom3> Message-ID: <Pine.OSF.3.91.960407172850.9962A-100000@nic.wat.hookup.net> On Sun, 7 Apr 1996, Jonathon Blake wrote: > > Andorra, Liechenstein, San Marino, St Pierre, all come > to mind as countries to investigate, because they are > outside of the United States. << Has St Pierre joined > NAFTA? If so, that rules them out. >> St.Pierre is an island off of the coast of Canada that belongs to France. It cannot join NAFTA (yet <G>) Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From jimbell at pacifier.com Sun Apr 7 23:31:54 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Apr 1996 14:31:54 +0800 Subject: the cost of untracability? Message-ID: <m0u65hy-0008ynC@pacifier.com> At 12:53 PM 4/7/96 PDT, Jim Gillogly wrote: > >jim bell <jimbell at pacifier.com> writes: >>FWIW, I think that there is no capital-gains-type tax on currency >>conversions. In other words, if I take dollars and buy yen today, and the > >I bounced this off a CPA, who said she would be very suprised if this is >really the case: in general the IRS considers increases in wealth to be >taxable, and unless there's a specific exclusion for currency transactions >that she doesn't know about, she suspects this is not the case. As a >conceptual counterexample she points out that you are responsible for any >profit you make from selling your car for more than you pay for it (but, >as you might expect, you don't get to take a loss if you sell it for less). That assumes that there is "profit" from exchanging currencies. On any given transaction, there is never any "profit." The only thing that might be called a profit is a difference in exchange rates, and that really isn't an increase in wealth at any point. Ask that CPA to look it up. This makes sense: If the currency in my pocket becomes less valuable due to inflation, I cannot deduct the loss. If it becomes MORE valuable due to deflation, I do not need to declare the difference as income. Currency transactions only generate "profits" from a change in conversion rates, which are simply differences in inflation rate between two currencies. >>interconvert rate changes and I convert back and make a "profit," that is >>not considered income. If that's the case, then ecash has an excellent >>precedent behind it to avoid any taxes on interest, especially if that >>interest is, in effect, paid by increasing the inherent value of the >>currency. > >My tame CPA also volunteered the information that the IRS is very interested >and concerned about how they're going to capture transaction information for >electronic transactions, and they do think it's in their bailiwick... she's >read some articles on it. The answer is, "They're not!" That's right, you heard me. It's uphill all the way for the IRS. From perry at piermont.com Sun Apr 7 23:40:35 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 8 Apr 1996 14:40:35 +0800 Subject: e$ Signorage In-Reply-To: <Pine.SV4.3.91.960407214309.2856A-100000@larry.infi.net> Message-ID: <199604080206.WAA29767@jekyll.piermont.com> Alan Horowitz writes: > > Date: Sun, 07 Apr 1996 12:20:11 -0400 > > From: Perry E. Metzger <perry at piermont.com> > > > > whatever makes no difference to the amount of fake interest earned. I > > say "fake interest" because it isn't real income to the government at > > all. > > When the Fed buys government bonds, the interest income goes to the > owners of the Federal Reserve Bank. Nope, sorry. Some of the interest is used to fund the Fed overhead itself -- salaries, heat, electricity and the like. The rest is "returned" to the treasury (actually, it was never paid out in the first place and it was all funny money to begin with.) > The Federal Resreve Bank is _not_ a > government agency - it is privately owned by the member banks.. Also false. All of the board of governors of the Fed are government appointees. In some theoretical sense the Fed isn't part of the government, but in all practical terms it is. Greenspan has to worry about whether Bill Clinton is going to reappoint him and congress will reconfirm him, not about whether the member banks think he's doing a good job. The myth that the fed is a private entity is an enduring one in conspiracy theory circles, but its trivial to check that it isn't the case. Perry From jimbell at pacifier.com Sun Apr 7 23:42:01 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Apr 1996 14:42:01 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u66D6-0008z3C@pacifier.com> The following is a comment of mine that Unicorn didn't respond to. My comments are included as well. I repeat this because I just saw a quote from Lysander Spooner which was appropriate under the circumstances. Those who read Unicorn's notes will notice that he frequently ignores embarrassing gaffes that he makes. [beginning of re-quote] At 08:56 PM 3/30/96 -0500, Black Unicorn wrote: >> Naturally, you won't address this >> problem, but the man-on-the-street is more realistic about his own privacy. >> How many times must I raise this issue? How many times do you ignore it? >> Face it, people are smarter than you give them credit for. They will simply >> not tolerate any more shit from the government. > >Funny, the latest primary has been one of the highest voter turn outs in >quite a while (except in Deleware). Considering those are the law-and-order >types who are most likely to invade personal liberities, I think its a >bit hard to make the case that the temper of the country is anything but >very pro-political process. Unicorn again displays his cluelessness. If people know that the system is sick, and they believe (even wrongly) that the only way to fix the problem is through "the political process," they can reasonably be expected to take one last, desperate effort at fixing the situation. That doesn't make anybody "pro-political-process," in fact they could be disgusted with the lack of progress that this system produces. They simply believe that they have no alternative. To put it in simple terms that even you should be able to understand, the fact that a drowning person moves his arms and legs around a lot doesn't mean that he LIKES to swim, it may merely mean that he likes drowning even less. [end of re-quote] Spooner's quote follows: "Doubtless the most miserable of men, under the most oppressive government in the world, if allowed the ballot, would use it, if they could see any chance of thereby meliorating their condition. But it would not, therefore, be a legitimate inference that the government itself, that crushes them, was one which they had voluntarily set up, or even consented to." Lysander Spooner From stewarts at ix.netcom.com Mon Apr 8 00:30:34 1996 From: stewarts at ix.netcom.com (stewarts at ix.netcom.com) Date: Mon, 8 Apr 1996 15:30:34 +0800 Subject: Spinners and compression functions Message-ID: <199604080336.UAA16840@toad.com> At 06:52 PM 4/7/96 -0400, perry at piermont.com wrote: >JonWienke at aol.com writes: >> I am not saying that the output of the compression function has 8 bits of >> entropy per byte, but rather that it will have a more consistent entropy >> level per byte than the input to the function. >What makes you think that? There is little to no cause to expect this >at all. I can think of a number of instances, like image data streams, >where this idea is completely unfounded for most conventional >compression techniques. Obviously you need to mix raw data with a hash function if you really want to smear out the entropy so there's an even amount per output byte. But lossless compression can gain you a little bit, and seldom hurts (assuming it's faster than the hash), and it can help you be less unrealistic about the amount of entropy you've really got. Data contains varying quantities of predictablity and unpredictability. Some of the predictability has simple enough structure that a basic compression function can find and exploit it to squash the data. Some of the predictability doesn't. For what it's worth, compressing the data before using it for other things does leave you with somewhat more consistent entropy per byte for "typical" random input, because it eliminates the easy stuff. Obviously there are cases where this doesn't help you much, like inputting a graphic representation of a column of Chinese characters, where you'd benefit a lot more by looking them up and outputting Unicode or some such and then compressing (and where the first time you encounter a given character, the output of the compression function has to represent the picture, where the next time it sees the same set of input bits, it's able to abbreviate much more.) From jamesd at echeque.com Mon Apr 8 01:01:27 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 8 Apr 1996 16:01:27 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199604080427.VAA04452@dns2.noc.best.net> At 05:55 PM 4/7/96 -0800, jim bell wrote: > Those who > read Unicorn's notes will notice that he frequently ignores embarrassing > gaffes that he makes. Those who read Jim Bell's notes will notice that Unicorn is not alone in this practice. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Mon Apr 8 01:45:14 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Apr 1996 16:45:14 +0800 Subject: They're running scared. Message-ID: <m0u68el-0008yhC@pacifier.com> Jim Hoagland's newspaper column from April 4, 1996: Governments awakening to threat of the Internet The computer and modem now downsize the globe, enabling citizens to vault over walls of secrecy, law and control erected by governments. Still gathering steam, the information revolution is creating a new generation of ticklish foreign policy and national security problems for the world's governments. They are organized to operate in a heirarchical world of borders and customs posts and to keep out the unwanted, the unhealthy or the dangerous. But the boundaries of cyberspace are unfixed and amorphous. They are being determined more by the availability and cost of communication modems, sophisticated software, satelite stations, encryption techniques and other data processing technology than by government fiat. An example of cyberspace's potential for harm surfaced last week when France asked the United States to crack down on a San Diego-based Islamic group that posts instructions on the Internet for assembling inexpensive bombs like those exploded on the Paris subways last year. French officials traveling or posted abroad fear they are the intended targets of these homemade bombs, the Quai D'Orsay's senior Middle East expert, Denis Bouchard, told American diplomats at a meeting last week on international terrorism in Washington. State Department officials offered the French sympathy. But they did not hold out much hope they coudl act on the sparse information the French provided. The line between computer-driven incitement to terrorism and electronic free speech still has to be drawn in the brave new cyber world. The inchoate nature of that world was underscored by the disclosure March 29 that U.S. authorities had charged an Argentine student with three felonies for illegally entering Pentagon and other U.S. military computers to obtaining confidential files on satellites, radiation and energy-related engineering. But Julio Cesar Ardita, 22, who raided Washington files from his home in Buenos Aires, cannot be extradited under American-Argentine treaties, which do not cover these alleged national security violations. Governments are waking late to the implications of individuals and small groups operating across boundaries and oceans to bypass, introde upon or flip and electronic finger at bureaucracies that have controlled or regulated the security and business of nations for centuries. The implications are particularly dramatic for totalitarian regimes that brook no open dissent. China seeks to impose a government monopoly over economic data transmission into China to go along with the draconian political censorship already practiced on the nation's traditional media. But as long as the Middle Kingdom remains part of the International telephone system with its faxing and modem capabilities, words and facts the communist leadership abhors will spread faster than Big Brother can track them. The world stands roughly where it stood as television began to reshape politics, and policy-making, in ways that we still do not fully understand. A new communication technology arrives to change what we think, as well as how we think and communicate. Traditionalists fear anarchy (or obsolescence). Optimists foresee the best of all worlds, with Orwell's 1984 predictions of Big Brother tracking and brainwashing everyone through television proven to have been 180 degrees off course. But the picture is in fact mixed. Governments have begun to talk seriously to each other about controlling the computer revolution. The Pentagon is studying the information highway as the route to complete domination of the battlefield and thus the ultimate source of power. THe FBI, IRS, and CIA are determined to keep you from being able to encode and transmit information they want to see. Orwell may turn out to have been premature, but not wrong. The struggle over the course of the information revolution is only beginning. The bureaucracies that are most threatened still have powerful hands to play. There is no guarantee that cyberspace will provide the world with the era of new freedoms that now seem likely. That battle is still to be fought, and won. [end of article] Articles such as this are interesting because they appear to be written without any illusion that the interests of governments are anything other than just that, interests of governments. They are NOT the interests of the average citizen. From perry at piermont.com Mon Apr 8 02:15:42 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 8 Apr 1996 17:15:42 +0800 Subject: my apologies Message-ID: <199604080212.WAA01180@jekyll.piermont.com> My apologies about getting drawn into an argument about conspiracy theory and whether the fed is "privately owned" or some such bull. It isn't cypherpunks material. We all forget on occassion. Perry From hal9001 at panix.com Mon Apr 8 02:17:51 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 8 Apr 1996 17:17:51 +0800 Subject: Australia's New South Wales tries net-censorship Message-ID: <v02140b01ad8e4283e85d@[166.84.254.3]> At 17:47 4/6/96, David K. Merriman wrote: >Makes me wonder if browser companies/authors couldn't be dragged into any >such conflicts. If Person A inadvertently stumbles across Pedophiles 'R' Us >on the net, and quickly moves on, I have yet to see a browser that lets >him/her say "quick - delete that last cacheing operation", thus *making* >him/her 'guilty' of criminal possession. Netscape in the Cache Preferences has a button to delete your cache contents so button would seem to serve this need (while being a little overkill for this capability since it deletes everything and you must then rebuild your cache from scratch). From norm at netcom.com Mon Apr 8 02:21:22 1996 From: norm at netcom.com (Norman Hardy) Date: Mon, 8 Apr 1996 17:21:22 +0800 Subject: Why sign pubkey? Message-ID: <ad8e59160002100407e9@DialupEudora> Thanks for the post. There is someone with a quite legitimate reason to sign a newly generated public key with "Norman Hardy" in the user id string but without my my e-mail address. He is one of the several other Norman Hardy's in the U.S. I could include a very short biography which would fix that ambiguity. I only send secrets to people that I have some reason to trust. I gain trust sometimes from having met someone in person and talked for a few hours. If I get a business card with a key finger print and e-mail address (or URL) then I am safe from such spoofing as described in your post. Her name plays no role in the transaction. If I trust her because you recommended her to me, then perhaps I can get a fingerprint and URL from you. Again I need no name. In both of these cases the URL is merely a convenience. If she moves her web page, a search engine will soon find it given a part of the finger print included in the web page. Unless the attacker has compromised the search engine, I need merely send mail enciphered by her public key to the e-mail address given in each web page claiming to own the public key. Only she will be able to read the mail. Recommendation: Put URL & finger print on business cards. Include URL and finger print in recommendations. To send a secure message to some whose URL & trusted print you have: Check the URL for a public key whose print matches the trusted print. If that fails use a search engine for a better URLs. Send mail to each e-mail address found on a web page passing the test. Recommendations should include a little text about what things the designee should trusted with. Programs like PGP that follow trust chains should display the text from each recommendation in the chain. From fotiii at crl.com Mon Apr 8 02:33:17 1996 From: fotiii at crl.com (Frank O. Trotter, III) Date: Mon, 8 Apr 1996 17:33:17 +0800 Subject: the cost of untracability? Message-ID: <199604080217.AA24295@mail.crl.com> > FWIW, I think that there is no capital-gains-type tax on currency > conversions. In other words, if I take dollars and buy yen today, and the > interconvert rate changes and I convert back and make a "profit," that is > not considered income. If that's the case, then ecash has an excellent > precedent behind it to avoid any taxes on interest, especially if that > interest is, in effect, paid by increasing the inherent value of the currency. > > And most of the "interest" will simply be the avoided inflation loss that > would have otherwise occurred. Buying ecash may be equivalent to buying an > absolutely non-inflating currency that the government can't manipulate. > > Jim Bell > jimbell at pacifier.com > There is a tax event that occurs when one converts from one currency to another (be it capital or current). In your example the purchase of Yen and later sale may result in a gain if the Yen appreciates, or a loss if it drops. This is a taxable event. You actually refer to the method that was used in the 14th - 16th century in europo to pay interest when it was against church (really "Church") law. Early banks would do currency or metals-to-currency trades with people and imply a rent or interest rate. It was also the begining of the discount trade bill (I'll give you 90 cents today and get your dollar in a year from the person you sold those chairs to). I'll still cling to my Ecash is curency not a currency agument as well BTW. Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From alanh at mailhost.infi.net Mon Apr 8 02:41:46 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Mon, 8 Apr 1996 17:41:46 +0800 Subject: e$ Signorage In-Reply-To: <199604071620.MAA14286@jekyll.piermont.com> Message-ID: <Pine.SV4.3.91.960407214309.2856A-100000@larry.infi.net> > Date: Sun, 07 Apr 1996 12:20:11 -0400 > From: Perry E. Metzger <perry at piermont.com> > > whatever makes no difference to the amount of fake interest earned. I > say "fake interest" because it isn't real income to the government at > all. When the Fed buys government bonds, the interest income goes to the owners of the Federal Reserve Bank. The Federal Resreve Bank is _not_ a government agency - it is privately owned by the member banks.. From hal9001 at panix.com Mon Apr 8 03:12:44 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 8 Apr 1996 18:12:44 +0800 Subject: Someone's screwing around with anon.penet.fi Message-ID: <v02140b03ad8e4a21b288@[166.84.254.3]> At 15:55 4/6/96, stewarts at ix.netcom.com wrote: >The way to prevent this whole mess is to educate majordomo to turn >subscription requests from anXXXXXX at anon.penet.fi into naXXXXXX at anon.penet.fi, >or at least to block subscription requests form anXXXXXX at anon.penet.fi. As I've noted, such a patch already exists - it just must be installed by the Maintainer of the Majordomo copy at the Provider. From jf_avon at citenet.net Mon Apr 8 04:11:23 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 8 Apr 1996 19:11:23 +0800 Subject: .sig followup Message-ID: <9604080657.AD09420@cti02.citenet.net> >The media coverage of the sensationalist (violent and/or sexual) crime >has given the law makers and enforcers an excuse to step things up. It's >not quite as bad up here in Canada, but where the US goes, Canada >(and probably the rest of the world) usually follows. Hey, we got the new gun control bill up here. Mandatory registration of all firearms by year xxxx (I forgot). Other things are coming. Yesterday, a minister of Quebec province declared that the ownership of a house is a *privilege*, and therefore, can be seized for non payment or evasion of income tax. Next thing we'll know, they'll put a luxury tax on the breathing of air... >This is my first post to the Cypherpunks... So what government black >lists does this get me on? Is there anybody that have an informed answer to that question? JFA PGP 2048 bits key at: http://w3.citenet.net/users/jf_avon ID:C58ADD0D 52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From bplib at wat.hookup.net Mon Apr 8 04:54:18 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Mon, 8 Apr 1996 19:54:18 +0800 Subject: the cost of untracability? In-Reply-To: <m0u65hy-0008ynC@pacifier.com> Message-ID: <Pine.OSF.3.91.960408012840.5780D-100000@nic.wat.hookup.net> On Sun, 7 Apr 1996, jim bell wrote: > That assumes that there is "profit" from exchanging currencies. On any > given transaction, there is never any "profit." The only thing that might > be called a profit is a difference in exchange rates, and that really isn't > an increase in wealth at any point. Ask that CPA to look it up. If I recall correctly, don't currency traders make REAL money by doing just that. By moving money into different currencys and taking advantage of minor fluctuations and differences in exchange rates at different exchanges, these traders sometimes make a LOT of REAL money. I am not sure, but I think that it is called arbitrage trading or something like that. Just my $.02 US - $.05 Canadian <G> Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From WlkngOwl at unix.asb.com Mon Apr 8 05:03:57 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 8 Apr 1996 20:03:57 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <199604080500.BAA19015@unix.asb.com> This comes from the FTC Privacy List, and is somewhat relevant.... (The the "Crypto" in the title isn't, oddly...). Some thoughts... (er, questions): 1. What are the implications for log-on systems that rely on recognition of faces (supposedly impossible for hackers to describe and exploit)? 2. Legal implications for witnesses? ------- Forwarded Message Follows ------- Date: Sun, 7 Apr 1996 08:24:18 -0700 From: taxhaven at ix.netcom.com (Adam Starchild ) Subject: British Study Claims That Photo Credit Cards Don't Work To: privacy at ftc.gov "Crypto-ID" Cards Not Effective Recent studies into the effectiveness of photo credit cards have cast doubt over their ability to cut fraud. Dr. Richard Kemp, of the Department of Psychology at Westminster University, London, organized an experiment involving a London supermarket to test the cards in "the real world." The supermarket was staffed by six people who were all warned to be on the look out for fraudulent credit cards. Dr. Kemp arranged for 44 of his students to pose as shoppers and test the staffs' ability to spot photo-card misuse. Each student was armed with four cards. One showed the student as they were, one showed the student wearing make-up, one showed an individual who vaguely resembled the student and the last card depicted someone who looked nothing like the bearer. People usually recognize photographs of individuals based on a familiarity of the subject. A photograph captures only one angle and expression out of thousands of different combinations. People will recognize photographs of family, friends and well known individuals easily. But how easy is it to accurately compare a photograph with the face of a perfect stranger? At a recent conference, Dr. Kemp said that matching a photo to a stranger's face was "too difficult." He also said that in a non- experimental situation, such as a supermarket, the incidence of fraud detection would be even lower. The results of Dr. Kemp's supermarket experiment proved very interesting. In all, the majority of fraudulent cards were accepted. Amazingly, 35 per cent of the cards bearing a photograph of someone completely different from the student were accepted. A massive 64 per cent of cards bearing a similar individual were also accepted. Another factor which seems to further prove Dr. Kemp's point is that 14 per cent of cards bearing a true likeness of the student were rejected. A few British banks are already offering customers the opportunity to have their photograph etched onto their cards. They claim a reduction in fraud has resulted from this. Dr. Kemp's findings would seem to contradict this belief. Dr. Nicky Towell, one of Dr. Kemp's researchers, said "There is a widely held assumption that photo credit cards are a cheap and effective way of stopping fraud. But this is not the case." No one can tell how well photo credit cards will catch on. But with the majority of people carrying at least one, if not more cards of some sort, how long will it be before photos become compulsory? The government knows that the introduction of ID cards is a political hot potato, but how many people would notice if they turned the cards we already have into crypto-ID cards? Reprinted from The Mouse Monitor, The International Journal of Bureau-Rat Control, a periodical published by Scope International for its customers. Scope International is on the Worldwide Web at http://www.britnet.co.uk/Scope/ Posted by Adam Starchild The Offshore Entrepreneur at http://www.au.com/offshore The privacy list is run automatically by the Majordomo list manager. Send a "help" command to majordomo at ftc.gov for assistance. Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From hal9001 at panix.com Mon Apr 8 05:10:19 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 8 Apr 1996 20:10:19 +0800 Subject: Someone's screwing around with anon.penet.fi Message-ID: <v02140b02ad8e488551b4@[166.84.254.3]> At 18:37 4/6/96, Chris Walter wrote: >In article ><cypherpunks.Pine.BSF.3.91.960406114609.5026B-100000 at kirk.edmweb.com> >Steve Reid <steve at edmweb.com> writes: > >> Here's another one of them unsolicited messages from anon.penet.fi. > >I also got one of these right after I posted to cypherpunks. I >normally just lurk, and the address that was used is the machine I >read and post news on(we have a gateway to the mailing list). So I am >pretty sure it is related to my posting to cypherpunks. > >I have written to the administrators at anon.penet.fi asking about this >and informing them. I'll pass on any relevant info they send me. While taking to anon.penet.fi will help, the one to talk to is the list owner and ask them to clean up their act. They should either reject any attempt to use ANxxx at anon.penet.fi IDs in lieu of the correct NAxxx at anon.penet.fi form, automatically convert the registration to NAxxx at anon.penet.fi, or parse the membership list for ANxxx at anon.penet.fi IDs and fix them to the NAxxx form. If the list is run by Majordomo, there is a patch that fixes the problem by correcting the address list [or it may be outgoing address] (and I think keeping it clean at subscribe time). From mixmaster at remail.obscura.com Mon Apr 8 05:17:03 1996 From: mixmaster at remail.obscura.com (Mixmaster) Date: Mon, 8 Apr 1996 20:17:03 +0800 Subject: the cost of untracability?Re: the cost of untracability? Message-ID: <199604080650.XAA01741@sirius.infonex.com> [Please excuse the minor taxpunks diversion; there's a relevant point here, aside from the fact that we're approaching April 15 and discussing technologies that will let some people not care if they're approaching April 15 in a few years :-] At 09:28 AM 4/7/96 -0800, Jim Bell wrote: >FWIW, I think that there is no capital-gains-type tax on currency >conversions. In other words, if I take dollars and buy yen today, >and the interconvert rate changes and I convert back and make a >"profit," that is not considered income. What it's worth is fairly minimal, i.e. the IRS doesn't see it that way. If you did transaction Y and then transaction X and now have $100 more than you did before you started, they think that's capital gain, whether you were buying and selling Yen, soybeans, or mutual funds. The only difference if you're buying and selling ecash from Bank Foo is that it may be easier to not tell them about the transaction if it were all encrypted and outside your home jurisdiction. What they don't know won't hurt them... On the other hand, depending on what country your bank is in, there may be taxes or fees or bribes charged by the bank's home country, which would get passed along to you either directly or indirectly. > And most of the "interest" will simply be the avoided inflation loss > that would have otherwise occurred. Buying ecash may be equivalent > to buying an absolutely non-inflating currency that the government > can't manipulate. No, it's equivalent to buying private-bank currency, which may be denominated in dollars or ECUs or gold or yen or pesos or zorkmids, which may be inflatable by some government, or may be backed only by the full faith and credit of the anonymous remailer in Panama that you reach your ostensibly Cayman-Islands e-bank through. Now for the slight cypherpunks relevance - assuming that you're banking in some currency other than your home country's government's, whether it's hard currency like Swiss Francs or soft metal like gold or a mixture like ECUs or shares of Fidelity Mercury Fund, if you to pay taxes on the net result of transactions, you'll probably want a timestamped log of what you did when, and ideally a good data set of the highest, lowest, and instantaneous prices of the backing currency on several markets, so you can report your profits and losses pessimistically. (For most kinds of accounts, you'd want those sources to be totally separate, but for captive currencies like BankFoo Non-Inflatable Zorkmids, you might want to get them together, though you might want to have two accounts, one of which is quiet and subscribes to the price reports and another where your real transactions happen.) Alice du Gnome-ynous. From ddfr at best.com Mon Apr 8 05:56:14 1996 From: ddfr at best.com (david friedman) Date: Mon, 8 Apr 1996 20:56:14 +0800 Subject: "Contempt" charges likely to increase Message-ID: <v02130502ad8dd64ae9b2@[205.149.171.135]> Unicorn wrote: > No ISP in its right mind is going to ask for trouble. If I'm a >prosecutor and I suspect that the ISP may be complicit in hiding >evidence, I'm going to ask for a search and seizure warrant (a la sun >devil) and just walk in and take the equipment I believe the data to be >on and then satisify myself that it's unattainable. Last semester I taught a seminar on computers, crime, and privacy and we had, as a guest lecturer one evening, Silicon Valley's one full time computer cop (he works for the SC County D.A.'s office). One of his comments was that ISP's were generally very cooperative, because they knew that he could legally impose large costs on them by seizing their systems as evidence. David Friedman From raph at CS.Berkeley.EDU Mon Apr 8 12:10:26 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 9 Apr 1996 03:10:26 +0800 Subject: List of reliable remailers Message-ID: <199604081350.GAA03874@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = "<remail at miron.vip.best.com> cpunk pgp special"; $remailer{"portal"} = "<hfinney at shell.portal.com> cpunk pgp hash"; $remailer{"alumni"} = "<hal at alumni.caltech.edu> cpunk pgp hash"; $remailer{"bsu-cs"} = "<nowhere at bsu-cs.bsu.edu> cpunk hash ksub"; $remailer{"c2"} = "<remail at c2.org> eric pgp hash reord"; $remailer{"penet"} = "<anon at anon.penet.fi> penet post"; $remailer{"hacktic"} = "<remailer at utopia.hacktic.nl> cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = "<remailer at flame.alias.net> cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = "<homer at rahul.net> cpunk pgp hash filter"; $remailer{"mix"} = "<mixmaster at remail.obscura.com> cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = "<remailer at bi-node.zerberus.de> cpunk pgp hash ksub ek"; $remailer{"vishnu"} = "<mixmaster at vishnu.alias.net> cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = "<robo at c2.org> cpunk hash mix"; $remailer{"replay"} = "<remailer at replay.com> cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = "<remailer at spook.alias.net> cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = "<remailer at armadillo.com> mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = "<cpunk at remail.ecafe.org> cpunk mix"; $remailer{"wmono"} = "<wmono at valhalla.phoenix.net> cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = "<remailer at shinobi.alias.net> cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = "<amnesia at chardos.connix.com> cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = "<mix at remail.gondolin.org> cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = "<remailer at tjava.com> cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = "<pamphlet at idiom.com> cpunk pgp hash latent cut ?"; $remailer{'alpha'} = '<alias at alpha.c2.org> alpha pgp'; $remailer{'gondonym'} = '<alias at nym.gondolin.org> alpha pgp'; $remailer{'nymrod'} = '<nymrod at nym.alias.net> alpha pgp'; $remailer{'cubed'} = '<alias at alias.alias.net> alpha pgp'; $remailer{"lead"} = "<mix at zifi.genetics.utah.edu> cpunk pgp hash latent cut ek"; $remailer{"treehole"} = "<remailer at mockingbird.alias.net> cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = "<remailer at meaning.com> cpunk pgp hash latent cut"; $remailer{"exon"} = "<remailer at remailer.nl.com> cpunk pgp hash latent cut ek"; $remailer{"vegas"} = "<remailer at vegas.gateway.com> cpunk pgp hash latent cut"; $remailer{"haystack"} = "<haystack at holy.cow.net> cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = "<ncognito at gate.net> mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 8 Apr 96 6:48:25 PDT remailer email address history latency uptime ----------------------------------------------------------------------- cubed alias at alias.alias.net *+#********* 15:15 100.00% exon remailer at remailer.nl.com **-*++++***+ 7:10 100.00% ecafe cpunk at remail.ecafe.org ######*#+### :53 99.99% shinobi remailer at shinobi.alias.net ###*###+-.-# 57:53 99.96% ncognito ncognito at gate.net **-###***#*# 1:58 99.95% spook remailer at spook.alias.net **+****+**** 19:38 99.92% mix mixmaster at remail.obscura.com --*-+-+-++++ 4:47:31 99.92% amnesia amnesia at chardos.connix.com -+++----++- 2:23:46 99.89% portal hfinney at shell.portal.com #*##- *##### 6:42 99.89% alpha alias at alpha.c2.org ++**++ ++++* 43:53 99.83% vishnu mixmaster at vishnu.alias.net **--+*+--.-* 5:31:24 99.82% treehole remailer at mockingbird.alias.net -+++---..-+ 7:01:45 99.73% alumni hal at alumni.caltech.edu -###-### ### 25:20 99.66% vegas remailer at vegas.gateway.com #+##-* -***+ 1:08:32 99.49% hacktic remailer at utopia.hacktic.nl ****** ***** 8:32 99.37% flame remailer at flame.alias.net ------ ---- 4:10:53 98.99% penet anon at anon.penet.fi _..._---.-- 27:54:21 98.63% replay remailer at replay.com +**+ -**** 15:48 98.40% nymrod nymrod at nym.alias.net *+--**+--. * 6:11:27 98.39% c2 remail at c2.org -+++ +++++++ 40:17 97.18% gondonym alias at nym.gondolin.org -+---+ .- 16:49:10 89.13% extropia remail at miron.vip.best.com -- ------- 7:03:22 88.90% gondolin mix at remail.gondolin.org -----+ .- 15:51:19 88.04% haystack haystack at holy.cow.net ***+*#*-## 47:06 84.29% lead mix at zifi.genetics.utah.edu ++++ 38:07 69.04% nemesis remailer at meaning.com ***** 2:39:59 38.60% tjava remailer at tjava.com 1:02 -3.94% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From jya at pipeline.com Mon Apr 8 13:15:12 1996 From: jya at pipeline.com (John Young) Date: Tue, 9 Apr 1996 04:15:12 +0800 Subject: RAS_put Message-ID: <199604081507.LAA11674@pipe3.nyc.pipeline.com> 4-08-96 WSJ eyes the Rasputin of the plot linking: 1. Encryption export 2. Microsoft 3. The Seychelles 4. Internet regulation 5. Privacy rights 6. Immigration reform 7. Anti-taxation 8. The computer industry RAS_put From WlkngOwl at UNiX.asb.com Mon Apr 8 14:41:59 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Tue, 9 Apr 1996 05:41:59 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don' Message-ID: <199604081600.MAA15467@unix.asb.com> On 8 Apr 96 at 11:44, Declan B. McCullagh wrote: > Fascinating stuff. I've used Mike Godwin's driver's license to buy a > beer when I didn't have mine with me. And, trust me, we look nothing > alike. *chuckle* It was a semi-common practice when I was in high school to show licenses to buy beer, because they never looked at the birth dates. The state got wise to it and now put in big red letters "UNDER 21" on minor's licenses.... Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From jimbell at pacifier.com Mon Apr 8 14:42:19 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Apr 1996 05:42:19 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u6JO3-00090zC@pacifier.com> At 11:03 PM 4/7/96 -0700, david friedman wrote: >Unicorn wrote: > >> No ISP in its right mind is going to ask for trouble. If I'm a >>prosecutor and I suspect that the ISP may be complicit in hiding >>evidence, I'm going to ask for a search and seizure warrant (a la sun >>devil) and just walk in and take the equipment I believe the data to be >>on and then satisify myself that it's unattainable. > >Last semester I taught a seminar on computers, crime, and privacy and we >had, as a guest lecturer one evening, Silicon Valley's one full time >computer cop (he works for the SC County D.A.'s office). One of his >comments was that ISP's were generally very cooperative, because they knew >that he could legally impose large costs on them by seizing their systems >as evidence. It is exactly this attitude that we need to change. I presume you saw my comment from a day ago, when I pointed out that before 1968, local phonecos were doing wiretaps without any sort of court order, simply because the local cops (or FBI) asked, even though those requesting the tap could not use the evidence in court. And even _that_ level of cooperation was presumably done without any plausible risk that the prosecutor could sieze a phone switch for non-cooperation. It is even likely that the phoneco could have acted to lose the prosecutor/police his job if they had decided to press and publicize what must have been an illegal request at the time. The fact they did not is telling. It was clearly not an "arm's length" relationship. It was a relationship of friendly people who regularly did favors for each other, playing with their customer's privacy. This is the reality that we must face and deal with: Officials abuse their positions all the time. They will do so if the system is designed to allow them to. Allowing officials to sieze an ISP's equipment is just asking for trouble. In my opinion, ISP's should be able to decide ahead of time whether to cooperate if they are asked for information. They should be entitled to take a position that they will (or will not) contract with their users to prevent any disclosure of information, and this decision should be legally binding on the prosecutor as well. The "feedback loop" is closed by the fact that bad publicity may accrue if the ISP refuses to cooperate, leading to a "market" of different ISP's with different standards. I am convinced that whatever benefit may arguably accrue from being able to subpoena information is far lower than the cost of loss of freedom that surely will occur if prosecutors are able to strong-arm ISP's into illegal cooperation, such as occurred with phonecos before 1968. I'm still waiting for somebody to show that the majority of crimes that are investigated using subpoena power are "malum in se" crimes, as opposed to "malum prohibitum" ones. Jim Bell jimbell at pacifier.com From declan+ at CMU.EDU Mon Apr 8 14:46:26 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 9 Apr 1996 05:46:26 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work In-Reply-To: <199604080500.BAA19015@unix.asb.com> Message-ID: <slOHFry00YUv8B5Gwy@andrew.cmu.edu> Excerpts from internet.cypherpunks: 8-Apr-96 (Fwd) British Study Claims .. by "Deranged Mutant"@UNiX.a > The results of Dr. Kemp's supermarket experiment proved very > interesting. In all, the majority of fraudulent cards were > accepted. Amazingly, 35 per cent of the cards bearing a > photograph of someone completely different from the student were > accepted. A massive 64 per cent of cards bearing a similar > individual were also accepted. Another factor which seems to Fascinating stuff. I've used Mike Godwin's driver's license to buy a beer when I didn't have mine with me. And, trust me, we look nothing alike. -Declan From JonWienke at aol.com Mon Apr 8 15:06:24 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Tue, 9 Apr 1996 06:06:24 +0800 Subject: Spinners and compression functions Message-ID: <960408124222_464915004@emout10.mail.aol.com> In a message dated 96-04-08 04:01:28 EDT, stewarts at ix.netcom.com writes: >Data contains varying quantities of predictablity and unpredictability. >Some of the predictability has simple enough structure that a basic >compression function can find and exploit it to squash the data. >Some of the predictability doesn't. For what it's worth, compressing >the data before using it for other things does leave you with somewhat >more consistent entropy per byte for "typical" random input, because it >eliminates the easy stuff. That was the entire point of my original posting on this subject. I was proposing using a compression function on spinner data, which contains very little entropy and compresses well. (50 - 80% on idle loop timing data, depending on processor load) I don't believe I said anything about compressing image data of any kind, or audio recordings of humpback whales doing the wild thing, etc. Noise sphere plots of ZIP files look pretty good, regardless of how good or bad the plot of the unZIPed file looks. (Raw idle loop timing plots are terrible.) I have posted a longer reply to Perry via E-mail... Jonathan Wienke From mpd at netcom.com Mon Apr 8 15:29:46 1996 From: mpd at netcom.com (Mike Duvos) Date: Tue, 9 Apr 1996 06:29:46 +0800 Subject: Australia's New South Wales tries net-censorship In-Reply-To: <v02140b01ad8e4283e85d@[166.84.254.3]> Message-ID: <199604081601.JAA23412@netcom6.netcom.com> "Robert A. Rosenberg" <hal9001 at panix.com> writes: > At 17:47 4/6/96, David K. Merriman wrote: >> Makes me wonder if browser companies/authors couldn't be >> dragged into any such conflicts. If Person A inadvertently >> stumbles across Pedophiles 'R' Us on the net, and quickly >> moves on, I have yet to see a browser that lets him/her say >> "quick - delete that last cacheing operation", thus *making* >> him/her 'guilty' of criminal possession. > Netscape in the Cache Preferences has a button to delete > your cache contents so button would seem to serve this need > (while being a little overkill for this capability since it > deletes everything and you must then rebuild your cache from > scratch). While I doubt that many people inadvertantly stumble across the mother load of illegal porn on the Web, the "store and forward" nature of Usenet can certainly create such problems, particularly for those in the habit of grabbing all new messages in their favorite newsgroups before reading them. I'd be interested to know if the courts have ever had a case in which a person has been declared to have been in "possession" of illegal material merely by virtue of its momentary presence in their cache, screen buffer, or usenet spool. There is a case now involving the University of Pittsburgh in which the Feds are attempting to prove that an individual was in possession of certain child porn images on his own PC during a brief span of time in 1993. There was also a case in which a BBS operator was charged based on an allegedly illegal image found in a directory containing unchecked user uploads. Had the cops done nothing, the image would have been wiped shortly thereafter. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From peponmc at Fe3.rust.net Mon Apr 8 15:46:20 1996 From: peponmc at Fe3.rust.net (Michael C. Peponis) Date: Tue, 9 Apr 1996 06:46:20 +0800 Subject: They're running scared. Message-ID: <199604081638.MAA03875@Fe3.rust.net> -----BEGIN PGP SIGNED MESSAGE----- On Sun, 07 Apr 1996, jim bell wrote: [article snipped] >Articles such as this are interesting because they appear to be written >without any illusion that the interests of governments are anything other >than just that, interests of governments. They are NOT the interests >of the average citizen. Absolutly, and it seems that more and more thinking people are realizing this, as for the non-thinking ones, well we are better off without them, the only thing they contribute are problems Debate works to a point, but there comes a point and time where all that can be said, has been said, and we are past that point. Personally, I love national insecurity such as terrorist attacks and random bombings, wish there were more of them by more people. What they do is sow fear, instensify camps, and pit people against each other. Goverments are use to wars, where there are large, well-defined groups assult one another, they have huge problems dealing with small groups of people attack it or each other. That is what will eventually cause it to collapes, which is a good thing. For those who say that such an event would be catostrophic, that is a myth, I worked with someone from Berut a few years ago, when the goverment there collapesed. He said other than the perpetual mortor fire, and speratic bombings, life went on as usuall. People got up and went to work, people bought and sold, etc. From a microsopic scale, nothing had changed, it was only if you looked at the bigger picture that things were different, and quite frankly, those types of things do not effect us individually. I do not need an x trillion dollar economy to continue living at my standard of living, most of us on this list do not, the only people that benifit are the power brokers and the dumb, weak, and stupid. I have nothing against charity(that's what taxes amount to), but when charity reaches 50%+ of my income, and starts to erode my freedom, well now it's a problem. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMWkWWUUffSIjnthhAQHEiQP/Sp5+UfCFGmvEO/9nRFBLXBm9haPiJC/y oVCoKQi/jeCkXy1HaPjrrObFkV0fvRsHxk5GvHXfX9sIkFi/i9mrGafpXFUuRfkP qua2wYp91Omh39QptHThGgEKl0sdKBzw+/9uHCqwUyViqoZZBO7Y7kUGffT9XL9m 13VTjMTyFz4= =e+UM -----END PGP SIGNATURE----- Regards, Michael Peponis PGP Key Available from MIT KeyServer From jk at digit.ee Mon Apr 8 16:17:01 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Tue, 9 Apr 1996 07:17:01 +0800 Subject: Bank transactions on Internet Message-ID: <Pine.GSO.3.92.960408192320.16049B-100000@happyman> Suddenly some banks here in Estonia have decided that they must start offering banking services over Internet already during the next months. What worries me is that some of them are talking about using 40-bit SSL as the main security mechanism. What about banks in US and Europe, how many of them are using Internet and WWW to offer their services already? Is it possible to use WWW forms to make real transactions or can you just view your transaction history and account status? In case the banks are using WWW forms and SSL, are the services limited to 128-bit clients? How is the client authentication handled? Does the client just get a plain username and password? I had a look at some banks like Security First National Bank and some others, and it seems that they use just SSL + username/password for they banking services. Does this really work, especially with 40-bit keys? SSL with client certificates would seem a little bit more secure once it is available, but still not secure enough for real banking on Internet. Just curious (and confused), Juri Kaljundi jk at digit.ee From perry at piermont.com Mon Apr 8 16:49:15 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Apr 1996 07:49:15 +0800 Subject: Bank transactions on Internet In-Reply-To: <Pine.GSO.3.92.960408192320.16049B-100000@happyman> Message-ID: <199604081804.OAA03690@jekyll.piermont.com> > Suddenly some banks here in Estonia have decided that they must start > offering banking services over Internet already during the next months. > What worries me is that some of them are talking about using 40-bit SSL as > the main security mechanism. That seems very silly. Considering that you folks have no laws preventing you from using better I would suggest not doing something so foolish -- 40 bit RC4 is almost worthless as a cryptosystem as the recent paper on key lengths points out. Perr From declan+ at CMU.EDU Mon Apr 8 16:52:43 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 9 Apr 1996 07:52:43 +0800 Subject: Australia's New South Wales tries net-censorship In-Reply-To: <199604081601.JAA23412@netcom6.netcom.com> Message-ID: <glOIyXm00YUvEJA6YF@andrew.cmu.edu> Excerpts from internet.cypherpunks: 8-Apr-96 Re: Australia's New South W.. by Mike Duvos at netcom.com > I'd be interested to know if the courts have ever had a case in > which a person has been declared to have been in "possession" of > illegal material merely by virtue of its momentary presence in > their cache, screen buffer, or usenet spool. > > There is a case now involving the University of Pittsburgh in > which the Feds are attempting to prove that an individual was in > possession of certain child porn images on his own PC during a > brief span of time in 1993. For it to be a crime, I would presume that the courts would require "guilty knowledge" of the act. (At least I hope they would!) As for the Pitt "child porn" case, I've spoken with the fellow's roommate and have some more info at: http://fight-censorship.dementia.org/fight-censorship/dl?num=1924 -Declan From perry at piermont.com Mon Apr 8 17:21:32 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Apr 1996 08:21:32 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604081756.NAA03659@jekyll.piermont.com> Jon asked why it is that I contend that a compression algorithm won't in the general case even out the entropy of a semi-random stream. The answer can be obtained by simply trying to run gzip over an image, preferably one that hasn't been compressed. The results are, in general, very bad, even though images are highly compressable (even losslessly). I leave the why up as an exercise to the reader. I have said before and I will say again that the only reliable way of dealing with a stream that has some amount of randomness mixed in with it that you wish to distil down into pure random bits is to use solid reasoning to figure out how many bits of entropy per unit of input you can actually expect to see, add a large fudge factor to cover your ass, and then distil down using a cryptographic hash. Anything else makes me highly nervous. If you can't estimate the amount of entropy in an input stream from first principles, then you are probably in trouble and should seek an input stream that you have a better handle on. Perry From tcmay at got.net Mon Apr 8 17:21:56 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 9 Apr 1996 08:21:56 +0800 Subject: the cost of untracability? Message-ID: <ad8ea41b030210048080@[205.199.118.202]> At 7:53 PM 4/7/96, Jim Gillogly wrote: >jim bell <jimbell at pacifier.com> writes: >>FWIW, I think that there is no capital-gains-type tax on currency >>conversions. In other words, if I take dollars and buy yen today, and the > >I bounced this off a CPA, who said she would be very suprised if this is >really the case: in general the IRS considers increases in wealth to be >taxable, and unless there's a specific exclusion for currency transactions >that she doesn't know about, she suspects this is not the case. As a >conceptual counterexample she points out that you are responsible for any >profit you make from selling your car for more than you pay for it (but, >as you might expect, you don't get to take a loss if you sell it for less). I think your CPA is clearly misinformed, or one of us has misunderstood the conditions under which her statement is true. For example, I read a fair number of corporate earnings reports, and can assure you that many companies report gains and losses on currency conversions. (Many companies use derivatives to hedge themselves against fluctuations in foreign currencies....) Similarly, if I consult the "Wall Street Journal" I find page after page of listings for currency prices, futures on currency prices, derivatives involving said currencies, and so on. I can easily be a "currency speculator" by calling my broker. It may come as a surprise to this CPA (and Jim Bell, from his later message), but gains in this market are taxable, and losses can offset gains, subject to the usual mumbo jumbo rules. It is certainly true that if one converts $300 into yen for a trip to Japan, to have to buy a few beers for cash (Tokyo is expensive), and upon returning to the U.S. their has been some slight gain (yes, a "profit"), that the IRS is not interested. This is a matter of practicality, given that such minor conversions are usually done in cash form, are too small to worry about (minimal gains...a few bucks in the example shown, and usually more than erased by the conversion rate differential). Try speculating _seriously_ in the dollar-yen conversion rate, through the various options listed in financial newspapers, and then telling the IRS that a $100,000 profit, say, is not taxable because of what a CPA said. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dwl at hnc.com Mon Apr 8 17:33:11 1996 From: dwl at hnc.com (David Loysen) Date: Tue, 9 Apr 1996 08:33:11 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <199604081810.LAA22544@spike.hnc.com> At 12:58 AM 4/8/96 +0000, you wrote: >This comes from the FTC Privacy List, and is somewhat relevant.... >(The the "Crypto" in the title isn't, oddly...). > >Some thoughts... (er, questions): >1. What are the implications for log-on systems that rely on >recognition of faces (supposedly impossible for hackers to describe >and exploit)? Does anybody know how well these systems work? If I don't shave over the weekend will my computer know who I am Monday morning? Is my credit card going to have my face digitized and encoded onto the mag stipe for comparision with a video camera image at the time of sale? >2. Legal implications for witnesses? > I think many eyewitness accounts are already taken with a grain of salt, at least as far as picking a suspect. Certainly in court the lawyers say whatever makes their case look better. >------- Forwarded Message Follows ------- >Date: Sun, 7 Apr 1996 08:24:18 -0700 >From: taxhaven at ix.netcom.com (Adam Starchild ) >Subject: British Study Claims That Photo Credit Cards Don't Work >To: privacy at ftc.gov > > "Crypto-ID" Cards Not Effective > > Recent studies into the effectiveness of photo credit cards >have cast doubt over their ability to cut fraud. Dr. Richard >Kemp, of the Department of Psychology at Westminster University, >London, organized an experiment involving a London supermarket to >test the cards in "the real world." Most if not all credit card issuing banks use some form of fraud detection software. The next generation of these products will be analyzing transaction data from the card clearing banks in real time to stop fraudulent transactions before they are complete. Expect to see more "may I see your ID" questions as these systems flag transactions as possible fraud. I have had a credit card with my photo on it for several years, I can't ever remember a sales person who seemed at all interested in comparing the photo to me. > The supermarket was staffed by six people who were all >warned to be on the look out for fraudulent credit cards. Dr. >Kemp arranged for 44 of his students to pose as shoppers and test >the staffs' ability to spot photo-card misuse. Each student was >armed with four cards. One showed the student as they were, one >showed the student wearing make-up, one showed an individual who >vaguely resembled the student and the last card depicted someone >who looked nothing like the bearer. > People usually recognize photographs of individuals based on >a familiarity of the subject. A photograph captures only one >angle and expression out of thousands of different combinations. >People will recognize photographs of family, friends and well >known individuals easily. But how easy is it to accurately >compare a photograph with the face of a perfect stranger? At a >recent conference, Dr. Kemp said that matching a photo to a >stranger's face was "too difficult." He also said that in a non- >experimental situation, such as a supermarket, the incidence of >fraud detection would be even lower. > The results of Dr. Kemp's supermarket experiment proved very >interesting. In all, the majority of fraudulent cards were >accepted. Amazingly, 35 per cent of the cards bearing a >photograph of someone completely different from the student were >accepted. A massive 64 per cent of cards bearing a similar >individual were also accepted. Another factor which seems to >further prove Dr. Kemp's point is that 14 per cent of cards >bearing a true likeness of the student were rejected. > A few British banks are already offering customers the >opportunity to have their photograph etched onto their cards. >They claim a reduction in fraud has resulted from this. Dr. >Kemp's findings would seem to contradict this belief. Dr. Nicky >Towell, one of Dr. Kemp's researchers, said "There is a widely >held assumption that photo credit cards are a cheap and effective >way of stopping fraud. But this is not the case." > No one can tell how well photo credit cards will catch on. >But with the majority of people carrying at least one, if not >more cards of some sort, how long will it be before photos become >compulsory? The government knows that the introduction of ID >cards is a political hot potato, but how many people would notice >if they turned the cards we already have into crypto-ID cards? > > >Reprinted from The Mouse Monitor, The International Journal of >Bureau-Rat Control, a periodical published by Scope International >for its customers. Scope International is on the Worldwide Web >at http://www.britnet.co.uk/Scope/ > > >Posted by Adam Starchild > The Offshore Entrepreneur at http://www.au.com/offshore > > > >The privacy list is run automatically by the Majordomo list manager. >Send a "help" command to majordomo at ftc.gov for assistance. > >Rob. > >--- >Send a blank message with the subject "send pgp-key" >to <WlkngOwl at unix.asb.com> for a copy of my PGP key. > > dwl at hnc.com David Loysen 619-546-8877 x245 From JonWienke at aol.com Mon Apr 8 17:38:34 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Tue, 9 Apr 1996 08:38:34 +0800 Subject: Spinners and compression functions Message-ID: <960408150007_186997947@emout06.mail.aol.com> I received this via private email, and have been asked by the sender to post to cpunks. >Subj: Re: Spinners and compression functions >Date: 96-04-08 12:49:29 EDT >From: eli+ at GS160.SP.CS.CMU.EDU >Sender: eli+ at GS160.SP.CS.CMU.EDU >To: JonWienke at aol.com > >In article ><+cmu.andrew.internet.cypherpunks+clNRbLm00UfAE109Nf at andrew.cmu.edu> you >write: >>Run the spinner output through a PKZip type compression >>function, and then seed a PRNG with the output from that. This would >provide >>a means of gauging the amount of entropy that has been fed into the PRNG, >>(count the bytes output from the compression function) which will allow the >>program to disallow any output from the PRNG until a sufficient amount of >>entropy has been fed into it. > >If pkzip were a perfect compressor (which doesn't exist), this would >work well. What you're doing is measuring entropy with respect to >pkzip's model of the input language, which can be arbitrarily far off >from the entropy you'd get with a more powerful model. This means >that an attacker who understands the video retrace (or whatever) can >get an edge on you. You really can't tell if data is random by >looking at it -- for example, Nisan published a generator based on >universal hash functions that provably passes all space-bounded tests, >which most statistical tests are. > >Compressing the data probably won't hurt (*probably*, and assuming you >take the header off!). But Unix compress won't make data look >statistically random, and I doubt pkzip will either. Neither one will >give you a useful estimate of the entropy in the data stream. You >have to guess that yourself, and then use a strong hash function to >get it down to that point. > >-- >. Eli Brandt usual disclaimers . >. eli+ at cs.cmu.edu PGP key on request . >. violation of 18 U.S.C. 1462: "fuck". From sameer at c2.org Mon Apr 8 17:39:42 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 9 Apr 1996 08:39:42 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604081804.OAA03690@jekyll.piermont.com> Message-ID: <199604081941.MAA00812@atropos.c2.org> > > > > Suddenly some banks here in Estonia have decided that they must start > > offering banking services over Internet already during the next months. > > What worries me is that some of them are talking about using 40-bit SSL as > > the main security mechanism. Please point these banks to Apache-SSL (http://www.algroup.co.uk/Apache-SSL/). They can run SSL without using 8-cent RC4. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From rngaugp at alpha.c2.org Mon Apr 8 18:34:10 1996 From: rngaugp at alpha.c2.org (rngaugp at alpha.c2.org) Date: Tue, 9 Apr 1996 09:34:10 +0800 Subject: "Contempt" charges likely to increase Message-ID: <199604081656.MAA00598@miron.vip.best.com> This is why raw symetric ciphers should be used, without headers. PGP should have an option to omit its headers when using the -c switch. People should not be forced to use outside programs such as stealth. In the absence of cryptanalysis, the output of a symetric cipher looks like random bytes. Every one should have a hardware RNG on their computer. "I am sorry your honor, that is a file of random numbers that I was using to check the output of my RNG." Or "I am sorry your honor that is a one-time pad I was planning to use." Or how about the purloined letter method? A few years back, a hack to PGP was published, which gave the user the option of directly controling the idea key used when encrypting/decrypting with RSA. There even was a option to make the idea key used in encrypting key wrong (that is, different than specified in the encrypted RSA message). "I am sorry your honor, that file is encrypted so that only obiwan at galaxy.far.far.away can decrypt. It is too bad that obiwan is outside the jusisdiction of the court." (But in fact I can decrypt by directly specifying the idea key.) By using the wrong idea key, I can fix it so that in the unlikely event that someone finds obiwan, obiwan finds that his secret key does not work. (Because the key decrypted by RSA is wrong.) With a little thought. you could change the above senerio to use obiwan at alpha.c2.org and fix it so that obiwan does not actually exist, and his secret key has been destroyed. (Create obiwan at alpha.c2.org, but fixit so that his reply block points off into the weeds. Create a public/secret PGP keys for obiwan and send the public key to the public key servers, using remailers. Using remailers, publish a few signed articles in obiwan's name. Then wipe obiwan's secret key with pgp -w.) You can now claim that you started a private encrypted conversation with obiwan at alpha.c2.org. Who unfortunately can not be found. From unicorn at schloss.li Mon Apr 8 19:15:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 9 Apr 1996 10:15:58 +0800 Subject: the cost of untracability? In-Reply-To: <m0u65hy-0008ynC@pacifier.com> Message-ID: <Pine.SUN.3.91.960408154753.398D-100000@polaris.mindport.net> On Sun, 7 Apr 1996, jim bell wrote: > At 12:53 PM 4/7/96 PDT, Jim Gillogly wrote: > > > >jim bell <jimbell at pacifier.com> writes: > >>FWIW, I think that there is no capital-gains-type tax on currency > >>conversions. In other words, if I take dollars and buy yen today, and the > > > >I bounced this off a CPA, who said she would be very suprised if this is > >really the case: in general the IRS considers increases in wealth to be > >taxable, and unless there's a specific exclusion for currency transactions > >that she doesn't know about, she suspects this is not the case. As a > >conceptual counterexample she points out that you are responsible for any > >profit you make from selling your car for more than you pay for it (but, > >as you might expect, you don't get to take a loss if you sell it for less). > > That assumes that there is "profit" from exchanging currencies. On any > given transaction, there is never any "profit." The only thing that might > be called a profit is a difference in exchange rates, and that really isn't > an increase in wealth at any point. Ask that CPA to look it up. Instead I'm going to ask the author to look up "taxable event." Seems Mr. Bell now has an LL.M. in taxation. > This makes sense: If the currency in my pocket becomes less valuable due to > inflation, I cannot deduct the loss. If it becomes MORE valuable due to > deflation, I do not need to declare the difference as income. Currency > transactions only generate "profits" from a change in conversion rates, > which are simply differences in inflation rate between two currencies. This assumes that the e-cash is never converted into anything other than more e-cash. It also assumes that the IRS will not assess taxes on currency held in a foreign denomination by converting it (theoretically) to U.S. currency values first. In fact this is precisely what is done. If the e-cash you are holding in your pocket, or whatever, changes dramaticaly in value because of a change in currency rate, then that's profit. If Mr. Bell's supposition were true I could make 20 million dollars speculating on DM or SwFr and never pay the IRS so long as I didn't convert the currency to U.S. denominations. > >>interconvert rate changes and I convert back and make a "profit," that is > >>not considered income. If that's the case, then ecash has an excellent > >>precedent behind it to avoid any taxes on interest, especially if that > >>interest is, in effect, paid by increasing the inherent value of the > >>currency. > > > >My tame CPA also volunteered the information that the IRS is very interested > >and concerned about how they're going to capture transaction information for > >electronic transactions, and they do think it's in their bailiwick... she's > >read some articles on it. > > The answer is, "They're not!" That's right, you heard me. It's uphill all > the way for the IRS. I hope Mr. Bell is correct in this, but the battle is not over yet. U.S. banks will almost certainly not participate in a totally anonymous e-cash scheme any time in the next pair of decades. Offshore banks will be the key. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Mon Apr 8 19:52:06 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 9 Apr 1996 10:52:06 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <m0u66D6-0008z3C@pacifier.com> Message-ID: <Pine.SUN.3.91.960408153813.398C-100000@polaris.mindport.net> On Sun, 7 Apr 1996, jim bell wrote: > The following is a comment of mine that Unicorn didn't respond to. My > comments are included as well. I repeat this because I just saw a quote from > Lysander Spooner which was appropriate under the circumstances. Those who > read Unicorn's notes will notice that he frequently ignores embarrassing > gaffes that he makes. > > [beginning of re-quote] > > > At 08:56 PM 3/30/96 -0500, Black Unicorn wrote: > >> Naturally, you won't address this > >> problem, but the man-on-the-street is more realistic about his own privacy. > >> How many times must I raise this issue? How many times do you ignore it? > >> Face it, people are smarter than you give them credit for. They will simply > >> not tolerate any more shit from the government. > > > >Funny, the latest primary has been one of the highest voter turn outs in > >quite a while (except in Deleware). Considering those are the law-and-order > >types who are most likely to invade personal liberities, I think its a > >bit hard to make the case that the temper of the country is anything but > >very pro-political process. > > Unicorn again displays his cluelessness. > > To put it in simple terms that even you should be able to understand, the > fact that a drowning person moves his arms and legs around a lot doesn't > mean that he LIKES to swim, it may merely mean that he likes drowning even > less. > > [end of re-quote] > > > Spooner's quote follows: > > "Doubtless the most miserable of men, under the most oppressive > government in the world, if allowed the ballot, would use it, if they > could see any chance of thereby meliorating their condition. But it > would not, therefore, be a legitimate inference that the government > itself, that crushes them, was one which they had voluntarily set up, or > even consented to." > > Lysander Spooner I didn't respond to this part originally because I grew tired of typing "Yadda yadda yadda" everytime Mr. Bell lapsed into another psycho-political babble session. What this has to do with Mr. Bell's position, that citizens as a whole had grown so discontented in the United States that they were prepared to rebell actively in large numbers, is unclear. In fact the Spooner quote adds more to my position than Mr. Bell's: "if allowed the ballot, would use it, if they could see any chance of thereby meliorating their condition." Seems that even according to Spooner, the citizens of the U.S. aren't hopeless yet. In fact there is ample evidence that citizens who have come to believe that a sovereign is beyond redemption refuse to participate in the political process any longer. Iran, Iraq, the former Soviet Union, Turkey, the Baltic States are all examples. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nyap at mailhub.garban.com Mon Apr 8 19:52:45 1996 From: nyap at mailhub.garban.com (Noel Yap) Date: Tue, 9 Apr 1996 10:52:45 +0800 Subject: RC4 improvement idea Message-ID: <9604082133.AA15440@mailhub.garban.com> > I got a paper from the cryptography technical report server > "http://www.itribe.net/CTRS/" about a weak class of RC4 keys. The > report said that with some keys, it was possible to predict what some > parts of the State-Box would be. I was thinking of a way to fix this, > and had this idea: > > do some sort of hashing function with the key that derives a number > between 55 and 500 or something like that, then scrabmle the S-box that > many times. In this way, the chances that the State-Box will have any > correlation becomes extremely small. I think it is 1/125 to begin with > anyway, so this would make it around 1/(125*NumPasses). And since the > exact number of passes is a function of the key, the cracker won't know > how many times it went through. I tried this out and having 1000s of > passes doesn't effect the randomness of the state-box in any negative > way, possibly it makes it more random? If anyone has any thoughts I'd > love to hear them. The S-Boxes in DES were optimized to hinder Differential Cryptanalysis. I've seen no studies on the effectiveness of jumbling the S-Boxes during encryption -- even Biham and Shamir's book doesn't mention it -- but, I figure, if it helps, DES would probably already be doing it (unless of course the NSA thought the jumbling would make too good an algorithm). From nyap at mailhub.garban.com Mon Apr 8 19:53:16 1996 From: nyap at mailhub.garban.com (Noel Yap) Date: Tue, 9 Apr 1996 10:53:16 +0800 Subject: RC4 improvement idea Message-ID: <9604082143.AA15502@mailhub.garban.com> > For one key in 256, you can tell what eight bits of the state box are. > For one key in 64000 you can tell what sixteen bits of the state box are, > and so on and so forth. > > Such keys are not weak. Any statistical correlation can be used to an attacker's advantage. Maybe your kid sister might not be able to figure it out, but someone else out there will. From weaver at harry.bwi.wec.com Mon Apr 8 20:09:46 1996 From: weaver at harry.bwi.wec.com (JR Weaver) Date: Tue, 9 Apr 1996 11:09:46 +0800 Subject: Bank transactions on Internet In-Reply-To: <Pine.GSO.3.92.960408192320.16049B-100000@happyman> Message-ID: <9604081642.ZM1632@harry.bwi.wec.com> On Apr 8, 2:04pm, Perry E. Metzger wrote: > Subject: Re: Bank transactions on Internet > > > Suddenly some banks here in Estonia have decided that they must start > > offering banking services over Internet already during the next months. > > What worries me is that some of them are talking about using 40-bit SSL as > > the main security mechanism. > > That seems very silly. Considering that you folks have no laws > preventing you from using better I would suggest not doing something > so foolish -- 40 bit RC4 is almost worthless as a cryptosystem as the > recent paper on key lengths points out. > > Perr >-- End of excerpt from Perry E. Metzger I can verify that Security First Internet Bank uses 40-bit SSL + Username/Password. Their HTTP server also supports 128-bit SSL, however they do not suggest one over the other. I took it upon myself after opening an account with SFNB to purchase my own copy of 128-bit Netscape Navigator. You can make transactions over the net and SFNB does not limit you to 128-bit. Is it really that easy to break 40-bit? Don't you need access to a "fair amount of cpu power" to brute force crack 40bit? As far as I know client authentication is strictly username & password. What other authentication system exists?? J.R.Weaver From adam at lighthouse.homeport.org Mon Apr 8 21:44:58 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 9 Apr 1996 12:44:58 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't In-Reply-To: <199604081810.LAA22544@spike.hnc.com> Message-ID: <199604082244.RAA20072@homeport.org> David Loysen wrote: | Most if not all credit card issuing banks use some form of fraud detection | software. The next generation of these products will be analyzing | transaction data from the card clearing banks in real time to stop | fraudulent transactions before they are complete. Expect to see more "may I | see your ID" questions as these systems flag transactions as possible fraud. | I have had a credit card with my photo on it for several years, I can't ever | remember a sales person who seemed at all interested in comparing the photo | to me. Most merchant agreements prohibit asking for more ID beyond the card. As to the issue of 'do people look at photos?' they don't even look at signatures. I know because I carried a card around for 2 years before anyone noticed that I hadn't signed it. The person who noticed asked me to sign the card (without showing other ID!) before handing over the computer I was buying. Adam cpunk relevance? Most security that relies on people being awake is broken. Security that relies on people with no financial interest in a transactions security is broken. Studying how security breaks today is a good idea. -- "It is seldom that liberty of any kind is lost all at once." -Hume From m5 at vail.tivoli.com Mon Apr 8 21:53:57 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Tue, 9 Apr 1996 12:53:57 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychangers! In-Reply-To: <ad8ea2c0010210042ee1@[205.199.118.202]> Message-ID: <3169901C.3A71@vail.tivoli.com> Timothy C. May wrote: > >That assumes that there is "profit" from exchanging currencies. On any > >given transaction, there is never any "profit." The only thing that might > >be called a profit is a difference in exchange rates, and that really isn't > >an increase in wealth at any point. Ask that CPA to look it up. > > There are people and companies who make a nice business in currency > exchange, ranging from the large companies one finds in international > airline terminals and banks to the smaller, "Mom and Pop" moneychangers one > finds in barrios and other such places. > > These moneychangers attempt to make a "profit" on each exchange (else > they'd hardly stay in business). > > It will probably come as a surprise to them that, according to both a CPA > and Jim Bell, no taxes are owed on their businesses, as "no wealth was > created." This sounds like the kind of thing that the mysterious "Alternative Minimum Tax" was designed for. One area that I *know* it applies to is incentive stock options offered to employees of a company. If you have such things (like, let's say you were hired to clean the monitors at Netscape last January, and they gave you a thousand options because your limp and stutter were so cute), and you exercise the options but don't immediately sell the stock, then your taxable income is figured based on the "paper" gain you made by transforming your $0.10/share options into $100/share stock. You get to deduct the taxes you pay now when you decide to sell your stock and realize actual gain, but AMT is real and it can bite (particularly if you're unwise enough to exercise while you're in the post-IPO lockout period and that period overlaps April 15th). ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From tcmay at got.net Mon Apr 8 22:12:03 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 9 Apr 1996 13:12:03 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychangers! Message-ID: <ad8ea2c0010210042ee1@[205.199.118.202]> At 1:23 AM 4/8/96, jim bell wrote: >At 12:53 PM 4/7/96 PDT, Jim Gillogly wrote: >> >>jim bell <jimbell at pacifier.com> writes: >>>FWIW, I think that there is no capital-gains-type tax on currency >>>conversions. In other words, if I take dollars and buy yen today, and the >> >>I bounced this off a CPA, who said she would be very suprised if this is >>really the case: in general the IRS considers increases in wealth to be >>taxable, and unless there's a specific exclusion for currency transactions >>that she doesn't know about, she suspects this is not the case. As a >>conceptual counterexample she points out that you are responsible for any >>profit you make from selling your car for more than you pay for it (but, >>as you might expect, you don't get to take a loss if you sell it for less). > >That assumes that there is "profit" from exchanging currencies. On any >given transaction, there is never any "profit." The only thing that might >be called a profit is a difference in exchange rates, and that really isn't >an increase in wealth at any point. Ask that CPA to look it up. There are people and companies who make a nice business in currency exchange, ranging from the large companies one finds in international airline terminals and banks to the smaller, "Mom and Pop" moneychangers one finds in barrios and other such places. These moneychangers attempt to make a "profit" on each exchange (else they'd hardly stay in business). It will probably come as a surprise to them that, according to both a CPA and Jim Bell, no taxes are owed on their businesses, as "no wealth was created." Don't believe everything you read on this list, folks. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Mon Apr 8 22:18:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Apr 1996 13:18:49 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604081642.ZM1632@harry.bwi.wec.com> Message-ID: <199604090025.UAA28599@jekyll.piermont.com> "JR Weaver" writes: > Is it really that easy to break 40-bit? Don't you need access to a > "fair amount of cpu power" to brute force crack 40bit? The rest of this article is a direct quotation from Blaze et al in the paper they wrote on minimal safe key lengths. Note that they show that it is easy enough to make a cracker that costs eight cents (CENTS!) per solution, and not that hard to get it down to 1/10th of a cent! Full paper at: ftp://ftp.research.att.com/dist/mab/keylength.txt } There is no need to have the resources of an institution of higher }education at hand, however. Anyone with a modicum of computer }expertise and a few hundred dollars would be able to attack 40-bit }encryption much faster. An FPGA chip --- costing approximately $400 }mounted on a card --- would on average recover a 40-bit key in five }hours. Assuming the FPGA lasts three years and is used continuously }to find keys, the average cost per key is eight cents. } } A more determined commercial predator, prepared to spend $10,000 }for a set-up with 25 ORCA chips, can find 40-bit keys in an average of }12 minutes, at the same average eight cent cost. Spending more money }to buy more chips reduces the time accordingly: $300,000 results in }a solution in an average of 24 seconds; $10,000,000 results in an }average solution in 0.7 seconds. } } As already noted, a corporation with substantial resources can }design and commission custom chips that are much faster. By doing }this, a company spending $300,000 could find the right 40-bit key in }an average of 0.18 seconds at 1/10th of a cent per solution; a larger }company or government agency willing to spend $10,000,000 could find }the right key on average in 0.005 seconds (again at 1/10th of a cent }per solution). (Note that the cost per solution remains constant }because we have conservatively assumed constant costs for chip }acquisition --- in fact increasing the quantities purchased of a }custom chip reduces the average chip cost as the initial design and }set-up costs are spread over a greater number of chips.) From alanh at mailhost.infi.net Mon Apr 8 22:35:58 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Tue, 9 Apr 1996 13:35:58 +0800 Subject: the cost of untracability? In-Reply-To: <199604080217.AA24295@mail.crl.com> Message-ID: <Pine.SV4.3.91.960408201825.12112B-100000@larry.infi.net> Gold is still loaned out between producers. For whatever reason, the money gained in the transaction is called "rent", not "interest". Some time ago, the Bank of Portugal took a big loss when it loaned out gold - and the borrower defaulted. From thecrow at iconn.net Mon Apr 8 23:11:45 1996 From: thecrow at iconn.net (Jack Mott) Date: Tue, 9 Apr 1996 14:11:45 +0800 Subject: questions about bits and bytes Message-ID: <3169BE82.274@iconn.net> This may be a bit of a no brainer, but everything I have read sorta skips over this point. a bit is 1 or 0 8 bits make up a byte (0-255) If I have a 5 byte key, does that make it a 40 bit key? The only reason this doesn't make sense to me is it seems useless to use 5 byte keys, yet that is what companies export since the government limits keys to 40 bits. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From perry at piermont.com Mon Apr 8 23:23:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Apr 1996 14:23:24 +0800 Subject: NSA Budget In-Reply-To: <19960408.181433.15302.0.zalchgar@juno.com> Message-ID: <199604090129.VAA28654@jekyll.piermont.com> zalchgar writes: > Is there a public release of the NSA's annual Budget. No. From perry at piermont.com Mon Apr 8 23:25:46 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Apr 1996 14:25:46 +0800 Subject: RC4 improvement idea In-Reply-To: <9604082133.AA15440@mailhub.garban.com> Message-ID: <199604090017.UAA28573@jekyll.piermont.com> Noel Yap writes: > The S-Boxes in DES were optimized to hinder Differential > Cryptanalysis. I've seen no studies on the effectiveness of > jumbling the S-Boxes during encryption -- even Biham and Shamir's > book doesn't mention it -- but, I figure, if it helps, DES would > probably already be doing it (unless of course the NSA thought the > jumbling would make too good an algorithm). Your conclusion may be correct, but your reasoning is faulty. DES was built to be run in hardware, which doesn't make S-Box jumbling easy; it was in fact built to be run on the hardware of twenty years ago, which was far more constrained than our hardware is now. Perry From unicorn at schloss.li Mon Apr 8 23:28:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 9 Apr 1996 14:28:08 +0800 Subject: the cost of untracability? In-Reply-To: <199604071953.MAA03973@mycroft.rand.org> Message-ID: <Pine.SUN.3.91.960408152836.398A-100000@polaris.mindport.net> On Sun, 7 Apr 1996, Jim Gillogly wrote: > > jim bell <jimbell at pacifier.com> writes: > >FWIW, I think that there is no capital-gains-type tax on currency > >conversions. In other words, if I take dollars and buy yen today, and the > > I bounced this off a CPA, who said she would be very suprised if this is > really the case: in general the IRS considers increases in wealth to be > taxable, and unless there's a specific exclusion for currency transactions > that she doesn't know about, she suspects this is not the case. As a > conceptual counterexample she points out that you are responsible for any > profit you make from selling your car for more than you pay for it (but, > as you might expect, you don't get to take a loss if you sell it for less). Gains on currency 'speculation' (which this example is, even in the absence of intent to profit) are most certainly included in income for the purposes of U.S. tax. Moreover, they are not capital gains income in the case of short term transactions like this. As a result, instead of the lower rate on capital gains, they will be taxed at normal graduated rates. In addition, to prevent funds from being removed to non-resident aliens or foreign entities where tax enforcement and collection is difficult, there is a 30% withholding requirement in the event the payee is not a U.S. citizen or resident (for tax purposes). Note that this requirement is imposed on the paying entity regardless of the disposition of the funds. That would mean that if the e-cash bank were to pay profits to a foreign payee without withholding, the IRS would hold the bank itself liable and let the bank deal itself with collecting the tax from the account holder on its own time and after paying the IRS. > >interconvert rate changes and I convert back and make a "profit," that is > >not considered income. If that's the case, then ecash has an excellent > >precedent behind it to avoid any taxes on interest, especially if that > >interest is, in effect, paid by increasing the inherent value of the > >currency. > > My tame CPA also volunteered the information that the IRS is very interested > and concerned about how they're going to capture transaction information for > electronic transactions, and they do think it's in their bailiwick... she's > read some articles on it. > > Jim Gillogly > 17 Astron S.R. 1996, 19:52 > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From eay at mincom.oz.au Mon Apr 8 23:49:27 1996 From: eay at mincom.oz.au (Eric Young) Date: Tue, 9 Apr 1996 14:49:27 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604081642.ZM1632@harry.bwi.wec.com> Message-ID: <Pine.SOL.3.91.960409104403.28771C-100000@orb> On Mon, 8 Apr 1996, JR Weaver wrote: > with SFNB to purchase my own copy of 128-bit Netscape Navigator. You can make > transactions over the net and SFNB does not limit you to 128-bit. Is it really > that easy to break 40-bit? Don't you need access to a "fair amount of cpu > power" to brute force crack 40bit? As far as I know client authentication is Put put it in a word, 'yes'. > strictly username & password. What other authentication system exists?? This would be a very good system to attack. Last year during the 'break SSL export' saga, I was able to seach 2^39 of the key space mostly using networked workstations that were 486DX50's and sparc 20's. This took 2 week and basically I ran for 12 hours each night and no-one at work really knew I was doing this. Well I now have a pentium 100 and they are starting to appear all over the place, they run my code 3 times faster. This now means that some-one like me, working in a large software company, if it was fitted out with lots of pentiums would be able to definitly get your username and password in less than 10 days with basically no-one knowing that this had been done. Hell, I still have my software sitting around, it is automated, it would only take me a month, with no intervention from me until I get the email with the results. Please remember that I'm not talking about theory. Besides the person working next to me, no-one at work knew I was participating in the brute force beaking attempt. Well this is not totally true, the owner of the SGI with 6 R4400 CPU's noticed that I was using a few of the CPU's but they did not know what the programs were doing :-). I would say that RC4 40 should not be used if possible, especially to do with anything to do with banking. eric (just putting in his own 2 certs worth). -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From declan+ at CMU.EDU Tue Apr 9 00:44:39 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 9 Apr 1996 15:44:39 +0800 Subject: International Net-Censorship Efforts Update Message-ID: <8lOQ_Jy00YUvN==nMc@andrew.cmu.edu> I've just doubled the number of international net-censorship efforts that I track on my web page: <http://www.cs.cmu.edu/~declan/zambia/>. Included are new updates reporting on Germany, France, Australia, Singapore, Canada, and China, among others. Please send me reports on countries I've missed! -Declan -------------------------------------------------------------------------- OTHER INTERNATIONAL NET-CENSOR EFFORTS By Declan McCullagh declan at well.com http://www.cs.cmu.edu/~declan/zambia/ France, China, Germany, Singapore, Jordan, the U.S., and many other countries are moving towards tighter control of the Internet. France and Germany want to see an international agreement of information controls emerge. Recently China required all of its estimated 40,000 Internet users to register at the local police station. This international crackdown marks a turning point in the development of the Net. Germany Germany cuts off access to holocaust revisionist web site (1/96) German Internet update, new laws planned (3/29/96) Los Angeles Times on German vs. U.S. netcensorship (3/13/96) German minister predicts collapse of governments (3/12/96) Germany's CompuServe net-censorship (12/31/95) France French government bans controversial book (1/96) French Jewish students sue ISPs for revisionist materials (3/14/96) French Jewish students sue ISPs for revisionist materials (3/15/96) France calls for "global Internet rules" (2/3/96) Europe Swiss statement on voice over Internet (3/16/96) Sweden proposes CDA-type law to control Internet (4/3/96) Italian net-censorship necessary, says Simon Wiesenthal Ctr (1/11/96) Turkey cracks down on Internet (2/18/96) Belgium bans non-escrowed encryption (1/10/96) Asia and Pacific Rim Singapore leader condemns Net (3/7/96) Indonesia attacks Net (3/11/96) Malaysia complains about uncensored Net, censors it (3/11/96) Singapore censors political, religious net.info (3/6/96) China China cracks down on Internet, "state security" cited (1/24/96) China's anti-cyberporn efforts (2/4/96) New York Times on China's net.crackdown (2/5/96) China's history of Net-regulation, cyberporn concerns (1/1/96) China requires Internet users to register with police (2/16/96) U.S. State Dept criticizes China's net.censorship (3/8/96) China applauds German net.censorship (1/11/96) Australia Australia considers net.legislation (2/13/96) New South Wales tries net-censorship (4/3/96) Australians upset by German Zundelcensorship (4/7/96) Canada Letter to Canadian minister (3/19/96) Canada needs to regulate Net, says Simon Wiesenthal Ctr (2/20/96) Middle East Persian Gulf States reluctant to move online (4/6/96) Jordan installs Internet screening facility (1/8/96) Saudi Arabian government says no unrestricted Net access (1/10/96) -------------------------------------------------------------------------- From unicorn at schloss.li Tue Apr 9 00:59:29 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 9 Apr 1996 15:59:29 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <m0u5Q3q-0008xlC@pacifier.com> Message-ID: <Pine.SUN.3.91.960406132040.2832E-100000@polaris.mindport.net> On Fri, 5 Apr 1996, jim bell wrote: > At 03:49 AM 4/5/96 -0500, Black Unicorn wrote: > >On Thu, 4 Apr 1996, jim bell wrote: > > >> I really don't think you're giving me enough credit. I am fully aware that > >> in the past, the organizations on which wire-tap-type subpoenas were served > >> (primarily AT+T, "The phone company") were very cooperative with the police > >> and probably "never" challenged the subpoena. There is the law, and there > is > >> the usual reaction to that law, and I expect that much of Unicorn's > position > >> is based on a (false) assumption that this reaction will necessarily > >> continue unchanged. > > > >Now, if this is your postion, let's see some support. > > You do the research. Until 1968, Federal wiretaps were illegal, by the > Federal communications Act of 1934. I was asking for you to support your position that my 'assumption' that "this reaction" will continue (i.e. that telecos and ISP's would cooperate with investigations), was false. What the history of wiretaps has to do with this, except that it supports my position the government has enough intimidation power to bully their way, is not clear. > > >From Encyclopedia Brittanica, 1970, vol 23 page 592: Uh huh. Ok. > It is reasonable to assume that most wiretaps, when they were done, were > assisted by the local phone company (usually AT+T). In other words, AT+T > assisted the government in illegal actions. Actually, this is not reasonable to assume, mostly because it's false. While some very small number of illegal wiretaps might have involved phone company complicity, the vast majority of illegal wiretaps were of the alligator clip vareity and require little if any phone company assistance. This is why Digital Telephony was such a big deal. What happened in 1968 > was that Congress, recognizing this situation, decided to "compromise": > They declared those wiretaps legal, if a warrant was obtained, and and a sop > to the cops they allowed that evidence into court. This is indeed a creative intrepretation. But them's the details. > The fundamental point is that if AT+T would engage in illegal activity to > benefit the cops or Feds, they would certainly go less far to give the > government what it wants, whether or not that was illegal. Clearly this was > (and is) a non-arm's length relationship. I don't follow. Phone company does outrageous things to help feds, so it's safe to assume that they would do less? > >very credible threat of financial and custodial sanctions. Obstruction, > >or conspiracy is a crime, and in the case of the FBI, a federal crime of > >some magnitude. > > As usual, you misrepresent the situation. You're setting up a straw man. > "Appeals" are not "obstruction." And appeals come after equipment has been seized. > >While some ISP's may indeed feel they are able to resist the whims and > >enforcement powers of the United States, they are likely to be offshore, > >small, and viewing themselves as out of the reach of U.S. jurisdiction. > > You continue to build that straw man. > > And I notice that you said "whims"? What did you mean by this? Are you > suggesting that there is something wrong or illegal with "resisting the > whims" of the government if that government has no legal basis for > compelling cooperation with those "whims"? I think it's interesting that > with each paragraph you set little traps for yourself, and fall into them so > embarrassingly. I have never offered the view that these things are not distasteful. You see inconsistancies in my view because you have assigned that position to me. The reality is that all court rulings require a bit of whim. We differ in that I don't suggest killing judges is the way to deal with it. [...] > >It is worth bearing in mind that subpoenas are not the only tool that > >authorities can use to affect compliance. In many cases authorities > >simply seize the equipment and hold it for the statuatory period before > >which they are required to file charges in. The Ripco BBS in Chicago, > >victim of the Sun Devil raids, is a prime example. In that case the > >equipment was seized (via sealed warrant which later proved to authorize > >seizure of "computer or other electronic equipment of any nature." and in > >actuality resulted in the seizure of everything from disks to printers > >to telephones), and held for five years before finally being returned. > >Clearly it was obsolete by this time. No charges have been filed. > > What I repeatedly find amazing about Unicorn's commentary is that he lists > actions and behaviors of government that most of the rest of us find > disgusting or egregious, and then he seems to take the position that it is > impossible to prevail in court against those actions. Change the sentence above to indicate that I take the position that is it "difficult in the extreme to prevail in court against those actions." and you have hit my position on the head exactly. Again, you find this amazing because you have attributed to me an approval of this status quo which I do not have. > Even if that limited opinion were true, to the extent it's true that merely > goes to show why we can't expect justice from courts, and why we're going to > have to set up a system to ensure that these egregious actions get punished. I find it interesting that Mr. Bell, who demands formalism as a rule when reading the bill of rights, is so quick to condemn officials to death without their right to due process. > >In practice many ISP's or phone co's will not have the opportunity to > >defend the matter in court without their services and equipment being > >forcibly seized preemptively. > > Oh, really? Do you realize what you've just admitted? You're your own > worst enemy. Let me quote you something you said below: > > >There are ways to resist compelled discovery. These are not they. > > Sounds like a big contradiction, right? You can't even keep your story > straight! Your loyalty to the truth is nil. Yet another trap you set for yourself. How is this a contradiction? Service providers can expect to have their equipment preemptively seized if there is reason to believe the data might be destroyed (this is the sun devil example) and as such if you want to resist compelled discovery as an ISP, an open policy that you will assist the account holder in thawarting the authorities is not the way to do it. > >What you have described is a crime. Your "clever" lawsuit isn't going to > >fool any judge, or anyone else. > > There is a big difference between "not fooling the judge" and becoming a > crime. As I pointed out before, these are exactly the kinds of issues that > have "never" been enthusiastically challenged by an ISP or telco. Your > assumption that such challenges will never happen, or will fail is touching. Ripco BBS and Steve Jackson Games both contested their seizures with passion. It didn't get them their equipment back any sooner. > >> My point in the first paragraph that I am quoted in above is > >> that many of the challenges that have never been made against wiretap > >> subpoenas, due to a closer-than-arms-length relationship between the > phoneco > >> and the government, _will_ be challenged. > > > >This argument relies heavily on the absence of other persuasion to comply > >with wiretaps, which, as I have demonstrated, exist in abundance. Thus the > >thing falls in upon itself. > > The error you just made is to confuse the issue of adjudication and > enforcement. All you just said was that, once the final decision is made, > it can be enforced. I don't think it's necessary for me to challenge that > claim, for the purposes of my point. My point is that challenges to > subpoenas can and do occur, WHEN THE PERSON OR CORPORATION NAMED _wants_ to > do them, and up until now that organization regularly failed to do so. The result will simply be resort to seizure warrants to get the equipment, followed by contempt charges for refusal of the account holder or ISP to reveal the key. You can fight this, sure, but it's only going to do you any good if you win. In any event the ISP will be out the equipment for the duration. Prosecutors are not going to take these developments sitting down. > >You're claiming that a court is going to distinguish the case where a > >small ISP/telco refuses to comply with a compelled discovery order from a > >case where a large telco typically complies with a discovery on the basis > >that the large company complies only under compulsion or in self interest? > > > >This amounts to "A obeys the law because he wants to. B doesn't want to > >obey the law, therefore B need not." > > Further "straw-man" behavior. You just misrepresented the issue. I'll > re-write it: > > "A obeys not only the law without question, but also agrees with all > requests even if they are beyond the legal scope of the subpoena, and > generously helps the cops, challenging nothing. B challenges everything, > and uses 'every trick in the book' to eliminate or minimize his obligations > under the law" > > There, that's better. > And so how is B less required to comply with the law, including cooperating with lawfully issued search and seizure warrants executed by duly appointed law enforcement officials, appearing to testify at the request of the court and complying with court orders? > >As I have tried to explain to Mr. Bell before, the days of legal > >formalism are over. Substance over form prevails today. > > What, exactly, does this mean? Are you saying, "The Constitution is dead"? > Are you implicitly acknowledging here that my points are, or at least, WERE > valid under a previous interpretation of the Constitution? What, exactly, > happened to change this? Who passed which law to change it? Study your history. Card catalogue under "Schools of American Legal Thought." > > >The substance > >of this transaction is to inform the client that an investigation is > >ongoing. This is a major no-no, whatever Mr. Bell thinks he knows. > > "major no-no"? It sure is interesting how Unicorn uses thes high-falutin > legal terms like "major no-no" to describe the intricacies of subpoena law. I thought it might be easier for you to understand. Clearly this was my error. > >> (and, in fact, may be > >> required under my contract with him, should he be obligated to do a tap or > >> know one exists.) > > > >As I explained before, contracts are void to the extent they are > >illegal. > > Unicorn proves, once again, that a little knowledge is a dangerous thing. > > But I don't think that FAILING to send a particular certification (that the > ISP isn't under subpoena) constitutes an "illegal" contract. The > fulfillment of that term is not legally required, absent a contract, and > likewise it is not generally prohibited if it is part of a contract. It > looks like the government has no basis to object to either sending that > certification or failing to. Mr. Bell proves that no knowledge is a dangerous thing. It was Mr. Bell's position that an ISP would provide warning to an account holder, and if it refused it would be subject to the consequences of breeching some agreement. This was how he 'got around' the problem of the authorities compelling the ISP to cooperate in their investigation. To do so, he argued, would expose the ISP to contractual liability. A clause in a contract which reads, and to be clear would have to read, "ISP shall send regular certifications until such time as law enforcement officials, civil litigants, or other parties unrelated to the account holder enquire as to or require disclosure of account holder's personal information or data." Now, please tell me how this clause, and the warning therein, is passive resistance. > In a government-centric philosophy enthusiastically promoted by Unicorn, > government is the only enforcer. In the real, digital world of the future, > digital reputations will enforce behavior. A practice by an ISP to tolerate > subpoenas without legal challenge will become well-known, and that ISP will > shrink to oblivion unless he changes his policies. I merely acknowledge that government centric enforcement is the status quo. Any approval thereof is your imposition. > >Mr. Bell's response? "Well, then we'll kill him and enforce > >the contract that way." > > Given the repeated admissions you make that the government can and does > engage in outrageous behavior, I'd say that extra-legal enforcement is > clearly warranted. And there we differ. > >Incorrect. They have been challenged time and time again in the context > >of compelled discovery. Time and time again compelled discovery has been > >required, TRO's forbidding the destruction of documents and other > >evidence issued, search warrants and seizure effected in place of subpoena. > > For a different class of people and corporations, yes. Not ISP's, and as > far as I know, telephone companies have never pushed the envelope. If you > have any specific contrary examples, show me. I can't comment as to ISPs. BBSs have been a frequent victim of compelled discovery and preemptive seizure. Why precisely you think that court's will make a distinction must be an interesting chain of logic. Compelled discovery is a wide judicial tool. I don't know what the circumstances under which it would be ruled illegitimate would be. I am almost positive that these circumstances would not include an uncooperative and or obstructive (legal or illegal) ISP. > >The telco in past has not complied with such orders because of some grand > >government conspiracy, > > You statement is wildly in error. AT+T clearly did phone taps for the > government prior to 1968 PRECISELY due to "some grant conspiracy": It > certainly didn't do them because AT+T was _legally_obligated_ to. Well I'm afraid you'll have to back this up with more than assumptions and the encyclopedia. > >although I realized Mr. Bell finds such things > >immensely sexy. It has complied because its officers faced criminal and > >financial sanctions for non-compliance. > > Which is an interesting statement, given the fact that I pointed out that in > the period of 1930-1968, the phone company assisted with ILLEGAL wiretaps. > Are you suggesting that during that time frame, they actually violated the > law under threat of "criminal and financial sanctions for non-compliance"? > What kind of government threatens people with "criminal and financial > sanctions" for NOT assisting it with illegality? > > Yikes! Somehow I think your morality is about as warped as it comes. Yet > another trap you set for yourself, and you jumped right in. The only trap I fell into was bothering to respond to you. > > > > >There are ways to resist compelled discovery. These are not they. > > What you haven't explained or demonstrated is how ISPs could become more > agressive in their defenses. This failure is typical of you: Your bag of > tricks is empty _unless_you_are_paid_. You're pretty socialist for a libertarian > Jim Bell > > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From cpunk at remail.ecafe.org Tue Apr 9 01:15:18 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Tue, 9 Apr 1996 16:15:18 +0800 Subject: NSA Budget Message-ID: <199604090146.CAA03627@pangaea.hypereality.co.uk> >Is there a public release of the NSA's annual Budget. >If so is there a quarterly release. -Erinn ----- Yes, there are annual and quarterly reports released to the public which describe in meticulous detail expenditures for the agency's program, personnel and equipment: 1. The program of services and information supplied to government and other intelligence organizations, US and foreign, with terms of each client contract. 2. US employees, their organization, skills, duties and longevity of service; their names, ranks, identification codes, secure communication methods and home addresses; the location of workplaces; the continued training each is scheduled to receive; leaves of absence and destinations while absent. 3. Foreign nationals covertly employed worldwide, with information on each as per 2. 4. A comprehensive listing of all types of world-wide equipment operated; its detailed design, function and output; where it is located; its designers, manufacturers and purchase cost; its schedule of amortization; and its schedule for replacement and/or upgrade, with fifteen-year projected procurement. 5. Special short- and long-term contracts with governmental and non-governmental organizations, US and foreign for one-time projects, by goal, personnel and equipment. 6. Special projects with other US and foreign counter- intelligence to issue disinformation about the agency. 7. Special section on world-wide US and foreign cryptology: cryptanalysis, cryptography, steganography, codes, cyphers, glyphs, mimes; each ranked for security and ease of cracking; governmental and non-governmental parties using each; names of cooperative and resistant cryptographers and cooperating pseudo-cryptographers. 8. Sub-section on methods of Internet traffic and language analysis; operation and surveillance of anonymous remailers, bulletin boards and mail lists; lists of cooperative and resistant educational institutions and commercial organizations. 9. Appendices on: black operations; transparent operations; methods for managing cooperative and resistant governmental and non-governmental persons. The public is invited to study and/or download these reports anonymously at: http://nsa.dod.gov/~reports/quarterly.txt From fotiii at crl.com Tue Apr 9 01:48:29 1996 From: fotiii at crl.com (Frank O. Trotter, III) Date: Tue, 9 Apr 1996 16:48:29 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychangers! Message-ID: <199604090336.AA03230@mail.crl.com> Lets state it simply, if you make a gain by holding a currency then it must be included in your reported income. At least one writer correctly stated that the IRS likely does not care about small amounts taken on a trip, but they are technically reportable. Same goes for a loss, it is a deduction (with string attached of course) from taxable income. Aside from ecash, helping people to exchange currency is my day job so I see this all the time, especially this month each year. Best FOT Disclaimer: Personal not corporate thoughts.... Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From frissell at panix.com Tue Apr 9 01:49:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 9 Apr 1996 16:49:34 +0800 Subject: the cost of untracability? Message-ID: <2.2.32.19960408231626.00c90cc8@panix.com> At 03:36 PM 4/8/96 -0400, Black Unicorn wrote: >In addition, to prevent funds from being removed to non-resident aliens >or foreign entities where tax enforcement and collection is difficult, >there is a 30% withholding requirement in the event the payee is not a >U.S. citizen or resident (for tax purposes). The withholding tax applies only if the payee is not a resident of a jurisdiction with a tax treaty with the US. Net banking will further muddy the waters on this because of the difficulty of telling the residency of customers particularly in the case of accounts transferred to third parties for profit -- a worthwhile future business activity. DCF From ddfr at best.com Tue Apr 9 02:06:42 1996 From: ddfr at best.com (david friedman) Date: Tue, 9 Apr 1996 17:06:42 +0800 Subject: "Contempt" charges likely to increase Message-ID: <v02130506ad8f34b49dc3@[129.210.77.17]> >It is exactly this attitude that we need to change. I presume you saw my >comment from a day ago, when I pointed out that before 1968, local phonecos >were doing wiretaps without any sort of court order, ... >I'm still waiting for somebody to show that the majority of crimes that are >investigated using subpoena power are "malum in se" crimes, as opposed to >"malum prohibitum" ones. > >Jim Bell Have you read _The Hacker Crackdown_? I think it is pretty clear that part of what was going on there involved law enforcement people deliberately punishing BBS operators for behavior that was wicked but not illegal--basically facilitating communications involved in committing crimes (credit card number theft and the like). The punishment consisted of seizing the computer and backups and holding it for a year or so as "evidence"--without ever filing charges. Conceivably the owner could have taken legal action--but doing so would give the law enforcement people an incentive to file charges, thus imposing large costs on the owner even if he was innocent of any crime and could eventually prove it. I suspect that a good deal of this goes on in most law enforcement systems, in one form or another. Charging and convicting people is costly, even if they are guilty--and there is often behavior that law enforcement people want to prevent that is not even illegal. On the other hand, there are lots of things police can do that impose sizable costs but do not require a conviction, such as arresting you, holding you in a cell overnight, but never actually trying you for anything. David Friedman David Friedman School of Law Santa Clara University From zalchgar at juno.com Tue Apr 9 02:46:56 1996 From: zalchgar at juno.com (zalchgar) Date: Tue, 9 Apr 1996 17:46:56 +0800 Subject: NSA Budget Message-ID: <19960408.181433.15302.0.zalchgar@juno.com> Is there a public release of the NSA's annual Budget. If so is there a quarterly release. -Erinn From jimbell at pacifier.com Tue Apr 9 02:56:15 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Apr 1996 17:56:15 +0800 Subject: Australia's New South Wales tries net-censorship Message-ID: <m0u6V7Z-0008yYC@pacifier.com> At 01:40 PM 4/8/96 -0400, Declan B. McCullagh wrote: >Excerpts from internet.cypherpunks: 8-Apr-96 Re: Australia's New South >W.. by Mike Duvos at netcom.com >> I'd be interested to know if the courts have ever had a case in >> which a person has been declared to have been in "possession" of >> illegal material merely by virtue of its momentary presence in >> their cache, screen buffer, or usenet spool. >> >> There is a case now involving the University of Pittsburgh in >> which the Feds are attempting to prove that an individual was in >> possession of certain child porn images on his own PC during a >> brief span of time in 1993. > >For it to be a crime, I would presume that the courts would require >"guilty knowledge" of the act. (At least I hope they would!) But what is "guilty knowledge"? Let's suppose I'm web-browsing, and I come across something I shouldn't. If I'm aware of caching, I _know_ that the stuff is in my memory or HD or somewhere, and I _know_ it's illegal. Does that constitute "guilty knowledge"? What if a person is unaware of this caching? Does he lack the same guilty knowledge? See, this is the problem with the "guilty knowledge" idea: It really isn't knowledge which should be illegal, intent is vital. Part of the reason "our" system is so screwed up is that police can misrepresent our actions in this way. I have an easy solution for this: _NO_ information should be illegal. None. Jim Bell jimbell at pacifier.com From hal9001 at panix.com Tue Apr 9 03:11:01 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Tue, 9 Apr 1996 18:11:01 +0800 Subject: Australia's New South Wales tries net-censorship Message-ID: <v02140b01ad8f39982775@[166.84.254.3]> At 9:01 4/8/96, Mike Duvos wrote: >I'd be interested to know if the courts have ever had a case in >which a person has been declared to have been in "possession" of >illegal material merely by virtue of its momentary presence in >their cache, screen buffer, or usenet spool. If you want a real world analogy, there are cases where overeager USPS Inspectors who want to "get" someone have sent them porno as a Return Receipt Requested Item and then raided before the person had had a chance to open the package. That is possession under the Law. From jimbell at pacifier.com Tue Apr 9 03:16:08 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 9 Apr 1996 18:16:08 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u6Vu2-0008xuC@pacifier.com> At 03:23 PM 4/8/96 -0800, david friedman wrote: >Have you read _The Hacker Crackdown_? I think it is pretty clear that part >of what was going on there involved law enforcement people deliberately >punishing BBS operators for behavior that was wicked but not >illegal--basically facilitating communications involved in committing >crimes (credit card number theft and the like). The punishment consisted of >seizing the computer and backups and holding it for a year or so as >"evidence"--without ever filing charges. > >Conceivably the owner could have taken legal action--but doing so would >give the law enforcement people an incentive to file charges, thus imposing >large costs on the owner even if he was innocent of any crime and could >eventually prove it. > >I suspect that a good deal of this goes on in most law enforcement systems, >in one form or another. Charging and convicting people is costly, even if >they are guilty--and there is often behavior that law enforcement people >want to prevent that is not even illegal. On the other hand, there are lots >of things police can do that impose sizable costs but do not require a >conviction, such as arresting you, holding you in a cell overnight, but >never actually trying you for anything. >David Friedman >School of Law >Santa Clara University This is yet another one of the many reasons I advocate a system, AP, that some people around here call "extremely radical." (By today's standards it _is_ "extremely radical," but only in the sense that many sheeple seem ready to continue to tolerate the status quo.) I assert that if there is a mechanism in existence over the medium to long term to allow officialdom to punish people without conviction for things that are not even crimes, then I see nothing wrong with setting up a different system to punish these _officials_, without conviction, for things that THEY would claim are not crimes. If those officials wish to avoid this punishment, they should resign or even better, use their powers to immediately eliminate that unfair and unjustified punishment for ordinary citizens. But I guess this solution is a bit too obvious for some, huh? B^) Maybe we should call it "Contempt of Citizenry." Jim Bell jimbell at pacifier.com From steve at edmweb.com Tue Apr 9 03:19:59 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 9 Apr 1996 18:19:59 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <199604081656.MAA00598@miron.vip.best.com> Message-ID: <Pine.BSF.3.91.960408224407.8748C-100000@kirk.edmweb.com> > In the absence of cryptanalysis, the output of a symetric cipher > looks like random bytes. > Every one should have a hardware RNG on their computer. > "I am sorry your honor, that is a file of random numbers that I > was using to check the output of my RNG." > Or > "I am sorry your honor that is a one-time pad I was planning > to use." But, would the average jury understand what a RNG is? The prosecution would probably argue that "It's a tool used by terrorists and child pornographers so that they can create 'codes' to communicate with each other". If they say that, they could probably even supress any explaination of what a RNG actually is, by claiming that it's "to dangerous to allow into public record". The Phrack E911 document was supressed in that way. In some countries I could see people being charged with an offence just for having a RNG... The output looks encrypted, and I heard that in France (and other countries) it is illegal to create anything that even *looks* encrypted. :( Disclaimer: IANAL From alanh at mailhost.infi.net Tue Apr 9 04:09:39 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Tue, 9 Apr 1996 19:09:39 +0800 Subject: e$ Signorage In-Reply-To: <199604080206.WAA29767@jekyll.piermont.com> Message-ID: <Pine.SV4.3.91.960408195750.12112A-100000@larry.infi.net> The Board of Governors of the Federal Reserve Bank is a government agency. Everyone else in the Fed - really the various regional Feds - are not government employees. Perry explicitly mentions that there are overhead expenses that detract from the profit - videlicet, the US Treasury doesn't pay the operating expenses of the Fed. Therefor, the profits do not go to the US TReasury. Certainly, the Board is in total control of the picture. And the Treasury doesn't need the profits. HEck, somewhere around here, I've got a quote of a Fed Regional President from the 1940's, in which he says that the govt doesn't need revenues beyond the current interest payable. TEchnically correct, but politically incorrect. Although, some of us may live to see such a scenario. It's happened to lots of countries, and the sky didn't fall down. People just got sloshed downward on the real-income-in-constant-dollars scale, via the mechanism of inflation. This is not a Conspiracy Theory (tm), this is history. We've already experienced a massive loss of affluence in this country since October 1973, and it didn't cause a revolution. That's why people like Greenspan make the big bucks. From jamesd at echeque.com Tue Apr 9 04:12:03 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 9 Apr 1996 19:12:03 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <199604090654.XAA16860@dns2.noc.best.net> > > Some thoughts... (er, questions): > > 1. What are the implications for log-on systems that rely on > > recognition of faces (supposedly impossible for hackers to describe > > and exploit)? At 11:19 AM 4/8/96 -0700, David Loysen wrote: > Does anybody know how well these systems work? Yes: They don't work. > If I don't shave over the > weekend will my computer know who I am Monday morning? Shaving probably will not be a problem, but holding your head at a slightly different angle, or having slightly different lighting, or combing your hair differently will screw up the system totally, unless the system has radically improved since the last time I read up on it. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Tue Apr 9 04:39:18 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 9 Apr 1996 19:39:18 +0800 Subject: questions about bits and bytes Message-ID: <199604090654.XAA16867@dns2.noc.best.net> At 09:33 PM 4/8/96 -0400, Jack Mott wrote: > a bit is 1 or 0 > 8 bits make up a byte (0-255) > If I have a 5 byte key, does that make it a 40 bit key? Yes. > The only > reason this doesn't make sense to me is it seems useless to use 5 byte > keys, yet that is what companies export since the government limits keys > to 40 bits. Yes, a 40 bit key is useless. What is it that does not make sense to you? --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From steve at edmweb.com Tue Apr 9 05:05:56 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 9 Apr 1996 20:05:56 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604081642.ZM1632@harry.bwi.wec.com> Message-ID: <Pine.BSF.3.91.960408235041.8873A-100000@kirk.edmweb.com> > Is it really that easy to break 40-bit? Don't you need access to a "fair > amount of cpu power" to brute force crack 40bit? I remember reading a recent paper at this URL: http://theory.lcs.mit.edu/~rivest/bsa-final-report.ascii They mentioned a Field Programmable Gate Array (FPGA), specifically a board-mounted AT&T Orca chip available for around $400. They said it could crack a 40-bit key in 5 hours (average). Sounds like anyone with root access on a major internet node could make a significant profit stealing credit card numbers. The FPGA sounds like a very interesting device, with quite a few legitimate uses... Has anyone out there seen one of these? (((cloaked sig file))) From declan+ at CMU.EDU Tue Apr 9 05:54:02 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 9 Apr 1996 20:54:02 +0800 Subject: English translation of "Le Grand Secret" complete! In-Reply-To: <klOQHoO00YUvJ==pJO@andrew.cmu.edu> Message-ID: <clOQJL_00YUv9BgF5g@andrew.cmu.edu> The English translation of the banned book "Le Grand Secret" is complete! If your French is a little rusty, and you're curious about the book that caused the French government such headaches, you may want to check out: http://www.cs.cmu.edu/~declan/le-secret/ A group of volunteers performed this work without compensation. (I solicited help with the translation by putting a note on my web pages.) A German translation is now in progress, and I expect to have the text online by this summer. -Declan ------------------------------ THE BIG SECRET By Dr. Claude Gubler http://www.cs.cmu.edu/~declan/le-secret/ Chapters and translators: * Chapter 1 * Chapter 2 * Chapter 3 (Michel Eytan) * Chapter 4 (Francoise R. Corey) * Chapter 5 (Jennifer FitzGerald) * Chapter 6 (Jonathan Wallace) * Chapter 7 * Chapter 8 (E. Dean Detrich) * Chapter 9 (Kris Shapar) * Chapter 10 (Jean-Michel Prima) * Chapter 11 * Chapter 12 * Chapter 13 (Andrea Crain) Because of the sensitive political nature of this work, not everyone who helped translate Le Grand Secret into English wished to be listed here. Above are the names of those who chose to be identified. However, everyone who volunteered deserves thanks for donating their time and making this important work available to a wider audience. Andrea Crain, in particular, has spent endless hours coordinating this effort and ensuring the high quality of the final translation. Thanks, Andrea, for all your work. -Declan McCullagh, April 7, 1996 ------------------------------ From declan+ at CMU.EDU Tue Apr 9 06:31:08 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 9 Apr 1996 21:31:08 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <8lOUXbq00YUvBYs3cV@andrew.cmu.edu> The attached paper by Dr. Reed is worth reading -- I haven't seen this argument raised before. One portion that I found fascinating was: "It is quite silly to imagine that the Ascend router at the ISP can figure out if it is me or my child generating each packet." But that's exactly what the defenders of the CDA are claiming! Here's some background that might be interesting: When I was arguing with Bruce Taylor (an architect of the CDA) last week, we went 'round and 'round on the issue of children on the Net, as usual. He maintained that every Internet user has to have an account somewhere, so that account provider is able to tag accounts as minor or adult. To the best of my ability, I pointed out some of the technical problems with this, and he responded (I paraphrase from memory here) that technical problems can be solved by technical people: "Your side comes across to the court as saying that it can be done but we won't do it. You're a bunch of geeks who want to protect their porn and the court isn't going to buy it." He brought up IP Version 6, which the DoJ has focused on in cross-examination of one of our witnesses, Scott Bradner from the IETF: 13 Q Would it be fair to say, to summarize what you've just 14 said, that the IP Next Generation group is working on a new 15 generation of the IP Protocol itself? 16 A That is correct. 17 Q Does it have -- does the IP Next Generation group have 18 recommendations regarding a specific architecture of the 19 packet traffic on the Internet, including the format of the 20 packet? The DoJ and Taylor are going to argue that IP V6 can include such an adult/minor tag in each datagram! One of their key witnesses is Dan Olsen, the head of the computer science department at Brigham Young University and the incoming director of the Human Computer Interaction Institute at CMU. Olsen's background is NOT in distributed computing environments and protocol design -- but that minor detail notwithstanding, it looks like he'll be testifying this Friday that such a tagging scheme is technically possible. Chris Hansen from the ACLU told me last Friday: "Olsen is going to push this tagging idea that the government has, that you can imbed in your tag -- in your address -- an adult or minor tag. They're going to suggest that the market will come into existence that will make that tagging relevant." Comments? -Declan --------------------------------------------------------------------------- Enforcing the CDA Improperly May Pervert Internet Architecture by David P. Reed Friends - I'd like to call your attention to a situation where misguided politics (of the "ends-justify-means" sort) threatens one of the fundamental principles of Internet architecture, in a way that seems like a slippery slope. I do not normally take public stands of a political nature, and I do not participate much in Internet architecture anymore, but I'd like to call your attention to a very severe perversion of the Internet architectural philosophy that is being carried out in the name of political and commercial expediency. No matter what you believe about the issues raised by the Communications Decency Act, I expect that you will agree that the mechanism to carry out such a discussion or implement a resolution is in the agreements and protocols between end users of the network, not in the groups that design and deploy the internal routers and protocols that they implement. I hope you will join in and make suggestions as to the appropriate process to use to discourage the use of inappropriate architectural changes to the fundamental routing architecture of the net to achieve political policy goals. As you know, I am one of the authors, along with Saltzer and Clark, of the paper "End-to-end arguments in decentralized computer systems", which first characterized in writing the primary approach to the Internet's architecture since it was conceived, which approach arguably has been one of the reasons for its exponential growth. This philosophy - avoid building special functionality into the net internals solely to enforce an end-to-end policy - has led to the simplicity, low cost, and radical scalability of the Internet. One of the consequences is that IP routers do not enforce policies on a packet-by-packet basis, so routers can be extremely simple beasts, compared to the complex beasts that characterize even the simplest telephone central office switch. End-to-end policies are implemented by intelligence at the ends (today, the PCs and servers that communicate over the many consolidated networks that make up the Internet). I just read in Inter at ctive Week (March 25, 1996) that Livingston plans to announce an "Exon box" - a router that is designed to enable ISPs to restrict access to "indecent sites" or unrated sites unless an "adult" enters an authorization code when opening a session to enable the router to transmit packets to the site. The scam seems to be that Livingston has colluded with Senator Exon's staff to propose a "solution" to enable ISP's to implement parental controls. Exon's staff is using the announced solution as an example to demonstrate how simply ISPs can enforce local community standards and parental controls, thus supporting interpretations of the CDA requiring all access providers to include such capability in their boxes. Exon's staff is quoted as encouraging ISP's to install such functionality into the routers that serve as access points for nets. Since I use an Ascend P50 ISDN router to make frequent, short, bandwidth-on-demand ISDN connections from my "Family LAN" to an Ascend multi-line ISDN router at my commercial Internet Service Provider, I am worried that this model is completely unworkable for me, and for others that will eventually use such a practical system. My family has minor children and adults who all happily access the Internet. My ISP has no clue whatsoever whether a child or adult has initiated the call, and in fact, if my child and I are both on different computers in different rooms, it is quite silly to imagine that the Ascend router at the ISP can figure out if it is me or my child generating each packet. It is appalling to me that Livingston, which has some responsibility as a router provider to assist in the orderly growth of the net, is pandering to Exon's complete misunderstanding of how the Internet is built. I would hope that Ascend, with its much larger share of the ISP market, and other router companies such as Cisco and Bay Networks, would take a principled and likely popular position that the "Exon box" is not the way to go about this. I would hope that ISP's would in general avoid use of Livingston's products, and also refuse to cave into Exon's pressure. I believe, though I may be wrong, that Livingston has contributed to the RADIUS technology that many ISP's use to manage dialup access charging in a way that is consistent with ethe end-to-end philosophy, but any credit they are due is overwhelmed by the Exon box insanity. I do work to protect my children from inappropriate material, but pressure from Senators to mandate technically flawed solutions, and opportunistic, poorly thought-through technologies from companies like Livingston are not helpful. If you agree, please join me in attempting to call off any tendency for other router vendors and protocol designers to develop Exon box features. It would seem that the appropriate place for content restrictions, such as "parental controls", are in the end-to-end agreements between content providers and their users, not in the internal switching architecture of the net. - David P. Reed Notes: The end-to-end paper was edited and republished in several forms (with slight variations in title), generalizing its observations to systems beyond the distributed systems that were its original focus; the final and most accessible one is: Saltzer, J.H., D.P. Reed, and D.D. Clark, End-To-End Arguments in System Design. ACM Transactions on Computer Systems, 1984. 2(4) p. 277-288. I don't have any more details on Livingston's technology or its marketing plans than what was presented in Inter at ctive Week. The Inter at ctive Week article apparently based its information on 'sources' describing a planned announcement, and also quoted Exon's staff. It is possible that Livingston will choose not to announce or position its technology in this form. It seems less likely that Exon's staff will change its position on forcing ISP's to adopt some kind of technological solution, however. - David [After considering Dr. Reed's comments, I asked him whether he objects to firewalls in general. His reply: No, I think firewalls of the sort now deployed can be OK (e.g., packet filters), as a minimal line of defense. However, they are inherently flawed, in ways that are well understood (reading Cheswick and Bellovin gives good insight here). Most security threats ultimately require end-to-end policies and must be implemented with end-to-end solutions. As the paper points out, sometimes one can optimize cost of implementing and end-to-end solution by including some functionality that is not end-to-end. Firewalls may reduce the cost. --CEL] From steve at edmweb.com Tue Apr 9 07:03:36 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 9 Apr 1996 22:03:36 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work In-Reply-To: <199604081810.LAA22544@spike.hnc.com> Message-ID: <Pine.BSF.3.91.960408222428.8748B-100000@kirk.edmweb.com> > Is my credit card going to have my face digitized and encoded onto the mag > stipe for comparision with a video camera image at the time of sale? I think we all know how stupid that would be... Way too easy for someone to put their own face on a card. For it to be effective, there would have to be some central Big Brotherly computer with all the faces stored there. Mind you, from that British study, it seems that fudging the face isn't really necessary. :-/ I recall, some months ago there were plans to have a fingerprinting system at the Canada/US border and people could get accross faster if they had a card with their fingerprint stored on it. Even the news media was able to figure out how easy it would be to fudge it. The main idea of having the fingerprints on the card, though, was to avoid that Big Brotherly computer. I don't know whatever happened to that plan. (((cloaked sig file))) From cme at acm.org Tue Apr 9 07:12:39 1996 From: cme at acm.org (Carl Ellison) Date: Tue, 9 Apr 1996 22:12:39 +0800 Subject: Disclosure of Public Knowledge to Foreigners Message-ID: <v02140b0fad8f98cb0085@[168.143.8.144]> At 05:33 4/3/96, Timothy C. May wrote: >There is a reasonable chance the Supreme Court would see the overall >absurdity of a situation where the knowledge is freely available to 200 >million adult Americans, with no restrictions whatsover on publication, >discussion, etc., and yet uttering this knowledge in front of a foreigner >is a crime. > >I don't think this would pass Constitutional muster, as the lawyers like >to say. > >(The British at least have an Official Secrets Act. Much as I dislike that >Act, at least they are more consistent in the sense of classifying things >as being secret. How can the U.S. argue that knowledge available in any >large library or bookstore to anyone who wants it, citizen or not, may not >be "disclosed" to foreigners? If it's common knowledge, it's common >knowledge!) This assumes that the purpose of the ITAR restrictions is to keep a secret. To the extent that the gov't argues that, they have no case as you point out. However, the ITAR is there specifically to frustrate US businesses if they should want to sell or give away crypto overseas. The rules, despite their illogic, achieve that goal. I would like to believe that the Supremes would rule that the Gov't has no right to use what amounts to a secrecy provision just for harrassment -- but they might not. I had Mike Nelson say to my face, 1.5 years ago, that he knows good crypto is available to foreigners -- he just wants to make damn sure it doesn't come in shrink-wrapped packages from US companies. I can't judge the constitutionality of that position but it holds together logically. ["don't let American products hurt American interests" the battle cry runs] - Carl +--------------------------------------------------------------------------+ | Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme | | PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | "Officer, officer, arrest that man! He's whistling a dirty song." | +---------------------------------------------- Jean Ellison (aka Mother) -+ From erc at dal1820.computek.net Tue Apr 9 07:30:54 1996 From: erc at dal1820.computek.net (erc at dal1820.computek.net) Date: Tue, 9 Apr 1996 22:30:54 +0800 Subject: NSA Budget Message-ID: <199604090919.FAA24636@dal1820.computek.net> One could only wish... :) ______________________________ Reply Separator _________________________________ Subject: NSA Budget Sent To: cypherpunks at toad.com Author: cpunk at remail.ecafe.org Reply To: cpunk at remail.ecafe.org Date: 4/9/96 3:07:19 AM >Is there a public release of the NSA's annual Budget. >If so is there a quarterly release. -Erinn ----- Yes, there are annual and quarterly reports released to the public which describe in meticulous detail expenditures for the agency's program, personnel and equipment: 1. The program of services and information supplied to government and other intelligence organizations, US and foreign, with terms of each client contract. 2. US employees, their organization, skills, duties and longevity of service; their names, ranks, identification codes, secure communication methods and home addresses; the location of workplaces; the continued training each is scheduled to receive; leaves of absence and destinations while absent. 3. Foreign nationals covertly employed worldwide, with information on each as per 2. 4. A comprehensive listing of all types of world-wide equipment operated; its detailed design, function and output; where it is located; its designers, manufacturers and purchase cost; its schedule of amortization; and its schedule for replacement and/or upgrade, with fifteen-year projected procurement. 5. Special short- and long-term contracts with governmental and non-governmental organizations, US and foreign for one-time projects, by goal, personnel and equipment. 6. Special projects with other US and foreign counter- intelligence to issue disinformation about the agency. 7. Special section on world-wide US and foreign cryptology: cryptanalysis, cryptography, steganography, codes, cyphers, glyphs, mimes; each ranked for security and ease of cracking; governmental and non-governmental parties using each; names of cooperative and resistant cryptographers and cooperating pseudo-cryptographers. 8. Sub-section on methods of Internet traffic and language analysis; operation and surveillance of anonymous remailers, bulletin boards and mail lists; lists of cooperative and resistant educational institutions and commercial organizations. 9. Appendices on: black operations; transparent operations; methods for managing cooperative and resistant governmental and non-governmental persons. The public is invited to study and/or download these reports anonymously at: http://nsa.dod.gov/~reports/quarterly.txt From hal9001 at panix.com Tue Apr 9 07:54:50 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Tue, 9 Apr 1996 22:54:50 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychangers! Message-ID: <v02140b05ad8f4000a8a0@[166.84.254.3]> At 12:48 4/8/96, Timothy C. May wrote: >There are people and companies who make a nice business in currency >exchange, ranging from the large companies one finds in international >airline terminals and banks to the smaller, "Mom and Pop" moneychangers one >finds in barrios and other such places. > >These moneychangers attempt to make a "profit" on each exchange (else >they'd hardly stay in business). But they make their profit by charging a fee for the transaction not just by the float in the exchange rates. For example, if the current official rate is $1=�125 and you are converting Dollars to Yen, they may only give you 115 Yen keeping the other �10 as a processing fee. From daw at cs.berkeley.edu Tue Apr 9 08:19:56 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Tue, 9 Apr 1996 23:19:56 +0800 Subject: RC4 improvement idea In-Reply-To: <199604060539.VAA22611@dns1.noc.best.net> Message-ID: <4kdcad$57@joseph.cs.berkeley.edu> In article <199604060539.VAA22611 at dns1.noc.best.net>, <jamesd at echeque.com> wrote: > At 12:01 PM 4/5/96 -0500, Jack Mott wrote: > >I got a paper from the cryptography technical report server > >"http://www.itribe.net/CTRS/" about a weak class of RC4 keys. > > The report was bogus: > > For one key in 256, you can tell what eight bits of the state box are. > For one key in 64000 you can tell what sixteen bits of the state box are, > and so on and so forth. > > Such keys are not weak. No, the report was right: the weak keys are real. For one key in 256, you have a 13.6% chance of recovering 16 bits of the original key. On average, the work factor per key recovered is reduced by a factor of 35 (i.e. the effective keylength is reduced by 5.1 bits) by using this class of weak keys. - quoting from the report I've experimentally confirmed this effect myself. Andrew Roos did some good work. Take care, -- Dave Wagner From tallpaul at pipeline.com Tue Apr 9 09:30:47 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 10 Apr 1996 00:30:47 +0800 Subject: Australia's New South Wales tries net-censorship Message-ID: <199604091200.IAA28410@pipe6.nyc.pipeline.com> On Apr 09, 1996 01:47:39, '"Robert A. Rosenberg" <hal9001 at panix.com>' wrote: >At 9:01 4/8/96, Mike Duvos wrote: > >>I'd be interested to know if the courts have ever had a case in >>which a person has been declared to have been in "possession" of >>illegal material merely by virtue of its momentary presence in >>their cache, screen buffer, or usenet spool. > >If you want a real world analogy, there are cases where overeager USPS >Inspectors who want to "get" someone have sent them porno as a Return >Receipt Requested Item and then raided before the person had had a chance >to open the package. That is possession under the Law. > I think this is more "conspiracy" not "possession" under the law. Perhaps an attorney on the list could comment. But I am interested to read more about such "cases." Could R.A. Rosenberg post the case cites? --tallpaul From attila at primenet.com Tue Apr 9 10:51:42 1996 From: attila at primenet.com (attila) Date: Wed, 10 Apr 1996 01:51:42 +0800 Subject: Subject: Re: They're running scared. Message-ID: <199604090637.XAA17445@usr5.primenet.com> ** Reply to note from jim bell <jimbell at pacifier.com> 04/08/96 09:53am -0800 = At 04:33 PM 4/8/96 GMT, attila wrote: = >** Reply to note from jim bell <jimbell at pacifier.com> 04/07/96 8:32pm -0800 = > = >Jim: = > = > a very sensible article. = = And it is the kind of article that you would never have seen in the = "mainstream press" more than 2-3 years ago, and probably not before the = middle of 1995. One of the implicit functions of the press has been to make = it appear that there is no reasonable opposition to the government in total. = Now, they have begun to admit that ever larger proportions of the = population are soured on the whole concept. = Time's dual attack on Hillary, one orchestrated by someone she tried to control, the other just pure analysis of the situation is very surprising. they are part of the big-money NWO whose "duty" is to keep the sheep informed of the will of the government (and make it appear benevolent. However, let's face it, Hillary has guts: "Bill Gates is greedy because he has amassed a fortune of US$ 15,000,000,000 ($15 billion) but the US Government is a helpful Village because it takes US$ 1,400,000,000,000 ($1.4 trillion) from us each year and does good things with it." --Hillary Clinton that takes one bitch of a person to make that arrogant statement --and the cover picture tells it all --ridden hard and put away wet many, many times --and not in the conventional sense. Susan Thosases and she make a real pair. Their actions, or those of Bubba and the rest of the CFR of which george Bush is the hatchet man, show an absolute contempt for the Constitution. = = > not to be critical over your work in general, but your polemics and = too-far = >radicalism makes it hard to swallow. = = I admit to my polemics. However, saying my position is "too far radicalism" = is quite relative. The average person today is a product of a system which, = in effect, has brainwashed him (to use an old, out-of-favor term) to believe = in the idea that the government has the authority to run just about = everything it chooses to. I, and increasing numbers of people, disagree. = If you have an alternative solution to the "government problem" I'm anxious = to see it. Relative to the sheep, I am "radical," but compared to people = who do indeed see there is a problem, I think I fit right in. = = > I may be an anarchist at heart, but = >anarchy explicitely implies personal responsibility --which few people have. = >the trick is to figure how the idealism of anarchy can survive in a society of = >non-responsible individuals. = = With all due respect, I think I've already figured it out. At least, I = discovered a path that we must at least investigate, because it could lead = us to the goal. politics of assassination? hired guns? I do not think I would have any difficulty with the concept in theory; just that we would run out of targets too soon and be forced back to economic terrorism. I do know, WITHOUT A DOUBT, that I will NOT participate in such a matter. The prophet, Joseph Smith said: The Constitution is not a law, but it empowers the people to make laws... The Constitution tells us what shall not be lawful tender... The legislture has ceded up to us the privilege of enacting such laws as are not inconsitent with the Constitution of the United States... The different states, and even the Congress itself have passed many laws diametrically contrary to the Constitution of the United States. ...Shall we be such fools as to be governed by its laws, which are unconstitutional? No!... The Constitution acknowledges that the people have all the power not reserved to itself. I am a lawyer. I am a big lawyer and comprehend heaven, earth, and hell. to bring forth knowledge that shall cover up all lawyers, doctors, and other big bodies. This is the doctrine of the Constitution, so help me God.... Now, this may not agree with your thinking (and there are pages more of Joseph Smith's statements on defending the Constitution), but I think he hit it on the head. Secondly, Thomas Jefferson stated: "I hold it that a little rebellion, now and then, is a good thing, and as necessary in the political world as storms in the physical... It is a medicine necessary for the sound health of government" --Thomas Jefferson (1743-1826) or maybe: Democracy is a form of government under which everyone has the freedom to elect officials to restrict his freedom. or to put in more succintly, I think an old Doonesbury cartoon that had Duke (representing the NRA) testifying before a Senate subcommittee summed it up nicely..... Senator: "And we and the American people have had enough of you and your fanatic organization!" Duke: "I see Senator, shall I put you down for a million postcards?" Senator: "Don't you threaten me, mister!" Politicians only understand one thing. I am not a pacifist; I do believe in fighting for what is right; I did my duty in the 60s (in spades) --I could have asked the Church for the CO form; after the way the government used us (particularly the "black" battalionsfor which I was the CO) solely to test new weaponry and build up the military-industrial economics, by 1980 it hit me as to the extent I, and the rest of us, had been betrayed, yes, our government has a problem: greed, and power. Joseph Smith, however, did say: The Constitution should contain a provision that every officer of the Government who should neglect or refuse to extend the protection guaranteed in the Constitution should be subject to caputal punishment, and then the President of the United States would not say, "Your cause is just, but I can do nothing for you." Anarchy which degenerates to mob rule is untenable. What I do not see in your treatises is any planning for the future --once mob rule reigns, the next step is tribal councils, chiefs, and chiefs of chiefs --and I do not mean elected chiefs. As it has been, it will be. Man never learns from history --he just repeats it. -- "Don't hunt wild game, hunt lawyers! They provide better sport, suffer from severe overpopulation, and besides, they taste just like chicken!! -- Obscenity is a crutch for inarticulate motherfuckers. Fuck the CDA! cc: Cypherpunks <cypherpunks at toad.com> From m5 at vail.tivoli.com Tue Apr 9 11:16:53 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 10 Apr 1996 02:16:53 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work In-Reply-To: <199604090654.XAA16860@dns2.noc.best.net> Message-ID: <316A5EB3.29AF@vail.tivoli.com> jamesd at echeque.com wrote: > > If I don't shave over the > > weekend will my computer know who I am Monday morning? > > Shaving probably will not be a problem, but holding your head at a slightly > different angle, or having slightly different lighting, or combing your > hair differently will screw up the system totally, unless the system has > radically improved since the last time I read up on it. There are supposedly some new techniques that look at the infrared signature of your face (like, I guess, distribution & position of hot & cold spots), and that's less likely to be fooled by facial hair and other superficial disguises. It's probably a fairly simple technology, and could be applied to the credit card ID problem. Note that the mag strip encoding, which is clearly not very secure, could be replaced by one of the newer optical coding systems. Those would probably be somewhat harder to fake (you'd need to manufacture cards, and probably couldn't simple "re-record" over a stolen one.) An interesting question, to me, is what is the actual pattern of criminal activity involving stolen/fake credit cards? Is it a matter of huge criminal syndicates creating fake cards, or is it mostly crimes of opportunity where stolen cards are boldly presented by the thief (or by someone the thief sold the card to)? ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From m5 at vail.tivoli.com Tue Apr 9 11:37:27 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 10 Apr 1996 02:37:27 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <8lOUXbq00YUvBYs3cV@andrew.cmu.edu> Message-ID: <316A6175.74DA@vail.tivoli.com> Declan B. McCullagh wrote: > The attached paper by Dr. Reed is worth reading -- I haven't seen this > argument raised before. One portion that I found fascinating was: > > "It is quite silly to imagine that the Ascend router at the ISP can > figure out if it is me or my child generating each packet." > > But that's exactly what the defenders of the CDA are claiming! Here's > some background that might be interesting: I sent a letter to the Economist last year pointing this out after reading an article containing the offhand statement, "... and of course it is entirely feasible to control Internet content" (or something like that). I don't have those magic two letters at the front of my name though. It seems so utterly obvious. When you connect to an ISP via PPP or SLIP, all the ISP is doing is routing packets. > Chris Hansen from the ACLU told me last Friday: "Olsen is going to push > this tagging idea that the government has, that you can imbed in your > tag -- in your address -- an adult or minor tag. They're going to > suggest that the market will come into existence that will make that > tagging relevant." Uhh... what about the rather obvious problem that some of these new fangled computers can support an enormous spread of information? My web site at io.com has no offensive materials (though I recently rated it as basically "Satan's Headquarters" via SurfWatch), but other stuff at io.com may well be offensive. Packets routed out through io's interface will of course all come from the same address. Maybe they're suggesting that every disk block in the universe should have its own IP address. Hmm, maybe there's a use after all for those 24 byte OSI addresses... _____c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From declan+ at CMU.EDU Tue Apr 9 11:59:32 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 10 Apr 1996 02:59:32 +0800 Subject: Australia's New South Wales tries net-censorship In-Reply-To: <v02140b01ad8f39982775@[166.84.254.3]> Message-ID: <UlOamXW00YUvE5qMUy@andrew.cmu.edu> Excerpts from internet.cypherpunks: 9-Apr-96 Re: Australia's New South W.. by Robert Rosenberg at panix.c > If you want a real world analogy, there are cases where overeager USPS > Inspectors who want to "get" someone have sent them porno as a Return > Receipt Requested Item and then raided before the person had had a chance > to open the package. That is possession under the Law. That is also one of the times the Feds are permitted to allow child porn out of their possession -- when they send it to someone via USPS and are waiting to spring on the unfortunate perp as he or she is opening it. This from conversations with former Federal prosecutors. -Declan From jk at digit.ee Tue Apr 9 13:18:09 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Wed, 10 Apr 1996 04:18:09 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604081941.MAA00812@atropos.c2.org> Message-ID: <Pine.GSO.3.92.960409171558.9284C-100000@happyman> On Mon, 8 Apr 1996 sameer at c2.org wrote: > > > Suddenly some banks here in Estonia have decided that they must start > > > offering banking services over Internet already during the next months. > > > What worries me is that some of them are talking about using 40-bit SSL as > > > the main security mechanism. > > Please point these banks to Apache-SSL > (http://www.algroup.co.uk/Apache-SSL/). They can run SSL without > using 8-cent RC4. What is the use of 128-bit server, as there are still no 128-bit WWW clients freely available in Europe? (Workhorse has 128-bit SSL, but the client is still far from perfect). Of course I believe that SSL server with source code available is still much more secure, as your own consultants can have a look at the code, that's why I personally would rate Apache-SSL higher than commercial applications like Thawte consulting Sioux. J�ri Kaljundi jk at digit.ee From jk at digit.ee Tue Apr 9 13:32:35 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Wed, 10 Apr 1996 04:32:35 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604081946.AA00048@saloon.fivepaces.com> Message-ID: <Pine.GSO.3.92.960409172308.9284D-100000@happyman> On Mon, 8 Apr 1996, Jim Philips wrote: > I work with Security First. I would like to add that we use SSL 128 bit key > with 40 secret, but it is not the only security feature we have. So far, it > has been the means for encrypting data coming to and from the Bank. We also > have a site certificate from Verisign and multiple layers of internal > security at the site. I cannot agree that this encryption is "worthless". As far as I understand anyone can fairly easy crack the 40-bit SSL your bank is using, and you must be lucky nobody has done it yet with your account. Still it seems odd that banks are telling their customers about secure communications without having any real security. J�ri Kaljundi jk at digit.ee From jk at digit.ee Tue Apr 9 13:34:44 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Wed, 10 Apr 1996 04:34:44 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604090025.UAA28599@jekyll.piermont.com> Message-ID: <Pine.GSO.3.92.960409173030.9284E-100000@happyman> On Mon, 8 Apr 1996, Perry E. Metzger wrote: > The rest of this article is a direct quotation from Blaze et al in the > paper they wrote on minimal safe key lengths. Note that they show that > it is easy enough to make a cracker that costs eight cents (CENTS!) > per solution, and not that hard to get it down to 1/10th of a cent! > > } There is no need to have the resources of an institution of higher > }education at hand, however. Anyone with a modicum of computer > }expertise and a few hundred dollars would be able to attack 40-bit > }encryption much faster. An FPGA chip --- costing approximately $400 > }mounted on a card --- would on average recover a 40-bit key in five > }hours. Assuming the FPGA lasts three years and is used continuously > }to find keys, the average cost per key is eight cents. This AT&T Orca or FPGA chip or whatever the name is, is it freely available device and how easy would it be to get one? I am not sure I understand what it is, but even in case you would have to write the code to crack RC4 and program the chip yourself, that does not seem very hard thing to do. What I am asking is if this cracking device would be available to anyone with 400$ and some computer knowledge? J�ri Kaljundi jk at digit.ee From blane at aa.net Tue Apr 9 15:32:05 1996 From: blane at aa.net (Brian C. Lane) Date: Wed, 10 Apr 1996 06:32:05 +0800 Subject: WWW User authentication Message-ID: <31676b78.52447450@mail.aa.net> I just finished writing a cgi script to allow users to change their login passwords via a webpage. I currently have the webpage being authenticated with the basic option (uuencoded plaintext). MD5 would be nicer, but how many browsers actually support it? When the user changes their password, the form sends their name, old password, and new password with it, in the clear. This is no worse than changing your password across a telnet connection, but I'd like it to be more secure, but useable by a large number of browsers. Any advice? Brian ------- <blane at aa.net> -------------------- <http://www.aa.net/~blane> ------- Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From jya at pipeline.com Tue Apr 9 15:41:07 1996 From: jya at pipeline.com (John Young) Date: Wed, 10 Apr 1996 06:41:07 +0800 Subject: WRY_cfp Message-ID: <199604091611.MAA01539@pipe1.nyc.pipeline.com> 4-09-96 FT reports on CFP, with wry comments about eavesdropping on cpunkish issues and notables: encryption blanc et noir; sci-fi scenarios; Garfinkel and Chaum on e- money; CDA; cyber-terrorism, -porno, -child abuse, and -crime; suits cold-sweating secrets. For the sweaters, a related sheepswooly vaunts Open Market's "industrial strength" OM-products for secure Net biz. WRY_cfp From froomkin at law.miami.edu Tue Apr 9 15:43:03 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Wed, 10 Apr 1996 06:43:03 +0800 Subject: Singapore & the net Message-ID: <Pine.SUN.3.91.960409121152.4778I-100000@viper.law.miami.edu> Reuters reports Singapore has issued new regulations relating to the Internet today. Anyone have a pointer or details? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From bshantz at nwlink.com Tue Apr 9 15:52:15 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Wed, 10 Apr 1996 06:52:15 +0800 Subject: unsubscrive Message-ID: <199604091623.JAA05150@montana.nwlink.com> Time May Wrote: >Maybe these dweebs are posting from an alternate universe? A universe in >which not even messages explaining that "unsubscrive," "unsuscribe," >"undescribe," "unscribe," and "unimbibe" are not valid alternate spellings >of "unsubscribe." > >I've copied my short explanation of how to subscribe and unsubcribe too >many times to do it again; and it is clear that these folks are either >doing this out of spite, are not reading any of the messages we send them, >or think it funny. I agree with you to a point, Tim. They probably haven't read the messages about how to properly unsubscrive. Not because they are dweebs or because they think it's funny. they probably haven't read the messages because they have 2 or 3 thousand messages in their inbox and they're all from cpunks. Unfortunately, this time, I have to give them the benefit of the doubt for being ignorant. I don't think they're being vindictive. How many of them have posted Unsub messages after being told the proper way to unsub? Brad This may kill off the Cypherpunks list even where Detweiler's massive rants failed. (Now that Detweiler's cabin in Montana has been raided, and one of his tentacles carried off, who will fill his shoes? Vlad the VZNuri is well on his way to matching Detweiler's volume, if not his obsessiveness.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jeffb at sware.com Tue Apr 9 15:52:19 1996 From: jeffb at sware.com (Jeff Barber) Date: Wed, 10 Apr 1996 06:52:19 +0800 Subject: WWW User authentication In-Reply-To: <31676b78.52447450@mail.aa.net> Message-ID: <199604091558.LAA22026@jafar.sware.com> Brian C. Lane writes: > I just finished writing a cgi script to allow users to change their login > passwords via a webpage. I currently have the webpage being authenticated > with the basic option (uuencoded plaintext). MD5 would be nicer, but how > many browsers actually support it? AFAIK, none. I don't see how this would be helpful anyway. If you MD5 the password, I won't be able to snoop the password off the wire, but I can simply snoop the MD5 hash off the wire instead and since that's what your authentication check must now be against, what does this buy you? > When the user changes their password, the form sends their name, old > password, and new password with it, in the clear. This is no worse than > changing your password across a telnet connection, but I'd like it to be > more secure, but useable by a large number of browsers. > > Any advice? Well, if you use SSL, it's useable by a "large number of browsers" since Netscape has such a large share of the browser market. And then all of the things you're doing w.r.t. authentication are hidden, at least from casual eavesdroppers and others too if you use more than the 40-bit option. There's really no other choice to reach a large number of browsers. -- Jeff From perry at piermont.com Tue Apr 9 15:58:54 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 10 Apr 1996 06:58:54 +0800 Subject: Bank transactions on Internet In-Reply-To: <Pine.GSO.3.92.960409173030.9284E-100000@happyman> Message-ID: <199604091603.MAA02105@jekyll.piermont.com> > This AT&T Orca or FPGA chip or whatever the name is, is it freely > available device If you mean "do they sell them commercially" the answer is yes. > What I am asking is if this cracking device would be > available to anyone with 400$ and some computer knowledge? You would have to be smart but yes. There are many such devices, by the way. .pm From perry at piermont.com Tue Apr 9 16:00:54 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 10 Apr 1996 07:00:54 +0800 Subject: NSA Budget In-Reply-To: <9604091030.ZM2472@harry.bwi.wec.com> Message-ID: <199604091605.MAA02111@jekyll.piermont.com> "JR Weaver" writes: > http://www.fas.org/pub/gen/fas/irp/commission/budget.htm > > This page reveals the FY96 NSA budget at $3.6 billion. It doesn't give any details, though. The general size of the NSA budget was known for a long time based on inference -- see "The Puzze Palace". In any case, they are not now making a habit of releasing budget numbers, but you can find out how much they in general spend. Certainly the original poster's request for detailed quarterly reports isn't going to be met... Perry From ddt at lsd.com Tue Apr 9 16:06:10 1996 From: ddt at lsd.com (Dave Del Torto) Date: Wed, 10 Apr 1996 07:06:10 +0800 Subject: [NOISE] Federal Bureau of Indigestion Message-ID: <v03005f07ad903c476596@[192.187.167.52]> [forwards mercifully elided] The following is a direct quote from the Center for Strategic and International Studies report on GLOBAL ORGANIZED CRIME; the author who introduces the story swears it's true. FBI agents conducted a raid of a psychiatric hospital in San Diego that was under investigation for medical insurance fraud. After hours of reviewing thousands of medical records, the dozens of agents had worked up quite an appetite. The agent in charge of the investigation called a nearby pizza parlor with delivery service to order a quick dinner for his colleagues. The following telephone conversation took place and was recorded by the FBI because they were taping all conversations at the hospital. Agent: Hello. I would like to order 19 large pizzas and 67 cans of soda. Pizza Guy: And where would you like them delivered? Agent: We're over at the psychiatric hospital. PM: The psychiatric hospital? Agent: That's right. I'm an FBI agent. PM: You're an FBI agent? Agent: That's correct. Just about everybody here is. PM: And you're at the psychiatric hospital? Agent: That's correct. And make sure you don't go through the front doors. We have them locked. You will have to go around to the back to the service entrance to deliver the pizzas. PM: And you say you're all FBI agents? Agent: That's right. How soon can you have them here? PM: And everyone at the psychiatric hospital is an FBI agent? Agent: That's right. We've been here all day and we're starving. PM: How are you going to pay for all of this? Agent: I have my checkbook right here. PM: And you're _all_ FBI agents? Agent: That's right. Everyone here is an FBI agent. Can you remember to bring the pizzas and sodas to the service entrance in the rear? We have the front doors locked. Pizza Guy: I don't _think_ so... >click< From frissell at panix.com Tue Apr 9 16:08:08 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 10 Apr 1996 07:08:08 +0800 Subject: Open Systems, Closed Systems, & Killer Apps Message-ID: <2.2.32.19960409153328.0075c2c0@panix.com> At the Digital Commerce Society of Boston lunch last Tuesday, I had an epiphany. I finally got the answer to the great question of our age: Why do open systems beat closed systems? One of the peculiar things about today is how successful open systems have become. Closed systems like Communism, X.25, and IBM have fallen to markets, TCP/IP, and the personal computer respectively. And this has happened all over the world in institutions with incredibly varied political and social systems. We were discussing the Chinese government's proposal to maintain a monopoly ISP in China that would censor the connections of its peons and as usual I pointed out the many ways that such restrictions could be overcome (Don't tell T. May about the draft defining a new MIME type "TCP/IP packet". I know he hates MIME). Which led to the response "Sure a few techies will be able to overcome the restrictions but the masses won't and the government won't mind a little leakage as long as they maintain overall control." To which I retorted "ordinary people will overcome the technical barriers if they have sufficient motivation." Which brought up the subject of what are the "killer apps" for the Net. What will motivate people enough to choose open communication even though it's hard and sometimes even dangerous. Which led to: The killer app of open systems is not any particular application it is the openness, the freedom itself. The denizens of the DDR had to overcome the Stasi, barbed wire, mines, walls, tank traps, etc to adopt an open systems architecture. Learning to use a few TCP/IP tricks (or building them into applications and using those applications) is much easier than breaching the Berlin Wall. Open systems whether MarketEarth or TCP/IP let you trade/communicate at will with anyone else. This leads to more trade/communication which leads to more wealth (or non-monetary satisfaction). Since people are able to do more things that they want to do (unblocked by hierarchies) it is only natural that they are more satisfied with the results (and there are more results to be satisfied with). After all, a hierarchical system can only produce outcomes directed by the hierarchy (in the best case). But the top of the hierarchy is much smaller than the bottom of the hierarchy so it can only think of, deal with, and authorize a small number of activities. So the system can only do a few things. I should have known this before since it is implicit in my favorite article from the Economist "THE INCREDIBLE SHRINKING COMPANY" 15 December 1990 (http://www.ios.com/~lroth/CLIPS/Bussiz.html) "Part of the answer [as to why firms are shrinking] may lie in the fact that, loth though they are to admit it, top people's capacity to deal with information is limited. There is no technical reason why a Wall Street investment house should not line the walls of the managing director's office with screens, showing second-by-second price movements for thousands of securities. But there is not much a single person could do with all that information. So the best way to take advantage of increases in the amount of information coming into the firm is to push decision-making down the corporate hierarchy, to where the flow is manageable by a single mind: on Wall Street, a trader." [And if you don't, the market will.] Hierarchies my be able to produce a lot of a limited range of products: megatons of sandy concrete and dead bodies like Communism, or globe-spanning private networks like X.25, or millions of pounds of Armonk Iron like IBM, but they can't produce as broad or satisfactory or an output or in the end as *large* an output as open systems can. The Net or the Market can produce an incredible range of products that no *one* would ever think of (save for the *one* who did). And since people are more likely to find things that they want in the whole range of "products," open systems encourage more activity and hence more "wealth." Additionally, the absence of the need to ask permission from Gosplan, or the Sysadmin, or some marketing committee obviously makes it possible to do more faster. You not only save the begging and committee decision time, you can do things that others might think bad or peculiar. No need to convince strangers about the value of your idea prior to trying it out. You get to just do it. Now none of these differences between open systems and hierarchies meant much when the bulk of the world's population had to spend all of its time growing food to survive, but now... Choice exists and choices will be made. Hierarchies will try and resist the spread of open systems but they will not be successful and their failures will come faster and be much more obvious as time goes on. If one organization resists "successfully," people and money will drain away from it to other organizations where they are allowed a fuller range of choice. The success of open systems will help the spread of those systems into the surviving bastions of hierarchy. That's why I'm the Pangloss of Cypherpunks "everything's for the best in the best of all possible worlds". I know that this is all Kindergarten stuff but sometimes simple things are hard to see. People today are offered a choice between two ways of doing things: 1) You get to do what you want and (by the way) have a vast wealth of "things" to own/use. or 2) You have to do what other people tell you and (unfortunately) make do with less of everything including choice, money, and "toys." I wonder what choice people will make? DCF From secret at secret.alias.net Tue Apr 9 16:26:49 1996 From: secret at secret.alias.net (K00l Secrets) Date: Wed, 10 Apr 1996 07:26:49 +0800 Subject: None Message-ID: <199604091645.LAA19569@paulsdesk.phoenix.net> > Shaving probably will not be a problem, but holding your head at a > slightly different angle... will screw up the system totally, > unless the system has radically improved since the last time I read > up on it. Well, the systems I have seen are quite good at finding people's eyes. Scaling (for distance), and rotation (for the angle of your head) therefore don't really confuse the system once it has your eyes. From frantz at netcom.com Tue Apr 9 16:47:17 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 10 Apr 1996 07:47:17 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <199604091714.KAA27317@netcom9.netcom.com> At 2:51 AM 4/9/96 -0400, Declan B. McCullagh wrote: >... >The DoJ and Taylor are going to argue that IP V6 can include such an >adult/minor tag in each datagram! One of their key witnesses is Dan >Olsen, the head of the computer science department at Brigham Young >University and the incoming director of the Human Computer Interaction >Institute at CMU. Declan - One of the migration paths suggested for IPV4 to IPV6 migration is to tunnel IPV4 packets within IPV6 packets. IPV4 packets do not provide for an adult/minor tag, so until the transition to IPV6 is fairly well along, this approach will be ineffective. If the people who are worried about minor's accessing smut want something this century, they should go with PICS. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From reagle at MIT.EDU Tue Apr 9 16:56:53 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Wed, 10 Apr 1996 07:56:53 +0800 Subject: Bank transactions on Internet Message-ID: <9604091701.AA29911@rpcp.mit.edu> At 04:31 PM 4/8/96 -0700, you wrote: >I agree with Jim at SFNB that the encryption made possible by VeriSign >server certificates is an integral part of remote banking on the Web. >However, I would encourage Security First and other banks looking at the Web >to focus increased attention on client certificates AND to migrate away from >their dependence on user passwords. I brought this up with SFNB a month or so ago (when I opened my account) and the word then was that client side certificates would be avaible within a month or so, my time guestimate (based on what they were saying) was half-a-year. >Admittedly, client certificate >functionality has not yet been available but it will probably be standard by >mid-1996. Let's hope so, I am not keeping significant funds in that account until I have a certificate. >Yes---it is true that security is never absolute. I hope Eric Young does attempt to crack a 40-bit SFNB session as he mentioned on cpx today. >As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches >passwords. I suspected this, and was further exposed because of a common problem with using Netscape and the like from student accounts (with a big 10M quota), say on MIT's athena, where I like my disk cache to reside in the workstations /tmp . I wipe(d) it whenever I log out, but I'm sure others sprinkled their passwords in a million "public" cache's before SFNB stuck the tag no-cache tag in. OBJava: do java applets have access to the cache, would it be possible to write one of the little nasties that keep an eye on the cache? >Additionally, people tend to use a single password for 10 or more of their >relationships and one compromise, compromises all. Indeed! How many people use their easily crack "ftp:/etc/passwds" password for SFNB? _______________________ Regards, The best way to have a good idea is to have lots of ideas. - Linus Pauling Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From asgaard at sos.sll.se Tue Apr 9 17:19:49 1996 From: asgaard at sos.sll.se (Asgaard) Date: Wed, 10 Apr 1996 08:19:49 +0800 Subject: They're running scared. In-Reply-To: <199604081638.MAA03875@Fe3.rust.net> Message-ID: <Pine.HPP.3.91.960409185501.7014B-100000@cor.sos.sll.se> On Mon, 8 Apr 1996, Michael C. Peponis wrote: > Personally, I love national insecurity such as terrorist attacks and > random bombings, wish there were more of them by more people. A big problem with random bombings is that one self can become part of the random targets. Asgaard From unicorn at schloss.li Tue Apr 9 17:44:05 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 10 Apr 1996 08:44:05 +0800 Subject: the cost of untracability? In-Reply-To: <2.2.32.19960408231626.00c90cc8@panix.com> Message-ID: <Pine.SUN.3.91.960409132018.17470A-100000@polaris.mindport.net> On Mon, 8 Apr 1996, Duncan Frissell wrote: > At 03:36 PM 4/8/96 -0400, Black Unicorn wrote: > > >In addition, to prevent funds from being removed to non-resident aliens > >or foreign entities where tax enforcement and collection is difficult, > >there is a 30% withholding requirement in the event the payee is not a > >U.S. citizen or resident (for tax purposes). > > The withholding tax applies only if the payee is not a resident of a > jurisdiction with a tax treaty with the US. Agreed, but with qualification. Most, but not all, tax treaties include provisions limiting or eliminating the foreign soruce withholding tax. Note, however, that these are typically only treaties that also provide for information sharing and enforcement of foreign tax judgments. Offshore jurisdictions which do not permit information sharing, jurisdictions without mutual legal assistance agreements, and offshore jurisdictions which do not have treaties at all with the United States (i.e. jurisdictions where one would want to actually hold assets and feel them secure) are going to expose the payee to this liability. It's a trade off unless one finds a jurisdiction without such a treaty which is at the same time unwilling to cooperate and withhold the taxes. Even in the event this jurisdiction is used, if the payor has assets in the United States they will be attachable to satisfy the payee's 30% withholding tax. In my view it is best to opt for banking secrecy jurisdictions and financial entities that hold no significant assets in the United States. Net banking will further muddy > the waters on this because of the difficulty of telling the residency of > customers particularly in the case of accounts transferred to third parties > for profit -- a worthwhile future business activity. Agreed. > DCF --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From arager at hibbertco.com Tue Apr 9 17:45:40 1996 From: arager at hibbertco.com (Anton Rager) Date: Wed, 10 Apr 1996 08:45:40 +0800 Subject: NSA Budget - NOT! Message-ID: <n1383078154.35440@imailgw.hibbertco.com> Wouldn't it be great if it were true!!!!!!! -- sorry folks -- doesn't seem to exist 1. - No domain of dod.gov -- there is info for nsa.gov...just not dod.gov 2. - No valid URL of http://nsa.dod.gov/~reports/quarterly.txt -- no page returned This must be a joke....I was gullible enough to try anyway. ____________ Original Message Follows _____________________________________ Yes, there are annual and quarterly reports released to the public which describe in meticulous detail expenditures for the agency's program, personnel and equipment: 1. The program of services and information supplied to government and other intelligence organizations, US and foreign, with terms of each client contract. 2. US employees, their organization, skills, duties and longevity of service; their names, ranks, identification codes, secure communication methods and home addresses; the location of workplaces; the continued training each is scheduled to receive; leaves of absence and destinations while absent. 3. Foreign nationals covertly employed worldwide, with information on each as per 2. 4. A comprehensive listing of all types of world-wide equipment operated; its detailed design, function and output; where it is located; its designers, manufacturers and purchase cost; its schedule of amortization; and its schedule for replacement and/or upgrade, with fifteen-year projected procurement. 5. Special short- and long-term contracts with governmental and non-governmental organizations, US and foreign for one-time projects, by goal, personnel and equipment. 6. Special projects with other US and foreign counter- intelligence to issue disinformation about the agency. 7. Special section on world-wide US and foreign cryptology: cryptanalysis, cryptography, steganography, codes, cyphers, glyphs, mimes; each ranked for security and ease of cracking; governmental and non-governmental parties using each; names of cooperative and resistant cryptographers and cooperating pseudo-cryptographers. 8. Sub-section on methods of Internet traffic and language analysis; operation and surveillance of anonymous remailers, bulletin boards and mail lists; lists of cooperative and resistant educational institutions and commercial organizations. 9. Appendices on: black operations; transparent operations; methods for managing cooperative and resistant governmental and non-governmental persons. The public is invited to study and/or download these reports anonymously at: http://nsa.dod.gov/~reports/quarterly.txt From jimbell at pacifier.com Tue Apr 9 18:44:27 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Apr 1996 09:44:27 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <m0u6iqv-0008ymC@pacifier.com> At 07:57 AM 4/9/96 -0500, Mike McNally wrote: >jamesd at echeque.com wrote: >There are supposedly some new techniques that look at the infrared >signature of your face (like, I guess, distribution & position of >hot & cold spots), and that's less likely to be fooled by facial >hair and other superficial disguises. It's probably a fairly simple >technology, and could be applied to the credit card ID problem. I think this is based on looking at your face with near-infrared, not the medium and far (thermal) infrared. Near infrared is supposed to penetrate flesh far better, so your blood vessels are visible and form a pattern which can be recognized. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Tue Apr 9 18:49:43 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 10 Apr 1996 09:49:43 +0800 Subject: NSA Budget In-Reply-To: <19960408.181433.15302.0.zalchgar@juno.com> Message-ID: <Pine.SUN.3.91.960409133756.17470D-100000@polaris.mindport.net> On Mon, 8 Apr 1996, zalchgar wrote: > Is there a public release of the NSA's annual Budget. No. > If so is there a quarterly release. No. One can, however, get an idea of the size because of the various screwups the budget committee makes. For example. This year a bar chart (to scale) representing the various agencies was released without exact numbers attached. The idea was to give the policy makers an idea about what the relation between the intelligence agencies was in terms of budget without giving away the exact figure. Of course the office of intelligence policy and review released a report giving the size of the entire intelligence budget. I believe the Washington Post had some reporter who pulled out a ruler and measured all the bars, then published the figures that went to each agency based on the total figure released. A quick search of the papers (last month?) will probably give you the figures. > -Erinn --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From m5 at vail.tivoli.com Tue Apr 9 19:11:16 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 10 Apr 1996 10:11:16 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <199604091738.NAA00421@universe.digex.net> Message-ID: <316AA1FC.6ED1@vail.tivoli.com> Scott Brickner wrote: > Given your position, io.com is only accessible to adults in the world > of the CDA advocates. Just upgrade your IP software to refuse > connections from minors. It's not "my" IP software. I pay io for an account. What you're saying is that every ISP would have to decide whether to be completely G-rated or else open to anybody. Sigh. That's probably what the CDA crowd wants. It's hard not to become consumed by hatred. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From sameer at c2.org Tue Apr 9 19:28:51 1996 From: sameer at c2.org (sameer at c2.org) Date: Wed, 10 Apr 1996 10:28:51 +0800 Subject: Job at C2.NET Message-ID: <199604091734.KAA01513@atropos.c2.org> See http://www.c2.net/jobs/ JUNIOR SYSTEM ADMINISTRATOR / TECHNICAL SUPPORT Responsibilities: Responsible for day-to-day administration of UNIX servers, network, and dialin modem pool. Configure and install new servers and network connections. Handle account creation, web server maintanence, DNS setup. Maintain newsserver, webserver, nameserver. Communicate with customers and respond to customer inquiries regarding products and services. Perform low-level technical support for basic customer concerns. Maintain website. Requirements: UNIX (SunOS and FreeBSD) administration experience. Experience with BIND, Apache, INN. Strong C, Perl, general programming background. Good communication skills. Experience dealing with customers and related support issues. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From sjb at universe.digex.net Tue Apr 9 21:08:38 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 10 Apr 1996 12:08:38 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <316A6175.74DA@vail.tivoli.com> Message-ID: <199604091738.NAA00421@universe.digex.net> Mike McNally writes: >Declan B. McCullagh wrote: >> The attached paper by Dr. Reed is worth reading -- I haven't seen this >> argument raised before. One portion that I found fascinating was: >> >> "It is quite silly to imagine that the Ascend router at the ISP can >> figure out if it is me or my child generating each packet." >> >> But that's exactly what the defenders of the CDA are claiming! Here's >> some background that might be interesting: > >I sent a letter to the Economist last year pointing this out after reading >an article containing the offhand statement, "... and of course it is >entirely feasible to control Internet content" (or something like that). >I don't have those magic two letters at the front of my name though. It >seems so utterly obvious. When you connect to an ISP via PPP or SLIP, >all the ISP is doing is routing packets. Wait a second. I don't know that it's really as impossible as you think. Given the CDA advocates' hypothesis that anonymity is a Bad Thing (tm), it's reasonable for them to assume that the ISP can arrange to have a policy requiring that it know who's making the SLIP/PPP connection. It's not too hard to have *every* packet generated by a given connection flagged with an IP option indicating "adult" or "minor". It's not that different from the "Security Classification" option that's already in the IP spec. Incoming connections to a server are then already marked, leaving no excuses for servers that deliver contraband to such connections. The only technical problem comes when the SLIP/PPP link serves a mixed group of users, as described in Dr Reed's paper. In this case, I'd think the ISP would be responsible for verifying that the person requesting the "adult-flagged" service is really an adult, and *that* person is responsible for what happens to the data after it's delivered. It'd be no different from the case where an adult goes into an adult bookstore, buys contraband, and gives it to a minor. The bookstore isn't accountable. The argument that this is technically infeasible is hooey. This doesn't address the issue of whether it's a Good Thing (tm), though. Dr Reed argues that such end-to-end policies are best left out of the network layer, but admits that adding support to the network layer may reduce the implementation cost. It's still expensive, though, since all providers of indecent material and all participating ISPs have to upgrade their software. What possibilities does it leave for anonymity? ISPs that don't participate in the packet flagging might permit anonymous connections, since it's entirely up to the information provider whether to deliver the requested data. Adult content providers who deliver contraband to unflagged connections are asking for trouble. >> Chris Hansen from the ACLU told me last Friday: "Olsen is going to push >> this tagging idea that the government has, that you can imbed in your >> tag -- in your address -- an adult or minor tag. They're going to >> suggest that the market will come into existence that will make that >> tagging relevant." > >Uhh... what about the rather obvious problem that some of these new >fangled computers can support an enormous spread of information? My >web site at io.com has no offensive materials (though I recently rated >it as basically "Satan's Headquarters" via SurfWatch), but other stuff >at io.com may well be offensive. Packets routed out through io's >interface will of course all come from the same address. Given your position, io.com is only accessible to adults in the world of the CDA advocates. Just upgrade your IP software to refuse connections from minors. My response to the censors' position that too much stuff on the 'net is unsuitable for children is: "Keep 'em off the net, then." I'd rather have internet access by minors generally forbidden than have censorship. From declan+ at CMU.EDU Tue Apr 9 21:14:13 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 10 Apr 1996 12:14:13 +0800 Subject: Singapore & the net In-Reply-To: <Pine.SUN.3.91.960409121152.4778I-100000@viper.law.miami.edu> Message-ID: <AlOhGTG00YUvMZAX8K@andrew.cmu.edu> Excerpts from internet.cypherpunks: 9-Apr-96 Singapore & the net by Michael Froomkin at law.mia > Reuters reports Singapore has issued new regulations relating to the > Internet today. Anyone have a pointer or details? Some Singapore lawyerperns have responded to my net.censorship update page with corrections. I'll track down the mail and forward to the list. -Declan From frantz at netcom.com Tue Apr 9 21:19:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 10 Apr 1996 12:19:48 +0800 Subject: Bank transactions on Internet Message-ID: <199604091732.KAA29261@netcom9.netcom.com> At 12:13 AM 4/9/96 -0700, Steve Reid wrote: >> Is it really that easy to break 40-bit? Don't you need access to a "fair >> amount of cpu power" to brute force crack 40bit? > >I remember reading a recent paper at this URL: > http://theory.lcs.mit.edu/~rivest/bsa-final-report.ascii >They mentioned a Field Programmable Gate Array (FPGA), specifically a >board-mounted AT&T Orca chip available for around $400. They said it could >crack a 40-bit key in 5 hours (average). Sounds like anyone with root >access on a major internet node could make a significant profit stealing >credit card numbers. > >The FPGA sounds like a very interesting device, with quite a few >legitimate uses... Has anyone out there seen one of these? I was hoping a hardware type would answer this question, and give references to manufacture's spec sheets, but not having seen such an answer, here is a software person's answer. Gate arrays are a common part of complex electronics. If you are viewing this answer on a screen, it is quite probable that there is one right before your nose. They come in two basic forms, mask programmed and field programmed. Mask programmed gate arrays are an array of logic gates, which are "programmed" to an application by a final metalization layer. They are quite inexpensive when ordered in quantity. Field Programmed Gate Arrays (FPGAs) are designed for prototyping designs, and can programmed electrically. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Tue Apr 9 21:59:03 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Apr 1996 12:59:03 +0800 Subject: [NOISE] Federal Bureau of Indigestion Message-ID: <m0u6lsa-0008zUC@pacifier.com> At 09:15 AM 4/9/96 -0700, Dave Del Torto wrote: >[forwards mercifully elided] > >FBI agents conducted a raid of a psychiatric hospital in San Diego that was >under investigation for medical insurance fraud. After hours of reviewing >thousands of medical records, the dozens of agents had worked up quite an >appetite. The agent in charge of the investigation called a nearby pizza >parlor with delivery service to order a quick dinner for his colleagues. Funny stuff deleted. >PM: And everyone at the psychiatric hospital is an FBI agent? >Agent: That's right. We've been here all day and we're starving. >PM: How are you going to pay for all of this? >Agent: I have my checkbook right here. >PM: And you're _all_ FBI agents? >Agent: That's right. Everyone here is an FBI agent. Can you remember > to bring the pizzas and sodas to the service entrance in the rear? > We have the front doors locked. >Pizza Guy: I don't _think_ so... >click< I'm waiting for Unicorn to claim that the next phone call to the pizza shop was from a judge, who was placing a subpoena on the next 19 pizzas that shop produced, and ordered them delivered to the hospital for psychiatric evaluation. B^) Jim Bell jimbell at pacifier.com From alano at teleport.com Tue Apr 9 22:14:00 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 10 Apr 1996 13:14:00 +0800 Subject: [noise] Re: They're running scared. Message-ID: <2.2.32.19960409202520.0093ba00@mail.teleport.com> At 06:59 PM 4/9/96 +0200, Asgaard wrote: >On Mon, 8 Apr 1996, Michael C. Peponis wrote: > >> Personally, I love national insecurity such as terrorist attacks and >> random bombings, wish there were more of them by more people. > >A big problem with random bombings is that one self can become part >of the random targets. The question is if they are truly random bombings and how do we determine if they are. And if they are truly random, how can they be adapted as a source for a good cryptosystem? ("We are sorry for the delays in the transmision. We had to let a few more bombs go off.") How many bits of entropy do you get from an explosion anyways? (Depends on how close you are to the blast...) ];> --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From jimbell at pacifier.com Tue Apr 9 22:36:33 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Apr 1996 13:36:33 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u6mlr-0008zkC@pacifier.com> At 03:46 PM 4/8/96 -0400, Black Unicorn wrote: >> Spooner's quote follows: >> >> "Doubtless the most miserable of men, under the most oppressive >> government in the world, if allowed the ballot, would use it, if they >> could see any chance of thereby meliorating their condition. But it >> would not, therefore, be a legitimate inference that the government >> itself, that crushes them, was one which they had voluntarily set up, or >> even consented to." >> >> Lysander Spooner > >I didn't respond to this part originally because I grew tired of typing >"Yadda yadda yadda" everytime Mr. Bell lapsed into another >psycho-political babble session. And the rest of us are tired of seeing those non-responses! >What this has to do with Mr. Bell's position, that citizens as a whole had >grown so discontented in the United States that they were prepared to rebell >actively in large numbers, is unclear. In fact the Spooner quote adds >more to my position than Mr. Bell's: > >"if allowed the ballot, would use it, if they could see any chance of >thereby meliorating their condition." > >Seems that even according to Spooner, the citizens of the U.S. aren't >hopeless yet. Aside from the fact that Lysander Spooner has been dead for a LONG time, and thus has no opinion concerning 1996 America, your "logic" is atrocious. He is saying: "If people think it might help, they might use the ballot." He is _not_ saying: "If people use the ballot, it means they think it might help." Maybe such subtleties of logic are beyond you... >In fact there is ample evidence that citizens who have come to believe >that a sovereign is beyond redemption refuse to participate in the >political process any longer. Iran, Iraq, the former Soviet Union, >Turkey, the Baltic States are all examples. I think that the main reason this observation is hilarious is that one frequent complaint from media types is (and has been, for decades) that there is a nearly steadily-decreasing voter turnout at the polls in the US. It is not my intention to make the same foolish logical error that you did. I won't claim, absolutely, that failure to participate in an election _must_ be evidence that people believe "a sovereign is beyond redemption." But since you've stepped into it, I intend to rub your nose in it as well. To whatever extent you believe your last claim, you should be willing to accept the obvious conclusion that many of the American public don't believe that the government is worth trying to retrieve, and they haven't for years. Which means that, as usual, you've ended up shooting yourself in your own foot. When you said: >>> >Funny, the latest primary has been one of the highest voter turn outs in >>> >quite a while (except in Deleware). Considering those are the law-and-order >>> >types who are most likely to invade personal liberities, I think its a >>> >bit hard to make the case that the temper of the country is anything but >>> >very pro-political process. I pointed out, correctly, that mere participation in the vote doesn't evidence any claim that a person is "very pro-political process." You've done a piss-poor job defending this. And you've forgotten that to whatever extent voter turnout is up with respect to past years, it is only "up" because it has been dramatically down for decades. You need to explain why a citizen, or citizens as a group, should be obligated to tolerate this political situation for decades without doing anything to bypass the political system when they appear to not believe in a reasonable likelihood that it'll fix itself. Jim Bell jimbell at pacifier.com From s1113645 at tesla.cc.uottawa.ca Tue Apr 9 23:06:11 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Wed, 10 Apr 1996 14:06:11 +0800 Subject: [reputationpunks] Article on Moody's Message-ID: <Pine.3.89.9604091832.A19718-0100000@tesla.cc.uottawa.ca> This week's Economist has a nice tidbit on bond rating agencies and antitrust on page 80. A comment on firms that trade mostly on their reps. Is an unsolicited rating by a for-profit agency an act of free speach or an act of defamation? From fletch at ain.bls.com Tue Apr 9 23:32:29 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Wed, 10 Apr 1996 14:32:29 +0800 Subject: WWW User authentication In-Reply-To: <199604091558.LAA22026@jafar.sware.com> Message-ID: <9604092033.AA27923@outland.ain_dev> > AFAIK, none. I don't see how this would be helpful anyway. If you > MD5 the password, I won't be able to snoop the password off the wire, > but I can simply snoop the MD5 hash off the wire instead and since > that's what your authentication check must now be against, what does > this buy you? It would require a previous shared secret, but wouldn't the following protocol work (pardon my ASCII diagram): Q - Shared secret; Both server and client know this R - Random challenge; Server sends in clear to client wanting to be authenticated. Server Client 1) Request auth 2) Send R 3) Send back MD5( R, Q ) 4) Compare recieved value to computed value Granted this straight off the cuff, and you can't securely change Q via this protocol (unless you store previous MD5(R,Q)'s and use that as the next Q (i.e. Q_n+1 = MD5(R,Q_n))). Once someone gets MD5 in Java done, you could send an applet that would handle the protocol client side. --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From stillson at ashd.com Tue Apr 9 23:44:53 1996 From: stillson at ashd.com (Chris Stillson) Date: Wed, 10 Apr 1996 14:44:53 +0800 Subject: WWW User authentication Message-ID: <199604092100.QAA21158@bach.ashd.com> At 11:58 4/9/96 -0400, Jeff Barber wrote: >Brian C. Lane writes: > >> I just finished writing a cgi script to allow users to change their login >> passwords via a webpage. I currently have the webpage being authenticated >> with the basic option (uuencoded plaintext). MD5 would be nicer, but how >> many browsers actually support it? > >AFAIK, none. I don't see how this would be helpful anyway. If you >MD5 the password, I won't be able to snoop the password off the wire, >but I can simply snoop the MD5 hash off the wire instead and since >that's what your authentication check must now be against, what does >this buy you? > > Well, that isn't exactly how digest authentication works. In fact mister barber should figure out what he is talking about before saying anything. But, you can't really use a hash function to send the new password. >> When the user changes their password, the form sends their name, old >> password, and new password with it, in the clear. This is no worse than >> changing your password across a telnet connection, but I'd like it to be >> more secure, but useable by a large number of browsers. >> >> Any advice? > >Well, if you use SSL, it's useable by a "large number of browsers" since >Netscape has such a large share of the browser market. And then all of >the things you're doing w.r.t. authentication are hidden, at least from >casual eavesdroppers and others too if you use more than the 40-bit option. >There's really no other choice to reach a large number of browsers. > > >-- Jeff Once again mister barber is being an idiot. netscape is not a "large number of browsers". He is right that ssl is probably a good way to go. (shttp would be better :) ) You might be able to hack something together with java that did some kind of clever thing, but then you are limited again. CGI just isn't made for sending secure information. As far as digest (MD5) authenitcation goes, I know that the spyglass browser, and most of its derivatives (like m-soft i-net explorer) can use it. I know cause I did a lot of the QA on it. The real problem is finding a server that supports it. I don't know if apache or ncsa do, but they could probably be hacked to do it. If you download a spyglass server, I know it works (I did a lot of the early QA on that too ). But that probably doesn't help too much. You should probaly find something better than the web to do it. Chris ############################################ Chris Stillson Chief Rocket Scientist Resident Web Geek Hip Young Nerd Second Rate graphic designer Unix Guru In other words, Webmaster American Software & Hardware Distributors fluffy at ashd.com Check out our web site-> http://www.ashd.com Cause I did it all.... stop the CDA. Check http://www.eff.org ############################################ From frissell at panix.com Wed Apr 10 00:21:51 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 10 Apr 1996 15:21:51 +0800 Subject: Open Systems, Closed Systems, & Killer Apps Message-ID: <2.2.32.19960409182717.009e146c@panix.com> At 11:33 AM 4/9/96 -0400, Duncan Frissell wrote: >I should have known this before since it is implicit in my favorite article >from the Economist "THE INCREDIBLE SHRINKING COMPANY" 15 December 1990 > >(http://www.ios.com/~lroth/CLIPS/Bussiz.html) Try http://www.ios.com/~lroth/clips/bussiz.html instead. DCF From declan at well.com Wed Apr 10 01:38:08 1996 From: declan at well.com (Declan McCullagh) Date: Wed, 10 Apr 1996 16:38:08 +0800 Subject: Background on Singapore net-censorship Message-ID: <Pine.3.89.9604091414.A1621-0100000@well> Michael, here's the message I was forwarded. Thanks to Joon-Nie for corrections to the articles I included, mainly from the NYT/WP and the Reuters/AP wire. -Declan ---------- Forwarded message ---------- Date: Wed, 10 Apr 96 03:57:22 EDT From: Lau Joon-Nie <joonlau at pacific.net.sg> Subject: [Fwd: Re: International Net-Censorship Efforts Update] Spotted this in a newsgroup, but I would caution readers against wholesale reliance on its contents without some official verification as not all of it may be entirely correct (at least the Singapore bits weren't - which I have amended). rgds, joon-nie =========BEGIN FORWARDED MESSAGE========= In soc.culture.singapore, "Declan B. McCullagh" <declan+ at CMU.EDU> wrote: >I've just doubled the number of international net-censorship efforts >that I track on my web page: <http://www.cs.cmu.edu/~declan/zambia/>. >Included are new updates reporting on Germany, France, Australia, >Singapore, Canada, and China, among others. Please send me reports on >countries I've missed! >-Declan >-------------------------------------------------------------------------- > > OTHER INTERNATIONAL NET-CENSOR EFFORTS > By Declan McCullagh > declan at well.com > http://www.cs.cmu.edu/~declan/zambia/ > > France, China, Germany, Singapore, Jordan, the U.S., and many other > countries are moving towards tighter control of the Internet. France > and Germany want to see an international agreement of information > controls emerge. Recently China required all of its estimated 40,000 > Internet users to register at the local police station. This > international crackdown marks a turning point in the development of > the Net. > > Germany > > Germany cuts off access to holocaust revisionist web site (1/96) > German Internet update, new laws planned (3/29/96) > Los Angeles Times on German vs. U.S. netcensorship (3/13/96) > German minister predicts collapse of governments (3/12/96) > Germany's CompuServe net-censorship (12/31/95) > > France > > French government bans controversial book (1/96) > French Jewish students sue ISPs for revisionist materials (3/14/96) > French Jewish students sue ISPs for revisionist materials (3/15/96) > France calls for "global Internet rules" (2/3/96) > > Europe > > Swiss statement on voice over Internet (3/16/96) > Sweden proposes CDA-type law to control Internet (4/3/96) > Italian net-censorship necessary, says Simon Wiesenthal Ctr (1/11/96) > Turkey cracks down on Internet (2/18/96) > Belgium bans non-escrowed encryption (1/10/96) > > Asia and Pacific Rim > > Singapore leader condemns Net (3/7/96) ^^^^^^^^^^^^^^^^^^^^^^^^ This phrase is at best vague. My guess is that he's referring to the news conference on 5 Mar 96 given by S'pore's Information and the Arts Minister Brig-Gen George Yeo where it was announced that S'pore would be implementing a regulatory framework to inter alia, block off objectionable sites, deem all content providers (except those "acting in personal capacity" - yet to be defined) as licensed, and requiring certain types of content providers (those publishing religious, political or racial content/discussions on websites, and certain online newspapers, in particular those already selling hardcopy versions in S'pore) to register themselves with the S'pore Broadcasting Authority. BG Yeo did not in any way "condemn" the internet. On the contrary, if my memory serves me correctly, he said S'pore was going full steam ahead with providing people with access eg. through schools, and that there were already an estimated 100,000 internet users in S'pore. For full text of the news release, see: http://www.antcrc.utas.edu.au/~kwe_chia/sef/SBA.html > Indonesia attacks Net (3/11/96) > Malaysia complains about uncensored Net, censors it (3/11/96) Again, this is not entirely accurate. If I recall correctly, Malaysian Information Minister said some censorship was necessary and agreed with S'pore that ASEAN should work tog to come up with some standards. A day or two later, M'sian Prime Minister Mahathir said something to the effect that censorship was not possible and that education was the key. No active measures by M'sia as far as I'm aware of. Perhaps TM Tan can enlighten us. :) > Singapore censors political, religious net.info (3/6/96) This was in relation to the news conference on 5 Mar 96 mentioned above on the *planned* regulatory framework. Details and legislation have yet to be tabled in Parliament so none of the proposals mentioned in the release have been carried out as yet although S'pore IASPs have, for several months now, been blocking off access to some 40-50 "objectionable sites" (read: pornographic) from a list given to them by the authorities. Framework details are expected within the next 2 months. Meanwhile a S'pore netter has submitted on 30/3/96 a petition supported by 40 signatories to the authorities against inter alia, regulation of political, religious, racial expression of ideas, and suggesting that govt ministries set up PR depts to counter such ideas if need be. > China > > China cracks down on Internet, "state security" cited (1/24/96) > China's anti-cyberporn efforts (2/4/96) > New York Times on China's net.crackdown (2/5/96) > China's history of Net-regulation, cyberporn concerns (1/1/96) > China requires Internet users to register with police (2/16/96) > U.S. State Dept criticizes China's net.censorship (3/8/96) > China applauds German net.censorship (1/11/96) > > Australia > > Australia considers net.legislation (2/13/96) > New South Wales tries net-censorship (4/3/96) > Australians upset by German Zundelcensorship (4/7/96) > > Canada > > Letter to Canadian minister (3/19/96) > Canada needs to regulate Net, says Simon Wiesenthal Ctr (2/20/96) > > Middle East > > Persian Gulf States reluctant to move online (4/6/96) > Jordan installs Internet screening facility (1/8/96) > Saudi Arabian government says no unrestricted Net access (1/10/96) >-------------------------------------------------------------------------- =========END FORWARDED MESSAGE========= *---------------------------* Lau Joon-Nie joonlau at pacific.net.sg "Even God has a Geiger-complex" - Dr Aaron Shut, Chicago Hope - *---------------------------* From alano at teleport.com Wed Apr 10 02:46:10 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 10 Apr 1996 17:46:10 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <2.2.32.19960409221018.0093c1a0@mail.teleport.com> At 12:44 PM 4/9/96 -0500, Mike McNally wrote: >Scott Brickner wrote: >> Given your position, io.com is only accessible to adults in the world >> of the CDA advocates. Just upgrade your IP software to refuse >> connections from minors. > >It's not "my" IP software. I pay io for an account. What you're saying >is that every ISP would have to decide whether to be completely G-rated >or else open to anybody. Then they go on about how every school in the country needs to be connected to the net... I am wondering where they got the idea that the net is someplece they want their children to be. They don't let them play in distant parks inhabited by scary old men and drunks, yet they want them to play on the "information Superhighway". The CDA types seem to view the net the same way that they view TV in the classrooms. They expect it to be as easy to control as well. Get them all staring at the box and they will quiet down and do as they are told. What these people do not seem to understand is what is going to happen when their kids are exposed to the diverse opinions present on the net. Forget the porno... What are the parents who believe in Creationism going to do when little Johnny runs into a good skeptical site debunking all that crap? What are they going to do when the little liberal kids are exposed to the works of conservitives? Or Biblical Inerentists kidlets are exposed to the debunkings of that faith? Or Dorthy Denning's kids (if she has any) get exposed to the writings of the subversive known as Tim May? The CDA proponents want the ideas presented to their kids be controled ones. The existance of freedom on the net is a threat to that control. Porno is used as the (net)scapegoat, but there are far more threatening ideas out there to that kind of mindset. They just know that if they tell you their true goals, then people will not go along with them. If you want to know their real fears, read the stuff they write for the "faithful". It is far more revealing. ("Remember: It is not a conspiracy if you can subscribe to their newsletter.") >Sigh. That's probably what the CDA crowd wants. It's hard not to become >consumed by hatred. When reading Lovecraft, i always wondered what could be written down that would drive men mad. Lovecraft always described it as some cosmic horror. The cosmic is too far removed for most people to understand. I have always thought that instead, it described how the world worked and the driving motivations behind it, with the firm understanding that there was not a damn thing you could do to stop it. The understanding that the world is driven by the forces of ignorance and stupidity is enough to drive you to the brink. The Necronomicon was not written by the Mad Arab, it was written by Scott Adams. --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From sandfort at crl.com Wed Apr 10 03:38:04 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 10 Apr 1996 18:38:04 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <Pine.SUN.3.91.960409192104.24728B-100000@crl6.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, Black Unicorn wrote: > >I didn't respond to this part originally because I grew tired of typing > >"Yadda yadda yadda" everytime Mr. Bell lapsed into another > >psycho-political babble session. To which Jim Bell wrote: > And the rest of us are tired of seeing those non-responses! Exactly for whom is Bell speaking? Jimbo, please let us know who has given you a limited powers of attorney to be their mouthpiece. It's sad when someone (correctly) deems their opinions too weak to stand without (dare I say it?) pseudo- spoofing by reference. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From nobody at replay.com Wed Apr 10 03:38:51 1996 From: nobody at replay.com (Name Withheld by Request) Date: Wed, 10 Apr 1996 18:38:51 +0800 Subject: onyma Message-ID: <199604100105.DAA09113@utopia.hacktic.nl> tcmay at got.net (Timothy C. May) writes: >Not meant to be snide, even if sounded that way. I just get confused by >your various nyms The term `nym' is erroneus: The Greek words are an-onym, pseud-onym, syn-onym, hom-onym pp, derived from `onyma', name. From gnu at toad.com Wed Apr 10 03:39:47 1996 From: gnu at toad.com (John Gilmore) Date: Wed, 10 Apr 1996 18:39:47 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <199604100202.TAA16568@toad.com> I thought that most or all of the cypherpunk anonymous remailers don't keep records. Not even on backup tapes. The whole idea is that there aren't logs. But maybe they have found some remailers that are non-cypherpunk. And I haven't verified the truth of what's in the msg below. If anyone hears anything, please let me (or eff at eff.org) know. John Gilmore Date: Tue, 9 Apr 1996 18:27:02 -0700 To: fight-censorship+ at andrew.cmu.edu, eric at remailer.net, farber at cis.upenn.edu (Dave Farber) From: jwarren at well.com (Jim Warren) Subject: (fwd fyi - NOT verified!!) very urgent news Seems like it's just a tad overbroad, if true. Another example of, "all the 'justice' that one can buy"? --jim >Date: Tue, 9 Apr 1996 15:44:52 -0700 (PDT) >From: shelley thomson <sthomson at netcom.com> >Subject: very urgent news >To: jwarren at well.com > >Hello, Jim Warren: > > The church of scientology plans to subpoena the records of every >anonymous remailer in the USA. > > I publish a news/black humor magazine on the net called **Biased >Journalism**. As a journalist I have covered the collision between the >church of scientology and the net. My last three issues have focused on >legal action by the church against Grady Ward and Keith Henson. > > Today I had a note from Grady Ward, whose deposition was finished >today. He said that they asked him a lot of questions about me, and >warned me that they may issue a subpoena for me and a demand for my >email. > > The church presumably intends to claim that I am not a real >journalist because I only publish on the net. I need to prepare a legal >defense, and needless to say, can't afford a lawyer. If you can direct >me to any resources, I would appreciate it very much. > > On the basis of events today, Ward believes the church will >issue subpoenas for the records of every anonymous remailer in the USA. > > If these records are delivered to the church, our First Amendment >rights go with them. > > Shelley Thomson > > publisher, **Biased Journalism** > 800-731-0717 voice message From jimbell at pacifier.com Wed Apr 10 03:41:25 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 10 Apr 1996 18:41:25 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u6pfx-00090gC@pacifier.com> At 07:08 PM 4/9/96 -0700, Bill Frantz wrote: >At 3:21 PM 4/9/96 -0800, jim bell wrote: >>And the rest of us are tired of seeing those non-responses! > >I wish to state that Jim Bell does not speak for me. Tell me, what is the most exciting, interesting, and imaginative usage of "Yadda Yadda Yadda" that _you_ remember, Bill? From alanh at mailhost.infi.net Wed Apr 10 03:47:37 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Wed, 10 Apr 1996 18:47:37 +0800 Subject: Disclosure of Public Knowledge to Foreigners In-Reply-To: <v02140b0fad8f98cb0085@[168.143.8.144]> Message-ID: <Pine.SV4.3.91.960409214927.10780F-100000@larry.infi.net> I thought the framework for all ITAR considerations is - contract law. From tallpaul at pipeline.com Wed Apr 10 03:54:36 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 10 Apr 1996 18:54:36 +0800 Subject: [NOISE] Federal Bureau of Indigestion Message-ID: <199604100144.VAA00629@pipe5.nyc.pipeline.com> On Apr 09, 1996 14:24:47, 'jim bell <jimbell at pacifier.com>' wrote: >At 09:15 AM 4/9/96 -0700, Dave Del Torto wrote: >>[forwards mercifully elided] >> >>FBI agents conducted a raid of a psychiatric hospital in San Diego that was >>under investigation for medical insurance fraud. After hours of reviewing >>thousands of medical records, the dozens of agents had worked up quite an >>appetite. The agent in charge of the investigation called a nearby pizza >>parlor with delivery service to order a quick dinner for his colleagues. > >Funny stuff deleted. > >>PM: And everyone at the psychiatric hospital is an FBI agent? >>Agent: That's right. We've been here all day and we're starving. >>PM: How are you going to pay for all of this? >>Agent: I have my checkbook right here. >>PM: And you're _all_ FBI agents? >>Agent: That's right. Everyone here is an FBI agent. Can you remember >> to bring the pizzas and sodas to the service entrance in the rear? >> We have the front doors locked. >>Pizza Guy: I don't _think_ so... >click< > >I'm waiting for Unicorn to claim that the next phone call to the pizza shop >was from a judge, who was placing a subpoena on the next 19 pizzas that shop >produced, and ordered them delivered to the hospital for psychiatric >evaluation. B^) > >Jim Bell >jimbell at pacifier.com > > Never trust or wait for lawyers, Jim. Go directly to the psychiatric hospital. Go to the back door. Tell them you're only there to do research. --tallpaul From anonymous at nowhere Wed Apr 10 03:55:35 1996 From: anonymous at nowhere (Senator Exon) Date: Wed, 10 Apr 1996 18:55:35 +0800 Subject: No Subject Message-ID: <199604100152.DAA25396@spoof.bart.nl> Borrowing inspiration from May, a page from Scheier and some code from Gutman... Hard disk space being cheap now, Bob creates several distinct disk partitions and uses Peter Gutman's Secure File System, or equivalent, to encrypt all of them. First, Bob fills all of them with innocous data. Next, Bob writes one or more partition with secrets. Bob arranges that no one knows the pass phrases for some of the innocous partitions by luring the cat across the keyboard or having his six year old punch something in while he is out of the room. Bob carefully and publically documents the fact that he did this without indicating which partitions and how many partitions are actually useful. In addition to regularly using the secret partitions, Bob periodically updates the innocous partitions, who's pass phrases he does know, with more uninteresting but contemporary data. When ordered to do so, Bob could reveal the pass phrases to the innocuous data and to as much of the secret data as he felt necessary. Bob could not be forced to reveal all of the pass phrases as he does not know all of them. Naturally, the disk encryption routines would not store pass phrases but only a validating hash, that even Bob could not reproduce for all of the partitions. Practically, Bob cannot be forced to reveal the pass phrases to any alleged remaining secret data, since this might not exist. To further encourage this belief Bob might associate innocous data with a first pass phrase, mildly embarrasing data with a second, and so on, and then, after revealing the first, gradually allow himself to be be coaxed into revealing the second and disclose a third only after the rubber hoses came out. Since all of the partitions have similar content, no statistic should reveal which is which. Bob might have a bit refresher routine periodically nibble read and rewrite the whole disk so that no electronic characteristic exists that reveals record age. No doubt, a judge might whimsically keep Bob in jail for a while, trying to assure that he has revealed all of the pass phrases, but the judge can never be certain, even when Bob has disclosed everything. This situation creates doubt that Bob is in contempt, even when he is, and makes a prison term relatively pointless, unless for revenge. From declan+ at CMU.EDU Wed Apr 10 04:01:48 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 10 Apr 1996 19:01:48 +0800 Subject: CoS supoenas records of all anonymous remailers? (Unverified) In-Reply-To: <v02120d15ad90bdb89412@[206.15.66.107]> Message-ID: <4lOlC8i00YUvAxX4Ar@andrew.cmu.edu> [FWIW, Biased Journalism is a reasonably reputable source. --Declan] ---------- Forwarded message begins here ---------- Date: Tue, 9 Apr 1996 18:27:02 -0700 To: fight-censorship+ at andrew.cmu.edu, eric at remailer.net, farber at cis.upenn.edu (Dave Farber) From: jwarren at well.com (Jim Warren) Subject: (fwd fyi - NOT verified!!) very urgent news Seems like it's just a tad overbroad, if true. Another example of, "all the 'justice' that one can buy"? --jim >Date: Tue, 9 Apr 1996 15:44:52 -0700 (PDT) >From: shelley thomson <sthomson at netcom.com> >Subject: very urgent news >To: jwarren at well.com > >Hello, Jim Warren: > > The church of scientology plans to subpoena the records of every >anonymous remailer in the USA. > > I publish a news/black humor magazine on the net called **Biased >Journalism**. As a journalist I have covered the collision between the >church of scientology and the net. My last three issues have focused on >legal action by the church against Grady Ward and Keith Henson. > > Today I had a note from Grady Ward, whose deposition was finished >today. He said that they asked him a lot of questions about me, and >warned me that they may issue a subpoena for me and a demand for my >email. > > The church presumably intends to claim that I am not a real >journalist because I only publish on the net. I need to prepare a legal >defense, and needless to say, can't afford a lawyer. If you can direct >me to any resources, I would appreciate it very much. > > On the basis of events today, Ward believes the church will >issue subpoenas for the records of every anonymous remailer in the USA. > > If these records are delivered to the church, our First Amendment >rights go with them. > > Shelley Thomson > > publisher, **Biased Journalism** > 800-731-0717 voice message > From anon-remailer at utopia.hacktic.nl Wed Apr 10 04:04:15 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 10 Apr 1996 19:04:15 +0800 Subject: No matter where you go, there they are. Message-ID: <199604091750.TAA13469@utopia.hacktic.nl> Location-based System Delivers User Authentication Breakthrough By Dorothy E. Denning and Peter F. MacDoran Copyright(c), 1996 - Computer Security Institute - All Rights Reserved Top - Help Existing user authentication mechanisms are based on information the user knows (e.g., password or PIN), possession of a device (e.g, access token or crypto- card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception or brute force search. Devices can be stolen. Biometrics can be vulnerable to interception and replay. A new approach to authentication utilizes space geodetic methods to form a time- dependent location signature that is virtually impossible to forge. The signature is used to determine the location (latitude, longitude and height) of a user attempting to access a system, and to reject access if the site is not approved for that user. With location-based controls, a hacker in Russia would be unableto log into a funds transfer system in the United States while pretending to come from a bank in Argentina. Location-based authentication can be used to control access to sensitive systems, transactions or information. It would be a strong deterrent to many potential intruders, who now hide behind the anonymity afforded by their remote locations and fraudulent use of conventional authentication methods. If the fraudulent actors were required to reveal their location in order to gain access, their anonymity would be significantly eroded and their chances of getting caught would increase. Authentication through geodetic location has other benefits. It can be continuous, thereby protecting against channel hijacking. It can be transparent to the user. Unlike most other types of authentication information, a user's location can serve as a common authenticator for all systems the user accesses. These features make location-based authentication a good technique to use in conjunction with single log-on. Another benefit is there is no secret information to protect either at the host or user end. If a user's authentication device is stolen, use of the device will not compromise the system but only reveal the thief's location. A further benefit of geodetic-derived location signatures is that they provide a mechanism for implementing an electronic notary function. The notary could attach a location signature to a document as proof that the document existed at a particular location and instant in time. The use of geographic location can supplement or complement other methods of authentication, which are still useful when users at the same site have separate accounts and privileges. Its added value is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, telephone switching, air traffic control, and banking, this extra assurance could be extremely important in order to avoid a potential catastrophe with reverberations far beyond the individual system cracked. How it works International Series Research (Boulder, CO) has developed a technology for achieving location-based authentication. Called CyberLocator, the technology makes use of the microwave signals transmitted by the twenty-four satellite constellation of the Global Positioning System (GPS). Because the signals are everywhere unique and constantly changing with the orbital motion of the satellites, they can be used to create a location signature that is unique to a particular place and time. The signature, which is computed by a special GPS sensor connected to a small antenna, is formed from bandwidth compressed raw observations of all the GPS satellites in view. As currently implemented, the location signature changes every five milliseconds. However, there are options to create a new signature every few microseconds. When attempting to gain access to a host server, the remote client is challenged to supply its current location signature. The signature is then configured into packets and transferred to the host. The host, which is also equipped with a GPS sensor, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters to centimeters, if required). For two-way authentication, the reverse process would be performed. In the current implementation, location signatures are 20,000 bytes. For continuous authentication, an additional 20 bytes per second are transferred. Re- authorization can be performed every few seconds or longer. The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA) security policy. Further, because a signature is invalid after five milliseconds, the attacker cannot spoof the location by replaying an intercepted signature, particularly when it is bound to the message (e.g., through a checksum or digital signature). Continuous authentication provides further protection against such attacks. Conventional (code correlating and differential) GPS receivers are not suitable for location authentication because they compute latitude, longitude and height directly from the GPS signals. Thus, anyone can report an arbitrary set of coordinates and there is no way of knowing if the coordinates were actually calculated by a GPS receiver at that location. A hacker could intercept the coordinates transmitted by a legitimate user and then replay those coordinates in order to gain entry. Typical code correlating receivers, available to civilian users, are also limited to 100 meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy by employing differential GPS techniques at the host, which has access to its own GPS signals as well as those of the client. DGPS methods attenuate the satellite orbit errors and cancel SA dithering effects. Where it works Location-based authentication is ideal for protecting fixed sites. If a company operates separate facilities, it could be used to restrict access or sensitive transactions to clients located at those sites. For example, a small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each facility and connected by cable to a location signature sensor within the building. The sensor, which would be connected to the site's local area network, would authenticate the location of all users attempting to enter the protected network. Whenever a user ventured outside the network, the sensor would supply the site's location signature. Alternatively, rather than using a single sensor, each user could be given a separate device, programmed to provide a unique signature for that user. Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections. All that would be needed is a reasonably unobstructed view of the sky at the employee's home or remote office. Related application environments include home banking, remote medical diagnosis and remote process control. Although it is desirable for an antenna to be positioned with full view of the sky, this is not always necessary. If the location and environment are known in advance, then the antenna can be placed on a window with only a limited view of the sky. The environment would be taken into account when the signals are processed at the host. For remote authentication to succeed, the client and host must be within 2,000 to 3,000 kilometers of each other so that their GPS sensors pick up signals from some of the same satellites. By utilizing a few regionally deployed location signature sensors (LSS), this reach can be extended to a global basis. For example, suppose that a bank in Munich needs to conduct a transaction with a bank in New York and that a London-based LSS provides a bridge into Europe. Upon receiving the location signatures from London and Munich, the New York bank can verify the location of the Munich bank relative to the London LSS and the London LSS relative to its own location in New York. The technology is also applicable to mobile computing. In many situations, it would be possible to know the general vicinity where an employee is expected to be present and to use that information as a basis for authentication. Even if the location cannot be known in advance, the mere fact that remote users make their locations available will substantially enhance their authenticity. In his new book, The Road Ahead, Bill Gates predicts that wallet PCs, networked to the information highway, will have built-in GPS receivers as navigational assistants. With the CyberLocator technology, these PC receivers can also perform authentication while being a factor of ten less expensive than conventional code correlating receivers (most of the processing is executed in the host rather than the remote units), which only achieve 100 meter accuracy, and a factor of a hundred less expensive than conventional DGPS receivers. Location-based authentication is a powerful new tool that can provide a new dimension of network security never before possible. The CyberLocator technology is currently operational in a portable demonstration. Dorothy E. Denning is professor of computer science at Georgetown University (Washington, D.C.) and consultant to ISR. She can be reached at 202-687-5703 or denning at cs.georgetown.edu. Peter F. MacDoran is president and CEO of International Series Research, Inc. (Boulder, CO). He can be reached at 303-447- 0300 or pmacdorn at isrinc.com. $0$AD From alanh at mailhost.infi.net Wed Apr 10 04:07:45 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Wed, 10 Apr 1996 19:07:45 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychangers! In-Reply-To: <199604090336.AA03230@mail.crl.com> Message-ID: <Pine.SV4.3.91.960409213907.10780E-100000@larry.infi.net> > Date: Mon, 8 Apr 1996 22:43:55 -5 > From: Frank O. Trotter, III <fotiii at crl.com> > Aside from ecash, helping people to exchange currency is my day job > so I see this all the time, especially this month each year. There is a guy in Tennessee who publishes a newsletter called _The Moneychanger_. He is one of those Constitutionalists. He did put himself through hell to get acquited of an IRS charge - he is a dealer in gold and silver and claimed that he wasn't selling anything, only changing denominations of Money, with no profits. He won the federal case; the IRS called their buds at the Tenn Dept of Revenue and had him indicted on a failure-to-remit-sales-tax charge. He was convicted on that by the Jury but he is appealing; meanwhile he only deals with out-of-Tenn people. Which just goes to show that convictions/acquitals under a jury system have a lot of random-walk flavor. Further reference at the OJ Simpson newsgroups. From stevenw at best.com Wed Apr 10 04:34:22 1996 From: stevenw at best.com (Steven Weller) Date: Wed, 10 Apr 1996 19:34:22 +0800 Subject: RISKS: Compuserve "secure" login Message-ID: <v01540b01ad90cf8c8249@[206.86.1.35]> ------------------------------ Date: Thu, 04 Apr 1996 19:34:12 +0200 From: Heinz-Bernd Eggenstein <eggenste at noether.informatik.uni-dortmund.de> Subject: CompuServe's "secure login protocol": two steps forward, one back Summary: a new CompuServe Information Service (CIS) logon protocol was designed to prevent passive and active attacks (where the attacker impersonates a CompuServe node) but a flawed implementation in the WinCIM 2.0(.1) client software still allows active attacks. Version 2.0 of the "WinCIM" access software introduced a new logon protocol. Previous versions of the software had transmitted the user's UID AND his/her password in plaintext during logon. The risks are obvious, especially when connecting via the Internet to CompuServe (e.g. to save long distance telephone charges). The new, "secure logon protocol" is a challenge-response type protocol where the "challenge" is to compute a keyed hash-function, the key is derived from the shared secret, the user's password: 1) The client (WinCIM) generates a pseudorandom string of bits, its "nonce" (RB) 2) The client transmits the user's UID (e.g. 12345,6789) and the additional parameter "/secure:1" to request a secure login. 3) The host transmits its pseudo random nonce (RA) (The old protocol would instead prompt for the password) 4) client sends RB to the host 5) client computes UR:=MD5(S|Z|RA|RB|S) and sends it to the host (where S (128 bits) is a function of the password, "|" stands for concatenation, Z is a 128bits block of 0s and MD5 is the well known message digest function.) 6) The host performs the same calculation with it's copy of the user's password. If the results match, the host sends HR:=MD5(S|Z|RB|RA|S) (Note the symmetry in the calculation of HR and UR) 7) The client software verifies HR with it's copy of the password to make sure the host is really a CIS node (!) (See the script-files cserve.scr and seclog.scr in the subdirectory SCRIPTS of a WINCIM 2.0(.1) installation, WinCim is available via anon. ftp at ftp.compuserve.com). Weaknesses: a) The scriptfile cserve.scr (versions 3.8 & 3.8.1) has the following bug: even after requesting a secure logon, the client software will fall back into the old protocol when receiving a "Password" prompt (Client: "I want a secure logon" Host:"OK, but anyway, give me your password" Client "Well ok then, here it is ..."). It will send the password in plaintext! This makes the protection against active attacks (see step 7) obsolete. b) A timeout condition or even an invalid HR response form the host will (seclog.scr & cserve.scr version 3.8.1) restart the protocol (it won't disconnect!), using *the same* client-nonce RB again, instead of generating a new one. If a spoofing host can predict RB as in this situation, it can pick the same nonce, leading to HR=UR=MD5(S|Z|RB|RB|S), so the host can just send back UR as HR. Note that unlike a), b) does not compromise the user's password. There may be other ways to predict the client software's nonce e.g. *if* the PRNG used by WinCIM is predictable (this calls for further investigation). Note that *offline* dictionary attacks to guess the password are possible after a passive, eavesdropping attack (so you still have to pick a "good" password). It's debatable whether CIS's password recommendation (<word><non-alphanum. char.><word>, both words unrelated, e.g. apple at battery) is adequate in this context). I notified CIS about these weaknesses and I was informed that they are "fixed" now, no details were given about the fix (source: Britta Herbst, German customer support (11111.754 at compuserve.com)). Risks? The new protocol is obviously an improvement over the old, plaintext-password-only version. It's debatable whether protection against active attacks is at all necessary for access to an online service. However, CIS itself designed it's protocol to prevent spoofing attacks. Anyway, I think this a good example how to half-ruin a good protocol by embedding it into carelessly written code. Credits: Thanks to Gary Brown (70003.1215 at compuserve.com) for sending me information on the implementation of the new protocol). Heinz-Bernd Eggenstein [usual disclaimers] ------------------------------ ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From JonWienke at aol.com Wed Apr 10 04:37:29 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Wed, 10 Apr 1996 19:37:29 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <960409222650_372463464@emout04.mail.aol.com> In a message dated 96-04-08 21:04:26 EDT, Perry Metzger writes: >Jon asked why it is that I contend that a compression algorithm won't >in the general case even out the entropy of a semi-random stream. I am not talking about any "general case," I proposed compressing spinner data, which has sequences of repeating numbers interspersed with occasional quasi-random fluctuations. I am not saying that compression is a "magic wand" that will fix data streams with a lot of "fake" entropy, such as the RND() function available in many BASIC's, which I think most of us will agree blows chunks. >The answer can be obtained by simply trying to run gzip over an image, >preferably one that hasn't been compressed. The results are, in >general, very bad, even though images are highly compressable (even >losslessly). I leave the why up as an exercise to the reader. I have ZIPed the aforementioned spinner data with the built-in ZIP routines in the PC Tools for Windows file manager. Except for some very slight banding (which appears to be caused by the ZIP headers) the noise sphere plots look pretty good. All files are available upon request for independent verification. >I have said before and I will say again that the only reliable way of >dealing with a stream that has some amount of randomness mixed in with >it that you wish to distil down into pure random bits is to use solid >reasoning to figure out how many bits of entropy per unit of input you >can actually expect to see, add a large fudge factor to cover your >ass, and then distil down using a cryptographic hash. I have no disagreements with this. I merely proposed using the compression function as a means of roughly estimating entropy and preventing the seeding of the hash/PRNG with potentially "weak key" type data. >Anything else >makes me highly nervous. If you can't estimate the amount of entropy >in an input stream from first principles, then you are probably in >trouble and should seek an input stream that you have a better handle >on. Would anyone like to propose a means of measuring entropy that we can all agree on? I haven't seen anything yet that everyone likes. Jonathan Wienke From stend at grendel.texas.net Wed Apr 10 04:43:11 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Wed, 10 Apr 1996 19:43:11 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work In-Reply-To: <199604090654.XAA16860@dns2.noc.best.net> Message-ID: <199604100204.VAA30139@grendel.texas.net> >>>>> Mike McNally writes: MM> jamesd at echeque.com wrote: >> > If I don't shave over the > weekend will my computer know who I >> am Monday morning? >> >> Shaving probably will not be a problem, but holding your head at a >> slightly different angle, or having slightly different lighting, or >> combing your hair differently will screw up the system totally, >> unless the system has radically improved since the last time I read >> up on it. MM> There are supposedly some new techniques that look at the infrared MM> signature of your face (like, I guess, distribution & position of MM> hot & cold spots), and that's less likely to be fooled by facial MM> hair and other superficial disguises. It's probably a fairly MM> simple technology, and could be applied to the credit card ID MM> problem. So if I'm running a fever, or just been exercising, it wouldn't recognize me, right? Doesn't sound like that would be much better. -- #include <disclaimer.h> /* Sten Drescher */ ObCDABait: For she doted upon their paramours, whose flesh is as the flesh of asses, and whose issue is like the issue of horses. [Eze 23:20] Unsolicited email advertisements will be proofread for a US$100/page fee. From die at pig.die.com Wed Apr 10 05:23:11 1996 From: die at pig.die.com (Dave Emery) Date: Wed, 10 Apr 1996 20:23:11 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604091732.KAA29261@netcom9.netcom.com> Message-ID: <9604100239.AA12152@pig.die.com> > > At 12:13 AM 4/9/96 -0700, Steve Reid wrote: > >> Is it really that easy to break 40-bit? Don't you need access to a "fair > >> amount of cpu power" to brute force crack 40bit? > > > >I remember reading a recent paper at this URL: > > http://theory.lcs.mit.edu/~rivest/bsa-final-report.ascii > >They mentioned a Field Programmable Gate Array (FPGA), specifically a > >board-mounted AT&T Orca chip available for around $400. They said it could > >crack a 40-bit key in 5 hours (average). Sounds like anyone with root > >access on a major internet node could make a significant profit stealing > >credit card numbers. > > > >The FPGA sounds like a very interesting device, with quite a few > >legitimate uses... Has anyone out there seen one of these? > > I was hoping a hardware type would answer this question, and give > references to manufacture's spec sheets, but not having seen such an > answer, here is a software person's answer. > > As a hardware(and sometimes software) type who has used these sorts of parts in real designs several things need be said. First, the $400 cost is about what the physical chip and test board would cost, it does not include the cost of the software packages required to generate the programming information for the chip and simulate and verify the design. While this software can sometimes be pirated or "borrowed" from an employer or school or even the chip distributors, charges for a legitimate copy of the software for programming many kinds of FPGA's can run in the low to mid thousands and it it is usually dongle protected. And the more advanced software packages that take high level descriptions of the logic in languages such as VHDL and compile them into the special optimized forms required to get speed out of FPGAs with highly assymetric routing delays through their interconnect networks are considerably more expensive and may require RISC workstation hardware (most of them ran only on Suns or HP in the past) and unix rather than just a high end PC running Win 95. Costs of this sort of software package and workstation run as high as $50K per seat. And it is rather unlikely that one could make a high clock speed high performance hardware based key cracker work without traditional high speed logic debugging tools such as a fast logic analyzer (if we are talking 5-10 ns clock especially) and a 1 ghz or so digital scope. These kinds of gear, though sometimes available after hours to engineers working for more liberal companies or schools, cost many thousands of dollars and are not garden variety items available to any hacker. And finally, depending on the technology of the part being used, there may be a significant cost in the order of at least hundreds if not thousands of dollars for a specialized programmer capable of programming ("burning") the FPGA with the interconnect patterns generated by the software. These tend to either be specialized to one kind of part and maybe modestly cheap (hundreds of dollars) or universal and several thousands of dollars (such as DataIO gear). And at least in my experiance (I may be unusually stupid and careless and clumsy or may not be) even if the parts are a few times reprogrammable (as CMOS FPGAs often are these days) one can assume that one will fry, or break the pins off, or reprogram one time too many the FPGA or FPGA's before one gets the design working. This means that it would be realistic to assume several parts would be consumed by the prototyping effort, they may not be cheap and this adds up too. So whilst someone working with these parts as part of their job or schooling might well have access to all the required resources on an informal basis and be able to build a key cracker in evenings or weekends for little more than the cost of the chip and a PC board to hold it, it should be realistically noted that the actual cost of equiping a lab from scratch with the required resources is more on the order of tens to hundreds of thousands of dollars rather than $400. I must hasten to add that high density FPGAs have many many legitimate uses in prototyping logic and producing products in small volumes too small to justify the tooling costs of doing mask programmed gate arrays (which tend to be significantly faster and easier to design, but cost $5-100K NRE to set up custom masks for fabrication). The current generation of them make it possible to build logic systems in one small chip that a few years ago would have been large PC boards full of PALs and other logic. Actually designing a workable key cracker for say RC-4 would be a significant design challenge even with current parts, but probably not something that someone skilled in the art (and of course reasonably bright) couldn't handle. (At first blush I think in the case of RC-4 the pipelined key scheduling logic required would be the very hard thing to make efficient). And the availablity of simulation and timing analysis tools would make the process of creating such a deamon largely a software or logic programming exercise that could be mostly carried out over weeks or months of effort on a workstation or high performance PC, rather than something that requires the intensive resources of an extensive hardware lab for a long period. Unfortunately, like so many hacker projects these days, the cost of reproducing multiple copies of a cracker and the skill level required is very minimal compared to the real logic programming talent and architectural insight it would take to fit one into a FPGA or two. So once one is built, there can be hundreds or thousands of copies made and put to work in the underground by all sorts of evil people who wouldn't have a prayer of designing one from scratch, Dave Emery die at die.com From mpd at netcom.com Wed Apr 10 07:21:47 1996 From: mpd at netcom.com (Mike Duvos) Date: Wed, 10 Apr 1996 22:21:47 +0800 Subject: Job at C2.NET In-Reply-To: <199604091734.KAA01513@atropos.c2.org> Message-ID: <199604092335.QAA14762@netcom13.netcom.com> > JUNIOR SYSTEM ADMINISTRATOR / TECHNICAL SUPPORT My experience has been that few people flock to apply for jobs whose titles contain certain magic words like "junior" or "trainee." Such things can be embarrassing when explaining to professional friends exactly what one does for a living. Since titles cost nothing, compared to real perqs like an office with a window, expensive furniture, or sliding doors opening out into a lush tropical garden, it behooves employers to make them as impressive-sounding as possible. It's sort of the high-tech version of McDonalds' "Burger Flipper of the Month" plaque. Might I therefore suggest some alternatives... DEPUTY SYSTEM ADMINISTRATOR ASSISTANT DIRECTOR OF SYSTEM ADMINISTRATION SENIOR TECHNICAL CONSULTANT, UNIX SERVER DIVISION SENIOR VICE PRESIDENT FOR ONLINE SERVICES Nothing to do with crypto, of course, but it does help to give the junior dorks some self-esteem. :) -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From dsmith at midwest.net Wed Apr 10 07:23:17 1996 From: dsmith at midwest.net (David E. Smith) Date: Wed, 10 Apr 1996 22:23:17 +0800 Subject: WWW User authentication Message-ID: <199604092101.QAA23912@cdale1.midwest.net> > I just finished writing a cgi script to allow users to change their login > passwords via a webpage. I currently have the webpage being authenticated > with the basic option (uuencoded plaintext). MD5 would be nicer, but how > many browsers actually support it? A straight MD5 probably isn't supported by any of them, but then again MD5 is not necessarily going to help too much. The sort of people that need a web page to change their password aren't likely to use overly complex passwords (mixed-case, scrambled-in numbers, et al.) So if a snoop can get the MD5, her chances of getting a password aren't all that bad. > When the user changes their password, the form sends their name, old > password, and new password with it, in the clear. This is no worse than > changing your password across a telnet connection, but I'd like it to be > more secure, but useable by a large number of browsers. Your best bet is to try to implement it via SSL, but as I understand it that limits you on your server options quite a bit. Netscape and Apache have it, as I understand; I think that's about it actually. But that's far from my areas of expertise. dave From fotiii at crl.com Wed Apr 10 07:32:09 1996 From: fotiii at crl.com (Frank O. Trotter, III) Date: Wed, 10 Apr 1996 22:32:09 +0800 Subject: Bulletin: Cypherpunks say no taxes owed by moneychanger Message-ID: <199604100422.AA21534@mail.crl.com> I know Frankin and will see him next week. His argument, which I have around here somewhere if I could get my paper life organized, realtes to gold and silver in certain situations. If I find it I will reference it, otherwise I'll ask if he will post to this group. FOT > Date: Tue, 9 Apr 1996 21:48:17 -0400 (EDT) > From: Alan Horowitz <alanh at mailhost.infi.net> > To: "Frank O. Trotter, III" <fotiii at crl.com> > Cc: cypherpunks at toad.com > Subject: Re: Bulletin: Cypherpunks say no taxes owed by moneychangers! > > Date: Mon, 8 Apr 1996 22:43:55 -5 > > From: Frank O. Trotter, III <fotiii at crl.com> > > Aside from ecash, helping people to exchange currency is my day job > > so I see this all the time, especially this month each year. > > There is a guy in Tennessee who publishes a newsletter called _The > Moneychanger_. He is one of those Constitutionalists. He did put himself > through hell to get acquited of an IRS charge - he is a dealer in gold > and silver and claimed that he wasn't selling anything, only changing > denominations of Money, with no profits. He won the federal case; the IRS > called their buds at the Tenn Dept of Revenue and had him indicted on a > failure-to-remit-sales-tax charge. He was convicted on that by the Jury > but he is appealing; meanwhile he only deals with out-of-Tenn people. > > Which just goes to show that convictions/acquitals under a jury system > have a lot of random-walk flavor. Further reference at the OJ Simpson > newsgroups. > > Frank O. Trotter, III - fotiii at crl.com www.marktwain.com - Fax: +1 314 569-4906 -------------------------------------------- From ahilsenb at cln.etc.bc.ca Wed Apr 10 08:05:21 1996 From: ahilsenb at cln.etc.bc.ca (Alex Hilsenbeck) Date: Wed, 10 Apr 1996 23:05:21 +0800 Subject: They're running scared. In-Reply-To: <Pine.HPP.3.91.960409185501.7014B-100000@cor.sos.sll.se> Message-ID: <Pine.3.89.9604092240.B7784-0100000@cln> On Tue, 9 Apr 1996, Asgaard wrote: > On Mon, 8 Apr 1996, Michael C. Peponis wrote: > > > Personally, I love national insecurity such as terrorist attacks and > > random bombings, wish there were more of them by more people. > > A big problem with random bombings is that one self can become part > of the random targets. > > Asgaard > >>A bigger problem may be the fact that those doing the bombing are very often uneducated in their method. Either they are disappointed as their bombs die, or type with two fingers on one hand for the remainder of their frustrated lives Wildcat From pfarrell at netcom.com Wed Apr 10 09:11:26 1996 From: pfarrell at netcom.com (Pat Farrell) Date: Thu, 11 Apr 1996 00:11:26 +0800 Subject: DC-area cypherpunks physical meeting with Saturday Message-ID: <199604091907.MAA17825@netcom3.netcom.com> As advertised, the next DCCP meeting will be this weekend, April 13, at 3:00 at Digex. see http://www.isse.gmu.edu/~pfarrell/dccp/ for a tiny bit more info. As usual, topics and speakers welcome. Pat Pat Farrell grad student http://www.isse.gmu.edu/students/pfarrell Infor. Systems and Software Engineering, George Mason University, Fairfax, VA PGP key available via finger or request #include standard.disclaimer From frissell at panix.com Wed Apr 10 09:21:34 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Apr 1996 00:21:34 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <2.2.32.19960409175739.00764464@panix.com> At 08:09 AM 4/9/96 -0500, Mike McNally wrote: >I sent a letter to the Economist last year pointing this out after reading >an article containing the offhand statement, "... and of course it is >entirely feasible to control Internet content" (or something like that). >I don't have those magic two letters at the front of my name though. It >seems so utterly obvious. When you connect to an ISP via PPP or SLIP, >all the ISP is doing is routing packets. Or as I said in my letter to the Economist on their article "Censoring Cyberspace:" ******************* You suggest that Internet Service Providers might be required to employ "stop lists" supplied by their national censors to block objectionable material. The current focus is on banning smut. But no doubt many nations will want to ban various political and religious views as well. Surely, you know that anyone with a direct (TCP/IP) connection to the Internet (all Windows95 owners, for example) is not dependent on service providers for anything beyond a physical connection. Everyone who has such a local dial-in account is able to link to any site in the world at no additional cost. No long distance phone calls are necessary. ********************* A lot of people who know nothing of the nets think that they can be controlled "like magzines and newspapers" in the words of a Bell Atlantic exec. Like the Bavarian prosector, they will learn. DCF From frantz at netcom.com Wed Apr 10 09:31:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 11 Apr 1996 00:31:32 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199604100206.TAA19148@netcom9.netcom.com> At 3:21 PM 4/9/96 -0800, jim bell wrote: >And the rest of us are tired of seeing those non-responses! I wish to state that Jim Bell does not speak for me. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From perry at piermont.com Wed Apr 10 10:03:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 11 Apr 1996 01:03:21 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <199604091714.KAA27317@netcom9.netcom.com> Message-ID: <199604091838.OAA02349@jekyll.piermont.com> Bill Frantz writes: > One of the migration paths suggested for IPV4 to IPV6 migration is to > tunnel IPV4 packets within IPV6 packets. IPV4 packets do not provide for > an adult/minor tag, so until the transition to IPV6 is fairly well along, > this approach will be ineffective. Neither, for that matter, do IPv6 packets -- there is no provision for them. Furthermore, were anyone to create an end to end header of that sort, it would be eight bytes of wasted space in every packet in the net, especially since the implementation of such a tag is a technical impossibility as there is no way to force the originating system to tell the truth. The internet and the culture are coming into conflict in a big way, and I don't believe that both of them can survive. Perry From jimbell at pacifier.com Wed Apr 10 10:06:50 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 11 Apr 1996 01:06:50 +0800 Subject: Watch your language, Shabbir. Message-ID: <m0u6qZK-0008y1C@pacifier.com> When the Leahy bill was proposed, BTW was one of the organizations that came out in favor of it. Despite later substantial criticism and direct contacts, Mr. Safdar never defended his original position on this bill against these objections. I just saw something which may explain a bit about VTW's positions: VTW BillWatch #41 VTW BillWatch: A weekly newsletter tracking US Federal legislation affecting civil liberties. BillWatch is published at the end of every week as long as Congress is in session. (Congress is in session) BillWatch is produced and published by the Voters Telecommunications Watch (vtw at vtw.org) (We're not the EFF :-) Issue #41, Date: Wed Apr 3 12:41:46 EST 1996 Do not remove this banner. See distribution instructions at the end. ___________________________________________________________________________ TABLE OF CONTENTS Introduction from the Editor (Steven Cherry) A tragic story about a wiretap (Shabbir J. Safdar) [stuff deleted] A TRAGIC STORY ABOUT A WIRETAP by Shabbir J. Safdar, VTW Board (New York, NY) This week most of VTW's staff attended the Computers, Freedom, and Privacy conference in Cambridge Massachusetts. I go to the conference every year to recharge my batteries, put names to faces, and enjoy the synergy that can only come with face-to-face dialogue. [stuff deleted] One, while wiretaps have probably been effective in other cases, they were not effective in this one. While we can grant law enforcement the benefit of the doubt in other cases, the existence of this one shows that a wiretap is not the "silver bullet" of law enforcement that we have been led to believe. Another observation that can be made is that this parallels the key escrow debate very closely. No reasonable person is objecting to the FBI's right to conduct a wiretap. However what is being debated is the extent to which individuals and law enforcement can go to accomplish their duties. The Clinton Administration is striving for a world where everyone is forced to speak in a form of encryption that is easily decoded by law enforcement. The public and industry is striving for a world where they continue to have private conversations. [end of quote] Look, very carefully, at the last paragraph quoted above. Mr. Safdar says, "No reasonable person is objecting to the FBI's right to conduct a wiretap." Huh? "FBI's right"???? Maybe this is a bit too basic for comprehension, but governments have no "rights" by any definition I've ever heard. "Rights" are the possessions of individuals, and occasionally individuals authorize governments to do things. But that does not mean that those governments possess a "right," especially not one on such a flimsy and transitory principles as wiretaps. Government certainly does not possess a "right" that supercedes the wishes of the public, or the Constitution. Safdar's note appears to pre-date my commentary where I pointed out that before 1968, wiretaps in America were illegal, but were done anyway simply because the cops wanted to. That doesn't sound like a "right," now, does it? If it were a "right" then it couldn't be given by law, or taken away by law. But nobody I've ever met claims that the cops aren't at least legally obligated to follow the law, whether or not they actually do. I don't like sloppy rhetoric. Even worse, claiming that "no reasonable person" would object to a non-existent "right" is truly outrageous. I know _plenty_ of people who would claim that the government, and by extension the FBI, possesses no "right" to do wiretaps (this position would be echoed by essentially every libertarian). I know many people who think that the government shouldn't be able to do wiretaps at all. VTW's header above claims "We're not the EFF," but it's hard to tell this from Mr. Safdar's propaganda. Now I understand why he didn't defend his position on the Leahy bill against criticism. VTW is sounding more and more like "EFF" all the time. Jim Bell jimbell at pacifier.com From declan+ at CMU.EDU Wed Apr 10 10:06:59 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 11 Apr 1996 01:06:59 +0800 Subject: CDA Court Challenge: Update #5 Message-ID: <slOnt1W00YUv9D5F8c@andrew.cmu.edu> ----------------------------------------------------------------------------- The CDA Challenge, Update #5 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this update: Yet Another CDA Lawsuit: Fred Cherry v. Janet Reno Deception and deceit from DoJ's Jason Baron URLs for the DoJ's dirty picture list The true identity of Grey Flannel Suit April 9, 1996 PITTSBURGH, PA -- Fred Cherry wants a Federal court to uphold his right to flame. Lambasting "homonazis" on USENET is his inalienable right under the First Amendment, argues the notorious netizen in his anti-CDA lawsuit filed yesterday in New York City on behalf of "Johns and Call Girls United Against Repression, Inc." Cherry's beef with the law is that under its ban on "indecency," when he gets flamed by "Australian homosexual nazis" he won't be able to flame back. His complaint charges that his "Australian opponent will have MORE freedom of speech" than he does -- unless the CDA is struck down. The self-taught amateur lawyer attached 20 pages of net.flamage as his sole exhibit. One example that was spammed all the way from soc.men to alt.christnet.second-coming.real-soon-now: "Your ass is so blocked up that you do need some therapeutic relief for your constipation -- a condition which has backlogged all the shit right back up into your head, Fred." The indefatigable Cherry replied: So, ramming a huge dick up my ass would be a therapeutic measure, would it? You homos are the chief cause of AIDS in the United States with your huge dicks being rammed up each other's asses. And then you homos go around whining that the government isn't doing enough to find a cure for AIDS. [12/22/95] Ya gotta love this guy. He sent me mail describing his legal strategy, concluding: "Can anyone deny that I am indeed the greatest amateur lawyer since Caryl Chessman?" Of course Chessman -- California's "Red Light Bandit" rapist -- was executed in 1960, his jailhouse lawyering failing him in the end. Cherry's lawsuit was easy to prepare. He grabbed the ACLU's complaint from their web site, printed it out, added a few grafs about his net.nazi adversaries, and trotted off to Federal court. When Cherry filed his suit, which he's moved from Brooklyn to Federal court in Manhattan, he wrote: I am primarily a political activist, working for the repeal of laws criminalizing adult prostitution and the patronizing of adult prostitutes. Over the past thirty years I have found that, in the United States, homosexuals are the worst enemies of the civil rights of women prostitutes and their male clients. The Cherry v. Reno case, refiled at docket number 96 Civ. 2498, most likely will be consolidated with the American Reporter case, which is also moving forward in the U.S. Second Circuit Court of Appeals. A.R. editor Joe Shea will probably fight it. Shea refused to join our lawsuit because he can't stand the ACLU and wants to do his own thing, so he'll probably try to keep Cherry's case from being joined with his. In fact, he accused the ACLU of putting Cherry up to it. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ I would never have suspected the DoJ attorneys of trying to deceive Federal judges, but now I wonder. The DoJer I've had the most contact with is Jason Baron, a short, portly guy who tries to land roundhouse punches during cross-examination but instead keeps slipping up on technical terms. He also wrote the Justice Department's reply to our initial complaint. In that brief, the Civil Division lawyer uncritically cited Marty Rimm's cyberporn study -- featured last summer on the cover of TIME magazine -- as an authoritative reference on net.smut: This article describes material located primarily on USENET newsgroups, i. at 1865-76, and on adult commercial bulletin boards (BBS), i. at 1876-1905. Defendants offer this as an initial reference of the availability and nature of obscene and indecent material from some on-line sources, such as USENET and BBS. [sic] Maybe Baron thought nobody would notice. But there's no excuse for not knowing that the study was deliberately fraudulent: The New York Times printed an editorial exposing it; Rimm's connections with "family values" groups have come to light; Donna Hoffman and I run extensive web sites debunking the study; Carnegie Mellon University claims to be investigating the ethical misdeeds of their former undergraduate. Even attorneys who used to work within Baron's division of the Justice Department complain that Baron deliberately foisted this fraud off on Federal judges: I'm embarrassed... They should have mentioned that the "study" came under heavy critical fire almost immediately upon release. I trust the opposition will make hay of this omission. In this context, this "study" is not just another controversial report, but one whose provenance is well known to be in doubt among the relevant actors. That much should have been ackowledged in the quoted footnote, at least along the lines of, "While the methodology of this study has been challenged, defendants believe it to represent..." etc. [4/7/96] By citing this study and appending its complete text without informing the court that it was a hoax, Baron revealed the impoverished ethics of the Justice Department. Interestingly, the Code of Professional Responsibility and the Rules of Professional Conduct make it a disciplinable offense for a lawyer to "knowingly use perjured testimony or false evidence." Under Title 11, attorneys can be sanctioned for introducing false evidence. Perhaps we shouldn't be too surprised by all this. After all, Baron is the same attorney who confuses EFF with IETF -- not to mention his additional duties as the DoJ's courtroom-cop. Recall that when I was asking the mysterious Grey Flannel Suit a question, Baron came over and interrupted us. Now I've learned that he's threatening to report me to "higher authorities" if I talk to his witnesses again. (!) Yeah, Grey Flannel Suit is going to take the stand. He's none other than the DoJ's cybersexpert witness -- Special Agent Howard A. Schmidt from the Air Force Office of Special Investigations. Guess that explains why Baron was so desperate to keep me from talking with him the other day. Baron's authoritarian streak showed again during the March 21 hearing, when I joined some members of the press in paging through the ACLU's copy of the DoJ's dirty pictures binder. Baron charged over and snatched it away, snarling: "Not available to the public." Well, the URLs ended up in my mailbox anyway, so here they are for your amusement: http://www.pu55y.com/hotsex/join.html http://shack.bianca.com/shack/misc/terms.html http://www.intergate.net/untmi/obbs1.html http://www.whitman.edu/~burkotwt/pornpics/lady941.jpg http://www.wizard.com/~gl944vx/gifs/01_21.jpg http://www.vegaslive.com/sgguests/ginger.html news:4hrs89k%24oap at what.why.net http://monkey.hooked.net/monkey/m/grinder/nikkita/graphics/nikki36.jpg news:313F56FD.3F19 at access.mountain.net news:4hb94m%24sij at asp.erinet.com http://www.sexvision.com/web2.htm news:314048f.1657746 at news.netwalk.com The DoJ has full-color printouts of these images, which are sexually explicit but *not* obscene -- Baron wanted to remind the court that placing these JPEGs online publicly would not be a criminal act without the CDA. For someone who's defending a ban on smutty stuff on the Net, Baron is surprisingly embarrassed to talk about it. Vanderbilt Professor Donna Hoffman reports: [Baron] deposed me for over 7 hours, beginning on a Monday morning at 9am. The most interesting part of the deposition was when he brought out several large binders and started going through some of the material in them and looking increasingly uncomfortable. Eventually, he spoke and started to apologize saying he might have to show me some materials and his New England background made him feel uncomfortable about it. He honestly was squirming and sweating a bit and then, after a brief lunch, we resumed and he did eventually show me some materials, but they were not surprising or of the type that I would have thought would make him squirm like that. I did wonder if it was some sort of "act," but he seemed genuinely embarassed. In hindsight, I wonder if it was because I am a woman and that was really the part that made the idea of showing me sexually explicit materials uncomfortable for him. I guess that Baron is a true "gentleman" who believes that certain topics like dirty pictures are unmentionable in mixed company. Avoiding embarrassment is just another reason to censor the stuff! On April 12, Grey Flannel Suit (aka Special Agent Schmidt) will take the stand and snarf around the net for dirty pix. He'll be followed by our last witness, MIT's Albert Vezza, and then BYU/CMU's Dan Olsen. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on 4/12, possibly 4/15, 4/26 for rebuttal, and 6/3 for closing arguments. Mentioned in this CDA update: DoJ's brief citing Marty Rimm's cyberporn study: <http://www.law.miami.edu/~froomkin/seminar/ACLU-Reno-TRO-Justice-brief.htm> Text of complaint from Fred Cherry v. Janet Reno: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2108> Flamewar attached as exhibit to Fred Cherry v. Janet Reno: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2109> Fred Cherry's reasons why he filed his lawsuit: <http://fight-censorship.dementia.org/fight-censorship/dl?num=1911> Relevant excerpt from Fred Cherry's original complaint: <http://fight-censorship.dementia.org/fight-censorship/dl?num=1891> Rimm ethics critique <http://www.cs.cmu.edu/~declan/rimm/> Censorship at CMU <http://joc.mit.edu/> The American Reporter <http://www.newshare.com/Reporter/today.html> Grey Flannel Suit <howardas at aol.com> Previous cases DoJer Jason Baron worked on: <http://www.eff.org/pub/Legal/Cases/Armstrong_v_President/> <http://snyside.sunnyside.com/cpsr/government_info/info_access/PROFS_CASE/> Joe Shea's complaints about ACLU wanting to "stand alone in the limelight": <http://fight-censorship.dementia.org/fight-censorship/dl?num=2014> <http://fight-censorship.dementia.org/fight-censorship/dl?num=2036> <http://fight-censorship.dementia.org/fight-censorship/dl?num=2037> This report and previous CDA Updates are available at: <http://www.epic.org/free_speech/censorship/lawsuit/> <http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/> <http://fight-censorship.dementia.org/top/> To subscribe to the fight-censorship mailing list for future CDA updates and related net.censorship discussions, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: <http://www.eff.org/> <http://www.aclu.org/> <http://www.cdt.org/> ----------------------------------------------------------------------------- From frantz at netcom.com Wed Apr 10 10:08:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 11 Apr 1996 01:08:32 +0800 Subject: Tense visions of future imperfect Message-ID: <199604091857.LAA06933@netcom9.netcom.com> > Financial Times, April 9, 1996, p. 13. > > > Tense visions of future imperfect > > Victoria Griffith eavesdrops on writers at a conference > about privacy and the Net > >... > > Martha's Vineyard-based author Simson Garfinkel, for > instance, came up with a few terrifying scenarios about Net > crime for a discussion group with David Chaum, the founder > of the electronic money group DigiCash. In one, a thief > went on an electronic spending spree with stolen digital > cash. In another, an elderly woman was electronically > robbed of her life savings. In the third, the stability of > the US economy was at stake. > > Garfinkel described it like this: "My name is Agent > Jenkins. I'm an investigator with the secret service, > working on a counterfeiting case. And it's tough. Last > year, my office got a priority call from an economist at > Stanford. The economist was looking at something called the > money supply and velocity and both were increasing a little > too fast. They just didn't add up. The economist finally > figured an organisation was printing its own electronic > money -- just like the US government does. > > "This counterfeit currency looked just like the real thing, > except it was a fraud. She even found some of it -- a > digital dollar that was signed and sealed by the US > government's secret key, yet had a serial number that had > never been issued. The money that was being made was on the > Net. It was everywhere and nowhere. And it was encrypted, > so that we wouldn't even know it if we found it. Last > month, we estimate, the total fraud was up to $900,000 a > month, and it is increasing still." I don't see how this third scam would work in a system such as DigiCash which uses online clearing. Unissued serial numbers would be refused when presented for clearing. One scenario which would work (and could be used for scams 1 and 2) is either stealing digital cash, or counterfeiting issued, but unredeemed serial numbers. In either case, if you spend it before the rightful owner does, that rightful owner gets, as a minimum, a lot of hassle, and might lose the cash. If this kind of scam, particularly the counterfeiting scam, occurs too often, public trust in the cash will disappear, and people will refuse to buy it. Note that people trying to maintain anonymity are particularly vulnerable since they have to hold cash for a period of time to defeat traffic analysis attacks. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stevenw at best.com Wed Apr 10 10:08:37 1996 From: stevenw at best.com (Steven Weller) Date: Thu, 11 Apr 1996 01:08:37 +0800 Subject: RISKS: Social Security (sic) Administration fraud Message-ID: <v01540b00ad90ceb34f24@[206.86.1.35]> ---------------------------------------------------------------------- Date: Sun, 7 Apr 1996 22:12:30 -0500 (CDT) From: Sean Reifschneider <jafo at tummy.com> Subject: The weakest link: Social (In)security Administration The URL "http://www.nando.net/newsroom/ntn/info/040696/info5_14984.html" reports "one of the biggest breaches of security of personal data held by the federal government". Apparently several employees of the Social Security Administration sold information including SSNs and mother's maiden names of more than 11,000 people to a credit-card fraud ring. The fraud ring was able to use this information to activate cards which were stolen from the mail. Citibank had implemented a scheme which required customers to "activate" their credit cards when they receive them by calling a phone number and providing personal information like their mothers maiden name. It seems that while systems are being designed to protect our property, it's just causing the crime to move closer to the person. If someone steals your credit card from the mail or your car from the parking lot, you're probably at a safe distance. Instead, they are forced to carjack your car at a stoplight because of your alarm system, or find out personal information about you. Similarly, I heard about home breakins on alarmed houses in which the burglar would regularly trigger the alarm and be careful to leave no traces. Once the police stopped coming (because the alarm was faulty), they were free to break in and swipe whatever they like. No matter how secure the system, the weakest link can be the clerk who's paid $12K/year to work on the system. It doesn't take much money to convince this person to hand out our personal information. This sort of thing kind of makes the hassle I went through in keeping my SSN from my insurance company. If you've never tried it, for me it was a huge hassle... Apparently, all of my claims needed to be handled by hand by one of the supervisors. Of course, if everyone did it, their $4/hour clerks could take care of it. Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com> URL: <http://www.tummy.com/xvscan> HP-UX/Linux/FreeBSD X11 scanning software. [Also noted by Monty Solomon <monty at roscom.COM> quoting from Edupage, and WOODWARD at BINAH.CC.BRANDEIS.EDU (Beverly Woodward), who cited the article in "U.S. Workers Stole Data on 11,000, Agency Says" in *The New York Times*, 06 Apr 1996, p. 6, from which most other reports seem to have been drawn. PGN] ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From etu2 at cegep-sept-iles.qc.ca Wed Apr 10 10:41:30 1996 From: etu2 at cegep-sept-iles.qc.ca (etu2 at cegep-sept-iles.qc.ca) Date: Thu, 11 Apr 1996 01:41:30 +0800 Subject: NSA Budget - NOT! Message-ID: <199604100731.DAA12937@mail.quebectel.com> cool|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!At 10:04 09/04/1996 -0700, Anton Rager wrote: >Wouldn't it be great if it were true!!!!!!! -- sorry folks -- doesn't seem to >exist > >1. - No domain of dod.gov -- there is info for nsa.gov...just not dod.gov >2. - No valid URL of http://nsa.dod.gov/~reports/quarterly.txt -- no page >returned > > >This must be a joke....I was gullible enough to try anyway. > > >____________ Original Message Follows _____________________________________ > > > Yes, there are annual and quarterly reports released to the > public which describe in meticulous detail expenditures for > the agency's program, personnel and equipment: > > 1. The program of services and information supplied to > government and other intelligence organizations, US and > foreign, with terms of each client contract. > > 2. US employees, their organization, skills, duties and > longevity of service; their names, ranks, identification > codes, secure communication methods and home addresses; > the location of workplaces; the continued training each > is scheduled to receive; leaves of absence and > destinations while absent. > > 3. Foreign nationals covertly employed worldwide, with > information on each as per 2. > > 4. A comprehensive listing of all types of world-wide > equipment operated; its detailed design, function and > output; where it is located; its designers, > manufacturers and purchase cost; its schedule of > amortization; and its schedule for replacement and/or > upgrade, with fifteen-year projected procurement. > > 5. Special short- and long-term contracts with governmental > and non-governmental organizations, US and foreign for > one-time projects, by goal, personnel and equipment. > > 6. Special projects with other US and foreign counter- > intelligence to issue disinformation about the agency. > > 7. Special section on world-wide US and foreign cryptology: > cryptanalysis, cryptography, steganography, codes, > cyphers, glyphs, mimes; each ranked for security and > ease of cracking; governmental and non-governmental > parties using each; names of cooperative and resistant > cryptographers and cooperating pseudo-cryptographers. > > 8. Sub-section on methods of Internet traffic and language > analysis; operation and surveillance of anonymous > remailers, bulletin boards and mail lists; lists of > cooperative and resistant educational institutions and > commercial organizations. > > 9. Appendices on: black operations; transparent operations; > methods for managing cooperative and resistant > governmental and non-governmental persons. > > The public is invited to study and/or download these > reports anonymously at: > > http://nsa.dod.gov/~reports/quarterly.txt > > > > > > A la prochaine, Gilles From stewarts at ix.netcom.com Wed Apr 10 11:07:11 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 11 Apr 1996 02:07:11 +0800 Subject: questions about bits and bytes Message-ID: <199604100704.AAA21788@toad.com> At 09:33 PM 4/8/96 -0400, Jack Mott wrote: >This may be a bit of a no brainer, but everything I have read sorta >skips over this point. a bit is 1 or 0. 8 bits make up a byte (0-255). Be careful writing code - sometimes a byte is -128 to 127 instead of 0 to 255. Also, there are machines (mostly old kinky ones) that use bytes of sizes other than 8 bits. >If I have a 5 byte key, does that make it a 40 bit key? Not always; bytes may have extra baggage with them such as start&stop bits (when you're transmitting async), or parity bits. DES uses 56 bit keys, but they're really 8 bytes with the high bit of each byte ignored. But, yeah, 5 bytes is normally 40 bits. >The only reason this doesn't make sense to me is it seems useless to use 5 byte >keys, yet that is what companies export since the government limits keys >to 40 bits. What's bothering you about it? The fact that it's not a multiple of 4? (No problem, think of it as a character string.) The fact that it's way too short to protect any real information, and you've always been taught to use passwords longer than that, even for computer accounts without real money in them? Well, yeah, it is - so what? A 40-bit key would take few days to crack with general-purpose 486 or Pentium PCs, though a gate-array would make it easy to use the right kinds of logic operations to crack it much faster. Are you puzzled that the government doesn't care about your ability to protect your money or your information? Think if it from their perspective - if special equipment makes it cost 8 cents to crack a key, they'd probably have to only crack semi-interesting-looking messages, as opposed to hoovering down anything they could find, and wouldn't that be a shame for National Security.... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From anon-remailer at utopia.hacktic.nl Wed Apr 10 11:21:03 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 11 Apr 1996 02:21:03 +0800 Subject: No matter where you go, there they are. Message-ID: <199604091755.TAA13648@utopia.hacktic.nl> Location-based System Delivers User Authentication Breakthrough By Dorothy E. Denning and Peter F. MacDoran Copyright(c), 1996 - Computer Security Institute - All Rights Reserved Top - Help Existing user authentication mechanisms are based on information the user knows (e.g., password or PIN), possession of a device (e.g, access token or crypto- card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception or brute force search. Devices can be stolen. Biometrics can be vulnerable to interception and replay. A new approach to authentication utilizes space geodetic methods to form a time- dependent location signature that is virtually impossible to forge. The signature is used to determine the location (latitude, longitude and height) of a user attempting to access a system, and to reject access if the site is not approved for that user. With location-based controls, a hacker in Russia would be unableto log into a funds transfer system in the United States while pretending to come from a bank in Argentina. Location-based authentication can be used to control access to sensitive systems, transactions or information. It would be a strong deterrent to many potential intruders, who now hide behind the anonymity afforded by their remote locations and fraudulent use of conventional authentication methods. If the fraudulent actors were required to reveal their location in order to gain access, their anonymity would be significantly eroded and their chances of getting caught would increase. Authentication through geodetic location has other benefits. It can be continuous, thereby protecting against channel hijacking. It can be transparent to the user. Unlike most other types of authentication information, a user's location can serve as a common authenticator for all systems the user accesses. These features make location-based authentication a good technique to use in conjunction with single log-on. Another benefit is there is no secret information to protect either at the host or user end. If a user's authentication device is stolen, use of the device will not compromise the system but only reveal the thief's location. A further benefit of geodetic-derived location signatures is that they provide a mechanism for implementing an electronic notary function. The notary could attach a location signature to a document as proof that the document existed at a particular location and instant in time. The use of geographic location can supplement or complement other methods of authentication, which are still useful when users at the same site have separate accounts and privileges. Its added value is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, telephone switching, air traffic control, and banking, this extra assurance could be extremely important in order to avoid a potential catastrophe with reverberations far beyond the individual system cracked. How it works International Series Research (Boulder, CO) has developed a technology for achieving location-based authentication. Called CyberLocator, the technology makes use of the microwave signals transmitted by the twenty-four satellite constellation of the Global Positioning System (GPS). Because the signals are everywhere unique and constantly changing with the orbital motion of the satellites, they can be used to create a location signature that is unique to a particular place and time. The signature, which is computed by a special GPS sensor connected to a small antenna, is formed from bandwidth compressed raw observations of all the GPS satellites in view. As currently implemented, the location signature changes every five milliseconds. However, there are options to create a new signature every few microseconds. When attempting to gain access to a host server, the remote client is challenged to supply its current location signature. The signature is then configured into packets and transferred to the host. The host, which is also equipped with a GPS sensor, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters to centimeters, if required). For two-way authentication, the reverse process would be performed. In the current implementation, location signatures are 20,000 bytes. For continuous authentication, an additional 20 bytes per second are transferred. Re- authorization can be performed every few seconds or longer. The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA) security policy. Further, because a signature is invalid after five milliseconds, the attacker cannot spoof the location by replaying an intercepted signature, particularly when it is bound to the message (e.g., through a checksum or digital signature). Continuous authentication provides further protection against such attacks. Conventional (code correlating and differential) GPS receivers are not suitable for location authentication because they compute latitude, longitude and height directly from the GPS signals. Thus, anyone can report an arbitrary set of coordinates and there is no way of knowing if the coordinates were actually calculated by a GPS receiver at that location. A hacker could intercept the coordinates transmitted by a legitimate user and then replay those coordinates in order to gain entry. Typical code correlating receivers, available to civilian users, are also limited to 100 meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy by employing differential GPS techniques at the host, which has access to its own GPS signals as well as those of the client. DGPS methods attenuate the satellite orbit errors and cancel SA dithering effects. Where it works Location-based authentication is ideal for protecting fixed sites. If a company operates separate facilities, it could be used to restrict access or sensitive transactions to clients located at those sites. For example, a small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each facility and connected by cable to a location signature sensor within the building. The sensor, which would be connected to the site's local area network, would authenticate the location of all users attempting to enter the protected network. Whenever a user ventured outside the network, the sensor would supply the site's location signature. Alternatively, rather than using a single sensor, each user could be given a separate device, programmed to provide a unique signature for that user. Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections. All that would be needed is a reasonably unobstructed view of the sky at the employee's home or remote office. Related application environments include home banking, remote medical diagnosis and remote process control. Although it is desirable for an antenna to be positioned with full view of the sky, this is not always necessary. If the location and environment are known in advance, then the antenna can be placed on a window with only a limited view of the sky. The environment would be taken into account when the signals are processed at the host. For remote authentication to succeed, the client and host must be within 2,000 to 3,000 kilometers of each other so that their GPS sensors pick up signals from some of the same satellites. By utilizing a few regionally deployed location signature sensors (LSS), this reach can be extended to a global basis. For example, suppose that a bank in Munich needs to conduct a transaction with a bank in New York and that a London-based LSS provides a bridge into Europe. Upon receiving the location signatures from London and Munich, the New York bank can verify the location of the Munich bank relative to the London LSS and the London LSS relative to its own location in New York. The technology is also applicable to mobile computing. In many situations, it would be possible to know the general vicinity where an employee is expected to be present and to use that information as a basis for authentication. Even if the location cannot be known in advance, the mere fact that remote users make their locations available will substantially enhance their authenticity. In his new book, The Road Ahead, Bill Gates predicts that wallet PCs, networked to the information highway, will have built-in GPS receivers as navigational assistants. With the CyberLocator technology, these PC receivers can also perform authentication while being a factor of ten less expensive than conventional code correlating receivers (most of the processing is executed in the host rather than the remote units), which only achieve 100 meter accuracy, and a factor of a hundred less expensive than conventional DGPS receivers. Location-based authentication is a powerful new tool that can provide a new dimension of network security never before possible. The CyberLocator technology is currently operational in a portable demonstration. Dorothy E. Denning is professor of computer science at Georgetown University (Washington, D.C.) and consultant to ISR. She can be reached at 202-687-5703 or denning at cs.georgetown.edu. Peter F. MacDoran is president and CEO of International Series Research, Inc. (Boulder, CO). He can be reached at 303-447- 0300 or pmacdorn at isrinc.com. $0$AD From stewarts at ix.netcom.com Wed Apr 10 11:40:21 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 11 Apr 1996 02:40:21 +0800 Subject: Disclosure of Public Knowledge to Foreigners Message-ID: <199604100705.AAA21823@toad.com> >>Date: Tue, 9 Apr 1996 15:44:52 -0700 (PDT) >>From: shelley thomson <sthomson at netcom.com> >> The church of scientology plans to subpoena the records of every >>anonymous remailer in the USA. ... >> On the basis of events today, Ward believes the church will >>issue subpoenas for the records of every anonymous remailer in the USA. >> If these records are delivered to the church, our First Amendment >>rights go with them. They can have all the records for the pamphlet remailer from the relevant time periods - it doesn't keep any. I may have to start some sort of short-term log-keeping to deal with spam problems (for now, I've shut it down, because of a particularly hostile kind of spam that would require grepping the body of each outgoing message to stop, and I haven't written code for that.) If I do start logging, I'll probably also insist that all incoming traffic be encrypted. And there are certainly ECPA issues involved in a subpoena, as well as major First-Amendment issues, reporter shield law issues (though I gather those vary by state), and such. Good luck! # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From sjb at universe.digex.net Wed Apr 10 11:58:14 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 11 Apr 1996 02:58:14 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <316AA1FC.6ED1@vail.tivoli.com> Message-ID: <199604091805.OAA01959@universe.digex.net> Mike McNally writes: >Scott Brickner wrote: >> Given your position, io.com is only accessible to adults in the world >> of the CDA advocates. Just upgrade your IP software to refuse >> connections from minors. > >It's not "my" IP software. I pay io for an account. What you're saying >is that every ISP would have to decide whether to be completely G-rated >or else open to anybody. Not necessarily. The ISP could provide a configuration mechanism for "self ratings" which the IP software would recognize. Mislabeling would be punishable the same way showing nekkid pictures of your wife to your neighbor's kid is. >Sigh. That's probably what the CDA crowd wants. It's hard not to become >consumed by hatred. Too true. I wish they'd grow up and realize that information is inherently harmless. "Sticks and stones may break my bones..." From perry at piermont.com Wed Apr 10 11:59:11 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 11 Apr 1996 02:59:11 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604091750.TAA13469@utopia.hacktic.nl> Message-ID: <199604101241.IAA04877@jekyll.piermont.com> Anonymous writes: > > Location-based System Delivers User > Authentication Breakthrough > > By Dorothy E. Denning and Peter F. MacDoran > Copyright(c), 1996 - Computer Security Institute - All Rights Reserved > Top - Help > A bunch of us heard about this a while back, and I was in on an exchange between several people including Phil Karn and Dorothy Denning. The gist of it is that Denning et al believe they have something -- and they are smart people -- but all the smart people who understand both GPS and crypto think its total bunk and not at all hard to fake being anywhere at all. I would say that I go with the latter. Perry From rah at shipwright.com Wed Apr 10 12:00:38 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 11 Apr 1996 03:00:38 +0800 Subject: onyma Message-ID: <v02120d08ad9150c3c1ee@[199.0.65.105]> At 9:05 PM 4/9/96, Name Withheld by Request wrote: > The term `nym' is erroneus: The Greek words are an-onym, pseud-onym, > syn-onym, hom-onym pp, derived from `onyma', name. Ah. I get it. Like Bass-omatic... <Siddown, Bob!> But, but, wasn't Bass-o-matic crypto, once? Cheers, Bob -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- From m5 at vail.tivoli.com Wed Apr 10 12:34:22 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 11 Apr 1996 03:34:22 +0800 Subject: RISKS: Social Security (sic) Administration fraud In-Reply-To: <v01540b00ad90ceb34f24@[206.86.1.35]> Message-ID: <316BB624.5813@vail.tivoli.com> Steven Weller quotes Sean Reifschneider: > ... Apparently several employees of the Social > Security Administration sold information including SSNs and mother's > maiden names of more than 11,000 people to a credit-card fraud ring. But nothing like that would ever happen at a Federal key escrow agency. No way. Inconceivable. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From m5 at vail.tivoli.com Wed Apr 10 12:39:40 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 11 Apr 1996 03:39:40 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work In-Reply-To: <199604090654.XAA16860@dns2.noc.best.net> Message-ID: <316BB329.1E57@vail.tivoli.com> Sten Drescher wrote: > MM> There are supposedly some new techniques that look at the infrared > MM> signature of your face > > So if I'm running a fever, or just been exercising, it > wouldn't recognize me, right? Doesn't sound like that would be much > better. But it could be that it looks for patterns of where the hot & cold zones are, and since exercise doesn't rearrange the concentrations of blood vessels beneath your skin, the matching might still be possible. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From pcw at access.digex.net Wed Apr 10 13:44:51 1996 From: pcw at access.digex.net (Peter Wayner) Date: Thu, 11 Apr 1996 04:44:51 +0800 Subject: No matter where you go, there they are. Message-ID: <v02140b09ad916e6d8a17@[199.125.128.5]> Hmm. Here's an interesting question. Let's say that there are 3 satellites in view broadcasting signals f1(t), f2(t) and f3(t). The way the system triangulates is to compute the distance from a location to a satellite by timing the arrival of a signal. So if signal f2(t) arrives at t+3 milliseconds, then the receiver is 3 lightmilliseconds away from satellite 2. For sake of simplicity, let the coordinates be expressed in distance from the satellites. (2,3,1) would mean a distance of 2, 3 and 1 light milliseconds from satellites 1,2 and 3 respectively. Okay, so why can't I just tape the signals I get from each of the three satellites. Let these be T1(t), T2(t) and T3(t). Assume we can easily synchronize them so that T1(t-o1)=f1(t). That is, we figure out our coordinates (o1,o2,o3), and subtract the offset from each tape. Then if we want to pretend to be at coordinate (a1,a2,a3), we simply say that we just received values T1(t-o1+a1), T2(t-o2+a2), T3(t-o3+a3). Or course, I could be completely missing some neat feature of DGPS. I really don't know the details of how it works and this could be completely wrong. Any thoughts? -Peter From hfinney at shell.portal.com Wed Apr 10 14:31:41 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 11 Apr 1996 05:31:41 +0800 Subject: Tense visions of future imperfect Message-ID: <199604101433.HAA16637@jobe.shell.portal.com> From: frantz at netcom.com (Bill Frantz) > >[Description of dcash counterfeiting scam, presumably done by stealing > > the bank's public key] > I don't see how this third scam would work in a system such as DigiCash > which uses online clearing. Unissued serial numbers would be refused when > presented for clearing. DigiCash banks do not issue serial numbers. Serial numbers are randomly chosen by the user when he withdraws his cash. He blinds the serial number before presenting the cash to be signed by the bank during withdrawal. So the bank never sees serial numbers until they are spent. The uniqueness of serial numbers results solely from having a large enough random space that matches are unlikely. What the bank does is keep a list of all spent serial numbers, not all issued ones (since it doesn't know those). That way it can detect double spending. We have had some discussions here about how banks could recognize this kind of counterfeiting, similar to the statistical measures mentioned in Garfinkel's scenario, and steps that could be taken. Hal From frissell at panix.com Wed Apr 10 14:53:31 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Apr 1996 05:53:31 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <2.2.32.19960410010847.00c91674@panix.com> At 12:38 PM 4/9/96 -0500, Scott Brickner wrote: >Wait a second. I don't know that it's really as impossible as you >think. Given the CDA advocates' hypothesis that anonymity is a Bad >Thing (tm), it's reasonable for them to assume that the ISP can arrange >to have a policy requiring that it know who's making the SLIP/PPP >connection. It's not too hard to have *every* packet generated by a >given connection flagged with an IP option indicating "adult" or >"minor". Of course that doesn't overcome the "technical problem" of getting the IETF to adopt that change in the protocols and getting a significant number of sites to adopt the new protocol. Even if you impose a substitutte on the IETF, it doesn't stop them from wandering off and creating their independent protocols and seeing whether the "official" or the "unofficial" get adopted. DCF From frissell at panix.com Wed Apr 10 14:53:33 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Apr 1996 05:53:33 +0800 Subject: Protocols at the Point of a Gun Message-ID: <2.2.32.19960410134837.0075cc14@panix.com> -----BEGIN PGP SIGNED MESSAGE----- At 02:38 PM 4/9/96 -0400, Perry E. Metzger wrote: >The internet and the culture are coming into conflict in a big way, >and I don't believe that both of them can survive. > >Perry Well this is as good a time and place as any to ask the question that none of the opposition seems to have asked (perhaps because they don't know enough to ask): How do you force geographically dispersed nodes on a distributed network to adopt a set of officially mandated protocols? But first a reading assignment: "How Anarchy Works--Inside the Internet Engineering Task Force" from Wired. http://www.hotwired.com/wired/3.10/departments/electrosphere/ietf.html So, now we know that the IETF has been pretty successful as a means of standards setting. We then have to go on to discuss how The Great Enemy might undertake to intervene in this process. Questions: 1) Are there any official agencies currently involved in drafting substitute protocols? 2) Do the public employees on the IETF behave any differently from the private employees? 3) Do the world's governments have the programming talent? 4) Do the world's governments have a way to get users at all levels to adopt their protocols? I don't know the answer to these questions. We know that governments would like to impose things like the Simple Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) Protocols. The Heathen Chinee have proposed their own entry into the protocol design process as have many of the other governments. Do they have any idea yet how to go about it? Do we? DCF -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWu7OYVO4r4sgSPhAQFw8wP/SONzr+vOKaIw3NQPTF4o1xk4hVFrlWEs y5fLcrh2jHlejPMvdoTNJIvZ0nsgLNJU8QsW+goRzl9B37/8U9oG8A0CgvOu9Wr9 2aP+zkHjTYldvtGuOWXNoq7tdQDGY5cGzMTJZO0WRwMBhpO+BnOGPPN2MqxMOPIK vbIgly4DEI8= =57wn -----END PGP SIGNATURE----- From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Wed Apr 10 15:11:41 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Thu, 11 Apr 1996 06:11:41 +0800 Subject: No matter where you go, there they are. Message-ID: <9604101822.AA1919@> >Location-based System Delivers User >Authentication Breakthrough >By Dorothy E. Denning and Peter F. MacDoran Nice april fools article... After all, position information is nothing more than a particular phase shift (time delay) between GPS data streams received from the set of satellites overhead. If I report the datastreams received -- or information about them -- then someone can calculate where I am. (Indeed, there are GPS applications where the device whose position is of interest doesn't actually decode the GPS data, it merely reports what it receives to some central data collection site, where the arithmetic is done.) If I want to pretend to be somewhere else, all I have to do is some simple geometry to calculate the time delays I want to report, and then phase-shift the GPS streams from their received position to where they would be at the other place. Note that relying on the PP code (military code) in the GPS stream is no help, since I don't need to be able to interpret the PP stream in order to pretend to be elsewhere, I merely need to know where I am and where I want to be, to insert the right phase shift. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From bshantz at nwlink.com Wed Apr 10 15:16:20 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Thu, 11 Apr 1996 06:16:20 +0800 Subject: The last I'll say on the unsubscribing thing Message-ID: <199604101611.JAA14641@montana.nwlink.com> I'm did not say that the people sending the messages to "unsubscrive" were justified in what they did. YES, it is written in the welcome message. I just think that maybe we need to be a little tolerant of a few people out of 1200 who made an honest mistake. I still believe that the people sending the messages haven't read Tim's "nth Fucking Time" message. Or his "Under attack by foreigners" message. Or my response about their lack of ignorance. (Tim, I just mentioned your messages because they came to mind. **GRIN**) Steve, I even think that they didn't read your "unsubscrive list" message, which I thought was wonderful. I just think that instead of complaining to the list they're trying to remove themselves from, we should send them mail individually. I'm sure that Tim already has. (at least he said he did...i think.) Since I posted yesterday, I have received a nubmer of messages from people interested in removing themselves from Cypherpunks. I sent them the paragraph from the welcome message. And that was that. Brad From frissell at panix.com Wed Apr 10 15:20:47 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 11 Apr 1996 06:20:47 +0800 Subject: Open Systems, Closed Systems, & Killer Apps Message-ID: <2.2.32.19960410141442.00766f04@panix.com> -----BEGIN PGP SIGNED MESSAGE----- Various correspondents have pointed out that X.25 is an "open system" in that it is not proprietary. I knew that. I was thinking more of hierarchical vs peer-to-peer. I have been under the impression that TCP/IP connections are more peer-to-peer between different sorts of networks (or nodes) than X.25. Isn't X.25 more of a standard for a single network? Don't X.25 networks need someone more "in charge" than TCP/IP networks, or am I mixing up different layers on the OSI reference model? Which gives me an opportunity to post the only mnemonic that I ever created: Read from the bottom up: (and) Anarchists Application Progressives Presentation (back when it was Communication, it was Commies) Socialists Session Trust Transport Never Network Departments Data Link Police Physical DCF -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWvBIYVO4r4sgSPhAQHmegP/bPmRjFRpbczDfQTpTbfGgnLmuvWp6cBb J62Rp/LW0tOnBOW4rrf/d88AUTlh4sesn1daxn+3LEL1zgSaZromjW6i+lRSK+cw AkShAuuTJUwzG44Li473au5b32jhw6VK2ZMTcZBWAo2f4kl5zLOgpMwKM1Cb6s8b /StrGFRLmd0= =5gXR -----END PGP SIGNATURE----- From hfinney at shell.portal.com Wed Apr 10 15:26:41 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 11 Apr 1996 06:26:41 +0800 Subject: No matter where you go, there they are. Message-ID: <199604101553.IAA20688@jobe.shell.portal.com> Peter - didn't they say that the checking station is also listening to the satellites? That way they can tell that you are playing back signals that you taped earlier because they won't match what the satellites are broadcasting right now. I think your idea would work if you wanted to pretend to be at a point which was _farther_ from each of the satellites than where you actually are. Then you could delay all of the signals. But the only way to be farther would be to be deep underground. You might be able to pretend to be at the center of the earth, but that is not very useful. Actually I suppose this only applies to those satellites which are shared between you and the checkin station. If you are far away then maybe you only share one or two. If you know which ones those are, you can lie to your heart's content about other ones, and for the shared ones you can again delay the signal and claim to be farther than you are. If their authenticated repeaters are used then you have to assume the checking station has all the satellite signals and again the best you can do is pretend to be a Mole Man. Hal From joneswr at fsg.prusec.com Wed Apr 10 15:36:08 1996 From: joneswr at fsg.prusec.com (Jones) Date: Thu, 11 Apr 1996 06:36:08 +0800 Subject: BoS: No matter where you go, there they are. In-Reply-To: <199604091750.TAA13469@utopia.hacktic.nl> Message-ID: <96Apr10.102406edt.35724@prufire1.prusec.com> Anonymous wrote: > > Location-based System Delivers User > Authentication Breakthrough > > By Dorothy E. Denning and Peter F. MacDoran > Copyright(c), 1996 - Computer Security Institute - All Rights Reserved > Top - Help > > Existing user authentication mechanisms are based on information the user > knows (e.g., password or PIN), possession of a device (e.g, access token or > crypto- card), or information derived from a personal characteristic > (biometrics). None of these methods are foolproof. Passwords and PINs are > often vulnerable to guessing, interception or brute force search. Devices > can be stolen. Biometrics > can be vulnerable to interception and replay. > > A new approach to authentication utilizes space geodetic methods to form a > time- dependent location signature that is virtually impossible to forge. > The signature is used to determine the location (latitude, longitude and > height) of a user attempting to access a system, and to reject access if > the site is not approved for that user. With location-based controls, a > hacker in Russia would be unableto log into a funds transfer system in the > United States while pretending to come from a bank in Argentina. > > Location-based authentication can be used to control access to sensitive > systems, transactions or information. It would be a strong deterrent to > many potential intruders, who now hide behind the anonymity afforded by > their remote locations and fraudulent use of conventional authentication > methods. If the fraudulent actors were required to reveal their location in > order to gain access, their anonymity would be significantly eroded and > their chances of getting caught would increase. > [SNIP] > > How it works > > International Series Research (Boulder, CO) has developed a technology for > achieving location-based authentication. Called CyberLocator, the > technology makes use of the microwave signals transmitted by the > twenty-four satellite constellation of the Global Positioning System (GPS). > Because the signals are everywhere unique and constantly changing with the > orbital motion of the satellites, they can be used to create a location > signature that is unique to a particular place and time. The signature, > which is computed by a special GPS sensor connected to a small antenna, is > formed from bandwidth compressed raw observations of all the GPS satellites > in view. As currently implemented, the location signature changes every > five milliseconds. However, there are options to > create a new signature every few microseconds. > [SNIP] So what if WORST case: So, everyone starts using this system. Especially the banks and exchanges. And nothing goes wrong for a long time and we really start to rely on it. What happens when one of the satellite gets hit by a meteor? Telephone systems can be re-routed. Does the authentication system break down? What if more than one gets hit? The earth passes close to the asteroid belt every so often. Thats why you can see shooting stars more often at certain times of the year. What if some country wanted to test out their new missile that knocks out satellites and takes a shot at some of the GPS. Obviously an act of war but could they shutdown the world bank? So far we use satellites to route information originating on terra ferma. This would mean relying on data originating from the satellite net to do business. And more so relying on data from more than one to come up with a computed value. Have we never lost a satellite to a rock? It doesn't even have to be a big rock. Just one moving at 100,000 mph. What happens during solar flare storms. Does the signal still make it through? Would the world buy into relying on a satellite system controlled by the USA? The possibilities for new 007 episodes just multiplied. RJ From Q101NOW at st.vse.cz Wed Apr 10 15:51:30 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Thu, 11 Apr 1996 06:51:30 +0800 Subject: CoS supoenas records of all anonymous remailers? Message-ID: <62B33F2344@st.vse.cz> - > The church of scientology plans to subpoena the records of every - >anonymous remailer in the USA. Isn't this in violation of the Electronic Communication Privacy Act? glenn From jeremey at forequest.com Wed Apr 10 16:47:06 1996 From: jeremey at forequest.com (Jeremey Barrett) Date: Thu, 11 Apr 1996 07:47:06 +0800 Subject: WWW User authentication In-Reply-To: <31676b78.52447450@mail.aa.net> Message-ID: <Pine.BSI.3.91.960409181051.8349Q-100000@newton.forequest.com> Right now, the only solution I know of is to use cookies for browsers that support them, and do all the MD5-ing yourself. That excludes some browsers, but you can support those in the totally insecure manner. On Tue, 9 Apr 1996, Brian C. Lane wrote: > > I just finished writing a cgi script to allow users to change their login > passwords via a webpage. I currently have the webpage being authenticated > with the basic option (uuencoded plaintext). MD5 would be nicer, but how > many browsers actually support it? > > When the user changes their password, the form sends their name, old > password, and new password with it, in the clear. This is no worse than > changing your password across a telnet connection, but I'd like it to be > more secure, but useable by a large number of browsers. > > Any advice? > > Brian > > ------- <blane at aa.net> -------------------- <http://www.aa.net/~blane> ------- > Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) > ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeremey Barrett Senior Software Engineer jeremey at forequest.com The ForeQuest Company http://www.forequest.com/ "less is more." -- Mies van de Rohe. Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gage, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." -- 'fortune` output From alanh at mailhost.infi.net Wed Apr 10 17:22:35 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Thu, 11 Apr 1996 08:22:35 +0800 Subject: NSA Budget In-Reply-To: <19960408.181433.15302.0.zalchgar@juno.com> Message-ID: <Pine.SV4.3.91.960409213025.10780B-100000@larry.infi.net> > Date: Mon, 8 Apr 1996 18:14:32 MST > From: zalchgar <zalchgar at juno.com> > Is there a public release of the NSA's annual Budget. If so is there a > quarterly release. (N)o (S)uch (A)ccounting From jimbell at pacifier.com Wed Apr 10 17:28:58 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 11 Apr 1996 08:28:58 +0800 Subject: No matter where you go, there they are. Message-ID: <m0u74QI-0008yEC@pacifier.com> At 08:41 AM 4/10/96 -0400, Perry E. Metzger wrote: > >Anonymous writes: >> >> Location-based System Delivers User >> Authentication Breakthrough >> >> By Dorothy E. Denning and Peter F. MacDoran >> Copyright(c), 1996 - Computer Security Institute - All Rights Reserved >> Top - Help >> > >A bunch of us heard about this a while back, and I was in on an >exchange between several people including Phil Karn and Dorothy >Denning. The gist of it is that Denning et al believe they have >something -- and they are smart people -- but all the smart people who >understand both GPS and crypto think its total bunk and not at all >hard to fake being anywhere at all. I would say that I go with the >latter. The latter is far closer to the truth. First off, GPS signals can be faked. In fact, there are commercial boxes sold that generate a full synthetic constellation of GPS signals; these boxes are usually intended to simulate motion of a vehicle when the GPS unit under test is actually stuck in a laboratory or factory floor. If such a box were connected to an amplifier of a few tens or hundreds of milliwatts, it would be possible to park near a potential target and deny him service by making it look like his signal came from anywhere else around the world. (Military boxes would detect this because of A/S, however.) And if you had a receiver at some specific location at which you intend to appear to be connected at, it is likely that full data describing the motions of the satellites could be supplied to any other location on the Internet needing well under 14,400 bps. Jim Bell jimbell at pacifier.com From jwarren at well.com Wed Apr 10 18:07:22 1996 From: jwarren at well.com (Jim Warren) Date: Thu, 11 Apr 1996 09:07:22 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailerrecords? Message-ID: <v02120d22ad91a456c038@[206.15.66.107]> >To: cypherpunks at toad.com >Subject: Scientologists may subpoena anonymous remailer records >Date: Tue, 09 Apr 1996 19:02:39 -0700 >From: John Gilmore <gnu at toad.com> > >I thought that most or all of the cypherpunk anonymous remailers don't >keep records. Not even on backup tapes. The whole idea is that there >aren't logs. But maybe they have found some remailers that are >non-cypherpunk. ... My understanding is that anon remailers come in two flavors: All of then anonomize X's msg to Y before forwarding it to Y as being "from" anonymous source, Z. The first flavor keeps a record matching X with Z. This allows it to accept responses to Z that it then re-matches and forwards back to X. The second flavor simply forwards without retaining any matching records at all. Of course, this then prohibits responses to the original msg sender via that remailer. My understanding is that the most famous remailer, anon.penet.fi, is of the first flavor -- and was raided by reps of the Church of Scientology, several years ago, with a Finnish search warrant, and that this produced some [much?] of the evidence against their opponent who had allegedly been splattering COS copyrighted "works" all over the net. (Interesting application of private property rights -- protecting religious secrets.) --jim And ... if I were a surveillance-oriented government agency, I would insert "watchers" at appropriate regional and national hubs that would routinely and automatically monitor every message ever sent to every identified remailer -- so as to protect against those evil whistle-blowers who dare to expose such govt's arrogance, abuses and/or wrong-doing, and the one or two vile terrorists who are stupid enough to use the net for communications without using world-available uncrackable crypto (that are the U.S. govt's official excuse for wanting to wiretap us all.) From sthomson at netcom.com Wed Apr 10 18:07:27 1996 From: sthomson at netcom.com (shelley thomson) Date: Thu, 11 Apr 1996 09:07:27 +0800 Subject: CoS supoenas records of all anonymous remailers? (Unverified) In-Reply-To: <4lOlC8i00YUvAxX4Ar@andrew.cmu.edu> Message-ID: <Pine.3.89.9604101026.A17584-0100000@netcom17> On Tue, 9 Apr 1996, Declan B. McCullagh wrote: > [FWIW, Biased Journalism is a reasonably reputable source. --Declan] Thank you, Declan. Grady is a sharp guy and he spent hours with the church lawyers. If he thinks this is likely to happen I would take the possibility seriously. I sent the note to Jim Warren because I thought the community should know of the possibility. A little advance notice might enable someone to prepare a legal defense. I hope that remailers will resist turning over their records even if there is no useful information in them. We'll probably know in a few days whether Grady's guess is correct. Meanwhile, if you are going to pass my letter around please snip the personal stuff. Shelley From perry at piermont.com Wed Apr 10 18:16:17 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 11 Apr 1996 09:16:17 +0800 Subject: No matter where you go, there they are. In-Reply-To: <9604101822.AA1919@> Message-ID: <199604101740.NAA05885@jekyll.piermont.com> Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com writes: > >Location-based System Delivers User > >Authentication Breakthrough > > >By Dorothy E. Denning and Peter F. MacDoran > > Nice april fools article... Alas, Dorothy Denning et al think its real. Perry From jya at pipeline.com Wed Apr 10 18:37:23 1996 From: jya at pipeline.com (John Young) Date: Thu, 11 Apr 1996 09:37:23 +0800 Subject: RSA_dog Message-ID: <199604101708.NAA21887@pipe2.nyc.pipeline.com> IDC Government ("Better Government Through IT Research") has snail-mailed an 8-page report on the January 1996 RSA Data Security Conference on "The Future of Cryptography." For math hermits untracked by the RSA bloodhound: RSA_dog From llurch at networking.stanford.edu Wed Apr 10 18:57:04 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 11 Apr 1996 09:57:04 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u736N-0008yBC@pacifier.com> Message-ID: <Pine.ULT.3.92.960410115410.13427A-100000@Networking.Stanford.EDU> On Wed, 10 Apr 1996, jim bell wrote: > >Be careful writing code - sometimes a byte is -128 to 127 instead of 0 > >to 255. Also, there are machines (mostly old kinky ones) that use > >bytes of sizes other than 8 bits. > > No, Bill, a "byte" has ALWAYS been 8-bits. Not that it really matters, but you're wrong; if you're talking about an asynchronous data stream, a byte is however many bits it takes to express one character. If you're using ASCII, it's 8; if you're using Baudot, it's 5. If you're talking about data in computers, then I think you're right, a byte is always 8 bits. -rich From mirele at xmission.com Wed Apr 10 19:31:25 1996 From: mirele at xmission.com (mirele at xmission.com) Date: Thu, 11 Apr 1996 10:31:25 +0800 Subject: Scientology harassing anon.penet.fi again! Message-ID: <199604101848.MAA11645@xmission.xmission.com> forwarded from rnewman at cybercom.net (Ron Newman): Here's what Grady said to me in several messages. Note that they seem to be after anon.penet.fi again too. (He has given me blanket permission to distribute his e-mail to me to anyone who may find it of use.) ------- Date: Thu, 04 Apr 1996 08:52:38 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> I've just received e-mail from: kaj.malmberg at mallu.pp.fi (Kaj Malmberg) The Poilice CID in Helsinki who is being pushed by the criminal cult yet again to get a search warrant for Julf's anonymous remailer, claiming I have been violating my injunction to post cult crap. I told him that as usual the criminal cult is lying and that I gave him and Julf explicit permission to investigate any or all of my posts I have ever made through the remailer. The criminal cult is trying to use the fact of my injunction to further their own conspiracy theories. South Africa, Finland, where does it end? Grady ------------- Date: Fri, 05 Apr 1996 07:41:25 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: Kaj Malmberg, Finland At 10:11 AM 4/5/96 -0500, you wrote: >Why did you give them this permission? I think it sets a VERY bad >precedent. Chris Schafmeister was upset when I mentioned this >on the IRC channel yesterday afternoon -- he thinks you're being >too nice, polite, and cooperative for your own good. I like to err on the side of openness. Each to their own I suppose. Basically I trust Kaj to sense who is the criminal perpetrator in this case. I also sent him the set of trial stipulations in the Snow White case that ought to give him very interesting background on the criminal cult. >In my opinion, Julf and the Finnish cop should Just Say No >to the CoS. He is still free to do as he wishes. ------------ Date: Tue, 09 Apr 1996 14:16:32 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: a few more questions No one was with me. Total hours day one: 7.5 Total hours day two: 3.25 hours, as per order of Judge Infante. Also I believe all american anonymous remailers will be subpoenaed for their records as will all my ISPs, and contents of safety deposit box held as evidence. At 04:56 PM 4/9/96 -0400, you wrote: >Was anyone with you (on YOUR side) at either day's deposition? > >How many hours total did you go each day? > -------- Date: Tue, 09 Apr 1996 19:37:57 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? I don't know what's up today, but Julf wrote yesterday to tell me that my id grady at northcoast.com had NOT been used to go through his remailer. No word on what the police are doing to subpoena his system, if they are. Grady -------------- Date: Tue, 09 Apr 1996 22:57:26 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? That is all he told me: that he could verify to authorities that grady at northcoast.com had not used his remailer. He didn;t mention anyone else or how he was helping the CID with their inquiries. Yes, you can put this datum on the web. At 01:52 AM 4/10/96 -0500, you wrote: >Was something else used to go through his remailer? > >Has he said anything in public about this? > >Should I post your message about it on my web site? Grady Ward | | http://www.northcoast.com/~grady +1 707 826 7715 | | (voice/24hr FAX) | 34877c8566839cb7 | grady at northcoast.com | aeab8ec5e5ee97fe | -- Ron Newman rnewman at cybercom.net Web: http://www.cybercom.net/~rnewman/home.html mirele at xmission.com -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ ------END GEEK CODE BLOCK------ From JonWienke at aol.com Wed Apr 10 19:38:46 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 11 Apr 1996 10:38:46 +0800 Subject: No matter where you go, there they are. Message-ID: <960410155213_466752269@emout07.mail.aol.com> In a message dated 96-04-10 10:33:19 EDT, D. Denning allegedly writes: >For two-way authentication, the reverse process would be performed. In the >current implementation, location signatures are 20,000 bytes. For >continuous authentication, an additional 20 bytes per second are >transferred. Re- authorization can be performed every few seconds or >longer. The location signature is virtually impossible to forge at the >required accuracy. This is because the GPS observations at any given time >are essentially unpredictable to high precision due to subtle satellite >orbit perturbations, which are unknowable in real-time, and intentional >signal instabilities (dithering) imposed by the U.S. Department of Defense >selective availability (SA) security policy. Further, because a signature >is invalid after five milliseconds, the attacker cannot spoof the location Umm, excuse me, but doesn't it take longer than 5 ms for a data packet to transit from point A to point B? We ARE talking about transmitting via the Net here, aren't we? >by replaying an intercepted signature, particularly when it is bound to the Replaying an intercepted signature would completely unnecessary. GPS positions are calculated by comparing the phase differential between several different satellite signals. It would be trivial for anyone who understands the inner workings of reprogram their GPS receiver (or build a hacked one) to give a false location. Simply calculate the distances to the satellites relative to your position, (GPS already does this to determine your position) and then calculate them in reference to another location. (This other location would have to be close enough to receive signals from four of the same satellites that you are receiving, if I remember GPS specs correctly.) Phase-shifting the signals according to the distance differences between your true location and the other location yields a signal set that can be fed into any GPS receiver to yield the other location, in real time. >message (e.g., through a checksum or digital signature). Continuous >authentication provides further protection against such attacks. See above. Is this a troll? Jonathan Wienke From droelke at rdxsunhost.aud.alcatel.com Wed Apr 10 20:04:55 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Thu, 11 Apr 1996 11:04:55 +0800 Subject: Bank information protected by 40-bit encryption.... Message-ID: <9604101921.AA25061@spirit.aud.alcatel.com> If you are the worring sort (or are looking for a ripe target) point your browser at: https://www.diginsite.com/clients.html There is a list of 23 Credit Unions - some (or all) of which allow transactions to be done over the net. A brief once over shows that it requires Netscape 2.0 or better so you will have encryption, but it does not warn you when you are using only a 40-bit session key vs. a 128-bit key. (Netscape wizards - is there a way that the server can detect this so that a warning message could be put up?) They also have some other information about their security at: http://www.diginsite.com/security/security.html I think it is GREAT that this kind of functionality is coming. I also think that the pioneers like this had better be prepared to be targets as I am sure they will be. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From byrd at ACM.ORG Wed Apr 10 20:09:55 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Thu, 11 Apr 1996 11:09:55 +0800 Subject: CoS and anon remailers Message-ID: <2.2.32.19960410184928.00688328@tiac.net> Here's more details. For quite some time the Church of Scientology has been pestered by an anonymous poster "Scamizdat" who regularly has been spilling cult secrets onto the net. These include directions on how to harrass critics. Scamizdat (whoever he is or they are) appears to have been using anonymous chained remailers. Grady Ward, a critic of the cult, has been taunting the cult with "Have you stopped Scamizdat yet?" I believe that Grady is almost certainly NOT Scamizdat. The church appears to have concluded that Grady is Scamizdat, has sued him, applied for a writ of seizure to raid his house (denied), and asked for a deposition (granted). It appears that Scientology is interesting in getting into the records of American anon remailers. They are also interested in anon.penet.fi. Once before, they raided anon.penet.fi when some of their internal information leaked out onto the net, and that poster has never been heard from again. Someone asked if this wouldn't violate the ECPA. In the past the cult has seized whole computers, complete with email, and ignored court orders to return them. The whole story may be found on http://www.cybercom.net/~rnewman/scientology/home.html Here is a file I got from Ron Newman's web page: --------------- Article 78833 of alt.religion.scientology: Path: news.cybercom.net!dial2-30.cybercom.net!user From: rnewman at cybercom.net (Ron Newman) Newsgroups: alt.privacy.anon-server,alt.religion.scientology,comp.org.eff.talk Subject: Warning - Scientology attacking remailers again! Date: Wed, 10 Apr 1996 11:15:40 -0500 Organization: Cyber Access Internet Services (617) 396-0491 Lines: 138 Distribution: inet Message-ID: <rnewman-1004961115400001 at dial2-30.cybercom.net> NNTP-Posting-Host: dial2-30.cybercom.net Keywords: Scientology remailers anon penet anonymous Grady Ward Xref: news.cybercom.net alt.privacy.anon-server:3524 alt.religion.scientology:78833 comp.org.eff.talk:25569 The following are a series of messages from Grady Ward, which he has authorized me to distribute to the Net at large. Grady is being sued by the Church of Scientology for alleged copyright violation (they claim he is the mysterious "Scamizdat", which he denies.) For more details, see http://www.cybercom.net/~rnewman/scientology/grady/home.html http://www.northcoast.com/~grady/ According to Grady, the CoS has once again demanded access to anon.penet.fi, and may soon subpoena other remailers as well: ------- Date: Thu, 04 Apr 1996 08:52:38 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> I've just received e-mail from: kaj.malmberg at mallu.pp.fi (Kaj Malmberg) The Poilice CID in Helsinki who is being pushed by the criminal cult yet again to get a search warrant for Julf's anonymous remailer, claiming I have been violating my injunction to post cult crap. I told him that as usual the criminal cult is lying and that I gave him and Julf explicit permission to investigate any or all of my posts I have ever made through the remailer. The criminal cult is trying to use the fact of my injunction to further their own conspiracy theories. South Africa, Finland, where does it end? Grady ------------- Date: Fri, 05 Apr 1996 07:41:25 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: Kaj Malmberg, Finland At 10:11 AM 4/5/96 -0500, you wrote: >Why did you give them this permission? I think it sets a VERY bad >precedent. [deleted] was upset when I mentioned this >yesterday afternoon -- he thinks you're being >too nice, polite, and cooperative for your own good. I like to err on the side of openness. Each to their own I suppose. Basically I trust Kaj to sense who is the criminal perpetrator in this case. I also sent him the set of trial stipulations in the Snow White case that ought to give him very interesting background on the criminal cult. >In my opinion, Julf and the Finnish cop should Just Say No >to the CoS. He is still free to do as he wishes. ------------ Date: Tue, 09 Apr 1996 14:16:32 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: a few more questions At 04:56 PM 4/9/96 -0400, you wrote: >Was anyone with you (on YOUR side) at either day's deposition? > >How many hours total did you go each day? No one was with me. Total hours day one: 7.5 Total hours day two: 3.25 hours, as per order of Judge Infante. Also I believe all american anonymous remailers will be subpoenaed for their records as will all my ISPs, and contents of safety deposit box held as evidence. -------- Date: Tue, 09 Apr 1996 19:37:57 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? I don't know what's up today, but Julf wrote yesterday to tell me that my id grady at northcoast.com had NOT been used to go through his remailer. No word on what the police are doing to subpoena his system, if they are. Grady -------------- Date: Tue, 09 Apr 1996 22:57:26 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? At 01:52 AM 4/10/96 -0500, you wrote: >Was something else used to go through his remailer? > >Has he said anything in public about this? > >Should I post your message about it on my web site? That is all he told me: that he could verify to authorities that grady at northcoast.com had not used his remailer. He didn;t mention anyone else or how he was helping the CID with their inquiries. Yes, you can put this datum on the web. -------------- Date: Wed, 10 Apr 1996 07:17:01 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? Ron, Yes do please distribute my messages as you deem necessary. Some people ought to be aware of what is coming down. My feeling is that they will be doing anything they can to attempt to produce "hard evidence" that I am part of the Grand Conspiracy. I would say it is virtually certain that U.S. anon remailers will be subpoenaed as well as any foreign ones in which they can handle the authorities. Grady Ward | | http://www.northcoast.com/~grady +1 707 826 7715 | | (voice/24hr FAX) | 34877c8566839cb7 | grady at northcoast.com | aeab8ec5e5ee97fe | -- Ron Newman rnewman at cybercom.net Web: http://www.cybercom.net/~rnewman/home.html From byrd at ACM.ORG Wed Apr 10 20:17:36 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Thu, 11 Apr 1996 11:17:36 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailer records? Message-ID: <2.2.32.19960410193734.00694638@tiac.net> At 11:01 AM 4/10/96 -0700, Jim Warren wrote: >My understanding is that the most famous remailer, anon.penet.fi, is of the >first flavor -- and was raided by reps of the Church of Scientology, >several years ago, with a Finnish search warrant, and that this produced >some [much?] of the evidence against their opponent who had allegedly been >splattering COS copyrighted "works" all over the net. (Interesting >application of private property rights -- protecting religious secrets.) The story is weirder than that. The first poster of church secrets (with lots of commentary) was Dennis Erlich, an ex-scientologist. Dennis was raided and sued, and is awaiting trial. His ISP, Tom Klemesrud, refused to cancel Dennis' account, and so was sued, and is awaiting trial. A lady met Klemesrud in a bar, identified herself as an IRS agent, and talked her way into Klemesrud's apartment. She proceeded to remove her clothes and spread blood all over the apartment. She there identified herself as a representative of the Church of Scientology. Klemesrud posted an account of this bizarre affair to alt.religion.scientology, and an anonymous poster "-AB-", using anon.penet.fi, posted a differing version of events. The Church went ballistic over this post, and raided anon.penet.fi to find the identity of -AB-. This turned out to be an alumni account at Cal Tech. The poster has never been heard from again. The raid on anon.penet.fi occurred in Feb. 1995. "Scamizdat" has never used anon.penet.fi, and his (their?) identity is still unknown. From iang at cs.berkeley.edu Wed Apr 10 21:48:12 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Thu, 11 Apr 1996 12:48:12 +0800 Subject: RC4 on FPGAs (Was: Bank transactions on Internet) In-Reply-To: <199604091732.KAA29261@netcom9.netcom.com> Message-ID: <4kh71n$cl3@abraham.cs.berkeley.edu> Coincidentaly enough, this is part of my project for my Hardware class. I'll let you know when I have it working. I'm using Altera FLEX 81188s, though the 10K models (with built-in RAM) would be _way_ faster... - Ian From jeffb at sware.com Wed Apr 10 21:50:01 1996 From: jeffb at sware.com (Jeff Barber) Date: Thu, 11 Apr 1996 12:50:01 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <9604101921.AA25061@spirit.aud.alcatel.com> Message-ID: <199604102054.QAA23703@jafar.sware.com> Daniel R. Oelke writes: > If you are the worring sort (or are looking for a ripe target) > point your browser at: > https://www.diginsite.com/clients.html > > There is a list of 23 Credit Unions - some (or all) of which > allow transactions to be done over the net. > > A brief once over shows that it requires Netscape 2.0 or > better so you will have encryption, but it does not warn you > when you are using only a 40-bit session key vs. a 128-bit key. > (Netscape wizards - is there a way that the server can detect > this so that a warning message could be put up?) Yes. Netscape servers pass three (additional) environment variables to CGI programs when used with SSL. For a 40-bit invocation, you get: HTTPS=ON HTTPS_KEYSIZE=128 HTTPS_SECRETKEYSIZE=40 So, you can distinguish 40- versus 128-bit usage. -- Jeff From abostick at netcom.com Wed Apr 10 22:01:42 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 11 Apr 1996 13:01:42 +0800 Subject: [NOISE] Re: onyma In-Reply-To: <199604100105.DAA09113@utopia.hacktic.nl> Message-ID: <to+ax8m9LM7U085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604100105.DAA09113 at utopia.hacktic.nl>, nobody at replay.com (Name Withheld by Request) wrote: > tcmay at got.net (Timothy C. May) writes: > > >Not meant to be snide, even if sounded that way. I just get confused by > >your various nyms > > The term `nym' is erroneus: The Greek words are an-onym, pseud-onym, > syn-onym, hom-onym pp, derived from `onyma', name. > I am a professional freelance editor and copyeditor. It is my job to see that the language used by authors conforms to the rigid dictates of style, spelling, and grammar. As an experienced professional in this field, I have learned that where rules of spelling, grammar, vocabulary come from is *usage*. Words become accepted parts of the language because people start to use them. The acceptance of words is recognized by their adoption in to lexicons and dictionaries, but this is description, not prescription. If you want to be linguistically correct and ensure that 'onyma' prevails over 'nym,' you've got a lot of catching up to do. 'Nym' is is clearly established by usage on the Cypherpunks list, and I expect it's only a matter of time before it starts showing up in print media, if it hasn't already, and get listings in the Jargon File, then dictionaries, etc. You can't fight usage; it is usage that makes the language as she is spoke what it is. - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMWvs5uVevBgtmhnpAQER0wMAwwaSOvUPKrC1p4WbMuWtJAeeYx5V2Wuv weaRhr0bhbQ70y4IZ+ZkBGN4YcLfVSUV9MZCylEJcoASEzeJL3rV42H02j3+HIjl v6v82ylpCLZBpGWyKfHrF7/zYRjCgUiZ =362B -----END PGP SIGNATURE----- From JonWienke at aol.com Wed Apr 10 22:23:28 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 11 Apr 1996 13:23:28 +0800 Subject: Message not deliverable Message-ID: <960410164932_268662594@emout10.mail.aol.com> >Subj: Message not deliverable >Date: 96-04-10 11:51:09 EDT >From: Administrator_at_DCACINTS at dca.com (Administrator) >To: JonWienke at aol.com [body text deleted] Has anyone else been getting these when they post to cpunks? I get one every time I post. I emailed the administrator at dca.com, a few weeks ago, but nothing has changed. Anyone got suggestions? Jonathan Wienke From shamrock at netcom.com Wed Apr 10 23:51:04 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 11 Apr 1996 14:51:04 +0800 Subject: Protocols at the Point of a Gun Message-ID: <v02120d2bad91ecd377cc@[192.0.2.1]> At 9:48 4/10/96, Duncan Frissell wrote: [...] >We know that governments would like to impose things like the Simple >Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) >Protocols. There is one thing about the proposed minor flag addition to IP that I don't understand. [No, I am not surprised by this. Mandatory authorization to establish a connection and an "Internet Driver License", probably in the form or a smart card are coming]. If my computer creates the IP packet, what is there to prevent me from modifying the value of the "Minor/Adult" flag at my leisure? -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From stewarts at ix.netcom.com Thu Apr 11 00:20:18 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 11 Apr 1996 15:20:18 +0800 Subject: Tense visions of future imperfect Message-ID: <199604102201.PAA13082@toad.com> At 10:59 AM 4/9/96 -0800, frantz at netcom.com (Bill Frantz) wrote: >> Financial Times, April 9, 1996, p. 13. >> Garfinkel described it like this: "My name is Agent >> Jenkins. I'm an investigator with the secret service, >> working on a counterfeiting case. And it's tough. Last >> year, my office got a priority call from an economist at >> Stanford. The economist was looking at something called the >> money supply and velocity and both were increasing a little >> too fast. They just didn't add up. The economist finally >> figured an organisation was printing its own electronic >> money -- just like the US government does. Personally, I find the idea that the government could hope to track the economy so closely as to notice a $10M/year addition to the money supply to be disturbing (though it was done in a science fiction story about 20 years ago :-) With digital cash, it's also unrealistic - we finally have a technology for moving money around _without_ them being able to track it all, if we want to deploy it. >> "This counterfeit currency looked just like the real thing, >> except it was a fraud. She even found some of it -- a >> digital dollar that was signed and sealed by the US >> government's secret key, yet had a serial number that had >> never been issued. The money that was being made was on the >> Net. It was everywhere and nowhere. And it was encrypted, >> so that we wouldn't even know it if we found it. Last >> month, we estimate, the total fraud was up to $900,000 a >> month, and it is increasing still." > >I don't see how this third scam would work in a system such as DigiCash >which uses online clearing. Unissued serial numbers would be refused when >presented for clearing. In Chaum's DigiCash, the payer makes up the serial number, blinds it, and has the bank sign it blind, so the bank never knows the number until the payee deposits it. So this doesn't work. (The payee knows the number when he receives it from the payer, but in online operation he deposits it right away.) (There are alternative ways to structure transactions so the payee issues the serial number, or even so the bank does, but they're not needed.) What the bank _does_ know is whether the total number of digibucks with its signature on them that it's received is larger than the number it's signed - so if their private signature key has been stolen by counterfeiters, they'll know for sure once the counterfeiting level exceeds the amount of float of outstanding digibucks they've issued; they may suspect it earlier if the redemption level is high enough that the float statistics look real funny. On the other hand, with Chaum's system, what role would the US government have in issuing digibucks, rather than banks doing it? The one-big-bank approach doesn't scale well, though I suppose the Feds could pay member banks with digibucks instead of paperbucks or journal entries if they wanted to, and FedBucks might be more spendable in some markets than VisaBucks or TwainBucks or MeritaKroner or HKL$ or YakuzaYen or Chemical$ or CocaRubles. >If this kind of scam, particularly the counterfeiting scam, >occurs too often, public trust in the cash will disappear, and people will >refuse to buy it. In a multiple-bank scenario, that works fine. With a government-issued legal-tender digital currency, it's an offer you can't refuse... >Note that people trying to maintain anonymity are particularly vulnerable >since they have to hold cash for a period of time to defeat traffic >analysis attacks. Holding digital cash for a long time isn't difficult - it's easier than holding paper cash for a long time, since you can keep multiple encrypted copies (so stealing them isn't very useful to the thief and isn't as damaging to the victim), and you can stash floppies in smaller, less armored safe deposit boxes than you'd need for large quantities of cash. Of course, if you happen to become dead while you're storing it, the paper cash is far more useful to your heirs, so I assume we'll have a government-sponsored cash-escrow system announced soon to protect the government's interest in collection of inheritance taxes... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From hoz at univel.telescan.com Thu Apr 11 00:21:51 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 11 Apr 1996 15:21:51 +0800 Subject: No matter where you go, there they are. Message-ID: <199604102136.OAA12316@toad.com> At 10:04 AM 4/10/96 -0400, Peter Wayner wrote: > >Hmm. Here's an interesting question. Let's say that there are 3 >satellites in view broadcasting signals f1(t), f2(t) and f3(t). >...Okay, so why can't I just tape the signals I get from each of >the three satellites. >Or course, I could be completely missing some neat feature of >DGPS. ... Any thoughts? I have read that GPS uses encryption to place time-dependent, location-dependent inaccuracies into the signals. Innacuracies small enough so they are not a problem for civilian navigation, (mostly) but large enough to prevent GPS from being a useful method of military targeting for anyone who does not hold the keys. Perhaps Ms. Denning is suggesting that the US feral government could act as a "trusted server" (and she has repeatedly suggested such trust) and tell us whether a GPS that "thinks" it's at some location, right now, is REALLY at some known location. From wb8foz at nrk.com Thu Apr 11 00:48:49 1996 From: wb8foz at nrk.com (David Lesher) Date: Thu, 11 Apr 1996 15:48:49 +0800 Subject: No matter where you go, there they are. In-Reply-To: <9604101822.AA1919@> Message-ID: <199604102224.SAA07900@nrk.com> > > >Location-based System Delivers User > >Authentication Breakthrough > > >By Dorothy E. Denning and Peter F. MacDoran > > Nice april fools article... I doubt it, only because having met her at GAK meetings, IMHO she lacks the humor gene.... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From sjb at universe.digex.net Thu Apr 11 01:06:27 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 11 Apr 1996 16:06:27 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <2.2.32.19960410010847.00c91674@panix.com> Message-ID: <199604102307.TAA24312@universe.digex.net> Duncan Frissell writes: >At 12:38 PM 4/9/96 -0500, Scott Brickner wrote: > >>Wait a second. I don't know that it's really as impossible as you >>think. Given the CDA advocates' hypothesis that anonymity is a Bad >>Thing (tm), it's reasonable for them to assume that the ISP can arrange >>to have a policy requiring that it know who's making the SLIP/PPP >>connection. It's not too hard to have *every* packet generated by a >>given connection flagged with an IP option indicating "adult" or >>"minor". > >Of course that doesn't overcome the "technical problem" of getting the IETF >to adopt that change in the protocols and getting a significant number of >sites to adopt the new protocol. Even if you impose a substitutte on the >IETF, it doesn't stop them from wandering off and creating their independent >protocols and seeing whether the "official" or the "unofficial" get adopted. Actually, the IP layer specifies "options", but doesn't use all of them. I think undefined options aren't interpreted by the router, except to observe the "copy on fragment" bit's setting. Even if they are, using the existing "security compartment" instead of defining a new option could do the same thing. Using security compartment might permit the use of existing equipment everywhere, making the transition to this scheme require only reconfiguration of a subset of existing routers. IPv4 is so stable now that adopting a new option is *very* unlikely to break anything in existing routers. Let's say that option class 1 (currently unused) is used for the information. Option number 1 means "adult", option number 2 means "not adult". Neither option requires parameters, so they only mean one more octet per packet (13 if security compartment is used). The "copy on fragment" bit is set in both. Now, let's assume the worst: the CDA is upheld through a few of these court cases. The IETF's raison d'etre is to facilitate usage of the Internet, privacy isn't a goal per se. With all the US members scrambling to figure out how to cope with CDA, *many* of the members might consider something like this to be a relatively easy protocol fix. Routers that don't accept packets directly from customers will already work fine. At the borders of autonomous systems, system owners may categorize each link as "adult", "non adult", or "unspecified". "Unspecified" means they can use an existing router, and assumes that the other end bears responsibility for having the right "adulthood" option. For "adult" or "non adult", they need a router with software modified to put the right option in all packets. For switched connections, like SLIP or PPP, the router needs to know who's on the other end and put the appropriate options in the packets. Ultimately, a relatively small number of network components need to be changed, and almost all of them may be changed through fairly simple software updates. Still think the IETF would refuse? From rah at shipwright.com Thu Apr 11 01:33:35 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 11 Apr 1996 16:33:35 +0800 Subject: DCSB: Gold Denominated Burmese Opium Futures? Message-ID: <v02120d01ad91ae0e2a95@[199.0.65.105]> -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Perry E. Metzger "Possible Futures: The Impact of Ubiquitous High Speed Networking on Intermediation and Regulation" or "With Spring Street Brewing shares trading on the web, are gold denominated Burmese opium futures inevitable?" *Monday*, May 6, 1996 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Perry Metzger is the President of Piermont Information Systems Inc., a consulting firm specializing in communications and computer systems security. He has worked for, or consulted to, the New York financial community for most of the last decade. He has been strongly involved with the Internet Engineering Task Force's security area for some time, and is the author of several security related RFCs. He is also the co-chair of the IETF's Simple Public Key Infrastructure working group, which is developing public key cryptographic standards for the internet. Networking technology is racing far ahead of culture. Fiber optics offer the possibility of cheap truly ubiquitous internet service in the tens of gigabits per second within the decade, and cheap high speed mobile connectivity is also likely. We will likely live in a world where anyone can sit in a park with a cheap laptop and communicate over a multi-megabit per second channel to any other civilized location on the planet. This development may radically change our culture, and with it the nature of regulation and intermediation in the marketplace. Although opium futures trading might not be inevitable, the scope of the trends we are facing should not be underestimated. Mr. Metzger will discuss these and similar developments; he will also discuss the limits to our ability to predict or alter the course such changes will take. This meeting of the Digital Commerce Society of Boston will be held on *Monday*, May 6, 1996 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have a jacket and tie dress code. Please note that this meeting is on *Monday* this month, due to a scheduling problem at the Harvard Club. We go back to meeting on the first Tuesday of the month in June. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, March 30, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: June Dan Shutzer FSTC July Pete Loshin Author, "Electronic Commerce" August Duane Hewitt Idea Futures We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWv8/PgyLN8bw6ZVAQGu/gQAkdtTIsK6rbboD6NRVjpZD8WFMXgZGlOB 5MA4znnY/XC6qNvVseRRq0wcPukNsGoQdCE8LwwqS2oWdyMXlWdUO7RK+CgCvOGj 48HjCVcgItM4V3BW9W5CM897zBWAwfcCkfbzngwuhzinu0MHWgPK/MMSFX73/dtH 2kg/41CA6MM= =Tfdk -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From tcmay at got.net Thu Apr 11 02:08:29 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 11 Apr 1996 17:08:29 +0800 Subject: Digital Cash Escrow Message-ID: <ad91bd700a02100484a7@[205.199.118.202]> At 10:14 PM 4/10/96, Bill Stewart wrote: >Of course, if you happen to become dead while you're storing it, >the paper cash is far more useful to your heirs, so I assume we'll have >a government-sponsored cash-escrow system announced soon to protect >the government's interest in collection of inheritance taxes... Don't give them ideas, Bill! They are known to monitor our list for insights into what to regulate next, and I can see the 15-watt lightbulbs going on over their heads as they ponder the wonderful opportunities presented by "digital cash escrow." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From allyn at allyn.com Thu Apr 11 02:29:19 1996 From: allyn at allyn.com (Mark Allyn 206-860-9454) Date: Thu, 11 Apr 1996 17:29:19 +0800 Subject: CDA Court Challenge: Update #5 In-Reply-To: <slOnt1W00YUv9D5F8c@andrew.cmu.edu> Message-ID: <199604110234.TAA22950@mark.allyn.com> snatched it away, snarling: "Not available to the public." Well, the URLs ended up in my mailbox anyway, so here they are for your amusement: http://www.pu55y.com/hotsex/join.html http://shack.bianca.com/shack/misc/terms.html http://www.intergate.net/untmi/obbs1.html http://www.whitman.edu/~burkotwt/pornpics/lady941.jpg http://www.wizard.com/~gl944vx/gifs/01_21.jpg http://www.vegaslive.com/sgguests/ginger.html news:4hrs89k%24oap at what.why.net http://monkey.hooked.net/monkey/m/grinder/nikkita/graphics/nikki36.jpg news:313F56FD.3F19 at access.mountain.net news:4hb94m%24sij at asp.erinet.com http://www.sexvision.com/web2.htm news:314048f.1657746 at news.netwalk.com You forgot one: http://clearplastic.com From ses at tipper.oit.unc.edu Thu Apr 11 02:30:44 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 11 Apr 1996 17:30:44 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u736N-0008yBC@pacifier.com> Message-ID: <Pine.SOL.3.91.960410182824.5230D-100000@chivalry> No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. That's why we have the word octet. --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From frantz at netcom.com Thu Apr 11 02:31:55 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 11 Apr 1996 17:31:55 +0800 Subject: No matter where you go, there they are. Message-ID: <199604110019.RAA05628@netcom9.netcom.com> At 8:41 AM 4/10/96 -0400, Perry E. Metzger wrote: Anonymous writes: > > Location-based System Delivers User > Authentication Breakthrough > > By Dorothy E. Denning and Peter F. MacDoran > Copyright(c), 1996 - Computer Security Institute - All Rights Reserved > Top - Help > When I first started reading the paper I said to myself, "Ah, they are going to have a box that provides digitally signed GPS locations." I still think they might try that as plan "B". Combined with a password or biometrics to prevent unauthorized use of the box, they might have a useful, if limited, system. A few other practical problems with the system they DID describe that haven't been mentioned: (1) GPS doesn't work well near the walls of canyons. The positions reported can be off by a considerable distance. This problem probably also applies in the steel and glass canyons of cities. (2) Consumer grade GPS receivers have problems acquiring satalites in forested areas. The same problem probably will also occur in skyscrapers. Using your portable in some client's office will involve shoving an antenna out the non-openable window. With these problems, I just can't see GPS authentication being popular for the masses. For some military and industrial uses it may solve a real problem. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Thu Apr 11 02:32:07 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 11 Apr 1996 17:32:07 +0800 Subject: questions about bits and bytes Message-ID: <m0u7BgI-00091BC@pacifier.com> At 06:29 PM 4/10/96 -0700, Simon Spero wrote: >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. I notice you gave no examples. Why is that? Jim Bell jimbell at pacifier.com From declan+ at CMU.EDU Thu Apr 11 02:45:31 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 11 Apr 1996 17:45:31 +0800 Subject: Scientologists may subpoena anonymous remailer records? In-Reply-To: <Pine.SUN.3.91.960410112759.13271B-100000@eff.org> Message-ID: <4lP0MUS00YUv4jzXV4@andrew.cmu.edu> ---------- Forwarded message begins here ---------- Date: Wed, 10 Apr 1996 11:38:58 -0700 (PDT) From: Declan McCullagh <declan at eff.org> To: fight-censorship+ at andrew.cmu.edu cc: rnewman at cybercom.net, grady at northcoast.com, kaj.malmberg at mallu.pp.fi, sthomson at netcom.com Subject: Re: Anonymous Remailer threat: Scientologists may subpoena anonymous remailer records? Ron, thanks for the background about the CoS's renewed attempts to get a search warrant for anon.penet.fi. I hope you don't get dragged into this any more than you already are. Grady Ward writes below, in a message dated this morning: > I would say it is virtually certain that U.S. anon remailers will > be subpoenaed as well as any foreign ones in which they can handle > the authorities. Yikes! Jim's alert was timely. -Declan [This message is archived at http://fight-censorship.dementia.org/top/] // declan at eff.org // I do not represent the EFF // declan at well.com // Date: Wed, 10 Apr 1996 10:18:35 -0500 From: Ron Newman <rnewman at cybercom.net> Subject: Re: Clams subpoena'ing anonymous remailer records? Here's what Grady said to me in several messages. Note that they seem to be after anon.penet.fi again too. (He has given me blanket permission to distribute his e-mail to me to anyone who may find it of use.) ------- Date: Thu, 04 Apr 1996 08:52:38 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> I've just received e-mail from: kaj.malmberg at mallu.pp.fi (Kaj Malmberg) The Poilice CID in Helsinki who is being pushed by the criminal cult yet again to get a search warrant for Julf's anonymous remailer, claiming I have been violating my injunction to post cult crap. I told him that as usual the criminal cult is lying and that I gave him and Julf explicit permission to investigate any or all of my posts I have ever made through the remailer. The criminal cult is trying to use the fact of my injunction to further their own conspiracy theories. South Africa, Finland, where does it end? Grady ------------- Date: Fri, 05 Apr 1996 07:41:25 -0800 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: Kaj Malmberg, Finland At 10:11 AM 4/5/96 -0500, you wrote: >Why did you give them this permission? I think it sets a VERY bad >precedent. Chris Schafmeister was upset when I mentioned this >on the IRC channel yesterday afternoon -- he thinks you're being >too nice, polite, and cooperative for your own good. I like to err on the side of openness. Each to their own I suppose. Basically I trust Kaj to sense who is the criminal perpetrator in this case. I also sent him the set of trial stipulations in the Snow White case that ought to give him very interesting background on the criminal cult. >In my opinion, Julf and the Finnish cop should Just Say No >to the CoS. He is still free to do as he wishes. ------------ Date: Tue, 09 Apr 1996 14:16:32 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: a few more questions [Regarding the depositions. --Declan] No one was with me. Total hours day one: 7.5 Total hours day two: 3.25 hours, as per order of Judge Infante. Also I believe all american anonymous remailers will be subpoenaed for their records as will all my ISPs, and contents of safety deposit box held as evidence. At 04:56 PM 4/9/96 -0400, you wrote: >Was anyone with you (on YOUR side) at either day's deposition? > >How many hours total did you go each day? > -------- Date: Tue, 09 Apr 1996 19:37:57 -0700 To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? I don't know what's up today, but Julf wrote yesterday to tell me that my id grady at northcoast.com had NOT been used to go through his remailer. No word on what the police are doing to subpoena his system, if they are. Grady -------------- Date: Tue, 09 Apr 1996 22:57:26 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? That is all he told me: that he could verify to authorities that grady at northcoast.com had not used his remailer. He didn;t mention anyone else or how he was helping the CID with their inquiries. Yes, you can put this datum on the web. At 01:52 AM 4/10/96 -0500, you wrote: >Was something else used to go through his remailer? > >Has he said anything in public about this? > >Should I post your message about it on my web site? Grady Ward | | http://www.northcoast.com/~grady +1 707 826 7715 | | (voice/24hr FAX) | 34877c8566839cb7 | grady at northcoast.com | aeab8ec5e5ee97fe | -- Ron Newman rnewman at cybercom.net Web: http://www.cybercom.net/~rnewman/home.html Here are some other messages that Grady sent me in the last few days. I'll put some of this on my web site in the near future. ------------ Date: Tue, 09 Apr 1996 13:34:20 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: deposition At 11:05 AM 4/9/96 -0500, you wrote: >When are the remaining 1.5 hours of deposition scheduled? >Are you holding firm to the 9 hour limit? I held firm to my nine hour limit; they held firm to their 2+ day limit. Hogan called me a "liar" on the record, a term I reciprocated on the record. This time there were a lot of questions about you two, Ron and Shelley. I predict that you two will be served a subpoena soon to either be deposed yourself or to have your e-mail and archives produced in evidence. We got onto the phone with Judge Infante and he told us to finish by 12:15. Which we did. The only other issue is that the cult wanted to immediately seize my safety deposit box contents. I asked that any seizures be made pursuant to a Special Master or other neutral party taking control and analyzing the significance of the contents of the backup disks therein. We got back on the phone with Infante and while he did not sanction the seizure by the scientologists, he did "freeze" the contents so as to preserve possible evidence. Grady We finished as per the Judges order at 12:15. The criminal cultists were somewhat unhappy at their interrogation being cut short. One strange man whose picture I will post soon was apparently the go-between between Warren McShane and ??? (speculating David Miscavige/OSA). The receptionist said she had not seen as many faxes in one day as had come to her office during my deposition. He was constantly ferrying stuff from the fax to McShane and Kobrin or constantly talking on a cellphone. But he and McShane looked for the world as simply carrying out their master's orders. ------------- Date: Tue, 09 Apr 1996 13:36:27 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: who were the CoS lawyers who deposed you? Hogan and Eric Lieberman. Both were assisted by Kobrin and McShane. Also in the room was a cult computer expert, and a couple of helpers for Lieberman and McShane. ---------- Date: Tue, 09 Apr 1996 13:41:46 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: Henson page added, Grady page updated Today's deposition realaudio will be available as depo_7 through depo_10 in about an hour at my site. You were the topic of some detailed questions about e-mail and phone conversations. ------------ To: Ron Newman <rnewman at cybercom.net> From: Grady Ward <grady at northcoast.com> Subject: Re: who did they ask about in the depo, besides Shelley and me? At 06:38 PM 4/9/96 -0400, you wrote: >Someone listened to one of the files and noticed that they asked >about Maureen Garde. Who else did they ask about? They were most interested in *you*, then Jeff Jacobsen, then Keith Henson, then each of the other list people in turn. If I were a betting man, I would say you are going to be subpoenaed to be deposed real soon now. -------------- Date: Wed, 10 Apr 1996 07:17:01 -0700 To: rnewman at cybercom.net (Ron Newman) From: Grady Ward <grady at northcoast.com> Subject: Re: what is the latest regarding penet? Ron, Yes do please distribute my messages as you deem necessary. Some people ought to be aware of what is coming down. My feeling is that they will be doing anything they can to attempt to produce "hard evidence" that I am part of the Grand Conspiracy. I would say it is virtually certain that U.S. anon remailers will be subpoenaed as well as any foreign ones in which they can handle the authorities. I did tell you that they sprung a surpise motion on me and Judge Infante during day #2 of the deposition by asking him if their computer expert could make copies of the contents thereof to look for contraband? I objected on the grounds that it was a thinly disguised seizure request (which had already been denied by Judge Whyte) and that the box contained much private material such as letters to my wife, etc. The judge did agree to another motion however made by Hogan to "freeze" the contents of the box to "preserve evidence". Obviously any motion that they make to examine the contents will be met by a demand that only a mutually agree 3rd party using an agreed upon protocol (i.e. grepping for an agreed list of patterns) will be permitted. No mass copying, no random cult fishing. Grady Ward | | http://www.northcoast.com/~grady +1 707 826 7715 | | (voice/24hr FAX) | 34877c8566839cb7 | grady at northcoast.com | aeab8ec5e5ee97fe | From jya at pipeline.com Thu Apr 11 02:51:17 1996 From: jya at pipeline.com (John Young) Date: Thu, 11 Apr 1996 17:51:17 +0800 Subject: NPR is talking about smart card purses... Message-ID: <199604110124.VAA01983@pipe3.nyc.pipeline.com> Responding to msg by rah at shipwright.com (Robert Hettinga) on Wed, 10 Apr 5:53 PM >Chase, Citi, MC and others are offering a stored value >card on the west side of Manhattan. They're saying >that smart cards are faster than cash. Stick the card >in, say yes to the amount. The terminals are wired >directly to a bank account, so we're looking at a book >entry system, it looks like... > >The announcer is breathless at the possibilities.... > >I wonder if this is CAFE, Mondex, or what? anyone >know? ---------- Yep, NYT has a story on it today, the testrun is in my own pigsty. It's by Citibank, Chase Manhattan, Mastercard and Visa: electronic cash loaded on a plastic card that can be used to make small purchases. The article also reviews the state of the art. Wanna see it from me, or try http://www.nytimes.com? From JonWienke at aol.com Thu Apr 11 04:32:49 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 11 Apr 1996 19:32:49 +0800 Subject: No matter where you go, there they are. Message-ID: <960410195146_466946290@emout04.mail.aol.com> In a message dated 96-04-10 17:49:32 EDT, you write: >Or course, I could be completely missing some neat feature of >DGPS. I really don't know the details of how it works and this >could be completely wrong. Any thoughts? Because of the fluctuations in the signals, random and otherwise, you would be detected if you used recordings that were more than a few seconds old. However, if you delayed all but one of the satellite signals by a few milliseconds (or fractions thereof) to get the desired phase relationship, you could effectively fake your position, and the delay would be masked by the delays inherent in the Net by a pretty good margin. The longer the average packet transfer delay between you and the other party, the farther you could fake your position from your real one without being detected. Jonathan Wienke From iang at cs.berkeley.edu Thu Apr 11 04:33:15 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Thu, 11 Apr 1996 19:33:15 +0800 Subject: Bay Area Meeting on Saturday? Message-ID: <4khh99$d44@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- So, will there be a Bay Area meeting on Saturday? Where? etc... - Ian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWxHeUZRiTErSPb1AQHzlAP+N3q0syVT6pmrEDDUGfY7spKqJQkFDtcU HFbzihOAHsYLzgERQoi5yLe4487ApKTpqR8ohly28R0ZLA98tV0Ev/8KHaHYJxTn /3BAL/Xj2jtVS2gvKBzyshUnh7QqyZeq1jmV4Y+lRigFggiJgENrWSnJLKfr5zwM csc/0838gqw= =LcIY -----END PGP SIGNATURE----- From frantz at netcom.com Thu Apr 11 04:34:41 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 11 Apr 1996 19:34:41 +0800 Subject: Tense visions of future imperfect Message-ID: <199604110019.RAA05624@netcom9.netcom.com> At 7:33 AM 4/10/96 -0700, Hal wrote: >From: frantz at netcom.com (Bill Frantz) >> >[Description of dcash counterfeiting scam, presumably done by stealing >> > the bank's public key] >> I don't see how this third scam would work in a system such as DigiCash >> which uses online clearing. Unissued serial numbers would be refused when >> presented for clearing. > >DigiCash banks do not issue serial numbers. Serial numbers are randomly >chosen by the user when he withdraws his cash. ... Well, teach me to post without checking the protocol. Thanks Hal and Perry. Apologies to all - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sameer at c2.org Thu Apr 11 04:41:47 1996 From: sameer at c2.org (sameer) Date: Thu, 11 Apr 1996 19:41:47 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena In-Reply-To: <ad91b30d0902100413eb@[205.199.118.202]> Message-ID: <199604110423.VAA03176@infinity.c2.org> > > Sorry to sound picky, but I've just seen several messages all of which copy > a long dialog from some Finnish guy named Kaj. Some of the messages then > confuse the issues by confusing the types of remailers. > Frankly, I'm getting antsy. Is C2 going to get subpoena'd or not? I would be very disappointed if we don't. (Subpeonas envy!) -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From tomw at netscape.com Thu Apr 11 05:22:12 1996 From: tomw at netscape.com (Tom Weinstein) Date: Thu, 11 Apr 1996 20:22:12 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <199604110445.VAA06906@atropos.c2.org> Message-ID: <316C919D.1372@netscape.com> sameer at c2.org wrote: > > > For Netscape servers, you can configure which ciphers you want to > > use. I'm sure Apache-SSL and most other SSL-capable servers have > > the same sort of thing. I know that Wells Fargo, at least, > > requires 128-bit encryption. > > (Yeah, Apache-SSL lets you do that too) > > Uh, but Wells Fargo doesn't. Just the other day I used > Netscape 1.x international (i.e. 8cent RC4) to get my bank balances > from Wells Fargo. Can you transfer money or just check balances? I'm pretty sure that they won't let you perform transactions unless you're using Netscape 2.0 with 128-bit encryption. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From stevenw at best.com Thu Apr 11 05:35:02 1996 From: stevenw at best.com (Steven Weller) Date: Thu, 11 Apr 1996 20:35:02 +0800 Subject: [UTTER NOISE] I am the very model of a modern teenage cyberpunk Message-ID: <v01540b03ad925147a073@[206.86.1.35]> >From the "humor" list. Thought you might enjoy. ------------------------------ Date: Wed, 10 Apr 1996 07:35:36 -0500 From: Randall Woodman <randallw at ADSS.ESY.COM> Subject: Humor: Teenage Cyberpunk I am the Very Model of a Modern Teenage Cyberpunk -author unknown I am the very model of a modern teenage Cyberpunk I rent my own apartment and it's full of electronic junk I own a VAX, a 486, I've even got a PDP I've finished Myst and Doom but I am stumped by Wing Commander III I'm very well aquainted too with matters pornographical I have a list of image sites, both overseas and national So if you want to see a picture of that Anna Nichole Smith I'll fire up my terminal and fetch for you a naughty GIF I'm totally an anarchist, the government I'd like to wreck, Though if they were to get blown up, who'd give to me my welfare cheque? In short if you need answers that concern your electronic junk, I am the very model of a modern teenage Cyberpunk I know the ancient myths about RTM, Pengo and Mitnick I 'hack' into computers and I then perform a credit check I scare all my non-hacker friends with tales of cracker theivery and even though I'm spouting crap they'll listen and believe in me I've learned to spot a troll and I've seen flames about the way I spell, I've traced badly forged cancels and seen napalm poured on AOL I've laughed at all the newbies and their flailing cries of "You all Suck!" I've been flamed by Carasso, with an anvil I have then been struck I've hung around in alt.tasteless and seen war waged on rec.pets.cats I've spent my time in talk.bizarre and used those stupid Relay Chats In short, if you need answers that concern your electronic junk, I am the very model of a modern teenage Cyberpunk Well postings like "MAKE.MONEY.FAST", I am now somewhat wary at, I have been "Global Killfiled" by the Joel Furr Commissariat, When rosebud posts a lengthy rant 'bout Microsoft she swears is true, I know that she is just another short lived kook without a clue When I have learnt what progress has been made upon the Internet, When I know something more than just a smattering of netiquette, In short when I can have a world-wide soapbox on which I can stand I've got no time for other things, like beer and trips to Disneyland My life outside the Internet is very very sad you see I cannot get my spots to fade, my social life's a tragedy, But still if you need answers that concern your electronic junk, I am the very model of a modern teenage Cyberpunk. (With apologies to G&S) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -=} Randall {=- Editor without a clause. ------------------------------ ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From sameer at c2.org Thu Apr 11 05:50:01 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 11 Apr 1996 20:50:01 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <316C919D.1372@netscape.com> Message-ID: <199604110453.VAA07113@atropos.c2.org> > > Can you transfer money or just check balances? I'm pretty sure that > they won't let you perform transactions unless you're using > Netscape 2.0 with 128-bit encryption. I was unaware the Wells Fargo let you transfer money with the web. I only checked my balance. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From tomw at netscape.com Thu Apr 11 05:50:50 1996 From: tomw at netscape.com (Tom Weinstein) Date: Thu, 11 Apr 1996 20:50:50 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <9604101921.AA25061@spirit.aud.alcatel.com> Message-ID: <316C8427.52BF@netscape.com> Daniel R. Oelke wrote: > > If you are the worring sort (or are looking for a ripe target) > point your browser at: > https://www.diginsite.com/clients.html > > There is a list of 23 Credit Unions - some (or all) of which > allow transactions to be done over the net. > > A brief once over shows that it requires Netscape 2.0 or > better so you will have encryption, but it does not warn you > when you are using only a 40-bit session key vs. a 128-bit key. > (Netscape wizards - is there a way that the server can detect > this so that a warning message could be put up?) For Netscape servers, you can configure which ciphers you want to use. I'm sure Apache-SSL and most other SSL-capable servers have the same sort of thing. I know that Wells Fargo, at least, requires 128-bit encryption. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From steve at edmweb.com Thu Apr 11 06:02:33 1996 From: steve at edmweb.com (Steve Reid) Date: Thu, 11 Apr 1996 21:02:33 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <199604100202.TAA16568@toad.com> Message-ID: <Pine.BSF.3.91.960410124929.11278D-100000@kirk.edmweb.com> > I thought that most or all of the cypherpunk anonymous remailers don't > keep records. Not even on backup tapes. The whole idea is that there > aren't logs. But maybe they have found some remailers that are When a person recieves a message from someone using an anonymous remailer, the return address will usually work, depending on the remailer. The return address is for an address on the remailer, and sending to that address, the remailer will forward the message back to the person who owns that anonymous address. The problem with that, of course, is that the remailer has to keep a record of who owns each anonymous account, so that it can direct the replies to the anonymous person. These records could be siezed. Also (not related to the records), if the remailer does not encrypt the replies that it forwards to the anonymous owner, it would be *very* vunlerable to traffic analysis... Just watch for your message leaving the remailer, and see the address of the anonymous person, or the address of the next remailer in the chain. I don't really know much about remailers, but I don't think there's much to know... If I'm mistaken about any of the above, I'm sure someone will correct me. BTW, has anyone out there created an anonymous web forwarder? I'm sure there are a lot of people out there who don't like the idea of having their email address in the log files of dozens of web servers... Creating a simple web forwarder wouldn't be hard. From rah at shipwright.com Thu Apr 11 06:11:50 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 11 Apr 1996 21:11:50 +0800 Subject: PEP Announcement (fwd) Message-ID: <v02120d03ad922e6be3fe@[199.0.65.105]> At 10:17 PM 4/10/96, you wrote: > Thanks for the good review, Bob. You're absolutely right about the > pgp/original message window problem. I wrestled with it through most of >the > development process, and it remains the interface element I'd like to > change most. I ended up choosing the PGP window because I didn't want the > user to be faced with the choice of saving it unencrypted or losing it > forever. I did think, however, that it automatically verified and added > keys on decryption. Are you sure it doesn't? Got me there. I didn't even check for it. Heh. Now I know better... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From dlv at bwalk.dm.com Thu Apr 11 06:18:37 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 11 Apr 1996 21:18:37 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u736N-0008yBC@pacifier.com> Message-ID: <JZX7LD7w165w@bwalk.dm.com> jim bell <jimbell at pacifier.com> writes: > >Be careful writing code - sometimes a byte is -128 to 127 instead of 0 to 25 > >Also, there are machines (mostly old kinky ones) that use bytes of sizes > >other than 8 bits. > > No, Bill, a "byte" has ALWAYS been 8-bits. One of the main reasons > the term "byte" was invented was because the term "word" (as in, "word > length") varied for different computers, especially in the 1960's. (In fact, > many computers of that era used word lengths other than 8, 16, 32, 64 bits, > as surprising as this may sound to the current crop of PC and Mac > afficionados.) This made it inconvenient to talk about memory capacities > unless you were referring to the same machine. The solution was to invent a > new term, "byte," which conviently had about the same size as an ASCII > character and was always 8 bits. I used to hack a CDC Cyber box designed by Seymour Cray before he started his oen company. It had the following curious features: 1 word = 10 _bytes_ = 60 bits 1 _byte_ = 6 bits Out of respect for Jim, I dug up the dox, which say: "On the 6600, the basic bit groupings are 6, 12, 15 and 30 bits". The dox consistently refer to the 6-bit chunks as "characters", never bytes. However I've heard people refer to 6 bits as bytes and to 3 bits (an octal digit) as nybbles. Naturally, the character set had only 64 symbols - no lowercase letters. Both integers and reals were 60 bits. Addresses in the instructions were 15 bits, but that was an address of a 60-bit word. Negative numbers were represented with one's compliment (i.e. -X = NOT X). Hence there were two zeroes: positive and negative. I believe BESM-6 also had 6-bit bytes. I have the dox for it someplace (in Russian) but can't find them offhand. Moral: it's not necessarily redundant to say '8-bit byte'. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From junger at pdj2-ra.F-REMOTE.CWRU.Edu Thu Apr 11 06:28:27 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Thu, 11 Apr 1996 21:28:27 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u736N-0008yBC@pacifier.com> Message-ID: <m0u799t-0004LyC@pdj2-ra.F-REMOTE.CWRU.Edu> jim bell writes: : >At 09:33 PM 4/8/96 -0400, Jack Mott wrote: : . . . . : >Also, there are machines (mostly old kinky ones) that use bytes of sizes : >other than 8 bits. : : No, Bill, a "byte" has ALWAYS been 8-bits. One of the main reasons : the term "byte" was invented was because the term "word" (as in, "word : length") varied for different computers, especially in the 1960's. (In fact, : many computers of that era used word lengths other than 8, 16, 32, 64 bits, : as surprising as this may sound to the current crop of PC and Mac : afficionados.) This made it inconvenient to talk about memory capacities : unless you were referring to the same machine. The solution was to invent a : new term, "byte," which conviently had about the same size as an ASCII : character and was always 8 bits. One trouble with this statement was that an ASCII character only has 7 bits. Another is that when I snuck into the IBM Executive Computer Concepts Course in the mid-sixties, we [a bunch of high-powered executives and me] were told, as I recall, that originally the term byte was used by some to represent 7 bits. IBM took credit for standardizing the term on 8 bits. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From tedwards at Glue.umd.edu Thu Apr 11 06:43:10 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Thu, 11 Apr 1996 21:43:10 +0800 Subject: Money supply is fake anyway Message-ID: <Pine.SUN.3.91.960410202317.1705C-100000@kolo.isr.umd.edu> > Garfinkel described it like this: "My name is Agent > Jenkins. I'm an investigator with the secret service, > working on a counterfeiting case. And it's tough. Last > year, my office got a priority call from an economist at > Stanford. The economist was looking at something called the > money supply and velocity and both were increasing a little > too fast. They just didn't add up. The economist finally > figured an organisation was printing its own electronic > money -- just like the US government does. Banks "invent" money on a daily basis. You would have to counterfeit a great deal of currency (probably more than it out there right not) before you would start making a serious impact on the money supply. That said, enough counterfeit money may change the way people value money, and may cause inflation. -Thomas From cjs at netcom.com Thu Apr 11 06:57:10 1996 From: cjs at netcom.com (Christopher J. Shaulis) Date: Thu, 11 Apr 1996 21:57:10 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v02120d2bad91ecd377cc@[192.0.2.1]> Message-ID: <199604110005.UAA00491@localhost.cjs.net> > At 9:48 4/10/96, Duncan Frissell wrote: > [...] > >We know that governments would like to impose things like the Simple > >Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) > >Protocols. > > There is one thing about the proposed minor flag addition to IP that I > don't understand. [No, I am not surprised by this. Mandatory authorization > to establish a connection and an "Internet Driver License", probably in the > form or a smart card are coming]. > > If my computer creates the IP packet, what is there to prevent me from > modifying the value of the "Minor/Adult" flag at my leisure? In the future, you will have to sign all packets (with a key conveniently available from verisign and noone else). Just kidding. =) Christopher From sameer at c2.org Thu Apr 11 06:59:44 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 11 Apr 1996 21:59:44 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <316C8427.52BF@netscape.com> Message-ID: <199604110445.VAA06906@atropos.c2.org> > For Netscape servers, you can configure which ciphers you want to use. > I'm sure Apache-SSL and most other SSL-capable servers have the same > sort of thing. I know that Wells Fargo, at least, requires 128-bit > encryption. (Yeah, Apache-SSL lets you do that too) Uh, but Wells Fargo doesn't. Just the other day I used Netscape 1.x international (i.e. 8cent RC4) to get my bank balances from Wells Fargo. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From tcmay at got.net Thu Apr 11 07:01:34 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 11 Apr 1996 22:01:34 +0800 Subject: Protocols at the Point of a Gun Message-ID: <ad91aa3306021004ff98@[205.199.118.202]> At 1:48 PM 4/10/96, Duncan Frissell wrote: >Well this is as good a time and place as any to ask the question that >none of the opposition seems to have asked (perhaps because they don't >know enough to ask): How do you force geographically dispersed nodes >on a distributed network to adopt a set of officially mandated protocols? > >But first a reading assignment: "How Anarchy Works--Inside the Internet >Engineering Task Force" from Wired. > >http://www.hotwired.com/wired/3.10/departments/electrosphere/ietf.html I'd also recommend Michael Froomkin's article "The Internet as a Source of Regulatory Arbitrage," available at http://www.law.miami.edu/~froomkin/arbitr.htm It gets into the nature of IETF-type stuff, especially vis-a-vis the difficulty jurisdictions have in enforcing parochial rules. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tomw at netscape.com Thu Apr 11 07:07:33 1996 From: tomw at netscape.com (Tom Weinstein) Date: Thu, 11 Apr 1996 22:07:33 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <199604110453.VAA07113@atropos.c2.org> Message-ID: <316C9890.41C6@netscape.com> sameer at c2.org wrote: > > > Can you transfer money or just check balances? I'm pretty sure that > > they won't let you perform transactions unless you're using > > Netscape 2.0 with 128-bit encryption. > > I was unaware the Wells Fargo let you transfer money with the > web. I only checked my balance. Sorry, I think I was hallucinating or something. You're right, they don't require 128-bit encryption and they only let you query your balance. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From tcmay at got.net Thu Apr 11 07:09:58 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 11 Apr 1996 22:09:58 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena Message-ID: <ad91f0580c0210047ab1@[205.199.118.202]> At 4:23 AM 4/11/96, sameer wrote: > Frankly, I'm getting antsy. Is C2 going to get subpoena'd or >not? I would be very disappointed if we don't. > (Subpeonas envy!) Good one! Just stay calm and try to maintain your sangfreud. --Tim THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From rah at shipwright.com Thu Apr 11 07:42:09 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 11 Apr 1996 22:42:09 +0800 Subject: NPR is talking about smart card purses... Message-ID: <v02120d01ad91dd279fbb@[199.0.65.105]> Chase, Citi, MC and others are offering a stored value card on the west side of Manhattan. They're saying that smart cards are faster than cash. Stick the card in, say yes to the amount. The terminals are wired directly to a bank account, so we're looking at a book entry system, it looks like... The announcer is breathless at the possibilities.... I wonder if this is CAFE, Mondex, or what? anyone know? Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From hal9001 at panix.com Thu Apr 11 07:54:17 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 11 Apr 1996 22:54:17 +0800 Subject: [NOISE] Re: onyma Message-ID: <v02140b00ad91d0732a58@[165.254.158.226]> At 10:04 4/10/96, Alan Bostick wrote: >As an experienced professional in this field, I have learned that where >rules of spelling, grammar, vocabulary come from is *usage*. Words >become accepted parts of the language because people start to use them. >The acceptance of words is recognized by their adoption in to lexicons >and dictionaries, but this is description, not prescription. > >If you want to be linguistically correct and ensure that 'onyma' >prevails over 'nym,' you've got a lot of catching up to do. 'Nym' is >is clearly established by usage on the Cypherpunks list, and I expect >it's only a matter of time before it starts showing up in print media, >if it hasn't already, and get listings in the Jargon File, then >dictionaries, etc. > >You can't fight usage; it is usage that makes the language as she is >spoke what it is. I agree with you and I'll go further and state that the use of "nym" is due to it being the suffix of all the terms that are lumped into it _AND_ is spoken in them as a separate (and last) syllable. Use of ONYM would not be as obvious since the "o" is _part_ of the prior syllable _not_ the prior syllable (also none of the words use ONYMA so that is also not a good term to the general public <g>). This is a case of using the last syllable of a number of terms/words as a generic term for all of them (or the use of that syllable as a generic suffix to other words to create a new term with the connotation of that suffix's meaning [as in using -ism at the end of other words]). From tcmay at got.net Thu Apr 11 07:54:41 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 11 Apr 1996 22:54:41 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailerrecords? Message-ID: <ad91b30d0902100413eb@[205.199.118.202]> At 7:37 PM 4/10/96, Jim Byrd wrote: >The story is weirder than that. The first poster of church secrets (with >lots of commentary) was Dennis Erlich, an ex-scientologist. Dennis was >raided and sued, and is awaiting trial. His ISP, Tom Klemesrud, refused His ISP was Netcom. Klemesrud respresents Netcom. >to find the identity of -AB-. This turned out to be an alumni account at >Cal Tech. The poster has never been heard from again. This was without a doubt just a user of one of Hal Finney's remailers he runs out of an account at Caltech. (There's a tiny chance it was someone else, but it fits the description of Hal's "alumni" remailer exactly, and is almost certainly just that.) This is a Cypherpunk-style remailer, and Hal is one of the original Cypherpunks. The concept of "The poster has never been heard from again" is essentially meaningless, unless he or she or signed the message and established a persistent personna. Sorry to sound picky, but I've just seen several messages all of which copy a long dialog from some Finnish guy named Kaj. Some of the messages then confuse the issues by confusing the types of remailers. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From roger at coelacanth.com Thu Apr 11 07:57:33 1996 From: roger at coelacanth.com (Roger Williams) Date: Thu, 11 Apr 1996 22:57:33 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604100239.AA12152@pig.die.com> Message-ID: <9604102227.AA0401@sturgeon.coelacanth.com> >> At 12:13 AM 4/9/96 -0700, Steve Reid wrote: >> a board-mounted AT&T Orca chip available for around $400. They >> said it could crack a 40-bit key in 5 hours (average)... >> ... Has anyone out there seen one of these? >>>>> "Dave Emery" <die at pig.die.com> pessimised: > [... the tools are too expensive...] > [... and the skills required are too high...] > [... for anyone on cypherpunks...] Come on, Dave, this isn't alt.2600! Most of the subscribers to this list are professionals -- engineers, programmers, mathematicians, lawyers -- not phone phreaks. I'm sure that there are more than a few of us with the knowledge, experience, and free access to the resources needed to handle most relatively small-scale designs like this. (It's like saying that no one on cypherpunks has access to the distributed computing resources necessary to perform other sorts of brute-force cracking -- which is patently ludicrous.) For instance, from where I'm sitting in my *home* office, I can see the full development packages for Xilinx and AT&T FPGAs, Viewlogic VHDL, schematic, and simulation tools, an HP 1660A logic analyser, and a Tek THS 720 500 MHz digital scope. And I doubt if I'm the only one here who does this for a living. The problem isn't resources, but time and motivation -- what sort of situation would it take to get me (for instance), and one of cypherpunk's cryptography wizards, to take the time to collaborate on something like this. (BTW, if you're willing to break the design into a couple of FPGAs, like the Motorola MPA 1000 devices, you can find all the software you need for free...) -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From jsw at netscape.com Thu Apr 11 08:16:08 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 11 Apr 1996 23:16:08 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <9604101921.AA25061@spirit.aud.alcatel.com> Message-ID: <316CADBC.30D1@netscape.com> Tom Weinstein wrote: > For Netscape servers, you can configure which ciphers you want to use. > I'm sure Apache-SSL and most other SSL-capable servers have the same > sort of thing. I know that Wells Fargo, at least, requires 128-bit > encryption. Actually I don't think that Wells Fargo requires 128-bit. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jimbell at pacifier.com Thu Apr 11 08:28:54 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 11 Apr 1996 23:28:54 +0800 Subject: No matter where you go, there they are. Message-ID: <m0u7Ex6-00090pC@pacifier.com> At 02:36 PM 4/10/96 -0700, rick hoselton wrote: >At 10:04 AM 4/10/96 -0400, Peter Wayner wrote: >> >>Hmm. Here's an interesting question. Let's say that there are 3 >>satellites in view broadcasting signals f1(t), f2(t) and f3(t). >>...Okay, so why can't I just tape the signals I get from each of >>the three satellites. > >>Or course, I could be completely missing some neat feature of >>DGPS. ... Any thoughts? > >I have read that GPS uses encryption to place time-dependent, >location-dependent inaccuracies into the signals. Innacuracies >small enough so they are not a problem for civilian navigation, >(mostly) but large enough to prevent GPS from being a useful method >of military targeting for anyone who does not hold the keys. It's called "S/A" (Selective Availability) which is the NWO term for adding errors that "authorized" users can remove. (Not to be confused with A/S, or anti-spoofing) It was originally intended to be turned on in wartime to deny the enemy accurate fixes, but during the Gulf War military GPS receivers were so scarce that the soldiers had to use commercial products, so the S/A actually was turned OFF then! Since then, pressure has been building to turn off S/A, since its usefulness is nearly zero. Even so, the amplitude of S/A errors are only a little larger than natural errors caused by satellite timing errors, atmospheric propagation variations, etc. The result is that DGPS is useful, which is (more or less) a fixed antenna and GPS system which knows where it is, and subtracts where it "seems" to be by GPS every second, and broadcasts the resulting error data on some terrestrial system to receivers locally. The result is errors down to the 1-meter level and even lower. That system compensates for both natural errors and S/A, so the whole purpose of having S/A is negated. Eventually S/A will probably be turned off permanently, but even then we'll want to continue to use DGPS systems. > >Perhaps Ms. Denning is suggesting that the US feral government could >act as a "trusted server" (and she has repeatedly suggested such trust) >and tell us whether a GPS that "thinks" it's at some location, right now, >is REALLY at some known location. Denning's trust for the government is apparently boundless. Jim Bell jimbell at pacifier.com From jamesd at echeque.com Thu Apr 11 08:45:00 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 11 Apr 1996 23:45:00 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604110635.XAA08339@dns2.noc.best.net> At 10:36 PM 4/9/96 -0400, JonWienke at aol.com wrote: > Would anyone like to propose a means of measuring entropy that we can all > agree on? I haven't seen anything yet that everyone likes. Nor will you: To measure entropy is a deep unsolved philosophical and physical problem. Only a known distribution has a well defined entropy. If you do not know what kinds of order might be present in your data, you cannot define the entropy. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From me at muddcs.cs.hmc.edu Thu Apr 11 09:37:24 1996 From: me at muddcs.cs.hmc.edu (Michael Elkins) Date: Fri, 12 Apr 1996 00:37:24 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <199604110647.XAA05823@muddcs.cs.hmc.edu> Steve Reid writes: > When a person recieves a message from someone using an anonymous > remailer, the return address will usually work, depending on the > remailer. The return address is for an address on the remailer, and > sending to that address, the remailer will forward the message back to > the person who owns that anonymous address. > > The problem with that, of course, is that the remailer has to keep a > record of who owns each anonymous account, so that it can direct the > replies to the anonymous person. These records could be siezed. This is a very good reason to use one of the "alpha" pseudonym servers. These remailers in turn use other remailers to return the reply to the owner of the alias (crypted, of course). In this way, the server is operating in double-blind mode. However, the scariest thing about this is that the CoS was able to coerce the gov't in a foreign nation to get access to anon remailers. US remailers have always been suspect for just this reason, and I wait with bated breath to see whether or not the subpoena is issued. But if chaning outside the US won't even work, then the remailers aren't going to do a whole lot of good. > BTW, has anyone out there created an anonymous web forwarder? I'm sure > there are a lot of people out there who don't like the idea of having > their email address in the log files of dozens of web servers... Creating > a simple web forwarder wouldn't be hard. I've heard several people make this statement... Can anyone confirm that it is really possible to log the uid (username) of the person making the http request? I know they can get your ip address, but I'm skeptical of getting the username. me -- Michael Elkins <me at cs.hmc.edu> http://www.cs.hmc.edu/~me PGP key fingerprint = EB B1 68 32 3F B5 54 F9 6C AF 4E 94 5A EB 90 EC From tcmay at got.net Thu Apr 11 09:45:17 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 00:45:17 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <ad91b12508021004a169@[205.199.118.202]> At 8:12 PM 4/10/96, Steve Reid wrote: >> I thought that most or all of the cypherpunk anonymous remailers don't >> keep records. Not even on backup tapes. The whole idea is that there >> aren't logs. But maybe they have found some remailers that are > >When a person recieves a message from someone using an anonymous >remailer, the return address will usually work, depending on the >remailer. The return address is for an address on the remailer, and >sending to that address, the remailer will forward the message back to >the person who owns that anonymous address. Not the standard "Cypherpunks"-style remailers, except with some fairly cumbersome tricks with "reply blocks" and/or message pools. I think you are thinking of Julf's system, of which there is only one instance, his. >I don't really know much about remailers, but I don't think there's much >to know... If I'm mistaken about any of the above, I'm sure someone will >correct me. Glad to oblige. I note also that Jim Byrd and Jim Warren are unclear on some details. (To Jim Byrd, that "alumni account at Cal Tech" that you mentioned was one of the Cypherpunks remailers at Caltech that our own pioneering Hal Finney runs.) Cypherpunks remailers account for something like 29 out of 30 of all the world's remailers, by site count, though not volume. Sophisticated users know that the Cypherpunks model is the only robust one; Julf's approach has an ecological niche, but is highly vulnerable to the very subpoena approach used recently (not "several years ago" as Jim Warren says). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Thu Apr 11 09:49:40 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Fri, 12 Apr 1996 00:49:40 +0800 Subject: On computer face recognition: Message-ID: <199604110601.XAA05984@dns2.noc.best.net> On computer face recognition: >> Shaving probably will not be a problem, but holding your head at a >> slightly different angle... will screw up the system totally, >> unless the system has radically improved since the last time I read >> up on it. At 11:45 AM 4/9/96 -0500, K00l Secrets wrote: > Well, the systems I have seen are quite good at finding people's eyes. > Scaling (for distance), and rotation (for the angle of your head) > therefore don't really confuse the system once it has your eyes. Finding the eyes can only control for rotations in the plane of the image, when you tilt your head to one side. They cannot handle the much more common case of 3D rotations, where you look slightly to the right or slightly to the left of camera. Facial expressions also throw them badly. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jsw at netscape.com Thu Apr 11 09:50:57 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 12 Apr 1996 00:50:57 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <2.2.32.19960410134837.0075cc14@panix.com> Message-ID: <316CABB9.27F1@netscape.com> Duncan Frissell wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > At 02:38 PM 4/9/96 -0400, Perry E. Metzger wrote: > > >The internet and the culture are coming into conflict in a big way, > >and I don't believe that both of them can survive. > > > >Perry > > Well this is as good a time and place as any to ask the question that > none of the opposition seems to have asked (perhaps because they don't > know enough to ask): How do you force geographically dispersed nodes > on a distributed network to adopt a set of officially mandated protocols? > > But first a reading assignment: "How Anarchy Works--Inside the Internet > Engineering Task Force" from Wired. > > http://www.hotwired.com/wired/3.10/departments/electrosphere/ietf.html > > So, now we know that the IETF has been pretty successful as a means > of standards setting. We then have to go on to discuss how The Great > Enemy might undertake to intervene in this process. Given that the IETF has no "official" (whatever that means) sanction, what would prevent any other organization from coming in and trying to take over their turf? I saw an article today (sorry, can't remember where) that suggested a brewing fight between IETF and W3C over future HTTP and HTML standards. If someone stands up and says that the IETF is becoming too slow and overcome by bickering (not my opinion, just a what if), and that their new group is better suited to setting standards, who decides who is right, and based on what criteria? It seems that one aspect of anarchy is that anyone could move in and replace "their anarchy" with the "new anarchy". Just some philosophical pondering late one night... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Thu Apr 11 10:15:29 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 12 Apr 1996 01:15:29 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <9604101921.AA25061@spirit.aud.alcatel.com> Message-ID: <316CACF9.354D@netscape.com> Daniel R. Oelke wrote: > A brief once over shows that it requires Netscape 2.0 or > better so you will have encryption, but it does not warn you > when you are using only a 40-bit session key vs. a 128-bit key. > (Netscape wizards - is there a way that the server can detect > this so that a warning message could be put up?) There is an environment variable called HTTPS_KEYSIZE that is passed to cgi's by the HTTP server. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From declan+ at CMU.EDU Thu Apr 11 10:34:59 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 12 Apr 1996 01:34:59 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <Pine.SUN.3.91.960410225933.2006A-100000@kolo.isr.umd.edu> Message-ID: <ElP83e200YUvQ2hGt5@andrew.cmu.edu> Would anyone be interested in collaborating on a "Know Your Net Enemies" project? We'd start with a resource like Bob Chatelle's excellent web pages at <http://world.std.com/~kip/bcfenatl.html> and with permission build on it and list the deceptions and misrepresentations each Net-Enemy has engaged in -- what each has done to restrict liberty online. We'd include original documents and links as appropriate. Who would be listed? Well, there's the family values groups [AFA/CC/NLC/EE!/FOF/FRC], the green card spammers, Carnegie Mellon University, Marty Rimm, the Church of Scientology, the Simon Wiesenthal Center, the NSA, German state prosecutors, Senator Exon, Dorothy Denning, and so on. If each collaborator takes a particular group or person, this could be done relatively quickly. Then we'd put it online at EFF's web site, with prominent treatment. All contributors would receive full credit for their work, of course. Anyone interested? This would be a great resource. -Declan From jsw at netscape.com Thu Apr 11 10:35:06 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 12 Apr 1996 01:35:06 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604091701.AA29911@rpcp.mit.edu> Message-ID: <316C9EC4.405C@netscape.com> Joseph M. Reagle Jr. wrote: > > At 04:31 PM 4/8/96 -0700, you wrote: > >I agree with Jim at SFNB that the encryption made possible by VeriSign > >server certificates is an integral part of remote banking on the Web. > >However, I would encourage Security First and other banks looking at the Web > >to focus increased attention on client certificates AND to migrate away from > >their dependence on user passwords. > > I brought this up with SFNB a month or so ago (when I opened my > account) and the word then was that client side certificates would be > avaible within a month or so, my time guestimate (based on what they were > saying) was half-a-year. > > >Admittedly, client certificate > >functionality has not yet been available but it will probably be standard by > >mid-1996. > > Let's hope so, I am not keeping significant funds in that account > until I have a certificate. The release of Netscape Navigator that just started early beta, marketing named "Atlas", has support for client certificates. A spec detailing how to interoperate with it, similar to the one I wrote on SSL 2 server certificates, should be available before the final release of the product. > >As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches > >passwords. > > I suspected this, and was further exposed because of a common > problem with using Netscape and the like from student accounts (with a big > 10M quota), say on MIT's athena, where I like my disk cache to reside in the > workstations /tmp . I wipe(d) it whenever I log out, but I'm sure others > sprinkled their passwords in a million "public" cache's before SFNB stuck > the tag no-cache tag in. The statement that "Netscape caches passwords" is not in itself true. It is true that if the no-cache header is not present, AND the site is using forms to enter passwords rather than HTTP auth, then the form post data(including password) will be cached. I've said here before that this bug is being fixed in the next beta of the upcoming release. The default for SSL pages will be not to cache at all. If they used HTTP auth, their passwords would not have gone into the cache. > OBJava: do java applets have access to the cache, would it be possible to > write one of the little nasties that keep an eye on the cache? No, Java does not have access to the cache, or any other file. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From mccoy at communities.com Thu Apr 11 11:32:04 1996 From: mccoy at communities.com (Jim McCoy) Date: Fri, 12 Apr 1996 02:32:04 +0800 Subject: No matter where you go, there they are. Message-ID: <v02140b02ad91db64cd39@[205.162.51.35]> At 8:53 AM 4/10/96, Hal is rumored to have typed: > Peter - didn't they say that the checking station is also listening > to the satellites? That way they can tell that you are playing back > signals that you taped earlier because they won't match what the > satellites are broadcasting right now. There is going to be processing and network delay involved here (unless Denning et al have figured out some way to communicate faster than the speed of light), so drift between the what you report and what the checking station and repeaters are hearing _at that time_ is inevitable. This is the loophole which allows Peter's attack, a loophole which cannot be closed (because the spoofer can always claim to be on a slower link than she really is and there is nothing the verifiyer can do to prove otherwise.) If I want to pretend to be closer to the receiver than my true location I simulate a slow link which gives me enough time to record what the signals would be at the near location and then quickly resend them to give the appearance of the spoofed location. In fact, I think that this really all boils down to trying to use GPS as a non-interactive proof of location, and the information posted about the system does not address the obvious attacks on such systems which are known from research into ZNPs. > If their authenticated repeaters are used then you have to assume the > checking station has all the satellite signals and again the best you can > do is pretend to be a Mole Man. The authenticated repeaters may collect all signals, _but the receiving station does not get them all at once_ because it will take time for the signals to propogate from the repeater back to the station attempting to determine location. Having all of the signals does not help the checking station other than allowing it to share a set of sats with the person attempting to authenticate. It still does not And perhaps more importantly, do you really want anyone you connect to on the net to know your location to the nearest 10 meters? What is Dennings fascination with building Big Brother? jim From perry at piermont.com Thu Apr 11 11:32:16 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 02:32:16 +0800 Subject: Message not deliverable In-Reply-To: <960410164932_268662594@emout10.mail.aol.com> Message-ID: <199604102200.SAA18397@jekyll.piermont.com> JonWienke at aol.com writes: > >Subj: Message not deliverable > >Date: 96-04-10 11:51:09 EDT > >From: Administrator_at_DCACINTS at dca.com (Administrator) > >To: JonWienke at aol.com > > [body text deleted] > > Has anyone else been getting these when they post to cpunks? Yes. > I get one every > time I post. I emailed the administrator at dca.com, a few weeks ago, but > nothing has changed. Anyone got suggestions? 1) Send mail to postmaster. 2) Track down dca.com's administrative or technical contacts from the whois database and call them on the phone. Perry From Clay.Olbon at dynetics.com Thu Apr 11 11:43:30 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Fri, 12 Apr 1996 02:43:30 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <v01540b03ad92aa94874e@[193.239.225.200]> At 11:10 AM 4/9/96, jim bell wrote: >At 07:57 AM 4/9/96 -0500, Mike McNally wrote: >>jamesd at echeque.com wrote: > >>There are supposedly some new techniques that look at the infrared >>signature of your face (like, I guess, distribution & position of >>hot & cold spots), and that's less likely to be fooled by facial >>hair and other superficial disguises. It's probably a fairly simple >>technology, and could be applied to the credit card ID problem. > >I think this is based on looking at your face with near-infrared, not the >medium and far (thermal) infrared. Near infrared is supposed to penetrate >flesh far better, so your blood vessels are visible and form a pattern >which can be recognized. > >Jim Bell >jimbell at pacifier.com Jim, Where did you get your info? Near IR is around 1-1.5 microns, at these wavelengths, the body radiates very little energy. I think most of the systems you are discussing use mid (3-5) or long-wave (8-12) IR, where objects that are room to body temp radiate most of their energy. Clay --------------------------------------------------------------------------- Clay Olbon II | Clay.Olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: finger olbon at mgr.dynetics.com Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 TANSTAAFL - Robert Heinlein, in various works --------------------------------------------------------------------------- From jimbell at pacifier.com Thu Apr 11 11:46:04 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 12 Apr 1996 02:46:04 +0800 Subject: questions about bits and bytes Message-ID: <m0u77OB-0008yfC@pacifier.com> At 12:00 PM 4/10/96 -0700, Rich Graves wrote: >On Wed, 10 Apr 1996, jim bell wrote: > >> >Be careful writing code - sometimes a byte is -128 to 127 instead of 0 >> >to 255. Also, there are machines (mostly old kinky ones) that use >> >bytes of sizes other than 8 bits. >> >> No, Bill, a "byte" has ALWAYS been 8-bits. > >Not that it really matters, but you're wrong; if you're talking about an >asynchronous data stream, a byte is however many bits it takes to express >one character. If you're using ASCII, it's 8; if you're using Baudot, it's >5. If you're talking about data in computers, then I think you're right, a >byte is always 8 bits. >-rich What's the old saying, "Those of you who think you know everything are very irritating to those of us who do." First off, serial binary formats for transmitted data are at least as old as the 1930's, and the term "byte" was coined in the early-middle 70's, as I recall. Therefore it is highly unlikely (and, in fact, wrong) that the term "byte" referred specifically to serial binary streams. In fact, the term "character" is the word used to describe a serial data object composed of bits. The length of that character can vary: As any ham knows (or ought to know!) many early teleprinters used a so-called 5-level (5 bits per character; there were shift characters inserted to multiply the available codes) code called Baudot, while more recent ones used the now-common, 7-bit ASCII code. A typical ASCII asynchronous character is transmitted using a start bit, seven or eight data bits, an optional parity bit, and one or more stop bits (usually 1, today, but it can be 1.5 or 2.) Jim Bell jimbell at pacifier.com From jk at digit.ee Thu Apr 11 12:08:06 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Fri, 12 Apr 1996 03:08:06 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <316C9890.41C6@netscape.com> Message-ID: <Pine.GSO.3.92.960411160334.16119J-100000@happyman> On Wed, 10 Apr 1996, Tom Weinstein wrote: > Sorry, I think I was hallucinating or something. You're right, they > don't require 128-bit encryption and they only let you query your > balance. Are there any banks besides SFNB then that use weak 40-bit encryption for anything more than balance queries or transaction history, and allow to make real transactions on-line? I know Merita in Finland allows bank transactions using 40-bit RC4, but they also use one-time passwords (every user gets a printed list with 40 or so password pairs, each of which you can use just once). Juri Kaljundi jk at digit.ee From jk at digit.ee Thu Apr 11 12:11:36 1996 From: jk at digit.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Fri, 12 Apr 1996 03:11:36 +0800 Subject: RC4 on FPGAs (Was: Bank transactions on Internet) In-Reply-To: <4kh71n$cl3@abraham.cs.berkeley.edu> Message-ID: <Pine.GSO.3.92.960411160924.16119K-100000@happyman> On 10 Apr 1996, Ian Goldberg wrote: > Coincidentaly enough, this is part of my project for my Hardware class. > I'll let you know when I have it working. I'm using Altera FLEX 81188s, > though the 10K models (with built-in RAM) would be _way_ faster... Once someone gets this kind of cracking device ready, I think it would be nice to make the information freely available, or start selling these for nominal price. This would also make an interesting device connected to Internet. In case of fast device people could use it either for free or pay using ecash for using it, and crack their SSL sessions. May be Netscape or Microsoft or someone else (may be even Community Connexion :) lobbying the government for allowing export of strong encryption could sponsor it. It should not be so expencive. Much more useful than amazing fish-cam or coke machine on Internet. Juri Kaljundi jk at digit.ee From perry at piermont.com Thu Apr 11 12:46:39 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 03:46:39 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v02120d2bad91ecd377cc@[192.0.2.1]> Message-ID: <199604111426.KAA20759@jekyll.piermont.com> Lucky Green writes: > There is one thing about the proposed minor flag addition to IP that I > don't understand. [No, I am not surprised by this. Mandatory authorization > to establish a connection and an "Internet Driver License", probably in the > form or a smart card are coming]. > > If my computer creates the IP packet, what is there to prevent me from > modifying the value of the "Minor/Adult" flag at my leisure? Nothing prevents you from doing that, not that there is any place to put such a flag. Moreover, it is highly unclear what the semantics are in general, or how an application would know about them, or what you do in tunnelling such packets, or what it means in a TCP stream if some packets are flagged and some aren't, etc, etc. The whole thing is a crock of shit. (Normally, I wouldn't say that but I'm trying to violate the CDA as often as possible these days.) Its yet another case of idiots who don't know technology pretending that technical people are magicians who can just do anything by waving a wand, and if we say something can't be done it must mean that we are being stubborn or some such. Reminds me of the train disaster section of "Atlas Shrugged". Ah, well. Perry From frissell at panix.com Thu Apr 11 12:51:19 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 12 Apr 1996 03:51:19 +0800 Subject: Protocols at the Point of a Gun Message-ID: <2.2.32.19960411140019.0075bfc8@panix.com> At 11:50 PM 4/10/96 -0700, Jeff Weinstein wrote: > Given that the IETF has no "official" (whatever that means) sanction, >what would prevent any other organization from coming in and trying to >take over their turf? I saw an article today (sorry, can't remember >where) that suggested a brewing fight between IETF and W3C over future >HTTP and HTML standards. If someone stands up and says that the IETF >is becoming too slow and overcome by bickering (not my opinion, just >a what if), and that their new group is better suited to setting standards, >who decides who is right, and based on what criteria? It seems that >one aspect of anarchy is that anyone could move in and replace "their >anarchy" with the "new anarchy". > > Just some philosophical pondering late one night... > > --Jeff Why nothing. Even your employer has done a bit of this protocol "forcing". The actual question though is would a successor organization(s) do anything significantly different. The question is can a *government* order protocols. IBM couldn't (after a while). If the government can't order protocols and protocols are created by (rough) mutual consent, I'll be happy and Dorothy won't be. DCF From trei at process.com Thu Apr 11 13:07:20 1996 From: trei at process.com (Peter Trei) Date: Fri, 12 Apr 1996 04:07:20 +0800 Subject: No matter where you go, there they are. Message-ID: <199604111412.HAA07137@toad.com> Well, we've pretty throughly convinced ourselves that Denning's scheme can be spoofed (I'm convinced, anyway.) It's actually worse than useless - it's a substantial security breach. To spoof being at a location, Mallory needs to know the location he is trying to spoof. With S/A off (as I understand it is now), he need to know the location within a couple meters, in three dimensions. Such precise location data is usually difficult to obtain, without actually visiting the site and recording the location using GPS. Mallory might be able to work out, for example, the location of the desk in the Oval office to that precision by triangulation (though setting up theodolites on Massachusetts Avenue may attract some attention :-) However, I defy him to find the location of a specific PC in NSA headquarters, or in a secured communications facility without actually visiting the desk carrying a GPS receiver (which he won't be allowed to do, unless he's got a damn good reason). However, since the protocol requires that Alice send out location data, once she starts using it she reveals her physical location to Eve, Mallory, and anyone ese who can see the packets. Since the nature of the protocol is that Alice's location does not change frequently (and needs to transmitted via a trusted channel to Bob when it does), after the first usage Mallory *knows* the physical location he is trying to simulate, and can use this information for future spoofing. The upshot of this is that Denning's scheme not only provides no security against spoofing, and leaks potentially sensitive data about locations. If Sadaam Huissain (sp?) had used this scheme during the Gulf War, we'd have been able to send a cruise missile directly to his keyboard. [These flaws in the protocol seem so obvious that I can't help but wonder if we're missing something - Dorothy isn't *that* stupid.] Peter Trei trei at Process.com From sam at inf.enst.fr Thu Apr 11 13:08:00 1996 From: sam at inf.enst.fr (Samuel Tardieu) Date: Fri, 12 Apr 1996 04:08:00 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <199604110647.XAA05823@muddcs.cs.hmc.edu> Message-ID: <qw6wx3mhnja.fsf@gargantua.enst.fr> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Michael" == Michael Elkins <me at muddcs.cs.hmc.edu> writes: Michael> I've heard several people make this statement... Can anyone Michael> confirm that it is really possible to log the uid (username) Michael> of the person making the http request? I know they can get Michael> your ip address, but I'm skeptical of getting the username. There is no general rule, it depends on your system, your system administrator, your browser, .... If you use Unix, there is no way to know who is at the other end of a socket without using either: 1) finger- or rusers-like information, which is only a guess than may easily be defeated; 2) a "identity daemon", which is run on port 113 and may be queried by a host to which a connection is being made. This kind of identity daemon sometimes has an option which makes it look for a file in the user's home directory before answering ; if this file is present, then the user-id won't be disclosed. It is also very time-consuming for a WWW server to make such a TCP connection each time a request is made, it slows down the request a lot. Anyway, the use of a proxy may help you in that the user-id will probably "nobody". You stay anonymous, unless your proxy's manager keeps the logs. The other way to get your identity is... getting cooperation from yourself ! There was a bug in Netscape 2.0 which made it possible to make you send a mail without even realizing it when browsing some pages (using a form with a mailto: action and a piece of JavaScript to submit the form). Other browsers may well send your user-id and/or you real name across the network in a browser-defined header. This must be checked on a browser per browser basis, since each browser is free to add any header it wants. Sam - -- "La cervelle des petits enfants, ca doit avoir comme un petit gout de noisette" Charles Baudelaire -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAgUBMW0Pk4FdzKExeYBpAQGyWAP+LwubZ9+aqzaP7Lq44Lhlztshp0YPslVF yioq8BGlxotMlLEQHdOyVHfjUGnV7U9eUdeT5jWplKmhpEVgYiYlOtHKX8JOLDno X7dhCQG14Q8bQctlS7UQ5EV10sM5CaNN4G+Cx05iSZ8VY+aFScdRlS77EMovMKD4 Y1YC8P41RdY= =l4BE -----END PGP SIGNATURE----- From Q101NOW at st.vse.cz Thu Apr 11 13:14:17 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Fri, 12 Apr 1996 04:14:17 +0800 Subject: Message not deliverable Message-ID: <799D7708F1@st.vse.cz> I've gotten these, too. glenn - From: JonWienke at aol.com - Date sent: Wed, 10 Apr 1996 16:49:33 -0400 - To: cypherpunks at toad.com - Subject: Re: Message not deliverable - >Subj: Message not deliverable - >Date: 96-04-10 11:51:09 EDT - >From: Administrator_at_DCACINTS at dca.com (Administrator) - >To: JonWienke at aol.com - - [body text deleted] - - Has anyone else been getting these when they post to cpunks? I get one every - time I post. I emailed the administrator at dca.com, a few weeks ago, but - nothing has changed. Anyone got suggestions? - - Jonathan Wienke - From froomkin at law.miami.edu Thu Apr 11 13:18:54 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Fri, 12 Apr 1996 04:18:54 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <Pine.BSF.3.91.960410124929.11278D-100000@kirk.edmweb.com> Message-ID: <Pine.SUN.3.91.960411101452.21542C-100000@viper.law.miami.edu> On Wed, 10 Apr 1996, Steve Reid wrote: > > I thought that most or all of the cypherpunk anonymous remailers don't > > keep records. Not even on backup tapes. The whole idea is that there > > aren't logs. But maybe they have found some remailers that are > > When a person recieves a message from someone using an anonymous > remailer, the return address will usually work, depending on the > remailer. The return address is for an address on the remailer, and The above is very confusing and stems, IMHO, from imprecise use of terms. It is important to distinguish between 4 types of remailers: * traceable pseudonymous * untraceable pseudonymous * traceable anonymous * untraceable anonymous The text quoted above is true if it describes a "traceable pseudonymous" remailer, e.g. anon.penet.fi. This is different from, say, a cypherpunks style remailer. For a full, perhaps tedious, explication of all this and other stuff too, see http://www.law.miami.edu/~froomkin/ocean1-7.htm an earlier, much shorter, and slightly dated, treatement of the anonymity issues only can be found at http://www.law.cornell.edu/jol/froomkin.htm [...] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warmish here. From jad at dsddhc.com Thu Apr 11 13:23:31 1996 From: jad at dsddhc.com (John Deters) Date: Fri, 12 Apr 1996 04:23:31 +0800 Subject: Digital Cash Escrow Message-ID: <2.2.32.19960411141740.00334790@labg30> At 08:11 PM 4/10/96 -0700, you wrote: >At 10:14 PM 4/10/96, Bill Stewart wrote: > >>Of course, if you happen to become dead while you're storing it, >>the paper cash is far more useful to your heirs, so I assume we'll have >>a government-sponsored cash-escrow system announced soon to protect >>the government's interest in collection of inheritance taxes... > >Don't give them ideas, Bill! They are known to monitor our list for >insights into what to regulate next, and I can see the 15-watt lightbulbs >going on over their heads as they ponder the wonderful opportunities >presented by "digital cash escrow." Sorry, but I couldn't shut up here. Isn't this list about the free flow of cryptographic information? Let's not be like the government and shut down what we talk about because we don't want certain people to know about the technology. Of course, your posting probably came out with tongue firmly in cheek, but hey, censorship is still censorship (is still shit, thank you CDA.) ObOtherListComplaint (doesn't everyone?): Has anyone suffered ill-effects by having their mail program filter Jim Bell's postings? Perhaps a 10-point-rise in their IQs? "Bytes are ALWAYS 8 bits" indeed. Has this child never been exposed to anything but PCs? Go dig up the manuals for a UNIVAC 1100, Jim. Why do you think the RFCs for IP specifically refer to "octets" as opposed to "bytes"? Because (they explain) "octet" is unambiguous, which then infers a certain ambiguity to "byte", now, doesn't it? -j, I'll go back to lurking now for a while... -- J. Deters >From our _1996_Conflict_of_Interest_Statement_, re: our No Gift policy: "If you receive any alcoholic beverages, for example, a bottle of wine, you must give the gift to your location Human Resources Manager." This memo is from the Senior V.P. of Human Resources. +---------------------------------------------------------+ | NET: jad at dsddhc.com (work) jad at pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) | | PGP Key ID: 768 / 15FFA875 | +---------------------------------------------------------+ From hfinney at shell.portal.com Thu Apr 11 13:44:53 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 12 Apr 1996 04:44:53 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailer records? Message-ID: <199604111440.HAA05561@jobe.shell.portal.com> From: tcmay at got.net (Timothy C. May) > At 7:37 PM 4/10/96, Jim Byrd wrote: > >to find the identity of -AB-. This turned out to be an alumni account at > >Cal Tech. The poster has never been heard from again. > > This was without a doubt just a user of one of Hal Finney's remailers he > runs out of an account at Caltech. (There's a tiny chance it was someone > else, but it fits the description of Hal's "alumni" remailer exactly, and > is almost certainly just that.) Actually, this is not true. The poster, from rumors I have heard, was someone else with a Caltech alumni account (I don't know who). I have never been contacted by any representatives of Scientology with respect to this case. So it is apparently just a coincidence that this case involved the same system as my remailer. Hal From perry at piermont.com Thu Apr 11 14:19:41 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 05:19:41 +0800 Subject: Money supply is fake anyway In-Reply-To: <Pine.SUN.3.91.960410202317.1705C-100000@kolo.isr.umd.edu> Message-ID: <199604111444.KAA20811@jekyll.piermont.com> Thomas Grant Edwards writes: > Banks "invent" money on a daily basis. Really? Since when? .pm From ses at tipper.oit.unc.edu Thu Apr 11 14:33:56 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 12 Apr 1996 05:33:56 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604110005.UAA00491@localhost.cjs.net> Message-ID: <Pine.SOL.3.91.960411081147.6234C-100000@chivalry> On Wed, 10 Apr 1996, Christopher J. Shaulis wrote: > > In the future, you will have to sign all packets (with a key > conveniently available from verisign and noone else). No - the company that will bring it to you: AT&T :) Seriously - putting this sort of stuff at the IP layer is not doable; confidentiality and encryption, at least on a host-to-host basis is sensible (we know a protocol about that, don't we children) Application AND user level authentication doesn't fit so well below the application level. Simon p.s. Am I the only one to find it really wierd that the Unabomber had a pen-pal? Guess they don't last long.. --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From blake at bcdev.com Thu Apr 11 14:51:52 1996 From: blake at bcdev.com (Blake Coverett) Date: Fri, 12 Apr 1996 05:51:52 +0800 Subject: questions about bits and bytes Message-ID: <01BB279B.115D6C50@bcdev.com> > At 06:29 PM 4/10/96 -0700, Simon Spero wrote: > >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. > > I notice you gave no examples. Why is that? > > Jim Bell > jimbell at pacifier.com In a past life I worked on a Honeywell DPS8 box that had 36 bit words and 9 bit bytes. -Blake (recalling the random evil flags that extra bit was used for) From blane at aa.net Thu Apr 11 15:04:51 1996 From: blane at aa.net (Brian C. Lane) Date: Fri, 12 Apr 1996 06:04:51 +0800 Subject: WWW User authentication In-Reply-To: <199604091558.LAA22026@jafar.sware.com> Message-ID: <316c8b7a.17970650@mail.aa.net> On Tue, 9 Apr 1996 11:58:34 -0400 (EDT), you wrote: >AFAIK, none. I don't see how this would be helpful anyway. If you >MD5 the password, I won't be able to snoop the password off the wire, >but I can simply snoop the MD5 hash off the wire instead and since >that's what your authentication check must now be against, what does >this buy you? It could be implemented thus: Server and client have a shared secret. The server sends the time, or some random # to the client which MD5's this number and the secret, and sends the result back to the server which then checks is. Similar to the APOP command for POP3 that I've never seen implemented. Brian ------- <blane at aa.net> -------------------- <http://www.aa.net/~blane> ------- Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From perry at piermont.com Thu Apr 11 15:22:00 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 06:22:00 +0800 Subject: questions about bits and bytes In-Reply-To: <Pine.SOL.3.91.960410182824.5230D-100000@chivalry> Message-ID: <199604111457.KAA20833@jekyll.piermont.com> Simon Spero writes: > No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. That's > why we have the word octet. Indeed, machines have come in all flavors of byte size. Byte size on PDP-6 descended machines, including the PDP-10 and DECSystem-20, was always variable -- byte pointers could extract any length from one bit to 36 bits, and byte size was an attribute of files under several operating systems that ran on that series. I remember that many of the MIT crowd favored 9 bit Extended ASCII, using the so called space-cadet keyboards that set the two high bits when control and meta were hit, and with the area we think of as the control characters being taken up by other symbols. "Byte" only came to mean "Eight Bits" consistantly in the last decade or less. "Octet" is the only really consistant term. Perry From perry at piermont.com Thu Apr 11 15:32:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 06:32:21 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <316CABB9.27F1@netscape.com> Message-ID: <199604111516.LAA20869@jekyll.piermont.com> Jeff Weinstein writes: > Given that the IETF has no "official" (whatever that means) sanction, I have no idea what that means. The IETF exists. Who would sanction it? Why would that sanction matter? > what would prevent any other organization from coming in and trying to > take over their turf? Nothing, except that all the people who "count" in the internet, a.k.a. "The Community", pay attention to us. If we become irrelevant to the community, we will fade away, which is as it should be. > I saw an article today (sorry, can't remember where) that suggested > a brewing fight between IETF and W3C over future HTTP and HTML > standards. I think way too much is made of that. Most of the same suspects attend both meetings from what I can tell, and the IETF isn't really under the illusion that we control HTML. Perry From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Thu Apr 11 15:33:25 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Fri, 12 Apr 1996 06:33:25 +0800 Subject: questions about bits and bytes Message-ID: <9604111803.AA6921@> >No, Bill, a "byte" has ALWAYS been 8-bits. Not so. It appears that the term "byte" originated in the IBM 360, where it is indeed 8 bits. And certainly all present day computers use "byte" to refer to an octet and not to any other size. That has not always been true. The CDC 6000 series used 6-bit characters, though those weren't usually referred to as "byte". On the other hand, on the PDP10 there were "byte instructions" which would operate on an arbitrary piece of the (36-bit) word. On that machine, "bytes" when used to store characters were often 9 bits long. That's where things like "meta" and "alt" started, see the Hacker's Dictionary. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From shamrock at netcom.com Thu Apr 11 15:34:29 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 12 Apr 1996 06:34:29 +0800 Subject: RC4 on FPGAs (Was: Bank transactions on Internet) Message-ID: <v02120d34ad92532c84fb@[192.0.2.1]> At 13:52 4/10/96, Ian Goldberg wrote: >Coincidentaly enough, this is part of my project for my Hardware class. >I'll let you know when I have it working. I'm using Altera FLEX 81188s, >though the 10K models (with built-in RAM) would be _way_ faster... Perhaps someone with access to such a beast would donate one to this very promising student? Seems like a good cause to me. :-) -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From blane at aa.net Thu Apr 11 15:36:17 1996 From: blane at aa.net (Brian C. Lane) Date: Fri, 12 Apr 1996 06:36:17 +0800 Subject: WWW User authentication In-Reply-To: <199604092101.QAA23912@cdale1.midwest.net> Message-ID: <316c8d64.18461422@mail.aa.net> On Tue, 9 Apr 1996 16:12:17 -0600, you wrote: >> I just finished writing a cgi script to allow users to change their login >> passwords via a webpage. I currently have the webpage being authenticated >> with the basic option (uuencoded plaintext). MD5 would be nicer, but how >> many browsers actually support it? > >A straight MD5 probably isn't supported by any of them, but then again >MD5 is not necessarily going to help too much. The sort of people >that need a web page to change their password aren't likely to >use overly complex passwords (mixed-case, scrambled-in numbers, >et al.) So if a snoop can get the MD5, her chances of getting a password >aren't all that bad. Hey! I'm not a total dunce! <G> The cgi I wrote (ok, ok, hacked) includes cracklib support. It won't let people enter simple passwords. >Your best bet is to try to implement it via SSL, but as I understand >it that limits you on your server options quite a bit. Netscape and >Apache have it, as I understand; I think that's about it actually. >But that's far from my areas of expertise. Yep, that's about it. And they want you to pay for using it in a commercial venture (which my system will be eventually), and I can't justify (or afford) the expense. Brian ------- <blane at aa.net> -------------------- <http://www.aa.net/~blane> ------- Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From trei at process.com Thu Apr 11 15:59:05 1996 From: trei at process.com (Peter Trei) Date: Fri, 12 Apr 1996 06:59:05 +0800 Subject: GPS-based authentication Message-ID: <199604111525.IAA09240@toad.com> Ms Denning, Mr. MacDoran I've read with interest your proposed GPS-based authentication mechanism (it was posted to the cypherpunks mailing list). Can you confirm that you wrote this? Some people on the list think it may be a forgery. The participants of the list have noted some apparent vulnerabilities in the system, and I am curious as to how you address them. If you respond to me and give permission, I'll forward your response to the list. The problems are two-fold: 1. The system is easily spoofed. 2. It leaks sensitive location data. You say: " The signature ... is formed from bandwidth compressed raw observations of all the GPS satellites in view." " The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA)." Could you substantiate this claim? Is there any reason a spoofer could not do the following? 1. Set up a receiver near (within a 1000 miles or so) of the site he is trying to spoof (he needs to be able to see roughly the same satellites as the spoofed site). 2. Extract from the signal he receives the psudo-random sequence sent from each satellite. 3. Buffer the sequence from each satellite for a brief period (the extreme case is 42 msec, the time it takes light to travel the diameter of the earth). 4. Re-assemble the aggregate signal with the appropriate delays for the location he is trying to spoof. These delays can be pre-computed. 5. Modulate a simulated 17 cm carrier appropriately to produce a synthesized signal, identical to that received at the location to be spoofed, and use that to fake his location. I note that there is commercially available test equipment to simulate GPS satellites, which transmit a signal appropriate for any location you dial into them (btw, setting one of these up near a location using your protocol leads to an interesting denial-of-service attack, since you can overwhelm the satellite signal with a false one giving a bogus location). Even if the spoofer has to extract sequence data from the real satellites, the storage requirement is not onerous, since he already knows just how long he has to delay each satellite's signal, and need buffer only the appropriate chunk for each satellite. While this *does* result in a slight delay while the sequence data for each satellite is gathered, the extreme case is 42 ms. Internet transmission delays on the order of 100 ms are common, so your system will have to accept location data which is this old. The computational load neccesary to spoof the signal is not excessive - it's essentially the reverse of that used to extract location data from the aggregate signal, a process which is not a one-way function. Thus, the signal can be spoofed. Second, your system broadcasts potentially sensitive location data. Your protocol will be a gold mine for the traffic analysts The data can be used for later spoofing attacks, or, in an operational situation, to target munitions. While encrypting the link can protect this data, if you can use encryption, you can also use digital signatures for authentication. Finally, GPS receivers don't work too well in steel-framed buildings. There are substantial shielding and multipath problems ( for your system to work, the antenna needs to be near the originating node, not on the roof). You do not appear to address these problems. Peter Trei trei at process.com -------------------------------------------------------- I append the original article, as it appeared on the list on April 10th. -------------------------------------------------------- Location-based System Delivers User Authentication Breakthrough By Dorothy E. Denning and Peter F. MacDoran Copyright(c), 1996 - Computer Security Institute - All Rights Reserved Top - Help Existing user authentication mechanisms are based on information the user knows (e.g., password or PIN), possession of a device (e.g, access token or crypto- card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception or brute force search. Devices can be stolen. Biometrics can be vulnerable to interception and replay. A new approach to authentication utilizes space geodetic methods to form a time- dependent location signature that is virtually impossible to forge. The signature is used to determine the location (latitude, longitude and height) of a user attempting to access a system, and to reject access if the site is not approved for that user. With location-based controls, a hacker in Russia would be unableto log into a funds transfer system in the United States while pretending to come from a bank in Argentina. Location-based authentication can be used to control access to sensitive systems, transactions or information. It would be a strong deterrent to many potential intruders, who now hide behind the anonymity afforded by their remote locations and fraudulent use of conventional authentication methods. If the fraudulent actors were required to reveal their location in order to gain access, their anonymity would be significantly eroded and their chances of getting caught would increase. Authentication through geodetic location has other benefits. It can be continuous, thereby protecting against channel hijacking. It can be transparent to the user. Unlike most other types of authentication information, a user's location can serve as a common authenticator for all systems the user accesses. These features make location-based authentication a good technique to use in conjunction with single log-on. Another benefit is there is no secret information to protect either at the host or user end. If a user's authentication device is stolen, use of the device will not compromise the system but only reveal the thief's location. A further benefit of geodetic-derived location signatures is that they provide a mechanism for implementing an electronic notary function. The notary could attach a location signature to a document as proof that the document existed at a particular location and instant in time. The use of geographic location can supplement or complement other methods of authentication, which are still useful when users at the same site have separate accounts and privileges. Its added value is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, telephone switching, air traffic control, and banking, this extra assurance could be extremely important in order to avoid a potential catastrophe with reverberations far beyond the individual system cracked. How it works International Series Research (Boulder, CO) has developed a technology for achieving location-based authentication. Called CyberLocator, the technology makes use of the microwave signals transmitted by the twenty-four satellite constellation of the Global Positioning System (GPS). Because the signals are everywhere unique and constantly changing with the orbital motion of the satellites, they can be used to create a location signature that is unique to a particular place and time. The signature, which is computed by a special GPS sensor connected to a small antenna, is formed from bandwidth compressed raw observations of all the GPS satellites in view. As currently implemented, the location signature changes every five milliseconds. However, there are options to create a new signature every few microseconds. When attempting to gain access to a host server, the remote client is challenged to supply its current location signature. The signature is then configured into packets and transferred to the host. The host, which is also equipped with a GPS sensor, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters to centimeters, if required). For two-way authentication, the reverse process would be performed. In the current implementation, location signatures are 20,000 bytes. For continuous authentication, an additional 20 bytes per second are transferred. Re- authorization can be performed every few seconds or longer. The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA) security policy. Further, because a signature is invalid after five milliseconds, the attacker cannot spoof the location by replaying an intercepted signature, particularly when it is bound to the message (e.g., through a checksum or digital signature). Continuous authentication provides further protection against such attacks. Conventional (code correlating and differential) GPS receivers are not suitable for location authentication because they compute latitude, longitude and height directly from the GPS signals. Thus, anyone can report an arbitrary set of coordinates and there is no way of knowing if the coordinates were actually calculated by a GPS receiver at that location. A hacker could intercept the coordinates transmitted by a legitimate user and then replay those coordinates in order to gain entry. Typical code correlating receivers, available to civilian users, are also limited to 100 meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy by employing differential GPS techniques at the host, which has access to its own GPS signals as well as those of the client. DGPS methods attenuate the satellite orbit errors and cancel SA dithering effects. Where it works Location-based authentication is ideal for protecting fixed sites. If a company operates separate facilities, it could be used to restrict access or sensitive transactions to clients located at those sites. For example, a small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each facility and connected by cable to a location signature sensor within the building. The sensor, which would be connected to the site's local area network, would authenticate the location of all users attempting to enter the protected network. Whenever a user ventured outside the network, the sensor would supply the site's location signature. Alternatively, rather than using a single sensor, each user could be given a separate device, programmed to provide a unique signature for that user. Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections. All that would be needed is a reasonably unobstructed view of the sky at the employee's home or remote office. Related application environments include home banking, remote medical diagnosis and remote process control. Although it is desirable for an antenna to be positioned with full view of the sky, this is not always necessary. If the location and environment are known in advance, then the antenna can be placed on a window with only a limited view of the sky. The environment would be taken into account when the signals are processed at the host. For remote authentication to succeed, the client and host must be within 2,000 to 3,000 kilometers of each other so that their GPS sensors pick up signals from some of the same satellites. By utilizing a few regionally deployed location signature sensors (LSS), this reach can be extended to a global basis. For example, suppose that a bank in Munich needs to conduct a transaction with a bank in New York and that a London-based LSS provides a bridge into Europe. Upon receiving the location signatures from London and Munich, the New York bank can verify the location of the Munich bank relative to the London LSS and the London LSS relative to its own location in New York. The technology is also applicable to mobile computing. In many situations, it would be possible to know the general vicinity where an employee is expected to be present and to use that information as a basis for authentication. Even if the location cannot be known in advance, the mere fact that remote users make their locations available will substantially enhance their authenticity. In his new book, The Road Ahead, Bill Gates predicts that wallet PCs, networked to the information highway, will have built-in GPS receivers as navigational assistants. With the CyberLocator technology, these PC receivers can also perform authentication while being a factor of ten less expensive than conventional code correlating receivers (most of the processing is executed in the host rather than the remote units), which only achieve 100 meter accuracy, and a factor of a hundred less expensive than conventional DGPS receivers. Location-based authentication is a powerful new tool that can provide a new dimension of network security never before possible. The CyberLocator technology is currently operational in a portable demonstration. Dorothy E. Denning is professor of computer science at Georgetown University (Washington, D.C.) and consultant to ISR. She can be reached at 202-687-5703 or denning at cs.georgetown.edu. Peter F. MacDoran is president and CEO of International Series Research, Inc. (Boulder, CO). He can be reached at 303-447- 0300 or pmacdorn at isrinc.com. $0$AD Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From hfinney at shell.portal.com Thu Apr 11 16:12:39 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 12 Apr 1996 07:12:39 +0800 Subject: No matter where you go, there they are. Message-ID: <199604111437.HAA05376@jobe.shell.portal.com> I think the various comments are correct that Denning's scheme won't work across the Internet as it currently exists. Any network with latencies in the multiple milliseconds and up will allow the fraud where the remote node lies about its latency in order to allow it to move some of the received data "forward in time", which is necessary but would not be possible if latency were known and fixed. Note however that Denning did not mention the Internet in her spiel. I believe her method would be workable across lower latency networks, if such exist or eventually exist. Perhaps direct connections or leased lines would provide low enough latency; I don't know. In any case networks are likely to become faster in the future and her method might eventually work. Actually the issue is not just latency but whether the latency can be lied about, and for some kinds of networks that would be harder. The method of using authenticated devices which provide timestamped data from satellites not visible to the authenticating site does not need to provide that data in real time. Even if it is delayed so it comes in later than the data from the remote site, the verifying site can still use it to calculate what the remote site should have been seeing, and so get the benefit of using timings from all the satellites visible to the remote site (again, assuming the remote site itself has a low latency connection to the authenticating site). They do mention that in urban or other obstructed locations a partial view of the sky may be adequate. But of course if all the satellites visible to the remote site are in the south, it can move its apparently location north by using older data. So for the system to work there must be satellites visible in all parts of the sky (no line you can draw through your location which puts all satellites on one side of that line). Hal From trei at process.com Thu Apr 11 16:21:39 1996 From: trei at process.com (Peter Trei) Date: Fri, 12 Apr 1996 07:21:39 +0800 Subject: No matter where you go, there they are. Message-ID: <199604101956.MAA09258@toad.com> > > Peter - didn't they say that the checking station is also listening > to the satellites? That way they can tell that you are playing back > signals that you taped earlier because they won't match what the > satellites are broadcasting right now. > > I think your idea would work if you wanted to pretend to be at a point > which was _farther_ from each of the satellites than where you actually > are. Then you could delay all of the signals. But the only way to > be farther would be to be deep underground. You might be able to pretend > to be at the center of the earth, but that is not very useful. > > Actually I suppose this only applies to those satellites which are shared > between you and the checkin station. If you are far away then maybe you > only share one or two. If you know which ones those are, you can lie to > your heart's content about other ones, and for the shared ones you can > again delay the signal and claim to be farther than you are. > > If their authenticated repeaters are used then you have to assume the > checking station has all the satellite signals and again the best you can > do is pretend to be a Mole Man. > > Hal Denning hasn't thought this through. Do the math. The diameter of the earth is 12,576 km The speed of light is about 3e5 km/sec -> max phase shift to simulate = 42 msec. This is on roughly the same scale as network delays, or less. If you are trying to simulate a location in roughly the same area as your actual location (say, on the same continent), the max phase shift to simulate is a lot smaller - probably less than 5 ms. The site checking the incoming packets for their origin has to allow for realistic network delays - say 100 -200 ms. Therefore any site that can see the same set of satellites as the site it is trying to simulate can do so, buffering less than 50 ms of waveforms and pretending to be on the end of a slow link. Denning's plan: A beautiful idea murdered by cold, unfeeling facts. Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From llurch at networking.stanford.edu Thu Apr 11 16:22:58 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 12 Apr 1996 07:22:58 +0800 Subject: liibulletin - Announcement of New Related Services (fwd) Message-ID: <Pine.ULT.3.92.960411093629.20668B-100000@Networking.Stanford.EDU> I have no joke. I just like saying, "barratry.law.cornell.edu." Oh, and the full-text availability of recent net.relevant decisions (numero dos) should be useful to somebody. So how do I get to be the Unabomber's pen pal? Hmm, what jail was he in again? I wonder if they'll accept packages for him with excessive postage. -rich and now, back to bilingual 9-bit-punks ---------- Forwarded message ---------- Date: Thu, 11 Apr 1996 12:13:36 -0400 From: "Peter W. Martin" <martin at LII.law.Cornell.EDU> To: Multiple recipients of list <liibulletin at listserv.law.cornell.edu> Subject: liibulletin - Announcement of New Related Services [...] The announcement: ================================================================ April 11, 1996 Two New Services from Cornell's Legal Information Institute I. Landmark Supreme Court Decisions Cornell's Legal Information Institute is pleased to announce the addition of important "new" decisions to its Supreme Court collection. Under a license, recently concluded with InfoSynthesis, publishers of the USSC+ CD-ROM, the LII will be placing a steadily growing number of historic decisions on its WWW server. The first of these historic decisions are now in place, including: Brown v. Board of Education (I and II), New York Times v. Sullivan, The "Pentagon Papers" case, and Bakke. These join an existing collection of important decisions dealing with privacy, the First Amendment, administrative law, patents, and copyright. All decisions in this collection carry links to current U.S. Court of Appeals decisions in which they are cited (using the LII's full-text index of Court of Appeals decisions on the Net) and to other related documents in the LII collection (e.g., statutes, topical summaries, the Constitution). The "new" cases are accessible from the base address for Supreme Court materials http://www.law.cornell.edu/supct/ or directly at http://www.law.cornell.edu/supct/cases/historic.htm Additions will follow on a regular basis. II. LII's Eye on the Courts Joining the current awareness services already offered by Cornell's LII -- BigEar (http://barratry.law.cornell.edu:5123/notify/buzz.html), liibulletin and liibulletin-ny (see http://www.law.cornell.edu/focus/bulletins.html) -- is a new WWW page providing links to newsworthy decisions handed down by any of the many appellate courts now covered on the Net, along with relevant background, when available. LII's Eye on the Courts can be found at http://www.law.cornell.edu/focus/liieye.htm ================================================================ From jeffb at sware.com Thu Apr 11 16:37:55 1996 From: jeffb at sware.com (Jeff Barber) Date: Fri, 12 Apr 1996 07:37:55 +0800 Subject: questions about bits and bytes [NOISE] In-Reply-To: <9604110950.ZM8850@glacius.alias.com> Message-ID: <199604111452.KAA24457@jafar.sware.com> Richard Martin writes: > On Apr 10, 6:57pm, jim bell wrote: > > At 06:29 PM 4/10/96 -0700, Simon Spero wrote: > > >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. > > I notice you gave no examples. Why is that? > Perhaps he thought that most people who were interested could go look > it up themselves. > > - From a really quick web search, we find that the SGI Impact jams 9-bit > bytes [that's what it says] across the Rambus internally. I'm not sure > if the memory itself is 9-bit. [I told myself I was going to stay out of this, but Jim Bell's dogmatic stance irks me... ] Here's a citation from "Portability of C Programs and the Unix System" by S.C. Johnson and D.M. Ritchie (yes, that Richie) in the Bell System Technical Journal volume 57, Number 6, July-August 1978. "A representation of characters (bytes) must be provided with at least 8 bits per byte. ... Most programs make no explicit use of this fact, but the I/O system uses it heavily. (This tends to rule out one plausible representation of characters on the DEC PDP-10, which is able to access 5 7-bit characters in a 36-bit word with one bit left over. Fortunately, that machine can access four 9-bit characters equally well.) ..." The clear implication is that "byte" means the number of bits used or needed to represent a single character. -- Jeff From declan+ at CMU.EDU Thu Apr 11 16:48:03 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 12 Apr 1996 07:48:03 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <ad928bf30d021004097c@[205.199.118.202]> Message-ID: <olPI84q00YUuIE=vI9@andrew.cmu.edu> Excerpts from cypherpunks: 11-Apr-96 Re: Know Your Net.Enemies P.. by Timothy C. May at got.net > Sort of like Nixon's Enemies List? > > Have we become the enemy? Tim, I thought that the "Enemies List" name would be seen as a deliberate takeoff of Nixon's Enemies List, and what I thought would be a humorous working title for the project until a permanent one was found. You may remember, BTW, that I don't have the power of the FBI to command. But since I was unclear and since the joke was ill-taken, I apologize. To be clear: I envision this as opposition research. In the context of the CDA, it was very useful to know what the family values groups were saying -- their arguments and their strategies. A central collection point for such research is a useful thing. Suggestions for a working title, anyone? -Declan From perry at piermont.com Thu Apr 11 16:58:35 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 12 Apr 1996 07:58:35 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604111714.NAA02244@universe.digex.net> Message-ID: <199604111740.NAA21264@jekyll.piermont.com> Scott Brickner writes: > Anyway, you computer creates the IP packet, but then sends it to your > ISP's router. That router *always* makes changes to the packet header > because it must decrement the time-to-live field and recompute the > header checksum. There is a trivial trick for making the decrement TTL/change checksum operation very fast, based on noting how a decrement would change the checksum. Most very high speed routers attempt to avoid doing ANY processing of the packets at all beyond this, and IPv6 has no header checksum partially in order to reduce this overhead further. Forcing routers to do more work is a Very Very Bad Idea. Perry From llurch at networking.stanford.edu Thu Apr 11 17:38:14 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 12 Apr 1996 08:38:14 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <olPI84q00YUuIE=vI9@andrew.cmu.edu> Message-ID: <Pine.ULT.3.92.960411114044.21820A-100000@Networking.Stanford.EDU> On Thu, 11 Apr 1996, Declan B. McCullagh wrote: > Excerpts from cypherpunks: 11-Apr-96 Re: Know Your Net.Enemies P.. by > Timothy C. May at got.net > > Sort of like Nixon's Enemies List? Don't we already have a list of anti-crypto cypherpunks? That should definitely be added. I'll write the FUCKING STATIST section. > > Have we become the enemy? > > Tim, I thought that the "Enemies List" name would be seen as a > deliberate takeoff of Nixon's Enemies List, and what I thought would be > a humorous working title for the project until a permanent one was > found. You may remember, BTW, that I don't have the power of the FBI to > command. > > But since I was unclear and since the joke was ill-taken, I apologize. Cool. In retrospect, I understand that much of what you've been saying in the last couple months was intended ironically. At least you didn't say something really over-the-top like "fuck you and your high horse too." Someone might have taken offense. > To be clear: I envision this as opposition research. In the context of > the CDA, it was very useful to know what the family values groups were > saying -- their arguments and their strategies. A central collection > point for such research is a useful thing. I disagree. Anything that bundles together Canter & Siegel, the Family Research Council, the Church of Scientology, and overzealous prosecutors in Mannheim and Cincinatti is bound to be so all-encompassing and vague as to be meaningless. It's like discussing "the Internet Party." Be sure to talk about Usenet censorship at NIU, those censor-happy homosexuals at Harvard, those Stanford speech code prosecutions, the involvement of the Wiesenthal Center in the Zundelmatter, the theft of conservative newspapers at Stanford and elsewhere, the censorship of, in the News & Observer's words, an "unconventional view of the Holocaust" at UMAss Amherst, the censorship of soc.history.war.world-war-ii, the elusive Eric Carr, those violent threats against David Irving at Berkeley, the coverup of the number of bits in a byte, and other urban legends. Nonspecialist idealogues are dangerous. They tend to be sloppy with the facts. Look at Noam Chomsky; he's an embarrassment to any serious researcher on US interventionism in Latin America. -rich From tcmay at got.net Thu Apr 11 18:17:22 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 09:17:22 +0800 Subject: Protocols at the Point of a Gun Message-ID: <ad91be950b021004c99c@[205.199.118.202]> As required by the CDA (Competency Disclosure Act) my Ignorance bit is set to "1" for this speculation. At 11:03 PM 4/10/96, Lucky Green wrote: >If my computer creates the IP packet, what is there to prevent me from >modifying the value of the "Minor/Adult" flag at my leisure? Are the "minor/adult" settings (and Christian/Atheist, Southern Baptist/Reformed Baptist, Creationist/Evolutionist, etc. bits) even be proposed to be set at the IP packet level? I'd've thought it would be at the message level, such as this message or a posting to Usenet. (Granted, many messages are presumably the same as IP messages. But I'd assume that the setting would be within the message, so that any forwarder of the packet would not be likely to tamper with internal message settings....) If we assume IP packet creators are altering ratings system settings, they could just as easily be inserting CDA-violating language or images. Which they could, unless messages were encrypted, signed, whatever. (I'm not supporting mandatory ratings. Indeed, I oppose them.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From agent at l0pht.com Thu Apr 11 18:29:25 1996 From: agent at l0pht.com (Rogue Agent) Date: Fri, 12 Apr 1996 09:29:25 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <199604112008.QAA25509@l0pht.com> Timothy C. May (tcmay at got.net) wrote: |At 8:12 PM 4/10/96, Steve Reid wrote: [...] |>I don't really know much about remailers, but I don't think there's much |>to know... If I'm mistaken about any of the above, I'm sure someone will |>correct me. | |Glad to oblige. I note also that Jim Byrd and Jim Warren are unclear on |some details. (To Jim Byrd, that "alumni account at Cal Tech" that you |mentioned was one of the Cypherpunks remailers at Caltech that our own |pioneering Hal Finney runs.) Incorrect. The account was tc at alumni.caltech.edu, which is not the same as Hal's remailer at hal at alumni.caltech.edu. Just an odd coincidence they were on the same machine. There's a whole saga about how CoS tracked the guy down, it's quite a story. Rather than go into it here and leave things out or confuse them further, check out http://www.cybercom.net/~rnewman/scientology/anon/penet.html for a clear, concise explanation of the whole bizarre affair. Check out Ron's "CoS vs the Net" page while you're at it, at http://www.cybercom.net/~rnewman/scientology/home.html. |Cypherpunks remailers account for something like 29 out of 30 of all the |world's remailers, by site count, though not volume. Sophisticated users |know that the Cypherpunks model is the only robust one; Julf's approach |has an ecological niche, but is highly vulnerable to the very subpoena |approach used recently (not "several years ago" as Jim Warren says). It's also suceptible to hacker attack, as happened a few years ago. "Information wants to be free" is not a political statement, it's a fact of nature. One property of information is that it tends to spread. If you don't want the information to spread, don't store it. RA agent at l0pht.com (Rogue Agent/SoD!/TOS/attb) - pgp key on request ---------------------------------------------------------------- The NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one. From sameer at c2.org Thu Apr 11 18:32:36 1996 From: sameer at c2.org (sameer at c2.org) Date: Fri, 12 Apr 1996 09:32:36 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <316CACF9.354D@netscape.com> Message-ID: <199604111804.LAA04824@atropos.c2.org> > There is an environment variable called HTTPS_KEYSIZE that > is passed to cgi's by the HTTP server. HTTPS_SECRETKEYSIZE is the one you need to watch. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From abc at gateway.com Thu Apr 11 19:00:59 1996 From: abc at gateway.com (Alan B. Clegg) Date: Fri, 12 Apr 1996 10:00:59 +0800 Subject: machine moved, mailing lists intact. Message-ID: <Pine.BSI.3.91.960411134631.364D-100000@black-ice.gateway.com> Update: cypherpunks-d, bsdi-users(-d), unix-lizards. The system running the mailing lists has now been physically moved from one place to another (phew, didn't drop it!), and all seems to be OK. A couple of DNS changes still remain to be made, but things seem to be working pretty well. I will be moving a couple of things around and updating some systems OS soon, so we're not all done yet... Please let me know if you see any additional oddities. Just for the record: ISDN really IS cool. I just can't wait to get that other B channel running.. yowza.. 128k to the house! -abc \ Alan B. Clegg Just because I can \ Network Technologist does not mean I will. \ gateway.com, inc. \ <http://www.gateway.com/> From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Thu Apr 11 20:36:17 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Fri, 12 Apr 1996 11:36:17 +0800 Subject: No matter where you go, there they are. Message-ID: <9604112026.AA8065@> >From: hfinney @ shell.portal.com (Hal) @ UGATE >Peter - didn't they say that the checking station is also listening >to the satellites? That way they can tell that you are playing back >signals that you taped earlier because they won't match what the >satellites are broadcasting right now. > >I think your idea would work if you wanted to pretend to be at a point >which was _farther_ from each of the satellites than where you actually >are. Then you could delay all of the signals. But the only way to >be farther would be to be deep underground. You might be able to pretend >to be at the center of the earth, but that is not very useful. No, the situation is better than that. Here's how GPS works (loosely): you have four unknowns (not three): x, y, z, and the current time. You have signals from four satellites reporting their x, y, z, t. Using suitable math you construct four equations in four unknowns, and presto, you get your four answers. Why is time one of the unknowns? Because your receiver only has a rough idea of what time it is. Remember that a microsecond offset amounts to a 300 meter (1000 foot) displacement. So a side effect of GPS position measurement is accurate time measurement. (Some GPS receivers turn this around, and make delivering accurate time their primary task. They get accurate position as a side effect.) Suppose I want to pretend that I am 1000 feet closer to satellite 4 than I really am. Simple, I take the signals from all the other satellites and delay them by 1 microsecond. That looks like a 1 microsecond local timebase error together with a 1 microsecond delay reduction to satellite 4. Yes, the checking station in this purported scheme would also listen to the satellites. That doesn't help at all. It could detect that I replayed a signal from a minute ago (unless I substitute the correct time codes, which wouldn't be hard since they are predictable). But there is no need to do that and indeed it's probably easier not to. In the description of the article, the "signature" [sic] is sent to the checker over some sort of comm link, which has a latency likely to be several milliseconds or more, plus jitter of many microseconds. If I'm a healthy distance away from the target (say, 20 miles) that means I have to introduce an offset of at most 100 microseconds. If I do that in real time -- which is no big deal -- then the checker basically has to be capable of detecting 100 microsecond delays in the authentication data it is getting. And if I'm willing to be closer to the lion's den -- say, a block or two away -- then I only need at most a one microsecond delay. Incidentally, differential GPS is not an issue (re Peter's question). GPS relies on knowing accurately the position and time at each satellite and the speed of light in between. DGPS lets you correct for errors in these. The idea is simple: if you're close to a "reference station", then the errors are essentially the same for both. The reference station is at a precisely known place, so it can look at where the satellites claim it is, and deduce from that how much error there is on the signal from each satellite. It tells you, and you subtract out those errors. So while DGPS lets you get better accuracy, it doesn't interfere with your ability to fool the CyberLocator scheme. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From jimbell at pacifier.com Thu Apr 11 20:58:03 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 12 Apr 1996 11:58:03 +0800 Subject: Digital Cash Escrow Message-ID: <m0u7VIU-0008zAC@pacifier.com> At 09:17 AM 4/11/96 -0500, John Deters wrote: Go dig up the manuals for a >UNIVAC 1100, Jim. Why do you think the RFCs for IP specifically refer to >"octets" as opposed to "bytes"? Because (they explain) "octet" is >unambiguous, which then infers a certain ambiguity to "byte", now, doesn't it? Wasn't the original development of the Internet done in the middle 1960's? And thus, does its development pre-date the coinage of the term, "byte"? If that's true, doesn't this answer your question? The terminology used for the definition of a standard often tends to be frozen in time. Lacking the term "byte" they used "octet." The subsequent invention of the term "byte" would not have displaced the original term, at least in Internet standards. From lzirko at isdn.net Thu Apr 11 21:34:17 1996 From: lzirko at isdn.net (Lou Zirko) Date: Fri, 12 Apr 1996 12:34:17 +0800 Subject: Bank information protected by 40-bit encryption.... Message-ID: <199604111747.MAA04181@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit With this thread and a prior one about what makes up a challenge worthwile, I could not resist forwarding this to the list. Sorry to those that this might offend or be in violation of local NOISE ordinances. Ah, what the fuck. - -------- clipped from some other mail --------- Subject: Network Engineering Technologies Announces $10,000 Firewall Challenge Excerpt from: -(BUSINESS WIRE) via Individual Inc. [04-08-96 at 15:41 EDT, Business Wire] [snip] The Challenge To claim the $10,000 in NET's Firewall Challenge, individuals must first register with NET, then use a computer to break into NET's secure transaction server and retrieve information stored there about paper currency totaling $10,000, namely: (1) the number of notes, (2) the denomination of each note and (3) the serial number of each note. The first person to supply the correct information to NET between 12:01 a.m. May 1 and 12:01 a.m. May 31 will win the $10,000. In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner. Participants must be individuals over 18 years of age, not companies, and must also agree to surrender to NET all relevant information about the methods they used to break through the firewall. Further details on the Network Engineering Technologies' $10,000 Firewall Challenge available on the World-Wide Web at http://thefirewall.com or by writing NET at 1714 Ringwood Ave., San Jose, CA 95131. [snip] Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye PGP Fingerprint = 96 F2 E2 32 90 4B 8C 2A D1 0B 2A 51 3A 3B D8 6F Public Key available on bal keyserver at MIT -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMW1Fod9BId/c612VAQHKWQP/eKwW1FnuFCTWiZTvOL7r/5VFwLXyrxYF B9pQnk5LjdjX/2rQZN1h1I9/1iMwkwhCrk5/vZeeqG0DNmmFwDbtrHkVTTo3Cvb5 vXh6PVlmcJjln8S8Tv4XAURDsneImm9lY5O0XX8jS+vov7MP5Wp4hpbdfxe1xuZr IlCiBVVoamE= =Phel -----END PGP SIGNATURE----- From tcmay at got.net Thu Apr 11 21:36:59 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 12:36:59 +0800 Subject: Digital Cash Escrow Message-ID: <ad92e5ef110210042db1@[205.199.118.202]> At 8:27 PM 4/11/96, Vladimir Z. Nuri wrote: >give me a break!!! the future government attempts to squelch, >suppress, restrict, prohibit, regulate, tax, spindle, and >mutilate Digital Cash will make Clipper look as significant and >threatening as a christmas tree ornament. Larry, are you just _now_ realizing these implications? A few years ago you were fairly dismissive of these effects, arguing mainly that "electrocrisy" (electronic democracy?) would be the main effect, or at least the program that Cypherpunks should push. ... >as I wrote in an earlier essay, the possibilities of combining >digital cash with stock market company shares suggest a radical >new economy that would have the potential to topple a lot of >very powerful existing interests, in the way that printing presses >once toppled the Church. > >to borrow a bit of Chinese black humor, "we live in interesting times". >we will be living in even more interesting times shortly. Sure. I wrote essays along these lines as early as 1987, with the ideas apparent to me even earlier. (Cf., for example, "The Crypto Anarchist Manifesto," 1987.) Glad you are finally tuned in to our channel. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Q101NOW at st.vse.cz Thu Apr 11 21:44:39 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Fri, 12 Apr 1996 12:44:39 +0800 Subject: No matter where you go, there they are. Message-ID: <36B62659B@st.vse.cz> - It's called "S/A" (Selective Availability) which is the NWO term for adding - errors that "authorized" users can remove. (Not to be confused with A/S, or - anti-spoofing) It was originally intended to be turned on in wartime to - deny the enemy accurate fixes, but during the Gulf War military GPS - receivers were so scarce that the soldiers had to use commercial products, - so the S/A actually was turned OFF then! - - Since then, pressure has been building to turn off S/A, since its usefulness - is nearly zero. Even so, the amplitude of S/A errors are only a little - larger than natural errors caused by satellite timing errors, atmospheric - propagation variations, etc. The result is that DGPS is useful, which is - (more or less) a fixed antenna and GPS system which knows where it is, and - subtracts where it "seems" to be by GPS every second, and broadcasts the - resulting error data on some terrestrial system to receivers locally. The - result is errors down to the 1-meter level and even lower. That system - compensates for both natural errors and S/A, so the whole purpose of having - S/A is negated. Eventually S/A will probably be turned off permanently, but - even then we'll want to continue to use DGPS systems. Close, but not quite: S/A is an ADJUSTABLE variable, not on/off. it can reduce accuracy to 10 meters or 100 meters or whatever. It's a DoD term, not NWO term. The "this is where you really are" percision location (forgot the designation off hand) is ENCRYPTED (yes, there is crypto revelance here...) in the data stream from the satellites. The difference S/A makes is on the order of magnitude, therefore not "useless." It should be pointed out that different regions of the earth can have different degrees of accuracy based on the S/A system. I doubt S/A will ever be turned off, but this is my opinion. I know Jim's opinion. Discussion of this point is pointless. DGPS transmission are made from a multiple single points, which (to the best of my knowledge) are not networked. glenn From JC6452 at FS2HOST.CCCCD.EDU Thu Apr 11 21:47:24 1996 From: JC6452 at FS2HOST.CCCCD.EDU (James Childers) Date: Fri, 12 Apr 1996 12:47:24 +0800 Subject: info Message-ID: <96Apr11.191350cdt.8844@cricket.ccccd.edu> send info From mianigand at [205.164.13.10] Thu Apr 11 21:58:10 1996 From: mianigand at [205.164.13.10] (Michael C. Peponis) Date: Fri, 12 Apr 1996 12:58:10 +0800 Subject: I have seen the enemy, and it is us (was Know Your Net.Enemies) Message-ID: <199604111831.OAA17305@Fe3.rust.net> On 10 Apr 96 ,Declan B. McCullagh wrote: > Would anyone be interested in collaborating on a "Know Your Net Enemies" > project? > > We'd start with a resource like Bob Chatelle's excellent web pages at > <http://world.std.com/~kip/bcfenatl.html> and with permission build on > it and list the deceptions and misrepresentations each Net-Enemy has > engaged in -- what each has done to restrict liberty online. We'd > include original documents and links as appropriate. > > Who would be listed? Well, there's the family values groups > [AFA/CC/NLC/EE!/FOF/FRC], the green card spammers, Carnegie Mellon > University, Marty Rimm, the Church of Scientology, the Simon Wiesenthal > Center, the NSA, German state prosecutors, Senator Exon, Dorothy > Denning, and so on. > Anyone interested? This would be a great resource. Sure, it's worth a shot, but what is the ultimate goal??? I have noticed that there has been alot of noise about who is doing what, but instead of whining and crying, what are we going to do about it???? Cryptology lets people put an envelope on their communications, which is a significant achievment. Digital signatures allow for authentication, another acheivement, but what else could be coded? Sure, it is technicaly possible to set up net sites whos physical location could not be determined without alot of effort, but at that point, the war has already been lost, that practice is just minimizing the extent of the loss. Seems all the end result is just rialing up everybody, and repeting ad nausum how stupid these people are, like we didn't know that before. These are not technical problems, they can not be coded out of existance. The problem is with people, and must be delt with at that level. Legislation and debate will not do a damm thing, we have our views, others have thiers, and the two will never meet. Personally, I don't even respect the family groups, national security types, etc, thus I really do not care about thier concerns or feelings, nor do they care for mine. At some point and time, people are going to decide for themselves what is their freedom worth. Are they willing to give up all the benifits of a parential govement taking care of them so that they can be truely free. I would say no, even most people here are all for freedom, as long as it does not cost them anything. They are all for freedom as long as they don't have to live in fear for their life because absolute freedom means that everybody can do whatever they want, and some people have no problem blowing you away for the stupidest reasons. Such is human nature, alot of people are not very nice, sorry, that is the way it is. The other one was "We need a stable enviorment to continue generating captital so we can afford to by new toys" Again, we have a choice, give up our freedom for the toys, or give up the toys to be free. As has been said many times before FREEDOM ISN'T FREE. Regards, Michael C. Peponis Public Key Avalible Via Key Servers, or Finger From tcmay at got.net Thu Apr 11 22:03:07 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 13:03:07 +0800 Subject: Know Your Net.Enemies Project Message-ID: <ad9291d00f0210046a1c@[205.199.118.202]> At 5:31 PM 4/11/96, Declan B. McCullagh wrote: >Excerpts from cypherpunks: 11-Apr-96 Re: Know Your Net.Enemies P.. by >Timothy C. May at got.net >> Sort of like Nixon's Enemies List? >> >> Have we become the enemy? > >Tim, I thought that the "Enemies List" name would be seen as a >deliberate takeoff of Nixon's Enemies List, and what I thought would be >a humorous working title for the project until a permanent one was >found. You may remember, BTW, that I don't have the power of the FBI to >command. > >But since I was unclear and since the joke was ill-taken, I apologize. No apology needed. I just think it's a destructive, negative idea, one that I think could cast the Cypherpunks as a bunch of small-minded people. Maybe it comes from living in sunny California, with its fruits, nuts, and odd people, but I would really prefer to concentrate on positive ideas (which I view crypto anarchy as being, by the way) than on compiling lists of enemies. It also seems odd that you recently characterized Dorothy Denning as a "sweet old lady" but now propose a special page for her on the Enemies List. I have no brief for her positions, and have opposed her positions over the years, but I have no interest in formally demonizing her. (I confess to _once_ having characterized her as "the Wicked Witch of the East," but this was during the furor over the Clipper Chip, and I have since scrupulously avoided personalizing the attack. And it was meant at that time as a joke, obviously. I even got on well at last year's CFP with Stewart Baker, former chief counsel of the NSA and still heavily-linked to spooks, but I disagree _strongly_ with his views about encryption policy. Still, I would not dream for an instant of helping to compile an Enemies List with Stewart Baker on it!) >To be clear: I envision this as opposition research. In the context of >the CDA, it was very useful to know what the family values groups were >saying -- their arguments and their strategies. A central collection >point for such research is a useful thing. > >Suggestions for a working title, anyone? I think David Friedman had a pretty good point a while back on the Cyberia list: that compilation of such viewpoints could help opposition lawyers prepare their cases. Speaking for myself, I have seen Kathy Cleaver _several_ times on various interview shows, so I know her positions on most CDA-related things. You undoubtedly know her likely positions even better. I submit that only a handful of Cypherpunks know more than the two of us about Cleaver's position, for example (I include myself because I have CNN on during ordinary working hours, or NPR, and so I get a chance most people don't have to see her, Arianna Huffington, Ralph Reed, and suchlike, being interviewed or giving their views.) A research page having detailed links to their positions _might_ be useful to those who will be facing them in court or in debates. You might ask Godwin, Barlow, etc. if this would be useful. But this is quite a different thing from an "Enemies List," which I rather doubt would be useful per se to Barlow, Godwin, and other civil liberties activists. Maybe my viewpoint comes from just wanting to wash my hands of "those easterners" in the Beltway-New York corridor. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From timd at consensus.com Thu Apr 11 22:08:06 1996 From: timd at consensus.com (Tim Dierks) Date: Fri, 12 Apr 1996 13:08:06 +0800 Subject: No matter where you go, there they are. Message-ID: <v02140b02ad93486a7a04@[205.149.165.24]> At 4:22 PM 4/10/96, Peter Trei wrote: >> >> Peter - didn't they say that the checking station is also listening >> to the satellites? That way they can tell that you are playing back >> signals that you taped earlier because they won't match what the >> satellites are broadcasting right now. >> >> I think your idea would work if you wanted to pretend to be at a point >> which was _farther_ from each of the satellites than where you actually >> are. Then you could delay all of the signals. But the only way to >> be farther would be to be deep underground. You might be able to pretend >> to be at the center of the earth, but that is not very useful. >> >> Actually I suppose this only applies to those satellites which are shared >> between you and the checkin station. If you are far away then maybe you >> only share one or two. If you know which ones those are, you can lie to >> your heart's content about other ones, and for the shared ones you can >> again delay the signal and claim to be farther than you are. >> >> If their authenticated repeaters are used then you have to assume the >> checking station has all the satellite signals and again the best you can >> do is pretend to be a Mole Man. >> >> Hal > >Denning hasn't thought this through. Do the math. While we may disagree with Ms. Denning on a number of political matters, she's quite intelligent; I suspect the paper is well-founded. >The diameter of the earth is 12,576 km >The speed of light is about 3e5 km/sec GPS receivers are line-of-sight only; only a small portion of the earth can see the same satellites. > [...] >Therefore any site that can see the same set of satellites as the site it is >trying to simulate can do so, buffering less than 50 ms of waveforms and >pretending to be on the end of a slow link. GPS works by measuring the differing distances to a number of satellites. Thus, a crucial factor of GPS reception is not just the signals from satellites, but the different times at which these signals were received. It might be possible to seperately record the signals from several different satellites, delay them each just the right amount of time, and then recombine them to simulate being at another nearby location (within several hundred miles). However, this might not be possible. Examine the following quote from Denning's paper: :The location signature is virtually impossible to forge at the :required accuracy. This is because the GPS observations at any given time :are essentially unpredictable to high precision due to subtle satellite :orbit perturbations, which are unknowable in real-time, and intentional :signal instabilities (dithering) imposed by the U.S. Department of Defense :selective availability (SA) security policy. It's possible that the orbit perturbations may be enough to screw up an attempt to forge a signal; the variations in signal timings won't provide enough information to an attacker to be able to accurately replicate what the signal would look like at another location. It remains to be seen whether it is reliably possible for the secure host, at its location, to distinguish between an accurate signature and an inaccurate but plausible forged signature. Selective Availability doesn't really seem to matter that much, especially since it's going to be phased out. (There was an announcement on this last week, but I can't find a reference right now). - Tim Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From alanh at mailhost.infi.net Thu Apr 11 22:57:36 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Fri, 12 Apr 1996 13:57:36 +0800 Subject: On computer face recognition: In-Reply-To: <199604110601.XAA05984@dns2.noc.best.net> Message-ID: <Pine.SV4.3.91.960411144737.17506D-100000@larry.infi.net> How do _people_ recognize faces? From m1tca00 at FRB.GOV Thu Apr 11 23:03:14 1996 From: m1tca00 at FRB.GOV (Thomas C. Allard) Date: Fri, 12 Apr 1996 14:03:14 +0800 Subject: questions about bits and bytes In-Reply-To: <9604111803.AA6921@> Message-ID: <9604111736.AA18301@bksmp2.FRB.GOV> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: <https://lists.cpunks.org/pipermail/cypherpunks-legacy/attachments/19960412/c57491c3/attachment.bin> From llurch at networking.stanford.edu Thu Apr 11 23:07:54 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 12 Apr 1996 14:07:54 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <ad9291d00f0210046a1c@[205.199.118.202]> Message-ID: <Pine.ULT.3.92.960411174357.24598D-100000@Networking.Stanford.EDU> On Thu, 11 Apr 1996, Timothy C. May wrote: [Nothing I disagree with -- DAMN!] > > No apology needed. I just think it's a destructive, negative idea, one that > I think could cast the Cypherpunks as a bunch of small-minded people. Are you seriously trying to suggest that we're not? :-) > A research page having detailed links to their positions _might_ be useful > to those who will be facing them in court or in debates. You might ask > Godwin, Barlow, etc. if this would be useful. > > But this is quite a different thing from an "Enemies List," which I rather > doubt would be useful per se to Barlow, Godwin, and other civil liberties > activists. I concur. Lists of links sans unnecessary editorial commentary would be useful; counter-propaganda is distasteful and counterproductive. I hate to bring up those damn Nazis *yet again*, but hey, this is as an example, not for their own sake. Compare the following approaches to "bad ideas." http://www.wiesenthal.com/watch/index.html Does not provide any links. Just says "look out, they're out there." IMO ineffective, begging too many questions. http://www.web.apc.org/~ara/ "Let's make the 'bad guys' look good by comparison!" http://www.almanac.bc.ca/other-sites/ Lists of links with minimal editorial comments. Pretty good IMO. http://www.almanac.bc.ca/cgi-bin/ftp.pl Voluminous primary documents, with no editorial comments. Excellent. http://www.vir.com/Shalom/hatred.html Has the effect of glorifying the opposition. A very popular site among the Nazis. Sheesh. -rich From tcmay at got.net Fri Apr 12 00:18:06 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 15:18:06 +0800 Subject: Protocols at the Point of a Gun Message-ID: <ad928e240e0210048d4c@[205.199.118.202]> At 6:50 AM 4/11/96, Jeff Weinstein wrote: > Given that the IETF has no "official" (whatever that means) sanction, >what would prevent any other organization from coming in and trying to >take over their turf? I saw an article today (sorry, can't remember >where) that suggested a brewing fight between IETF and W3C over future >HTTP and HTML standards. If someone stands up and says that the IETF >is becoming too slow and overcome by bickering (not my opinion, just >a what if), and that their new group is better suited to setting standards, >who decides who is right, and based on what criteria? It seems that >one aspect of anarchy is that anyone could move in and replace "their >anarchy" with the "new anarchy". > > Just some philosophical pondering late one night... This is indeed an interesting philosophical question. Many have studied the emergence of order in anarchic or chaotic systems: F. Hayek, R. Dawkins, E.O. Wilson, W. Bartley, David Friedman, and many others. Standards or modes have generally evolved without enforcement from a central authority. Economies and markets are a good example (but perhaps too loaded with baggage about politics, so I won't use markets as my example here). Language is the most obvious example of this evolution without central authority. And everything in your paragraph above has an equivalent in language. For example: "It seems that one aspect of [the words we use] is that anyone could move in and [introduce new words and others might start using them]." Indeed, languages and cultures change. Sometimes slowly, and sometimes quickly (a la punctuated equilibrium). But it is not necessarily an easy thing to have such changes adopted. Inertia, other cultural/memetic forces, and other factors give certain advantages to the status quo, with changes percolating in. Sometimes changes happen rapidly, in an almost phase shift-like way. The introduction of Mosaic (and now Netscape) followed this pattern. Note that no offical standards body dictated the form (quibblers may cite HTML standards, but this is beside the point...), and it spread like wildfire, either filling newly-created ecological niches or largely displacing existing products (like gopher, archie, veronica, anonymous ftp, etc.). A good place to read about some of this is Kevin Kelly's "Out of Control," where the title suggests the theme, that central control mechanisms are dead. This applies to economies, cultural memes, evolution, and so on. And of the aforementioned authors, Hayek's "Law, Legislation, and Liberty" is a good source. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From adam at lighthouse.homeport.org Fri Apr 12 00:26:01 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 12 Apr 1996 15:26:01 +0800 Subject: [reputationpunks] Article on Moody's In-Reply-To: <Pine.3.89.9604091832.A19718-0100000@tesla.cc.uottawa.ca> Message-ID: <199604120346.WAA05808@homeport.org> s1113645 at tesla.cc.uottawa.ca wrote: | This week's Economist has a nice tidbit on bond rating agencies and | antitrust on page 80. A comment on firms that trade mostly on their reps. | Is an unsolicited rating by a for-profit agency an act of free speach | or an act of defamation? It seems that Moody has gotten greedy, and is asking for money for unsolicited services, with a carefully worded non-threat. To my mind, unsolicited work is just that. Its something many of us do from time to time, with no expectation of being paid. Usually we don't spend months on a project that won't be satisfying without a contract. To do work and then bill for it without a handshake strikes me as bogus. I wouldn't do it myself, and I have no respect for Moody's, who seems to be doing it. I trust Morningstar more because they bill me for the information they give me. They have no relationship with the evaluated. A much better model. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From adam at lighthouse.homeport.org Fri Apr 12 00:39:24 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 12 Apr 1996 15:39:24 +0800 Subject: security auditing class (fwd) Message-ID: <199604111833.NAA03453@homeport.org> Wow. Looks like fun. ----- Forwarded message from Dan ----- >From firewalls-owner at GreatCircle.COM Thu Apr 11 06:54:33 1996 Message-Id: <199604102045.NAA29570 at flying.fish.com> X-Authentication-Warning: flying.fish.com: Host zen at localhost didn't use HELO protocol To: firewalls at GreatCircle.COM Subject: security auditing class reply-to: /dev/null at flying.fish.com Date: Wed, 10 Apr 96 13:45:46 -0700 From: Dan <zen at flying.fish.com> Sender: firewalls-owner at GreatCircle.COM Precedence: bulk Announcement of Free Class on Internet Security Auditing and Risk Assessment *** Sponsored by Sun *** TIME & LOCATION Tuesday, April 30th, 1996 ***** This class will be given *one* time; it will *not* be repeated ***** The class will last all day - 8 or more hours [Exact building/location TBA, but will be in Mountain View, CA, USA INSTRUCTORS Dan Farmer Wietse Venema Sun Microsystems Eindhoven University of Technology GENERAL OVERVIEW *** WARNING *** *** This class will be aimed at experienced system administrators or *** *** security auditing professionals. 8 hours of class in one day is not *** *** for the faint of heart! However, there are no requirements or *** *** prerequisites needed to attend. *** *** *** Wietse and I are going to give a class on security auditing. In something like 8 hours, we are going to try and cover everything we know (or at least the highlights) on how to do an Internet security audit. Neither of us have any formal auditing training, but we feel that with our combined experience (we are the authors of the TCP wrappers, COPS, and SATAN, among other tools and papers) that we have a fair amount to say about the subject. If the class goes well, we plan on giving another talk in the summer, probably in europe next time, on securing your Unix system. CLASS TOPICS (selected, not exhaustive) Definition and purpose of security auditing Software and hardware tools used Our general philosophy about auditing Tiger teams Types of auditing/systems What to examine/ignore "Perfect" vs. incomplete data Micro vs. macro auditing Auditing large networks Passive vs. active data collection Interpretation of data collection Auditing the security policy *Our* auditing and security standards Scoring methods Overall data analysis System design analysis The report REGISTRATION NOTES & INFORMATION We don't know how many people will show up; we will try to accomodate everyone, but with finite space, we might have to limit the class size. It will be filled in a more-or-less first come, first serve basis. We will be placing some notes on the web; registered participants will be notified of where to find them. To register, you must send a *physical* letter with your name and e-mail address to my wonderful Sun administrator: Diana Behjou 2550 Garcia Avenue, MS PAL01-550 Mountain View, CA 94043-1100 USA And request a position in the Internet Security Auditing and Risk Assessment class. You will receive an e-mail reply to confirm your registration. Again, there is no charge, but *please* don't register unless you are certain that you'll be there, because others will suffer if the class fills up. E-mail will probably be ignored, unless I know you, and then I'll be pissed off that you asked me to add you to the list instead of sending a stupid letter, and you'll owe me a bottle of fine port or something. There is no ulterior motive to this, other than the fact that wietse and I are trying to write a book, and we're using this as a motivational tool. Enjoy. ----- End of forwarded message from Dan ----- -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Fri Apr 12 02:01:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 12 Apr 1996 17:01:35 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604111939.MAA14767@toad.com> >At 9:48 4/10/96, Duncan Frissell wrote: >[...] >>We know that governments would like to impose things like the Simple >>Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) >>Protocols. There was a recent discussion on a radio talk show that the IRS is now requiring some large class of taxpayers who submit estimated taxes to do so electronically. The host and callers weren't sure of any of the details (such as exactly who's covered and whether you can deduct the computer you had to buy to submit your taxes electronically :-) but obviously they read Duncan's phrase about Simple Tax Transfer Protocol and decided to implement it real fast.... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 03:16:32 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 12 Apr 1996 18:16:32 +0800 Subject: Possible problems caused by Brown death? Message-ID: <01I3EZYEN04G8Y4ZSN@mbcl.rutgers.edu> Given that Commerce is the main force within the administration pushing for freeing up the escrow rules, the below article is of interest. -Allen > WASHINGTON (Apr 8, 1996 10:48 a.m. EDT) -- When Ron Brown died in a > plane crash, American capitalism lost its staunchest ally in the > Clinton administration. Now business executives wonder who will > champion their cause the next time commercial interests clash with > other priorities. [...] > With the Cold War over, Brown believed the United States no longer > should sacrifice economic interests to other foreign policy goals and > he used his close friendship with Clinton to push a business agenda > inside the administration. [...] > He succeeded in battles with the Defense Department in loosening Cold > War-era export controls that American companies had long complained > severely limited their ability to sell high-technology products such > as computers and telecommunications equipment. > Copyright © 1996 Nando.net From sjb at universe.digex.net Fri Apr 12 03:22:35 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Fri, 12 Apr 1996 18:22:35 +0800 Subject: questions about bits and bytes In-Reply-To: <JZX7LD7w165w@bwalk.dm.com> Message-ID: <199604111722.NAA02646@universe.digex.net> Dr. Dimitri Vulis writes: >I used to hack a CDC Cyber box designed by Seymour Cray before he started his >oen company. It had the following curious features: > >1 word = 10 _bytes_ = 60 bits >1 _byte_ = 6 bits . . . >I believe BESM-6 also had 6-bit bytes. I have the dox for it someplace >(in Russian) but can't find them offhand. > >Moral: it's not necessarily redundant to say '8-bit byte'. Which is precisely the reason the IETF always refers to "bytes" as "octets". "Octet" is defined to be eight bits, regardless of local word sizes. From steve at edmweb.com Fri Apr 12 03:43:30 1996 From: steve at edmweb.com (Steve Reid) Date: Fri, 12 Apr 1996 18:43:30 +0800 Subject: Message not deliverable In-Reply-To: <960410164932_268662594@emout10.mail.aol.com> Message-ID: <Pine.BSF.3.91.960411123135.13200A-100000@kirk.edmweb.com> > >Subj: Message not deliverable > >Date: 96-04-10 11:51:09 EDT > >From: Administrator_at_DCACINTS at dca.com (Administrator) > [body text deleted] > Has anyone else been getting these when they post to cpunks? I get one every Yep, I've been getting 'em. There's one in my inbox right now. :( > time I post. I emailed the administrator at dca.com, a few weeks ago, but > nothing has changed. Anyone got suggestions? I dunno.... Maybe it's some weird mail system at dca.com... Looking at the full header of the "not deliverable" message I got, it looks like smtphost.dca.com is using SMTPLINK V2.11 PreRelease 4. I've never heard of that program, but I would guess (stab in the dark) that that PreRelease version sees the To:cypherpunks at toad.com and can't find any user named "cypherpunks" on their system, and so it bounces. That's just a stab in the dark, though... I don't know anything about that mailer beyond the fact that it's bouncing these messages around. Sig file decloaking... ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | Alternate email: sreid at edmbbs.iceonline.com sreid at sea-to-sky.net | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | --- DISCLAIMER: JMHO, YMMV, IANAL. --- | ===================================================================== From um at c2.org Fri Apr 12 04:51:35 1996 From: um at c2.org (Ulf Moeller) Date: Fri, 12 Apr 1996 19:51:35 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <autopost.829264955.3442@ulf.mali.sub.org> Message-ID: <m0u7Wp8-0000ABC@ulf.mali.sub.org> tcmay at got.net (Timothy C. May) writes: >some details. (To Jim Byrd, that "alumni account at Cal Tech" that you >mentioned was one of the Cypherpunks remailers at Caltech that our own >pioneering Hal Finney runs.) From: noring at netcom.com (Jon Noring) Subject: [X-Post, Caltech OFFICIALLY Speaks] -AB-,penet, and Caltech ******************************************************* In article <3smmv3$ard at gap.cco.caltech.edu> rich at cco.caltech.edu (Richard E. Fagen) writes: On Wednesday afternoon, February 8th, three private investigators visited the Caltech Security Office and the Campus Computing Organization. The P.I.s wanted to know the identity of the holder of the account "tc" on the Caltech Alumni Association computer system (alumni.caltech.edu). They claimed to have gotten the account name from the anon.penet.fi server via the Helsinki police. Due to the unusual nature of this request, the P.I.s were told that Caltech would need more information before this type of information could be given out. Later that day, an attorney representing the Church of Scientology called the campus computing support office demanding the name of the account holder. The attorney claimed that a document had been stolen from a CoS computer system, and that the document had been posted to the a.r.s newsgroup from alumni.caltech.edu via the anon remailer. (The claim was the document was created on Jan. 21 and appeared in a.r.s. on Jan. 24). The computing support staff did not divulge the name of the account holder, and the CoS attorney was referred to the Caltech General Counsel's office. The Computer Crime Unit of the Bunco-Forgery Division of the LAPD subsequently contacted Caltech security and asked for more information on the case. The LAPD wanted to know if a breakin to the CoS computer had occurred from the alumni system. Caltech told the LAPD that no evidence of such a break in could be found. The LAPD requested and was given the name of the "tc" account holder with the understanding that this information would not be divulged. A couple days after that Caltech was informed that the LAPD could find no evidence that a crime had been committed. In the ensuing several days, the attorney and P.I.s representing CoS made repeated attempts (both via phone and by physically appearing on the Caltech and JPL campuses) to obtain the contents of the tc account and also the tape backups (the account holder had admitted to deleting most of the contents of the account). The CoS attorney produced a letter allegedly signed by the tc account holder allowing CoS permission to get the data stored on that account and the backups. Due to irregularities with both the letter and a phone conversation with the account holder, permission for CoS to have access to the data in the account was denied by Caltech. After the CoS attorney and P.I.s continued their attempts to get the data, Caltech retained the counsel of an independent law firm. Soon after that, all communication with the CoS ended. One phone call from the tc account holder requesting the backup data was received by the computing support staff. This request was also denied. That was the last communication with the account holder. Our analysis is that Caltech was caught in the middle of what appears to be an internal matter between the Church of Scientology and one of its members, who also happened to be an account holder on the Caltech alumni computer. No evidence that a Caltech computer was used to break into another computer, or was used to store stolen documents could ever be found. I hope this serves to shine a little light on this chain of events. Rich Fagen Director, Campus Computing Organization Caltech ****************** end of cross-post ******************** -- OmniMedia | The Electronic Bookstore. Come in and browse! Two 9671 S. 1600 West St. | locations: ftp.netcom.com /pub/Om/OmniMedia/books South Jordan, UT 84095 | and ftp.awa.com /pub/softlock/pc/products/OmniMedia 801-253-4037 | E-book publishing service follows NWU recommendations. From stewarts at ix.netcom.com Fri Apr 12 05:26:52 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 12 Apr 1996 20:26:52 +0800 Subject: Digital Cash Escrow Message-ID: <199604111801.LAA12556@toad.com> At 08:11 PM 4/10/96 -0700, Tim May wrote: >At 10:14 PM 4/10/96, Bill Stewart wrote: > >>Of course, if you happen to become dead while you're storing it, >>the paper cash is far more useful to your heirs, so I assume we'll have >>a government-sponsored cash-escrow system announced soon to protect >>the government's interest in collection of inheritance taxes... > >Don't give them ideas, Bill! They are known to monitor our list for >insights into what to regulate next, and I can see the 15-watt lightbulbs >going on over their heads as they ponder the wonderful opportunities >presented by "digital cash escrow." You're one to talk, Tim :-) A couple years back you joked about a "Position Escrow System", and now Dorothy's proposing the technology to actually implement it! # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From jimbell at pacifier.com Fri Apr 12 05:41:41 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 12 Apr 1996 20:41:41 +0800 Subject: GPS-based authentication Message-ID: <m0u7bv8-0008ykC@pacifier.com> At 11:33 AM 4/11/96 -6, Peter Trei wrote: >I've read with interest your proposed GPS-based authentication >mechanism (it was posted to the cypherpunks mailing list). Can you >confirm that you wrote this? Some people on the list think it may be >a forgery. [deleted] >You say: >" The signature ... is formed from bandwidth compressed raw >observations of all the GPS satellites in view." > >" The location signature is virtually impossible to forge at the required >accuracy. This is because the GPS observations at any given time are >essentially unpredictable to high precision due to subtle satellite orbit >perturbations, which are unknowable in real-time, and intentional >signal instabilities (dithering) imposed by the U.S. Department of >Defense selective availability (SA)." I think that Denning's paragraph is misleading. S/A is stated; what I think they probably mean is closer to A/S, the anti-spoofing signal. The S/A error is small and changes only slowly, the A/S signal is far faster and could hold the data to implement the signatures. Even so, I think it would be comparatively easy to fake a signal if you are in view of most of the satellites in the area you wish to fake; attempting to fake something around the world would be harder. Aside from the technical difficulties associated with this system (everyone has to have a GPS receiver, for instance) there is an obvious political problem associated with trusting the government. After all, only its agents are supposed to know the dithering code which will be transmitted by the GPS satellite; its agents would presumably be able to fake their location since they can anticipate the data being transmitted. Which raises an interesting issue, I think: Would it be possible to remove the ability of the government to fake these signals, even if the rest of the system worked? The goal would be to prevent anybody (including the operators of the GPS system) from being able to anticipate the dithering codes the GPS satellites would send. One way to do that is to combine multiple random/pseudorandom bit streams (from hundreds, thousands, or maybe even millions of independent sources, perhaps you and me) into an overall stream, in such a way (XOR) that no data contributor could know how the result came out until he saw it. Each contributor would be able to verify, however, that his data stream was used to form the eventual bit stream, and he is confident of the randomness of the system he uses to generate that stream. (If he isn't, he should just change systems, or add another system to his equipment and XOR the results before he sends them off, crypted, to the central data combiner.) Release of the decrypt keys could be delayed "just long enough" to prevent faking. BTW, I'm not endorsing the underlying idea. I think it's a leap backwards for freedom. Jim Bell jimbell at pacifier.com From geeman at best.com Fri Apr 12 06:01:36 1996 From: geeman at best.com (geeman at best.com) Date: Fri, 12 Apr 1996 21:01:36 +0800 Subject: On computer face recognition: Message-ID: <199604120630.XAA14255@dns1.noc.best.net> There was a piece, I _think_ in Scientific American, tho it might have been an AI journal, on face recognition by use of neural nets together with what were called "eigenface" images: These eigenfaces each have specific characteristics, which when combined together can closely approximate a specific face image. The target face was analyzed in terms of closeness-of-match to a small set of eigenfaces, on the order of 5 to 8, I think. Results of course were promising (else why write about it, eh?) if not excellent. At 12:14 PM 4/11/96 -0700, you wrote: >At 10:02 PM 4/10/96 -0700, you wrote: >> >>On computer face recognition: >> >> >>>> Shaving probably will not be a problem, but holding your head at a >>>> slightly different angle... will screw up the system totally, >>>> unless the system has radically improved since the last time I read >>>> up on it. >> >>At 11:45 AM 4/9/96 -0500, K00l Secrets wrote: >>> Well, the systems I have seen are quite good at finding people's eyes. >>> Scaling (for distance), and rotation (for the angle of your head) >>> therefore don't really confuse the system once it has your eyes. >> >>Finding the eyes can only control for rotations in the plane of >>the image, when you tilt your head to one side. They cannot >>handle the much more common case of 3D rotations, where you >>look slightly to the right or slightly to the left of camera. >>Facial expressions also throw them badly. >> > >Take a peak at http://www.neci.nj.nec.com/homepages/lawrence/papers. One of >Lawences papers is on using Neural networks to recognize faces. Methinks >that the state of the art is advancing rapidly and such problems as not >looking at the camera or changing your expression are rapidly being overcome. > > >===================================== >dwl at hnc.com > >Zippity do da, zippity ah, my oh my what a wonderful day. >Ya right, and hear I am without time to finish a cup of coffee. > > From rschlafly at attmail.com Fri Apr 12 06:18:57 1996 From: rschlafly at attmail.com (Roger Schlafly) Date: Fri, 12 Apr 1996 21:18:57 +0800 Subject: Pub Key patent update Message-ID: <rschlafly1030647070> The battle over the public key patents continues, with no end in sight. Recent events: * Cylink tried to get a preliminary injunction against RSADSI shipping BSAFE for contributory infringement of the Stanford patents. The judge denied it, saying there was doubt about the validity of Diffie-Hellman and about the scope of Hellman-Merkle. * Cylink is appealing the preliminary injunction denial to the Federal Circuit. * Cylink's lawsuit to break the MIT RSA patent on obviousness and other grounds is scheduled to goto trial on July 9 before an LA judge. I don't know where the trial will be held. * RSADSI had a license to the Stanford patents dating back to around 1987, and it argues that it covers BSAFE customers. Cylink recently demanded a 5% royalty, and when RSADSI refused, Cylink unilaterally terminated the license. Cylink is now adding a direct infringement claim against RSADSI. * RSADSI and PKP motions for dismissal of my charges have left most of them intact. In particular, the antitrust charge is still alive. * My motion for summary judgment on the invalidity of the patents is technically still pending, but the judge shows no sign of ruling anytime soon. If my arguments were either clearly correct or clearly incorrect, he would have ruled by now. I cannot predict what will happen. * Trial on the Stanford patents is likely this summer. RSADSI is trying to postpone it. Roger Schlafly phone: 408-476-3550 CompuServe: 76646,323 US Mail: PO Box 1680, Soquel, CA 95073 USA Internet: rschlafly at attmail.com From rmartin at aw.sgi.com Fri Apr 12 06:22:32 1996 From: rmartin at aw.sgi.com (Richard Martin) Date: Fri, 12 Apr 1996 21:22:32 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u7BgI-00091BC@pacifier.com> Message-ID: <9604110950.ZM8850@glacius.alias.com> -----BEGIN PGP SIGNED MESSAGE----- On Apr 10, 6:57pm, jim bell wrote: > At 06:29 PM 4/10/96 -0700, Simon Spero wrote: > >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. > I notice you gave no examples. Why is that? Perhaps he thought that most people who were interested could go look it up themselves. - From a really quick web search, we find that the SGI Impact jams 9-bit bytes [that's what it says] across the Rambus internally. I'm not sure if the memory itself is 9-bit. richard -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMW0OIR1gtCYLvIJ1AQHvDQP/T5Xip82nGUzOO7diwoHw+BIiOXlpaEc2 oBuZ1VgMetcnr1qjANL8L5mvrMXUTJmZrDYwJ4VGSyErBX6Mm0Rz4OrMZy4mDvRt BzEI52MXfVzItZG95AcyiSXVcjVqCn1Hbo/MO3mzrVpvROy3ibsslDks30QFDC8j asImraxVlTE= =bAQH -----END PGP SIGNATURE----- -- Richard Martin [not speaking for a|w] rmartin at aw.sgi.com http://reality.sgi.com/rmartin_aw/ Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] From tcmay at got.net Fri Apr 12 06:23:53 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 21:23:53 +0800 Subject: First Seven-Year-Old to Encrypt Solo! Message-ID: <ad9349951602100496f2@[205.199.118.202]> I know Perry dislikes anything that smacks of mention of our personal lives and that is not related to the IPv95 specs, but this is of interest, I think. If not, ignore it and go back to reading the thread du jour. On Saturday many of us--several dozen Cypherpunks, at least--had a beach party/cookout on Tunitas beach, between Pescadero and Half Moon Bay, roughly 30 miles south of San Francisco and 50 miles north of Santa Cruz. Arranged by Doug Barnes, with help from Jim McCoy amongst others, it was a blast. We looked at Comet Hyakutake, though no longer at peak brightness, and even used the night vision scope provided by Jay Holovacs. Numerous CPs in attendance, including Sandy Sandfort, Eric Hughes, Bill Stewart, Sameer Perekh, Jude Milhon, Jay Campbell, Eric Hollander, Russell Whittaker, Romana Machado, and on and on. (Sorry if I left anyone out...it got dark and I didn't seen everyone, anyway.) Ironically, the little girl who died today in a plane crash stunt was from Pescadero, and took off yesterday from Half Moon Bay's airport. It has no direct relevance to us, but is an interesting coincidence, given the small sizes of these towns. Synchronicity happens. If Sameer can paraphrase Freud, I can paraphrase Jung. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From richieb at teleport.com Fri Apr 12 06:24:51 1996 From: richieb at teleport.com (Rich Burroughs) Date: Fri, 12 Apr 1996 21:24:51 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailer records? In-Reply-To: <ad91b30d0902100413eb@[205.199.118.202]> Message-ID: <Pine.SUN.3.92.960411124812.25002A-100000@julie.teleport.com> On Wed, 10 Apr 1996, Timothy C. May wrote: > At 7:37 PM 4/10/96, Jim Byrd wrote: > > >The story is weirder than that. The first poster of church secrets (with > >lots of commentary) was Dennis Erlich, an ex-scientologist. Dennis was > >raided and sued, and is awaiting trial. His ISP, Tom Klemesrud, refused > > His ISP was Netcom. Klemesrud respresents Netcom. [snip] Tom does not work for Netcom or represent them, AFAIK. He is the sysop of the BBS (support.com) that Dennis uses to access the Net. The BBS gets its net feed through Netcom. CoS sued both Tom and Netcom (in addition to Dennis). They claimed that after alerting Tom and Netcom to Dennis' alleged "copyright terrorism" the ISPs should have cut off his net access. Tom refused, and Netcom didn't want to pull the plug on his whole BBS just to stop one man accused of copyright infringement. I hope I have that all straight... ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From llurch at networking.stanford.edu Fri Apr 12 06:26:32 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 12 Apr 1996 21:26:32 +0800 Subject: Message not deliverable In-Reply-To: <Pine.BSF.3.91.960411123135.13200A-100000@kirk.edmweb.com> Message-ID: <Pine.ULT.3.92.960412012248.26121B-100000@Networking.Stanford.EDU> On Thu, 11 Apr 1996, Steve Reid continued to talk about... > > >Subj: Message not deliverable > > >Date: 96-04-10 11:51:09 EDT > > >From: Administrator_at_DCACINTS at dca.com (Administrator) Sheesh, are y'all really that shy, or did y'all (like me) assume that someone else was going to take care of it? I sent direct mail describing the problem to the two dca.com addresses on cypherpunks. One of the two messages bounced, and I forged an unsubscribe for that address. I guess we'll see if the problems stop. Since nobody at dca.com has responded to this for a couple days, and since their postmaster is asleep at the wheel, I don't see how anyone can complain. -rich From smith at sctc.com Fri Apr 12 06:59:04 1996 From: smith at sctc.com (Rick Smith) Date: Fri, 12 Apr 1996 21:59:04 +0800 Subject: Add me (Net.Enemies List) Message-ID: <v01540b03ad92f701a177@[172.17.1.61]> Please add my name to your list of Net Enemies. I'd rather start out branded as subversive and retain the freedom to be myself. Otherwise I might be tempted to keep silent and feign political correctness. Rick. smith at sctc.com secure computing corporation From tcmay at got.net Fri Apr 12 07:06:34 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 12 Apr 1996 22:06:34 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymousremailer records? Message-ID: <ad9296081002100467e3@[205.199.118.202]> At 2:40 PM 4/11/96, Hal wrote: >From: tcmay at got.net (Timothy C. May) >> At 7:37 PM 4/10/96, Jim Byrd wrote: >> >to find the identity of -AB-. This turned out to be an alumni account at >> >Cal Tech. The poster has never been heard from again. >> >> This was without a doubt just a user of one of Hal Finney's remailers he >> runs out of an account at Caltech. (There's a tiny chance it was someone >> else, but it fits the description of Hal's "alumni" remailer exactly, and >> is almost certainly just that.) > >Actually, this is not true. The poster, from rumors I have heard, was >someone else with a Caltech alumni account (I don't know who). I have >never been contacted by any representatives of Scientology with respect >to this case. So it is apparently just a coincidence that this case >involved the same system as my remailer. Several other people have sent me e-mail saying the same thing. An odd coincidence.... I'm glad I hedged a little bit. I did not hedge in saying that Klemesrud represented Netcom, which turns out to be wrong (as several people corrected me on). Klemesrud apparently ran "support.com," which got its feed from Netcom. Sorry about any confusion. On the remailer subpoena thing, any Cypherpunks remailer operators who are keeping logs might want to reconsider their strategies. And any such logs should be purged before the subpoenas arrive. (I understand, I think, the issues of abuse that have caused some operators to keep logs. But since the rumors of subpoenas are in the air, now is a good time to send the message that remailer operators _generally_ cannot produce mappings between incoming and outgoing messages. In an ideal mix, this is of course true. And by purging old files, it becomes de facto true for even today's far-from-ideal mixes.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From eli+ at GS160.SP.CS.CMU.EDU Fri Apr 12 07:22:32 1996 From: eli+ at GS160.SP.CS.CMU.EDU (eli+ at GS160.SP.CS.CMU.EDU) Date: Fri, 12 Apr 1996 22:22:32 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <+cmu.andrew.internet.cypherpunks+4lOmu2e00UfA41010Z@andrew.cmu.edu> Message-ID: <199604111718.KAA29564@cygnus.com> JonWienke at aol.com writes: >I have no disagreements with this. I merely proposed using the compression >function as a means of roughly estimating entropy and preventing the seeding >of the hash/PRNG with potentially "weak key" type data. It's not a useful estimate of entropy, and I don't see what you mean by "`weak key' type data". There are no keys or PRNGs involved here, just a hash function. Now, if you've got a sufficiently compressible data stream, compression may be a fast way to jump-start the distillation, but you absolutely need a priori information on the entropy of the source. >Would anyone like to propose a means of measuring entropy that we can all >agree on? If your definition of entropy is at least as strong as Kolmogorov complexity, it's infeasible to compute. The way to measure entropy is to spend ten years trying to understand the data source, and hope that no one else can afford to spend twenty. -- Eli Brandt eli+ at cs.cmu.edu From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 08:09:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 12 Apr 1996 23:09:19 +0800 Subject: Idea Futures - current application Message-ID: <01I3F04QVGUS8Y4ZSN@mbcl.rutgers.edu> Of course, a form using anonymnity would be preferable. I find it very interesting that the Commodity Futures Trading Comission is allowing this; it increases my opinion of them. If someone would forward this to the extropy list, the idea futures folks on there would find it interesting. -Allen Reuters New Media _ Monday April 1 2:32 PM EST _ U.S. Traders Play Political Futures In Cyberspace CHICAGO - As primaries in the American Midwest confirmed Senate Majority Leader Bob Dole's clean sweep, a Wall Street trader logged into the Internet on his home computer and made one last trade before going to bed. [....] These political futures contracts are not available at the huge, traditional exchanges that trade billions of dollars per day. Instead, the contracts are on the 24-hour Iowa Electronic Markets (IEM), which trades several thousand dollars per day. The IEM, setup in 1988 by the University of Iowa, is a not-for-profit political futures market open to traders globally via the Internet, under the regulatory scope of the Commodity Futures Trading Commission. An estimated 5,800 people have registered as IEM members by sending checks or money orders to open trading accounts of $5 up to $500 to trade various world political markets that also include Austria's Vienna City Parliament Election and Canada's British Columbia Provincial Elections. Collectively, accounts total about $150,000, said Joyce Berg, a professor of accounting and director of markets at the University of Iowa. [...] In that race, IEM payoffs are determined by the candidate who wins the majority of popular votes. Contracts in the candidate receiving the largest number of popular votes will pay $1 each while all other contracts will expire worthless. "For those of you with Web access, let me point you to an astounding place for us market geeks -- the Iowa Electronic Market," one trader wrote in the Option Fool newsletter, written and distributed via the Internet. "It's a fun market," said Gary Sparks a stock options trader at Group One Trading who participated in the market during the last presidential election four years ago. But some take the IEM seriously because each candidate's contract price in cents can be translated into his percentage chance of winning. And in the past two U.S. presidential races, the IEM has predicted the winner with an average 0.2-percent absolute margin for error. That compares to the next most accurate Harris poll with a 1.2 percent margin of error, according to the Iowa Political Market's data. That type of accuracy has caught the eyes of at least a few U.S. stock options traders and has earned a weekly spot in a New York Post newspaper roundup of presidential polls. Jeff Yass of Susquehanna Investment Group said he considers what IEM markets are showing when making trading decisions in stocks and options. "Clinton and Dole have been in a tighter race (on the IEM) than any of the Wall Street analysts have predicted," he noted. [...] Copyright 1996 Reuters Ltd. From batman at infomaniak.ch Fri Apr 12 08:13:11 1996 From: batman at infomaniak.ch (Batman) Date: Fri, 12 Apr 1996 23:13:11 +0800 Subject: No Subject Message-ID: <01BB27EB.655CD0C0@ppp4.infomaniak.ch> Please PUT me OUT of YOUR cypherpunks AND other MAIL-LISTS Thankx From adam at lighthouse.homeport.org Fri Apr 12 08:15:04 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 12 Apr 1996 23:15:04 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <olPI84q00YUuIE=vI9@andrew.cmu.edu> Message-ID: <199604120258.VAA05545@homeport.org> "MinTruth Personnel Office" Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From steve at edmweb.com Fri Apr 12 08:30:39 1996 From: steve at edmweb.com (Steve Reid) Date: Fri, 12 Apr 1996 23:30:39 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <ad9291d00f0210046a1c@[205.199.118.202]> Message-ID: <Pine.BSF.3.91.960412014408.14210A-100000@kirk.edmweb.com> > But this is quite a different thing from an "Enemies List," which I rather > doubt would be useful per se to Barlow, Godwin, and other civil liberties > activists. I also think that an "Enemies List" would not be useful... It would only make people believe that the Cypherpunks are a bunch of anti-government terrorists. A list would not be a problem in itself, after all the governments keep their lists of "subversives". Maybe there should be a "Luddite List"... Ludd-ite n. (Eng. hist.) a member of those groups of workers who deliberately smashed machinery in the industrial centers of the East Midlands, Lancashire and Yorksire (1811-16), believing it to be a cause of unemployment [after Ned Ludd, a late 18th-c. riot leader] Of course, "Luddite" is usually used with a more general meaning, refering to people who are ignorant of and/or resisting technology. I think it's a very good word to use. It's apropriately demeaning, but not hateful. I think it's a word that could be accepted and understood by the general public. Just a thought. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | Alternate email: sreid at edmbbs.iceonline.com sreid at sea-to-sky.net | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | --- DISCLAIMER: JMHO, YMMV, IANAL. --- | ===================================================================== From stend at grendel.texas.net Fri Apr 12 08:46:48 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Fri, 12 Apr 1996 23:46:48 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u7BgI-00091BC@pacifier.com> Message-ID: <199604120217.VAA03048@grendel.texas.net> >>>>> jim bell writes: jb> At 06:29 PM 4/10/96 -0700, Simon Spero wrote: >> No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. jb> I notice you gave no examples. Why is that? As I recall, the Honeywell H6000 used 6-bit bytes and 36-bit (6 byte) words. -- #include <disclaimer.h> /* Sten Drescher */ ObCDABait: For she doted upon their paramours, whose flesh is as the flesh of asses, and whose issue is like the issue of horses. [Eze 23:20] Unsolicited email advertisements will be proofread for a US$100/page fee. From Q101NOW at st.vse.cz Fri Apr 12 09:15:07 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Sat, 13 Apr 1996 00:15:07 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <318256DC0@st.vse.cz> - > BTW, has anyone out there created an anonymous web forwarder? I'm sure - > there are a lot of people out there who don't like the idea of having - > their email address in the log files of dozens of web servers... Creating - > a simple web forwarder wouldn't be hard. - - I've heard several people make this statement... Can anyone confirm that - it is really possible to log the uid (username) of the person making the - http request? I know they can get your ip address, but I'm skeptical - of getting the username. Yes, there are several web interfaces to anonymous remailers out there (check altavista). No, they cannot get your username UNLESS you have logged into the site by entering a username and password into a www auth dialogue box -or- you are on a Unix box which is running identd -and- the remote site runs a check (unlikely and DOES NOT apply to dialups, unless you are running identd on your dialup). Even in the extremely unlikely event of a remailer running a check using identd, that would not show up in the standard web logs. It would be theorically possible to get a username/True Name from an IP address if you were on a dialup and the ISP kept track of who was on what dialup and when. glenn From roger at coelacanth.com Fri Apr 12 09:53:16 1996 From: roger at coelacanth.com (Roger Williams) Date: Sat, 13 Apr 1996 00:53:16 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604111437.HAA05376@jobe.shell.portal.com> Message-ID: <9604120126.AA1569@sturgeon.coelacanth.com> >>>>> Hal <hfinney at shell.portal.com> writes: > Note however that Denning did not mention the Internet in her > spiel. Well, assuming that she wrote *any* of the spiel, she does: "Where it works ... Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections..." -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From rkmoore at iol.ie Fri Apr 12 10:01:21 1996 From: rkmoore at iol.ie (Richard K. Moore) Date: Sat, 13 Apr 1996 01:01:21 +0800 Subject: No matter where you are, you can lie. Message-ID: <v0211012aad93e9600833@[194.125.43.36]> 4/10/96, Peter Trei wrote: >Therefore any site that can see the same set of satellites as the site it is >trying to simulate can do so, buffering less than 50 ms of waveforms and >pretending to be on the end of a slow link. That's what I assumed in the first place. Thanks, Peter, for doing the math. Do you have a solution as satellites cross the horizon, or for very-distant spoofing? ...co-conspirator nodes tightly-coupled via laser or wire? -rkm (not on cypherpunks) From sjb at universe.digex.net Fri Apr 12 10:04:49 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 13 Apr 1996 01:04:49 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v02120d2bad91ecd377cc@[192.0.2.1]> Message-ID: <199604111714.NAA02244@universe.digex.net> Lucky Green writes: >At 9:48 4/10/96, Duncan Frissell wrote: >[...] >>We know that governments would like to impose things like the Simple >>Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) >>Protocols. > >There is one thing about the proposed minor flag addition to IP that I >don't understand. [No, I am not surprised by this. Mandatory authorization >to establish a connection and an "Internet Driver License", probably in the >form or a smart card are coming]. > >If my computer creates the IP packet, what is there to prevent me from >modifying the value of the "Minor/Adult" flag at my leisure? Yikes! Don't lend it the credibility of calling it "proposed". Someone might think you're serious. "Suggested" is as far as I'd go. Anyway, you computer creates the IP packet, but then sends it to your ISP's router. That router *always* makes changes to the packet header because it must decrement the time-to-live field and recompute the header checksum. The ISP's router software would (in the scenario I suggested, but deplore), based on to whom it's connected, set the drivers licence flag as it sees fit. When a PPP account of a "minor" sends a packet, the router always inserts "minor". When the account of an adult sends it, it inserts "adult". When the account of a partner who has contractually accepted liability for the flag's setting sends a packet, it leaves it alone. From vznuri at netcom.com Fri Apr 12 10:17:57 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 13 Apr 1996 01:17:57 +0800 Subject: Lotus notes 24 bit hack project? Message-ID: <199604112014.NAA16020@netcom7.netcom.com> reading notes on the recent RSA conference reminds me of something. Lotus announced their 64 bit encryption for foreign users some months ago, with 24 bits secretly "owned" by the NSA. there was some speculation here about how this was handled. could the system be so insecure as to have a unique 24 bits used across every foreign key? or are those 24 bits somehow algorithmically determined from the other 40 bits, with the algorithm a secret? in any case it seems that reverse engineering of Lotus Notes would provide the answer, and we'd be able to embarrass both NSA and Lotus (who imho deserves it, for caving in to the NSA) all in the same sweep by revealing it to the world!!! I would bet this would be worth some more NYT or WSJ almost-front-page ink for some lucky cpunks if someone can pull this off!! this would be a *major* new feather in the cpunk cap, and I'd enthusiastically support anyone attempting to work on this project (maybe writing HTML pages for information or something). cypherpunks, start your disassemblers!! From tcmay at got.net Fri Apr 12 10:25:08 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 01:25:08 +0800 Subject: Know Your Net.Enemies Project Message-ID: <ad928bf30d021004097c@[205.199.118.202]> At 3:47 AM 4/11/96, Declan B. McCullagh wrote: >Would anyone be interested in collaborating on a "Know Your Net Enemies" >project? > >We'd start with a resource like Bob Chatelle's excellent web pages at ><http://world.std.com/~kip/bcfenatl.html> and with permission build on >it and list the deceptions and misrepresentations each Net-Enemy has >engaged in -- what each has done to restrict liberty online. We'd >include original documents and links as appropriate. .. Sort of like Nixon's Enemies List? Have we become the enemy? Flippancy aside, this strikes me as being a terribly negative, destructive, and counterproductive way of approaching things. It could easily backfire in the media, as they note the "Enemies List," or "The Page of Shame." Recall how the recent "List of Shame" was reacted to, as some people clamored to be added. And just how would "Net-Enemies" be decided upon? By vote? By acclamation? By whomever wants to create an entry? Would Denning (Dorothy) be on the list, but not Denning (Peter)? How about Barlow? Maybe the whole EFF power structure at the time of the Wiretap Act should be added to the Net-Enemies list...I'll start working on this right away. Well, count me out. I know who I think are the people receptive to my concerns and viewpoints, and the people not receptive...and I don't need an Enemies List to tell me. I'd prefer to evaluate people I haven't yet reached a decision on based on their own merits. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JonWienke at aol.com Fri Apr 12 10:36:02 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 13 Apr 1996 01:36:02 +0800 Subject: questions about bits and bytes [NOISE] Message-ID: <960412012047_270015300@mail06> In a message dated 96-04-11 20:26:44 EDT, jeffb at sware.com writes: >[I told myself I was going to stay out of this, but Jim Bell's dogmatic >stance irks me... ] Here's a citation from "Portability of C Programs >and the Unix System" by S.C. Johnson and D.M. Ritchie (yes, that Richie) >in the Bell System Technical Journal volume 57, Number 6, July-August 1978. Citing sources from 1978 in the computing field is a little like using dictionaries from the 1800's to dictate modern English usage. My desktop machine has as much computing power as some colleges had during that era. We've come a long way, baby! Yes, in the past, the term "byte" applied to entities other than 8 bits, but "8 bits" IS the commonly accepted, standard meaning of "byte" now, in the present. The fact that the meaning and usage of words can change over time is not relevant to current meaning and usage. Anyone who wishes to dispute this should study the etymology of the word "gay." Jonathan Wienke From perry at piermont.com Fri Apr 12 10:56:55 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 13 Apr 1996 01:56:55 +0800 Subject: Money supply is fake anyway In-Reply-To: <Pine.SUN.3.91.960412002240.2926C-100000@kolo.isr.umd.edu> Message-ID: <199604121257.IAA24747@jekyll.piermont.com> Thomas Grant Edwards writes: > On Thu, 11 Apr 1996, Perry E. Metzger wrote: > > > Thomas Grant Edwards writes: > > > Banks "invent" money on a daily basis. > > > Really? Since when? > > Since the invention of fractional reserve banking. Banks loan out far > more than they have currency reserves. Thats true. However, that isn't the same as "inventing" money. They never give out money they don't have -- they can't. > This loaning out of non-existant money inflates the money supply. You made two magical jumps here. The first was the notion that they are loaning out non-existant money. That is false. They only loan out money that they have on hand, and the value of their assets in the form of loans + reserves is always higher than the value of their debts to depositors. It is true that they don't have the value of all their assets on hand to give to creditors if they demand it, but then again you probably don't have all your assets in a liquid form either. The second magical leap you make here is that this is somehow inflationary, which of course it isn't. > There is far more money in demand deposits (i.e. figures on a computer) > than there is currency (i.e. green stuff). It is true enough that the total sum of demand deposits exceeds the total value of outstanding currency. So what? > The Federal Reserve also controls the expansion of the money supply by > buying and selling federal securities as well as setting interest rates on > its "loans of last resort" it makes to member banks. You are correct that the fed creates and destroys money. You are not correct that ordinary banks do, or in your assertion that the fed substantially controls the expansion of the money supply through the discount rate. Perry From jf_avon at citenet.net Fri Apr 12 10:59:24 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sat, 13 Apr 1996 01:59:24 +0800 Subject: Digital Cash Escrow Message-ID: <9604120200.AA17096@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- To: Cypherpunks at toad.com from: jf_avon at citenet.net date: 11 Avril 96 ======================================= John Deters <jad at dsddhc.com> wrote: >ObOtherListComplaint (doesn't everyone?): Has anyone suffered ill-effects >by having their mail program filter Jim Bell's postings? Does anyone, especially in Canada, ever noticed that them or their local net friends had their snail mail opened? A friend of mine has his regularly opened; he complained to Canada Post three times, but it stills goes on AFAIK. He is pissed off at me, convinced that the forwarding of Jim Bell's AP related articles is what justified the mail opening. Actually, he does not even reply to my e-mails anymore. We used to be great friends... Neither of us ever engaged in any subversive activities or are involved in illegal actions. It seems that FUD got him. ...sigh... He even refused to *touch* PGP. He is a professionnal programmer, in C++, win, and OS-2. Can you believe it?!? Any comments? JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMW1pKsiycyXFit0NAQG3Rwf+PUFu0geKEXOEYktp5MP6ao4Yb0CfPSWA dbnZ4R4kJsLm7jQ8tNXdo8KsLRhL7+Qe3NNfAKvTQVmvrN45QImyKk+fZd77Cady TLKuNEYCx1FCrIpLewM13sLj4twCcNpvCIJNRsVV8Q3xcyWkfNJ6PSAakDa2POnD spPnEz0Ptepw58KXoM0G36lE6fJnfv83PEeaogjE+h8Gsxf1uzhK1ZAQxpB6QHLP 4cizjFyKNfEZIVKK4kXebWr7wlalE87XTC6wWpXLQ8XuNYtbzKWG+wB747IpbN2a ijKDBf9fXAZRB/qVQUdF/toEWJ/+Vg6LniFgmYq1EQqToUiPMRT48A== =NnBW -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Fri Apr 12 11:06:40 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Apr 1996 02:06:40 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604111939.MAA14774@toad.com> There are serious technical problems with the suggestion that labelling packets as "Adult" or "Child" using IP options and filtering at ISPs for censorship. IP works on a per-machine basis (technically, a per-network-interface basis, though for most client machines that's the same thing.) That means that a web or nntp server including some "Adult" material and some "Child" material either needs a way for an application process to communicate this to the network drivers, or needs to label all packets as "Adult" to avoid the politically incorrect risk of mislabelling a packet as "Child" when it's not. The standard TCP/IP API programming interface software on Windows, Mac, and Unix machines doesn't provide for applications to _tell_ the network drivers about IP options, so even if IPng had censorship features added, the applications couldn't use it. (There are a few military multi-level security versions of Unix that give you more flexibility for this sort of thing, but they tend to provide mandatory security so you _can't_ send a packet marked "UNCLASSIFIED" from a "TOP SECRET" session.) Another problem is that it only addresses single-user client machines, rather than multi-user operating systems such as Linux, which has a million or so users out there. The model works fine when you treat a PC as a fancy version of a dumb terminal, but a machine shared by multiple users (whether many at one time, or one at a time) uses a single connection to support all of them - that means you can't have censored material available to the child and uncensored material available to the parent unless the networking software can pass the censorship labels on to the application program - but again, the standard operating system interfaces (developed over many years by thousands of The Free World's finest developers :-) don't have a way to implement it, because it was never a design goal. Trying to implement censored sessions at a transport level instead has its own problems. First of all, TCP provides reliable sessions; censoring packets based on IP labels in the middle of a transaction means that TCP will retransmit until the packet gets through or it gives up and drops the connection, so any "Adult" packets would dump a Registered Child out of the browser, even if they were unintentional (e.g. from an Adult who labels all packets "Adult" to avoid being liable for mistakes, or packets from Europe that were default-labelled by a service provider to avoid having to read them all, or from the Library of Congress Online Edition if the Librarian labels each packet correctly.) On the other hand, UDP packet exchange, which doesn't use sessions, would require validating the user's ID and authorization on each packet. Furthermore, if the censorship information is carried at the transport level, or at a higher level (i.e. headers in the message itself), the only way the ISP's routers, which work at the IP level, can censor packets is to perform the equivalent of the Post Office steaming open envelopes before delivering them to your house, and refusing to deliver them if there's a child living in the house and the letter either contains a bad word or is written in a language the Post Office doesn't understand, such as Finnish or Japanese or PGP. At 04:03 PM 4/10/96 -0700, Lucky Green wrote: >At 9:48 4/10/96, Duncan Frissell wrote: >>We know that governments would like to impose things like the Simple >>Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) >>Protocols. > >There is one thing about the proposed minor flag addition to IP that I >don't understand. [No, I am not surprised by this. Mandatory authorization >to establish a connection and an "Internet Driver License", probably in the >form or a smart card are coming]. >If my computer creates the IP packet, what is there to prevent me from >modifying the value of the "Minor/Adult" flag at my leisure? If you create outgoing packets that are labelled "Minor", and contain "Restricted to Government-Certified Adults Only, and No Felons or Foreigners Allowed" material, you can get busted for it. So you have to either restrict all your outgoing packets to be labelled "RtG-C Adults O,aNFoFA", or else make sure all the material you transmit passes the "Government-Approved-for-Minors, Foreigners, and Victorian ladies" filter. On the other hand, if you don't log in to your ISP with a "government-certified adult, non-felon, non-foreigner, politically stable, not-a-Commie-or-Jew" id, it'll block any packets not approved for you. Any news or web server will also have refuse to send any "Adult"-labelled material to you if the requests arrived on a "Kid"-labelled connection - this means that either the server machine will have to only carry Kid-approved traffic, or only talk to Adults, or add an "Adult" label to all outgoing packets whether marked "Kid" or not, or else it will have to break protocol boundaries by passing IP-layer information up to the application. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From jf_avon at citenet.net Fri Apr 12 11:14:21 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sat, 13 Apr 1996 02:14:21 +0800 Subject: Tense visions of future imperfect Message-ID: <9604120159.AB17030@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- >What the bank does is keep a list of all spent serial numbers, not all >issued ones (since it doesn't know those). That way it can detect double >spending. Correct me if I'm wrong: It means that the weakest point of the digital cash chain is the server. If the server's database is tampered with, or lost, then, the double-spending can be done (in case of loss, if ever the server is put back online) Does that means that for all practical purposes, a server should be run from a vault with security comparable to a big money repository? JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMW1dnsiycyXFit0NAQFpPQf6A/IvZWumneiGU1IERxbs/udunwFWHWVG p+rbAK9h7bDYG+6NcFCIJp97n4MGfH8/+bbPLV4eIuv+5eyTKRkB+1IdOkVNUhEq LGcKGN1iAScQvLxj+cM/3nthAhDxdaMBXmyaylnphgqh9slKJg7FppWpBfLI56nt YYZJ69ThyYMVCN/g9o5G0zbzYefKFOzV/0lbxaGUn0G/KoKbURMut1NlMdfmhmqw BbTd50ae8LVWLjxlVs5Gi5Ui9Loa2DKlSR5PIp1vlFDSk1UBAjTbbK8fSKVhkEFn thI+YXLifA73LOJNdBWwvneTWyy+kdVxHBSDVFEXH2HMsR4LYeHF1g== =JxPP -----END PGP SIGNATURE----- From tallpaul at pipeline.com Fri Apr 12 11:42:24 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sat, 13 Apr 1996 02:42:24 +0800 Subject: Know Your Net.Enemies Project Message-ID: <199604112020.QAA06780@pipe5.nyc.pipeline.com> On Apr 10, 1996 23:47:54, '"Declan B. McCullagh" <declan+ at CMU.EDU>' wrote: >Would anyone be interested in collaborating on a "Know Your Net Enemies" >project? Feel free to use my writings on the CyberAngels. --tallpaul From adam at lighthouse.homeport.org Fri Apr 12 11:46:39 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 13 Apr 1996 02:46:39 +0800 Subject: No matter where you go, there they are. In-Reply-To: <v02140b02ad91db64cd39@[205.162.51.35]> Message-ID: <199604120314.WAA05634@homeport.org> Jim McCoy wrote: | And perhaps more importantly, do you really want anyone you connect to | on the net to know your location to the nearest 10 meters? What is | Dennings fascination with building Big Brother? She read Snow Crash, and it scared her. This is flippiant, but I believe it comes close to the truth, in that tends to provide a cogent explanation for her political actions, as I've observed. (Dorothy-- Since someone will forward this to you, I'd be fascinated to hear your reactions in public or private.) Snow Crash is a book about a future in which governments are ineffective. Companies run things, and have complete local control. The world has gone to hell, and as a result, life is nasty, poor, brutish and short. Many people do not look forward to this world. Thats an understandable reaction; when I first heard about anonymous assasination markets, I thought it was pretty bizzare as a world to look forward to. Then I heard Neal Stephenson speak. And he brought up a very good point, which was Hitler killed more people than Charles Manson because Hitler had a big country, and its large army. I look forward to smaller, weaker government that can't put the Japs in holding camps, surround and harras the Branch Davidians, etc. The debate, really, boils down to Hobbes v. Locke, or Plato v. Aristotle. Its not going to be resolved anytime soon by a philosopher. Many of us have read Mill, Hayek, Freidman, Nozick, and decided that we prefer that world view. That Dr. Denning has decided that she likes Philosopher-Kings is not particularly unusual, except in the computer business. Go read Leviathan. Think about what we're talking about here. Its a scary new world that I expect will be created, by the UNSTOPPABLE advance of technology. There is no weapon created that is not used by someone who judges the cause to be worthwhile. Nukes, chemicals, and biologicals have all been used against civilian populations. I judge that stopping the advance of cryptoanarchist technology will fail (in the long run), and not be worth the price. I suspect Dorothy disagrees, and there lies her fascination with building in Big Brother. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jimbell at pacifier.com Fri Apr 12 11:55:13 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 02:55:13 +0800 Subject: GPS-based authentication Message-ID: <m0u7Y7v-00090jC@pacifier.com> At 11:33 AM 4/11/96 -6, Peter Trei wrote: >Ms Denning, Mr. MacDoran > >I've read with interest your proposed GPS-based authentication >mechanism (it was posted to the cypherpunks mailing list). Can you >confirm that you wrote this? Some people on the list think it may be >a forgery. > >The participants of the list have noted some apparent vulnerabilities >in the system, and I am curious as to how you address them. If you >respond to me and give permission, I'll forward your response to the >list. > >The problems are two-fold: > >1. The system is easily spoofed. >2. It leaks sensitive location data. It should occur to all of us that what you (and we) call "problems" are, to government sympathizers, actually FEATURES. Identifying people's locations is probably going to be considered enormously important to the government (if it lasts that long). And since the government runs all the GPS transmitters, and can presumably modulate the S/A function any way it wishes, it has a leg up on all of us who have to depend on the integrity of the system. There is also the possibility of them jamming the system locally to either deny the user the ability to make the identification system work and thus deny access, or detect the location of the user by subtly modulating the local signal in such a way as to leak through the otherwise-secure system. (If we trust it that far, which I don't.) From an366601 at anon.penet.fi Fri Apr 12 12:14:51 1996 From: an366601 at anon.penet.fi (** CRAM **) Date: Sat, 13 Apr 1996 03:14:51 +0800 Subject: Australia cracking down on the internet?!?! Message-ID: <9604121303.AA17137@anon.penet.fi> X-Anonymously-To: an366601 Reply-To: an578849 at anon.penet.fi Thank you CRAM for your informative and interesting peices aznd snippets from the American Press. Out here in the land of Oz, the state governements are whipping up a frenzy of legislation, including laws prohibiting the uploading or downloading of any material that may be offensive to minors. Penalty: $25000 and/or 1 year in jail. The push is on to make ISPs the defacto publishers and censors of all material that passes through them. And as always its the child pronography thing that predominates the discussion. It is unfortunate that at the same time the internet is booming, there is a huge peadophile hunt going on here in Sydney (turns out the peodophiles have powerfull allies amongst the policians and judges, no surprises there). People open their newspapers and see "Peadophiles use internet" and their minds shut like steel doors. Keep up the good work. --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From mark_reed at sware.com Fri Apr 12 12:49:16 1996 From: mark_reed at sware.com (Mark J. Reed) Date: Sat, 13 Apr 1996 03:49:16 +0800 Subject: questions about bits and bytes [NOISE] Message-ID: <9604121405.AA21928@shlep.sware.com> JonWienke at aol.com writes: \ In a message dated 96-04-11 20:26:44 EDT, jeffb at sware.com writes: \ Citing sources from 1978 in the computing field is a little like using \ dictionaries from the 1800's to dictate modern English usage. My desktop \ machine has as much computing power as some colleges had during that era. \ We've come a long way, baby! Yes, in the past, the term "byte" applied to \ entities other than 8 bits, but "8 bits" IS the commonly accepted, standard \ meaning of "byte" now, in the present. The fact that the meaning and usage \ of words can change over time is not relevant to current meaning and usage. \ Anyone who wishes to dispute this should study the etymology of the word \ "gay." \ \ Jonathan Wienke \ No, no. What started this whole discussion was someone claiming that bytes have ALWAYS been 8 bits. That was the argument. NO-ONE is claiming that byte doesn't mean 8 bits NOW. I think we have now established that, yes, 'byte' is synonymous with 'octet' in the modern computer era, and no, this was not always the case. Now can we move on to other matters? -- Mark J. Reed Email: mark_reed at sware.com - Voice: +1 404 315 6296 x158 - Fax: +1 404 315 6407 Hewlett-Packard Co. / 2957 Clairmont Rd Suite 220 / Atlanta GA 30329-1647 E-Mail Privacy by SecureMail. Visit URL:http://www.secureware.com/ for details. -- Mark J. Reed Email: mark_reed at sware.com - Voice: +1 404 315 6296 x158 - Fax: +1 404 315 6407 Hewlett-Packard Co. / 2957 Clairmont Rd Suite 220 / Atlanta GA 30329-1647 E-Mail Privacy by SecureMail. Visit URL:http://www.secureware.com/ for details. From frantz at netcom.com Fri Apr 12 12:58:03 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 13 Apr 1996 03:58:03 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604112224.PAA11290@netcom9.netcom.com> For information on the "Internet Philosophy" there is a IETF draft that might be of interest at: ftp://ds.internic.net/internet-drafts/draft-iab-principles-02.txt ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From tedwards at Glue.umd.edu Fri Apr 12 12:59:14 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Sat, 13 Apr 1996 03:59:14 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604111444.KAA20811@jekyll.piermont.com> Message-ID: <Pine.SUN.3.91.960412002240.2926C-100000@kolo.isr.umd.edu> On Thu, 11 Apr 1996, Perry E. Metzger wrote: > Thomas Grant Edwards writes: > > Banks "invent" money on a daily basis. > Really? Since when? Since the invention of fractional reserve banking. Banks loan out far more than they have currency reserves. This loaning out of non-existant money inflates the money supply. The trick of being a banker is loaning out enough money to make a profit, while keeping enough currency on reserve to pay people when they take money out of your bank. There is far more money in demand deposits (i.e. figures on a computer) than there is currency (i.e. green stuff). The ratio of demand deposits to currency backing in banks is set by the government. If everyone came and took out all their currency for their demand deposits, banks would fail right and left. The Federal Reserve also controls the expansion of the money supply by buying and selling federal securities as well as setting interest rates on its "loans of last resort" it makes to member banks. I don't consider the Fed a "conspiracy," as I believe that even in a privatized money system, there would need to be flexible fractional reserve banking to avoid damaging deflationary periods which come with spurts of credit demand. Most of my free-market money buddies assure me that deflation in a hard-money system is mainly a product of socialist spending policies coming to an end, especially after a time of war. I remain in belief that even without massive government spending that hard currency would have credit cycles that would lead to dangerous deflationary periods. As far as inflation, the Fed has managed to create the most massive inflationary period the U.S. has ever had. -Thomas From joelm at eskimo.com Fri Apr 12 13:01:37 1996 From: joelm at eskimo.com (Joel McNamara) Date: Sat, 13 Apr 1996 04:01:37 +0800 Subject: Private Idaho 2.6b3 release Message-ID: <199604121358.GAA19551@mail.eskimo.com> Private Idaho 2.6b3 (a freeware Windows front-end to PGP, anonymous remailers, and nym servers) is now available at: http://www.eskimo.com/~joelm New features include: licensed IPPort - no more "nag" screen on start-up support for multiple nym servers and nyms support for multiple PGP keys for signing support for printing messages support for transfer to multiple applications Questions, comments to joelm at eskimo.com From ravage at ssz.com Fri Apr 12 13:55:16 1996 From: ravage at ssz.com (Jim Choate) Date: Sat, 13 Apr 1996 04:55:16 +0800 Subject: No matter where you go, there they are. (fwd) Message-ID: <199604120214.VAA13727@einstein.ssz.com> Forwarded message: > GPS works by measuring the differing distances to a number of satellites. Actualy, it measures doppler shift as well. > It might be possible to seperately record the signals from several > different satellites, delay them each just the right amount of time, and > then recombine them to simulate being at another nearby location (within > several hundred miles). However, this might not be possible. Examine the > following quote from Denning's paper: Seems to me that standard satellite tracking software would work just fine for this once the correct orbital parameters were included. To get the necessary orbital parameters look on sci.space.news and they are announced regularly. > :The location signature is virtually impossible to forge at the > :required accuracy. If you can measure the accuracy you can spoof it. It is only a question of cost at that point. > :orbit perturbations, which are unknowable in real-time, and intentional > :signal instabilities (dithering) imposed by the U.S. Department of Defense > :selective availability (SA) security policy. Which are going to be turned off. I have to draw exception to the 'dithering' in regard to the lsb's of the data. They are actualy encrypted. It is not random which is what 'signal instability' implies. Were it random then a 'flying capacitor' type filter or a digital filter could get the bits out. I have two years of experience using such 'flying capacitor' type filters in LORAN-C equipment I calibrated and repaired for Austron. The signal on LORAN is a damped sinusoid, very precisely damped. The timing sequence of sites are drawn on maps as well as published in book and electronic form. You set the filter for the same repeat rate as the signal you wish to detect. As the signal is fed over and over into the bank of capacitors the random noise cancels out and you are left with a remarkably clean signal. You then feed this to a 2055 microstepper (nS/S) and compare it to a time reference standard (1210 Time reference standard, my specialty). When the signals cancel you can get a very accurate reading and change that to lat/long quite easily. I would regularly sync the 1210's to USNO and the NIST to measure the oven heated crystal oscillators drift in frequency over time. By applying a voltage to the circuit you can compensate for this drift using a 2055 microstepper (a time delay unit). At that time we were making both the 2000 and 5000 series receivers. The 68000 based machine was due out when I left for a job at UT Austin. The neatest part of the job was flying cesium beams around the world and measuring their drift to accurately measure the rotation rate of the Earth. You can defeat even the encryption if you take a long enough time to interpolate. The reason it isn't done is that by the time you get the fix the target you were going to shoot your missile at is gone. If it is so large (a city) or slow (grunts) that it won't move significantly in that time you don't need that accuracy in the first place. I base this on a years worth of technical support I did for CompuAdd for Desert Shield/Storm. I handled several problems related to MLRS and Naval systems related to target selection and tracking & GPS in regards our computers. > It's possible that the orbit perturbations may be enough to screw up an > attempt to forge a signal Which would be enough to scramble the signal as well. As a matter of fact this might create another means of attack. Namely that the orbit varies is a given. That the orbit can be predicted to quite good accuracy in less than real-time is a given. By comparing these to the actual orbit it might be possible to creat a situation where a fake signal was more accurate than the real signal making the receiver filter the real signal as noise. The one drawback here is that it would require considerable power to effectively impliment the masking. ; the variations in signal timings won't provide > enough information to an attacker to be able to accurately replicate what > the signal would look like at another location. The doppler shift directly corresponds to altitude. If you have the normal orbital parameters it is a relatively simple matter to use a computer to predict where it will be in the near future (5 minutes). NASA and United States Space Command (USSC) regularly track over 8,000 items in orbit. Some as small as bolts. Tracking accuracy is a well understood problem. > It remains to be seen > whether it is reliably possible for the secure host, at its location, to > distinguish between an accurate signature and an inaccurate but plausible > forged signature. Anybody got a GPS receiver in Austin? I believe I can arrange the necessary equipment and support to attempt it. I know several EE's as well as somebody with commercial radio service equipment I am shure some of the other local cpunks might want to help as well. I propose that what be attempted is making a GPS receiver believe it is 100 miles from where it actually is. I will forward a copy of this to the Experimental Science Instrumentation mailing list (tesla at ssz.com) to see if anyone on there might be interested. Jim Choate CyberTects ravage at ssz.com Tivoli - IBM jchoate at tivoli.com From proff at suburbia.net Fri Apr 12 14:13:13 1996 From: proff at suburbia.net (Julian Assange) Date: Sat, 13 Apr 1996 05:13:13 +0800 Subject: LACC: CDA Court Challenge: Update #6 In-Reply-To: <9604121057.AA26895@all.net> Message-ID: <199604121503.BAA27341@suburbia.net> > This would ONLY impact packets that carry pornographic material, and all > other packets would remain unchanged. Naturally, you would not be able > to have Classified Pornographic material under this scheme, but I think > that's probably an acceptable tradeoff. Oh, I don't know. The remote satalite imaging lab in reston has been known for sometime now to have enough resolution to look down a good clean cleavege, and certainly their perspective is vertical enough. > Furthermore, any parent that wanted to allow a child to attach to the > Internet and wanted pornographic protection would be responsible for > setting their own filter up to limit these packets. Thus the provider > of pornographic material and the parent of the child using the net are > the only two groups affected by this change. The rest of the net can > continue unhindered. ISPs don't have to identify users. After all, it > is the parent and the bookstore owner who are responsible for keeping > children out of the dirty book section, not the bus driver who brings > the child to the neighborhood or the company that paves the street. I've thought about this as well. You could also use the IP TOS minimise-cost bit, which is defunct, doesn't require IP options, is included in every packet and in most modern unix's and rfc1122 complient TCP/IP protocol interface stacks can be set at user level with a simple setsockopt() call. That said, it has a granularity of one. To my mind, it is value judgement, and a difficult one at that to decide when information is appropriate or otherwise for a given age group. A given community may feel the age of maturity is something other than 18, and physiologically the age of maturity is different for differing racial groups. It is a strange world where it is permissible to get married at 16 -- and all that implies, but not permissible to think freely until 18, or 21 in certain states. More appropriate would be content flags. Using the security option there is a resonable number that could be assigned. OPT_R_UPPER_NUDITY, OPT_R_LOWER_NUDITY, OPT_R_FULL_NUDITY, OPT_R_FEMALE, OPT_R_MALE, OPT_R_BIZARRE, OPT_R_HOMOSEXUAL, OPT_R_BESTIALITY, OPT_R_DISECTION, OPT_R_INTERCOURSE, OPT_R_VIOLENCE and OPT_R_ADVERTISING come to mind. Unlike TOS however, many IP stacks have no real support for the security option. The value of re-using it then for this purpose it dubious. There is no reason another IP option couldn't be added. Perhaps the spare TOS bit could be used as a catch-all until a content option is implimented. Most french wouldn't be concerned about OPT_R_FULL_NUDITY provided OPT_R_HOMOSEXUAL wasn't set. -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From JonWienke at aol.com Fri Apr 12 14:18:39 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 13 Apr 1996 05:18:39 +0800 Subject: Entropy Estimator Message-ID: <960412001922_511825948@mail02.mail.aol.com> I just added a feature to my entropy graphing program that estimates the number of bits of entropy in the file, in addition to making the graph. I tested it on some ZIP files, comparing the sum of the results obtained from each file individually to the results from the ZIP file containing all of them. So far, the results have been consistent within 20%. EXE's show 3-4 entropy bits/byte, ZIP files show 6-7, and DLL's and text files show 1-2. Source code (Visual Basic) available to anyone who wants it, but I think I will hold off on the EXE and VBX's until I find someone who will put it on their FTP/WEB site. Suggestions via email regarding this would be appreciated. Jonathan Wienke From jimbell at pacifier.com Fri Apr 12 14:28:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 05:28:46 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Work Message-ID: <m0u7Ov2-0008zwC@pacifier.com> At 08:42 AM 4/11/96 -0400, Clay Olbon II wrote: >At 11:10 AM 4/9/96, jim bell wrote: >>At 07:57 AM 4/9/96 -0500, Mike McNally wrote: >>>There are supposedly some new techniques that look at the infrared >>>signature of your face (like, I guess, distribution & position of >>>hot & cold spots), and that's less likely to be fooled by facial >>>hair and other superficial disguises. It's probably a fairly simple >>>technology, and could be applied to the credit card ID problem. >> >>I think this is based on looking at your face with near-infrared, not the >>medium and far (thermal) infrared. Near infrared is supposed to penetrate >>flesh far better, so your blood vessels are visible and form a pattern >>which can be recognized. >> >>Jim Bell >>jimbell at pacifier.com > >Jim, > >Where did you get your info? Near IR is around 1-1.5 microns, at these >wavelengths, the body radiates very little energy. I think most of the >systems you are discussing use mid (3-5) or long-wave (8-12) IR, where >objects that are room to body temp radiate most of their energy. I get most of my information in this area from Photonics Spectra magazine, and Laser Focus World magazine. No, Clay, I did not say that the flesh RADIATED near IR. (it does, but only a very tiny amount.) The identification system I describe would probably use 940 nm IRLEDs to illuminate the face, and a silicon CCD detector to pick up the images. Or it would use ambient near-IR, perhaps from the sun or a tungsten filament or fluorescent lighting, along with an IR filter to ensure that the CCD camera picked up only the IR bands of interest. It would be easy to check out the results: Put such an IR-passing filter in front of a CCD-based camcorder, and take a picture of somebody. Incidentally, this simplicity shows the flaw in using this kind of system as an identifier: Since people's faces are usually visible, and can be photographed in the near-IR surreptitiously, it isn't clear how to prevent faking a face which appears to have the same IR signature and pattern. Jim Bell jimbell at pacifier.com From sjb at universe.digex.net Fri Apr 12 14:55:45 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 13 Apr 1996 05:55:45 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604111740.NAA21264@jekyll.piermont.com> Message-ID: <199604112313.TAA23689@universe.digex.net> "Perry E. Metzger" writes: >Scott Brickner writes: >> Anyway, you computer creates the IP packet, but then sends it to your >> ISP's router. That router *always* makes changes to the packet header >> because it must decrement the time-to-live field and recompute the >> header checksum. > >There is a trivial trick for making the decrement TTL/change checksum >operation very fast, based on noting how a decrement would change the >checksum. Most very high speed routers attempt to avoid doing ANY >processing of the packets at all beyond this, and IPv6 has no header >checksum partially in order to reduce this overhead further. Forcing >routers to do more work is a Very Very Bad Idea. As I pointed out in a private note to Perry, it's not the high-speed routers that have to change the packets. They typically are between the sort of ISPs that would get "network common carrier" status, and could rely on the options added (or not) by the other side. It's only when the packet crosses the border from outside the "common carrier" net to inside that the header needs changed, and that's usually at a terminal server, not a "very high speed router". From dwl at hnc.com Fri Apr 12 14:58:41 1996 From: dwl at hnc.com (David Loysen) Date: Sat, 13 Apr 1996 05:58:41 +0800 Subject: No matter where you go, there they are. Message-ID: <199604121604.JAA02423@spike.hnc.com> [CHOMPED] > Close, but not quite: >S/A is an ADJUSTABLE variable, not on/off. it can reduce accuracy to >10 meters or 100 meters or whatever. It's a DoD term, not NWO term. > The "this is where you really are" percision location (forgot >the designation off hand) is ENCRYPTED (yes, there is crypto >revelance here...) in the data stream from the satellites. The >difference S/A makes is on the order of magnitude, therefore not >"useless." It should be pointed out that different regions of the >earth can have different degrees of accuracy based on the S/A system. > I doubt S/A will ever be turned off, but this is my opinion. I >know Jim's opinion. Discussion of this point is pointless. > DGPS transmission are made from a multiple single points, which >(to the best of my knowledge) are not networked. > glenn Does anyone else get a little upset at the thought of one Government agency (DoD) spending money to install the GPS system, then making it less accurate than it should be, and then a second Government agency (US Coast Guard) spending money to improve the system by installing DGPS stations. Plus, in order to get the real accuracy of GPS right now I have to spend more money on a much more expensive DGPS unit. Pisses me right the F### off. From rah at shipwright.com Fri Apr 12 15:15:31 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 13 Apr 1996 06:15:31 +0800 Subject: Demonizing the Opposition: Bruce "The Toolman" Taylor Message-ID: <v02120d0cad94054e9da6@[199.0.65.105]> At CFP96, Bruce Taylor, Brock Meek's "lawyer with brass balls", and Declan McCullagh's "architect of the CDA" (who seems like a Pretty Stand-Up Guy, except he wants to tell us how to think), sat on the dias and made repetitive inflamatory references to a picture of "female genitalia nailed to a board", and others to a picture of "a penis with a blister on it", citing them as examples of the Rampant Filth and Corruption We Find on the Internet Today, Brothers and Sisters, Say Haleluja. Unfortunately, as hard as I tried to remain true to the Spirit of CFP, and not Demonize the Opposition, I couldn't help but come up with a spiffy new moniker for Mr. Taylor, which I will try to remember to use from time to time, viz., Bruce "Penis with a Blister" Taylor abbreviated PWAB, or "Blister" I suppose Of course, the CDA-able version of this proposed new handle would be, Bruce "The Toolman" Taylor shortened to "Toolie"? "The Tool"? "Toolboy"? ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jya at pipeline.com Fri Apr 12 15:18:53 1996 From: jya at pipeline.com (John Young) Date: Sat, 13 Apr 1996 06:18:53 +0800 Subject: Mardi Gra Cash Card Message-ID: <199604121538.LAA29724@pipe1.nyc.pipeline.com> WSJ 4-12-06 reports that England's "Mardi Gra" bomber is demanding of Barclays "access to the bank's cash reserves through the use of a special cash card, although details could not be confirmed." Police are communicating with the bomber through cryptic notices in personal columns of newspapers, the latest stating: "MARDI GRA We are ready to help and give value. Contact us on the verification number." Barclays says 25 bombs have been sent to its branches. The bomber -- who has been compared to America's Unabomber -- may be a former employee among those 18,500 laid off during the past 5 years, or a small businessman with a grudge. [Or ...] From daw27 at newton.cam.ac.uk Fri Apr 12 15:22:07 1996 From: daw27 at newton.cam.ac.uk (D.A. Wagner) Date: Sat, 13 Apr 1996 06:22:07 +0800 Subject: RC4 improvement idea In-Reply-To: <199604120717.AAA17361@mail1.best.com> Message-ID: <199604121550.QAA19509@jordan.newton.cam.ac.uk> > At 02:57 AM 4/9/96 -0700, David Wagner wrote: > > For one key in 256, you have a 13.6% chance of recovering 16 bits of > > the original key. > > > > On average, the work factor per key recovered is reduced by a factor > > of 35 (i.e. the effective keylength is reduced by 5.1 bits) by using > > this class of weak keys. > > Why do you not just assume the last byte of the key is 0x4A > > Then for one key in 256 the effective keylength is reduced by a > whole 8 bits instead of a measly 5.1 bits. No. The 5.1 bit figure is averaged over the whole damn keyspace. If you pick a random 40 bit key (not necessarily a weak key), and I apply the Andrew Woos attack, I can guess your key with 2^{40-5.1} = 2^34.9 work factor, on average. Look. 1 in 256 keys are weak. For a weak key, you have a 1/7.35 = 13.6% chance of recovering 16 bits of the key. This is an advantage for the attacker, as 2^16 / (256*7.35) = 34.8 = 2^5.1 > 1. Suppose you called keys with the last byte 0x4A jamesd-weak. 1 in 256 keys are jamesd-weak. For a jamesd-weak key, you have a 1.0 = 100% chance of recovering 8 bits of the key. This is not an advantage for the attacker, as 2^8 / (256*1.0) = 1.0. Keep an open mind, -- Dave Wagner From jimbell at pacifier.com Fri Apr 12 15:23:02 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 06:23:02 +0800 Subject: questions about bits and bytes Message-ID: <m0u7lBY-0008yHC@pacifier.com> At 09:17 PM 4/11/96 -0500, Sten Drescher wrote: >>>>>> jim bell writes: > >jb> At 06:29 PM 4/10/96 -0700, Simon Spero wrote: >>> No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. > >jb> I notice you gave no examples. Why is that? > > As I recall, the Honeywell H6000 used 6-bit bytes and 36-bit >(6 byte) words. Here's the problem with this kind of counter-example: You do not explain whether or not these data structures were actually called "bytes" by the manufacturer, or whether the term "byte" was inflicted later on by people who didn't know better. Remember, in the absence of any name for a "6-bit data object" I'm sure the temptation was probably very strong to misuse a term, especially in hindsight. See, I do not challenge the fact that there were plenty of data objects of length other than 8-bits. The issue is whether or not the people back then actually believed that a correct, official usage of the term "byte" included lengths other than 8. Dmitri Vulis at least acknowledged that when he looked back into the documentation, he discovered that the term used for his counter-example was "character", not byte. How many other of these counter-examples would show this kind of thing? From tcmay at got.net Fri Apr 12 15:27:38 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 06:27:38 +0800 Subject: On computer face recognition: Message-ID: <ad931b9413021004c822@[205.199.118.202]> At 7:14 PM 4/11/96, David Loysen wrote: >Take a peak at http://www.neci.nj.nec.com/homepages/lawrence/papers. One of >Lawences papers is on using Neural networks to recognize faces. Methinks >that the state of the art is advancing rapidly and such problems as not >looking at the camera or changing your expression are rapidly being overcome. One system I read up on a few years ago relied heavily on ear shape....it seems that the profile of ears varies tremendously and ear profiles are fairly easy to get a kind of hash of, assuming the ear profile is not obstructed by hair. "Get a haircut" may once again return to favor. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From trei at process.com Fri Apr 12 15:31:28 1996 From: trei at process.com (Peter Trei) Date: Sat, 13 Apr 1996 06:31:28 +0800 Subject: No matter where you go, there they are. Message-ID: <199604121441.HAA08990@toad.com> > From: Roger Williams <roger at coelacanth.com> > >>>>> Hal <hfinney at shell.portal.com> writes: > > > Note however that Denning did not mention the Internet in her > > spiel. > > Well, assuming that she wrote *any* of the spiel, she does: > > "Where it works > > ... Location-based > authentication could facilitate telecommuting by countering the > vulnerabilities associated with remote access over dial-in lines and > Internet connections..." She wrote it. The original of the paper may be found at http://all.net/journal/csi/csi-96-01.html Peter Trei trei at process.com From steve at edmweb.com Fri Apr 12 15:33:54 1996 From: steve at edmweb.com (Steve Reid) Date: Sat, 13 Apr 1996 06:33:54 +0800 Subject: bits and bytes / CDA perverting net protocol In-Reply-To: <01BB279B.115D6C50@bcdev.com> Message-ID: <Pine.BSF.3.91.960411172854.13632A-100000@kirk.edmweb.com> > In a past life I worked on a Honeywell DPS8 box that had > 36 bit words and 9 bit bytes. > -Blake (recalling the random evil flags that extra bit was used for) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Ooo! Ooo! Let's go back to the 9-bit bytes! The ninth bit could be the adult/minor flag! Let's toss away all of our computers! Buy new equipment! Just to accomodate the CDA! The ninth bit would be perfect for this! Every single byte could be flagged as Adult or Minor! Every byte with a value > 255 would be only available to adults. If you use numbers > 255, then the 9th bit would be set, and we would know you're an adult since minors can't count to 256! Small print: The "9th bit adult/minor flag" is the intellectual property of Steve Reid. Unauthorized users of the "9th bit adult/minor flag" will be prosecuted to the fullest extent of the law. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | Alternate email: sreid at edmbbs.iceonline.com sreid at sea-to-sky.net | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | --- DISCLAIMER: JMHO, YMMV, IANAL. --- | ===================================================================== From tcmay at got.net Fri Apr 12 15:48:30 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 06:48:30 +0800 Subject: On computer face recognition: Message-ID: <ad931cb2140210040b59@[205.199.118.202]> At 6:48 PM 4/11/96, Alan Horowitz wrote: >How do _people_ recognize faces? Still an open question, last I heard. It may be unknowable, at least in a formal sense. That is, we know that babies can recognize the faces of their mothers in fractions of a second (no, I don't have a reference for this, but I remember the number from my days as an AI person at Intel). There may be no simple description that is used, such as angles between eye line and mouth, convexity of chin, whatever. What is important is that face recognition happens in about 30-100 "cycles" of the brain, implying massive parallelism (hardly surprising). There are, of course, very few recognition algorithms that run on conventional computer architecures in so few cycles. By "unknowable" I don't mean "supernatural," merely not practically describable as an algorithm runnable on conventional von Neumann-type machines. "Neural net" is the buzzword usually associated with this. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vznuri at netcom.com Fri Apr 12 15:53:58 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 13 Apr 1996 06:53:58 +0800 Subject: Digital Cash Escrow In-Reply-To: <ad91bd700a02100484a7@[205.199.118.202]> Message-ID: <199604112027.NAA17193@netcom7.netcom.com> TCM: > >At 10:14 PM 4/10/96, Bill Stewart wrote: > >>Of course, if you happen to become dead while you're storing it, >>the paper cash is far more useful to your heirs, so I assume we'll have >>a government-sponsored cash-escrow system announced soon to protect >>the government's interest in collection of inheritance taxes... > >Don't give them ideas, Bill! They are known to monitor our list for >insights into what to regulate next, and I can see the 15-watt lightbulbs >going on over their heads as they ponder the wonderful opportunities >presented by "digital cash escrow." give me a break!!! the future government attempts to squelch, suppress, restrict, prohibit, regulate, tax, spindle, and mutilate Digital Cash will make Clipper look as significant and threatening as a christmas tree ornament. we have not seen the tiniest shred of the panic and paranoia that will resonate through government once they get a clue about what Digital Cash means to the future of the world. furthermore, it is my belief that there are some very rich people that effectively control our governments, who have strangleholds on various aspects of the world economy that will become a tad upset as well. as I wrote in an earlier essay, the possibilities of combining digital cash with stock market company shares suggest a radical new economy that would have the potential to topple a lot of very powerful existing interests, in the way that printing presses once toppled the Church. to borrow a bit of Chinese black humor, "we live in interesting times". we will be living in even more interesting times shortly. From tcmay at got.net Fri Apr 12 16:23:34 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 07:23:34 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <ad931eee1502100491ce@[205.199.118.202]> At 5:36 AM 4/11/96, jamesd at echeque.com wrote: >At 10:36 PM 4/9/96 -0400, JonWienke at aol.com wrote: >> Would anyone like to propose a means of measuring entropy that we can all >> agree on? I haven't seen anything yet that everyone likes. > >Nor will you: To measure entropy is a deep unsolved philosophical >and physical problem. Indeed. That there can be no simple definition of entropy, or randomness, for an arbitrary set of things, is essentially equivalent to Godel's Theorem. (To forestall charges that I am relying on an all-too-common form of bullshitting, by referring to Godel, what I mean is that "randomness" is best defined in terms of algorithmic information theory, a la Kolmogorov and Chaitin, and explored in Li and Vitanyi's excellent textbook, "Algorithmic Information Theory and its Applications.") Think of it this way: when can a set of things, a string, etc., be _compressed_. Answer: whenever a compression is found. Most things have no real compressions, that is, they have no shorter description than themselves. But they _might_ have a shorter description, a compression, and we can never say for sure that they do not. Thus, even a set which we think is of "high entropy" (roughly, "high randomness" or "no order" or "not compressible") may actually have some hidden order, or compressibility, not apparent at first glance. That we can never know when we have achieved maximum compression is a profound result of modern mathematics and information theory. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From cp at proust.suba.com Fri Apr 12 16:27:17 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 13 Apr 1996 07:27:17 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604120314.WAA05634@homeport.org> Message-ID: <199604121744.MAA08365@proust.suba.com> > Snow Crash is a book about a future in which governments are > ineffective. Companies run things, and have complete local control. > The world has gone to hell, and as a result, life is nasty, poor, > brutish and short. Many people do not look forward to this world. > Thats an understandable reaction; when I first heard about anonymous > assasination markets, I thought it was pretty bizzare as a world to > look forward to. I agree with you that it's a pretty bizzare world to look forward to, but how likely is it? It's always seemed to me that both sides of the crypto debate have been overselling the changes crypto is going to bring. Crypto won't make surveillance impossible, it will make it expensive. That's a big difference. My computer is loaded up with crypto. I use pgp, ssh, sfs, cfs, etc., every day. I've picked strong passphrases, and I edit sensitive files on a ram disk. But getting my data would be child's play for the nsa if they were interested enough in me to come into my apartment and make an active attack. Military security depends as much upon military discipline and procedure as it does on strong crypto tools. When crypted email becomes the norm, remember that 95% of the keys in the world will be sitting on hard drives in the clear or protected by passphrases like "bob1". Software that forces people to pick strong passphrases won't be popular in the marketplace. I know: I run an ISP, and everytime I tell someone how to pick a password, they always come back with "bob1". There's a mindset out there that says, "the only way to fight crime is to do massive surveillance." I don't buy it. Surveillence technology is fairly new, and there were law abiding societies before it was deployed. It's like people who feel that the only way to stop violence in cities is to take away guns. If that's true, how come there are so few murders in Western Nebraska (I have family there), where almost everyone is armed? The truth is the police do surveillence easily and cheaply now, and it's not working. Things are getting worse in many places, not better. Beat cops who talk to people and who know the neighborhood are more effective than spooks in vans or centralized monitoring facilities with sophisticated electronics. If we don't want crime, we're going to have to make sure people have enough skills to develop other economic opportunities. The answer is jobs, not a telescreen in every home. It is true that law enforcement has been building up a giant surveillance apparatus over the past couple of decades, and that crypto is going to kill it. But it's also true that the buildup in surveillence has coincided with a decrease in the effectiveness of police forces in general. Surveillance is good for massive beauracracies with bloated budgets who work behind closed doors and who aren't held accountable for their failures. It's not good for fighting neighborhood crime. I reject the opposition's premise: surveillance is not necessary to keep the four horsemen at bay. How can they have the chutzpah to demand that I sacrifice my civil liberties in the name of the drug war, when everyone in Chicago knows that dealers are allowed to sell without harassment on literally thousands of street corners in this city? They don't need clipper to stop the crack trade, they need to send cops out to arrest the people who are standing out in broad daylight selling and buying. It doesn't take a gps system to track them down. From unicorn at schloss.li Fri Apr 12 16:58:16 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 07:58:16 +0800 Subject: Mystery of the unsuvscrives: SOLVED? Message-ID: <Pine.SUN.3.91.960412130613.20272A-100000@polaris.mindport.net> On replying to one of the many recent unsubscrivers I got this in return: A creative spam attack? ---------- Forwarded message ---------- Date: Fri, 12 Apr 1996 11:34:53 +0100 From: Batman <batman at infomaniak.ch> To: Black Unicorn <unicorn at schloss.li> Subject: Re: your mail On Thu, 11 Apr 1996, Black Unicorn wrote: > On Thu, 11 Apr 1996, Batman wrote: > > > Please PUT me OUT of YOUR cypherpunks AND other MAIL-LISTS > > > > Thankx > > Please LEARN to UNSUBSCRIBE from MAILING lists and OTHER THINGS. > > --- > My preferred and soon to be permanent e-mail address:unicorn at schloss.li > "In fact, had Bancroft not existed, potestas scientiae in usu est > Franklin might have had to invent him." in nihilum nil posse reverti > 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > I don't think you're the mail-list admin, so, don't send me your advices. I've been flooded and put in that shit mail-list without my permission. GET OUT From shamrock at netcom.com Fri Apr 12 17:06:17 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 13 Apr 1996 08:06:17 +0800 Subject: [NOISE] Why there are so many cluless people Message-ID: <v02120d39ad9446cc8b78@[192.0.2.1]> Today, I heard a commercial on the radio. Some company wants to help you make $1k+ per day as an Internet expert. Simply listen to their one week audio tape course and you know everything you need to work as an Internet consultant. Sigh, -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From sjb at universe.digex.net Fri Apr 12 17:19:18 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 13 Apr 1996 08:19:18 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604111939.MAA14774@toad.com> Message-ID: <199604121822.OAA01246@universe.digex.net> Bill Stewart writes: >There are serious technical problems with the suggestion that labelling packets >as "Adult" or "Child" using IP options and filtering at ISPs for censorship. Few of the following are really *technical* problems. >IP works on a per-machine basis (technically, a per-network-interface basis, >though for most client machines that's the same thing.) That means that a >web or nntp server including some "Adult" material and some "Child" material >either needs >a way for an application process to communicate this to the network drivers, >or needs to label all packets as "Adult" to avoid the politically incorrect risk >of mislabelling a packet as "Child" when it's not. The standard TCP/IP API >programming interface software on Windows, Mac, and Unix machines doesn't >provide >for applications to _tell_ the network drivers about IP options, so even if >IPng had censorship features added, the applications couldn't use it. >(There are a few military multi-level security versions of Unix that give >you more flexibility for this sort of thing, but they tend to provide >mandatory security so you _can't_ send a packet marked "UNCLASSIFIED" from a >"TOP SECRET" session.) This is more of an economic problem than a technical one. By the "standard API" we usually mean "BSD sockets", which already has a "getsockopt()" and "setsockopt()" interface for the application to communicate this sort of thing. Adding a SO_SECCLASS to change the setting from the system default would be pretty straightforward, technically. >Another problem is that it only addresses single-user client machines, >rather than multi-user operating systems such as Linux, which has a million >or so >users out there. The model works fine when you treat a PC as a fancy version of >a dumb terminal, but a machine shared by multiple users (whether many at one >time, >or one at a time) uses a single connection to support all of them - that >means you >can't have censored material available to the child and uncensored material >available to the parent unless the networking software can pass the censorship >labels on to the application program - but again, the standard operating system >interfaces (developed over many years by thousands of The Free World's finest >developers :-) don't have a way to implement it, because it was never a >design goal. Actually, this is a bit of an "ivory tower" picture of the Internet. Conceptually, the protocols are purely peer-to-peer, but in the real world, those end-user Linux boxes go through an ISP. The User to ISP link is governed by a contrac, which may specify filtering done at the ISP. If you want to access "adult" material, but don't want your kid to be able to, you should get a separate filtered PPP account for the kid. >Trying to implement censored sessions at a transport level instead has its >own problems. >First of all, TCP provides reliable sessions; censoring packets based on IP >labels >in the middle of a transaction means that TCP will retransmit until the >packet gets >through or it gives up and drops the connection, so any "Adult" packets would Not so. If one end of the connection is discarding "adult" packets, the SYN packet attempting to establish the session will *also* be dropped, probably resulting in a "connection refused" (from a RST by the other side) or "destination unreachable" (from the IP module that discarded it). >dump a Registered Child out of the browser, even if they were unintentional Dropped connections don't dump you out of the browser. You just get a popup. (If it *does* dump you out, get a new browser.) >(e.g. from an Adult who labels all packets "Adult" to avoid being liable for >mistakes, >or packets from Europe that were default-labelled by a service provider to avoid >having to read them all, or from the Library of Congress Online Edition if >the Librarian >labels each packet correctly.) Again, these aren't technical issues, they're social. A European company who sends a dirty magazine to a sixteen year old American is violating existing non-CDA decency laws. >On the other hand, UDP packet exchange, >which doesn't >use sessions, would require validating the user's ID and authorization on >each packet. True, but this isn't a problem. The "validation" is simply a matter of checking the "information level" in the packet with the "authorization level" of the user. If the ISP is filtering adult packets, the "authorization level" is a constant per PPP connection. If the ISP is inserting "information levels", it's still constant per PPP connection, but now the content provider needs to check if the request is permitted to be fulfilled. In either case the test is trivial. It's not like there has to be a key exchange and RSA exponentiation for each packet. >Furthermore, if the censorship information is carried at the transport level, >or at a higher level (i.e. headers in the message itself), the only way the >ISP's routers, which work at the IP level, can censor packets is to perform the >equivalent of the Post Office steaming open envelopes before delivering them >to your house, and refusing to deliver them if there's a child living in the >house >and the letter either contains a bad word or is written in a language the >Post Office doesn't understand, such as Finnish or Japanese or PGP. Agreed. But the current discussion is about adding features to the network layer. >If you create outgoing packets that are labelled "Minor", and contain >"Restricted to Government-Certified Adults Only, and No Felons or >Foreigners Allowed" material, you can get busted for it. >So you have to either restrict all your outgoing packets to be labelled >"RtG-C Adults O,aNFoFA", or else make sure all the material you transmit >passes the "Government-Approved-for-Minors, Foreigners, and Victorian >ladies" filter. > >On the other hand, if you don't log in to your ISP with a >"government-certified adult, >non-felon, non-foreigner, politically stable, not-a-Commie-or-Jew" id, >it'll block any packets not approved for you. Any news or web server will also >have refuse to send any "Adult"-labelled material to you if the requests >arrived on a "Kid"-labelled connection - this means that either the server >machine >will have to only carry Kid-approved traffic, or only talk to Adults, >or add an "Adult" label to all outgoing packets whether marked "Kid" or not, >or else it will have to break protocol boundaries by passing IP-layer >information >up to the application. Regardless of whether information is added at the network layer to communicate the "adult/minor" information, knowingly sending web pages with adult material to a minor is illegal. With current implementations, providers have the excuse that they have no way of knowing that the requester is a minor. If the information is added to the protocols, they lose the excuse. Again, this is a social matter, not a technical one. The point about breaking protocol boundaries is an interesting one, and as far as I am concerned, the *only* technical issue you raise. I note that the IP layer's "Security Compartment" option, which is one I've suggested might be used to implement the censorship, already provides exactly this "violation". The "Stream ID" option and "Type of Service" field are similar "violations". The TCP layer gives the application layer the "Urgent" and "Push" flags, which are arguably similar "violations". Again, I'd like to emphasize that I think implementing this suggestion would be censorship, and do more harm than good. I really hope someone can come up with a solid technical reason why doing this won't work, but the more I think about it, the more I think it *will* work. I maintain that the CDA is bad socially, but that support for it at the network layer is technically possible. From Doug.Hughes at Eng.Auburn.EDU Fri Apr 12 17:21:17 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Sat, 13 Apr 1996 08:21:17 +0800 Subject: questions about bits and bytes In-Reply-To: <m0u7Ov4-000903C@pacifier.com> Message-ID: <doug-9603121634.AA0247400@netman.eng.auburn.edu> On Apr 12 at 8:07 jim bell wrote: > >Are you sure they're not referring to 8 bits of data and a parity bit? In >any case, please give the address to the list so that it can be checked out. > > > Come on, give it up already and admit you were wrong. At least 8 different people have cited examples of machines that supported non 8bit bytes. Your pride is getting the best of you. If you mean 8 bits, you should really say Octets as has always been the form of Internet RFC's where the distinction is important. It may be standard today, but it was not always so.. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From stewarts at ix.netcom.com Fri Apr 12 17:22:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Apr 1996 08:22:35 +0800 Subject: No matter where you go, there they are. Message-ID: <199604121849.LAA12509@toad.com> [ Dorothy - there's been substantial discussion on cypherpunks about your position escrow proposal; the paper that's on your web page was posted here.] At 03:01 PM 4/11/96 -0400, perry at piermont.com wrote: >Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com writes: >> Suppose I want to pretend that I am 1000 feet closer to satellite 4 than >> I really am. Simple, I take the signals from all the other satellites >> and delay them by 1 microsecond. That looks like a 1 microsecond >> local timebase error together with a 1 microsecond delay reduction >> to satellite 4. >Aren't things even worse? Since the satelite signals are not >authenticated with anything like public key methods, couldn't I just >synthesize a signal appropriate to any spot on the planet, knowing the >positions of the satelites relative to that spot? No, you can't. One problem is that the Selective Availability coding isn't predictable, since it uses some kind of secret military code - so you don't know what its values are until you hear them. So as long as you share any satellites with the recipient, you need to be sure to output the correct codes for that satellite, which means you need to either be in range or have access to some internet "position remailer" site that's making them available. As far as predicting relative timing between satellites to fake your position, if that's sufficiently unpredictable that you can't fake it, as Denning and MacDoran say, then it should also be equally unpredictable to the verifier who wants to know if you're telling the truth or faking it. And if you require systems to respond to requests for "Where are you now?" or especially "Where were you on the night of April 13th at 8:37pm?", the spoofer can request that information just as easily as the verifier. One method that could be used to prevent faking is GPS receivers with "tamperproof" digital signature capability, which would not only receive the location information but sign it; that's not much more secure than just having a "tamperproof" token in the first place. As far as the multipath issues that some people have brought up, I searched for "MacDoran" on altavista, and found several papers on GPS multipath, so they're aware of the issue, though I don't know how they're planning to address it. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From holovacs at styx.ios.com Fri Apr 12 18:25:14 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Sat, 13 Apr 1996 09:25:14 +0800 Subject: On computer face recognition: In-Reply-To: <Pine.SV4.3.91.960411144737.17506D-100000@larry.infi.net> Message-ID: <Pine.3.89.9604121506.A6799-0100000@styx.ios.com> This is a significant area of research, and is not that well understood. It is known that a dedicated area of the brain is used, and that damage to this area keeps people from recognizing faces even though they may retain their ability to recognize objects generally. Face recognition is much tougher than it would seem. ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 On Thu, 11 Apr 1996, Alan Horowitz wrote: > How do _people_ recognize faces? > From stewarts at ix.netcom.com Fri Apr 12 18:27:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Apr 1996 09:27:53 +0800 Subject: questions about bits and bytes Message-ID: <199604121934.MAA13397@toad.com> At 09:05 AM 4/11/96 -0800, jim bell <jimbell at pacifier.com> wrote: >>- From a really quick web search, we find that the SGI Impact jams 9-bit >>bytes [that's what it says] across the Rambus internally. I'm not sure >>if the memory itself is 9-bit. > >Are you sure they're not referring to 8 bits of data and a parity bit? In >any case, please give the address to the list so that it can be checked out. www.altavista.digital.com, which is the address of almost everything :-) If you don't count the parity bit as part of the byte here, you probably shouldn't count it in a typical 7-bit-ASCII-plus-parity situation either. As far as jamming 9-bit-bytes across a bus, that almost certainly _is_ 8 bits of data and one parity bit; people have been agitating for and debating parity on memory busses for a long time. AT&T's Datakit switch (an ancestor of ATM) used 9-bit bytes on its data busses, where 8 bits were data-from-outside and one bit was a control-vs-data indicator, which let cards listening to the bus decide whether to think about the byte with their control processors or just shove them onto an output wire. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 19:29:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 10:29:52 +0800 Subject: "Contempt" charges likely to increase Message-ID: <01I3GRDPKA348Y510B@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 6-APR-1996 16:17:13.99 >I might add that the Cayman Islands are full of trust companies with >provisions which forbid the disclosure of data to a client who is >coerced. A law on the books refuses to recognize "consent" orders made >under judicial compulsion. This would give the appearance of total >unavailability of evidence and suggest the futility of contempt >charges. Yet courts have still, and with no small measure of success, >imposed sanctions on witnesses so protected. What measure of success? Getting the data, or locking up the witness? -Allen From mclow at owl.csusm.edu Fri Apr 12 19:45:02 1996 From: mclow at owl.csusm.edu (Marshall Clow) Date: Sat, 13 Apr 1996 10:45:02 +0800 Subject: Protocols at the Point of a Gun Message-ID: <v03005b03ad94a136129f@[206.126.100.99]> Scott Brickner wrote: >Somebody who might be Marshall Clow wrote: >>Multiple IP #s, multiple machines, multiple users, ONE account. >>Which router will insert the "suggested" flag, and how will it decide which >>packets to tag? > >The way I envision it (in my nightmares), you'd have two options: have >the account configured as "kid safe", and live in a cyberspace playground, >or have it configured as "adult", and accept responsibility for your kids' >use. > I have no problem whatsoever with this. Guess which option I'd choose :-) However, given the hysteria that is surrounding the CDA, etc., I think that the second option would be "politically unacceptable". The whole thrust [ sorry for the sexual imagery ;-) ] behind [ oops, now it's sodomy ] the CDA is that it's not good enough for parents to take responsibility for their children's use; the government must be involved. -- Marshall Marshall Clow Aladdin Systems <mailto:mclow at mailhost2.csusm.edu> "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From jim at ACM.ORG Fri Apr 12 20:14:56 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Sat, 13 Apr 1996 11:14:56 +0800 Subject: Answer about bits and bytes In-Reply-To: <m0u7lBY-0008yHC@pacifier.com> Message-ID: <199604122104.OAA01053@mycroft.rand.org> jim bell <jimbell at pacifier.com> writes: >See, I do not challenge the fact that there were plenty of data objects of >length other than 8-bits. The issue is whether or not the people back then >actually believed that a correct, official usage of the term "byte" included >lengths other than 8. Reading from the PDP-10 Reference Handbook (DEC, 1971) page 2-30, we read: To conserve memory, it is useful to store data in less than full 36-bit words. Bytes of any length, from 1 to 36 bits, may be entered using a BYTE statement. BYTE (N) X,X,X The first operand is the byte size in bits. It is a decimal number in the range 1-36, and must be enclosed in parentheses. ... In the following statement, three 12-bit bytes are entered: LABEL: BYTE (12)56,177,N This assembles as... and so on. The PDP-8 "Introduction to programming" (1970) has similar remarks, though not as explicit. On page v in the introduction it says o A six-bit byte swap instruction that provides much faster... and in the description of special periph ops on page D 1-15: VBA 6534 BYTE ADVANCE command requsts next twelve bits, data ready flag is set. I suggest you gracefully back off, if it's still possible. Jim Gillogly Sterday, 22 Astron S.R. 1996, 21:04 From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 20:31:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 11:31:14 +0800 Subject: Spinners and compression functions Message-ID: <01I3GRB38EY28Y510B@mbcl.rutgers.edu> I have had a somewhat related idea to this on compression regarding steaography and which bits are the best ones to use. How about those that a lossy compression method that's reasonable loses first? These are the ones that aren't going to be noticed by the viewer, and (if the compression method is good) will have at least somewhat higher entropy than the rest. -Allen From hoz at univel.telescan.com Fri Apr 12 20:50:48 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Sat, 13 Apr 1996 11:50:48 +0800 Subject: Entropy Estimator Message-ID: <199604122106.OAA15596@toad.com> At 12:19 AM 4/12/96 -0400, JonWienke at aol.com wrote: >I just added a feature to my entropy graphing program that >estimates the number of bits of entropy in the file, Hey, that's just what I need. I have these two 8-million byte files. One is a recording made by a geiger counter, every bit is uncorrelated with anything else in the universe and each bit is equally likely to be a one or a zero. The second file is an IDEA encryption of all the four-byte numbers from one to two-million. Here's my problem. I can't remember which file is which, and I've forgotten sixty-four bits of the key I used to produce the encrypted file. That's where your technique come in. The first file has sixty-four million bits of entropy. The second file has only sixty-four bits of entropy, total (the missing key bits). Surely, your technique can tell me which file is which. Estimating entropy can be difficult, and I don't expect perfection. But any measuring technique that is not a complete HOAX must be able to clearly find a difference of six orders of magnitude. If you tried to give me a ruler that couldn't detect the difference between a millimeter and a kilometer, I might think you misunderstood something about the concept of distance. If encouraged me to use a clock that could not measure the difference between a minute and a year, many would conclude that you were not an expert in chronology. So, if your technique is worth anything at all, it should be able to accomplish this easy task. PS. I think it is your patriotic duty to report this technique to the Federal government. They frequently need to distinguish between ciphertext and just plain random digits. A breakthrough like this would have a major impact on national security. They might be willing to remove ITAR restrictions from cryptography, out of gratitude to the cypherpunks. From frantz at netcom.com Fri Apr 12 20:54:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 13 Apr 1996 11:54:58 +0800 Subject: PICS Message-ID: <199604130056.RAA11192@netcom9.netcom.com> I had a chance for a brief look at the PICS protocol, and it seems to have a lot of cypherpunks relevance. It includes features such as: Multiple third party rating systems Digital signatures I will have to find time to look at it in more detail. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From wcs at idiom.com Fri Apr 12 21:19:25 1996 From: wcs at idiom.com (Bill Stewart) Date: Sat, 13 Apr 1996 12:19:25 +0800 Subject: Cypherpunks Bay Area - Saturday 1:00 Printer's Ink Message-ID: <199604122337.QAA20471@idiom.com> The usual suspects for meeting places having fallen through, there will be a Bay Area Cypherpunks meeting at 1:00 Saturday at Printer's Ink on Castro Street in Mountain View. Meet at the outside tables by the side of the building, and we'll see if the meeting migrates from there. If we're not there, and the meeting has moved when you arrive, look for a note on a lamppost in front of the building. Directions: Castro Street goes between the Central Expressway and El Camino Real in the middle of Mountain View; Printer's Ink is on a corner in the middle. Parking is around back. Coffee is upstairs, books are inside. Directions from far away - take Route 101 to the Moffett exit, head west/south, watch the street name mutate at the Central Expressway and train tracks. Public Transit: Take CalTrain to the Mountain View Exit, walk about three blocks west/south. Agenda: As you've guessed from this highly timely notice, there's a full schedule of events planned. I'd like to talk about remailer spam prevention, and there's been a lot of activity recently on Denning's position escrow, Scientology court cases, CDA, and other entertaining politics. Thanks! Bill Replies to: stewarts at ix.netcom.com From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 21:25:33 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 12:25:33 +0800 Subject: Edited Edupage, 4 April 1996 Message-ID: <01I3GR89SYDY8Y510B@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 5-APR-1996 01:25:00.85 >***************************************************************** >Edupage, 4 April 1996. Edupage, a summary of news items on information >technology, is provided three times each week as a service by Educom, >a Washington, D.C.-based consortium of leading colleges and universities >seeking to transform education through the use of information technology. >***************************************************************** >IBM'S INTELLIGENT MINER DIGS OUT THE GOOD STUFF >IBM plans to offer companies "data mining" software and services, allowing >them to make better use of disparate pieces of information stored in their >computer systems. The Intelligent Miner software will be available on IBM's >RS/6000 servers by the fall, and on other platforms by year end. The >company also plans to develop Intelligent Decision Server software for local >area network-based information analysis. (Investor's Business Daily 3 Apr >96 A9) Anyone have any _specific_ ideas on how their Intelligent Miner system works? It would appear to be relevant to the identity-spoofing discussions. -Allen >Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas >(douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. >Technical support is provided by the Office of Information Technology, >University of North Carolina at Chapel Hill. >*************************************************************** >EDUPAGE is what you've just finished reading. To subscribe to Edupage: send >mail to: listproc at educom.unc.edu and in the body of the message type: >subscribe edupage Marilyn Monroe (if your name is Marilyn Monroe; if it's >not, substitute your own name). ... To cancel, send a message to: >listproc at educom.unc.edu and in the body of the message type: unsubscribe >edupage. (If you have subscription problems, send mail to >educom at educom.unc.edu.) From rah at shipwright.com Fri Apr 12 21:33:45 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 13 Apr 1996 12:33:45 +0800 Subject: Protocols at the Point of a Gun Message-ID: <v02120d00ad94ab019591@[199.0.65.105]> How fortuitous! At 8:09 PM 4/12/96, Marshall Clow wrote: > However, given the hysteria that is surrounding the CDA, etc., I think >that > the second option would be "politically unacceptable". The whole thrust [ > sorry for the sexual imagery ;-) ] behind [ oops, now it's sodomy ] the >CDA > is that it's not good enough for parents to take responsibility for their > children's use; the government must be involved. Yeah. What *he* said. Actually, this gratuitous waste of bandwidth brought to you by my new .sig, courtesy of my samoan attorney, one Vincent Moscaritolo. Vinnie, to his friends... Cheers, Bob Hettinga Note new .sig! \|/ \|/ \|/ V V V ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they just passed a few more laws, we could all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From die at pig.die.com Fri Apr 12 21:37:15 1996 From: die at pig.die.com (Dave Emery) Date: Sat, 13 Apr 1996 12:37:15 +0800 Subject: How the other half lives - why encryption is necessary Message-ID: <9604130124.AA08230@pig.die.com> The following showed up on a public radio-oriented mailing list I occasionally read - if this is really a true report by a confessed cordless/cellular scanner freak who got caught taping calls and passing the tapes around it is certainly illuminating as someone in an official position may have possibly said much more than more sophisticated law enforcement eavesdroppers would ever admit to. Clearly most people would think the law in the matter was very different than the attitude here expressed, though I think that many of the more cynical would view this as no surprise at all and indeed SOP in most investigative agencies, I cannot vouch for the identity of the poster or the veracity of this. However I think it certainly shows the official attitude that has made many of us advocates of encryption, particularly of wireless communications, and deeply suspicious of the notion that court ordered wiretaps are the only ones used by the police and other agencies. Forwarded message: From scan-mass-east-request at nomad.n-reading.ma.us Old-Return-Path: <merk!tiac.net!kilo> Date: Fri, 12 Apr 1996 19:17:41 -0400 Message-Id: <199604122317.TAA17404 at zork.tiac.net> X-Sender:kilo at tiac.net X-Mailing-List:<scan-mass-east at nomad.n-reading.ma.us CORDLESS PHONE MONITORING: -- I was accused of monitoring phone conversations of public officals over a scanner. I was accused of taping said conversations in which the public officals were conducting town buissness in a illegal manner etc. The allegded tapes (copies) were allegedly passed around to "other" town officals for them to hear what was being "said", "done", and what actions were about to unfold. A investigation by the Mass. District Attoney was ordered and the results if that investigation is as follows ---- "The information available during this investigation indicated that the telephone calls which were tape recorded were made on a cellular telephone or a portable telephone. No evidence was obtained indicating a wire communication was illegally intercepted and recorded. The audio tape that was around the town of $%#@!%^%$$ and played for several individuals was not recovered. @@ @#$$#% ^%%&* found the tape left on the front seat of %$^ car and had it for a period of time, but does not have it or knew where it was at this time. This officer (police) explained to those directly involved that cellular telephone conversations and any conversation that is transmitted over the airwaves is not protected communitations, as there is no expectation of privacy in the open airways. I further informed those involved that there are people who have nothing better to do then listen and record such cellular telephone calls and this means of communication is not secure. This officer requests that this investigation be closed". That is from the Masssachusetts District Attoney's Office in Barnstable,Mass. ******** In fact when I was interviewed I was told flat out that lawenforcement "does not want" it to be against the law, because not only do they hear about drug transactions which allows them to bust subjects, "BUT" it is also a saftey tool, for at times the people under survailance talk using this type of communication and they (POLICE) can find out if the subject(s) have weapons, etc. etc......!!!!! That's what my experience in this area is... Happy Scanning!!!!!!!!!! Vietnam Vets - "USMC" From unicorn at schloss.li Fri Apr 12 21:55:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 12:55:45 +0800 Subject: On computer face recognition: In-Reply-To: <ad931b9413021004c822@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960412155140.27436A-100000@polaris.mindport.net> On Thu, 11 Apr 1996, Timothy C. May wrote: > At 7:14 PM 4/11/96, David Loysen wrote: > > >Take a peak at http://www.neci.nj.nec.com/homepages/lawrence/papers. One of > >Lawences papers is on using Neural networks to recognize faces. Methinks > >that the state of the art is advancing rapidly and such problems as not > >looking at the camera or changing your expression are rapidly being overcome. > > One system I read up on a few years ago relied heavily on ear shape....it > seems that the profile of ears varies tremendously and ear profiles are > fairly easy to get a kind of hash of, assuming the ear profile is not > obstructed by hair. Even ears are not perfect. Recall the case of the pretender to the Romanov/Feodorovich dynasty, "Anna Anderson." Three independent experts used ear profiles to confirm she was indeed the lost Tsarevna Anastasia, a judgment later proved wrong by a combination of handwriting analysis, trip ups, DNA, and the discovery of the actual Tsarevna's remains. > "Get a haircut" may once again return to favor. I can't cite sources, but the current doctrine is silly putty (tm). Aside from looking much like flesh, being easy to apply and mold, it tends to absorb and radiate heat fairly well. The result is a nice distortion of IR shots of ears. While careful analysis will reveal the putty eventually, (it will always be somewhat cooler than the flesh) when properly applied, silly putty (tm) will so distort the actual ear profile as to render identification by this method alone nearly impossible. Users with darker skintones are told to add a mixture of blue and red food coloring to the putty. Add salt to taste. > --Tim May > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 22:10:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 13:10:37 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <01I3GPGIWMLG8Y50UU@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 5-APR-1996 06:26:05.96 >There are ways to resist compelled discovery. These are not they. Any methods you're willing to mention sans a money order? -Allen From frantz at netcom.com Fri Apr 12 22:16:20 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 13 Apr 1996 13:16:20 +0800 Subject: Demonizing the Opposition: Bruce "The Toolman" Taylor Message-ID: <199604121916.MAA04360@netcom9.netcom.com> At 12:08 PM 4/12/96 -0400, Robert Hettinga wrote: >Bruce "Penis with a Blister" Taylor >abbreviated PWAB, or "Blister" I suppose Seems to me that "a penis with a blister on it" is a good description of a picture of active syphilis. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Fri Apr 12 22:30:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 13:30:46 +0800 Subject: No matter where you go, there they are. Message-ID: <m0u7oHD-0008zIC@pacifier.com> At 10:14 PM 4/11/96 -0500, Adam Shostack wrote: >Jim McCoy wrote: > What is >| Dennings fascination with building Big Brother? > > She read Snow Crash, and it scared her. > Snow Crash is a book about a future in which governments are >ineffective. Companies run things, and have complete local control. >The world has gone to hell, and as a result, life is nasty, poor, >brutish and short. Many people do not look forward to this world. >Thats an understandable reaction; when I first heard about anonymous >assasination markets, I thought it was pretty bizzare as a world to >look forward to. However, looked at from the standpoint of somebody who is not already steeped in it, OUR society is a "pretty bizarre world." Ostensibly we live in a society that loves freedom, yet it's controlled by a rather tiny number of people who wield an extraordinarily large amount of power. We can be beaten or killed by agents of the government, and the only time a ruckus seems to be raised is when there happens to be a camcorder nearby, one that the police do not notice in time. I haven't heard much speculation about why we never (actually, almost never) see such cases without recordings. > Then I heard Neal Stephenson speak. And he brought up a very >good point, which was Hitler killed more people than Charles Manson >because Hitler had a big country, and its large army. I look >forward to smaller, weaker government that can't put the Japs in >holding camps, surround and harras the Branch Davidians, etc. > > The debate, really, boils down to Hobbes v. Locke, or Plato v. >Aristotle. Its not going to be resolved anytime soon by a >philosopher. I think it will be resolved by a computer programmer. I am reminded of the scene in the TV show "Hitchhiker's Guide to the Galaxy," when the two philosophers complained to the computer, "Deep Thought" (Assigned the task of answering the question of "Life, the Universe, and Everything"), something like "What's the point of debating the existence of God, when you're going to tell us his address?" There is precedent for this kind of frustration. I seem to recall that more than 10 years ago, or more, that the solution/proof for the 4-color mapping problem (The theory that all maps could be colored with at most 4 colors) was done by computer. It was accomplished, as I recall, by exhaustively testing "all" the various possibilities (having been narrowed down appropriately), and determing that they needed no more than 4 colors. Mathematicians, who were used to multi-page proofs that a human could actually comprehend and follow on a step-by-step basis, were unhappy that it all came down to a computer. Many of us have read Mill, Hayek, Freidman, Nozick, and >decided that we prefer that world view. That Dr. Denning has decided >that she likes Philosopher-Kings is not particularly unusual, except >in the computer business. Go read Leviathan. Think about what we're >talking about here. > > Its a scary new world that I expect will be created, by the >UNSTOPPABLE advance of technology. There is no weapon created that is >not used by someone who judges the cause to be worthwhile. Nukes, >chemicals, and biologicals have all been used against civilian >populations. I judge that stopping the advance of cryptoanarchist >technology will fail (in the long run), and not be worth the price. I >suspect Dorothy disagrees, and there lies her fascination with >building in Big Brother. I think the thing to remember is that the "worth the price" issue appears to depend substantially on who you are. If you're a powerful government official, who fears losing his cushy job and maybe even his life, it may appear to be worth an effort. From the standpoint of the ordinary citizen, however, if he understands what's at stake he'll recognize that it isn't. Jim Bell jimbell at pacifier.com From tcmay at got.net Fri Apr 12 22:39:07 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 13:39:07 +0800 Subject: "Batman" Read!--How to Unsubscribe Message-ID: <ad93d76119021004e784@[205.199.118.202]> At 9:11 PM 4/11/96, Batman wrote: >Please PUT me OUT of YOUR cypherpunks AND other MAIL-LISTS > >Thankx I sent you instructions by private e-mail, and in a separate posting on the list. If you had read either of these messages and followed the "unsubscribe" instructions, you could remove yourself from the list. If, however, you are not reading messages that arrive in your mailbox, including messages on this list and personal mail, then you are likely not reading _this_ message either, and it is hopeless for you. You will be condemned to getting list traffic until you get a clue. On the off chance you read this message by either of the routes, instructions are included _again_ at the end of this message. (And I have retitled your thread name...the message name "Re:" is not terribly helpful, and indicates you took no time to compose a meaningful title.) How to subscribe to the Cypherpunks mailing list: send a message to "majordomo at toad.com" with the body message "subscribe cypherpunks". To unsubscribe, send the message "unsubscribe cypherpunks" to the same address. For help, send "help cypherpunks". Don't send these requests to the Cypherpunks list itself. And be aware that the list generates between 40 and 100 messages a day. From dlv at bwalk.dm.com Fri Apr 12 22:57:16 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 13 Apr 1996 13:57:16 +0800 Subject: Answer about bits and bytes In-Reply-To: <199604122104.OAA01053@mycroft.rand.org> Message-ID: <kTuamD31w165w@bwalk.dm.com> Jim Gillogly <jim at ACM.ORG> writes: > jim bell <jimbell at pacifier.com> writes: > >See, I do not challenge the fact that there were plenty of data objects of > >length other than 8-bits. The issue is whether or not the people back then > >actually believed that a correct, official usage of the term "byte" included > >lengths other than 8. > > Reading from the PDP-10 Reference Handbook (DEC, 1971) page 2-30, we read: > > To conserve memory, it is useful to store data in less than full > 36-bit words. Bytes of any length, from 1 to 36 bits, may be > entered using a BYTE statement. > > BYTE (N) X,X,X ... _The Programmer's Guide to the 1802_ (Tom Swan, Hayden Books, 1981) says the following on p. 19: The eight binary digits or bits represented in Fig. 2-1 are commonly given the name _byte, and in this book, one byte will always equal eight bits. (This is a rather common convention in microcomputing, but a byte does not always equal eight bits in much of the published literature.) Some books also refer to computer "words," but, since a "word" is even more loosely defined than a "byte," we will refrain from using it as a label for binary numbers. In addition, to make things come out right for eight-bit computers, leading zeros are usually written in front of binary numbers so all numbers come out to even multiples of eight-bit bytes. _Assembler Reference Manual for the Sub Workstation, Version 1.0 of 30th November 1982_ (we're talking the Motorola 68K Sun 1 here!) says: Many MC68000 machine instructions can operate upon byte (8-bit), word (16-bit), or long word (32-bit) data. They felt it necessary to specify this in a number of places. A very important book that anyone who programs computers should read -- Donald Knuth, _The Art of Computer Programming_ (Addison Wesley, 1973), v. 1, p. 120, says the following about the MIX language: Words. The basic unit of information is a _byte. Each byte contains an _unspecified amount of information, but it must be capable of holding at least 64 distinct values. That is, we know that any number between 0 and 63, inclusive, can be contained in one byte. Furthermore, each byte contains _at _most 100 distinct values. On a binary computer a byte must therefore be composed of six bits; on a decimal computer we have two digits per byte. Programs written in the MIX language should be written so that no more than sixty-four values are ever assumed for a byte. If we wish to treat the number 80, we should always leave two adjacent bytes for expressing it, even though one byte is sufficient on a decimal computer. _An _algorithm _in _MIX _should _work _properly _regardless _of _how _big _a _byte _is. Although it's quite possible to write programs which depend on the byte size, this is an illegal act which will not be tolerated; the only legitimate programs are those which would give correct results with all byte sizes. It is usually not hard to abide by these ground rule, and we will thereby find that programming a decimal computer isn't so different from programming a binary one after all. ... _A _computer _word _is _five _bytes _plus _a _sign. The sign position has only two possible values, + and -. Give it up, Jim -- I have more ancient writings than you can shake a dynamite stick at. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rodger at interramp.com Fri Apr 12 23:06:29 1996 From: rodger at interramp.com (Will Rodger) Date: Sat, 13 Apr 1996 14:06:29 +0800 Subject: CDA Court Challenge: Update #6 Message-ID: <v01510102ad948d03235c@[38.12.5.135]> On 4/11/96 Declan McCullagh wrote: >+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ > WHO CARES ABOUT KIDS: WHO ARE THE ADULTS? >+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ > >The third way to answer the now-tiresome who-are-the-kiddies question >is to turn it on its head and ask: "Who are the adults?" > >Hardware to answer that question already exists. The March 25 issue of >Interactive Week reports that Livingston Enterprises, Inc. has >colluded with Senator Exon's staff to design an "Exon box" -- a router >that lets ISPs cut off unrated or "indecent" or unrated sites. To get >around the block, an "adult" enters a secret password that tells the >router to open a session and let the packets flow. > Whoa. Thanks for mentioning my article, Declan, but I think "colluded" is too strong here - as far as I know, Livingston never contacted Exon, even though Livingston's ChoiceNet can undoubtedly play into his hands. >Exon's staff is heralding this as an example of how easy it is to comply >with the CDA. Almost - Bruce Taylor is, actually, but he's not part of Exon's satff. The only problem is that, like many such >hamfisted censorship "solutions," it sucks, and it ain't going to >work. One of the original architects of the Internet, David P. Reed, >wrote: > > I do work to protect my children from inappropriate material, but > pressure from Senators to mandate technically flawed solutions, and > opportunistic, poorly thought-through technologies from companies > like Livingston are not helpful. > It should be noted that Livingston is promoting this as a voluntary solution a la PICS. PICS' own Web pages, after all, suggest software on routers could do the job as well as client products like NetNanny, CyberPatrol, etc. There are some distinct advantages to doing it that way, in fact. Livingston insists this is an alternative to mandatory censorship, but they're not being shy about admitting it can be used in other ways, too. All that said, you cypherpunks can speculate who's up to what in all this. Will Rodger Washington Bureau Chief Interactive Week From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 23:10:47 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 14:10:47 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <01I3GOIKUJYM8Y50UU@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 2-APR-1996 06:31:08.52 >This happens any time anybody signs up with an an######@anon.penet.fi address. >Ideally, someone could, in their copious spare time, hack majordomo >to automatically translate all subscription requests of that form to >na######@anon.penet.fi ; as an alternative, if majordomo has some sort >of subscription blocking list an*@anon.penet.fi belongs on it. In other words, majordomo is broken. I should have suspected as much, given the weird way headers turn up compared to all other mailing list programs. Can that be reconfigured by the list owner? I may be starting up a list (on c2.org) sometime (after I finish 3 papers, an oral presentation, and some finals), and what I've got available is majordomo. Curing this problem would be good. -Allen From andrew_loewenstern at il.us.swissbank.com Fri Apr 12 23:28:18 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Sat, 13 Apr 1996 14:28:18 +0800 Subject: [NOISE] Why there are so many cluless people In-Reply-To: <v02120d39ad9446cc8b78@[192.0.2.1]> Message-ID: <9604122211.AA00317@ch1d157nwk> > Today, I heard a commercial on the radio. Some company wants > to help you make $1k+ per day as an Internet expert. Simply > listen to their one week audio tape course and you know > everything you need to work as an Internet consultant. I heard that Internet Privacy Guaranteed is coming out with their own set of cassette tapes... ;-) "Become a cryptanalyst in 21 days, while you sleep, or your money back!" andrew From tcmay at got.net Fri Apr 12 23:29:19 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 14:29:19 +0800 Subject: Entropy Estimator Message-ID: <ad946a8a010210047a9a@[205.199.118.202]> At 9:06 PM 4/12/96, rick hoselton wrote: >At 12:19 AM 4/12/96 -0400, JonWienke at aol.com wrote: > >>I just added a feature to my entropy graphing program that >>estimates the number of bits of entropy in the file, > >Hey, that's just what I need. I have these two 8-million byte >files. One is a recording made by a geiger counter, every bit >is uncorrelated with anything else in the universe and each bit >is equally likely to be a one or a zero. The second file is an >IDEA encryption of all the four-byte numbers >from one to two-million. > >Here's my problem. I can't remember which file is which, and I've >forgotten sixty-four bits of the key I used to produce the encrypted file. > >That's where your technique come in. The first file has sixty-four >million bits of entropy. The second file has only sixty-four bits >of entropy, total (the missing key bits). Surely, your technique can >tell me which file is which. No, this is not the case. Suppose your file of 64 million bits of entropy is stored as "Rick's Geiger Counter File," perhaps on your Web site. (Great for use by various people as a "virtual one time pad" (patent pending).) A year or so from now someone asks a program to measure the entropy of this file. Nearly all programs will report that the file has lots of bits of entropy... However, is this the "true" entropy? A clever program, or a person, might well remember that this file is Rick's Geiger Counter File, making the bits _very_ predictable (or, equivalently, little "surprise," low entropy, great compressibility, etc.). Once again, one can never know for sure that a file, sequence, string is maximally compressed. The application to your stated problem is that the two files might very well have similar statistics (a good cryptographic hash function is likely to produce a regular output, for example) and that a program cannot tell which one is the "really random" file and which is the "seemingly random" file is not a failing of the program, necessarily, but is implicit in some inevitable limitations of all programs. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 23:47:06 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 14:47:06 +0800 Subject: PICS required by laws Message-ID: <01I3GRMTAVBQ8Y510B@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 6-APR-1996 16:21:56.32 >I am less worried about this possibility than most. PICS scrubbers will be >as easy to produce as any other web intermediary. (e.g. The one which >replaces "bad" words with "censored".) Quite... as will ones that flip-flop the various packet bits that people are discussing. >I do not make these comments publicly, because I don't want to poke holes >in network self censorship while the courts are grinding on the CDA. (Note >that true self censorship, where the viewer wants the filtering would not >be impacted. Those viewers would just not use that kind of intermediary.) I don't plan on mentioning it on CuDigest, either... just that any imposition of this standard will leave countries where it isn't imposed. > I applaud the ACLU's position in not rating their web page. I will also >note that it is possible for a PICS filter to refuse to pass unrated pages. Yes... and it would be possible for a PICS unrating filter to simply set all of them to child-OK. With the current discussion of packet-based censorship, it would appear possible for the bit in question to be reset by _any_ of the systems it passes over at least as easily as those systems could use this bit for filtration. I would suggest a "Trojan Horse" program to do this, in order to A. get governmental systems and B. give SYSOPs an excuse to run the flipping program. This flipping could produce either child-visible or child-invisible material, depending on what result the system in question wished to produce. Child-visible would help the children; child-invisible would make the Net unusable for children whose parents weren't sensible enough to not use such software. The latter, applied to technical material, would also drive China, Singapore, et al nuts. > If much of the technical information on the net is unrated, China, >Singapore etc. will be between a rock and a hard place with the >anti-censorship intermediaries. -Allen From perry at piermont.com Fri Apr 12 23:49:38 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 13 Apr 1996 14:49:38 +0800 Subject: Lotus notes 24 bit hack project? In-Reply-To: <199604112014.NAA16020@netcom7.netcom.com> Message-ID: <199604122144.RAA25414@jekyll.piermont.com> "Vladimir Z. Nuri" writes: > reading notes on the recent RSA conference reminds me of something. > > Lotus announced their 64 bit encryption for foreign users some > months ago, with 24 bits secretly "owned" by the NSA. there > was some speculation here about how this was handled. Actually there was virtually no speculation. There is an RSA public key embedded in every copy of Lotus notes that was supplied by the NSA and in which the top 24 bits get encrypted and sent out over the wire. Its all simple enough. > in any case it seems that reverse engineering of Lotus Notes > would provide the answer, and we'd be able to embarrass both > NSA and Lotus (who imho deserves it, for caving in to the NSA) > all in the same sweep by revealing it to the world!!! Revealing what? Its not like there is a mystery, Mr. Detweiler. .pm From EALLENSMITH at ocelot.Rutgers.EDU Fri Apr 12 23:51:16 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 14:51:16 +0800 Subject: the cost of untracability? Message-ID: <01I3GS5RCZX28Y510B@mbcl.rutgers.edu> From: IN%"weidai at eskimo.com" "Wei Dai" 7-APR-1996 10:52:52.30 >I think you're right. There is no need for the issuer to pay explicit >interest. The easiest way to eliminate signorage would be to steadily >increase the value of each denomination of ecash. It would be kind of >like a mutual fund that doesn't pay dividends. In fact, if the ecash is >backed by a portfolio of investment securities and its value floats with >the value of the portfolio, then it would be almost exactly like a mutual >fund. Another method would be for ecash to have a label on it as to when the issuer would redeem it. Until then, if you want cash from it, find someone else to trade to. This has the interest advantage for the purchaser, and the advantage to the issuer that they won't have to worry about when someone will redeem it. They'll know that they'll need to have a particular amount on a particular date, and their earnings/losses up until that point can vary all over the place without being worried about whether they can make their payments. Ideal for a startup business. -Allen From jwhiting at igc.apc.org Fri Apr 12 23:54:19 1996 From: jwhiting at igc.apc.org (Jerry Whiting) Date: Sat, 13 Apr 1996 14:54:19 +0800 Subject: Lotus Notes 24-bit sellout Message-ID: <199604121621.JAA01379@igc2.igc.apc.org> When Ray Ozzie announced the work reduction sellout at the RSA conference, both he and Ms Denning (whom I spoke with about it later) mentioned that there was something else in Lotus Notes 4 besides the 40+24 bit compromise. My thought is that the NSA gave them something else in exchange for the mandatory escrow scheme they're all talking about publicly. Perhaps some other crypto code the NSA had lying around unused. So looking for a common 24-bit subkey may reduce Notes' key to a 40-bit brute force exercise but the 40+24 is probably not ALL that's in Notes 4. Definitely a deal with the Devil. Given that we're talking about IBM, not Lotus none of this surprises me given IBM's Lucifer/DES history with spook input years ago. Then again to be fair, I don't know if the 40+24 deal was cooked up before or after the IBM/Lotus merger. Jerry Whiting Azalea Software, Inc. P.S. Yes, I'm the one doing carrick "Encryption software so good, the Feds won't let us export it." In fact, we schedule for a visit from the NSA next month regarding our desire to export carrick to Australia. The mere mention of a Blowfish-based crypto product left my assigned spook momentarly speechless. Something tells me they ain't gonna let carrick out of the country with a key length worth using. AND I DEFINITELY AIN'T INTERSTED IN MAKING A DEAL WITH THE DEVIL. From sjb at universe.digex.net Sat Apr 13 00:15:34 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 13 Apr 1996 15:15:34 +0800 Subject: Digital Cash Escrow In-Reply-To: <m0u7VIU-0008zAC@pacifier.com> Message-ID: <199604121921.PAA03867@universe.digex.net> jim bell writes: >At 09:17 AM 4/11/96 -0500, John Deters wrote: > Go dig up the manuals for a >>UNIVAC 1100, Jim. Why do you think the RFCs for IP specifically refer to >>"octets" as opposed to "bytes"? Because (they explain) "octet" is >>unambiguous, which then infers a certain ambiguity to "byte", now, doesn't it? > >Wasn't the original development of the Internet done in the middle 1960's? >And thus, does its development pre-date the coinage of the term, "byte"? > >If that's true, doesn't this answer your question? The terminology used for >the definition of a standard often tends to be frozen in time. Lacking the >term "byte" they used "octet." The subsequent invention of the term "byte" >would not have displaced the original term, at least in Internet standards. Well, the earliest RFC is dated 4/7/69. That's not really "middle 1960's". The term "byte" seems to date from the mid-to-late 1950's. Try again. From unicorn at schloss.li Sat Apr 13 00:24:10 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 15:24:10 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <01I3GRDPKA348Y510B@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.91.960412195749.27436I-100000@polaris.mindport.net> On Fri, 12 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 6-APR-1996 16:17:13.99 > > >I might add that the Cayman Islands are full of trust companies with > >provisions which forbid the disclosure of data to a client who is > >coerced. A law on the books refuses to recognize "consent" orders made > >under judicial compulsion. This would give the appearance of total > >unavailability of evidence and suggest the futility of contempt > >charges. Yet courts have still, and with no small measure of success, > >imposed sanctions on witnesses so protected. > > What measure of success? Getting the data, or locking up the witness? > -Allen Getting the data. If the IRS or a private plaintiff wants it bad enough, they can usually get their hands on it, or at least find out where it is. The government of the United States doesn't play "fair" when they want something. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From tcmay at got.net Sat Apr 13 00:46:09 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 15:46:09 +0800 Subject: [NOISE] Why there are so many cluless people Message-ID: <ad94813302021004cd6f@[205.199.118.202]> At 10:11 PM 4/12/96, Andrew Loewenstern wrote: >I heard that Internet Privacy Guaranteed is coming out with their own set of >cassette tapes... ;-) > >"Become a cryptanalyst in 21 days, while you sleep, or your money back!" This is old news. "Subliminal channels" have been around in crypto for a long time. --Klaus! von Future Prime From thecrow at iconn.net Sat Apr 13 00:51:56 1996 From: thecrow at iconn.net (Jack Mott) Date: Sat, 13 Apr 1996 15:51:56 +0800 Subject: Known Plaintext attacks on symmertric algorithms Message-ID: <316EF0D7.3B80@iconn.net> Now maybe I have this all wrong, but it is my understanding that a known plaintext attack is when the cracker knows part of the plaintext of an encrypted file. Then he/she uses that and runs the inverse of the algorithm to calculate the key. Whether or not I am right about what known plaintext means, isn't the entirely possible on all of the symmetric algorithms out there? If I grab a file that I know is, say, a standard credit card transaction form, and I know what the first 256 bytes are because they are always the same, shouldn I always be able to find the entire key that corresponds with those 256 bytes? (assuming the key is 2048 bits or less) And then with that key decrypt the whole file? Maybe I am missing something but it seems that all the symmetric algorithms are vulnerable to this, and I thought of a fix, but it involves having two keys (or one thats twice as big) -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From jpb at miamisci.org Sat Apr 13 00:53:44 1996 From: jpb at miamisci.org (Joe Block) Date: Sat, 13 Apr 1996 15:53:44 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <v02130521ad94d892f68e@[192.168.69.70]> At 4:12 PM 4/10/96, Steve Reid wrote: >The problem with that, of course, is that the remailer has to keep a >record of who owns each anonymous account, so that it can direct the >replies to the anonymous person. These records could be siezed. Sameer will certainly correct me if I'm wrong, but remailers like c2 store an encrypted header that is a path through the remailer system. Since each nesting level is encrypted to that level's remailer, the other levels only know which remailer to pass the message along to. If you really want to be secure, run your own remailer so that nasty folk can't tell which of the encrypted messages are for you, and which your machine is passing along. I'd have a seperate account that I used solely for pointing these c2 style messages to that had a procmail setup that would add a copy of each message to my real mailbox and generate a random garbage file that was a random number of bytes smaller than the incoming mail and premail it through the remailer chain until it hit a /dev/null address. That way, for every message that entered your remailer one would exit for the benefit of any traffic analysts. I'd also make sure that the c2 address passed through my remailer at least twice. >BTW, has anyone out there created an anonymous web forwarder? I'm sure >there are a lot of people out there who don't like the idea of having >their email address in the log files of dozens of web servers... Creating >a simple web forwarder wouldn't be hard. I can't stand netscape's mailer and newsreader so I use Eudora Light and just have netscape set to a bogus email address. Joseph Block <jpb at miamisci.org> "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From nyap at mailhub.garban.com Sat Apr 13 00:54:15 1996 From: nyap at mailhub.garban.com (Noel Yap) Date: Sat, 13 Apr 1996 15:54:15 +0800 Subject: NYT: Chaotic Encryption: a Solution in Search of a Problem Message-ID: <9604122153.AA00613@mailhub.garban.com> > There has been research into developing chaos based encryption, but none of > the systems developed are nearly as strong as block ciphers such as IDEA and > 3DES. Chaos encryption is more like steganography than encryption. > The chaos encryption schemes that I know of use a driving circuit to generate > the carrier wave for the transmission. If a person on the other end knows the > driving circuit used, then that person can remove it. The output of a chaos > encryption mechanism is similar to static, but I don't think that it is > particularly strong. With proven strong encryption, the only advantage I can > see to using chaos encryption would be to encrypt analog data. I've actually been thinking about using chaos to sporadically add noise to some information before the info is encrypted. After decryption, the receiver would then have to separate the noise from the real content. Has anyone else thought about this? Please respond directly to nyap at garban.com 'cos I'm no longer on the cypherpunks list. From rkmoore at iol.ie Sat Apr 13 01:03:33 1996 From: rkmoore at iol.ie (Richard K. Moore) Date: Sat, 13 Apr 1996 16:03:33 +0800 Subject: Protocols at the Point of a Gun Message-ID: <v02110134ad945a3a8bff@[194.125.43.36]> 4/11/96, Bill Stewart wrote: >There are serious technical problems with the suggestion that labelling packets >as "Adult" or "Child" using IP options and filtering at ISPs for censorship. IMHO, the technical problems can somehow be solved, whether we like it or not, although it will probably be botched intentionally or otherwise. It's tougher than most protocol upgrades, but easier than was designing X.400 (just to give some GROSS bounds to the problem). My (simplistically presented) suggestion in such a scheme would be that we don't want a "flag" on packets: we want two "fields": - content-classification field in packets: _roughly_ analogous to a dewey-decimal number -- says a lot (?) about the content, not merely which end of the library it goes in - user-classification field appended to user-id's: a micro-bio of the user -- says something about age, languages known, interests Before you flame -- I'm not thinking about the potential abuses, I'm thinking about the useful applications: more useful filtering based on such fields can be installed as agents on: - user machine - "dial-in" network node - retrieval engines - database engines "A great project is only a little harder than a good project" - A Kay Regards, -rkm (not on cypherpunks) ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~--~=-=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~ Posted by Richard K. Moore - rkmoore at iol.ie - Wexford, Ireland Cyberlib: www | ftp --> ftp://ftp.iol.ie/users/rkmoore/cyberlib ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~--~=-=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~ From tcmay at got.net Sat Apr 13 01:21:07 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 16:21:07 +0800 Subject: questions about bits and bytes [NOISE] Message-ID: <ad93f754000210046940@[205.199.118.202]> At 5:20 AM 4/12/96, JonWienke at aol.com wrote: >In a message dated 96-04-11 20:26:44 EDT, jeffb at sware.com writes: > >>[I told myself I was going to stay out of this, but Jim Bell's dogmatic >>stance irks me... ] Here's a citation from "Portability of C Programs >>and the Unix System" by S.C. Johnson and D.M. Ritchie (yes, that Richie) >>in the Bell System Technical Journal volume 57, Number 6, July-August 1978. > >Citing sources from 1978 in the computing field is a little like using >dictionaries from the 1800's to dictate modern English usage. My desktop ... I've been ignoring most of these quibbles about the definition of "byte" and when it came about, etc., but the debate never seems to end. I went to the Jargon File (aka The Hacker's Dictionary), where a nice online version resides at http://beast.cc.emory.edu/Jargon30/JARGON.HTML This is what I found: byte : /bi:t/ [techspeak] n. A unit of memory or data equal to the amount used to represent one character; on modern architectures this is usually 8 bits, but may be 9 on 36-bit machines. Some older architectures used `byte' for quantities of 6 or 7 bits, and the PDP-10 supported `bytes' that were actually bitfields of 1 to 36 bits! These usages are now obsolete, and even 9-bit bytes have become rare in the general trend toward power-of-2 word sizes. Historical note: The term was coined by Werner Buchholz in 1956 during the early design phase for the IBM Stretch computer; originally it was described as 1 to 6 bits (typical I/O equipment of the period used 6-bit chunks of information). The move to an 8-bit byte happened in late 1956, and this size was later adopted and promulgated as a standard by the System/360. The word was coined by mutating the word `bite' so it would not be accidentally misspelled as bit. See also nybble. From harmon at tenet.edu Sat Apr 13 02:13:12 1996 From: harmon at tenet.edu (Dan Harmon) Date: Sat, 13 Apr 1996 17:13:12 +0800 Subject: Answer about bits and bytes In-Reply-To: <kTuamD31w165w@bwalk.dm.com> Message-ID: <Pine.OSF.3.91.960413012249.6873A-100000@beall.tenet.edu> Just a note, Jim's attribution dates seem to be older than yours. Not that it matters a whole hill of beans. Dan P.S. DEC referred to memory size on the 11 series prior to the 11/70 in 16 bit words, not 8 bit bytes. On Fri, 12 Apr 1996, Dr. Dimitri Vulis wrote: > Jim Gillogly <jim at ACM.ORG> writes: > > jim bell <jimbell at pacifier.com> writes: > > >See, I do not challenge the fact that there were plenty of data objects of > > >length other than 8-bits. The issue is whether or not the people back then > > >actually believed that a correct, official usage of the term "byte" included > > >lengths other than 8. > > > > Reading from the PDP-10 Reference Handbook (DEC, 1971) page 2-30, we read: > > > > To conserve memory, it is useful to store data in less than full > > 36-bit words. Bytes of any length, from 1 to 36 bits, may be > > entered using a BYTE statement. > > > > BYTE (N) X,X,X > ... > > _The Programmer's Guide to the 1802_ (Tom Swan, Hayden Books, 1981) says the > following on p. 19: > > The eight binary digits or bits represented in Fig. 2-1 are commonly > given the name _byte, and in this book, one byte will always equal > eight bits. (This is a rather common convention in microcomputing, but > a byte does not always equal eight bits in much of the published > literature.) Some books also refer to computer "words," but, since a > "word" is even more loosely defined than a "byte," we will refrain from > using it as a label for binary numbers. In addition, to make things > come out right for eight-bit computers, leading zeros are usually > written in front of binary numbers so all numbers come out to even > multiples of eight-bit bytes. > > _Assembler Reference Manual for the Sub Workstation, Version 1.0 of > 30th November 1982_ (we're talking the Motorola 68K Sun 1 here!) says: > > Many MC68000 machine instructions can operate upon byte (8-bit), word > (16-bit), or long word (32-bit) data. > > They felt it necessary to specify this in a number of places. > > A very important book that anyone who programs computers should read -- > Donald Knuth, _The Art of Computer Programming_ (Addison Wesley, 1973), v. 1, > p. 120, says the following about the MIX language: > > Words. The basic unit of information is a _byte. Each byte contains an > _unspecified amount of information, but it must be capable of holding > at least 64 distinct values. That is, we know that any number between 0 > and 63, inclusive, can be contained in one byte. Furthermore, each byte > contains _at _most 100 distinct values. On a binary computer a byte > must therefore be composed of six bits; on a decimal computer we have > two digits per byte. > > Programs written in the MIX language should be written so that no more > than sixty-four values are ever assumed for a byte. If we wish to treat > the number 80, we should always leave two adjacent bytes for expressing > it, even though one byte is sufficient on a decimal computer. _An > _algorithm _in _MIX _should _work _properly _regardless _of _how _big > _a _byte _is. Although it's quite possible to write programs which > depend on the byte size, this is an illegal act which will not be > tolerated; the only legitimate programs are those which would give > correct results with all byte sizes. It is usually not hard to abide by > these ground rule, and we will thereby find that programming a decimal > computer isn't so different from programming a binary one after all. > > ... > > _A _computer _word _is _five _bytes _plus _a _sign. The sign position > has only two possible values, + and -. > > Give it up, Jim -- I have more ancient writings than you can shake a dynamite > stick at. :-) > > --- > > Dr. Dimitri Vulis > Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps > From jleonard at divcom.umop-ap.com Sat Apr 13 02:14:17 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Sat, 13 Apr 1996 17:14:17 +0800 Subject: questions about bits and bytes [NOISE] In-Reply-To: <960412012047_270015300@mail06> Message-ID: <9604122214.AA09462@divcom.umop-ap.com> Jonathan Wienke wrote to Cypherpunks: > In a message dated 96-04-11 20:26:44 EDT, jeffb at sware.com writes: > > >[I told myself I was going to stay out of this, but Jim Bell's dogmatic > >stance irks me... ] Here's a citation from "Portability of C Programs > >and the Unix System" by S.C. Johnson and D.M. Ritchie (yes, that Richie) > >in the Bell System Technical Journal volume 57, Number 6, July-August 1978. > > Citing sources from 1978 in the computing field is a little like using > dictionaries from the 1800's to dictate modern English usage. My desktop > machine has as much computing power as some colleges had during that era. > We've come a long way, baby! Yes, in the past, the term "byte" applied to > entities other than 8 bits, but "8 bits" IS the commonly accepted, standard > meaning of "byte" now, in the present. The fact that the meaning and usage > of words can change over time is not relevant to current meaning and usage. > Anyone who wishes to dispute this should study the etymology of the word > "gay." The most recent use of a non-8-bit byte I can find is from 1994 (no typo, 2 years ago). It's a spec for a RAM cell in ASIC design, and the usage is more or less "smallest individually writable memory unit". By design, bits must be written in chunks (bytes!), which in this case are 22 bits. As much as I'd like byte to be a standard, unambiguous 8-bits, there's still other uses out ther, which is why even recent RFCs specify octets instead of bytes. That said, I agree that older CS references aren't a reliable indicator of modern usage. > Jonathan Wienke Jon Leonard From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 02:36:39 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 13 Apr 1996 17:36:39 +0800 Subject: "Contempt" charges likely to increase Message-ID: <01I3GRYEA2HC8Y510B@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 7-APR-1996 03:10:38.36 >Over time, technology is dramatically increasing our protections: From >locks to alarms to monitoring systems to remote cameras, with bank accounts >that are secure from ordinary criminals, we are becoming less and less >dependant on government for our security. Since the ostensible purpose of >courts is nominally to protect us, if those protections begin to be replaced >by technology the logical conclusion is that courts will become less >numerous and less powerful. The problem is, that isn't happening, and the >reason is that organizations tend to act in ways to protect their own power >and influence. In fact, the average citizen is subject to far more theft of >his assets BY THE GOVERNMENT than by common criminals, so at some point we >have to realize that the government is now a net problem, rather than being >a net solution. Quite. I can see clear justifications for, say, allowing whatever money is spent on private security as a tax deduction. Unfortunately, the PC egalitarian types who don't seem to realize that inequality is a fact of life will claim that this will give the poor worse security than the rich. Yes... and the rich are the ones who need the most security. One, they're the banks: they're where the money is. Two, the rich tend to be the smarter ones, and thus the most valuable. >I think that most crimes that subpoenas would normally be used for are >probably not crimes at all, and are probably "malum prohibitum," not "malum >in se" crimes. And in the future, they would likely be used to harass >political enemies, as harassment was done in the 1950's and 60's. This >means, for anybody of a libertarian bent, that it would actually be better >if the government could be rendered incapable of enforcing them. Naturally, >governments and courts will resist, but that will be irrelevant. I would guess that most instances of violations of banking secrecy, wiretaps, et al fall into this category also. -Allen From stewarts at ix.netcom.com Sat Apr 13 02:43:41 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Apr 1996 17:43:41 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: <199604130639.XAA29560@toad.com> >>This happens any time anybody signs up with an an######@anon.penet.fi address. >>Ideally, someone could, in their copious spare time, hack majordomo >>to automatically translate all subscription requests of that form to >>na######@anon.penet.fi ; as an alternative, if majordomo has some sort >>of subscription blocking list an*@anon.penet.fi belongs on it. > > In other words, majordomo is broken. I should have suspected as much, No, it's not broken, it just interacts badly with anon.penet.fi. Of the two of them, majordomo is doing the obvious unsurprising thing, while anon.penet.fi needs a bit more complicated support because of difficulties with its implication and the workarounds it uses. Somebody did comment that they modified majordomo to handle this, but presumably vanilla majordomo can at least pattern-match block an######, and if it can't, you can always pre-process with egrep or sed. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stewarts at ix.netcom.com Sat Apr 13 02:43:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 13 Apr 1996 17:43:44 +0800 Subject: Known Plaintext attacks on symmertric algorithms Message-ID: <199604130654.XAA29908@toad.com> At 08:09 PM 4/12/96 -0400, you wrote: >Now maybe I have this all wrong, but it is my understanding that a known >plaintext attack is when the cracker knows part of the plaintext of an >encrypted file. Then he/she uses that and runs the inverse of the >algorithm to calculate the key. Some algorithms have usable inverses, but good ones try not to; one class of known plaintext attack is working your way back through the algorithm to discover the key bits using the known parts. Another kind of attack is just to brute-force the key, assuming the algorithm or key length is short enough to do that quickly. > Whether or not I am right about what known plaintext means, isn't the >entirely possible on all of the symmetric algorithms out there? If I >grab a file that I know is, say, a standard credit card transaction >form, and I know what the first 256 bytes are because they are always >the same, shouldn I always be able to find the entire key that >corresponds with those 256 bytes? (assuming the key is 2048 bits or >less) And then with that key decrypt the whole file? Algorithms vary widely on their susceptibility. Consider a one-time-pad: even if you know the first 256 bytes of the transaction, all that does is let you recover the first 256 bytes of key, which will never be used again, even in the second half of the message. Pretty useless, usually. On the other hand, consider a simple "xor with the key, repeating as often as needed"; if the key's no longer than your known plaintext, xor again, find the key, repeat as often as needed, and you've got the whole message. Using the same technique with DES will be left as an exercise for the reader :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stevenw at best.com Sat Apr 13 02:51:54 1996 From: stevenw at best.com (Steven Weller) Date: Sat, 13 Apr 1996 17:51:54 +0800 Subject: Cryptography Forum - Churchill Club Message-ID: <v01540b02ad94cdb6e09d@[206.86.1.35]> Seen in ba.internet. This may be of interest to people living in the San Francisco area of California. ------------------------------------->8-------------------------------------- Information Security and the 20th Anniversary of Public Key Cryptography Monday, April 29, 1996 Marriott Hotel, Burlingame, CA 5:30 PM Full Dinner 6:30 PM Program Members: $20 Non-members: $35 KEYNOTE SPEAKERS: Senator Conrad Burns (R, MT) Senator Larry Pressler (R, SD) Congressman Robert Goodlatte (R, VA) David Morris, Vice President, Cylink Corp. Jim Omura, Chief Technology Officer, Cylink Corp. James Freeman, Special Agent in Charge, FBI Phil Mellinger, Chief Engineer, Government Securities Assoc. Paul Raines, Project Manager, United State Postal Service Whitfield, Diffie, Martin, Hellman and Ralph Merkle - Pioneers and original patent holders for public key cryptography Economic espionage is costing the nation billions of dollars in lost business every year. U.S. companies are in danger of losing everything from trade secrets and proprietary financial information , to the bottom line figures on contract bills. Three bills are now in Congress to protect government, business and home computer users from outside snooping of sensitive information. These proposed new laws have been written to encourage the use of encryption and loosen export restrictions on encryption technology. Congressman Goodlatte is the author of one of these bills. April 1996 is also the 20th anniversary of the creation of Public Key Cryptography. The three principal pioneers and patent holders will also be present to share their views on the need for strong encryption. Morris of Cylink Corp. will provide an overview of what state-of-the-art security solutions are needed, and available, to truly protect business from unauthorized access. James Freeman of the FBI will discuss the recent study on industrial espionage and Paul Raines from the U.S. Postal Service will talk about electronic postmarking and certificate authority key registry bureau. TO REGISTER: Please call (408) 371-4460 or fax reservations (408) 371-4180 or email chrchllclb at aol.com PRESENTED BY THE CHURCHILL CLUB - A NON-PARTISAN FORUM FOR SILICON VALLEY ------------------------------------->8-------------------------------------- ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From harmon at tenet.edu Sat Apr 13 02:54:05 1996 From: harmon at tenet.edu (Dan Harmon) Date: Sat, 13 Apr 1996 17:54:05 +0800 Subject: Calvin and Hobbes In-Reply-To: <ad93d9911a0210046aff@[205.199.118.202]> Message-ID: <Pine.OSF.3.91.960413015732.6873C-100000@beall.tenet.edu> Calvin is also ADHA. Dan On Fri, 12 Apr 1996, Timothy C. May wrote: > At 3:14 AM 4/12/96, Adam Shostack wrote: > > > Snow Crash is a book about a future in which governments are > >ineffective. Companies run things, and have complete local control. > >The world has gone to hell, and as a result, life is nasty, poor, > >brutish and short. Many people do not look forward to this world. > > > Reminds me of a good joke I heard about the comic strip "Calvin and Hobbes" > (Calvin is a little boy, Hobbes is his stuffed toy tiger, who only Calvin > can see is alive). > > Why is Calvin so much like Hobbes? He's nasty, brutish, and short. > > > > (I heard this from Chip Morningstar...I don't know where he heard it, or if > perchance he invented it.) > > --Tim > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > > From alano at teleport.com Sat Apr 13 03:07:54 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 13 Apr 1996 18:07:54 +0800 Subject: questions about bits and bytes Message-ID: <2.2.32.19960412215132.0095ccdc@mail.teleport.com> At 11:34 AM 4/12/96 -0500, Doug Hughes wrote: > >On Apr 12 at 8:07 >jim bell wrote: >> >>Are you sure they're not referring to 8 bits of data and a parity bit? In >>any case, please give the address to the list so that it can be checked out. > >Come on, give it up already and admit you were wrong. At least 8 different >people have cited examples of machines that supported non 8bit bytes. Your >pride is getting the best of you. Jim is unwilling to admit his errors, even in things he has little or no training in. (I remember him claiming at one point that he was not a programmer or did any coding for that matter. Why he continues to persist in such things I will not speculate on...) I have worked on a couple of machines (that are still in use today) that were non-standard bit sizes. Many of the legacy machines from the old mainframe days (about 20+ years ago) had non-standard bit sizes. (Which made communication between then an interesting mess.) The old Microdata PICK machines had a weird byte size, for example. Some of the old Vax machines had the same "difficulty". >If you mean 8 bits, you should really say Octets as has always been the >form of Internet RFC's where the distinction is important. Making the assumption as to the stability of the sizes of bytes, words, and characters can get you into alot of trouble in the coding world. Characters are a good case in point. Depending on your OS and/or language, you could be talking about 5, 7, 8 or more bits. With the need to distribute applications internationally, the need to support all sorts of character schemes makes it even more variable. Unicode is 16 bytes per character. Shift JIS can be variable. (Either 8 or 16, if I remember correctly.) It just depends on the hardware, software, and compiler being used. I am sure that alot of old code is getting broken by the assumption that a character is always 8 bits. Assuming the same about bytes on old machines will do about as much good. >It may be standard today, but it was not always so.. And the standards change. I expect that at some point, some standards group will change all the terms again. (And this argument will flare up again...) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From frantz at netcom.com Sat Apr 13 03:10:22 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 13 Apr 1996 18:10:22 +0800 Subject: the cost of untracability? Message-ID: <199604130501.WAA02229@netcom9.netcom.com> At 7:42 PM 4/12/96 -0400, E. ALLEN SMITH wrote: >From: IN%"weidai at eskimo.com" "Wei Dai" 7-APR-1996 10:52:52.30 > >>I think you're right. There is no need for the issuer to pay explicit >>interest. The easiest way to eliminate signorage would be to steadily >>increase the value of each denomination of ecash. ... > > Another method would be for ecash to have a label on it as to when the >issuer would redeem it. Until then, if you want cash from it, find someone else >to trade to. ... And if you are using a "first to clear gets the money" system like Digicash, the holders can race to see who gets the money. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Sat Apr 13 03:14:07 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 18:14:07 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u7wxs-00090cC@pacifier.com> At 07:37 PM 4/12/96 EDT, E. ALLEN SMITH wrote: >From: IN%"jimbell at pacifier.com" "jim bell" 7-APR-1996 03:10:38.36 >>I think that most crimes that subpoenas would normally be used for are >>probably not crimes at all, and are probably "malum prohibitum," not "malum >>in se" crimes. And in the future, they would likely be used to harass >>political enemies, as harassment was done in the 1950's and 60's. This >>means, for anybody of a libertarian bent, that it would actually be better >>if the government could be rendered incapable of enforcing them. Naturally, >>governments and courts will resist, but that will be irrelevant. > > I would guess that most instances of violations of banking secrecy, >wiretaps, et al fall into this category also. True, I think. For example, 10-20 years from now there will probably be no need anymore for laws against wiretaps, because crypto telephones will become so cheap and ubiquitous that it will be assumed that anybody saying anything "valuable" on the phone will be using good crypto. If that's the case, nobody will even bother doing wiretaps, and nobody will ever lose anything as a consequence of being tapped. There's no point in having a law against a crime that never occurs. Likewise, "banking secrecy" will become a contractural obligation: Nobody who isn't privy to this information will be able to retrieve it. Looked at in this light, laws against victimless crimes can be seen as a last, desperate attempt by government to replace the real crimes which are "lost" to technological developments with placeholders; things the cops can do when nobody needs them. I think it would be reasonable to present so-called "law enforcement" with an ultimatum: "Make yourself obsolete within 10 years or we do it for you." In other words, choose only those crimes which have real victims, and figure out technological ways to either prevent them entirely, or solve then once committed. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Sat Apr 13 03:35:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 18:35:19 +0800 Subject: What can the judge do to me? In-Reply-To: <199604122207.SAA08791@netcom13.netcom.com> Message-ID: <Pine.SUN.3.91.960412193031.27436E-100000@polaris.mindport.net> An unnamed cypherpunk asked: > I was just wondering how/if [International Union] fit[s] in with frequent >claim 'the judge can throw away the key' if he wants...... c'punks - I've been involved in a private discussion with a list reader about the extent to which courts can impose contempt fines and sanctions. I thought I would post the results to the list as many have expressed interest in the ways that courts might try to compel production of crypto keys or compel offshore e-cash institutions. The bulk of my answer follows. The key to limiting the ability of a court to summarily enter contempt sanctions has always been the classification of the sanctions. "Criminal" sanctions, may entitle the witness to a trial by jury. "For 'serious' criminal contempts involving imprisonment of more than six months, these [procedural] protections include the right to jury trial. " International Union, United Mine Workers of America, et al. v. Bagwell et al., 114 S. Ct. 2552 (1993)(hereinafter, International Union)(citing Bloom, 391 U.S., at 199; Taylor v. Hayes, 418 U.S. 488, 495, 41 L. Ed. 2d 897, 94 S. Ct. 2697 (1974)). "Civil" sanctions do not require such protections and can be imposed on the spot and without review. "...civil contempt sanctions, or those penalties designed to compel future compliance with a court order, are considered to be coercive and avoidable through obedience, and thus may be imposed in an ordinary civil proceeding upon notice and an opportunity to be heard. Neither a jury trial nor proof beyond a reasonable doubt is required." International Union, supra. The court in International Union also makes a distinction between "direct" and "indirect" contempts. "Direct contempts that occur in the court's presence may be immediately adjudged and sanctioned summarily." International Union, supra. These would certainly include refusing to reveal non-privileged information on the stand, and may include the refusal to reveal the passphrase to a crypto key while on the stand. The court also recognizes that the indefinite confinement option is available to judges. Specifically, "[t]he paradigmatic coercive, civil contempt sanction, as set forth in Gompers, involves confining a contemnor _indefinitely_ until he complies with an affirmative command such as an order "to pay alimony, or to surrender property ordered to be turned over to a receiver, or to make a conveyance." International Union, supra (emphasis added)(citing Gompers, 221 U.S., at 442). See also, McCrone v. United States, 307 U.S. 61, 64, 83 L. Ed. 1108, 59 S. Ct. 685 (1939) (failure to testify). Shillitani v. United States, 384 U.S. 364, 370, n. 6, 16 L. Ed. 2d 622, 86 S. Ct. 1531 (1966) (upholding as civil "a determinate 24 month sentence which includes a purge clause"). My favorite language from the court defining such sanctions is this: "In these circumstances, the contemnor is able to purge the contempt and obtain his release by committing an affirmative act, and thus "carries the keys of his prison in his own pocket." International Union, supra (citing Gompers, 221 U.S., at 442, quoting In re Nevitt, 117 Fed. 451 (1902)). The court goes on: "A contempt fine accordingly is considered civil and remedial if it either 'coerces the defendant into compliance with the court's order, [or] . . . compensates the complainant for losses sustained.'" International Union, supra (quoting United States v. United Mine Workers of America, 330 U.S. 258, 303-304). And, "Where a fine is not compensatory, it is civil only if the contemnor is afforded an opportunity to purge." International Union, supra, (citing Penfield Co. v. SEC, 330 U.S. 585, 590, 91 L. Ed. 1117, 67 S. Ct. 918 (1947)). And on per diem fines, "Like civil imprisonment, such fines exert a constant coercive pressure, and once the jural command is obeyed, the future, indefinite, daily fines are purged." International Union, supra. The court makes a point to justify severe sanctions where testimony is sought, or the proceedings are threatened. "The necessity justification for the contempt authority is at its pinnacle, of course, where contumacious conduct threatens a court's immediate ability to conduct its proceedings, such as where a witness refuses to testify, or a party disrupts the court... [t]hus, petty, direct contempts in the presence of the court traditionally have been subject to summary adjudication, 'to maintain order in the courtroom and the integrity of the trial process in the face of an 'actual obstruction of justice.'" International Union, supra (quoting Codispoti v. Pennsylvania, 418 U.S., at 513 and citing numerous other sources). Most interesting to the crypto crowd: "Contempts such as failure to comply with document discovery, for example, while occurring outside the court's presence, impede the court's ability to adjudicate the proceedings before it and thus touch upon the core justification for the contempt power.... Similarly, indirect contempts involving discrete, readily ascertainable acts, _such as turning over a key_ or payment of a judgment, properly may be adjudicated through civil proceedings since the need for extensive, impartial fact-finding is less pressing." International Union, supra (emphasis added). Hence, International Union preserves very broad contempt sanctions which can be imposed without much review provided they fall into a rather wide "civil" categorization, rather than a "criminal" one. I think it's clear, the court literally spells this out, that holding a witness indefinitely until he complies with court orders is within the discretion of a judge. Compelling through sanctions the production of a "key" (though I'm not sure a crypto key is directly contemplated) is likewise clearly permitted. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From ses at tipper.oit.unc.edu Sat Apr 13 04:11:49 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 13 Apr 1996 19:11:49 +0800 Subject: [NOISE] Why there are so many cluless people In-Reply-To: <v02120d39ad9446cc8b78@[192.0.2.1]> Message-ID: <Pine.SOL.3.91.960412224955.26690F-100000@chivalry> There's a report on this in thise weeks bay area guardian; it's really just a schme to get people to pay to recruit other people to use someone elses webpage hosting service. On Fri, 12 Apr 1996, Lucky Green wrote: > Today, I heard a commercial on the radio. Some company wants to help you > make $1k+ per day as an Internet expert. Simply listen to their one week > audio tape course and you know everything you need to work as an Internet > consultant. > > Sigh, > > -- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. > > > --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Sat Apr 13 04:12:13 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 19:12:13 +0800 Subject: Calvin and Hobbes Message-ID: <ad93d9911a0210046aff@[205.199.118.202]> At 3:14 AM 4/12/96, Adam Shostack wrote: > Snow Crash is a book about a future in which governments are >ineffective. Companies run things, and have complete local control. >The world has gone to hell, and as a result, life is nasty, poor, >brutish and short. Many people do not look forward to this world. Reminds me of a good joke I heard about the comic strip "Calvin and Hobbes" (Calvin is a little boy, Hobbes is his stuffed toy tiger, who only Calvin can see is alive). Why is Calvin so much like Hobbes? He's nasty, brutish, and short. (I heard this from Chip Morningstar...I don't know where he heard it, or if perchance he invented it.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From markm at voicenet.com Sat Apr 13 04:36:05 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 13 Apr 1996 19:36:05 +0800 Subject: PGPCrack Message-ID: <Pine.LNX.3.92.960412143325.258A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- I have written a UNIX program that will brute-force crack a PGP conventionally encrypted file using a dictionary of passphrases. I am working on making it possible to break secret keys also. If you have any suggestions or bug reports, feel free to e-mail them to me. The URL is: http://www.voicenet.com/~markm/pgpcrack5b.tar.gz The MD5 hash of this file is 46aa9e37020ac2efce73d870fe1acbdc. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMW6j0LZc+sv5siulAQETGAQAnKr1n/OnWS6CpQqTQSRAJhTTCkq1zP8N l0QZYKrvO9i3EE0uXYF88EIXludrXq2mzEZCOeh4vjF0Ym8KEc82gUdRwAfxPxTU YxHylDI56PdvgLwRBAoBiGTaUZwajM+sEtvJaH1fYshPR7neTF+Aw3YL+cMQ/iQt PMFKXEM9GWQ= =fgA8 -----END PGP SIGNATURE----- From shamrock at netcom.com Sat Apr 13 04:58:11 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 13 Apr 1996 19:58:11 +0800 Subject: Protocols at the Point of a Gun Message-ID: <v02120d38ad9441032fa6@[192.0.2.1]> At 11:48 4/11/96, Timothy C. May wrote: >As required by the CDA (Competency Disclosure Act) my Ignorance bit is set >to "1" for this speculation. > >At 11:03 PM 4/10/96, Lucky Green wrote: > >>If my computer creates the IP packet, what is there to prevent me from >>modifying the value of the "Minor/Adult" flag at my leisure? > >Are the "minor/adult" settings (and Christian/Atheist, Southern >Baptist/Reformed Baptist, Creationist/Evolutionist, etc. bits) even be >proposed to be set at the IP packet level? Yup. Sen. Exon and this staff demand that IP be redesigned to include such a flag. No doubt, we'll soon hear about demands to include a male/female flag, a cast flag (there go another two bits), a flag for meat eater/vegetarian, a flag indicating your HIV status, one they get going, the sky is the limit. >I'd've thought it would be at the message level, such as this message or a >posting to Usenet. (Granted, many messages are presumably the same as IP >messages. But I'd assume that the setting would be within the message, so >that any forwarder of the packet would not be likely to tamper with >internal message settings....) Sure. Access control belongs into the application layer, or somewhere nearby. The problem is that those in power wouldn't know a modem if it bit them in the ass. Expect legislation that mandates routers to support the various flags in the near future. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Sat Apr 13 04:59:29 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Sat, 13 Apr 1996 19:59:29 +0800 Subject: No matter where you go, there they are. Message-ID: <9604122226.AA4262@> >While we may disagree with Ms. Denning on a number of political matters, >she's quite intelligent; I suspect the paper is well-founded. Yes, that was my initial reaction too, but the content just don't support that. I suspect this is a case of a person well-qualified in one area (crypto) working in very different area (GPS) where she is not qualified and does not understand what is going on. >GPS receivers are line-of-sight only; only a small portion of the earth can >see the same satellites. Well, sort of. The satellites are up at 11,000 miles, which makes for a large footprint. You'd certainly see most of the same satellites from several states away. >It might be possible to seperately record the signals from several >different satellites, delay them each just the right amount of time, and >then recombine them to simulate being at another nearby location (within >several hundred miles). Right, that's what several of us have been saying. >However, this might not be possible. Examine the >following quote from Denning's paper: > >:The location signature is virtually impossible to forge at the >:required accuracy. This is because the GPS observations at any given time >:are essentially unpredictable to high precision due to subtle satellite >:orbit perturbations, which are unknowable in real-time, and intentional >:signal instabilities (dithering) imposed by the U.S. Department of Defense >:selective availability (SA) security policy. Sure, but that is nonsense. Here's why. The time delay you need to introduce a 200 mile shift is 1 ms. The effects Denning et al. are talking about are LOW FREQUENCY effects. This is obvious for orbital perturbations, since we're talking about small motions of large heavy objects here, and it is also true for the S/A dither. Indeed it has to be that way, since any high frequency jitter would prevent the receiver from locking on the spread spectrum code that's at the core of how GPS works. In other words, at the millisecond level, none of those effects exist. Re Hal's comments: >Note however that Denning did not mention the Internet in her spiel. > >I believe her method would be workable across lower latency networks, if such >exist or eventually exist. Perhaps direct connections or leased lines would >provide low enough latency; I don't know. In any case networks are likely >to become faster in the future and her method might eventually work. >Actually the issue is not just latency but whether the latency can be >lied about, and for some kinds of networks that would be harder. What a checking system actually observes is: at time T2 it receives a message that claims to have been generated at time T1 by a system at location X. It would accept the authentication as valid if the elapsed time T2-T1 is small enough to be believable. How small this is depends on (a) the transmission latency, (b) the processing delay in X and in the checker. There are two flavors of attack on this: 1. Attacker Y uses the real-time signals from the satellites, delayed as needed. It sends those after processing, just as X would have done (except that X doesn't insert the processing delay). The elapsed time seen by the checker differs from the case of X by the sum of the processing delay and the incremental transmission latency (since Y is at a different place than X, so its connection to the checker may have either less or more latency). This fools the checker if the incremental latency is within its tolerance. Suppose that I'm using a LAN -- in that case a transmit delay on the order of 1 ms is plausible. X and Y would be about the same (of course it has hard for Y to get on the LAN unobserved...). If X is less than 20 miles away, the processing delay is under 100 microseconds, which is "in the noise". If I'm in a WAN, then the latency is likely to be greater, but even if is is 1 ms, I can be many miles away before it becomes obvious. The above of course assumes that the signal processing is done in hardware (or fast DSP) so it can indeed be done in well under 1 ms. Not a big deal... That seems to be one Denning mistake, the thinking only of replay in the sense of long delayed spoofing messages. 2. Attacker Y synchronizes to the satellites but constructs a signal locally that effectively "anticipates" what the satellite is about to send. This allows it to get the effect of a negative delay (thus avoiding the "node in the ground" problem). Since the signal is entirely predictable at the few-ms level, this is not difficult, though it requires a bit more effort than the simple delay approach. This way Y can construct a signal acceptable to the checker, even if its transmit latency to the checker is greater than it is for X. It simply anticipates by the difference plus whatever it needs to fake the position. Finally... As Hal also pointed out, if the system allows users to have partial sky view, then the attacker can avoid the need for negative delays entirely by selecting satellites closer to him than to the legitimate user. For anyone interested in an intro to GPS, Trimble (one of the leading companies in the industry) puts out some skinny paperbacks with nice clear explanations. They sometimes are a bit at the "see Spot run" level, but they do have the correct story. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From me at muddcs.cs.hmc.edu Sat Apr 13 05:00:39 1996 From: me at muddcs.cs.hmc.edu (Michael Elkins) Date: Sat, 13 Apr 1996 20:00:39 +0800 Subject: Scientologists may subpoena In-Reply-To: <1A5C983A02502C79@-SMF-> Message-ID: <199604121937.MAA18253@muddcs.cs.hmc.edu> Scott Binkley writes: > What if we set up a chaining remailing system in as many countries as > possible, all working in double blind > mode. You could have it randomly pick 20 or so remailers before actually > sending the message to its destination. > > That isn't a very clean method, but would sure slow down the process of > obtaining court orders in each respective country. This is true. We definitely could use more remailers outside the US. Especially since we all know that if you have enough money, you can get away with murd^H^H^H^Hanything in this country,possibly even getting access to remailer records. > I have this other idea, but it would be difficult to set up. Again, with > many many remailers, you could set it up, so that > any message you send is sent to a random FTP site of the day. Each of > the remailers randomly picks messages out > of the pool at the FTP site, and sends it on its way (all is encrypted of > course). At the end of the day, the FTP site is > erased, and a new one is set up somewhere else (all remailers would then > scan there). > > The beauty is that when a remailer pulls a message out of the FTP site, > it has no idea where the message came from, nor which > remailer (country) sent it there (providing the pooled messages have had > the return addresses removed). This would make it > very difficult to track down to the source. > > The disadvantage is that it requires cooperation between remailers, and > that a message cannot be replied to. Some of the cypherpunk remailers already sort of do this. However, the only thing it really does is make it a little harder to do traffic analysis. The main problem with your scheme is that all of the remailers would have access to the final destination of the message. The best method is still to use a randomly selected group of remailers for each anonymous message, and change your reply block on your nym often. me -- Michael Elkins <me at cs.hmc.edu> http://www.cs.hmc.edu/~me PGP key fingerprint = EB B1 68 32 3F B5 54 F9 6C AF 4E 94 5A EB 90 EC From frantz at netcom.com Sat Apr 13 05:07:49 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 13 Apr 1996 20:07:49 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604121845.LAA01353@netcom9.netcom.com> Should this nonsense of adding "Adult bit" to IP headers actually be implemented, I will sponser a contest: A free emailed "Thanks" to the first person who (truefully) reports that an Adult Internet access username and password has been posted (or scrawled on the bathroom wall) at a US high school. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Sat Apr 13 05:12:00 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Apr 1996 20:12:00 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v02110134ad945a3a8bff@[194.125.43.36]> Message-ID: <Pine.ULT.3.92.960412234329.2525A-100000@Networking.Stanford.EDU> On Fri, 12 Apr 1996, Richard K. Moore wrote: > 4/11/96, Bill Stewart wrote: > >There are serious technical problems with the suggestion that labelling > >packets as "Adult" or "Child" using IP options and filtering at ISPs > >for censorship. > > IMHO, the technical problems can somehow be solved, whether we like > it or not, although it will probably be botched intentionally or otherwise. > It's tougher than most protocol upgrades, but easier than was designing > X.400 (just to give some GROSS bounds to the problem). Hello? We're talking packets, not sessions. Trying to do this at the network layer (or lower) is so monstrously wrong that it's not worth talking about. It's impossible by design. In a properly designed system, the application should have no way to tell the protocol stack to flip special bits. What about encapsulation? Fragmentation? LAN emulation? Although... if you're talking ATM PVCs rather than packets, I could imagine adding minor/adult negotiation to the setup phase. But despite the hype, I don't expect to see many people using raw ATM (not LAN emulation/encapsulation) for a decade, if at all. > My (simplistically presented) suggestion in such a scheme would be > that we don't want a "flag" on packets: we want two "fields": > - content-classification field in packets: > _roughly_ analogous to a dewey-decimal number -- says a > lot (?) about the content, not merely which end of the > library it goes in > > - user-classification field appended to user-id's: > a micro-bio of the user -- says something > about age, languages known, interests We're talking packets here, not sessions. > Before you flame -- I'm not thinking about the potential abuses, > I'm thinking about the useful applications: more useful filtering based on > such fields can be installed as agents on: > - user machine > - "dial-in" network node > - retrieval engines > - database engines For this you use different TCP ports and out-of-band cryptographic authentication, not extra fields in the packets. -rich From declan+ at CMU.EDU Sat Apr 13 05:14:39 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 13 Apr 1996 20:14:39 +0800 Subject: CDA Court Challenge: Update #6 Message-ID: <IlPJRGy00YUv4TOFNd@andrew.cmu.edu> ----------------------------------------------------------------------------- The CDA Challenge, Update #6 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this update: BYU/CMU's Dan Olsen's net-censorship boondoggle ACLU's 4/9 motion to suppress obscene images -- DENIED The new "I am a child" Internet protocol Who cares about kids: Who are the adults? Olsen as an expert witness -- on what? April 11, 1996 PITTSBURGH, PA -- The U.S. Department of Justice wants to split the worldwide Internet into "adult" and "minor" sections. That's their plan, assuming they can find someone to testify that this audacious boondoggle is even remotely feasible under current technology. If the DoJ gets this testimony in the record, then their attorneys will argue that the Communications Decency Act is constitutional and should be upheld. Well, they found their man. The Justice Department stoolie who's testifying tomorrow is none other than Dan R. Olsen, Jr., the incoming director of the Human Computer Interaction Institute at Carnegie Mellon University, now the head of the computer science department at Brigham Young University. Olsen concocted this scheme that he calls L18, for "Less than 18." Under it, every net-user must label every USENET post, email message, FTP site file, web page, chat room, IRC channel -- any collection of public bits spewed on the Net -- if the content is "inappropriate for minors." If you think you're clever 'cuz you labeled some "indecent" materials as suitable for kids, guess again, pal. Try that trick and the Feds'll throw your ass in jail for two years and send you a bill for $250,000. (Owners of anonymous remailers might be for in some surprise visits from the Feds if their systems are used to post "indecent" stuff that's labeled L18.) The censorhappy geeks at Brigham Young University put together a demo to prove that this scheme works. First Olsen stuck L18 tags on half his web pages. Then they set up a "Netscape proxy server" so it denied access to pages with L18 tags unless the user was verified as an adult. The experiment was a success -- and a hit with the DoJ! By now cybersavvy readers are wondering: "But how will a server know how old a user is?" The DoJ has a couple ideas that they're going to throw at the three-judge panel in Philadelphia tomorrow. The government's idea seems to be that if the judges accept even one of them, they'll uphold the CDA. The DoJ's proposals are: 1. Servers with "indecent material" will register users as adults or minors. 2. Every ISP will tag accounts as adults or minors. 3. A custom router will only allow users to access "indecent" sites if an adult types in the password first. Olsen's Grand Design for the Net incorporates Proposal #1. He's pushing the idea that web servers or proxy servers with "indecent" material will give out "adult verification passwords" before you can access their web page. This means: * A lengthy pre-registration process before you can access the site. * The server has to keep a database with the identities of all the adult users, complete with the credit card numbers that presumably will be used for verification. * If you want to access hundreds of web sites with "indecent" material, you've got to get hundreds of different passwords. If you run a web site with material that a Federal prosecutor anywhere in the U.S. may find "indecent" or "patently offensive," under Olsen's plan you have to verify that your users are adults. Somehow, I don't expect overseas sites will go for this. What, doesn't the DoJ realize that we're not just talking about the U.S. here? +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ ACLU'S MOTION TO SUPRESS OBSCENE IMAGES -- DENIED! +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ It's not about cybercensorship. It's about cybersex. At least that's what the DoJ wants everyone to believe. Justice Department attorneys have been flooding the court with printouts of hundreds of pages of dirty pictures, a lot of them pretty damn raunchy. Some of them might even be "obscene" -- that is, they fall into a legal class of images that flunk a three-part test that includes only images without "serious literary, artistic, social, political, or scientific value." Pretty hardcore stuff. GIFs like coeds fraternizing with german shepherds -- with the help of 25' of rubber tubing and a Tibetan yak. On April 9, the ACLU/EFF plaintiffs filed a motion to close the floodgates on the DoJ's deluge of porn, asking that the government be barred from introducing exhibits "unless they believe in good faith the material could not be prosecuted under existing obscenity or child pornography laws." The idea behind this motion was to educate the court and remind them that the CDA outlaws "indecency," not "obscenity." EFF attorney Mike Godwin explains the difference in his forthcoming book _Cyber Rights_: The term "indecency," although never defined by Congress or the courts, is a far broader concept than "obscenity" (examples of "indecency" include George Carlin's famous "Seven Dirty Words" monologues, at least some portions of Howard Stern's radio broadcasts, and, according to one court, the text of Allen Ginsberg's "Howl"). Not one of our plaintiffs has "obscene" or even titillating pictures on our web sites, but all of us are subject to a $250,000 fine and two years in prison if a minor stumbles across our URL. Yesterday the court denied our motion, saying that it understood that we weren't challenging obscenity laws and that, unlike the situation that might occur if there were a jury, the judges would not be prejudiced by any pictures introduced. The court ruled *they* were capable of understanding the difference, so there was no need to separate the materials. They did admit that we had raised an important issue, and the court understood the reason for the motion. I guess we have to trust them. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ THE NEW "I AM A CHILD" INTERNET PROTOCOL +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ There's a second way to answer the question of: "How do you know who the children are?" Another option the DoJ appears to be pushing -- we'll know details tomorrow -- is this idea of reprogramming every computer on the worldwide Internet to run software that tags users as adults or minors, so a server will know whether it can send out "indecent" material. This shifts the burden of establishing age-identity from the content provider to the business or school giving out the Internet account. It also would allow any unscrupulous net.lurker to troll for "I am a child" tags and follow them back to the originating site -- not exactly the best way to protect the children! I should have realized this DoJ strategy earlier. Last week when I was arguing with Bruce Taylor, an architect of the CDA, we went 'round and 'round on the issue of children on the Net. He maintained that every Internet user has to have an account somewhere, so the provider of that account can tag the user as a minor or adult. I asked Taylor how his proposal was possible with the TCP/IP protocol -- the nerve system the carries all the data flowing through the Net. He replied that technical problems can be solved by technical people, and wasn't there a new protocol being developed, anyway? Basically, his position was: "Your side comes across to the court as saying that it can be done but we won't do it. You're a bunch of geeks who want to protect their porn and the court isn't going to buy it." The "new protocol" being developed is IP Version 6, which the DoJ zoomed in on in cross-examination of one of our witnesses, Scott Bradner from the Internet Engineering Task Force: 13 Q Would it be fair to say, to summarize what you've just 14 said, that the IP Next Generation group is working on a new 15 generation of the IP Protocol itself? 16 A That is correct. 17 Q Does it have -- does the IP Next Generation group have 18 recommendations regarding a specific architecture of the 19 packet traffic on the Internet, including the format of the 20 packet? The DoJ is going to argue that IPv6 can include such an adult/minor tag in each datagram. Chris Hansen, the head of the ACLU's legal team, says: Olsen is going to push this tagging idea that the government has, that you can imbed in your tag -- in your address -- an adult or minor tag. They're going to suggest that the market will come into existence that will make that tagging relevant. It's more like the *judicial penalties* will evolve to make the tagging not just relevant, but mandatory! On the cypherpunks list, Bill Frantz, a computer consultant, outlines one problem: One of the migration paths suggested for IPV4 to IPV6 migration is to tunnel IPV4 packets within IPV6 packets. IPV4 packets do not provide for an adult/minor tag, so until the transition to IPV6 is fairly well along, this approach will be ineffective. If the people who are worried about minor's accessing smut want something this century, they should go with PICS. A member of the IETF replies: Neither, for that matter, do IPv6 packets -- there is no provision for them. Furthermore, were anyone to create an end to end header of that sort, it would be eight bytes of wasted space in every packet in the net, especially since the implementation of such a tag is a technical impossibility as there is no way to force the originating system to tell the truth. The "high-touch" argument against this is important as the high-tech one. I just received the following mail from someone who would be unable to continue his work if the DoJ's IPv6 scheme is implemented: We provide free anonymous access to the net to sexual abuse survivors. We don't even know who they are, nor do we care - a lot of them are hiding out from their perps, and to try and identify them would be a tremendous breach of trust, as they are depending on us for their anonymity, much as a reporter would protect their anonymous source. I also have been told by these folks themselves that some of them are under the age of 18 - hell, I've had a few that tell me that they are 13 or 14 years old, and that they are still at home, still being raped by their perps. We provide an outlet for their frustrations, emptional support, a community for them, people to talk to, and support for them if they choose to report their abuse. None of this would be possible if Taylor and friends had their way. Sure, we could trace each and every one of them back to their providers, and find out who they are, but I'm not going to do it, and I'm perfectly willing to go to jail to protect their identities. My integrity is worth a whole hell of a lot more than any government law. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ WHO CARES ABOUT KIDS: WHO ARE THE ADULTS? +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ The third way to answer the now-tiresome who-are-the-kiddies question is to turn it on its head and ask: "Who are the adults?" Hardware to answer that question already exists. The March 25 issue of Interactive Week reports that Livingston Enterprises, Inc. has colluded with Senator Exon's staff to design an "Exon box" -- a router that lets ISPs cut off unrated or "indecent" or unrated sites. To get around the block, an "adult" enters a secret password that tells the router to open a session and let the packets flow. Exon's staff is heralding this as an example of how easy it is to comply with the CDA. The only problem is that, like many such hamfisted censorship "solutions," it sucks, and it ain't going to work. One of the original architects of the Internet, David P. Reed, wrote: I do work to protect my children from inappropriate material, but pressure from Senators to mandate technically flawed solutions, and opportunistic, poorly thought-through technologies from companies like Livingston are not helpful. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ OLSEN AS AN EXPERT WITNESS -- ON WHAT? +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ As I was writing this, I started wondering why Olsen got picked as the DoJ's expert witness for tomorrow's hearing, especially when his research is *not* in distributed computing environments and protocol design. It's in human computer interaction and user interfaces. One of Olsen's former students at Brigham Young University contacted me last week, saying he had initially hoped that Olsen was "lending a neutral opinion" on technical issues "but that hope proved false." I asked if his former faculty member has "done any work relating to distributed computing environments like the Internet?" His reply: "The closest thing I'm aware of is a paper on interactive bookmarks." Network engineering that ain't. On April 7th I sent Olsen email, asking him: "What kind of research have you done related to distributed computing environments like the Internet?" As of April 11, still no response -- even though he had replied to my earlier messages almost immediately. (I wouldn't put it past the DoJ's tame attack ferret, Jason Baron, to try and muzzle Olsen as well.) Vanderbilt Professor Donna Hoffman writes about Olsen: A colleague at CMU told me that Dan Olsen is largely an administrator at BYU and will assume administrative duties at CMU as the temporary head of the HCII... I've seen his vita and talked to some colleagues in CS and related fields about his work and it doesn't seem that he has done much, if any, research related to the distributed computing environments like the Internet. His vita is difficult to parse because he has numerous items I can't identify - for example, are they book chapters, working papers, proceedings? Where were they published? And so on. He is the Editor of a new journal published by CACM which started a few months ago, related to human-computer interaction. His main research interest seems to be in user interface issues, but he hasn't published much in scholarly journals so I would conclude that his work has had little impact on the field. (I should point out here that a member of the HCII at CMU sent me mail saying that conference proceedings are the main form of publication in the field.) Still, I wonder why the DoJ couldn't get a real net-expert to defend the CDA and the network protocol schemes they're proposing? Grey Flannel Suit (aka Air Force Special Agent Howard A. Schmidt) is going to take the stand tomorrow and do a live demonstration of how he can find cybersleze on the Net. I can hardly wait! Grey Flannel has been involved in a half-dozen porn prosecutions in the past: two dealing with civilian porn sites and and four dealing with military ones. From the deposition he gave in Washington, DC earlier this week, the extent of his testimony seems to be: "I went onto the Net and found dirty pictures." The following clue as to Grey Flannel's history of porn-prosecutions flowed into my mailbox the other day: It would be interesting to find out if Schmidt was involved in _US v. Maxwell_, 42 M.J. 568 (USAF Ct Crim App 1995), a military justice case concerning a USAF colonel who used AOL to communicate "indecent language" to another servicemember and to traffic in pornographic matter. USAFOSI was clearly involved in the investigation, but no agents are named in the opinion. Flannel will be followed by our last witness, MIT's Albert Vezza, and then Dan Olsen. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on 4/12, possibly 4/15 as a last day of witness testimony, 4/26 for rebuttal if necessary, and 6/3 for closing arguments. Mentioned in this CDA update: Michael Froomkin: "The Internet as a Source of Regulatory Arbitrage" <http://www.law.miami.edu/~froomkin/arbitr.htm> Wired: "How Anarchy Works -- Inside the Internet Engineering Task Force" <http://www.hotwired.com/wired/3.10/departments/electrosphere/ietf.html> Net-Guru David Reed's article: "CDA may pervert Internet architecture" <http://fight-censorship.dementia.org/fight-censorship/dl?num=2093> Michael Froomkin's LONG article on anonymous remailers: <http://www.law.miami.edu/~froomkin/ocean1-7.htm> Dan Olsen at BYU <http://www.cs.byu.edu/info/drolsen.html> BYU's censorship policy <http://advance.byu.edu/pc/releases/guidelines.html> Internet Eng Task Force <http://www.ietf.org/> Rimm ethics critique <http://www.cs.cmu.edu/~declan/rimm/> Int'l Net-Censorship <http://www.cs.cmu.edu/~declan/zambia/> CMU net-censorship <http://www.cs.cmu.edu/~kcf/censor> University censorship <http://joc.mit.edu/> Grey Flannel Suit <howardas at aol.com> This report and previous CDA Updates are available at: <http://fight-censorship.dementia.org/top/> <http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/> <http://www.epic.org/free_speech/censorship/lawsuit/> To subscribe to the fight-censorship mailing list for future CDA updates and related net.censorship discussions, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: <http://www.eff.org/> <http://www.aclu.org/> <http://www.cdt.org/> ----------------------------------------------------------------------------- From hoz at univel.telescan.com Sat Apr 13 05:21:51 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Sat, 13 Apr 1996 20:21:51 +0800 Subject: Entropy Estimator Message-ID: <199604130725.AAA00737@toad.com> On 12 Apr 1996 at 20:58:19 Timothy C. May wrote: >At 9:06 PM 4/12/96, rick hoselton wrote: >>... I have these two 8-million byte >>files. One is a recording made by a geiger counter, every bit >>is uncorrelated with anything else in the universe ... >No, this is not the case. Suppose your file of 64 million bits of entropy >is stored as "Rick's Geiger Counter File,"... I left the word "you" out of one sentence. My line breaks are very strange. I wrote "chronologist" when I meant "horologist". I revealed a US-centric point of view, and I broke a New Year's resolution by contributing to the noise level on the cypherpunks mailing list. But I did not forget to say: >...every bit is uncorrelated with anything else in the universe ... :) Rick Hoselton It's not really fair to call me crazy, just because one of my personalities is paranoid/schizophrenic. Rick F. Hoselton (who doesn't claim to present opinions for others) From hkhenson at cup.portal.com Sat Apr 13 05:30:23 1996 From: hkhenson at cup.portal.com (hkhenson at cup.portal.com) Date: Sat, 13 Apr 1996 20:30:23 +0800 Subject: Federal Court Friday for Henson Message-ID: <9604111032.1.29952@cup.portal.com> To: hkhenson From: hkhenson Subject: anouncement Date: Thu, 11 Apr 96 10:31:13 PDT Lines: 248 To those who have not been following the antics of the Scientologists in their epic battle with the Net, and various cryonicist, extropians, cypherpunks, pensfa, kabuki, and bay area folks: After a Temporary Restraining Order was issued against well known net.person Grady Ward by the Scientologists, I looked up one of the forbidden documents on the news spool, commented on the criminal aspects of the contents, and posted it to the net. A week later *I* was served with a 3 inch stack of legal papers. There will be a hearing for me in Federal court, Friday, April 12, sometime between about 9:30 and 11:30. It might be kind of fun, since I am starting by trying to get the judge to disqualify himself. If you want to know *way* too much about this subject, the meat of the court filings are at: http://www.cybercom.net/~rnewman/scientology/henson/home.html And here is the my posting (sanitized), a threat letter, and my response. Sorry for the spam and the short notice. Wide distribution, especially to news media encouraged. Keith Henson ************** H. Keith Henson San Jose, CA 95123 408-521-0614 Ronald M. Whyte, Federal Judge Northern District of California San Jose, CA Open Letter to Judge Whyte Dear Judge Whyte: In the company of perhaps 100,000 other people (the readers of the Usenet newsgroups alt.religion.scientology, alt.activism, alt.2600, comp.org.eff.talk, and misc.legal), I read the TRO against Mr. Grady Ward and "all persons in active concert." Was it your intent for this order to apply to random persons on the Internet such as myself? If so, I believe the TRO is a violation of my First Amendment rights to discuss the criminal activities of the cult of Scientology. Upon reading the TRO you approved, I sorted the list of documents attached and ran a text search on the news spool on one of my accounts to see if any of these documents were there. Some were-- though it is impossible to tell if they are the real thing or not. I pulled out the first one which came up. I had not been inclined to look at this material before (it's *boring*), but your TRO inspired me. Assuming this is real, I can see why the "Church" of Scientology is trying to suppress this material. If carried out, the instructions in this particular bulletin amount to *criminal* acts, to wit, the practice of medicine without a license. I reproduce this widely available document in its entirety for your edification. > HCO BULLETIN OF 14 NOVEMBER 1978 [snip all but name, I an under a TRO not to disclose the contents.] Please note that point 4 states that this process of "blowing BTs" cures illness. The phrases "cease to read" and "no longer read" refer to "auditing" with an E-meter. The "Church" of Scientology is under Court orders stemming from FDA actions in the early 1970s against making such claims involving the use of E-meters. This bulletin (assuming it is real) is written evidence of the level of contempt the "Church" of Scientology has for the Courts. Scientology even has policies on using the court system to abuse critics and former members. Forbidding discussion of this particular document, including quoting it entirely, is clearly against the public interest as well as a violation of my First Amendment rights. Unless, of course, copyright law can be used to prevent disclosure of instructions for criminal activity. With respect to "all persons in active concert," I have certainly been sympathetic to the ideals Mr. Ward espouses, and felt much of the rage he must have felt when (as he puts it) the "criminal cult of Scientology" sent Gene Ingram, a wanted felon, to obtain pictures of Mr. Ward's children from his mother by deceit. For what reason did the "Church" of Scientology need pictures of Mr. Ward's children? Were they planning a kidnapping or was this just a tactic of intimidation? This would certainly be an interesting question for you to skillfully ask of the members of the law firm which paid Mr. Ingram for this particular service. They will be in your court Friday. I know that taking a stand against Scientology is likely to subject me and my family to the same abuse Mr. Ward has experienced. But there comes a point where people of good will *must* stand up to criminals--even to those who are experts in using the courts to harass. If you think I am being too harsh in this matter, I can supply you with nearly unlimited affidavits and court findings which show a consistent pattern of criminal behavior for this cult over decades of time. Friday I will provide to you a letter from Mr. Arnie Lerma to Judge Brinkma about the stunts pulled on Mr. Lerma in a related case. Many of those who read these news groups are outside of the US, and thus not subject to your authority. I, however, am local to San Jose and will be in your court Friday morning. It is my position that the public interest in this matter should override *all commercial* copyright concerns. The entire corpus of material the "Church" of Scientology is trying to keep from public view is so at odds with what cult victims are told when they are suckered into it as to constitute fraud--thinly disguised as "religion." On the other hand, if you feel the TRO *does* preclude quoting examples of the copyrighted, trade secret, criminal instruction manuals of the "Church" of Scientology, please let me know. Sincerely, H. Keith Henson President/CEO Xanadu Operating Company [CoS threat letter, and my response. Posted on alt.religion. scientology, comp.org.eff.talk and misc.legal] Yo folks! Another letter from Helena showed up in my mailbox. [posted and mailed, cc to Judge Whyte] >Dear Mr. Henson, > > I represent Religious Technology Center ("RTC"), the owner >of the confidential Advanced Technology of the religion of >Scientology, and the holder of exclusive rights under the >copyrights applicable to the Advanced Technology materials. >Among these copyrighted and confidential materials are the >Advanced Technology materials of certain levels known as "NED for >OTs Series." Boilerplate. Do you have a macro programmed with this introduction? > I have been informed that you have posted NOTs Series 34 to >the Internet without the authorization of my client, who, of >course, would not have given such authorization had it been >requested. That I did. In particular the HCOB of Nov. 14, 1978. I presume by your complaining that RTC acknowledges this material to be an official copyrighted, trade secret, instruction manual for criminal activities? No wonder you want to keep it from being discussed! > I also see that you are claiming that you have talked >to the court and that this justifies your posting. You would have to be exceptionally dense to avoid noticing that the quoted document was right in the middle of a letter to Judge Whyte. > I am hereby placing you on notice that NOTs Series 34 is a >copyrighted, unpublished work. And I am hereby placing RTC on notice that the HCOB of Nov. 14, 1978 contains claims and instructions which seem to me to be both criminal in nature and in violation of certain court orders against the "Church" of Scientology. > Not only is it subject to the TRO >issued by Judge Whyte against Grady Ward (and will be subject to >the preliminary injunction once issued), it is also subject to a >preliminary injunction issued by Judge Whyte in Religious >Technology Center v. Netcom On-line Communications, Inc. against >Dennis Erlich. In both instances, the injunction is against Ward >or Erlich and their "agents, servants, and employees, and all >persons acting or purporting to act under his authority, >direction or control, and all persons anyone acting in concert or >in participation with any of them who receive notice of this >Order." These injunctions were issued on the basis that RTC was >likely to succeed on the merits of its claims. Well, lets see. I am certainly not any kind of "agent, servant or employee" of either Dennis Erlich or Grady Ward, nor do I act under any kind of direction or control. Now, you can go argue with Judge Whyte that all persons who happen to read a.r.s, agree with Grady or Dennis that CoS is a scam of a cult, and take independent action are "acting in concert or in participation." Lots of luck. > > You have also included in your notice a request for people >to send you the NOTs materials. I am not interested in just *any* old NOTs materials. I asked for NOTs materials which amounts to instructions for criminal acts, such as those found in the HCOB of Nov. 14, 1978, or fraud. I believe discussion of this subset(?) of these materials is in the public interest. I am prepared to go to court to defend my right to quote from and discuss the criminal acts and policies of the "Church" of Scientology. > Please be informed that the >California Uniform Trade Secrets Act prohibits even the >*acquisition* of materials containing trade secrets. I simply do not believe that anything which can be found by a few seconds of searching on any one of a hundred thousand computers all over the world can be considered a "trade secret." What is a non-profit *Church* doing with trade secrets anyway? Trade secrets are for *profit* making commercial companies. Or perhaps fraudulent scams. > It is for >this reason that Mr. Ward was enjoined under trade secret law. >Your solicitation of these materials is a violation of that law >and an inducement to others to do so. As I pointed out above, I asked for material which amount to criminal instruction manuals or material which shows evidence of fraud on the part of Scientology. It will be very interesting to be enjoined in a First Amendment pursuit which is so clearly in the public interest. You really should try. You don't even have to hire a process server. Give me a call, beeper # 408-521-0614, and I will come down to Mr. Hogan's office and pick up my papers. > I am setting forth below the TRO issued by Judge Whyte and >the notice which I posted after the TRO was issued. I hereby >demand that you cease and desist from any and all further >posting, reproduction, display, distribution, solicitation or >acquisition of NOTs Series 34 or any of the Advanced Technology >works of the Scientology religion. > > Sincerely, > Helena K. Kobrin Well, Helena, I am going to put it a little nicer than Grady would, but you can take your demand, fold it till it is all corners, and stick it where "the Sun don't shine." And, just to show I mean it, I am *again* asking for NOTs or any other Scientology "AT" materials, acquired by legal, or *illegal* means which describe criminal acts, amount to criminal instruction manuals, or show the fraudulent bait and switch nature of Scientology. It is my intent to comment on and post this material in the public interest. I do not believe that either copyright law or trademark law will prevent the publication of information relating to unlawful acts. If you think otherwise, I suggest you check with a couple of tobacco companies. > NOTICE TO READERS: > > On March 6, 1996, Grady Ward posted a message to the >Internet soliciting a NOTs pack. In a later posting, Ward [snip for bandwidth] Keith Henson SP 4, bucking for SP 6 From blake at bcdev.com Sat Apr 13 05:37:30 1996 From: blake at bcdev.com (Blake Coverett) Date: Sat, 13 Apr 1996 20:37:30 +0800 Subject: Entropy Estimator Message-ID: <01BB28AF.778AE600@bcdev.com> > them. So far, the results have been consistent within 20%. EXE's show 3-4 > entropy bits/byte, ZIP files show 6-7, and DLL's and text files show 1-2. Hmm... EXEs have twice the average entropy of DLLs?? The structural difference between an EXE and a DLL is a single flag in the header. I suspect that either your sample inputs are highly non-representative or your algorithm for estimating entropy is badly flawed. regards, -Blake From gnu at toad.com Sat Apr 13 05:37:48 1996 From: gnu at toad.com (John Gilmore) Date: Sat, 13 Apr 1996 20:37:48 +0800 Subject: SF BAY event: Goodlatte, Burns, Pressler, Diffie, Hellman, Merkle, ... Message-ID: <199604130647.XAA29808@toad.com> The event costs $35 (or $20 if you're a Churchill Club member). Probably plus the price of dinner -- this wasn't clear from their recording. I wish I would be in town for it. Someone do a trip report, please! -- gnu Date: Thu, 11 Apr 1996 19:43:08 -0700 From: Kate Apgar <kapgar at ix.netcom.com> To: webmaster at eff.org Subject: Goodlatte to appear in Burlingame My name is Kate Apgar and I am the executive director of the a non-profit, nonpartisan organization called the Churchill Club. We present about 20 programs a year with topics ranging from arts, entertainment, education, foreign affairs, economics, medicine and high technology. We are hosting a program on cryptography. One of the keynote speakers is Congressman Goodlatte (see description of program below). If this information is appropriate, please post and let us know. Thank you for your time. Information Security and the 20th Anniversary of Public Key Cryptography Monday, April 29, 1996 Marriott Hotel, Burlingame, CA 5:30 PM Full Dinner 6:30 PM Program KEYNOTE SPEAKERS: Senator Conrad Burns (R, MT) Senator Larry Pressler (R, SD) Congressman Robert Goodlatte (R, VA) David Morris, Vice President, Cylink Corp. Jim Omura, Chief Technology Officer, Cylink Corp. James Freeman, Special Agent in Charge, FBI Phil Mellinger, Chief Engineer, Government Securities Assoc. Paul Raines, Project Manager, United State Postal Service Whitfield Diffie, Martin Hellman and Ralph Merkle - Pioneers and original patent holders for public key cryptography Economic espionage is costing the nation billions of dollars in lost business every year. U.S. companies are in danger of losing everything from trade secrets and proprietary financial information , to the bottom line figures on contract bills. Three bills are now in Congress to protect government, business and home computer users from outside snooping of sensitive information. These proposed new laws have been written to encourage the use of encryption and loosen export restrictions on encryption technology. Congressman Goodlatte is the author of one of these bills. April 1996 is also the 20th anniversary of the creation of Public Key Cryptography. The three principal pioneers and patent holders will also be present to share their views on the need for strong encryption. Morris of Cylink Corp. will provide an overview of what state-of-the-art security solutions are needed, and available, to truly protect business from unauthorized access. James Freeman of the FBI will discuss the recent study on industrial espionage and Paul Raines from the U.S. Postal Service will talk about electronic postmarking and certificate authority key registry bureau. TO REGISTER: Please call (408) 371-4460 or fax reservations (408) 371-4180 or email chrchllclb at aol.com PRESENTED BY THE CHURCHILL CLUB From jamesd at echeque.com Sat Apr 13 06:14:08 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 13 Apr 1996 21:14:08 +0800 Subject: RC4 improvement idea Message-ID: <199604120717.AAA17361@mail1.best.com> <jamesd at echeque.com> wrote: > > Such keys are not weak. At 02:57 AM 4/9/96 -0700, David Wagner wrote: > No, the report was right: the weak keys are real. > > For one key in 256, you have a 13.6% chance of recovering 16 bits of > the original key. > > On average, the work factor per key recovered is reduced by a factor > of 35 (i.e. the effective keylength is reduced by 5.1 bits) by using > this class of weak keys. Why do you not just assume the last byte of the key is 0x4A Then for one key in 256 the effective keylength is reduced by a whole 8 bits instead of a measly 5.1 bits. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From sjb at universe.digex.net Sat Apr 13 06:31:28 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 13 Apr 1996 21:31:28 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v03005b03ad944efa70c3@[206.126.100.99]> Message-ID: <199604121833.OAA01707@universe.digex.net> Marshall Clow writes: >>Anyway, you computer creates the IP packet, but then sends it to your >>ISP's router. That router *always* makes changes to the packet header >>because it must decrement the time-to-live field and recompute the >>header checksum. The ISP's router software would (in the scenario I >>suggested, but deplore), based on to whom it's connected, set the >>drivers licence flag as it sees fit. When a PPP account of a "minor" >>sends a packet, the router always inserts "minor". When the account of >>an adult sends it, it inserts "adult". When the account of a partner >>who has contractually accepted liability for the flag's setting sends a >>packet, it leaves it alone. >> >How would this work in my case? >I have a Pipeline 25 ISDN router in my house. >I have several computers, used by myself, my wife, and my kids, connected >via Ethernet to the p25. The router talks to my provider. I have _one_ >account at my provider. > >Multiple IP #s, multiple machines, multiple users, ONE account. >Which router will insert the "suggested" flag, and how will it decide which >packets to tag? The way I envision it (in my nightmares), you'd have two options: have the account configured as "kid safe", and live in a cyberspace playground, or have it configured as "adult", and accept responsibility for your kids' use. As I see it, with the censorship support at the network layer that I outlined, the ISP can have "common carrier" status. They sold the account to an adult, so all packets delivered to the account are delivered to that adult, as owner of the ISDN router. If the adult chooses to then deliver that packet to a child, it's no different than if the adult buys a copy of "Debbie Does Dallas" and shows it to the kid. >I suspect the people who thought this up haven't thought it through. :-) >They are confusing "ISP accounts" with "e-mail" addresses, maybe? Well, I don't know that the CDA supporters are thinking of. I just responded to the charge of "technically infeasible" with an outlined technical solution. I *do* think that the separation between ISP account and email address isn't quite as black and white as you seem to think. >My setup may be unusual, but it's certainly not unique. Actually, I expect configurations like yours to become more widespread in the near future. There are a lot of cable-modem designs that basically put an ethernet port on your cable box. There's little practical difference (from a network topology perspective) between that and your ISDN setup. From junger at pdj2-ra.F-REMOTE.CWRU.Edu Sat Apr 13 06:37:24 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Sat, 13 Apr 1996 21:37:24 +0800 Subject: On computer face recognition: In-Reply-To: <Pine.SV4.3.91.960411144737.17506D-100000@larry.infi.net> Message-ID: <m0u7mkF-0004KkC@pdj2-ra.F-REMOTE.CWRU.Edu> Alan Horowitz writes: : How do _people_ recognize faces? Some of us don't. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From tcmay at got.net Sat Apr 13 07:01:16 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 13 Apr 1996 22:01:16 +0800 Subject: Any examples of mandatory content rating? Message-ID: <ad93dffc1b021004ed13@[205.199.118.202]> There are several swirling proposals for "rating" of Internet packets, Usenet articles, Web pages, and perhaps other computer-communicated items. There are also things like the "V-Chip," included as part of the Telecommunications Act. (The V-Chip is ostensibly a "voluntary self-rating" scheme, with an included mandate that government will give industry a year or so to come up with a plan.) I foresee major legal challenges to mandatory ratings of content. Issues involving prior restrain, censorship, and the First Amendment of the U.S. Constitution. I'm interested in hearing about any _actual_ examples where a government body in the United States has mandated that intellectual property (roughly, written words, magazines, motion pictures, CDs, etc.) be "rated" or "age-labelled." Before anyone out there fires up his "Reply" and tells us about movie ratings, magazine warning labels, and the like, read on. To forestall a couple of likely examples some will cite, let me discuss a few oft-cited cases: 1. Movie ratings. The familiar "G," "PG," "R," and "NC-17." (Used to have "M" for "Mature," and "X" for, well, X-rated stuff.) In actuality, these ratings are _not_ mandated by law, and are done by the MPAA, the Motion Picture [something] Association. There may be serious legal charges brought if, say, a 10-year-old child was let into a showing of "Debbie Does Fort Meade," but this would be after the fact and would presumably involve negligence charges of some sort (contributing to the delinquency of a minor, child abuse, etc.). (A parallel to this is ordinary speech to a child. While speech is not required to be rated, there might well be various sanctions applied to an adult who spoke to a child in various indecent or obscene or "patently offensive" ways. I'm not saying whether I endorse this, and it would depend on just what was said, but the point is that there is no "rating" system for speech imposed, nor would the Constitution admit one.) We may speculate that had the movie industry not adopted "voluntary ratings" in the 1960s, government may have tried to impose ratings, but the fact is that government did NOT impose content ratings. (The important point being that we cannot look to how the movie situation evolved for hints about how Internet packets or articles might be rated.) Note also that the MPAA ratings are not "self-ratings," but are done by a panel of MPAA representative. Many film directors have been very angry over the MPAA ratings they received, and would not have rated their films as the MPAA panel did. There are then local ordinances about allowing children in to see "R" or "NC-17"-rated movies, but this is a case where the government piggybacks on the "private" ratings service (which could raise some important constitutional issues if it was ever seriously challenged, which seems unlikely). This MPAA situation is an important example because it is neither "self-rating" nor "government" rating, but is, instead, something else. This model would be extremely hard to apply to the Internet, as there is no similar body to the MPAA, nor is there the same economic incentive for any such body to form and then to try to cope with tens of thousands (at least) of articles and pages per day.... 1A. A special case of this system is _television and radio broadcast_ of indecent material, a la the FCC's regulations about content broadcast over the airwaves at various times of the day. Cable is not regulated in the same way, though most cable systems I have seen have "adult" material in the evening hours (though definitely not confined to late evening). Lots of wrinkles here, and the FCC is attempting some regulation of some cable..."The Playboy Channel" is involved in a dispute where they are being told they can only send their channel out after certain hours...details should be accessible on the Web. I think this special case of FCC involvement covers a different set of issues than the "content" issue per se. Though this may help to explain some of the rumors about the FCC seeking a broader mandate to regulate "cyberspace," as this gives them a foot in the door to regulate content on the same basis they regulate content of broadcasts. Moving on.... 2. Magazines, as in "For Adults Only!" emblazoned on the covers. In doing my "research" for this article, I consulted my "reference materials," and discovered that such warnings are less common than I remembered them as being. Neither "Penthouse" nor "Playboy" issues that I have at hand contain any such warnings, though some other mags do. So far as I know, there is no government requirement for labelling. Again, there may be sanctions imposed for, say, selling such a magazine to a minor. I can't say as I've ever heard of a court case along these lines. Importantly, there appears to be no "ratings board" run by the government that rates such materials a priori. ("Obscenity" is not the same as pornography or nudity, as we all must know by now.) I conclude that magazines need not be labelled, voluntarily or otherwise, though there may be sanctions if children are exposed to certain materials (though this is unlikely). More to the point, it seems likely that the laws which exclude children from entering bars and strip joints are the one which would apply to keeping children out of "adult bookstores." An important point was made recently by someone on the Cypherpunks list, that some libraries make a point of providing access to _all_ materials, by _all_ patrons, including back issues of "Penthouse." So far as I know, no librarians have gone to jail for this. Moving on... 3. "Explicit Lyrics" labels on CDs and music. This one is more iffy. I recall the _proposals_ to require such labels, and Tipper Gore (wife of VP) was a leader in this campaign some years back, but I don't believe any laws were formally passed. I could be wrong. And some local jurisdictions may have such laws; I recall some part of Florida mandated a labelling law, or banned sales of explicit lyrics CDs in some way. (The "2 Live Crew" issue, with "Me So Horny" and other gems.) And none of the CDs I have seen here in California with "Explicit Lyrics" or "Parental Advisory" notices mention who did the rating, whether the lyrics are "Government Censor Approved," etc. This tongue in cheek mention of "Government Censor Approved" is an important point: any hint that a government censor is to apply ratings to written or spoken or similar materials runs smack dab into the First Amendment. This is not just an academic matter. There is no provision for a "ratings board" to review content, and such a "prior restraint" (can't publish something until it's been rated or approved) is a textbook case of prior restraint, forbidden by the First Amendment. (The H-Bomb case involving "The Progressive" was ultimately decided in favor of no prior restraint, even for such a potentially serious situation.) So, if anybody's still reading this, I am interested in _any_ examples where intellectual content (as opposed to food or drug packaging, for example) is required to be labelled. Such examples might shed some light on how these various proposals for "labelling" of Net traffic might work. And absent such examples, might show just what a tough road lies ahead for those advocating such labelling. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sat Apr 13 07:22:13 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 22:22:13 +0800 Subject: InfoWarCon: Call for Papers (Sept in Wash DC) In-Reply-To: <199604130904.CAA03604@toad.com> Message-ID: <Pine.SUN.3.91.960413071904.10486C-100000@polaris.mindport.net> On Sat, 13 Apr 1996, John Gilmore wrote: > goes. The conference itself costs $1000 to attend, but I bet it's > free to speakers. According to the URL: Conference Fees: $495.00 - NCSA Members/OSS Attendees $595.00 - All others Are these in error? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Sat Apr 13 07:23:06 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 13 Apr 1996 22:23:06 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <01I3GPGIWMLG8Y50UU@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.91.960412194208.27436H-100000@polaris.mindport.net> On Fri, 12 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 5-APR-1996 06:26:05.96 > > >There are ways to resist compelled discovery. These are not they. > > Any methods you're willing to mention sans a money order? > -Allen The work I posted discusses many and weighs their strengths and weaknesses. Generally, and not that I would support the obstruction of justice, the key to resisting any coercion is not to leave anything valuable in the reach of the coercer. As an example, if you live in the U.S., and your freedom is valuable to you, you're vulnerable. If you own a house in the U.S., if you hold accounts in your real name in the U.S., if you work for an employer who is in the jurisdiction of the U.S., or if you have assets or an employer in any jurisdiction which has judicial recognition or information shring treaties with the U.S., you're vulnerable. Shooting judges, if the above aren't satisified and if you're in a jurisdiction which extradites for murder, is only going to get you in deeper. I might add that U.S. courts won't refuse to subject you to process because you were brought into the U.S. against your will, or in violation of international or local law. Even non-cooperative jurisdictions won't always save you. (Don't fly over or sail into international airspace/waters either). There was a great article in Fortune about a historic tax fugitive that can show you how the U.S. can "getcha." If your interested, I'll dig up a pointer. Generally speaking, if you really need significant asset and judgment protection, seek the advice of a professional. Professionals may be expensive, but if they will be cheaper than asset forfeiture consider consulting them. I cannot recommend that you venture out on asset concealing or protection schemes without professional advice, no more that I could suggest you do your complicated tax work without professional advice. I'll remind everyone that tax evasion and money laundering are illegal in the United States. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From dsmith at midwest.net Sat Apr 13 07:45:58 1996 From: dsmith at midwest.net (David E. Smith) Date: Sat, 13 Apr 1996 22:45:58 +0800 Subject: Money supply is fake anyway Message-ID: <199604112204.RAA22999@cdale1.midwest.net> > > Banks "invent" money on a daily basis. > > Really? Since when? > That's something from college-level economics. If a bank has reserves in excess of their reserve requirement, they can loan out the excess, several times, gambling that they won't be made to provide all of that alleged money in a more negotiable (outside of the bank system) form, like cash. As I understand it, that's where a lot of the 80s Savings & Loan problems came from - too many people wanted their 'money' in a more negotiable form too quickly, and they had to fold. (OTOH, it's been a long time since I took that college-level economics course.) dave --- David Smith, Intellectual Terrorist http://www.midwest.net/scribers/dsmith/ From llurch at networking.stanford.edu Sat Apr 13 07:57:27 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 13 Apr 1996 22:57:27 +0800 Subject: Email privacy policies at universities Message-ID: <Pine.ULT.3.92.960411160134.23921A-100000@Networking.Stanford.EDU> We don't really have one, because we respect privacy in general. Kind of a "congress shall make no law" approach. Skidmore seems to have a pretty reasonable policy at http://www.skidmore.edu/help/rules/mail-privacy.html If you know of others, please pass along for the discussion on the resnet list, http://www.acns.nwu.edu/resnet/resnet-forum/resnet-forum.html The subject line there reads "off topic" for that list, but I don't think it is. -rich From jimbell at pacifier.com Sat Apr 13 08:13:31 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 13 Apr 1996 23:13:31 +0800 Subject: No matter where you go, there they are. Message-ID: <m0u7aOu-0008y4C@pacifier.com> At 07:48 PM 4/11/96 GMT+01DST, Powers Glenn wrote: >- It's called "S/A" (Selective Availability) which is the NWO term for adding >- errors that "authorized" users can remove. (Not to be confused with A/S, or >- anti-spoofing) It was originally intended to be turned on in wartime to >- deny the enemy accurate fixes, but during the Gulf War military GPS >- receivers were so scarce that the soldiers had to use commercial products, >- so the S/A actually was turned OFF then! >- >- Since then, pressure has been building to turn off S/A, since its usefulness >- is nearly zero. Even so, the amplitude of S/A errors are only a little >- larger than natural errors caused by satellite timing errors, atmospheric >- propagation variations, etc. The result is that DGPS is useful, which is >- (more or less) a fixed antenna and GPS system which knows where it is, and >- subtracts where it "seems" to be by GPS every second, and broadcasts the >- resulting error data on some terrestrial system to receivers locally. The >- result is errors down to the 1-meter level and even lower. That system >- compensates for both natural errors and S/A, so the whole purpose of having >- S/A is negated. Eventually S/A will probably be turned off permanently, but >- even then we'll want to continue to use DGPS systems. > > Close, but not quite: >S/A is an ADJUSTABLE variable, not on/off. Huh? You sound like you're trying to correct me, but you're not. I'm already aware that the magnitude of S/A is adjustable; nothing I've said above contradicts this. >it can reduce accuracy to 10 meters or 100 meters or whatever. For ordinary C/A code (the kind civilians are allowed to use) it can't "reduce accuracy to 10 meters." The minimal error in C/A mode is based on atmospheric propagation and other errors. Adjusting S/A down or off can eliminate the ADDED error, not reduce it below C/A's normal minimum RMS value. >It's a DoD term, not NWO term. I was being a bit facetious. Nevertheless, my implication was correct: The term is "selective availability" and it was specifically chosen to sound "positive" rather than "negative." (I can't tell you exactly which issue of GPS World magazine mentioned this, but I've read every copy since it was started a few years ago. It was probably in this magazine. It would have been more accurate, I suppose, to call this "Newspeak.") > The "this is where you really are" percision location (forgot >the designation off hand) is ENCRYPTED (yes, there is crypto >revelance here...) in the data stream from the satellites. It's called "PPS," for "Precise positioning Service." Check the most recent issue of GPS World for an article on making that even more accurate. Nevertheless, even PPS is only accurate to about +/- 2 meters; DGPS is easily accurate to 1 meter, and I've seen ads that talk about 0.15 meter accuracy with differential GPS in C/A mode. > The difference S/A makes is on the order of magnitude, therefore not >"useless." That depends on what you compare it to. If you compare it to non-differential, C/A code signal, it turns +/- 25 meter (approx, of course) errors to upwards of +/- 100 meter errors, although as I understand it S/A is normally toned down to about +/- 50 meters. BTW, I don't doubt that DoD has the technical ability to increase S/A even beyond +/- 100 meters, but that would be a pointless exercise. It would also strongly piss off the average civilian GPS user, and since by far the largest number of GPS users are now civilian (and this number is growing rapidly) the DoD knows which side of its bread is buttered. And using DGPS, the effect of S/A is essentially nil, since both it and most "natural" (unintentional) errors are cancelled out. So, what part of "useless" do you not understand? Please note that I didn't say it had no effect, merely that it was "useless." As in, no militarily significant effect. If you still disagree, please formulate a plausible (and, ideally, a PROBABLE) scenario under which the presence of S/A achieves a military benefit based on a rational view of whichever "enemy" you choose. Since DGPS receivers are available for well under $1000, you're going to have to hypothesize a poverty-stricken enemy indeed. >It should be pointed out that different regions of the >earth can have different degrees of accuracy based on the S/A system. > I doubt S/A will ever be turned off, but this is my opinion. Just a couple of days ago, I saw a note HERE reporting that Clinton had backed down (his normal behavior, interestingly!) and had decided to turn off S/A. I haven't seen any confirmation of this claim, but then I haven't looked either. If that report was correct, your opinion is already wrong. I am fully aware that it could later be turned back on, if there was a genuine reason to do so. This would be in line with the original intent behind S/A, to turn it on only when there was some real reasons to do so. Why they did not adopt this planned mode years ago, I don't know. >I know Jim's opinion. Discussion of this point is pointless. In other words, "Don't confuse me with the facts." > DGPS transmission are made from a multiple single points, which >(to the best of my knowledge) are not networked. > glenn That's only partially true. There is nothing to prevent the world-wide distribution of a data stream which represents the complete differential correction data for GPS, broadcast from multiple locations by FM subcarrier, idle cell-phone site, HF, pager channels, or other. In fact, it has been argued that it should be transmitted, in the band of the GPS signals(so that a separate differential antenna is not required), from satellites, with the receivers built into GPS units, so that it would be available to everyone no matter where he is. The attraction of this system, from a government/military standpoint, is that it would tend to foster dependance on this correction system by the average GPS user, and would tend to deter development of DGPS stations independent of the government. That means that the government would actually be able to keep the "S/A advantage": When it wants accuracies to be degraded, they will be. Its current policy, however, practically guarantees that DGPS stations will be broadcasting in every major population center within just a few years. Isn't it a good thing that government is so (CDA alert!) fucking stupid? Jim "He only talks about one subject" Bell jimbell at pacifier.com From mclow at owl.csusm.edu Sat Apr 13 08:22:12 1996 From: mclow at owl.csusm.edu (Marshall Clow) Date: Sat, 13 Apr 1996 23:22:12 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v02120d2bad91ecd377cc@[192.0.2.1]> Message-ID: <v03005b03ad944efa70c3@[206.126.100.99]> >Lucky Green writes: >>At 9:48 4/10/96, Duncan Frissell wrote: >>[...] >>>We know that governments would like to impose things like the Simple >>>Tax Transfer Protocol on the Net as well as Is A Person (and Is A Minor) >>>Protocols. >> >>There is one thing about the proposed minor flag addition to IP that I >>don't understand. [No, I am not surprised by this. Mandatory authorization >>to establish a connection and an "Internet Driver License", probably in the >>form or a smart card are coming]. >> >>If my computer creates the IP packet, what is there to prevent me from >>modifying the value of the "Minor/Adult" flag at my leisure? > >Yikes! Don't lend it the credibility of calling it "proposed". >Someone might think you're serious. "Suggested" is as far as I'd go. > >Anyway, you computer creates the IP packet, but then sends it to your >ISP's router. That router *always* makes changes to the packet header >because it must decrement the time-to-live field and recompute the >header checksum. The ISP's router software would (in the scenario I >suggested, but deplore), based on to whom it's connected, set the >drivers licence flag as it sees fit. When a PPP account of a "minor" >sends a packet, the router always inserts "minor". When the account of >an adult sends it, it inserts "adult". When the account of a partner >who has contractually accepted liability for the flag's setting sends a >packet, it leaves it alone. > How would this work in my case? I have a Pipeline 25 ISDN router in my house. I have several computers, used by myself, my wife, and my kids, connected via Ethernet to the p25. The router talks to my provider. I have _one_ account at my provider. Multiple IP #s, multiple machines, multiple users, ONE account. Which router will insert the "suggested" flag, and how will it decide which packets to tag? I suspect the people who thought this up haven't thought it through. :-) They are confusing "ISP accounts" with "e-mail" addresses, maybe? My setup may be unusual, but it's certainly not unique. -- Marshall Marshall Clow Aladdin Systems <mailto:mclow at mailhost2.csusm.edu> "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From gnu at toad.com Sat Apr 13 08:25:37 1996 From: gnu at toad.com (John Gilmore) Date: Sat, 13 Apr 1996 23:25:37 +0800 Subject: InfoWarCon: Call for Papers (Sept in Wash DC) Message-ID: <199604130904.CAA03604@toad.com> Here's our chance to talk with, learn from, and educate the folks who are pushing the concept of information warfare and seeing where it goes. The conference itself costs $1000 to attend, but I bet it's free to speakers. So dig out some related concept you've been wanting to pin down on paper, write it up, and send it in. It'd be pretty silly to run or defend against an InfoWar without the cypherpunks, so let's introduce ourselves before the hostilities begin. I've got a paper in mind... John Excerpted from http://www.ncsa.com/iwpaper.html. Note that this "NCSA" is the National Computer Security Association, not the guys who wrote "NCSA Telnet". Fifth International Information Warfare Conference "Dominating the Battlefields of Business and War Sept 5-6, 1996, Washington, DC Call for Papers We are seeking forward thinking papers, demonstrations and interactive concepts for presentation to an audience of 1000+ attendees; representing civilian and military from more than 20 countries, all branches of the US Government and the top US corporations. The papers should offer new perspectives, attitudes, studies, and technologies that can be used for the advancement of the field. You are free to submit on any subject matter, including, but not limited to: <UL> <LI> Battlefield Dominance <LI> Industrial Espionage <LI> Military Perspectives <LI> Policy Quagmires <LI> Personal Privacy <LI> Denial of Service <LI> Terrorism and Counter-Terrorism <LI> Threats to Global Electronic Commerce <LI> Anonymous International Bankings <LI> The convergence of the commercial and the military in the Post Cold War World <LI> InfoWar Technologies <LI> Case Studies <LI> Your thoughts and ideas </UL> Please submit your 1-2 page concept white papers NO LATER than Sunday, May 5, 1996. The evaluation committee will let you know the results by Wednesday, May 15, 1996. We will need your complete submission no later than Monday, July 15, 1996. Send your papers to Betty at Infowar.Com. InfoWar Conference © Copyright, 1995, NCSA ®.</H5> From die at pig.die.com Sat Apr 13 09:03:13 1996 From: die at pig.die.com (Dave Emery) Date: Sun, 14 Apr 1996 00:03:13 +0800 Subject: Bank transactions on Internet Message-ID: <9604120417.AA22212@pig.die.com> > >>>>> "Dave Emery" <die at pig.die.com> pessimised: > > > [... the tools are too expensive...] > > [... and the skills required are too high...] > > [... for anyone on cypherpunks...] > > Come on, Dave, this isn't alt.2600! > I want to immediately applogize to the list readership if anything in my posting seems to imply that I doubted that some of the list members possess the skills or brainpower to build a key cracker. I am sure a considerable number (at least by comparison with most other net communities) do, and many more certainly have the raw brainpower to learn the required technology if not currently up on it. Motivation and available time are another matter however. My only disparaging comment (at least as intended by me) was that the task was probably beyond some of the alt.2600 type crackers who primarily use canned programs and scripts to perpetrate their attacks. That comment was actually intended as a left handed warning about the advisablity of releasing a readily reproduced hardware key cracker design to the world at large. This seems especially true if entire FPGA array PC plugin boards are becoming a commodity item and readily available and the cracker recipe is buy one of those and install this canned software on it. > Most of the subscribers to this list are professionals -- engineers, > programmers, mathematicians, lawyers -- not phone phreaks. I'm sure > that there are more than a few of us with the knowledge, experience, > and free access to the resources needed to handle most relatively > small-scale designs like this. > > (It's like saying that no one on cypherpunks has access to the > distributed computing resources necessary to perform other sorts of > brute-force cracking -- which is patently ludicrous.) > I'm sorry, but rereading my post I simply don't find the statement that cypherpunks readers couldn't carry out the task, My comments were directed at the original cost and effort estimates that I thought were a little low - I'm certainly aware that many cypherpunks list members are working professionals or grad students/researchers with very considerable "free" resources at their beck and call. And even the pessimistic resource estimate I posted is not beyond motivated people. particularly if they see a large profit or advantage in it. But most importantly I may be making a very nieve assumption about the list readership - that it is mostly good guys and not thieves preparing to rip off hundreds or thousands of credit card numbers/ bank access codes from the Internet for gain. It is the implication that for this thief group it would be an easy $400 project to *design* and build a useful key cracker that I was challenging. (I might add that there certainly are other easier ways of obtaining large numbers of credit card numbers and access codes by such means as tapping unencrypted non-Internet data or voice communications and/or altering existing credit card terminal firmware to make it save up and deliver credit card numbers via a backdoor or bugging device. Gaining illegal access to the phone cables or credit terminals at a mall is certainly easier for most crackers and more typical of their experiance base than designing efficient pipelined key schedulers that fit into an FPGA). Presumably most of the competant, talented cypherpunks who could easily design a cracker are already far too well paid for these design skills to have much of any motivation to build such hardware for criminal purposes. And I might add that to my knowlage (admitedly rather limited) I know of no hardware crackers having been built with this technology (at least outside of the classified world). If it really is a simple trivial project that can be carried out with $400 worth of resources why aren't there NYT front page articles about someone having built a useful one and cracked something ? There certainly are lots of ambitious young grad students with lots of resources available to them and time to do this who would love to make their reputation by being the first to crack DES in under a week ... > For instance, from where I'm sitting in my *home* office, I can see > the full development packages for Xilinx and AT&T FPGAs, Viewlogic > VHDL, schematic, and simulation tools, an HP 1660A logic analyser, and > a Tek THS 720 500 MHz digital scope. > You have better tools than I do (I have a 16500B for example rather than a 1660A (which I'd love), but not hugely so, and I've been mostly semi-retired, taking a sabbatical to care for my newborn son and haven't wanted to spend the money to update resources I'd be largely using occasionally for very casual playing. > And I doubt if I'm the only one here who does this for a living. > Judging from other posts I've seen I have little doubt. Certainly I have done related stuff in the past... > The problem isn't resources, but time and motivation -- what sort of > situation would it take to get me (for instance), and one of > cypherpunk's cryptography wizards, to take the time to collaborate on > something like this. I completely agree. But I'd be surprised if it took much of a crypto wizard to do a brute force cracker as a just a simple brute force cracker. The task would demand much more of the skills of a good clever parallel logic designer to figure out how to effectively pipeline the well known and well defined crypto algorithms within the constraints of a still limited FPGA. What a crypto wizard might add might lie more in the direction of optimized strategies for key generation and scheduling to reduce the number of clock ticks and or gates devoted to this. The game of course is how many keys per second per dollar... anyone can build something that will eventually try a key, it is building something that will try keys at a maximum rate on cheap hardware that is interesting. (Sorry to take so much list bandwidth on this).. Dave Emery die at die.com From perry at piermont.com Sat Apr 13 09:05:30 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 00:05:30 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604112040.NAA18876@netcom7.netcom.com> Message-ID: <199604112050.QAA21809@jekyll.piermont.com> "Vladimir Z. Nuri" writes: > >Thomas Grant Edwards writes: > >> Banks "invent" money on a daily basis. > > > >Really? Since when? > > since we left standards that tie money to things physical with > value. That means, Mr. Detweiler, that the Fed invents money, which is true enough. However, banks in general aren't so empowered. This isn't cypherpunks material any longer so I'll much more happily discuss it in private mail. I feel bad about discussing it this much already... Perry From jf_avon at citenet.net Sat Apr 13 09:06:26 1996 From: jf_avon at citenet.net (Jean-Francois Avon) Date: Sun, 14 Apr 1996 00:06:26 +0800 Subject: Know Your Net.Enemies Project [noise] Message-ID: <9604120236.AA18762@cti02.citenet.net> Rich Graves <llurch at networking.stanford.edu> ambiguously wrote: >definitely be added. I'll write the FUCKING STATIST section. Do you use 'FUCKIN' as an adjective or as an active verb? :) Sorry, couldn't resist :-> JFA From unicorn at schloss.li Sat Apr 13 09:14:07 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 00:14:07 +0800 Subject: Bank information protected by 40-bit encryption.... In-Reply-To: <Pine.GSO.3.92.960411160334.16119J-100000@happyman> Message-ID: <Pine.SUN.3.91.960411171436.8886B-100000@polaris.mindport.net> On Thu, 11 Apr 1996, =?ISO-8859-1?Q?J=FCri_Kaljundi?= wrote: > On Wed, 10 Apr 1996, Tom Weinstein wrote: > > > Sorry, I think I was hallucinating or something. You're right, they > > don't require 128-bit encryption and they only let you query your > > balance. > > Are there any banks besides SFNB then that use weak 40-bit encryption for > anything more than balance queries or transaction history, and allow to > make real transactions on-line? http://www.eub.com > > I know Merita in Finland allows bank transactions using 40-bit RC4, but > they also use one-time passwords (every user gets a printed list with 40 > or so password pairs, each of which you can use just once). > > Juri Kaljundi > jk at digit.ee > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From SBinkley at atitech.ca Sat Apr 13 09:14:28 1996 From: SBinkley at atitech.ca (Scott Binkley) Date: Sun, 14 Apr 1996 00:14:28 +0800 Subject: Scientologists may subpoena In-Reply-To: <1A5C983A02502C79@-SMF-> Message-ID: <5F61983A01502C79@-SMF-> >with bated breath to see whether or not the subpoena is issued. But if >chaning outside the US won't even work, then the remailers aren't going >to do a whole lot of good. What if we set up a chaining remailing system in as many countries as possible, all working in double blind mode. You could have it randomly pick 20 or so remailers before actually sending the message to its destination. That isn't a very clean method, but would sure slow down the process of obtaining court orders in each respective country. I have this other idea, but it would be difficult to set up. Again, with many many remailers, you could set it up, so that any message you send is sent to a random FTP site of the day. Each of the remailers randomly picks messages out of the pool at the FTP site, and sends it on its way (all is encrypted of course). At the end of the day, the FTP site is erased, and a new one is set up somewhere else (all remailers would then scan there). The beauty is that when a remailer pulls a message out of the FTP site, it has no idea where the message came from, nor which remailer (country) sent it there (providing the pooled messages have had the return addresses removed). This would make it very difficult to track down to the source. The disadvantage is that it requires cooperation between remailers, and that a message cannot be replied to. Anyway, just my $0.02 /sb From JonWienke at aol.com Sat Apr 13 09:21:51 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 14 Apr 1996 00:21:51 +0800 Subject: No Subject Message-ID: <199604112221.SAA05470@emout06.mail.aol.com> e. > However, since the protocol requires that Alice send out location data, >once >she starts using it she reveals her physical location to Eve, Mallory, and >anyone ese > who can see the packets. Since the nature of the protocol is that Alice's >location does >not change frequently (and needs to transmitted via a trusted channel to >Bob when it >does), after the first usage Mallory *knows* the physical location he is >trying to >simulate, and can use this information for future spoofing. > > The upshot of this is that Denning's scheme not only provides no >security against >spoofing, and leaks potentially sensitive data about locations. > > If Sadaam Huissain (sp?) had used this scheme during the Gulf War, we'd >have been >able to send a cruise missile directly to his keyboard. This could be prevented by encrypting the data packets, but that would introduce more delay into the protocol, and make it easier to spoof distant locations. >[These flaws in the protocol seem so obvious that I can't help but wonder if >we're >missing something - Dorothy isn't *that* stupid.] Isn't she about the age where Alzheimer's starts kicking in? Jonathan Wienke From stillson at ashd.com Sat Apr 13 09:30:06 1996 From: stillson at ashd.com (Chris Stillson) Date: Sun, 14 Apr 1996 00:30:06 +0800 Subject: WWW User authentication Message-ID: <199604112221.RAA18588@bach.ashd.com> >> >Well, if you use SSL, it's useable by a "large number of browsers" since >> >Netscape has such a large share of the browser market. And then all of >> >the things you're doing w.r.t. authentication are hidden, at least from >> >casual eavesdroppers and others too if you use more than the 40-bit option. >> >There's really no other choice to reach a large number of browsers. > >> Once again mister barber is being an idiot. netscape is not a "large number >> of browsers". > I have to apologize for this. Me having a bad day is not a good reason to call Jeff Barber an idiot. My aplogies. >> He is right that ssl is probably a good way to go. (shttp would >> be better :) ) > >SHTTP might be better if it didn't have to be "useable by a large number >of browsers" -- since Netscape doesn't support SHTTP. (I'm sorry that you >apparently find Netscape's success so frustrating, but it is a fact.) Again, I probably went a little overboard. I just get worried when any one company has as much control over the technology (in this case net based encryption) as netscape has. That, and I used to work for one of their competitors and I get tired of people telling me that netscape is the only company out there. Sorry to be a jerk From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Sat Apr 13 09:33:29 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Sun, 14 Apr 1996 00:33:29 +0800 Subject: No matter where you go, there they are. Message-ID: <9604112350.AA9349@> >From: perry @ piermont.com ("Perry E. Metzger") >Aren't things even worse? Since the satelite signals are not >authenticated with anything like public key methods, couldn't I just >synthesize a signal appropriate to any spot on the planet, knowing the >positions of the satelites relative to that spot? In the case of the C/A (civilian) code, absolutely. In the case of the P code (military) only if you have the key, but in that case, yes. As Jim Bell pointed out, there are boxes you can buy for suitable amounts of money that are "GPS simulators" -- they construct out of whole cloth the signals you would receive if you were at location X with satellites {Y1, Y2, ...} overhead. However, if all you set out to do is fool a location authenticator, deriving shifted location data from the actual satellites is far easier and bound to be much cheaper. There is one limitation this has that the simulator approach doesn't -- delaying real signals requires having access to the same satellites (or a large enough subset, i.e., 3-4 of them) that the checking station has overhead. paul From frantz at netcom.com Sat Apr 13 09:35:37 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 14 Apr 1996 00:35:37 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604111853.LAA24648@netcom9.netcom.com> At 11:50 PM 4/10/96 -0700, Jeff Weinstein wrote: > Given that the IETF has no "official" (whatever that means) sanction, >what would prevent any other organization from coming in and trying to >take over their turf? ... It seems to me that this question represents a classic case of the costs of market entry. IETF has a pretty good reputation as a standards body. If another body were to take over its function, they would have to have superior reputation in the relevant market (i.e. IP protocol suite implementors and their customers). Superior reputation could come from: (1) Better response to proposals. (Hard to imagine in the current climate.) (2) Government coercion. (We will throw you in jail if you don't ...) (3) Government coercion. (We won't buy equipment that doesn't meet x standard.) (4) Large User coercion. (We won't buy equipment that doesn't meet x standard. Probably no user is currently big enough to force standards in this way, not even Microsoft.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Sat Apr 13 09:40:04 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 00:40:04 +0800 Subject: questions about bits and bytes Message-ID: <m0u7Unh-0008yfC@pacifier.com> At 11:36 AM 4/11/96 -0400, Blake Coverett wrote: >> At 06:29 PM 4/10/96 -0700, Simon Spero wrote: >> >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. >> >> I notice you gave no examples. Why is that? >> >> Jim Bell >> jimbell at pacifier.com > >In a past life I worked on a Honeywell DPS8 box that had >36 bit words and 9 bit bytes. I'm seeing a few notes of this sort which make such claims, but there is not enough information included to establish that anybody _originally_ called those 9-bit data items "bytes" or not. It appears to me that after the fact, 20+ years later, there is a tendency to call ANYTHING other than a single bit a byte, at least during that time frame. What I'm looking for, however, is an indication that this was actually the term used, THEN, for that data structure. From bressen at hks.net Sat Apr 13 09:41:32 1996 From: bressen at hks.net (Andrew K. Bressen) Date: Sun, 14 Apr 1996 00:41:32 +0800 Subject: washington post notices archives Message-ID: <199604112139.RAA11386@spirit.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Hi-- we here at HKS.net have today received a cease and desist letter from the washington post regarding editorial copy of theirs that was evidently posted to c'punks and then abosrbed into our c'punk archives. Once the archives are restored (RSN) we'll probably manually edit out the messages from the archive. We're trying to get the post to give us URLs for their copies of the content in question so that we can point to their archives, but their legal dept wasn't sure whether or not their archives were on the web. The posts in question date back some time (archive volume 1); I'm not too concerned about a recurrance (though it would make an interesting attack), but thought it was interesting enough to warrent mention, since it seems likely that the washington post was grepping the net looking for themselves. I wonder if robot exclusion on our site would have prevented this? Although the legal staffer who sent the letter did come up with a URL for the offending messages, she seemed unaware of the concepts of "mailing list" and (semi-automated) archives according to the person here who spoke to her. - --andrew k bressen bressen at hks.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBMW17+1u2h42ZEVfZAQFslQP/avVguGOK/hRz/1SmZtZpld79edoDyJnf yeBkX7WdrfVt1/xSkOdD4xtVHf1FENfeFr50xnt2PPVb8g0E0DQqMv6Cz4ZNy5Su bXzsmvK/zCvLKPn7gueeRjk3jQKohGRf7R9Y6rr6N6jNbCS4zZQQ/nwN7sWdhZA2 epRRPjbH52A= =8d5T -----END PGP SIGNATURE----- From unicorn at schloss.li Sat Apr 13 09:44:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 00:44:09 +0800 Subject: Know Your Net.Enemies Project In-Reply-To: <olPI84q00YUuIE=vI9@andrew.cmu.edu> Message-ID: <Pine.SUN.3.91.960411193514.16784A-100000@polaris.mindport.net> On Thu, 11 Apr 1996, Declan B. McCullagh wrote: > Excerpts from cypherpunks: 11-Apr-96 Re: Know Your Net.Enemies P.. by > Timothy C. May at got.net > > Sort of like Nixon's Enemies List? > > > > Have we become the enemy? > > Tim, I thought that the "Enemies List" name would be seen as a > deliberate takeoff of Nixon's Enemies List, and what I thought would be > a humorous working title for the project until a permanent one was > found. You may remember, BTW, that I don't have the power of the FBI to > command. > > But since I was unclear and since the joke was ill-taken, I apologize. > > To be clear: I envision this as opposition research. In the context of > the CDA, it was very useful to know what the family values groups were > saying -- their arguments and their strategies. A central collection > point for such research is a useful thing. > > Suggestions for a working title, anyone? Re-education prospects list. > > -Declan > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Sat Apr 13 10:01:44 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 01:01:44 +0800 Subject: Digital Cash Escrow In-Reply-To: <ad92e5ef110210042db1@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960413095508.10486K-100000@polaris.mindport.net> On Thu, 11 Apr 1996, Timothy C. May wrote: > At 8:27 PM 4/11/96, Vladimir Z. Nuri wrote: > > >give me a break!!! the future government attempts to squelch, > >suppress, restrict, prohibit, regulate, tax, spindle, and > >mutilate Digital Cash will make Clipper look as significant and > >threatening as a christmas tree ornament. > > Larry, are you just _now_ realizing these implications? A few years ago you > were fairly dismissive of these effects, arguing mainly that "electrocrisy" > (electronic democracy?) would be the main effect, or at least the program > that Cypherpunks should push. [...] > Glad you are finally tuned in to our channel. > > --Tim May I thought everyone had realized that LD was suffering from legitimate MPD by now? > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Sat Apr 13 10:07:34 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 01:07:34 +0800 Subject: questions about bits and bytes Message-ID: <m0u7Ov4-000903C@pacifier.com> At 09:50 AM 4/11/96 -0400, Richard Martin wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >On Apr 10, 6:57pm, jim bell wrote: >> At 06:29 PM 4/10/96 -0700, Simon Spero wrote: >> >No, bytes are no always 8 bits - some machines use(d) 9-bit bytes. >> I notice you gave no examples. Why is that? >Perhaps he thought that most people who were interested could go look >it up themselves. > >- From a really quick web search, we find that the SGI Impact jams 9-bit >bytes [that's what it says] across the Rambus internally. I'm not sure >if the memory itself is 9-bit. Are you sure they're not referring to 8 bits of data and a parity bit? In any case, please give the address to the list so that it can be checked out. From vznuri at netcom.com Sat Apr 13 10:08:01 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 14 Apr 1996 01:08:01 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604111444.KAA20811@jekyll.piermont.com> Message-ID: <199604112040.NAA18876@netcom7.netcom.com> PM: >Thomas Grant Edwards writes: >> Banks "invent" money on a daily basis. > >Really? Since when? since we left standards that tie money to things physical with value. i.e.-- the federal reserve was created, supposedly moving to a gold standard, but which was given up, and then we moved to silver, which was then thrown away by Nixon or whoever. TGE was obviously referring to the way that all banks are authorized to lend money that they don't actually have in assets based on our banking system. they are all "tentacles" of the federal reserve, so to speak. <g> people say, "so what if we don't use gold. money is just an abstraction". perhaps so, but think of this: if an economy collapsed such that money no longer had any psychological value, would you like to go to your bank and have them say, "sorry, we don't guarantee our money"? or would you like to go pick up your few pounds of gold or whatever that the money represented? I can guarantee you this: the latter scenario is not possible in our current system, and if you think it is, perhaps you will encounter a reality check (like the crash of '29 was). a long time ago a "banknote" referred to gold, and that banknote could be traded for that gold. manipulations in our system caused us to lose that standard. few people will understand this, and those that control the money supply and benefit therefrom would prefer it that way. the power of printing and creating money is far more significant than most people understand. again, those that do understand it would prefer that it stays this way. a somewhat amusing book called "Last Waltz of the Tyrants" might interest some. there are many more substantial books on the subject as well. these issues are going to come to the forefront if digital money ever gets off the ground. again, I expect that there are a lot of people secretly working against digital money because it has the potential to interfere with monomaniacal power structures already in place. sure, I'll be flamed by some for writing this, but what is the cpunk list without a little delicious conspiracy theory? From gorkab at sanchez.com Sat Apr 13 10:24:01 1996 From: gorkab at sanchez.com (Brian Gorka) Date: Sun, 14 Apr 1996 01:24:01 +0800 Subject: Hack MSN anyone? Message-ID: <01BB27CD.F1BB8D40@loki> -----BEGIN PGP SIGNED MESSAGE----- The names have been changed to protect the innocent... I need say no more I'm sure. - ---------- From: MSN Support JosephB Sent: Sunday, April 07, 1996 4:05 PM To: xxxxxxxxxx Subject: RE: Connection, Member ID: xxxxxxxxxx, Country: United States (1), Locale: English (United States) Yes, windows95 dialup networking uses compression to send the password when connecting. Thanks for using the Microsoft Network Joseph Beasley msn Member Support - ---------- From: xxxxxxxxxx Sent: Friday, April 05, 1996 5:57 PM To: MSN Member Communications Subject: Connection, Member ID: xxxxxxxxxx, Country: United States (1), Locale: English (United States) Ye[Ask Member Support] MemberID=xxxxxxxxxx Problem Description= Microsoft being security conscious and all, I would hope that when I connect to MSN over the Internet, that my MSN client has the decency to ENCRYPT my password when it sends it over the net, yes? This is the first time I couldn't get through to a dial-up connection and had to access MSN using my ISP. Having done so, I find it extrememly convenient, and would like to continue to do so. Thanks. xxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMW18MRhOHC4UmUYJAQHxvAf+NXAoqm8RUIskjtODUE9MYA+0JRs6x8f9 SMD70zWDRpF7mSPB6QaJcWfnufK5VqynrQ6iHfoNO9rC2yRlmkV04Ce3QW2m1z6P NVgAayVofN0Cjd1vITgdrB1XB9u3PnjXUggyTBLnAprTy79dCQsiTgen/2YujsaV Tzx6Xt87CFS8GwQcKWj5VonTkFQVjOuQIa6GbcVwEFiqVaXp2tLf3RUHXBtJ8B0H nC4wecTyra6CW2AAqFVXXmwVGeDh87caSy4Y3oFEQ8mxgZHFxOZLUeLo3MdaE+nx 33Yl2VdsjxTIlkog1R8d+6A1VDqpVqAJzcdjKnPLm8Sivm9wdGgsag== =TSTX -----END PGP SIGNATURE----- From perry at piermont.com Sat Apr 13 10:35:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 01:35:24 +0800 Subject: No matter where you go, there they are. In-Reply-To: <9604112026.AA8065@> Message-ID: <199604111901.PAA21576@jekyll.piermont.com> Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com writes: > Suppose I want to pretend that I am 1000 feet closer to satellite 4 than > I really am. Simple, I take the signals from all the other satellites > and delay them by 1 microsecond. That looks like a 1 microsecond > local timebase error together with a 1 microsecond delay reduction > to satellite 4. Aren't things even worse? Since the satelite signals are not authenticated with anything like public key methods, couldn't I just synthesize a signal appropriate to any spot on the planet, knowing the positions of the satelites relative to that spot? Perry From dwl at hnc.com Sat Apr 13 10:40:08 1996 From: dwl at hnc.com (David Loysen) Date: Sun, 14 Apr 1996 01:40:08 +0800 Subject: On computer face recognition: Message-ID: <199604111905.MAA07433@spike.hnc.com> At 10:02 PM 4/10/96 -0700, you wrote: > >On computer face recognition: > > >>> Shaving probably will not be a problem, but holding your head at a >>> slightly different angle... will screw up the system totally, >>> unless the system has radically improved since the last time I read >>> up on it. > >At 11:45 AM 4/9/96 -0500, K00l Secrets wrote: >> Well, the systems I have seen are quite good at finding people's eyes. >> Scaling (for distance), and rotation (for the angle of your head) >> therefore don't really confuse the system once it has your eyes. > >Finding the eyes can only control for rotations in the plane of >the image, when you tilt your head to one side. They cannot >handle the much more common case of 3D rotations, where you >look slightly to the right or slightly to the left of camera. >Facial expressions also throw them badly. > Take a peak at http://www.neci.nj.nec.com/homepages/lawrence/papers. One of Lawences papers is on using Neural networks to recognize faces. Methinks that the state of the art is advancing rapidly and such problems as not looking at the camera or changing your expression are rapidly being overcome. ===================================== dwl at hnc.com Zippity do da, zippity ah, my oh my what a wonderful day. Ya right, and hear I am without time to finish a cup of coffee. From perry at piermont.com Sat Apr 13 11:04:54 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 02:04:54 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604112204.RAA22999@cdale1.midwest.net> Message-ID: <199604112225.SAA22025@jekyll.piermont.com> I've answered Mr. Smith in private mail. .pm "David E. Smith" writes: > > > Banks "invent" money on a daily basis. > > > > Really? Since when? > > > > That's something from college-level economics. If a bank > has reserves in excess of their reserve requirement, they From froomkin at law.miami.edu Sat Apr 13 11:13:03 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sun, 14 Apr 1996 02:13:03 +0800 Subject: (political) Privacy, Regulatory Arbitrage, Free Speech In-Reply-To: <9604111802.AA23693@rpcp.mit.edu> Message-ID: <Pine.SUN.3.91.960411174501.26610C-100000@viper.law.miami.edu> Thank you for the thoughtful comments. On Tue, 11 Apr 2000, Joseph M. Reagle Jr. wrote: > I just read your paper and had a couple quick comments, I used to think that > the Internet would be an ultimate promoter of liberal democratic values, > however given recent events in asian countries (which you mention) > particularly actions of China (which you didn't) I am not at all sure that > this will be the case -- of course, one can't prove these things, but I tend > to believe that China could actually clamp down on the freedom of speech > with respect to the following: I agree that the next draft should discuss China more. I think China could probably clamp down very effectively. I am not persuaded it could do so without giving up a very large share of the benefits of access. > > "Like it or not, we live now in an age of completely free speech..." I think > it would be very worthwhile to examine what is meant by "free speech." I > don't think free speech means, if I want, I could say what I want and no one alas, this is beyond the scope of this essay. There's a huge literature on this in the law reviews, though. [...] > > So perhaps the Internet shall provide a mechanism for practical free speech > (allowing some to speak their minds, and the others that get trapped will > get crushed) but it shouldn't be considered a subsitute for political free > speech (in which no one gets crushed). In the case of countries like China, I agree. It's not a substitute. Just an enabler in places that don't choose to practice draconian access control. > the hope is that the practical free speech will enable political free > speech, but based on news reports I am seeing this is less likely than I > used to think, and as you mention in the section of "Mobility of Personal > Data" the capability of this technology to abuse the citizens' and > customers' rights are also increasing, but their isn't an open mailing list > on which everyone can examine the conversation between the organizations > which wish to accomplish this. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From jimbell at pacifier.com Sat Apr 13 11:26:37 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 02:26:37 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u870T-0008xMC@pacifier.com> At 07:59 PM 4/12/96 -0400, Black Unicorn wrote: >On Fri, 12 Apr 1996, E. ALLEN SMITH wrote: >> >I might add that the Cayman Islands are full of trust companies with >> >provisions which forbid the disclosure of data to a client who is >> >coerced. A law on the books refuses to recognize "consent" orders made >> >under judicial compulsion. This would give the appearance of total >> >unavailability of evidence and suggest the futility of contempt >> >charges. Yet courts have still, and with no small measure of success, >> >imposed sanctions on witnesses so protected. >> >> What measure of success? Getting the data, or locking up the witness? >> -Allen > >Getting the data. If the IRS or a private plaintiff wants it bad enough, >they can usually get their hands on it, or at least find out where it is. > >The government of the United States doesn't play "fair" when they want >something. But if the government of the United States does play "fair," then why can we not play "fair" and kill their agents who violate what we feel is our rights? After all, the government is merely the representative of the people (at least in theory!) and it 'must' follow the rules (laws, Constitution, etc). To whatever extent it exceeds those limits, and to whatever extent the public can't get justice to prevent those violations, why would the public be obligated to accept them? To believe otherwise is to believe that the government has some sort of special dispensation to violate the law. I don't believe this; it wouldn't surprise me to hear that you do, however. Which is it? Jim Bell From unicorn at schloss.li Sat Apr 13 11:28:48 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 02:28:48 +0800 Subject: Any examples of mandatory content rating? In-Reply-To: <ad93dffc1b021004ed13@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960413083139.10486F@polaris.mindport.net> On Fri, 12 Apr 1996, Timothy C. May wrote: > > I'm interested in hearing about any _actual_ examples where a government > body in the United States has mandated that intellectual property (roughly, > written words, magazines, motion pictures, CDs, etc.) be "rated" or > "age-labelled." Before anyone out there fires up his "Reply" and tells us > about movie ratings, magazine warning labels, and the like, read on. Well, my examples aren't all going to be in the United States, or strictly intellectual property, or 'age' based, but here: Age rated, I don't think there are many examples. General ratings exist. The best place to look for this kind of thing is e.g., FAA safety ratings on potential aircraft/aircraft part designs. While at first it may seem a bad example, these ratings are generally mandatory if you wish to market things as aircraft parts/related. They are implemented in much the way I envision mandatory Internet ratings being implemented. (e.g., executive Agency created to define standards and execute ratings system as well as enforce infractions by the removal of whatever largess the FAA provides. It might also be noticed that this is right in line with the conflict of interest trend in government of allowing the same entity define and enforce standards of conduct/manufacture/design). It might further be noticed that the FAA rating for parts increases their cost several-fold over non rated parts, even if non-FAA rated parts are literally identical. > So, if anybody's still reading this, I am interested in _any_ examples > where intellectual content (as opposed to food or drug packaging, for > example) is required to be labelled. Mandatory labelling or mandator rating? I think this is an important distinction. Most of the mandatory _ratings_ I can think of (FAA stuff included) are implemented in a round-a-bout way. (i.e. "If you want to market this as X (bear a label) you must comply with Y, Z and U.") I can't think of strict examples of mandatory "Labels" (i.e. "If you want to sell X, it must say Y, Z and U.") where a product simply must bear a quality rating symbol or something. Voluntary systems are many. The green "point" is a german example. (Products wanting to market themselves as environmentally "safe" have to pass certain standards and then can bear the "green point" label. This is still in the 'voluntary' labeling class in my view. It might be noted, however, that if you are selling a food like product without the green point and you have even one compeditor who has it, you're not going to sell a single jar in germany). The other German example is the Reinheitsgebot (Beer purity law, struck down as violating Article 30 of the ECC Treaty in Commission v. Germany, Case 178/84, [1987] ECR 1227). Briefly, the word 'bier' could only be used on beverage products produced with only malted barley, hops, yeast and water. Said the court (translated from the French) "It must be added that such a system of mandatory consumer information must not entail negative assessment for beers not complying with the requirements of the Reinheitsgebot." Laws on the mandatory use of the words "Sekt," "Weinbrand," "Branntwein aus Wein," and "Shaumwein" were struck down in Commission v. Germany, Case 12/74, [1975] ECR 181. Taken as a whole, the German scheme could be viewed as a mandatory ratings system on type and quality of alcoholic beverages. (The German argument for preservation of the Reinheitsgebot was that it prevented consumers from being taken in by producers who were using additives. The Sekt, Wienbrand etc. laws were defended on similar grounds). Granted all of these shy away from Mr. May's "intellectual property" qualification, but only insofar as we ignore the fact that what is really being regulated is a production process. I suppose milk dates are "mandatory" and can be considered a "rating" in so far as they represent percieved quality/freshness. Still, governments are quite talented at making ratings schemes look voluntary when practically speaking they are not. > Such examples might shed some light on how these various proposals for > "labelling" of Net traffic might work. And absent such examples, might show > just what a tough road lies ahead for those advocating such labelling. I think it will end up much like motion pictures. The net will be asked to regulate itself under the threat of government regulation, which might be an empty threat if the First Amendment rights are applied. Most people will comply, it being easier than making a fuss. The real concern, if you believe as I do, that some form of internet rating standards are unavoidable, is allowing the same agency to make and enforce the standards. IRS, SEC, FDA, FAA, FCC are all examples of where and how this can go wrong. For a detailed discussion of the problems of government largess in the context of conflicts of interest, See Reich, The New Property; Reich, The New Property after 25 Years. (Harvard Law Review, I forget the precise cite, but I will dig it up if anyone cares). > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, >tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From stevenw at best.com Sat Apr 13 11:44:50 1996 From: stevenw at best.com (Steven Weller) Date: Sun, 14 Apr 1996 02:44:50 +0800 Subject: Bank transactions on Internet Message-ID: <v01540b00ad917ec02a02@[206.86.1.35]> On FPGAs: > And it is rather unlikely that one could make a high clock speed >high performance hardware based key cracker work without traditional >high speed logic debugging tools such as a fast logic analyzer (if we >are talking 5-10 ns clock especially) and a 1 ghz or so digital scope. >These kinds of gear, though sometimes available after hours to engineers >working for more liberal companies or schools, cost many thousands >of dollars and are not garden variety items available to any hacker. Probably not necessary. Simulators do just fine. And the FPGAs themselves top out at 50 to 80 MHz. > And finally, depending on the technology of the part being >used, there may be a significant cost in the order of at least hundreds >if not thousands of dollars for a specialized programmer capable of >programming ("burning") the FPGA with the interconnect patterns generated >by the software. These tend to either be specialized to one kind of >part and maybe modestly cheap (hundreds of dollars) or universal and >several thousands of dollars (such as DataIO gear). Easy to access. They are everywhere. The EPROMs are about $6 each and are serial. You could build a programmer at home. > And at least in my experiance (I may be unusually stupid and >careless and clumsy or may not be) even if the parts are a few times >reprogrammable (as CMOS FPGAs often are these days) one can assume >that one will fry, or break the pins off, or reprogram one time too >many the FPGA or FPGA's before one gets the design working. This >means that it would be realistic to assume several parts would be >consumed by the prototyping effort, they may not be cheap and this >adds up too. While there are OTP FPGAs out there (typocally Altera), many are in-circuit programmable *any* number of times since they use SRAM internally not EPROM cells to program the configuration. The latest twist on FPGAs is to add more RAM internally and have them reprogram themselves on the fly, hundreds of thousands of times a second. This cuts the logic requirements down for desidhns that don't need all of the logic all of the time. > So whilst someone working with these parts as part of their job >or schooling might well have access to all the required resources on an >informal basis and be able to build a key cracker in evenings or >weekends for little more than the cost of the chip and a PC board to >hold it, it should be realistically noted that the actual cost of >equiping a lab from scratch with the required resources is more on the >order of tens to hundreds of thousands of dollars rather than $400. True, but $400 is probably not far low. > I must hasten to add that high density FPGAs have many many >legitimate uses in prototyping logic and producing products in small >volumes too small to justify the tooling costs of doing mask programmed >gate arrays (which tend to be significantly faster and easier to design, >but cost $5-100K NRE to set up custom masks for fabrication). The >current generation of them make it possible to build logic systems in >one small chip that a few years ago would have been large PC boards >full of PALs and other logic. My employer uses FPGAs in all new designs for production. They are *very* common for products that sell into the thousands per year. Mask-programmed gate arrays have the major disadvantage of very long lead times, usually a more pressing requirement than saving $30 per board over several thousand boards. Companies now make boards that contain just FPGAs wired in a grid. They are sold as general-purpose logic engines with software to implement circuits as hardware simulations. I'm sure that these would do just fine, though they are costly. ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From jimbell at pacifier.com Sat Apr 13 11:47:52 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 02:47:52 +0800 Subject: questions about bits and bytes Message-ID: <m0u876G-0008z6C@pacifier.com> At 02:51 PM 4/12/96 -0700, Alan Olsen wrote: >At 11:34 AM 4/12/96 -0500, Doug Hughes wrote: >> >>On Apr 12 at 8:07 >>jim bell wrote: >>> >>>Are you sure they're not referring to 8 bits of data and a parity bit? In >>>any case, please give the address to the list so that it can be checked out. >> >>Come on, give it up already and admit you were wrong. At least 8 different >>people have cited examples of machines that supported non 8bit bytes. Your >>pride is getting the best of you. > >Jim is unwilling to admit his errors, even in things he has little or no >training in. (I remember him claiming at one point that he was not a >programmer or did any coding for that matter. Why he continues to persist >in such things I will not speculate on...) What I meant was the most honest answer I could give: I am not a professional programmer. I have programmed, in APL, Fortran, Algol, PL/1, Pascal, and I can read BASIC's well enough, but not recently. From jimbell at pacifier.com Sat Apr 13 11:52:47 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 02:52:47 +0800 Subject: questions about bits and bytes Message-ID: <m0u736N-0008yBC@pacifier.com> At 12:00 AM 4/10/96 -0700, Bill Stewart wrote: >At 09:33 PM 4/8/96 -0400, Jack Mott wrote: >>This may be a bit of a no brainer, but everything I have read sorta >>skips over this point. a bit is 1 or 0. 8 bits make up a byte (0-255). > >Be careful writing code - sometimes a byte is -128 to 127 instead of 0 to 255. >Also, there are machines (mostly old kinky ones) that use bytes of sizes >other than 8 bits. No, Bill, a "byte" has ALWAYS been 8-bits. One of the main reasons the term "byte" was invented was because the term "word" (as in, "word length") varied for different computers, especially in the 1960's. (In fact, many computers of that era used word lengths other than 8, 16, 32, 64 bits, as surprising as this may sound to the current crop of PC and Mac afficionados.) This made it inconvenient to talk about memory capacities unless you were referring to the same machine. The solution was to invent a new term, "byte," which conviently had about the same size as an ASCII character and was always 8 bits. From jeffb at sware.com Sat Apr 13 12:07:49 1996 From: jeffb at sware.com (Jeff Barber) Date: Sun, 14 Apr 1996 03:07:49 +0800 Subject: WWW User authentication In-Reply-To: <199604092100.QAA21158@bach.ashd.com> Message-ID: <199604101707.NAA23185@jafar.sware.com> Chris Stillson writes: > > At 11:58 4/9/96 -0400, Jeff Barber wrote: > >Brian C. Lane writes: > > > >> I just finished writing a cgi script to allow users to change their login > >> passwords via a webpage. I currently have the webpage being authenticated > >> with the basic option (uuencoded plaintext). MD5 would be nicer, but how > >> many browsers actually support it? > > > >AFAIK, none. I don't see how this would be helpful anyway. If you > >MD5 the password, I won't be able to snoop the password off the wire, > >but I can simply snoop the MD5 hash off the wire instead and since > >that's what your authentication check must now be against, what does > >this buy you? > Well, that isn't exactly how digest authentication works. > In fact mister barber should figure out what he is talking about > before saying anything. But, you can't really use a hash function > to send the new password. OK. I suppose I deserved this -- I didn't make the leap from "MD5" to digest access authentication. I've studied up now. Still, as you say, digest authentication won't protect the password modification scenario. > >> When the user changes their password, the form sends their name, old > >> password, and new password with it, in the clear. This is no worse than > >> changing your password across a telnet connection, but I'd like it to be > >> more secure, but useable by a large number of browsers. > >Well, if you use SSL, it's useable by a "large number of browsers" since > >Netscape has such a large share of the browser market. And then all of > >the things you're doing w.r.t. authentication are hidden, at least from > >casual eavesdroppers and others too if you use more than the 40-bit option. > >There's really no other choice to reach a large number of browsers. > Once again mister barber is being an idiot. netscape is not a "large number > of browsers". This, on the other hand, was both uncalled-for and incorrect. Netscape browsers certainly do account for a large majority of the total browsers. If a solution doesn't work with Netscape, most people would agree that it isn't "useable by a large number of browsers". And, in any case, Netscape is not the only browser to implement SSL. Several other commercial browsers also claim to support SSL and I have even heard that there is a version of Mosaic that uses SSLeay. > He is right that ssl is probably a good way to go. (shttp would > be better :) ) SHTTP might be better if it didn't have to be "useable by a large number of browsers" -- since Netscape doesn't support SHTTP. (I'm sorry that you apparently find Netscape's success so frustrating, but it is a fact.) -- Jeff From rah at shipwright.com Sat Apr 13 12:14:08 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 14 Apr 1996 03:14:08 +0800 Subject: PEP Announcement (fwd) Message-ID: <v02120d14ad91c581ad03@[199.0.65.105]> -----BEGIN PGP SIGNED MESSAGE----- At 2:28 PM 4/10/96, Black Unicorn wrote: > This showed up in my mailbox: <snip> > PEP: Pretty Easy Privacy, a set of scripts for OneClick that integrate > Eudora and MacPGP are now available in the latest Button Circle release >at: > ><ftp://ftp.westcodesoft.com/pub/westcode/Contributions/OCButtonCircleMarch9 >6.sit > .hqx> I'm using it. I actually went out and bought OneClick to do so, mostly because I wanted to mess around with scripts for other things and OneClick looks pretty painless to use. PEP works pretty much as advertised, except that the finger operations take too long for my ISP to execute sometimes, and evidently the finger events in Eudora aren't robust enough to wait for the operations to complete, so a "wait" has to run. The work-around is to manually do the finger instensive "get cypherpunks remailer names" and "get remailer-keys" operations with eudora, copy the results, and then run the scripts. Anyway, I bashed on it, and PGP, a bit, and now there's a palette when I use Eudora which I can click to do chained remails, which I was never really able to do before. It also does signs, which are fine, and encrypts, which are also fine, but the decrypts come up in the PGP window, which is crypto-correct, I suppose, but I like the dump-it-into-it's-own-mail-window result of the original OSA scripts which come with MacPGP. This is useful if you actually want to reply to an encrypted mail message. One of the other things that is nice about the original MacPGP scripts is that they automatically verify signatures on decryption, and, at the same time, they also automagically add any attached keys to your keyring, pending certification, etc. Anyway, if you have OneClick already, then PEP is a way cool thing to have. Here. I'll sign this message with it. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMWwYUvgyLN8bw6ZVAQEUKgP/eXQsCS/AaAj07s9PAX07j5WcXCXDGvpF RxDSLqJNA3wOcU3QKrDc/T0HfzQELM/RbjOvDy7XPWUwxEN/SUTfRzAekYtJ6RbM 2w3CDYtNsdXyv4yyrgNF1eIjs+IecYYrCBeXJcvHn6fRwEbVBr+yFgXIprjfeEZ9 of/IGHDE0Qc= =bshY -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From perry at piermont.com Sat Apr 13 12:15:11 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 03:15:11 +0800 Subject: Lotus Notes 24-bit sellout In-Reply-To: <199604121621.JAA01379@igc2.igc.apc.org> Message-ID: <199604131607.MAA27918@jekyll.piermont.com> Jerry Whiting writes: > Definitely a deal with the Devil. Given that we're talking about IBM, not > Lotus none of this surprises me given IBM's Lucifer/DES history with spook > input years ago. Then again to be fair, I don't know if the 40+24 deal > was cooked up before or after the IBM/Lotus merger. > Lucifer wasn't any stronger thatn DES. Please learn a bit about the history of how DES was developed and what attacks it was built to withstand. The story is all 100% public at this point. Perry From alanh at mailhost.infi.net Sat Apr 13 12:17:03 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Sun, 14 Apr 1996 03:17:03 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604091755.TAA13648@utopia.hacktic.nl> Message-ID: <Pine.SV4.3.91.960410232222.12483B-100000@larry.infi.net> President Clinton recently decided to stand-down the dithering (Selective Availability) of the GPS constellation. Check out the satellite-navigation and the surveying newsgroups, this is hot stuff amongst these dudes. From unicorn at schloss.li Sat Apr 13 12:23:27 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 03:23:27 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <m0u870T-0008xMC@pacifier.com> Message-ID: <Pine.SUN.3.91.960413113607.10486M-100000@polaris.mindport.net> I will not, of course, reply to Bell's reply. On Sat, 13 Apr 1996, jim bell wrote: > At 07:59 PM 4/12/96 -0400, Black Unicorn wrote: > >The government of the United States doesn't play "fair" when they want > >something. > > But if the government of the United States does play "fair," then why can we > not play "fair" and kill their agents who violate what we feel is our > rights? Are you planning on affording them due process rights? What about other rights generally? At least the U.S. government attempts to do this. How about a trial, or does it merely take a single bidder with money to have someone offed? Sounds like tyrrany of the rich to me. I might add that if this is the way things were the richest would be the survivors, able to kill their enemies, protect themselves better, and deploy their own agents. Jim Bell would be uni's first victim methinks. Sure, implement this policy, I'd love it. I'm not sure there would be many people standing in the end, but the wealthy would be the last of them. You're merely replacing the leaders with even more despotic types and without any constitutional protections. (BTW, read it closely, I said they DON'T play fair.) > After all, the government is merely the representative of the > people (at least in theory!) and it 'must' follow the rules (laws, > Constitution, etc). I think the U.S. government does a much better job at this than almost any other sovereign excepting perhaps the U.K., which has still had its share of self contradiction. > To whatever extent it exceeds those limits, and to > whatever extent the public can't get justice to prevent those violations, > why would the public be obligated to accept them? Really Mr. Bell has recognized something important, though I'm not sure even he realizes it. Specifically, that when his allies are so few in number he must resort to general terrorism and low intensity conflict to have any hope of success at all. > To believe otherwise is to believe that the government has some sort of > special dispensation to violate the law. I don't believe this; it wouldn't > surprise me to hear that you do, however. Which is it? I don't believe anyone has any special dispensation. It's all a question of who can get away with it. For all your moaning and whining, you are still less able to get away with it than agents of the CIA and the men on top. It must be killing you. I can feel the way the knife twists in you with the realization that you are another small gear in the machine. You and the Unabomber. Horrified at the thought that you might be insignificant. Driven by the need to be important, noticed. Some people work to change the system by developing structures to work within it, or around it. You call for the assassination of (not even particularly important) public officials on the whim of the individual who happens to have cash. You're a one trick pony and it's getting boring fast. Grow up. > Jim Bell [B.A. Physics, Ph.D. Nuclear Physics, J.D., LL.M. (Taxation) Coast Guard Certified Navigator, Ph.D. Computer Science (Thesis on bytes), M.A. Political Science.] --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From dmarner at mis.nu.edu Sat Apr 13 12:45:57 1996 From: dmarner at mis.nu.edu (Dan Marner) Date: Sun, 14 Apr 1996 03:45:57 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture In-Reply-To: <8lOUXbq00YUvBYs3cV@andrew.cmu.edu> Message-ID: <199604091820.SAA24783@mis.nu.edu> There are more details about Livingston's Exon Box (they call it ChoiceNet) available at http://www.livingston.com/Marketing/Press/choicenet_press.html . My kneejerk reaction was to hate this thing too, but now I'm not so sure. If I was responsible for the Internet connectivity for a K-12 school system, I would want this capability in a big way. I see the Livingston product as an enabling technology. The obvious associated risk is Big Brother deciding, "If one router CAN do it, then every router MUST do it!" The idea of having a Naughty_Enabled Bit in IPv6 is, of course, even worse; but I'm glad it isn't my job to exlpain why it is horrid to a Federal judge. Dan On Tue, 9 Apr 1996 02:51:19 -0400 (EDT) "Declan B. McCullagh" wrote: [ SNIP ] > Enforcing the CDA Improperly May Pervert Internet Architecture > > by David P. Reed [ SNIP ] > I just read in Inter at ctive Week (March 25, 1996) that Livingston plans > to announce an "Exon box" - a router that is designed to enable ISPs > to restrict access to "indecent sites" or unrated sites unless an > "adult" enters an authorization code when opening a session to enable > the router to transmit packets to the site. -- Dan Marner dmarner at mis.nu.edu Network Weasel National University "Not on MY network!" From wb8foz at nrk.com Sat Apr 13 13:11:29 1996 From: wb8foz at nrk.com (David Lesher) Date: Sun, 14 Apr 1996 04:11:29 +0800 Subject: No matter where you go, there they are. Message-ID: <199604131648.MAA08425@nrk.com> I asked a friend charged with spending money in this area. Here's his reactions, and those of someone he consulted: ================== ..There is a business case flaw in the proposal. The scheme as laid out only provides a high confidence factor on the users location (+- 10M), NOT on the actual identity of the user. Thus it would have to be coupled with some other form of I&A. The business question then arises, is the confidence delta provided by this scheme consistent with the cost delta? My first take is that the answer is no. =================== Re spoofing the system. If you think about the geometry of the problem, the delay to be induced for each satellite is a time varying function of the satellite's position, the reference site, and the target. It will vary from positive to negative values for many satellite passes. It can be precomputed, but the precomputed adjustment will be in error by some amount due to the orbital perturbations mentioned in the original article. The most common prediction error is the in-track postion, which inconveniently for the predictor has the greatest effect on one's ability to calculate the right delays. Anyone with access to a decent orbital prediction code and access to the statistics on orbital perturbations should be able to calculate the expected delay prediction error as a result of the orbital uncertainties. If the delay prediction errors are detectable, then it seems the system is secure after all, allthough other reservations on operational suitability might still apply. Note that the sensitivity is a function of the distance between the reference site and the target. If you could collect your reference signal across the street from the target, it would make spoofing a lot easier. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From tcmay at got.net Sat Apr 13 13:15:39 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 14 Apr 1996 04:15:39 +0800 Subject: washington post notices archives Message-ID: <ad9521f1030210049162@[205.199.118.202]> At 9:39 PM 4/11/96, Andrew K. Bressen wrote: >we here at HKS.net have today received a cease and desist >letter from the washington post regarding editorial copy >of theirs that was evidently posted to c'punks and then >abosrbed into our c'punk archives. > >Once the archives are restored (RSN) we'll probably manually edit out >the messages from the archive. We're trying to get the post to give us Several relevant points for lists like ours: 1. Expect more and more of these sorts of copyright "cease and desist" (or, as I like to say, "decease and cyst") orders, as newspapers and magazines use search engines to find their stuff. Expect some "automated searches" to be done routinely, even offered as services by third parties. ("Find infringing copies...make $1000 a week in your spare time.") 2. What does removal of infringing articles mean for follow-ups? If I reference a WSJ or NYT article that someone has quoted or forwarded, is my follow-up expunged also? 3. And what of the "Cypherpunks Archives on CD-ROM"? Too late to simply remove a single article...does the entire production run go into the landfill? (I haven't heard much about the "enthusiasm du jour" of the "Cypherpunks CD-ROM," but this always been a concern, that legal issues would have to be resolved, including the getting of releases from several hundred or more parties.) 4. Suppose the HKS archives were actually offshore, in the Cayman Islands or in some place that doesn't recognize copyright law in the same way most Western or Berne Convention countries do? 5. Suppose access to such archives is done via Web remailers, and the location is not easily determinable? (To be sure, lots of hits means traffic analysis will reveal the location....the same general problem with "reply-blocks," of course.) It sounds like the Washington Post is discovering the brave new world. Expect an article or two on this. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sat Apr 13 13:50:06 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 04:50:06 +0800 Subject: PEP Announcement (fwd) Message-ID: <Pine.SUN.3.91.960410142613.9112A-100000@polaris.mindport.net> This showed up in my mailbox: --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information ---------- Forwarded message ---------- Date: Wed, 10 Apr 1996 00:03:29 -0400 From: Amos Elberg <aelberg at wesleyan.edu> To: unicorn at schloss.li Subject: PEP Announcement Uni, can you forward this to the c-punks for me? --------- PEP: Pretty Easy Privacy, a set of scripts for OneClick that integrate Eudora and MacPGP are now available in the latest Button Circle release at: <ftp://ftp.westcodesoft.com/pub/westcode/Contributions/OCButtonCircleMarch96.sit .hqx> PEP is designed to provide features similar to the UNiX premail program on the Macintosh. It handles encryption, decryption, signing, verifying, anon.penet.fi remailing and cypherpunk remailing. PEP uses OneClick to place a button bar in Eudora, from which the user can select privacy functions. Buttons pop-up menus of encryption targets, signature keys and cypherpunk remailers. Q: What do I do about the rest of MacPGP's interface? A: PEP is not designed to replace MacPGP, just to provide easier access to it from within Eudora. For a full featured MacPGP GUI replacement with added features, try Raif Naffah's MacPGPControl application. Q: Isn't the name 'PEP' pretentious and derivative? A: Yes, I think so too. I couldn't think of a better one. Suggestions are welcome. Q: I have a lot more questions. Where are the answers? A: In the documentation. If you have any more questions, please direct them to <mailto:aelberg at wesleyan.edu> ------------------------------------------------------------------------------ Amos B. Elberg | #include disclaimer.h Amos will code for Wesleyan University | food. E-mail me for a resum�. Please. 341 S. Main St. Apt. 3N |---------------------------------------- Middletown, CT 06459 | Help keep the net safe from the Will Code for Food! | aesthetically challenged. Please, Public keys available from the usual | oppose ASCII art. keyservers, or by request. |---------------------------------------- PGP fingerprint = 08 B8 87 04 6B 21 08 5D B0 62 F7 94 7B 42 0F 10 --- end forwarded text From mianigand at [205.164.13.10] Sat Apr 13 14:33:22 1996 From: mianigand at [205.164.13.10] (Michael C. Peponis) Date: Sun, 14 Apr 1996 05:33:22 +0800 Subject: Edited Edupage, 4 April 1996 Message-ID: <199604131820.OAA28940@Fe3.rust.net> On 12 Apr 96 ,E. ALLEN SMITH wrote: > From: IN%"educom at elanor.oit.unc.edu" 5-APR-1996 01:25:00.85 > >IBM'S INTELLIGENT MINER DIGS OUT THE GOOD STUFF > >IBM plans to offer companies "data mining" software and services, allowing > >them to make better use of disparate pieces of information stored in their > >computer systems. The Intelligent Miner software will be available on IBM's > >RS/6000 servers by the fall, and on other platforms by year end. The > >company also plans to develop Intelligent Decision Server software for local > >area network-based information analysis. (Investor's Business Daily 3 Apr > >96 A9) > > Anyone have any _specific_ ideas on how their Intelligent Miner system > works? It would appear to be relevant to the identity-spoofing discussions. > -Allen Not really, it's a tool used in Data Warehousing/Decission Support Systems. Here is what it is in a nut shell. A company creates a Data Warehouse, defining it's data universe in terms of business rules and practices. Data Mining is the process by which users try to make sence of all the data. They call it "intelligent" because it supports natural language queries, ie the end user does not need to know SQL or the table layouts to retrieve the information they want. Very sketchy explination, but there are entire volumes written on the subject, and it's new technology so the exact definition varies depending on who you ask. I have been developing systems like this for the past year, and I still can't give people a cut and dry answer as to what the hell it is. Regards, Michael C. Peponis Public Key Avalible Via Key Servers, or Finger From dlv at bwalk.dm.com Sat Apr 13 14:43:26 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 14 Apr 1996 05:43:26 +0800 Subject: Answer about bits and bytes In-Reply-To: <Pine.OSF.3.91.960413012249.6873A-100000@beall.tenet.edu> Message-ID: <ge1BmD43w165w@bwalk.dm.com> Dan Harmon <harmon at tenet.edu> writes: > Just a note, Jim's attribution dates seem to be older than yours. Not > that it matters a whole hill of beans. Nope, Jim sited a PDP-10 manual from 1971, and the first edition of _The Art of Computer Programming_ came out in 1967. (I quoted the second edition, but I know that the first edition had MIX too.) The book _IBM's Early Computers_ by Bashe, Johnson, Palmer, Pugh says the following about the STRETCH system developed in 1956 (akin to 704 and 705): "In July, Stretch technical staff manager Buchholz wrote a report listing the advantages of a word length of sixty-four bits. Assuming an _m-bit binary field for addressing a sixty-four-bit memory-contained word, he noted, _m+1 bits could address a half-word, _m+2 bits a quarter-word, _m+3 bits an eight-bit segment, and so on until _m+6 bits could address a single bit. Using this systematic addressing principle, one class of instructions could address words, and other classes could address shorter operands by increasing the length of an address field. By this time, the term "byte" had been coined as a way of avoiding typographical confusion between bit and "bite", a term that project personnel had been using to designate small, character-oriented word segments. The sixty-four-bit format was adopted in September; like the previous format of sixty bits, it was accompanied by redundant bits for use by error-detection and -correction circuits." They footnote: Also see W. Buchholz, January 1981: "Origin of the Word Byte", _Annals _of _the _History _of _Computing 3, p. 72, which explains how "byte" later came to imply eight bits. P.S. The _Barron's Dictionary of Computer Terms_ says: BYTE A byte is the amount of memory space needed to store one character, which is normally 8 bits. ... (Wondering what the cryptographic relevance of all this might possibly be...) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jlasser at rwd.goucher.edu Sat Apr 13 14:44:27 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Sun, 14 Apr 1996 05:44:27 +0800 Subject: Contempt charges Message-ID: <Pine.SUN.3.91.960410101249.14133A-100000@rwd.goucher.edu> > Message-Id: <199604100152.DAA25396 at spoof.bart.nl> > To: cypherpunks at toad.com > From: anonymous at nowhere.goucher.edu (Senator Exon) > Comments: Please report misuse of this automated remailing service to > <remailer-admin at remailer.nl.com> Oooh... forged headers... forged to indicate they're coming from _my_ school. I wonder who _this_ could be... perhaps someone who has expressed anger at me on the list? Perhaps just a random choice? Perhaps me? (Not me, that I'll tell you...) > Borrowing inspiration from May, a page from Scheier and some code from > Gutman... Techniques from Detweiller, and lousy law from Jim Bell (I _wonder_ who might have posted this... :-) ) > Hard disk space being cheap now, Bob creates several distinct disk > partitions and uses Peter Gutman's Secure File System, or equivalent, to > encrypt all of them. [ ... ] >Practically, Bob cannot be forced to reveal the pass phrases to any >alleged remaining secret data, since this might not exist. To further >encourage this belief Bob might associate innocous data with a first pass >phrase, mildly embarrasing data with a second, and so on, and then, after >revealing the first, gradually allow himself to be be coaxed into revealing >the second and disclose a third only after the rubber hoses came out. > >Since all of the partitions have similar content, no statistic should >reveal which is which. Bob might have a bit refresher routine >periodically nibble read and rewrite the whole disk so that no >electronic characteristic exists that reveals record age. Sure, this will effectively hide the data; so will a plain old encrypted partition... >No doubt, a judge might whimsically keep Bob in jail for a while, trying >to assure that he has revealed all of the pass phrases, but the judge >can never be certain, even when Bob has disclosed everything. This >situation creates doubt that Bob is in contempt, even when he is, and >makes a prison term relatively pointless, unless for revenge. But that's what a contempt charge is _for_: "You're not treating me with respect, so I'm going to punish you." It might be described as being for a particular reason (ie supressing evidence), but each of those reasons ultimately boils down to lack of respect. In addition, were I handing down (or prosecuting) the contempt charges, I'd claim that the statement (even if it was made in public) that the individual didn't know all the keys in the first place was a lie, and that, by repeating the lie, they were purjuring themself. I am not a lawyer; however, I suspect that neither was the anonymous poster. In fact, I think I have a pretty good idea of who it was: someone on the list who: (1) Has recently been claiming that contempt charges were worthless, and that people should start ISPs, and pool money for insurance. (2) Has (probably) used this technique (at least once) before to create the appearances of support for one of his/her ideas which really has no support. (3) Might _possibly_ be upset with me (due to the headers...) I can't think of _anyone_ who meets THAT description, now can I? ;-) Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From frantz at netcom.com Sat Apr 13 15:04:54 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 14 Apr 1996 06:04:54 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199604100423.VAA17730@netcom9.netcom.com> At 6:27 PM 4/9/96 -0800, jim bell wrote: >At 07:08 PM 4/9/96 -0700, Bill Frantz wrote: >>At 3:21 PM 4/9/96 -0800, jim bell wrote: >>>And the rest of us are tired of seeing those non-responses! >> >>I wish to state that Jim Bell does not speak for me. > >Tell me, what is the most exciting, interesting, and imaginative usage of >"Yadda Yadda Yadda" that _you_ remember, Bill? This will be my last post on this subject. Since Jim Bell ALWAYS has to have the last word on any given subject, he will continue to try to read something into my statement that is not there. I can not get much clearer than: I have not authorized Jim Bell to speak for me. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ses at tipper.oit.unc.edu Sat Apr 13 15:05:31 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 14 Apr 1996 06:05:31 +0800 Subject: Open Systems, Closed Systems, & Killer Apps In-Reply-To: <2.2.32.19960409153328.0075c2c0@panix.com> Message-ID: <Pine.SOL.3.91.960409221604.3399A-100000@chivalry> you can call X.25 a lot of things, but proprietary is not one of them. X.25 did not fail because it wasn't open; X.25 failed because it was crap --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From perry at piermont.com Sat Apr 13 15:06:44 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 06:06:44 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604120314.WAA05634@homeport.org> Message-ID: <199604131757.NAA28090@jekyll.piermont.com> Adam Shostack writes: > Snow Crash is a book about a future in which governments are > ineffective. Companies run things, and have complete local control. > The world has gone to hell, and as a result, life is nasty, poor, > brutish and short. Many people do not look forward to this world. Snow Crash is hardly scary. You have characterized it as a story where life is nasty brutish and short but that isn't the same book that I read. at all. In any case, however, the future is pretty much not stoppable. There was a time where the nobility tried to stop the crossbow, and then firearms; there have been those who tried to stop the translation of the bible, and to stop factories, and to stop genetic engineering. Ideas aren't amenable to restraint. Nothing is as inevitable as an idea who's time has come. The key to a liveable future is learning how to adapt to the changes, not how to try to prevent them. Perry From perry at piermont.com Sat Apr 13 15:13:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 06:13:03 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <Pine.SUN.3.91.960409192104.24728B-100000@crl6.crl.com> Message-ID: <199604101300.JAA04920@jekyll.piermont.com> Folks; Just a small meta-request. I already filter everything Jim writes -- its all junk -- but when people reply to a message of his and send the mail only to Cypherpunks, it is hard for me to filter the reply. If people could make sure that he's in the To: line, or could make a practice of putting some standardized phrase (I suggest the words "Jim Bell YaddaYadda") into the Subject: line it would make it easier to filter. Some people (especially those who don't try to do it) don't actually understand how hard it is, technically, to heavily filter out the noise; in the general case the problem is AI complete. Sigh. Perry Sandy Sandfort writes: > To which Jim Bell wrote: > > > And the rest of us are tired of seeing those non-responses! > > Exactly for whom is Bell speaking? Jimbo, please let us know > who has given you a limited powers of attorney to be their > mouthpiece. From pgut001 at cs.auckland.ac.nz Sat Apr 13 15:16:22 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Sun, 14 Apr 1996 06:16:22 +0800 Subject: New paper on crypto regulation and the right to privacy available Message-ID: <199604100657.SAA28234@cs26.cs.auckland.ac.nz> A paper exploring various aspects of cryptography and cryptography regulation has just been published in the Journal of Universal Computer Science (J.UCS). J.UCS is a Springer-Verlag electronic publication available at <A HREF="http://hyperg.iicm.tu-graz.ac.at/0x811b9908_0x0008eaac;sk=74BEC6EF"> J.UCS</A>. It's coming off a non-HTTP server so I can't give a direct URL, you need to follow the links to Volume 2, No.3 to find: Government, Cryptography, and the Right to Privacy J.Shearer, P.Gutmann The notion of a right to privacy of citizens in their communications is discussed in the context of an international movement by governments towards regulation of cryptography, and consideration of key forfeiture systems in national cryptography use. The authors argue that the right to privacy in communications networks is an issue of major importance, assuring freedom of the individual in national and global communications. Regulation and control of cryptography use on the Internet by national governments may lead to an imbalance in the citizen/government power relationship, with sequelae including unprecedented surveillance of citizens, disruption of international commerce due to lack of powerful cryptography (and lack of standardisation), human rights abuses by less democratic or non-democratic governments, and limiting of the political potential of an Internet global political system. Peter. From s1113645 at tesla.cc.uottawa.ca Sat Apr 13 15:17:06 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Sun, 14 Apr 1996 06:17:06 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena In-Reply-To: <199604110423.VAA03176@infinity.c2.org> Message-ID: <Pine.3.89.9604131410.A19543-0100000@tesla.cc.uottawa.ca> On Wed, 10 Apr 1996, sameer wrote: > > Frankly, I'm getting antsy. Is C2 going to get subpoena'd or > not? I would be very disappointed if we don't. > (Subpeonas envy!) All you have to do is call up CoS's lawyers. Let your fingers do the walking... Seriously though, might it not be nicer (easier?) to establish some court precedents on remailers vs. CoS rather than the government? Think of it as a preemptive strike. The argument of CoS's religious copyright and trade secrets don't seem to me be as emotionally effective horsemen as "National Security Threats" or "Child Pornography". I really wouldn't want to see Congress get away with legislating on remailers in a legal vacuum. Go for it Sameer. ;-) (Hope you won't be needing Jim's ISP-Aspol inc. insurance against them pesky scientologists...[double ;-) ]) From roger at coelacanth.com Sat Apr 13 15:21:36 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 14 Apr 1996 06:21:36 +0800 Subject: [noise] Re: They're running scared. In-Reply-To: <2.2.32.19960409202520.0093ba00@mail.teleport.com> Message-ID: <9604100610.AA0414@sturgeon.coelacanth.com> >>>>> Alan Olsen <alano at teleport.com> writes: > The question is if they are truly random bombings and how do we > determine if they are. With a *noise* sphere, of course! -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From jkim at sn.no Sat Apr 13 15:33:41 1996 From: jkim at sn.no (Kim Johansson) Date: Sun, 14 Apr 1996 06:33:41 +0800 Subject: unsubscrive Message-ID: <199604100656.IAA25040@ekeberg.sn.no> At 09:18 09.04.96 +0000, Brad Shantz wrote: >Time May Wrote: > >>Maybe these dweebs are posting from an alternate universe? A universe in >>which not even messages explaining that "unsubscrive," "unsuscribe," >>"undescribe," "unscribe," and "unimbibe" are not valid alternate spellings >>of "unsubscribe." >> >>I've copied my short explanation of how to subscribe and unsubcribe too >>many times to do it again; and it is clear that these folks are either >>doing this out of spite, are not reading any of the messages we send them, >>or think it funny. > >I agree with you to a point, Tim. They probably haven't read the >messages about how to properly unsubscrive. Not because they are >dweebs or because they think it's funny. they probably haven't read >the messages because they have 2 or 3 thousand messages in their >inbox and they're all from cpunks. Unfortunately, this time, I have >to give them the benefit of the doubt for being ignorant. I don't >think they're being vindictive. > >How many of them have posted Unsub messages after being told the >proper way to unsub? > >Brad > I want off. Please help me. From sameer at c2.org Sat Apr 13 15:55:27 1996 From: sameer at c2.org (sameer at c2.org) Date: Sun, 14 Apr 1996 06:55:27 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <199604100202.TAA16568@toad.com> Message-ID: <199604100529.WAA10683@atropos.c2.org> > > I thought that most or all of the cypherpunk anonymous remailers don't > keep records. Not even on backup tapes. The whole idea is that there > aren't logs. But maybe they have found some remailers that are > non-cypherpunk. And I haven't verified the truth of what's in the msg > below. If anyone hears anything, please let me (or eff at eff.org) know. > Exactly. I'm not worried. I look forward to the publicity and added business this will bring. I might even be disappointed if it doesn't happen. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From steve at edmweb.com Sat Apr 13 17:27:53 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 14 Apr 1996 08:27:53 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v03005b03ad944efa70c3@[206.126.100.99]> Message-ID: <Pine.BSF.3.91.960413133800.18548A-100000@kirk.edmweb.com> > Multiple IP #s, multiple machines, multiple users, ONE account. > Which router will insert the "suggested" flag, and how will it decide which > packets to tag? > I suspect the people who thought this up haven't thought it through. :-) > They are confusing "ISP accounts" with "e-mail" addresses, maybe? Well, this was originally suggested by the CDA supporters, out of the mouth of their LAWYER. And, for sure, it's just legal posturing, saying it's possible, but not understanding the details. Really, the apropriate place for content filtering is at the application layer. It *could* be done at the transport layer, but that's really not the place for it. Analogy: It would be like putting a license plate on the engine of a car. It *could* be done that way, if you redesign the car so that the engine protrudes out from the back with a place for the license plate (let the technical people handle the technical details of that). But the best place for a license plate is on the outside body of the car, and the best place for content filtering is at the application layer. All of this, of course, is Just My Humble Opinion. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From ddt at lsd.com Sat Apr 13 17:49:04 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 14 Apr 1996 08:49:04 +0800 Subject: Tips on Tapping Taps Message-ID: <v03006300ad94fddd6097@[192.187.167.52]> Vernor, What's your thinking on some privacy protection measures for these types of "embedded systems?" Shouldn't these kinds of "instruments" (one ringy-dingy) have some user-defeats or -definable permissions settings built in from Day One? Do we risk e$ accounts being billed automatically by water/gas/electric meters on a daily basis without the possibility of users disputing the readings in a timely way? Is anyone proposing permissions on such boxes? What're the proposals, if any, for how the automated calls they make get billed, get scheduled and show up on customer phone bills? I wonder if the bills decrease, since this all saves the companies lots of money? I'm all for "smart houses" but I'd prefer they learn the tricks _I_ teach 'em. dave ................................. cut here ................................. >Date: 10 Apr 96 19:03:05 EDT >From: Dan Druck <73543.2304 at CompuServe.COM> >Subject: H2O Phone Taps > >WATER METER PHONE TAPS > >Recently, I received notice from our local water department (Algonquin, >Illinois) that new water meters are to be installed in every residence. >The twist is that the new meter taps into our telephone line and >periodically and automatically reports the meter reading to the water >department. > >Perhaps this is innocent enough but, being ever vigilant about my privacy, >I've contacted the water department to get more info which they've >promised to send. Interestingly, they told me I didn't have to accept this >phone-tap meter, however they asked to install a different meter with a >similar type of reporting device which is triggered via a device that also >receives the meter reading (from just outside my house). I can only assume >this transmission is made via a radio transmitter on the meter (which >isn't really much of a consolation for me). This seems a bit oxymoronical >since there already exists an external meter gauge on the exterior of my >house. What is the advantage to standing outside my home with a >transmitter/receiver over visually reading the external meter gauge??? > >Obviously, how can one tell what the little micro-chip within the gizmo is >*really* programmed to do? As you might imagine, I'm not at all >comfortable with this thing wired into my phone line. I know..... if Big >Brother wants to, he can listen in to my phone conversations or even into >my house without such hard-wire tap. But I don't feel compelled to >willingly submit to a potential invasion of my privacy, none-the-less! > >I can only assume resisting the installation of this Orwellian device will >result in putting my name on every Barney Fife "what's he got to hide" >list - who knows. > >I urge everyone who reads this to be vigilant about such things. If you >receive such a notice from a public utility, you might be well advised to >question them as I am doing. Sadly, most of my neighbors are probably >submitting to this without a thought as I've not seen any letters of >protest to the editor of the local newspaper ....a sign of the times, I >guess. > >Dan Druck, Council on Domestic Relations >Congressional Candidate / 8th District, Illinois > >Permission to repost/reprint (in whole or in part) >is granted so long as such is accurate and proper >credit is given. 96MML12 > >Council on Domestic Relations web page: > http://www.logoplex.com/shops/cdr/cdr.html > (last update 1/5/96) >Druck for Congress web page: > http://ourworld.compuserve.com/homepages/ddruck > (last update 2/1/96) >"CDR Info Hour" Radio Program / every Saturday @ 6:00p.m. CST > Shortwave 9.400 MHz > Satellite - Galaxy 6, Trnspndr 23, 6.1 Wide Band From dlv at bwalk.dm.com Sat Apr 13 18:10:40 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 14 Apr 1996 09:10:40 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <199604101300.JAA04920@jekyll.piermont.com> Message-ID: <PkecmD54w165w@bwalk.dm.com> "Perry E. Metzger" <perry at piermont.com> writes: > Just a small meta-request. I already filter everything Jim writes -- > its all junk -- but when people reply to a message of his and send the > mail only to Cypherpunks, it is hard for me to filter the reply. It's a pity most mailers don't preserve 'References:'. Can you filter out everything that says 'in-reply-to .* pacifier.com>'? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From perry at piermont.com Sat Apr 13 18:22:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 09:22:56 +0800 Subject: US crypto laws? Need help! In-Reply-To: <v02140b18ad91143a0d5e@[13.202.222.150]> Message-ID: <199604132142.RAA11775@jekyll.piermont.com> Jean Chouanard writes: > I was wondering if a foreigner like, with a valid work visa but not a > permanet green card, is allowed to use crypto in the state. There are no restrictions on the use of cryptography inside the U.S. of any kind. There are restrictions on exporting cryptography, and in some instances that can, technically, be giving a foreign person information on cryptography. However, you are allowed to use any crypto system your heart desires -- no regulations on it at all. Perry From steve at edmweb.com Sat Apr 13 18:31:43 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 14 Apr 1996 09:31:43 +0800 Subject: unsubscrive - Let's make a special list for these people! In-Reply-To: <199604091623.JAA05150@montana.nwlink.com> Message-ID: <Pine.BSF.3.91.960409210739.10189A-100000@kirk.edmweb.com> > I agree with you to a point, Tim. They probably haven't read the > messages about how to properly unsubscrive. Not because they are > dweebs or because they think it's funny. they probably haven't read > the messages because they have 2 or 3 thousand messages in their It is clearly explained in the Welcome message, that this is a high-volume list... And the instructions to unsubscribe are right there, along with the message saying that you should save those instructions in case you do want to leave. I have an idea.... Create a special "unsubscrive mailing list". Anyone who sends "unsubscrive" to a mailing list is removed from that list, and placed on this special "unsubscrive list". When anyone is annoyed by the latest wave of "unsubscrive"s, they can (after first moving the offenders to the special unsubscrive list) send their own "unsubscrive" messages out to that list, which will then copy it mailing-list-style to everyone who has improperly used any mailing lists. The idiots on the list will also try to send out their own "unsubscrive" messages trying to get off the special list, which will of course end up back in their mailboxes and in the mailboxes of all the other idiots. Eventually they will "graduate" by figuring out the CORRECT way to unsubscribe, and the list server will obey any unsubscribe commands it actually recieves. Having learned the hard way, they will never forget. Good idea, or what? :) From alano at teleport.com Sat Apr 13 18:40:08 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 14 Apr 1996 09:40:08 +0800 Subject: Is crypt(1) a prohibited export? Message-ID: <2.2.32.19960413223409.0096bcc8@mail.teleport.com> At 12:31 AM 4/10/96 -0700, Chris McAuliffe wrote: >The man page is a bit dated: > crypt implements a one-rotor machine designed along the lines of the > German Enigma, but with a 256-element rotor. Methods of attack on > such machines are known, but not widely; moreover the amount of work > required is likely to be large. > >Clearly written before CBW became popular. What they are not telling you is the "large amount of work" is to get CBW to *compile*, not to break crypt(1). (Crypt Breakers Workbench uses some obsolete calls. I do not know of an existing updated version, but that does not mean one does not exist...) --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From ravage at ssz.com Sat Apr 13 18:40:26 1996 From: ravage at ssz.com (Jim Choate) Date: Sun, 14 Apr 1996 09:40:26 +0800 Subject: Crypto, Right to privacy, International standards Message-ID: <199604132314.SAA17028@einstein.ssz.com> Forwarded message: > From: pgut001 at cs.auckland.ac.nz > Date: Wed, 10 Apr 1996 18:57:07 +1200 (NZST) > Subject: New paper on crypto regulation and the right to privacy available > > The notion of a right to privacy of citizens in their communications is > discussed in the context of an international movement by governments towards > regulation of cryptography, and consideration of key forfeiture systems in > national cryptography use. The authors argue that the right to privacy in > communications networks is an issue of major importance, assuring freedom of > the individual in national and global communications. Regulation and control > of cryptography use on the Internet by national governments may lead to an > imbalance in the citizen/government power relationship, with sequelae > including unprecedented surveillance of citizens, disruption of international > commerce due to lack of powerful cryptography (and lack of standardisation), > human rights abuses by less democratic or non-democratic governments, and > limiting of the political potential of an Internet global political system. > Doesn't the United Nations (UN) have some sort of statement about this? I have a vague recollection that it says something about individuals having a right to communicate with others including those outside their own countries. Jim Choate ravage at ssz.com From adam at lighthouse.homeport.org Sat Apr 13 18:50:50 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 14 Apr 1996 09:50:50 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604131757.NAA28090@jekyll.piermont.com> Message-ID: <199604140011.TAA13006@homeport.org> Perry E. Metzger wrote: | Adam Shostack writes: | > Snow Crash is a book about a future in which governments are | > ineffective. Companies run things, and have complete local control. | > The world has gone to hell, and as a result, life is nasty, poor, | > brutish and short. Many people do not look forward to this world. | | Snow Crash is hardly scary. You have characterized it as a | story where life is nasty brutish and short but that isn't the same | book that I read. at all. The CIA privatized & selling data to all comers? An unstoppable wave of illegal immigration coming to California? Sounds pretty scary to many people. There are other readings, but that one is there. | In any case, however, the future is pretty much not stoppable. There | was a time where the nobility tried to stop the crossbow, and then | firearms; there have been those who tried to stop the translation of | the bible, and to stop factories, and to stop genetic | engineering. Ideas aren't amenable to restraint. Nothing is as | inevitable as an idea who's time has come. The key to a liveable | future is learning how to adapt to the changes, not how to try to | prevent them. I said as much. I'm not purporting this as my opinions, just my understanding of Dr. Denning. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From perry at piermont.com Sat Apr 13 19:03:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 10:03:57 +0800 Subject: Tense visions of future imperfect In-Reply-To: <199604091857.LAA06933@netcom9.netcom.com> Message-ID: <199604101321.JAA04966@jekyll.piermont.com> Bill Frantz writes: > > Garfinkel described it like this: [...] > > "This counterfeit currency looked just like the real thing, > > except it was a fraud. She even found some of it -- a > > digital dollar that was signed and sealed by the US > > government's secret key, yet had a serial number that had > > never been issued. The money that was being made was on the > > Net. It was everywhere and nowhere. And it was encrypted, > > so that we wouldn't even know it if we found it. Last > > month, we estimate, the total fraud was up to $900,000 a > > month, and it is increasing still." > > I don't see how this third scam would work in a system such as DigiCash > which uses online clearing. Unissued serial numbers would be refused when > presented for clearing. The whole point of DigiCash is that its blind to the issuing bank; it doesn't know any serial numbers. However, Garfinkel's journalism is faulty, because the bank would never see "unissued serial numbers" in a system like DigiCash. Perry From merriman at arn.net Sat Apr 13 19:04:48 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 14 Apr 1996 10:04:48 +0800 Subject: JBell filter (was Re: So, what crypto legislation (if any) is necessary?) Message-ID: <2.2.32.19960413105947.006aaebc@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 05:22 PM 04/13/96 EDT, dlv at bwalk.dm.com (Dr. Dimitri Vulis) wrote: >"Perry E. Metzger" <perry at piermont.com> writes: >> Just a small meta-request. I already filter everything Jim writes -- >> its all junk -- but when people reply to a message of his and send the >> mail only to Cypherpunks, it is hard for me to filter the reply. > >It's a pity most mailers don't preserve 'References:'. >Can you filter out everything that says 'in-reply-to .* pacifier.com>'? > I initially tried filtering out anything _from_ JB; still got overloaded by people trying to talk some sense into him (at the time, it was Black Unicorn arguing law with him). Finally had to simply tell Eudora that anything from him, or including his name (contains:) goes straight to the trash. That finally did the trick. Interestingly, he's the only one I trash, sight unseen..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMW96ocVrTvyYOzAZAQH+JgP9G9pAJEFsI0xV263ftQFVdZO1yKM50aKG 5CAqtyWp8fZPtocofo3kC2Z6qdGEbEd2hTM10uxdKh0tggRlWg61Ie44OVjgYfie 5ysPooKQdilinUh2m34lmYpuvMuc4RO+FKn3Y/yrJeUXpvvQX6C8OiWrAVlEAC+c DaTpcPYVkOc= =De5u -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From Jean.Chouanard at grenoble.rxrc.xerox.com Sat Apr 13 19:09:44 1996 From: Jean.Chouanard at grenoble.rxrc.xerox.com (Jean Chouanard) Date: Sun, 14 Apr 1996 10:09:44 +0800 Subject: US crypto laws? Need help! Message-ID: <v02140b18ad91143a0d5e@[13.202.222.150]> Hi! I was wondering if a foreigner like, with a valid work visa but not a permanet green card, is allowed to use crypto in the state. If yes, is there any restriction? Depending on crypto methods? Thank a lot, Jean --- let's all be different, just like me. --- Jean Chouanard | Jean.Chouanard at Grenoble.RXRC.Xerox.com Networks & Systems Eng. | Rank Xerox Research Centre Fax: (33) 76 61 51 99 | 6, Ch de maupertuis Ph: (33) 76 61 50 90 | 38240 Meylan FRANCE From adam at lighthouse.homeport.org Sat Apr 13 19:19:12 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 14 Apr 1996 10:19:12 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604120417.AA22212@pig.die.com> Message-ID: <199604140029.TAA13117@homeport.org> Dave Emery wrote: | My only disparaging comment (at least as intended by me) was that | the task was probably beyond some of the alt.2600 type crackers who | primarily use canned programs and scripts to perpetrate their attacks. | That comment was actually intended as a left handed warning about the | advisablity of releasing a readily reproduced hardware key cracker | design to the world at large. This seems especially true if entire FPGA | array PC plugin boards are becoming a commodity item and readily | available and the cracker recipe is buy one of those and install this canned | software on it. I disagree strongly about the advisability of this. If we demonstrate the utter weakness of 40 bit keys, the US business community will scream for a better solution. With a little correct publicity, like that provided by the BSA, and backed by most companies security folks who understand the ludicrousness of the law, the NSA comes up looking like jackasses. Anyway, I've found your comments to be very interesting & informative, and this was a small nit. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Sat Apr 13 19:20:02 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 14 Apr 1996 10:20:02 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <199604100704.AAA21801@toad.com> One issue with the "We could require that everybody label their packets" proposal is that a large part of the world isn't under FCC or even US control; why should some foreigner label their packets based on the tastes of US censors? Another problem is that adequate labelling requires public-key cryptography, and the US bans export of crypto; this means you can't use the best technical standards for domestic use and export, and means you can't mass-market exportable rating software. We EEEVILLL Net Users would certainly be _happy_ if the FCC or Congress talked the Administration into legalizing the use of decent authentication technology. (They could argue that the ITAR permits authentication-only technology, but there are clear technical advantages to RSA vs. DSS, and DSS has the subliminal-key options that mean you can use it for non-authentication encryption as well as signatures anyway. There's also the problem that both are patented, though the patents behind DSS are weak and run out in a year or two.) Another problem is that this proposal would require multiple authentication headers per IP packet - not only is it wasteful, but is it even supported? I suppose there's some tunneling approach possible, but it'd be really awkward and non-portable. ObExon: Does the Administration propose to label any on-line copies of the Federal Register? There's often material in there, such as the recent Congressional debates on partial-birth abortion, that are clearly in violation of the CDA if posted to the nets, so they would have to be labeled. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From perry at piermont.com Sat Apr 13 19:23:40 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 10:23:40 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604140011.TAA13006@homeport.org> Message-ID: <199604132331.TAA01039@jekyll.piermont.com> Adam Shostack writes: > Perry E. Metzger wrote: > > | Adam Shostack writes: > | > Snow Crash is a book about a future in which governments are > | > ineffective. Companies run things, and have complete local control. > | > The world has gone to hell, and as a result, life is nasty, poor, > | > brutish and short. Many people do not look forward to this world. > | > | Snow Crash is hardly scary. You have characterized it as a > | story where life is nasty brutish and short but that isn't the same > | book that I read. at all. > > The CIA privatized & selling data to all comers? An > unstoppable wave of illegal immigration coming to California? Sounds > pretty scary to many people. There are other readings, but that one > is there. Lets be concrete. You say that life in the book is nasty, brutish and short. The book does not depict people's lives as being short, and it especially does not appear that most people living in that world have lives that end in violence. Furthermore, it doesn't depict their lives as nasty -- it seems like America only more so, with ever escalating guarantees that your pizza will be delivered on time and fairly normal lives being lead. As for illegal immigration, I saw no depiction of it in the book, and so far as I can tell the legal structure depicted in the book has no such concept as "illegal immigration". I can't see that you read the same book. As the cypherpunks significance of this is rapidly vanishing, I'd suggest that this be taken to private mail. .pm From vznuri at netcom.com Sat Apr 13 19:28:58 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 14 Apr 1996 10:28:58 +0800 Subject: Any examples of mandatory content rating? In-Reply-To: <ad93dffc1b021004ed13@[205.199.118.202]> Message-ID: <199604132333.QAA22457@netcom11.netcom.com> Klaus writes: >I foresee major legal challenges to mandatory ratings of content. Issues >involving prior restrain, censorship, and the First Amendment of the U.S. >Constitution. there is a big distinction to be made here. are posts required to carry a rating system by which anyone can create ratings, or are they required to carry some "official" rating from some govt agency? for example, I think it would be odious if the government mandated PICS for various providers, but I sure would like it a lot more than them mandating a rating agency. that is, are they mandating the *capability* to rate, or some "official" rating system that involves judgement? >This MPAA situation is an important example because it is neither >"self-rating" nor "government" rating, but is, instead, something else. >This model would be extremely hard to apply to the Internet, as there is no >similar body to the MPAA, nor is there the same economic incentive for any >such body to form and then to try to cope with tens of thousands (at least) >of articles and pages per day.... totally disagree with you. the existence of Surfwatch etc. proves that there is *already* such a market and economic incentive. SurfWatch is in fact, in a sense, a ratings agency similar to the MPAA-- not a government body. I foresee that the "industry" of providing ratings is going to be a very significant aspect of future cyberspace. these ratings are generally always going to be advisory-- people can latch onto them for a fee if they like to determine quality. note that "good/bad" is the most simplistic rating possible. even more superior rating agencies might find "cool material". in fact in a sense, every editor of every newspaper is a sort of "rating server". he culls, filters, and selects information that the readers like. increasingly, we are going to see systems that place economic incentive on *selection* more than *copyright*. in other words, in the old system, there is a "thing" called an "article" in which one pays money to the owner whenever you copy it. in the new system, the article itself has no value-- what you pay is the system that delivers it to you (all intermediaries, editors, etc), all the way up to the author. it will take people awhile to realize, but ratings can actually be extremely liberating and useful if put into place in a robust way. I believe PICS is a very good step in the right directions. what today is limited to credit ratings etc. will expand into a system of rating everything, I suspect, and it will be done in such a way that everyone agrees it is a Good Thing and they couldn't imagine getting along without it. in the old system, censorship was accomplished by the government putting chains on, or burning, "atoms". in the future, people will just select whatever information they are interested in. censorship of bits is not only inappropriate, it is impossible. censorship can only work when you have atoms. those who are applying old "atom" ideas to "bits" will continue for some time to have sway with the public, until the general population realizes their arguments are completely specious. From ddt at lsd.com Sat Apr 13 19:29:24 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 14 Apr 1996 10:29:24 +0800 Subject: unsubscrive - Let's make a special list for these people! In-Reply-To: <199604091623.JAA05150@montana.nwlink.com> Message-ID: <v03006309ad95db747028@[192.187.167.52]> In Reply to the Message wherein it was written: [elided] >The idiots on the list will also try to >send out their own "unsubscrive" messages trying to get off the special >list, which will of course end up back in their mailboxes and in the >mailboxes of all the other idiots. [elided] This is so deliciously and diabolically clever it approaches genuine Satanism. I salute you, Sir. And here, all I was imagining was a pro-rated (to the number of parsable errors in the sender's attempt) automated mailbomb (min 10 identical msgs) with full instructions at every step of the way how to avoid each and every land-mine... I grovel in humbleness at your screen. ;) dave ________________________________________________________ Two cannibals are eating a clown and one asks the other: "Hey...does this taste kinda funny to you?" From stewarts at ix.netcom.com Sat Apr 13 19:35:22 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 14 Apr 1996 10:35:22 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <199604100719.AAA16107@cygnus.com> At 09:08 PM 4/9/96 -0400, Duncan Frissell <frissell at panix.com> wrote: >Of course that doesn't overcome the "technical problem" of getting the IETF >to adopt that change in the protocols and getting a significant number of >sites to adopt the new protocol. Even if you impose a substitutte on the >IETF, it doesn't stop them from wandering off and creating their independent >protocols and seeing whether the "official" or the "unofficial" get adopted. What, you mean requiring that Americans on an international standards body bully the whole anarchy into accepting a technically inferior kluge because some American politicians want it? This ain't the UN... or even ISO. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From unicorn at schloss.li Sat Apr 13 19:36:05 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 10:36:05 +0800 Subject: Web of Trust Keyring Message-ID: <Pine.SUN.3.91.960413194542.9295C-100000@polaris.mindport.net> Does anyone have a pointer to the Web of Trust Keyring? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From adam at lighthouse.homeport.org Sat Apr 13 19:36:42 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 14 Apr 1996 10:36:42 +0800 Subject: No matter where you go, there they are. In-Reply-To: <199604121744.MAA08365@proust.suba.com> Message-ID: <199604140025.TAA13102@homeport.org> Alex Strasheim wrote: | > Snow Crash is a book about a future in which governments are | > ineffective. Companies run things, and have complete local control. | > The world has gone to hell, and as a result, life is nasty, poor, | > brutish and short. Many people do not look forward to this world. | > Thats an understandable reaction; when I first heard about anonymous | > assasination markets, I thought it was pretty bizzare as a world to | > look forward to. | | I agree with you that it's a pretty bizzare world to look forward to, but | how likely is it? It's always seemed to me that both sides of the crypto | debate have been overselling the changes crypto is going to bring. | Crypto won't make surveillance impossible, it will make it expensive. | That's a big difference. I no longer feel its a bizzare world, but rather a fascinating one. If you're not working for the government. | My computer is loaded up with crypto. I use pgp, ssh, sfs, cfs, etc., | every day. I've picked strong passphrases, and I edit sensitive files on | a ram disk. But getting my data would be child's play for the nsa if | they were interested enough in me to come into my apartment and make an | active attack. But you're one person. The cost of a wiretap is ~ $150,000 per person. If there are a few hundred cpunks using the remailers, we lose. When there are thousands of people using penet, we win. The work that needs to be done is good remailer interfaces. I'm playing with Premail right now. PEP is available for the Mac, and I've heard good things about both Pegasus & Private Idaho on Wintel. | Military security depends as much upon military discipline and procedure | as it does on strong crypto tools. When crypted email becomes the norm, | remember that 95% of the keys in the world will be sitting on hard drives | in the clear or protected by passphrases like "bob1". Software that | forces people to pick strong passphrases won't be popular in the | marketplace. I know: I run an ISP, and everytime I tell someone how to | pick a password, they always come back with "bob1". But thats ok. All of this is about economics. If its as cheap for me to have a bank account in the Seychelles as it is to have one in Boston, why have one in Boston? And if my account isn't in Boston, the cost of finding out about my finances goes from a few hundred dollars to a few tens of thousands. | The truth is the police do surveillence easily and cheaply now, and it's | not working. Things are getting worse in many places, not better. Beat | cops who talk to people and who know the neighborhood are more effective | than spooks in vans or centralized monitoring facilities with | sophisticated electronics. If we don't want crime, we're going to have | to make sure people have enough skills to develop other economic | opportunities. The answer is jobs, not a telescreen in every home. The answer is to decriminalize things like drugs and prositution. The drop in taxes would create a jobs boom. :) | I reject the opposition's premise: surveillance is not necessary to keep | the four horsemen at bay. How can they have the chutzpah to demand that I | sacrifice my civil liberties in the name of the drug war, when everyone in | Chicago knows that dealers are allowed to sell without harassment on | literally thousands of street corners in this city? They don't need | clipper to stop the crack trade, they need to send cops out to arrest the | people who are standing out in broad daylight selling and buying. | | It doesn't take a gps system to track them down. I agree, but why arrest them? Why not tax them a little? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Sat Apr 13 19:37:16 1996 From: jya at pipeline.com (John Young) Date: Sun, 14 Apr 1996 10:37:16 +0800 Subject: PRE_dat Message-ID: <199604132335.TAA27077@pipe1.nyc.pipeline.com> 4-13-96. Ted's Publisher: "Internet Surprise." An editorial on Internet telephony. "Reconnaissance of Bosnia Goes On-Line. CIA Displays Computer System Using Images From Drone Vehicles." The system draws on material from drone vehicles known as Predators and provides computerized video, data and audio transmissions, using commercial technologies. Separate channels carry information at different levels of security for NATO members, peacekeepers, Russians and US troops. PRE_dat From s1113645 at tesla.cc.uottawa.ca Sat Apr 13 20:02:02 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Sun, 14 Apr 1996 11:02:02 +0800 Subject: Watch your language, Shabbir. In-Reply-To: <m0u6qZK-0008y1C@pacifier.com> Message-ID: <Pine.3.89.9604131930.D22882-0100000@tesla.cc.uottawa.ca> On Tue, 9 Apr 1996, jim bell wrote: > Look, very carefully, at the last paragraph quoted above. Mr. Safdar says, > "No reasonable person is objecting to the FBI's right to conduct a wiretap." That's right. Because no reasonable person thinks they can convince Congress or the Supremes otherwise. It isn't impossible, but energies are best spent elsewhere, like getting the Burns bill passed. Now none of us think wiretaps are a right and I presume Shabbir isn't much of a fan either or he wouldn't take the trouble of supporting something that makes wiretapping pointless (crypto). But we and he are not Washington and there lies all the difference. Do remember, Jim, that just 'cause most of this list is libertarian doesn't mean that the rest of the world is. I'm thankful that they can occasionally agree with us horsepeople, despite the hysteria. Be polite. Flames > /dev/null From adam at lighthouse.homeport.org Sat Apr 13 20:05:04 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 14 Apr 1996 11:05:04 +0800 Subject: Scientologists may subpoena anonymous remailer records In-Reply-To: <199604100202.TAA16568@toad.com> Message-ID: <199604101236.HAA26752@homeport.org> John Gilmore wrote: | I thought that most or all of the cypherpunk anonymous remailers don't | keep records. Not even on backup tapes. The whole idea is that there | aren't logs. But maybe they have found some remailers that are | non-cypherpunk. And I haven't verified the truth of what's in the msg | below. If anyone hears anything, please let me (or eff at eff.org) know. | | John Gilmore Does that prevent a subpeona as a form of harrassment? There are already reliability problems in the remailer network. (Witness the anon messages that get received twice, as insurance that it gets through.) Making the remailers less reliable is in the intrests of the bad guys. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From ddt at lsd.com Sat Apr 13 20:11:13 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 14 Apr 1996 11:11:13 +0800 Subject: US crypto laws? Need help! In-Reply-To: <v02140b18ad91143a0d5e@[13.202.222.150]> Message-ID: <v0300630aad95dd01cd43@[192.187.167.52]> In Reply to the Message wherein it was written: >I was wondering if a foreigner like, with a valid work visa but not a >permanet green card, is allowed to use crypto in the state. > >If yes, is there any restriction? Depending on crypto methods? Don't take this as legal advice, since I'm neither a lawyer nor French, but if you're a French citizen, there may be more restrictions concerning "utilisation du systemes cryptographique" placed on you by your _own_ government - no matter what your location is worldwide - than the US' ITAR regs (governing "export" of crypto restrictions will place on you when working here in the US). Especially if you're _working_ in the US, (depending on the exact length and specifications listed on your work permit itself - see the nearest embassy*) I believe you're allowed to _use_ crypto systems _here_ (it might even help if it was part of your work), as long as you are supervised in some way and do not take them away with you (clearly a serious violation under ITAR). Someone please correct me if I err here. You - or better yet, your company's legal representative - should contact the U.S. Department of State, Office of Defense Trade Controls (ODTC) at <URL:pgpfone:/+1.703.875.6644>**. At the _very_ least, you enjoy an slightly overlong yet entertaining bureaucratic journey. Bon Voyage! ;) dave * The Embassy of France (in the US): 4101 Reservoir Road, NW, Washington D.C. 20007; telephone (202) 944-6000; fax (202) 944-6072. US Embassies in France: The U.S. Embassy in Paris is located at 2 Avenue Gabriel, telephone (33) 1-43-12-22-22, fax (33) 1-42-66-97-83. The Consular Section is located one block away, across the Place de la Concorde, at 2 Rue St. Florentin, fax (33) 1-42-61-61-40. The U.S. Consulate in Marseille is located at 12 Boulevard Paul Peytral, telephone (33) 91-54-92-00, fax (33) 91-55-09-47. The U.S. Consulate in Strasbourg is located at 15 Avenue d'Alsace, telephone (33) 88-35-31-04, fax (33) 88-24-06-95. There is a Consular Agent in Nice, at 31 Rue du Marechal Joffre, telephone (33) 93-88-89-55, fax (33) 93-87-07-38. **relax, you don't have to visit netscape.com for the new html spec, it's just a joke. Well, for now, anyway... ;) _________________________________ "A furore Normannorum libera nos" From master at internexus.net Sat Apr 13 20:16:39 1996 From: master at internexus.net (Laszlo Vecsey) Date: Sun, 14 Apr 1996 11:16:39 +0800 Subject: Mixmaster through conventional anonymous remailer Message-ID: <Pine.LNX.3.91.960413195348.29649A-100000@micro.internexus.net> Is there a way to send an anonymous E-Mail message to anon.penet.fi and then have it pass through mixmaster from there, instead of invoking the mixmaster command locally? From cmca at alpha.c2.org Sat Apr 13 20:24:35 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Sun, 14 Apr 1996 11:24:35 +0800 Subject: Is crypt(1) a prohibited export? Message-ID: <199604100731.AAA16964@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: cypherpunks at toad.com] [Subject: Is crypt(1) a prohibited export?] Is crypt(1) a prohibited export from the US? I thought it was. The reason I ask is that it has come to my attention that HP ships that overseas too, with HP-UX versions 9 and 10... The man page is a bit dated: crypt implements a one-rotor machine designed along the lines of the German Enigma, but with a 256-element rotor. Methods of attack on such machines are known, but not widely; moreover the amount of work required is likely to be large. Clearly written before CBW became popular. Chris McAuliffe <cmca at alpha.c2.org> (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMWtg6IHskC9sh/+lAQF8gQP/XtCrYHjewBvt5EK0BVSRL99lbUqf4Cv7 xRDwlqMyBBPQ1BYOFQk4f3q+x/268EgLXcyu41zkCArdLVBImOmDNlqI8t/0PRLj JFkItIDUBrxd8buEs2LC8oNCJ4W+VyjqVsbHsKnCjmhW0MuclxZqbsaA2oFDOucV S6rkmWxb7XE= =A5mT -----END PGP SIGNATURE----- From jleonard at divcom.umop-ap.com Sat Apr 13 21:00:41 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Sun, 14 Apr 1996 12:00:41 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604091732.KAA29261@netcom9.netcom.com> Message-ID: <9604100832.AA06344@divcom.umop-ap.com> > At 12:13 AM 4/9/96 -0700, Steve Reid wrote: > >> Is it really that easy to break 40-bit? Don't you need access to a "fair > >> amount of cpu power" to brute force crack 40bit? > > > >I remember reading a recent paper at this URL: > > http://theory.lcs.mit.edu/~rivest/bsa-final-report.ascii > >They mentioned a Field Programmable Gate Array (FPGA), specifically a > >board-mounted AT&T Orca chip available for around $400. They said it could > >crack a 40-bit key in 5 hours (average). Sounds like anyone with root > >access on a major internet node could make a significant profit stealing > >credit card numbers. > > > >The FPGA sounds like a very interesting device, with quite a few > >legitimate uses... Has anyone out there seen one of these? > > I was hoping a hardware type would answer this question, and give > references to manufacture's spec sheets, but not having seen such an > answer, here is a software person's answer. I thought Perry Metzger's short answer (roughly "yes, but the software can be tricky") adequate, but as a hardware type I can give some more insight into the economics. While my experience is with gate array ASICs rather than field programmable chips, I have some idea. My short answer: Yes, it's that cheap, but only if you already work with the chip vendor and have the software tools to program the chips. If not, expect to spend many thousands of dollars buying engineering expertise and software. There's a lot of different ways to make chips for a custom application, which vary in unit cost, startup cost, engineering effort, and production time. Some points in the range: (costs are probably off a bit) type startup cost program design tool full custom $1000000 at design time schematic editors ASIC $100000 at design time gate synthesis FPGA $0 once vendor's tools reprogrammable FPGA $0 dynamically vendor's tools DSP chip $0 easily compiler General purpose CPU $0 very easily compiler Anyone who knows these better is welcome to correct me, of course. I've neglected software costs from this, which are significant. Chip synthesis tools are often more expensive than the workstations they run on. Also, in most cases some of the necesary tools are only available from the company that sells the chips. They tend to insist on nondisclosure agreements and software licenses, which makes anonymous production tricky. More design effort will give better price/performance. The appeal of the Orca and similar chips is that they can be reprogrammed, but still have the inherent parallelism of gates in silicon. I expect that in 5 or 10 years, PC's will come with reprogrammable logic chips and software that takes advantage of it. At present it really takes a trained engineer to use these things. That's just enough difficulty that people might feel secure, without actually being secure at all. Jon Leonard From unicorn at schloss.li Sat Apr 13 21:01:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 12:01:51 +0800 Subject: JBell filter (was Re: So, what crypto legislation (if any) is , necessary?) In-Reply-To: <2.2.32.19960413105947.006aaebc@arn.net> Message-ID: <Pine.SUN.3.91.960413205827.9295E-100000@polaris.mindport.net> On Sat, 13 Apr 1996, David K. Merriman wrote: > > I initially tried filtering out anything _from_ JB; still got overloaded by > people trying to talk some sense into him (at the time, it was Black Unicorn > arguing law with him). Sorry. Armchair lawyers really irritate me, especially when the is a lot of armchair, and not any lawyer. > Dave Merriman --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: xxxxell at paxifier.com From markm at voicenet.com Sat Apr 13 21:30:14 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 14 Apr 1996 12:30:14 +0800 Subject: Web of Trust Keyring In-Reply-To: <Pine.SUN.3.91.960413194542.9295C-100000@polaris.mindport.net> Message-ID: <Pine.LNX.3.92.960413203618.2697A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Sat, 13 Apr 1996, Black Unicorn wrote: > Does anyone have a pointer to the Web of Trust Keyring? ftp://utopia.hacktic.nl/pub/replay/pub/pgp/pgp-key-ring/weboftrust.* - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMXBJC7Zc+sv5siulAQFHIQP+JF0DAUha7I99MMIE7S/nFvJtRXttZYhp IkjCNryZwSckKYimCJP561sx7MK8khDo7cx98i4udB5ZnkJIlfpxWNIM/YMpsVy/ k9vIwc0VQW1gX4rHVpJAa+UUjG7US5OllfSvgTMV2SICvvBNoUyUogOQUsnbN3Uy Qd+stiHkFV8= =pIEC -----END PGP SIGNATURE----- From s1113645 at tesla.cc.uottawa.ca Sat Apr 13 22:08:14 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Sun, 14 Apr 1996 13:08:14 +0800 Subject: Tips on Tapping Taps In-Reply-To: <v03006300ad94fddd6097@[192.187.167.52]> Message-ID: <Pine.3.89.9604132207.B19854-0100000@tesla.cc.uottawa.ca> On Sat, 13 Apr 1996, Dave Del Torto wrote: > Do we risk e$ accounts being billed automatically by water/gas/electric > meters on a daily basis without the possibility of users disputing the > readings in a timely way? Is anyone proposing permissions on such boxes? Credit or user-defined escrow for clearing (user pays the escrow company on auto, company verifies that "the check is in the mail" at its escrow account, user defines duration of retention) If an e$ credit system comes about, it'd be like reversing the fees on on a cred card. From loki at obscura.com Sat Apr 13 22:36:01 1996 From: loki at obscura.com (Lance Cottrell) Date: Sun, 14 Apr 1996 13:36:01 +0800 Subject: Mixmaster through conventional anonymous remailer Message-ID: <ad961c07030210042ad5@[206.170.115.3]> Since Mixmaster requires a special message format, you must have the client. You can send a completed mixmaster message throught other kinds of remailers before sending it to the first Mixmaster in the chain (although there is not much point). -Lance At 4:59 PM 4/13/96, Laszlo Vecsey wrote: >Is there a way to send an anonymous E-Mail message to anon.penet.fi and >then have it pass through mixmaster from there, instead of invoking the >mixmaster command locally? ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From unicorn at schloss.li Sat Apr 13 22:38:13 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 13:38:13 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? In-Reply-To: <199604132333.QAA22457@netcom11.netcom.com> Message-ID: <Pine.SUN.3.91.960413211541.9295G-100000@polaris.mindport.net> On Sat, 13 Apr 1996, Vladimir Z. Nuri wrote: > >This MPAA situation is an important example because it is neither > >"self-rating" nor "government" rating, but is, instead, something else. > >This model would be extremely hard to apply to the Internet, as there is no > >similar body to the MPAA, nor is there the same economic incentive for any > >such body to form and then to try to cope with tens of thousands (at least) > >of articles and pages per day.... > > totally disagree with you. the existence of Surfwatch etc. proves > that there is *already* such a market and economic incentive. > SurfWatch is in fact, in a sense, a ratings agency similar to the MPAA-- > not a government body. > > I foresee that the "industry" of providing ratings is going to be > a very significant aspect of future cyberspace. I tend to disagree. Ratings are generally consumed by parents and otherwise custodial entities. The largest and richest market anywhere has always been the 18-25 range, or 18-30 depending on who you talk to. I don't have figures, but I think that internet users probably prodominantely fall into 18-25/18-30. This age group generally could care less. It's much easier to search by subject or key word than by paying attention to ratings in any event. There is no real market for ratings. If there were a strong market incentive for it, there would be no need for government intervention, which there clearly is. Sure some schools will purchase the services, maybe some parents, but this is a long leap from major market and industry making entities. > these ratings are > generally always going to be advisory-- people can latch onto them > for a fee if they like to determine quality. And like any ratings system, it relies on the raters subjective judgement. Not a very market stable or market wise system. Tell me who would pay extra for a movie that had a rating on it. No reason to bother. People don't like the movie, they can leave. Instead they pay for the newspaper that has the review of the movies subject matter. No one much cares about the motion picture rating in any event. Parents perhaps, and children, to the extent that 'R' and 'NC-17' films are mystified and thus interesting. I can't even think of what the rating of the last film I saw was. I simply don't care. Does anyone honestly think that you're going to walk to a movie booth and drop $7.50 instead of $7.00 to get a look at the film's rating before you go in? Put two box offices side by side with and without this policy and tell me where the line is going to form. > note that "good/bad" > is the most simplistic rating possible. even more superior rating > agencies might find "cool material". Like the "hot sites" on Netscape's home page, or Alta Vistas? Or the "site of the day" stuff? Note that all this is free today. Again, they all rely on the ratings judgement of the rater. Given that most of these services are funded by advertizing sales rather than user cost, I think it's fairly clear that users wouldn't bother to pay for them. They might pay in increased costs for products because of advertizing expenses, but actually paying someone is too much trouble. I might add that Yahoo is about to go public despite the fact that it charges end users nothing. > in fact in a sense, every > editor of every newspaper is a sort of "rating server". he culls, > filters, and selects information that the readers like. That's a far cry from rating. That's simple exclusion. There is no discussion of the reasons and rationale for excluding, merely the exclusion. This is the cypherpunks lite example. Will there be a place for content/subject based news review, yes. But it will be much more interactive than ratings made by a central authority. It will, I hope, consist of software agents which allow each user to personalize his or her tastes (WOW!, that new compuserve deal is selling custom news selection I believe). Given the option of that kind of control, who the hell wants a centralized rating system? I can perhaps see that there may be serach fields which include ratings on content, much like there are search fields in library databases that permit you to find all the books over 200 pages on the planet, but that these of themselves are going to be significant I very much doubt. > increasingly, we are going to see systems that place economic > incentive on *selection* more than *copyright*. in other words, > in the old system, there is a "thing" called an "article" in > which one pays money to the owner whenever you copy it. in the > new system, the article itself has no value-- what you pay is > the system that delivers it to you (all intermediaries, editors, > etc), all the way up to the author. I believe this wrong. Neither copyright or selection are going to be viable businesses without advertizing. I don't know where copyright is going to go precisely, aside perhaps from shareware (which is what it is now essentially, as the only people who pay for intellectual property are those who want to). Particularly so in the context of audio, textual (Information Liberation Front) and software piracy markets. Copyright will or will not eventually be saved by trade secret style withholding. Creators of intellectual property will just have to be paid larger up front purchase fees for release as royalities become impossible to collect. There will certainly still be collections of articles, information, software which will be paid for by people who need it NOW, but those who are willing to wait will just be patient as the material filters down through the underground markets. Creators will be paid by compliers, who will be paid by advertizers who are banking on the readers who purchase compilations (magizines, software packages, etc.) because they are looking for undefined new material in a known area and specific searching will not be effective in giving it to them. Given that agents will be software as well, even these will be paid for only by those who bother to obey the law out of charity. There has been much talk lately about a move back to the centralized computing model. Put the software on the server and let users buy dumb terminals and share the software. The personal computer market was made overnight because this is exactly the opposite of what people want. People want individual control. People want to customize the software they run, and they want to have it at their disposal immediately, not by the graces of a provider. This is literally carved in the philisophy of all the personal computer producers marketing tactics. "Macintosh: The power to be your best." "Radius: How the best get better." "Dayna: No bounderies, no limits." "Word Perfect for Macintosh: The power to express yourself." I think you can even show that those marketers who have failed to account for user customization have failed horridly and their products are the legends of failure. Who is going to bother with centralized ratings when customized ratings are a few keystrokes away. The basic premise that people will prefer to have material selected for them rather than select it themselves is, in my view, fatally flawed. > it will take people awhile to realize, but ratings can actually > be extremely liberating and useful if put into place in a > robust way. I believe PICS is a very good step in the right > directions. what today is limited to credit ratings etc. will > expand into a system of rating everything, I suspect, and > it will be done in such a way that everyone agrees it is > a Good Thing and they couldn't imagine getting along without > it. You really think central authority rating a la TRW is a "good thing"? I submit you've never had to deal with TRW. You are also ignoring the fact that if such an industry ever does exist, there will be a free market of raters. Those that don't end up fitting users wants will be discarded. You can't please all of the people all of the time. Custom agents can. A centralized and standardized ratings system is going to be an economic flop. > in the old system, censorship was accomplished by the government > putting chains on, or burning, "atoms". in the future, people will just > select whatever information they are interested in. In the future? They do that now. What do you think Alta Vista is? Alta Vista in its purest form, cataloging, is by no stretch of the imagination a ratings system. It's also free. So much a for massive retail ratings industry. > censorship > of bits is not only inappropriate, it is impossible. censorship > can only work when you have atoms. those who are applying old > "atom" ideas to "bits" will continue for some time to have sway > with the public, until the general population realizes their > arguments are completely specious. Its interesting to me that you can be both so freedom of information oriented, and central authority obsessed at the same time. I said interesting, not surprising. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Sat Apr 13 22:45:06 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 13:45:06 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <m0u8Hnr-0008xYC@pacifier.com> At 09:25 PM 4/9/96 -0700, Bill Frantz wrote: >At 6:27 PM 4/9/96 -0800, jim bell wrote: >>At 07:08 PM 4/9/96 -0700, Bill Frantz wrote: >>>At 3:21 PM 4/9/96 -0800, jim bell wrote: >>>>And the rest of us are tired of seeing those non-responses! >>> >>>I wish to state that Jim Bell does not speak for me. >> >>Tell me, what is the most exciting, interesting, and imaginative usage of >>"Yadda Yadda Yadda" that _you_ remember, Bill? > >This will be my last post on this subject. Since Jim Bell ALWAYS has to >have the last word on any given subject, he will continue to try to read >something into my statement that is not there. I can not get much clearer >than: > >I have not authorized Jim Bell to speak for me. > I seem to recall seeing this message about 4 days ago, when it was originally posted. Somehow it is not me who seems to need to "have the last word." Apparently, not only do you need to have the last word, you need to have it TWICE. From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 22:46:32 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 13:46:32 +0800 Subject: (Fwd) British Study Claims That Photo Credit Cards Don't Message-ID: <01I3IDEMJXFW8Y51D0@mbcl.rutgers.edu> From: IN%"adam at lighthouse.homeport.org" "Adam Shostack" 8-APR-1996 22:47:00.53 > Most merchant agreements prohibit asking for more ID beyond >the card. Umm... how many places have you seen with a minimum amount chargable? That isn't allowed by _any_ of the merchant agreements that I know of, and I've seen a lot of places do it anyway. How's the card company going to notice? Most people use cash for small stuff anyway. >cpunk relevance? Most security that relies on people being awake is >broken. Security that relies on people with no financial interest in >a transactions security is broken. Studying how security breaks today >is a good idea. Quite. -Allen From byrd at acm.org Sat Apr 13 22:46:39 1996 From: byrd at acm.org (Jim Byrd) Date: Sun, 14 Apr 1996 13:46:39 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <2.2.16.19960410092151.2fef491c@tiac.net> The complete deposition may be found in RealAudio format at http://www.northcoast.com/~grady/depo At 07:02 PM 4/9/96 -0700, John Gilmore wrote: >I thought that most or all of the cypherpunk anonymous remailers don't >keep records. Not even on backup tapes. The whole idea is that there >aren't logs. But maybe they have found some remailers that are >non-cypherpunk. And I haven't verified the truth of what's in the msg >below. If anyone hears anything, please let me (or eff at eff.org) know. > > John Gilmore > >Date: Tue, 9 Apr 1996 18:27:02 -0700 >To: fight-censorship+ at andrew.cmu.edu, eric at remailer.net, > farber at cis.upenn.edu (Dave Farber) >From: jwarren at well.com (Jim Warren) >Subject: (fwd fyi - NOT verified!!) very urgent news > >Seems like it's just a tad overbroad, if true. Another example of, "all >the 'justice' that one can buy"? > >--jim > >>Date: Tue, 9 Apr 1996 15:44:52 -0700 (PDT) >>From: shelley thomson <sthomson at netcom.com> >>Subject: very urgent news >>To: jwarren at well.com >> >>Hello, Jim Warren: >> >> The church of scientology plans to subpoena the records of every >>anonymous remailer in the USA. >> >> I publish a news/black humor magazine on the net called **Biased >>Journalism**. As a journalist I have covered the collision between the >>church of scientology and the net. My last three issues have focused on >>legal action by the church against Grady Ward and Keith Henson. >> >> Today I had a note from Grady Ward, whose deposition was finished >>today. He said that they asked him a lot of questions about me, and >>warned me that they may issue a subpoena for me and a demand for my >>email. >> >> The church presumably intends to claim that I am not a real >>journalist because I only publish on the net. I need to prepare a legal >>defense, and needless to say, can't afford a lawyer. If you can direct >>me to any resources, I would appreciate it very much. >> >> On the basis of events today, Ward believes the church will >>issue subpoenas for the records of every anonymous remailer in the USA. >> >> If these records are delivered to the church, our First Amendment >>rights go with them. >> >> Shelley Thomson >> >> publisher, **Biased Journalism** >> 800-731-0717 voice message > > From jimbell at pacifier.com Sat Apr 13 22:59:50 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 13:59:50 +0800 Subject: Contempt charges Message-ID: <m0u8Hnt-0008xbC@pacifier.com> At 10:32 AM 4/10/96 -0400, Moltar Ramone wrote: >>No doubt, a judge might whimsically keep Bob in jail for a while, trying >>to assure that he has revealed all of the pass phrases, but the judge >>can never be certain, even when Bob has disclosed everything. This >>situation creates doubt that Bob is in contempt, even when he is, and >>makes a prison term relatively pointless, unless for revenge. Despite your silly inferences below, I did not write this note that you are responding to. However, I'd be happy to enter into a $1000 wager with you on this. I'll give permission to any anonymous remailer through which this message might have passed (assuming it keeps reverse addresses, many do not) to release the original message IF I sent it. If I did not, you pay me $1000. If I did, I pay you $1000. Deal? Somehow I don't think you'll take me up on it. >But that's what a contempt charge is _for_: "You're not treating me with >respect, so I'm going to punish you." It might be described as being for >a particular reason (ie supressing evidence), but each of those reasons >ultimately boils down to lack of respect. Question: How can a judge tell he's being treated with "respect" under the conditions described? Simple answer: He can't. What, exactly, would the difference between "respect" and "no respect" be? >In addition, were I handing down (or prosecuting) the contempt charges, I'd >claim that the statement (even if it was made in public) that the individual >didn't know all the keys in the first place was a lie, and that, by repeating >the lie, they were purjuring themself. Proof would be a bit difficult under the circumstances. However, I am sure that you consider minor issues such as proof to be of no consequence. From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 23:13:08 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 14:13:08 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <01I3IE1P3TXW8Y51D0@mbcl.rutgers.edu> From: Sandy Sandfort <sandfort at crl.com> >To which Jim Bell wrote: >> And the rest of us are tired of seeing those non-responses! >Exactly for whom is Bell speaking? Jimbo, please let us know >who has given you a limited powers of attorney to be their >mouthpiece. It's sad when someone (correctly) deems their >opinions too weak to stand without (dare I say it?) pseudo- >spoofing by reference. I got rather tired of the Jim Bell - Black Unicorn debates a while back... and I was getting tired of _both_ sides. Neither came off very well. One reason was that they kept talking past one another, as someone else pointed out a bit back and neither bothered to notice. -Allen From roger at coelacanth.com Sat Apr 13 23:18:45 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 14 Apr 1996 14:18:45 +0800 Subject: Bank transactions on Internet In-Reply-To: <199604140029.TAA13117@homeport.org> Message-ID: <9604140338.AA3307@sturgeon.coelacanth.com> >>>>> Adam Shostack <adam at lighthouse.homeport.org> writes: > I disagree strongly about the advisability of this. If we > demonstrate the utter weakness of 40 bit keys, the US business > community will scream for a better solution... There is some precedent for this approach, yes... It sounds like an interesting project, to boot -- if Ian Goldberg ends up dropping it, I may take it on (using Xilinx chips) just for the hell of it. -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From ses at tipper.oit.unc.edu Sat Apr 13 23:20:27 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 14 Apr 1996 14:20:27 +0800 Subject: US crypto laws? Need help! In-Reply-To: <v02140b18ad91143a0d5e@[13.202.222.150]> Message-ID: <Pine.SOL.3.91.960413203112.28313A-100000@chivalry> On Wed, 10 Apr 1996, Jean Chouanard wrote: > I was wondering if a foreigner like, with a valid work visa but not a > permanet green card, is allowed to use crypto in the state. > > If yes, is there any restriction? Depending on crypto methods? You need to get an export licence if you want to be legal; however, this sort of licence is more or less automatic, and should only take a few weeks to process. Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 23:20:27 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 14:20:27 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <01I3IDUODNBE8Y51D0@mbcl.rutgers.edu> From: IN%"alano at teleport.com" "Alan Olsen" 10-APR-1996 02:41:54.68 >Forget the porno... What are the parents who believe in Creationism going >to do when little Johnny runs into a good skeptical site debunking all that >crap? What are they going to do when the little liberal kids are exposed to >the works of conservitives? Or Biblical Inerentists kidlets are exposed to >the debunkings of that faith? Or Dorthy Denning's kids (if she has any) get >exposed to the writings of the subversive known as Tim May? Quite. It's interesting in that regard that, as well as differentiating between homosexual and heterosexual content, the W3C PICS scheme includes a filtration scheme for attacks on religions. One wonders if they considered that Scientology is currently (probably unjustifiedly) considered a religion? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 23:30:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 14:30:36 +0800 Subject: Tense visions of future imperfect Message-ID: <01I3IEI1EIFI8Y51D0@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 11-APR-1996 00:21:15.87 >Personally, I find the idea that the government could hope to track the >economy so closely as to notice a $10M/year addition to the money supply to >be disturbing (though it was done in a science fiction story about >20 years ago :-) With digital cash, it's also unrealistic - we >finally have a technology for moving money around _without_ >them being able to track it all, if we want to deploy it. One related question is if the government would notice an underground fully anonymous digital cash setup - transactions disappearing from their "radar screen." -Allen From jimbell at pacifier.com Sat Apr 13 23:31:49 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 14:31:49 +0800 Subject: Watch your language, Shabbir. Message-ID: <m0u8Id7-0008ylC@pacifier.com> At 08:07 PM 4/13/96 -0400, s1113645 at tesla.cc.uottawa.ca wrote: > >On Tue, 9 Apr 1996, jim bell wrote: > >> Look, very carefully, at the last paragraph quoted above. Mr. Safdar says, >> "No reasonable person is objecting to the FBI's right to conduct a wiretap." > >That's right. Because no reasonable person thinks they can convince Congress >or the Supremes otherwise. It isn't impossible, but energies are best spent >elsewhere, like getting the Burns bill passed. But that's not entirely the issue. Mr. Safdar's wording is critical, because it concedes FAR too much about what the government is assumedly entitled to do. Below, you've admitted that everybody here believes in what Mr. Safdar claims "no reasonable person" believes. Is Mr. Safdar saying we're ALL not reasonable?!? Are you? Further, I've read of multiple polls (Unfortunately, I can't quote a specific one) that show that a substantial _majority_ of the population objects to wiretaps under most any circumstance. (The figure I seem to recall was somewhere between 60% and 70%) If this recollection is true, and if the poll was accurate, there is no reason to believe that even your adjustments to Mr. Safdar's position is a accurate limit on reasonableness. I claim: 1. The vast majority of the population does not believe that the ability to wiretap is a government "right." 2. A majority of the population does not believe that the government should wiretap, even if it is assumed to have this authority. >Now none of us think wiretaps are a right and I presume Shabbir isn't >much of a fan either or he wouldn't take the trouble of supporting >something that makes wiretapping pointless (crypto). However, why did he make the claim the way he did? Is it just sloppy spokesmanship? Worse, why did no one else catch this gaffe? Is everybody else asleep? I saw no other commentary indicating that anybody noticed his statements. Are they ignoring Mr. Safdar's postings? Are they not reading them at all? Do these people not recognize that his comments practically grant the entire enchilada to the government? Why did he do this? And why hasn't he corrected what is apparently a huge mistake? > But we and he are >not Washington and there lies all the difference. Let's assume that my recollection is correct and most people don't want wiretapping at all. Why, exactly, should you believe that we're fated to get it anyway? (If you recall, I quoted part of a Brittanica article which said that from 1934 to 1968, a number of attempts to write wiretapping into law FAILED. Clearly, wiretapping wasn't inevitable then, and it doesn't have to be inevitable now.) Consider a hypthetical discussion with some Senator or Representative, where we point out that the public, as a whole, does not want wiretaps at all. "Why," we should ask, "should wiretaps occur when the public doesn't want them? Doesn't the majority get its way, at least in situations such as this? (It violates nobody's rights to NOT have wiretaps.)" The bigshot could come back and say, "But law-enforcement WANTS wiretaps!" Our next question should be, "Okay, but why does a tiny fraction of the population get more say in what happens than 70% of the public? Even if, arguably, wiretaps are beneficial, if the majority says they want to forgo this benefit, why don't they have this privilege?" At this point, the government sleazeball might not admit to the problem, but I doubt he'd have much of a response. >Do remember, Jim, that just 'cause most of this list is libertarian >doesn't mean that the rest of the world is. If, say, 70% or even 60% or 50% of the public doesn't want wiretaps at all, calling oneself libertarian is not required to share the opinion that government doesn't have the "right" to do them. Thus, I didn't couch my argument in terms that would require a libertarian to agree with them. This was intentional: I wasn't attempting to claim that the politicians are somehow obligated to follow libertarian opinions, but they damn well listen to MAJORITY opinions, at least when they limit what government should do! > I'm thankful that they can >occasionally agree with us horsepeople, despite the hysteria. Be polite. Hey, I _was_ adequately polite. However, unlike many of the people who are asleep at the switch around here, I am observant and I don't accept bullshit just because it is couched in terms that sound friendly. This incident, and particularly the failure of nearly all of the regular posters to see the problem with Shabbir's comments, has convinced me that a substantial fraction of the people who regularly post on CP aren't carefully considering issues such as rights of the population when they read this kind of material. You, at least, acknowledged that wiretapping isn't a "right." Where is everyone else's objection to Shabbir's statement? BTW, I'm not suggesting that I think that the majority of the population must necessarily have the "right" to do wiretaps if they want them: I'm saying that they have a right to NOT do wiretaps. There is a distinct difference between these two positions. The constitution may prohibit wiretaps even if the majority wants them; logic and history shows that the constitution does not MANDATE wiretaps even if the majority doesn't want them. Jim Bell jimbell at pacifier.com From jwhiting at igc.apc.org Sat Apr 13 23:32:39 1996 From: jwhiting at igc.apc.org (Jerry Whiting) Date: Sun, 14 Apr 1996 14:32:39 +0800 Subject: Lucifer & DES Message-ID: <199604140347.UAA22331@igc2.igc.apc.org> Perry My apologies for any misunderstanding in my original post. I was merely trying to point out IBM's historical compliance with govt suggestions for the design of the S-boxes. Please excuse me if my facts are adrift. My point was that this may shed light on IBM/Lotus' acceptance of the 40+24 work force reduction scheme. IBM may be receptive to working with the government yet again. Jerry Whiting jwhiting at azalea.com From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 23:34:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 14:34:51 +0800 Subject: No matter where you go, there they are. Message-ID: <01I3IFBN6U2G8Y51D0@mbcl.rutgers.edu> From: IN%"hfinney at shell.portal.com" "Hal" 11-APR-1996 18:06:18.51 >The method of using authenticated devices which provide timestamped >data from satellites not visible to the authenticating site does not >need to provide that data in real time. Even if it is delayed so it >comes in later than the data from the remote site, the verifying site >can still use it to calculate what the remote site should have been >seeing, and so get the benefit of using timings from all the satellites >visible to the remote site (again, assuming the remote site itself has >a low latency connection to the authenticating site). In regards to these timestamping devices... how do they know the correct time? It looks like that would be distortable, and with that, you could simply simulate the satellites to them via placing the device inside a metal box and piping in the appropriately modified signals. If it's getting its time information from the signals themselves, things get even easier. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 13 23:46:04 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 14:46:04 +0800 Subject: RC4 on FPGAs (Was: Bank transactions on Internet) Message-ID: <01I3IG4C9C0E8Y51D0@mbcl.rutgers.edu> From: =?ISO-8859-1?Q?J=FCri_Kaljundi?= <jk at digit.ee> >Once someone gets this kind of cracking device ready, I think it would be >nice to make the information freely available, or start selling these for >nominal price. >This would also make an interesting device connected to Internet. In case >of fast device people could use it either for free or pay using ecash for >using it, and crack their SSL sessions. May be Netscape or Microsoft or >someone else (may be even Community Connexion :) lobbying the government >for allowing export of strong encryption could sponsor it. It should not >be so expencive. Much more useful than amazing fish-cam or coke machine on >Internet. It would make it kind of difficult to argue that 40-bit encryption was anything near the required level, yes. Of course, I'd advise setting it up _outside_ the US or any other country with a habit of disliking cryptography - otherwise they'd just find some excuse or another to shut it down. For instance, you'd probably have to set it up if it were in the US to check where a request was from, in order to not violate some arcane ITAR rule or another. -Allen From jimbell at pacifier.com Sat Apr 13 23:52:00 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 14:52:00 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena Message-ID: <m0u8Iup-0008y0C@pacifier.com> At 02:30 PM 4/13/96 -0400, s1113645 at tesla.cc.uottawa.ca wrote: > > >On Wed, 10 Apr 1996, sameer wrote: > >> >> Frankly, I'm getting antsy. Is C2 going to get subpoena'd or >> not? I would be very disappointed if we don't. >> (Subpeonas envy!) > >All you have to do is call up CoS's lawyers. Let your fingers do the >walking... > >Seriously though, might it not be nicer (easier?) to establish some court >precedents on remailers vs. CoS rather than the government? Think of it as >a preemptive strike. Sounds like forum shopping/defendant shopping/plaintiff shopping. An excellent idea. The best part is that COS is one of the most unsympathetic organizations that could possibly be chosen, with the possible exception of the American Nazi Party or the KKK. The argument of CoS's religious copyright and trade >secrets don't seem to me be as emotionally effective horsemen as "National >Security Threats" or "Child Pornography". I really wouldn't want to see >Congress get away with legislating on remailers in a legal vacuum. I sure hesitate to "hope" that the COS thing gets turned into an SC decision, because that means that SOME defendant has to get pulled through the ringer until he eventually wins. Great for us; terrible for him. >Go for it Sameer. ;-) (Hope you won't be needing Jim's ISP-Aspol inc. >insurance against them pesky scientologists...[double ;-) ]) It's at this point that somebody usually observes that the COS could use AP to get rid of its critics. However, they're forgetting that with AP, its critics can remain absolutely anonymous and still punish COS. It would be no contest. From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 00:14:01 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 15:14:01 +0800 Subject: Scientologists may subpoena anonymous remailer records Message-ID: <01I3IGCYMLNS8Y51D0@mbcl.rutgers.edu> From: noring at netcom.com (Jon Noring) >On Wednesday afternoon, February 8th, three private >investigators visited the Caltech Security Office and the Campus >Computing Organization. The P.I.s wanted to know the identity of >the holder of the account "tc" on the Caltech Alumni Association >computer system (alumni.caltech.edu). They claimed to have >gotten the account name from the anon.penet.fi server via the >Helsinki police. Due to the unusual nature of this request, the >P.I.s were told that Caltech would need more information before >this type of information could be given out. Later that day, an >attorney representing the Church of Scientology called the >campus computing support office demanding the name of the >account holder. The attorney claimed that a document had been >stolen from a CoS computer system, and that the document had >been posted to the a.r.s newsgroup from alumni.caltech.edu via >the anon remailer. (The claim was the document was created on >Jan. 21 and appeared in a.r.s. on Jan. 24). The computing support >staff did not divulge the name of the account holder, and the CoS >attorney was referred to the Caltech General Counsel's office. Given that they didn't have a subpoena at this point, wouldn't the simplest way to solve this problem be to wipe the records? Somehow, I suspect that the judge is unlikely to put Caltech in contempt of court on suspicion that they're lying about the records being wiped. Now, contempt of court out of irritation... -Allen From jwhiting at igc.apc.org Sun Apr 14 00:33:58 1996 From: jwhiting at igc.apc.org (Jerry Whiting) Date: Sun, 14 Apr 1996 15:33:58 +0800 Subject: carrick, Blowfish & the NSA Message-ID: <199604140412.VAA24649@igc2.igc.apc.org> One reason we chose to use Blowfish as the basis for carrick is that it _is_ a new algorithm. One has to assume that the NSA et al. has tools optimized to crack DES and possibly IDEA/RSA. At least let's give them something else to sweat over. In the short term there's a high probability that a cross-platform Blowfish-based encryption toolkit will muddy the waters and make life interesting for us and a bit more challenging for them. We're shooting for a May 1 release for Windows with the Mac and DOS 6 weeks behind and VAX/Sun a month after that. We're aiming for the stars: encryption, time/date stamps, signatures, message digests, etc. all based on Blowfish. We're doing a core engine with APIs, a standardized file format, and extensability for other developers. We're very committed to making the spec including the API and file format VERY PUBLIC. Like I said, we're aiming high. So yes, if we're successful Blowfish should be taken more seriously. And yes, when I outlined the above to the NSA while asking for an export permit, I was met with silence on the phone. I can't wait to meet with them mid-May when they come out to visit. My sense is that some junior level person(s) looked at Blowfish when Bruce originally published it in Dr. Dobb's and that their report was filed away waiting for the day when someone actually used it in the real world. Our marketing tag ("Encryption software so good, the Feds won't let us export it.") may well become a self-fulfilling prophecy. But that's OK because having others adopt carrick is our real goal. Building up a strong U.S. user base is OK while we wrestle with the NSA over how big a key length we can export. Their initial response was that 40-bit keys were specific to RC2 and RC4 and that Blowfish was another kettle of fish (bad pun intended). Either way we're going to publish an extensive FAQ on carrick that should allow someone to not only work with carick but perhaps clone our efforts. IANAL but my understanding is that publishing such a document, with or without source code, and making it publicly available to non-U.S. citizens is perfectly legal. So NSA if you're reading this: This may be yet another example of locking the barn door after the genie is out of the bottle. Prohibiting us from exporting carrick the product is pointless if we're allowed to fully document carrick the API and file spec. Jerry Whiting jwhiting at azalea.com 1 800 ENCRYPT From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 00:49:34 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 14 Apr 1996 15:49:34 +0800 Subject: PICS Message-ID: <01I3IGVW330U8Y51D0@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 12-APR-1996 22:58:59.49 >I had a chance for a brief look at the PICS protocol, and it seems to have >a lot of cypherpunks relevance. It includes features such as: > Multiple third party rating systems No problem. Although it looks like the CDA-replacement bill would essentially require using one with at least as great anti-minor censorship abilities. > Digital signatures This is a problem, unless one simply deletes the signature on modifying a message, and takes the deny-everything-to-minors approach. -Allen From merriman at arn.net Sun Apr 14 00:55:28 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 14 Apr 1996 15:55:28 +0800 Subject: Tense visions of future imperfect Message-ID: <2.2.32.19960413163151.006b743c@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 11:33 PM 04/13/96 EDT, "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote: >From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 11-APR-1996 00:21:15.87 > >>Personally, I find the idea that the government could hope to track the >>economy so closely as to notice a $10M/year addition to the money supply to >>be disturbing (though it was done in a science fiction story about >>20 years ago :-) With digital cash, it's also unrealistic - we >>finally have a technology for moving money around _without_ >>them being able to track it all, if we want to deploy it. > > One related question is if the government would notice an underground >fully anonymous digital cash setup - transactions disappearing from their >"radar screen." I wouldn't expect Gov't to notice any individual transaction, of course, but doubtless they would eventually notice that the expected amounts of money weren't where anticipated. At that point, I suspect things would get "interesting" (moreso than now :-) regarding currency tracing. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMW/Ii8VrTvyYOzAZAQEkdgQAqKqqbAAn3GIaW3/pdHKMWj8zN2FPuIa+ UEwJsz0Kjs4Whlt+UzjygJtKX1sXPnNjjf47l8tDQWqknrhxO1SDBlmsk1lHeM24 FPYFSwWH+y/zhlxjfj0mn2LlLngvN5UuWU7UG2Q7lKk0DjHvxqAYdbQDNfs1bXRm pxlXPaz1T2k= =rnwR -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From alano at teleport.com Sun Apr 14 00:57:42 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 14 Apr 1996 15:57:42 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <2.2.32.19960414043501.00940608@mail.teleport.com> At 11:15 PM 4/13/96 EDT, E. ALLEN SMITH wrote: > Quite. It's interesting in that regard that, as well as differentiating >between homosexual and heterosexual content, the W3C PICS scheme includes a >filtration scheme for attacks on religions. One wonders if they considered that >Scientology is currently (probably unjustifiedly) considered a religion? The more the irrational and indefensible the faith, the more that the proponents of that faith view any sort of debunking attempt as "an attack". (It is not just Scientologists that suffer from this mentality. I have seen those of the more fanatical Christian varieties make the same claim.) What these schemes will do is shield children from anything resembling a "controversial" discussion. (I expect Cypherpunks to be labeled as "could cause criminal behaviour" or some such malarky by the more protective and clueless. (It may be true, but why warn them upfront? ]:> )) You will see the forces of "good" try and protect the little kidlets from anything that might get them to think for themselves. It is already happening in some sectors of public thought, I expect the net to become its next victim. Soon everything will be "Sanitized for your Protection". --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jimbell at pacifier.com Sun Apr 14 01:14:50 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 16:14:50 +0800 Subject: Lotus Notes 24-bit sellout Message-ID: <m0u8JkZ-0008yjC@pacifier.com> At 09:21 AM 4/12/96 -0700, Jerry Whiting wrote: > >When Ray Ozzie announced the work reduction sellout at the RSA conference, >both he and Ms Denning (whom I spoke with about it later) mentioned that >there was something else in Lotus Notes 4 besides the 40+24 bit compromise. > >My thought is that the NSA gave them something else in exchange for the >mandatory escrow scheme they're all talking about publicly. Perhaps some >other crypto code the NSA had lying around unused. > >So looking for a common 24-bit subkey may reduce Notes' key to a 40-bit >brute force exercise but the 40+24 is probably not ALL that's in Notes 4. > >Definitely a deal with the Devil. Given that we're talking about IBM, not >Lotus none of this surprises me given IBM's Lucifer/DES history with spook >input years ago. Then again to be fair, I don't know if the 40+24 deal >was cooked up before or after the IBM/Lotus merger. What about the following idea, which I think might have been indirectly discussed a few months ago. Let's suppose "you" agreed with the NSA to limit their effort to 40 bits, and put 24 bits at the beginning of the file. The code to do this could be separated and highlighted and identified publicly, and a software patch could be engineered by somebody to NOP this stretch of code to death. The result is that those 24-bits simply don't appear; you've already gotten the export license. The NSA doesn't have any real reason to complain: _ANY_ program can be modified by suitably changing object code bit patterns. An even smaller change would be to put the number of bits to expose ("24") in a byte value ("00011000"), one that will be zeroed by a patch later on. I guess I'm not really suggesting this; I think that even appearing to come to some arrangement with the NSA is wrong. However, it would be an excellent way to give the finger to the NSA, because there is no way that they can ensure that a given program is "finagle-proof." From stend at grendel.texas.net Sun Apr 14 01:30:49 1996 From: stend at grendel.texas.net (Sten Drescher) Date: Sun, 14 Apr 1996 16:30:49 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <v03005b03ad944efa70c3@[206.126.100.99]> Message-ID: <199604140501.AAA00441@grendel.texas.net> >>>>> Steve Reid writes: SR> Analogy: It would be like putting a license plate on the engine of SR> a car. It *could* be done that way, if you redesign the car so SR> that the engine protrudes out from the back with a place for the SR> license plate (let the technical people handle the technical SR> details of that). But the best place for a license plate is on the SR> outside body of the car, and the best place for content filtering SR> is at the application layer. No, the best place for content filtering is in that grey lump mounted between the shoulders of most humans. But that relys too much on personal responsibility for the NetNannies to accept. Besides the fact that most of the NetNannies don't seem to use that grey lump that often. -- #include <disclaimer.h> /* Sten Drescher */ ObCDABait: For she doted upon their paramours, whose flesh is as the flesh of asses, and whose issue is like the issue of horses. [Eze 23:20] Unsolicited email advertisements will be proofread for a US$100/page fee. From jeremey at forequest.com Sun Apr 14 01:39:34 1996 From: jeremey at forequest.com (Jeremey Barrett) Date: Sun, 14 Apr 1996 16:39:34 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <199604100731.AAA16964@eternity.c2.org> Message-ID: <Pine.BSI.3.91.960413221855.7580A-100000@newton.forequest.com> crypt() is a hash function, and hence is not subject to export restriction. (To my knowledge). On Wed, 10 Apr 1996, Chris McAuliffe wrote: > Is crypt(1) a prohibited export from the US? I thought it was. The > reason I ask is that it has come to my attention that HP ships that > overseas too, with HP-UX versions 9 and 10... -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeremey Barrett Senior Software Engineer jeremey at forequest.com The ForeQuest Company http://www.forequest.com/ "less is more." -- Mies van de Rohe. Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gage, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." -- 'fortune` output From jimbell at pacifier.com Sun Apr 14 02:17:35 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 17:17:35 +0800 Subject: Any examples of mandatory content rating? Message-ID: <m0u8KCD-0008ycC@pacifier.com> At 10:59 AM 4/13/96 -0400, Black Unicorn wrote: >On Fri, 12 Apr 1996, Timothy C. May wrote: > >> >> I'm interested in hearing about any _actual_ examples where a government >> body in the United States has mandated that intellectual property (roughly, >> written words, magazines, motion pictures, CDs, etc.) be "rated" or >> "age-labelled." Before anyone out there fires up his "Reply" and tells us >> about movie ratings, magazine warning labels, and the like, read on. > >Well, my examples aren't all going to be in the United States, or >strictly intellectual property, or 'age' based, but here: > >Age rated, I don't think there are many examples. General ratings exist. >The best place to look for this kind of thing is e.g., FAA safety >ratings on potential aircraft/aircraft part designs. > >While at first it may seem a bad example, It is a poor example. Aircraft parts are not "intellectual property." They are physical objects. Their design may be "intellectual property", but they are not being rated BECAUSE of their intellectual property. In fact, they would be rated for aircraft application even if nothing about their design or construction was patented, copyrighted, or was in any way restricted. >> So, if anybody's still reading this, I am interested in _any_ examples >> where intellectual content (as opposed to food or drug packaging, for >> example) is required to be labelled. >Still, governments are quite talented at making ratings schemes look >voluntary when practically speaking they are not. You know, it's amazing how you fail to ask and answer obvious questions when they arise! Why, exactly, should the government NEED to "make ratings schemes look voluntary when practically speaking they are not"? After all, you would love to take the position that the government has this authority anyway. Is it possible you're just afraid to admit that the government(s) doesn't have this authority? Is it possible to don't want to acknowledge that the government(s) try to force people do things it has no right to? >> Such examples might shed some light on how these various proposals for >> "labelling" of Net traffic might work. And absent such examples, might show >> just what a tough road lies ahead for those advocating such labelling. > >I think it will end up much like motion pictures. The net will be asked >to regulate itself under the threat of government regulation, which might >be an empty threat if the First Amendment rights are applied. Most >people will comply, it being easier than making a fuss. Sounds like wishful thinking on your part. See, unlike movies and TV shows, which are produced by a relatively tiny number of companies which are easily targetable, Internet content will be produced by hundreds of thousands or even millions of sources. Nobody will have to "make a fuss," they'll merely FAIL to rate their material. No fuss, just no rating. And there will be people out here who will excoriate anybody who complies with such a ratings system. There will be essentially no pressure on the smallest organizations, because there will be far too many of them to target. Besides, since there will be no enforceable standards they will not be targetable anyway. Over time, ever larger organizations will refuse to rate, if they ever did. Eventually, and probably immediately, the whole system would collapse. At that point, there will be no government "threat" to regulate, because everybody will realize that the system is working just fine without regulation. Everyone will see an unregulated Internet, and nobody will see a powerful need to regulate it. From kss01 at uow.edu.au Sun Apr 14 02:22:23 1996 From: kss01 at uow.edu.au (Kris Steven Shannon) Date: Sun, 14 Apr 1996 17:22:23 +0800 Subject: cyherpunks archive Message-ID: <199604140535.PAA18022@wumpus.its.uow.edu.au> I can't get access to the cypherpunks archive at berkeley Is there a mirror site anywhere? (I don't have FTP access but have been using ftpmail at doc.ic.ac.uk) Any suggestions very welcome! Thanx. -- Kris Shannon <kss01 at cs.uow.edu.au> 1st year Bachelor of Computer Science. From jimbell at pacifier.com Sun Apr 14 02:24:25 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 14 Apr 1996 17:24:25 +0800 Subject: Digital Cash Escrow Message-ID: <m0u8KXA-0008yyC@pacifier.com> At 08:51 PM 4/11/96 -0400, Jean-Francois Avon wrote: >Does anyone, especially in Canada, ever noticed that them or their local net >friends had their snail mail opened? > >A friend of mine has his regularly opened; he complained to Canada Post >three times, but it stills goes on AFAIK. He is pissed off at me, convinced >that the forwarding of Jim Bell's AP related articles is what justified the >mail opening. Actually, he does not even reply to my e-mails anymore. >We used to be great friends... >Neither of us ever engaged in any subversive activities or are involved in >illegal actions. It seems that FUD got him. ...sigh... It does sound like the guy is overreacting a bit. However, I don't know much about Quebec politics; with that close vote recently on separation, perhaps they are getting nervous about things. Is he in Quebec? I can say, however, that I've never gotten any kind of "official" feedback on the subject, not that I really expect it. I've gotten a few inquiries which on the surface appear to be innocuous, but which I suspect have hidden motives. This could be a little hidden official research, or maybe just self-motivated individuals trying to do a "good deed." It doesn't matter; my idea doesn't need any secrets in order to be successful. From richieb at teleport.com Sun Apr 14 02:37:35 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sun, 14 Apr 1996 17:37:35 +0800 Subject: Watch your language, Shabbir. Message-ID: <2.2.32.19960414055241.006c7710@mail.teleport.com> At 08:34 PM 4/13/96 -0800, jim bell <jimbell at pacifier.com> wrote: >At 08:07 PM 4/13/96 -0400, s1113645 at tesla.cc.uottawa.ca wrote: >> >>On Tue, 9 Apr 1996, jim bell wrote: >> >>> Look, very carefully, at the last paragraph quoted above. Mr. Safdar says, >>> "No reasonable person is objecting to the FBI's right to conduct a wiretap." >> >>That's right. Because no reasonable person thinks they can convince Congress >>or the Supremes otherwise. It isn't impossible, but energies are best spent >>elsewhere, like getting the Burns bill passed. > >But that's not entirely the issue. Mr. Safdar's wording is critical, >because it concedes FAR too much about what the government is assumedly >entitled to do. Below, you've admitted that everybody here believes in what >Mr. Safdar claims "no reasonable person" believes. [snip] No. Shabbir claims just what he said, AFAIK, that "no reasonable person is objecting..." A very different matter. What I believe and what I choose to object to through organized political initiatives may be two different things. If Shabbir's wording is so critical, why did you change it by adding "believes?" I don't believe government should be able to wiretap it's citizens, but I also don't think there's a snowball's chance in hell of taking that power away from the FBI. That's why I want strong crypto. There is a far greater chance of getting some decent crypto legislation enacted than of completely removing the FBI's authority to wiretap. It's a much more "reasonable" goal, in that sense. There are people much more deserving of cypherpunk scorn than someone who works as hard on these issues as Shabbir. It's pretty pathetic, Jim. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From roger at coelacanth.com Sun Apr 14 03:08:02 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 14 Apr 1996 18:08:02 +0800 Subject: Bank transactions on Internet In-Reply-To: <9604100832.AA06344@divcom.umop-ap.com> Message-ID: <9604140611.AA3800@sturgeon.coelacanth.com> >>>>> "Jon Leonard" <jleonard at divcom.umop-ap.com> writes: > My short answer: Yes, it's that cheap, but only if you already > work with the chip vendor and have the software tools to program > the chips. If not, expect to spend many thousands of dollars... Huh? We're talking about modern FPGAs here. The cost of the tools necessary to actually *program* the damn things is very small, as almost all of them are SRAM-based and programmed out of an external EPROM, bus, or serial bitstream. Sure, we've spent $50,000 on FPGA *development* tools, but we program the serial EEPROMs themselves on $300 PC-based programmers which are available -- as are the FPGAs and EEPROMs -- from Digikey, Allied, Newark, etc., to anyone with a credit card. Actually, in almost all of our designs, the FPGAs are programmed in-circuit by application software. If I were to design a hardware key cracker, it would almost certainly be a simple ISA-bus card containing a couple of big Xilinx FPGAs which would get programmed by a simple C program. [Funny thing -- there seems to be a lot of "theft" of satellite and cable programming by folks who know just enough to use a soldering iron, but haven't a clue about what really happens inside a set-top box. How do they manage it, if they don't have the tools to design or reverse-engineer a cable converter? Hmmm...] -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From stewarts at ix.netcom.com Sun Apr 14 04:25:58 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 14 Apr 1996 19:25:58 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604140704.AAA07829@toad.com> At 01:33 PM 4/12/96 -0500, Scott Brickner <sjb at universe.digex.net> wrote: >Actually, I expect configurations like yours to become more widespread >in the near future. There are a lot of cable-modem designs that >basically put an ethernet port on your cable box. This leads to the paradoxical situation where your cable TV company can deliver you motion picture images of sex and nudity on the TV channel, but it's highly illegal for them to send you the same material as data.... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From dave.hodgins at westonia.com Sun Apr 14 04:45:13 1996 From: dave.hodgins at westonia.com (DAVE HODGINS) Date: Sun, 14 Apr 1996 19:45:13 +0800 Subject: UNSUBSCRIVE In-Reply-To: <199604100656.IAA25040@ekeberg.sn.no> Message-ID: <8BEA0D9.000101558E.uuout@westonia.com> -----BEGIN PGP SIGNED MESSAGE----- KJ> Subject: Re: unsubscrive I didn't keep the article, but there was a fairly recent post to the risks digest that mentioned that someone somewhere has set up an automated address grabber/spoofer of subscribe messages for several high volume mailing lists. This assumption was based on the large number of subscribers being added to the list, who were then complaining that they had never asked to be added to the list. Since the cypherpunks list is a rather high volume list, it shouldn't be surprising that it may become a tool for annoying people unfamiliar with mailing lists. Regards, Dave Hodgins. P.S. To unsubscribe from the cypherpunks mailing list, send a message addressed to majordomo at toad.com with unsubscribe cypherpunks in the body of the message. the subject is ignored. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMXCrcIs+asmeZwNpAQGyxAf9Fa0DxbyWFQRpnX/l2qMEH0Z4emkKtlGb SrRd8aUEgl5U4TvKYE556iAZk1mkYC4Gmvah5RQqZl6j3kHOzvZIQ35YkJMS4c9f OCncSMS6gyRzu0gIiHk4WDi5/8YKz54QspQzqqOlgq4ZSNFfniPIVASq1U3MuUih Io3dJq8XDSlpaD1kIjwIU/OIC7J4zcjUkYO51J82Qzh+5KII3vKfKv7FezG0N4cv 9v+9VfewWQCxUHVmnpSzdz7boN+wYyzN2GJ+rb7bAmQSv2LEpUBm3QYZlNT0Qiju H0uzWrQjiEGiy70UM6vcLLD4Uq2TrG/prQKCVu11/5XfTZXnpfk4hg== =1h8k -----END PGP SIGNATURE----- --- � RM 1.31 0820 � Internet:Dave.Hodgins at Westonia.com Rime->1347 Fido 1:250/636 From unicorn at schloss.li Sun Apr 14 04:56:00 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 14 Apr 1996 19:56:00 +0800 Subject: [Yadda Yadda] Re: Any examples of mandatory content rating? In-Reply-To: <m0u8KCD-0008ycC@pacifier.com> Message-ID: <Pine.SUN.3.91.960414034824.5253F-100000@polaris.mindport.net> On Sat, 13 Apr 1996, jim bell wrote: > At 10:59 AM 4/13/96 -0400, Black Unicorn wrote: > >Still, governments are quite talented at making ratings schemes look > >voluntary when practically speaking they are not. > > You know, it's amazing how you fail to ask and answer obvious questions when > they arise! Why, exactly, should the government NEED to "make ratings > schemes look voluntary when practically speaking they are not"? (Snore) If you need me to explain this to you..... After all, > you would love to take the position that the government has this authority > anyway. Is it possible you're just afraid to admit that the government(s) > doesn't have this authority? You have no idea what my position is, so you have to invent it. Really you grow quite boring. This begins to fall into pattern behavior. > system would collapse. At that point, there will be no government "threat" > to regulate, because everybody will realize that the system is working just > fine without regulation. Everyone will see an unregulated Internet, and > nobody will see a powerful need to regulate it. If you bothered to read what I said, you would notice that you just repeated it nearly exactly. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From bdavis at thepoint.net Sun Apr 14 05:06:08 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 14 Apr 1996 20:06:08 +0800 Subject: "Contempt" charges likely to increase In-Reply-To: <199604060105.RAA20223@jobe.shell.portal.com> Message-ID: <Pine.BSF.3.91.960414032750.22727V-100000@mercury.thepoint.net> On Fri, 5 Apr 1996, Hal wrote: > I think Tim has hit the nail right on the head with this one. > > I have been quite appalled to read the various analyses on the net (URLs > not handy, but they have been posted here before I think) which conclude > that compelled disclosure of a cryptographic pass phrase would probably > be OK despite the Fifth Amendment. This seems to be an area where there > is widespread agreement based on recent precedent. > > In the past, when crypto was not widely used, the issue didn't really > come up very often. If a criminal chose to write incriminating > information diary or financial ledger, and it could be found in a > search, then it was used as evidence against him. At one time not even > this was accepted but it has been this way for many decades. > > But crypto, if it becomes widely and routinely used, raises the bizarre > spectacle of criminals commonly being forced to produce information > which will then be used against them! Imagine if they'd found a file by > OJ on his computer, encrypted, which he refused to decrypt. The judge > could actually jail him for contempt until he revealed the password. > This could become a routine occurance in many kinds of crimes which rely > on private records as evidence. > > Currently, I don't think the subpoena power is widely used in criminal > cases. Rather, the prosecution relies on search warrants and the element > of surprise to prevent the destruction of incriminating records. I think > there is recognition that in practice subpoenas would not be effective, > that the records would not be produced, even if contempt charges were the > result. Subpoenas *are* widely used in white collar criminal investigations. Despite what many of you no doubt believe, investigators and prosecutors generally opt for the least intrusive method of getting the information needed for the investigation. Certainly, third parties' records are generally subpoenaed rather than seized (absent some articulable reason to believe that the records will be altered or destroyed ...). Even companies under investigation are frequently served with subpoenas, not warrants, as they usually try to appear to be cooperative while deciding which underling to throw to the wolves. EBD > If so, then probably the tactic will not be that effective in forcing > people to reveal cryptographic keys. Maybe if the jails start filling up > with defendants who refuse to go along with such order, judges will > decide that effective secrecy of records is now the new status quo. The > law will then once again extend the Fifth Amendment privileges to > personal papers. > > Hal > Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From dan at dpcsys.com Sun Apr 14 05:16:42 1996 From: dan at dpcsys.com (Dan Busarow) Date: Sun, 14 Apr 1996 20:16:42 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <Pine.BSI.3.91.960413221855.7580A-100000@newton.forequest.com> Message-ID: <Pine.SV4.3.91.960414010416.20213C-100000@cedb> On Sat, 13 Apr 1996, Jeremey Barrett wrote: > crypt() is a hash function, and hence is not subject to export restriction. > (To my knowledge). SCO (and Novell, when it was selling Unix) both shipped libcrypt.a as a seperate product in their development systems. Only US and Canadian customers are allowed to buy the library. Programs statically compiled with libcrypt appear to be OK, but furineers can't have API access to this technology :) Dan -- Dan Busarow DPC Systems Dana Point, California From jeremey at forequest.com Sun Apr 14 05:18:00 1996 From: jeremey at forequest.com (Jeremey Barrett) Date: Sun, 14 Apr 1996 20:18:00 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <Pine.SV4.3.91.960414010416.20213C-100000@cedb> Message-ID: <Pine.BSI.3.91.960414014821.7867A-100000@newton.forequest.com> Did the library include other encryption functions, other than one-way functions? If so, I could see it being restricted. Linux, which is freely available anywhere, includes a DES-using crypt() one-way hash. But since a one-way hash function (implemented as a one way function) can't really be used for encrypted communication, I don't think it is subject to export restriction. On Sun, 14 Apr 1996, Dan Busarow wrote: > On Sat, 13 Apr 1996, Jeremey Barrett wrote: > > > crypt() is a hash function, and hence is not subject to export restriction. > > (To my knowledge). > > SCO (and Novell, when it was selling Unix) both shipped libcrypt.a as a > seperate product in their development systems. Only US and Canadian > customers are allowed to buy the library. Programs statically compiled > with libcrypt appear to be OK, but furineers can't have API access to > this technology :) > > Dan > -- > Dan Busarow > DPC Systems > Dana Point, California > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeremey Barrett Senior Software Engineer jeremey at forequest.com The ForeQuest Company http://www.forequest.com/ "less is more." -- Mies van de Rohe. Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gage, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." -- 'fortune` output From steve at edmweb.com Sun Apr 14 05:18:44 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 14 Apr 1996 20:18:44 +0800 Subject: Digital Ignorance (was Re: Protocols at the point of a gun) In-Reply-To: <199604140501.AAA00441@grendel.texas.net> Message-ID: <Pine.BSF.3.91.960413232250.19568B-100000@kirk.edmweb.com> SR> the best place for content filtering is at the application layer. > No, the best place for content filtering is in that grey lump > mounted between the shoulders of most humans. But that relys too much > on personal responsibility for the NetNannies to accept. Besides the > fact that most of the NetNannies don't seem to use that grey lump that > often. It *should* be at the "noodle layer", but I think it will be a lot more practical to install it at the application layer, unfortunately. :-/ [Note: What follows is a rant, but I think it's an important rant.] I think parents probably are expecting the internet to be a babysitter like they expect TV to be. A certain elected official (Exon?) tried to explain the net, and said it was "like a telephone"... <sigh> In a world where TV is about as high-tech as most people get, people don't even understand the potential of a single unlinked computer, nevermind the potential of the internet and crypto. Maybe the average person is trying to learn these things without learning the basics, and thus ends up clueless about everything... If people don't understand how text, programs, images, sound, video, and eventually ALL THINGS can be described as a series of ones and zeros, how can they understand the potential of the internet? It would be like trying to understand light bulbs without knowing what electricity is. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From perry at piermont.com Sun Apr 14 05:23:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 14 Apr 1996 20:23:19 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604140412.VAA24649@igc2.igc.apc.org> Message-ID: <199604140849.EAA05136@jekyll.piermont.com> Jerry Whiting writes: > One reason we chose to use Blowfish as the basis for carrick is that > it _is_ a new algorithm. One has to assume that the NSA et al. has > tools optimized to crack DES and possibly IDEA/RSA. At least let's > give them something else to sweat over. They won't sweat over it long. Blowfish was broken. > Like I said, we're aiming high. I believe you are having trouble distinguishing "up" from "down" while looking through your sights.... > So yes, if we're successful Blowfish should be taken more seriously. Why? Why exactly would it be hard to produce a crypto package based on any given algorithm? Its not exactly like Blowfish wasn't out and available already or anything. > Our marketing tag ("Encryption software so good, the Feds won't let > us export it.") They won't let you export DES and we know how good that is. Heck, they won't let you export 41 bit RC4 or better and we all know how good 41 bit RC4 would be. Perry From cmca at alpha.c2.org Sun Apr 14 05:55:53 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Sun, 14 Apr 1996 20:55:53 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <Pine.BSI.3.91.960413221855.7580A-100000@newton.forequest.com> Message-ID: <199604140937.CAA26892@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: Jeremey Barrett <jeremey at forequest.com>] [cc: cypherpunks at toad.com] [Subject: Re: Is crypt(1) a prohibited export? ] [In-reply-to: Your message of Sat, 13 Apr 96 22:21:14 MST.] <Pine.BSI.3.91.960413221855.7580A-100000 at newton.forequest.com> While not paying attention, Jeremey Barrett <jeremey at forequest.com> wrote: >crypt() is a hash function, and hence is not subject to export restriction. >(To my knowledge). crypt(3) is a library routine implementing a hash function. Crypt(1) is a general purpose cryptography program implementing an algorithm similar to an enigma rotor machine. My question stands. >On Wed, 10 Apr 1996, Chris McAuliffe wrote: >> Is crypt(1) a prohibited export from the US? I thought it was. The >> reason I ask is that it has come to my attention that HP ships that >> overseas too, with HP-UX versions 9 and 10... Chris McAuliffe <cmca at alpha.c2.org> (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMXDCjIHskC9sh/+lAQEZ6AQAik5whxKqkICtWaD48dZigxLpCg2LgKDS juRUVGL4bX1QvnBH9JPhnUDPB7k1y74pT3TBIUm6XD+AMMjxpH4Q6dF5iUiGWPYZ VDVpUT1R3qQ+Bn9siR7Y3xTShg1oeLLf7T7jQ1wG0/NSV/kd0UwB89XdbrOtH48x /9Z36ubniy4= =JQmB -----END PGP SIGNATURE----- From jeremey at forequest.com Sun Apr 14 06:06:38 1996 From: jeremey at forequest.com (Jeremey Barrett) Date: Sun, 14 Apr 1996 21:06:38 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <199604140937.CAA26892@eternity.c2.org> Message-ID: <Pine.BSI.3.91.960414025712.7867B-100000@newton.forequest.com> On Sun, 14 Apr 1996, Chris McAuliffe wrote: > While not paying attention, Jeremey Barrett <jeremey at forequest.com> wrote: > >crypt() is a hash function, and hence is not subject to export restriction. > >(To my knowledge). > > crypt(3) is a library routine implementing a hash function. Crypt(1) is > a general purpose cryptography program implementing an algorithm similar > to an enigma rotor machine. My question stands. > Ah. My mistake... the man page I have on crypt(1) says this: RESTRICTIONS This program is not available on software shipped outside the U.S. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Jeremey Barrett Senior Software Engineer jeremey at forequest.com The ForeQuest Company http://www.forequest.com/ "less is more." -- Mies van de Rohe. Ken Thompson has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gage, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." -- 'fortune` output From junger at pdj2-ra.F-REMOTE.CWRU.Edu Sun Apr 14 06:54:13 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Sun, 14 Apr 1996 21:54:13 +0800 Subject: US crypto laws? Need help! In-Reply-To: <v02140b18ad91143a0d5e@[13.202.222.150]> Message-ID: <m0u8PEd-0004L0C@pdj2-ra.F-REMOTE.CWRU.Edu> Jean Chouanard writes: : Hi! : : I was wondering if a foreigner like, with a valid work visa but not a : permanet green card, is allowed to use crypto in the state. : : If yes, is there any restriction? Depending on crypto methods? : : Thank a lot, Jean In the U.S. there is no restriction on such a foreigner using crypto, but it is supposedly a serious crime (ten years in jail and a million dollar fine maximum) for anyone to disclose cryptographic software to him or explain how it works. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From m5 at vail.tivoli.com Sun Apr 14 08:10:47 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Sun, 14 Apr 1996 23:10:47 +0800 Subject: Watch your language, Shabbir. In-Reply-To: <Pine.3.89.9604131930.D22882-0100000@tesla.cc.uottawa.ca> Message-ID: <3170F667.6EEA@vail.tivoli.com> s1113645 at tesla.cc.uottawa.ca wrote: > > Look, very carefully, at the last paragraph quoted above. Mr. Safdar > > says, "No reasonable person is objecting to the FBI's right to conduct > > a wiretap." > > That's right. Because no reasonable person thinks they can convince Congress > or the Supremes otherwise. It isn't impossible, but energies are best spent > elsewhere, like getting the Burns bill passed. The choice of words was exceedlingly poor if that's what he really meant. Though I agree that it's unlikely any LEA will give up capabilities it's grown to imagine is has a "right" to have, I haven't stopped objecting. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From cpunk at remail.ecafe.org Sun Apr 14 09:08:08 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Mon, 15 Apr 1996 00:08:08 +0800 Subject: Enemies R Us Message-ID: <199604141330.OAA00385@pangaea.hypereality.co.uk> New York Times, 14 April 1996 Private Groups Lead Charge in War on Far Right By Michael Janofsky Washington. In the year since the worst terrorist act on American soil, the bombing of a Federal building in Oklahoma City that killed 168 people, the number of right-wing groups harboring anti-government sentiments has been estimated at mnre than 800, by some counts, and they now operate in every state. These are organized groups of militias, white supremacists, neo-Nazis- skinheads, survivalists and constitutionalists who are connected to each other with increasing frequency by the Internet, fax machines and a shared belief in Christian Identity, a renegade religious concept that. proclaims whites to be God's chosen people, Jews to be descendants of Satan and blacks to be subhuman. At the same time, however, as Federal agencies proceed with traditional means of intelligence gathering (as in the Unabomber case), and Congress ponders a new anti-terrorism bill (stalled by the gun lobby and civil libertarians), efforts to fight domestic terrorism are being supplemented more than ever by private human rights organizations that track the fringe right with their own networks. They willingly share information with law enforcement agencies, branches of the military and reporters. Federal law enforcement agencies, which were heavily criticized for their actions in fatal controntations in Ruby Ridge, Idaho, and Waco, Tex., appear to be trying a new, more patient approach in waiting for a peaceful solution to the current standoff with the anti-government group called the Freemen in eastern Montana. They have been criticized this time, largely by neighbors of the Freeman and local officials, for waiting so long to get involved, and for waiting at all. Undercover Work Most of the human rights organizations were actively campaigning against racism and anti-Semitism long before the Oklahoma City bombing on April 19, 1995 and the arrest of two suspects with links to militia groups. And with many of the right-wing groups now hiding racist views beyond a more acceptable veneer of anti-government oratory, the human rights groups say the need to collect information has become that much more critical. At least two of them -- the Southern Poverty Law Center in Montgomery, Ala., and the Simon Wiesenthal Center in Los Angeles -- use undercover operatives. Both organizations had spies attend a convention last weekend in Lake Tahoe that attracted hundreds of Christian Identity followers to hear a speech by Randy Weaver, the white separatist whose wife and son were killed three years ago in a siege by Federal agents in Ruby Ridge. The Southern Poverty Law Center has computer files of more than 12,000 people identified as members of a far-right group. The Wiesenthal Center operates an extensive electronic tracking station, where researchers monitor television, cable and radio shows all over the world for racist and anti-Semitic content. When the Army recently conducted an internal investigation to learn how many soldiers were involved with skinhead groups, senior officers at the Pentagon twice conferred with Wiesenthal Center officials, and when Patrick J. Buchanan was running for the Republican Presidential nomination, they produced names of Buchanan supporters who once worked for David Duke, a former Ku Klux Klan member, or had affiliation with the National Association for the Advancement of White People. Law enforcement agencies have credited the human rights groups with helping the public become more aware of the beliefs, factions and heroes of the far-right fringe. The human rights groups see their efforts as a necessary antidote to the sympathetic treatment of far-right groups on conservative talk radio programs, and to the reluctance of some conservative politicians to criticize the extremists. But the work may have also produced some unintended consequences. Writing in The Jubilee, a publication of the Christian Identity movement, a former militia leader from Alabama, Jeff Randall, said the drumbeat of concern over domestic terrorism has served as a welcome recruiting device for militias and other right-wing groups. "Throughout all this," he wrote, "the militias became stronger and better organized. "Many people are wondering if the militia movement is still alive and well," he added. "The answer to that question is a resounding 'yes.' " ----- Full page ad: "False Patriots: The Threat of Antigovernment Extremists" Fast-Growing "Patriot" Movement Poses Danger of Domestic Terrorism Early Warnings In October 1994, Morris Dees warned Attorney General Reno that white supremacists were infiltrating the "Patriot" militia movement. He called the development "a recipe for disaster." Six months later, a powerful bomb destroyed a federal building in Oklahoma City, killing 168 people. The country soon learned that Tim McVeigh, the prime suspect in the attack, had neo-Nazi ties and connections to the "Patriot" network, the combination that Dees had seen as so explosive before the bombing. Now, Dees and his colleagues at the Southern Poverty Law Center have again warned the Attorney General about the danger posed by the antigovernment "Patriot" movement. In an April 9, 1996 letter, Dees urged Reno to take concrete steps to counter the threat of further domestic terrorism. He also provided her with a copy of *False Patriots*, the Center's new report on the "Patriot" movement. This 72-page expose is the culmination of a Center investigation into the "Patriot" movement conducted since the Oklahoma City bombing. United By Hate The "Patriot" movement encompasses numerous elements of the American right, from certain Christian fundamentalists to the Ku Klux Klan. It includes tax protesters, survivalists and neo-Nazis, as well as radical anti-environmentalists and gun enthusiasts. The tie that binds those in the movement, estimated by some at five million strong, is a virulent hatred of the federal government. This hatred has been fueled in recent years by the passage of gun control legislation, the deaths of Randy Weaver's wife and son at the hands of federal agents on Ruby Ridge in Idaho, and the disastrous federal assault on the Branch Davidian compound in Waco. The False Patriots report reveals the people behind the "Patriot" movement, people like Louis Beam, a key Aryan Nations leader, and Pete Peters, a pastor of the bizarre Christian Identity faith. It identifies over 800 antigovernment "Patriot" organizations, including 441 unauthorized militia groups. It describes how "Patriot" paramilitary units are preparing for war with the federal government. It offers an inside look at guerrilla literature and the tools of terrorism. It documents crimes linked to the "Patriot" movement, including plots to blow up other federal buildings. It demonstrates that the "Patriot" movement poses "a clear and present danger" to the nation. Expect More Bombs Immediately after the Oklahoma City disaster, a spokesperson for the Militia of Montana predicted more antigovernment violence. "Patriot" groups flooded the underground book market and the Internet with manuals on bomb-making, railroad sabotage and the production of deadly chemicals. "Patriot" leaders openly suggested the need to kill government officials. Since the Oklahoma City tragedy, numerous "Patriot" terrorist plots have been discovered, including plans to poison federal employees in Minnesota and conspiracies to blow up a federal courthouse in Spokane and an IRS building in Reno. An AmTrak train was derailed by a group calling itself "Sons of the Gestapo." Over ten tons of explosives have been stolen from various locations around the country in the past year. Authorities suspect a large quantity has made its way into the "Patriot" movement. In December, a survivalist was arrested in the Ozark Mountains of Arkansas and charged with terrorism. He had produced 130 grams of the deadly poison ricin, enough to kill thousands. Secret Cells Formed >From California to Florida, "Patriots" are forming cells of five to ten men skilled in explosives, sniper fire, sabotage and terrorism. These secret cells operate without a chain of command to avoid compromising the larger movement. One cell recently uncovered in Idaho is financed by a wealthy businessman. These cells, like the one McVeigh is suspected of forming, are difficult to monitor and can strike when least expected. ____________________________________________________________ What You Can Do To Help Stop Domestic Terrorism You can take a number of steps to fight against domestic terrorists. + Contact your state attorney general's office Find out if your state has anti-militia and anti-paramilitary training statutes. If the answer is "Yes," insist that the laws be enforced. If "No," urge the attorney general's office to work for passage of such laws. + Support federal legislation to outlaw militia groups that are not authorized by state law These groups operate as a springboard for dangerous antigovernment activity. + Learn about the "Patriot" movement and share your knowledge with others The "Patriot" movement thrives on secrecy and citizen apathy. The *False Patriots* report offers the most complete way for concerned individuals to learn the full story of the "Patriot" movement. It was created by the Militia Task Force, a project of the Southern Poverty Law Center, and is available to those who support the Center's work with a tax-decutible gift of $15 or more. The Militia Task Force is leading the fight to expose the "Patriot" movement and protect those injured in hate crimes. The Center's Militia Task Force and its Klanwatch Project monitor "Patriot" groups, especially those with racist ties. Computerized investigative files contain over 11,000 photos and videos as well as data on 3,200 groups, 14,000 individuals and over 61,000 incidents. A quarterly "Intelligence Report" is provided free to law enforcement agencies and the media. This work has not been done without costs. In 1983, the Center's Montgomery, Alabama, offices were burned by the Klan. Its lawyers have received serious death threats. Just this past November, three members of the Oklahoma Constituional Militia were arrested in a plot to bomb the Center's offices. ____________________________________________________________ Support the Center and its Militia Task Force and Recieve *False Patriots* Militia Task Force A Project of the Southern Poverty Law Center 400 Washington Avenue, Montgomery, AL 36104 Yes, send me a copy of the 72-page *False Patriots*. Enclosed is my tax-deductible gist to help expose the "Patriot" movement and protect innocent people from hate crimes and injustice [ ]$15 [ ]$25 [ ]$50 [ ]$100 [ ]Other $_____________ Name _______________________________________________________ Address ____________________________________________________ City ____________________________ State _____ Zip __________ ____________________________________________________________ A copy of the latest official registration statement and financial report filed by the Souther Poverty Law Center may be obtained by contacting Office of Charities Registration, 162 Washington Avenue, Albany, NY 12231. Y9604NYT From sinclai at ecf.toronto.edu Sun Apr 14 09:21:22 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Mon, 15 Apr 1996 00:21:22 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604140849.EAA05136@jekyll.piermont.com> Message-ID: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu> > Jerry Whiting writes: > > One reason we chose to use Blowfish as the basis for carrick is that > > it _is_ a new algorithm. One has to assume that the NSA et al. has > > tools optimized to crack DES and possibly IDEA/RSA. At least let's > > give them something else to sweat over. > > They won't sweat over it long. Blowfish was broken. Yikes! Are you sure? This is the first I've heard of it. This would mean that PGPPhone is not secure. From apb at iafrica.com Sun Apr 14 09:36:40 1996 From: apb at iafrica.com (Alan Barrett) Date: Mon, 15 Apr 1996 00:36:40 +0800 Subject: [NOISE] Re: unsubscrive - Let's make a special list for these people! In-Reply-To: <Pine.BSF.3.91.960409210739.10189A-100000@kirk.edmweb.com> Message-ID: <Pine.NEB.3.91.960414155245.20353J-100000@apb.iafrica.com> > I have an idea.... > > Create a special "unsubscrive mailing list". It used to exist a few years ago. It was called the "Clueless Users Mailing List". The idea was that somebody annoyed by a clueless user's sending subscribe or unsubscribe messages to a list would subscribe the clueless user to the clueless users' mailing list, where the clueless users would all get each other's "help" and "get me out" and "unsubscrive" messages, but would not get any help from clueful folk, until they figured out how to use the appropriate "-request" address. --apb (Alan Barrett) From perry at piermont.com Sun Apr 14 09:44:13 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 00:44:13 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu> Message-ID: <199604141422.KAA05302@jekyll.piermont.com> SINCLAIR DOUGLAS N writes: > > Jerry Whiting writes: > > > One reason we chose to use Blowfish as the basis for carrick is that > > > it _is_ a new algorithm. One has to assume that the NSA et al. has > > > tools optimized to crack DES and possibly IDEA/RSA. At least let's > > > give them something else to sweat over. > > > > They won't sweat over it long. Blowfish was broken. > > Yikes! Are you sure? At least partially broken, yes. I've forgotten the details. I believe they were discussed at Eurocrypt. It may be that with the full number of rounds that no one yet has a cryptanalysis but I don't recall and it doesn't particularly matter from my perspective. > This is the first I've heard of it. This would mean > that PGPPhone is not secure. I was unaware that PGPPhone used Blowfish, but if it does that was a stupid idea in the first place. Perry From dan at dpcsys.com Sun Apr 14 09:58:50 1996 From: dan at dpcsys.com (Dan Busarow) Date: Mon, 15 Apr 1996 00:58:50 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <Pine.BSI.3.91.960414014821.7867A-100000@newton.forequest.com> Message-ID: <Pine.SV4.3.91.960414073239.21515A-100000@cedb> On Sun, 14 Apr 1996, Jeremey Barrett wrote: > Did the library include other encryption functions, other than one-way > functions? The library includes the functions encrypt(3) and des_encrypt(3). In the US-Only version of the library each of these functions accepts a flag value of 1 to indicate de-cryption, the export version ignores the flag, decryption is disabled. > On Sun, 14 Apr 1996, Dan Busarow wrote: > > seperate product in their development systems. Only US and Canadian > > customers are allowed to buy the library. I should have said only US and Canadian customers can purchase the uncrippled version of the library. Dan -- Dan Busarow DPC Systems Dana Point, California From s1113645 at tesla.cc.uottawa.ca Sun Apr 14 10:38:51 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 15 Apr 1996 01:38:51 +0800 Subject: [long rant] Re: Watch your language, Shabbir. In-Reply-To: <3170F667.6EEA@vail.tivoli.com> Message-ID: <Pine.3.89.9604141047.B18706-0100000@tesla.cc.uottawa.ca> I promise myself to go back to lurking mode after this. On Sun, 14 Apr 1996, Mike McNally wrote: > The choice of words was exceedlingly poor if that's what he really meant. > Though I agree that it's unlikely any LEA will give up capabilities it's > grown to imagine is has a "right" to have, I haven't stopped objecting. None of us have stopped objecting, except that now we have methods of preventing it on our own. One must remember that while the basic uses of crypto are not only reasonable and even essential in some cases, the full application leads to some very objectionable extremes (regulatory arbitrage, full anon digicash, easier drug sales, gutting of income taxes...). Now being one of those people who enthusiastically supports those extremes, I have to ask myself, how will we get there with the least interference? Now for one thing I wouldn't go around repeating the indignant "unconstitutional US government" threads on oh let's say talk.politics.libertarian (or .crypto) to the faces of legislators and the media. One doesn't get the ITAR repealled by telling congress that child porn and mafia conversations will become impossible to police and that the first amendment lets us shout "fire" in a theatre (though I think it does). I would leave all the carping and "four horsemen"ing to Louis Freeh. That makes him sound unreasonable. "Sounding" reasonable may be the best way for our crowd to keep legal the tools that will help us do "unreasonable" (though not from our perspective) things. So as long as Shabbir & co insert statements supportive of crypto deregulation, I really don't care what the rest of their speeches say, the rest is only packaging. (Though one must determine what's the packaging and what's the content.) (And if I were in his shoes, I probably wouldn't be saying anything different. I may be an anarchist, but I call myself a free-marketeer. Same thing but not the same-sounding thing, get it? Politics is unfortunately very backwards. As long as the civil lib'ers tow enough of our party line and get the job done, I'm happy with 'em.) I leave the judgement call up to you, Mike. From hfinney at shell.portal.com Sun Apr 14 11:16:28 1996 From: hfinney at shell.portal.com (Hal) Date: Mon, 15 Apr 1996 02:16:28 +0800 Subject: carrick, Blowfish & the NSA Message-ID: <199604141545.IAA02699@jobe.shell.portal.com> Blowfish has not been broken in my opinion. I wonder if Perry is thinking of MacGuffin, the block cipher by Schneier and Matt Blaze based on an asymmetrical Feistel network. It was broken, and I think it was at Eurocrypt. Here is a message from sci.crypt a month ago where Bruce discusses the status of Blowfish. A weak key attack is known against a weakened version, but I think the weak keys are rare. > From: schneier at parka.winternet.com (Bruce Schneier) > Date: 1996/03/14 > MessageID: 4i907g$9lj at blackice.winternet.com#1/1 > > The most successful attack against Blowfish to date has been against the > weak keys (two identical entries in an S-box). These can be detected in > a 12-round variant, but not in the full 16 rounds. I still believe that > random S-boxes are better than chosen ones, and think that more rounds > is better than fewer rounds with better S-boxes. There are a few > things I would do differently if I was to write the algorithm from scratch > right now, but on the whole I am still pleased with the results. > > Bruce Hal From jimbell at pacifier.com Sun Apr 14 11:40:48 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Apr 1996 02:40:48 +0800 Subject: Watch your language, Shabbir. Message-ID: <m0u8UBq-0008z1C@pacifier.com> At 07:58 AM 4/14/96 -0500, Mike McNally wrote: >s1113645 at tesla.cc.uottawa.ca wrote: >> > Look, very carefully, at the last paragraph quoted above. Mr. Safdar >> > says, "No reasonable person is objecting to the FBI's right to conduct >> > a wiretap." >> >> That's right. Because no reasonable person thinks they can convince Congress >> or the Supremes otherwise. It isn't impossible, but energies are best spent >> elsewhere, like getting the Burns bill passed. > >The choice of words was exceedlingly poor if that's what he really meant. >Though I agree that it's unlikely any LEA will give up capabilities it's >grown to imagine is has a "right" to have, I haven't stopped objecting. > Exactly! I think the issue is important enough so that we really ought to develop new wording, something that far more accurately reflects the bulk of our opinion towards wiretapping. For years, I've looked at it this way: Before the telephone era, "all" search warrants were probably issued for a specific address, and had to be served for a limited time period, a few hours or less. The owners of the location being searched were aware, at the time the search was going on, that the search was occuring. Moreover, once that search ended it was no more and those searched were aware of it. Unlike this, and quite unlike any warrants which preceded it, wiretaps: 1. Take an almost unlimited time period, compared to a 1-hour search. (Yes, they do come to an end, but...) 2. The users of the telephone line are not informed, while the search (wiretap) is being done. 3. To my knowledge, albeit limited, targets of wiretaps are NOT informed, subsequent to the tap, that they have been wiretapped. Therefore they are denied the opportunity to complain, even after the fact. I see no legal reason why wiretaps should have the "features" listed above. There is a certain practical reason they can: Due to the nature of wiretapping, it is not physically necessary to show up to do the tap, or tell those targeted, or tell them after the tap has been disconnected. However, it seems very unlikely that the mere fact that an invention allows a kind of search that was possible before, should automatically change the interpretation of the Constitution to allow that search. If a new invention allowed the cops to walk through walls untraceably, would that automatically mean that the normal protections that search warrants are supposed to provide are no longer valid? I don't think so! Jim Bell jimbell at pacifier.com From dbender at cupidnet.com Sun Apr 14 11:52:33 1996 From: dbender at cupidnet.com (Daniel Bender) Date: Mon, 15 Apr 1996 02:52:33 +0800 Subject: Anybody know of a WinNT Remailer? Message-ID: <199604141641.MAA05719@junior.wariat.org> I'm not sure if this is really the right place to ask this, but... Does anyone know of a remailer that will work on Windows NT??? Dan From grafolog at netcom.com Sun Apr 14 11:52:54 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 15 Apr 1996 02:52:54 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? In-Reply-To: <Pine.SUN.3.91.960413211541.9295G-100000@polaris.mindport.net> Message-ID: <Pine.3.89.9604141600.A8552-0100000@netcom15> On Sat, 13 Apr 1996, Black Unicorn wrote: > And like any ratings system, it relies on the raters subjective > judgement. Not a very market stable or market wise system. Tell me who Since somebody else brought up SurfWatch, remember that it was SurfWatch that declared whitehouse.org to be off-limits for obscene content. A mistake on their part --- or at least that is their claim. << This was just before CDA passed, btw. >> << I personally thought it was a great way to demonstrate the absurdity of CDA. >> xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * *********************************************************************** From jwhiting at igc.apc.org Sun Apr 14 12:12:07 1996 From: jwhiting at igc.apc.org (Jerry Whiting) Date: Mon, 15 Apr 1996 03:12:07 +0800 Subject: Blowfish ain't broken Message-ID: <199604141628.JAA17215@igc2.igc.apc.org> > Jerry Whiting writes: > > One reason we chose to use Blowfish as the basis for carrick is that > > it _is_ a new algorithm. One has to assume that the NSA et al. has > > tools optimized to crack DES and possibly IDEA/RSA. At least let's > > give them something else to sweat over. > > Perry writes: > They won't sweat over it long. Blowfish was broken. My understanding is that Blowfish using only 3 rounds, not the full 16, has been broken. And yes, duplicate entries in an S-box are weak keys. carrick uses the full 16 rounds and we check for weak keys. I'll sleep at night. Jerry Whiting From medea at alpha.c2.org Sun Apr 14 12:21:43 1996 From: medea at alpha.c2.org (Medea) Date: Mon, 15 Apr 1996 03:21:43 +0800 Subject: washington post notices archives Message-ID: <199604141637.JAA04623@eternity.c2.org> Andrew K. Bressen wrote: >we here at HKS.net have today received a cease and desist >letter from the washington post regarding editorial copy >of theirs that was evidently posted to c'punks and then >abosrbed into our c'punk archives. IMO, if you didn't remove the material from your archives, the Washington Post wouldn't be able to press the issue any further. Email posted to a listserv enters into and becomes the possession of the public domain. If they ran a search looking for their material, then obviously credit was appropriately given to the quote. The Unabomber's Manifesto was posted on the Net. Since the Post published it in its entirety, then they have a right to tell me to remove it if I had downloaded it? Personally, I think the letter is full of the stuff one would step into out on the range where the deer and the antelope play. Medea ============================================================ +++++++++++++++++++++++++++++++++++++++++++++++++++ + |---------------------------------------------| + + | The mind is its own place, and of itself | + + | Can make a heaven of hell, a hell of heaven | + + |---------------------------------------------| + +++++++++++++++++++++++++++++++++++++++++++++++++++ From tien at well.com Sun Apr 14 13:15:23 1996 From: tien at well.com (Lee Tien) Date: Mon, 15 Apr 1996 04:15:23 +0800 Subject: math patents Message-ID: <199604141700.KAA26641@mh1.well.com> In reply to the message excerpted below: I believe Jim's not looked back far enough. My recollection from law school is that the law was friendly to math patents in the period before the Supreme Court weighed in. There were some PTO denials, which courts reversed (I think the Court of Claims heard these back then). So I think the trend was toward patenting processes even if mathematical until Gottschalk v. Benson. It's a conceptually messy area because "processes" have long been patentable (like the Morse telegraphy/Bell telephony patents) but the Supreme Court saw the Benson application as violating the doctrine against patenting "laws of nature." Lee From: jim bell <jimbell at pacifier.com> Date: Sat, 06 Apr 1996 14:52:12 -0800 Subject: Re: So, what crypto legislation (if any) is necessary? At 01:07 PM 4/6/96 -0500, Black Unicorn wrote: >> I contend that had he talked to Phillip Zimmermann in 1990 or so, he would >> have told Zimmermann that "It's illegal to write an encryption program using >> RSA, because it's patented! You'll never get away with it!" > >I would have indicated that "you're going to face the prospect of >intellectual property litigation, and that can get nasty in the extreme." One thing I've never heard is an explanation of how computer software and especially mathematics went from "extremely not patentable" in the early and middle 1970's, to "patentable" once Messr's Rivest, Shamir, and Adleman invented a piece of mathematics that the government wanted to deny to the public. How convenient. From s1113645 at tesla.cc.uottawa.ca Sun Apr 14 13:29:52 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 15 Apr 1996 04:29:52 +0800 Subject: [increasingly irrelevant] Re: Watch your language... In-Reply-To: <m0u8UBq-0008z1C@pacifier.com> Message-ID: <Pine.3.89.9604141344.A21471-0100000@tesla.cc.uottawa.ca> Enough of this thread. On Sun, 14 Apr 1996, jim bell wrote: > Exactly! I think the issue is important enough so that we really ought to > develop new wording, something that far more accurately reflects the bulk of our > opinion towards wiretapping. The quote should be taken in context. If you look at the whole thing (it's still at www.vtw.org) he was talking about a corrupt cop who had killed a mother of three while he was being wiretapped by the FBI. The wiretap did nothing to save her. He continues in the same sentence as the one we're disputing, to question the effectiveness and utility of wiretaps in light of this and does so throughout the rest of the text. Come on, Jim, no offense meant, but there's criticizing and then there's nitpicking. One half of one sentence does not sell out the whole argument, no matter how it's worded. We're not in court, let's not waste our time on semantics. Cheers. From markm at voicenet.com Sun Apr 14 13:34:45 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 15 Apr 1996 04:34:45 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604141422.KAA05302@jekyll.piermont.com> Message-ID: <Pine.LNX.3.92.960414121820.358A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Sun, 14 Apr 1996, Perry E. Metzger wrote: > At least partially broken, yes. I've forgotten the details. I believe > they were discussed at Eurocrypt. It may be that with the full number > of rounds that no one yet has a cryptanalysis but I don't recall and > it doesn't particularly matter from my perspective. I haven't heard of any efficient cryptanalysis against Blowfish. I know there are weak keys, but they are difficult to exploit. 16 round Blowfish can be broken using differential cryptanalysis with 2^128+1 chosen plaintexts. > > > This is the first I've heard of it. This would mean > > that PGPPhone is not secure. > > I was unaware that PGPPhone used Blowfish, but if it does that was a > stupid idea in the first place. Blowfish is unpatented, free for commercial use, and very fast so I don't see how the use of Blowfish could be considered stupid. IDEA and triple-DES may be more secure, but I think that they are too slow for voice communication. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMXEmo7Zc+sv5siulAQFNugP/eajuzeBDrGi5LfQy5IYANVzYnt/FRQYF egUkJuWtkxI8ff/CzS9dKxOW95c8SuvYyis9D8NfwAcPesKI/YQp734l/v+NYH4V G7AZvzdLEKpDWVzo524o326o4ufXV7ycysLNq4yrkPJ5LJyLdm5A3z/0IYeoXStK 2HWAf22Iksc= =cwEh -----END PGP SIGNATURE----- From s1113645 at tesla.cc.uottawa.ca Sun Apr 14 13:58:50 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 15 Apr 1996 04:58:50 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu> Message-ID: <Pine.3.89.9604141322.A21250-0100000@tesla.cc.uottawa.ca> On Sun, 14 Apr 1996, SINCLAIR DOUGLAS N wrote: > > They won't sweat over it long. Blowfish was broken. > > Yikes! Are you sure? This is the first I've heard of it. This would mean > that PGPPhone is not secure. > If it's the one that's in applied crypto 2 (p.339) and ddj, then it's only a partial crack on a low number of rounds (according to AC2). Schneier still thought it was secure at the time of the publishing of AC2, but then he may be biased. (and since this is crypto why not be paranoid, eh?) � Besides, doesn't PGPfone give you a choice of algorithms? (including IDEA?) I haven't gotten it yet, no sound card. Perry, you've mentioned this before, was this the same crack that's in the book or something newer? (paper references?) (I just caught your reply to Sinclair after writing this. In any case Schneier lists the diff. cryptanalysis of blowfish paper as unpublished.) From s1113645 at tesla.cc.uottawa.ca Sun Apr 14 14:05:27 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 15 Apr 1996 05:05:27 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604140849.EAA05136@jekyll.piermont.com> Message-ID: <Pine.3.89.9604141414.B21250-0100000@tesla.cc.uottawa.ca> Jerry Whiting writes: > One reason we chose to use Blowfish as the basis for carrick is that > it _is_ a new algorithm. One has to assume that the NSA et al. has > tools optimized to crack DES and possibly IDEA/RSA. At least let's > give them something else to sweat over. Algorithms die. If you want to publish and implement an API that will last, try to improve on of the many multi-algorithm specs that are already out there. If the next round of research kills one particular algorithm, your work will then still not be wasted. (Apologies for writing something so obvious and general.) From thecrow at iconn.net Sun Apr 14 14:07:35 1996 From: thecrow at iconn.net (Jack Mott) Date: Mon, 15 Apr 1996 05:07:35 +0800 Subject: key bit lengths Message-ID: <31713CED.42E2@iconn.net> In Applied Crypto, it talks about thermodynamic limitations of brute force attacks. I did some calculations and it looks like it will take, given a perfectly effecient computer, the combined energy of 509,485,193 average supernovas to brute force a 256 bit key. I was just wondering if there are any theoretical ways around this. I am just talking about plain brute force here, not attacking other weaknesses. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From alano at teleport.com Sun Apr 14 14:09:26 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 15 Apr 1996 05:09:26 +0800 Subject: Blowfish ain't broken Message-ID: <2.2.32.19960414181603.00a9f404@mail.teleport.com> At 09:28 AM 4/14/96 -0700, Jerry Whiting wrote: >> Perry writes: >> They won't sweat over it long. Blowfish was broken. > >My understanding is that Blowfish using only 3 rounds, not the full 16, has been >broken. And yes, duplicate entries in an S-box are weak keys. > >carrick uses the full 16 rounds and we check for weak keys. I thought there was a variant of Blowfish that fixed the problems that had been found with the algorythm. I believe it was called "Blowfish-SK". (I need to check my archives for further details.) Are you using the original Blowfish or the improved version? --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jya at pipeline.com Sun Apr 14 14:17:10 1996 From: jya at pipeline.com (John Young) Date: Mon, 15 Apr 1996 05:17:10 +0800 Subject: NOS_tal Message-ID: <199604141822.OAA19475@pipe1.nyc.pipeline.com> 4-14-96. TP: "Was McCarthy Right About the Left?" Citing the Venona program decryption "revelations," Nicholas von Hoffman polemicizes about the consequences of the left's refusal to face that McCarthy may have been more truthful about communist infiltration of the USG than he knew. Von Hoffman recounts the high points of the 50-year history of left dissimulation and avenges the right with a nostalgic nukem dead red-under-bedder: As yet unexplored is the possibility that certain features in the political culture of the American left are hand-me-downs from this period. The "elitism" and didacticism that so gall its opponents may be a morphed version of the communist doctrine of vanguard leadership. The liberal penchant for government gigantism, complex bureaucracy and central planning may also have taken root in the liberal admiration of the Soviet system in the 1930s. NOS_tal From olbon at dynetics.com Sun Apr 14 15:23:32 1996 From: olbon at dynetics.com (Clay Olbon II) Date: Mon, 15 Apr 1996 06:23:32 +0800 Subject: [NOISE] Consolidation of threads ... Message-ID: <v01540b0cad96f6491958@[193.239.225.200]> OK, I have a proposal that consolidates two threads that have been discussed recently. How about proposing legislation that mandates that a byte is now 9 bits instead of 8. This would allow the ninth bit to be the decent/indecent bit, thereby solving all of our problems. Clay --------------------------------------------------------------------------- Clay Olbon II | Clay.Olbon at dynetics.com Systems Engineer | ph: (810) 589-9930 fax 9934 Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html 550 Stephenson Hwy | PGP262 public key: on web page Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 TANSTAAFL --------------------------------------------------------------------------- From markm at voicenet.com Sun Apr 14 15:36:40 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 15 Apr 1996 06:36:40 +0800 Subject: key bit lengths In-Reply-To: <31713CED.42E2@iconn.net> Message-ID: <Pine.LNX.3.92.960414141633.893A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Sun, 14 Apr 1996, Jack Mott wrote: > In Applied Crypto, it talks about thermodynamic limitations of brute > force attacks. I did some calculations and it looks like it will take, > given a perfectly effecient computer, the combined energy of 509,485,193 > average supernovas to brute force a 256 bit key. I was just wondering if > there are any theoretical ways around this. I am just talking about > plain brute force here, not attacking other weaknesses. I doubt it. This calculation is based on the minimum amount of energy needed to invert a bit. The amount of energy is a function of the temperature, so a brute force attack might take much less energy several billion years hence, since the universe will cooled off more. There only way for there to be any way around this, is if a way was found to lower the termperature to near absolute zero consuming a very little amount of energy, or if some way was found to invert a bit using less energy than is currently believed (very doubtfull). Of course, if P=NP, then brute-force attacks will be pointless. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMXFCPbZc+sv5siulAQF2jAP9GgSk+YqNjcnyThzs6ow1Ecyp60iK0kiE Y9RMqLtdwpMv2Jx10KigDsyOvQrM0+W/RJ3Q2Zka+VF4aBT82z5NcbUvzEG4Y1iT t12PZF8rhFgxNB+jNOOCxS0BYRcFAC3epZ050+gRdtOenLLNsczyrXJN+fMyaTAf gnCis3s1n1o= =Rvcm -----END PGP SIGNATURE----- From perry at piermont.com Sun Apr 14 15:52:32 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 06:52:32 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <Pine.3.89.9604141322.A21250-0100000@tesla.cc.uottawa.ca> Message-ID: <199604142002.QAA05493@jekyll.piermont.com> s1113645 at tesla.cc.uottawa.ca writes: > If it's the one that's in applied crypto 2 (p.339) and ddj, then it's only > partial crack on a low number of rounds (according to AC2). Schneier still > thought it was secure at the time of the publishing of AC2, but then he > may be biased. (and since this is crypto why not be paranoid, eh?) Its only the partial crack, from what I know. It still makes me nervous, and besides there are very good cryptosystems like 3DES that are available and well studied. .pm From perry at piermont.com Sun Apr 14 16:00:23 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 07:00:23 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <Pine.LNX.3.92.960414121820.358A-100000@gak> Message-ID: <199604141933.PAA05457@jekyll.piermont.com> "Mark M." writes: > > I was unaware that PGPPhone used Blowfish, but if it does that was a > > stupid idea in the first place. > > Blowfish is unpatented, free for commercial use, and very fast so I don't see > how the use of Blowfish could be considered stupid. IDEA and triple-DES may > be more secure, but I think that they are too slow for voice communication. Huh? Voice communication is typically under 20kbps. Using Phil Karn's latest code, a pentium can do about 10Mbps for single DES, and presumably about 3Mbps for 3DES. Thats orders of magnitude larger than you need. 3DES is unencumbered. Perry From jf_avon at citenet.net Sun Apr 14 16:40:29 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 15 Apr 1996 07:40:29 +0800 Subject: Infrared photography Message-ID: <9604142026.AA16940@cti02.citenet.net> >No, Clay, I did not say that the flesh RADIATED near IR. (it does, but only >a very tiny amount.) The identification system I describe would probably >use 940 nm IRLEDs to illuminate the face, and a silicon CCD detector to pick >up the images. Or it would use ambient near-IR, perhaps from the sun or a >tungsten filament or fluorescent lighting, along with an IR filter to ensure >that the CCD camera picked up only the IR bands of interest. It would be >easy to check out the results: Put such an IR-passing filter in front of a >CCD-based camcorder, and take a picture of somebody. > >Incidentally, this simplicity shows the flaw in using this kind of system as >an identifier: Since people's faces are usually visible, and can be >photographed in the near-IR surreptitiously, it isn't clear how to prevent >faking a face which appears to have the same IR signature and pattern. I remember in a booklet from Kodak on their Ektachrome IR film, there was a picture of a forearm where all the veins were made clearly visible. This film is near infrared (if I remember, the red color on the film corresponds to around 1100 nm). Veins and artery identification might be possible, maybe, since fingerprint identification is possible. A friend of mine developped a quite functionnal algorithm doing just that in the late eighties. OTOH, the blood vessels patterns are probably much more constant, from individual to individual, than fingerprints. Just correct me if I am wrong. JFA PGP 2048 bits key at: http://w3.citenet.net/users/jf_avon ID:C58ADD0D 52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 Unsollicited commercial e-mail will be proofread at US165 $/h Any sender of such material will be considered as to have ac- cepted the above mentionned terms. From dlv at bwalk.dm.com Sun Apr 14 16:50:55 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 15 Apr 1996 07:50:55 +0800 Subject: [NOISE] Consolidation of threads ... In-Reply-To: <v01540b0cad96f6491958@[193.239.225.200]> Message-ID: <wa7DmD88w165w@bwalk.dm.com> olbon at dynetics.com (Clay Olbon II) writes: > OK, I have a proposal that consolidates two threads that have been > discussed recently. How about proposing legislation that mandates that a > byte is now 9 bits instead of 8. This would allow the ninth bit to be the > decent/indecent bit, thereby solving all of our problems. Hmm. In the days of COCOM (a relative of ITAR) there was a doctrine that individual pieces of a mosaic may be unclassified, yet together they may form a whole that needs to be export-controlled. Likewise 8-bit values 0x46,0x55,0x43,0x4B may not be obscene individually, but together they comprise a vile, CDA-prohibited obscenity. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From JonWienke at aol.com Sun Apr 14 17:04:41 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Mon, 15 Apr 1996 08:04:41 +0800 Subject: Enemies R Us [Political Rant] Message-ID: <960414163840_271703650@emout08.mail.aol.com> >These are organized groups of militias, white supremacists, >neo-Nazis- skinheads, survivalists and constitutionalists who >are connected to each other with increasing frequency by the >Internet, fax machines and a shared belief in Christian >Identity, a renegade religious concept that. proclaims whites >to be God's chosen people, Jews to be descendants of Satan and >blacks to be subhuman. These views are shared by only a small minority of the patriot movement. This paragraph is pure propaganda. There are some of these people in the patriot community, but their percentages are not much higher than in the general population. >At the same time, however, as Federal agencies proceed with >traditional means of intelligence gathering (as in the >Unabomber case), and Congress ponders a new anti-terrorism >bill (stalled by the gun lobby and civil libertarians), >efforts to fight domestic terrorism are being supplemented >more than ever by private human rights organizations that >track the fringe right with their own networks. They willingly >share information with law enforcement agencies, branches of >the military and reporters. If Federal LEO's are getting so much help from volunteer snitches, why do we need the anti-terrorism bull? :) >Federal law enforcement agencies, which were heavily >criticized for their actions in fatal controntations in Ruby >Ridge, Idaho, and Waco, Tex., appear to be trying a new, more >patient approach in waiting for a peaceful solution to the >current standoff with the anti-government group called the >Freemen in eastern Montana. They have been criticized this >time, largely by neighbors of the Freeman and local officials, >for waiting so long to get involved, and for waiting at all. Don't wait. Act precipitously. Burn all the [insert disliked individuals/groups here]. Oh, wait. Isn't that what Hitler did? >Most of the human rights organizations were actively >campaigning against racism and anti-Semitism long before the >Oklahoma City bombing on April 19, 1995 and the arrest of two >suspects with links to militia groups. And with many of the >right-wing groups now hiding racist views beyond a more >acceptable veneer of anti-government oratory, the human rights >groups say the need to collect information has become that >much more critical. There is NO clearly established connection between McVeigh and ANY militia group. This notion is more government propaganda. >At least two of them -- the Southern Poverty Law Center in >Montgomery, Ala., and the Simon Wiesenthal Center in Los >Angeles -- use undercover operatives. Both organizations had >spies attend a convention last weekend in Lake Tahoe that >attracted hundreds of Christian Identity followers to hear a >speech by Randy Weaver, the white separatist whose wife and >son were killed three years ago in a siege by Federal agents >in Ruby Ridge. > >The Southern Poverty Law Center has computer files of more >than 12,000 people identified as members of a far-right group. >The Wiesenthal Center operates an extensive electronic >tracking station, where researchers monitor television, cable >and radio shows all over the world for racist and anti-Semitic >content. I find it ironic that the SPLC is run by far-left radicals of the type who did a lot of bitching in the 60's when their ox was being gored. (Does anyone remember COINTELPRO?) The Wiesenthal center is actively supporting legislation (the anti-terror bill, various gun control bills, etc.) that would give our gov't many of the same powers Hitler had, which he eventually used against the Jews. Those who refuse to learn from history will be condemned to repeat it. >When the Army recently conducted an internal investigation to >learn how many soldiers were involved with skinhead groups, >senior officers at the Pentagon twice conferred with >Wiesenthal Center officials, and when Patrick J. Buchanan was >running for the Republican Presidential nomination, they >produced names of Buchanan supporters who once worked for >David Duke, a former Ku Klux Klan member, or had affiliation >with the National Association for the Advancement of White >People. About 3 in all, if I recall the news reports correctly. This "KKK people support Buchanan so Buchanan is bad" idea is fatuous liberal propaganda. If one were to poll the members of North American Man-Boy Love Association, a majority of them would probably support Clinton, because of his policy of loosening restrictions on "alternate lifestyles." However, I have yet to see any demonization of Clinton on this basis anywhere. (Not that I think it would be justified, mind you.) BTW, if the "advancement" of people on the basis of skin color is racist, then the NAACP, La Raza, et al, should be put out of business as well as the KKK and the National Association for the Advancement of White People. [B.S. snipped] >Now, Dees and his colleagues at the Southern Poverty Law >Center have again warned the Attorney General about the danger >posed by the antigovernment "Patriot" movement. In an April 9, >1996 letter, Dees urged Reno to take concrete steps to counter >the threat of further domestic terrorism. He also provided her >with a copy of *False Patriots*, the Center's new report on >the "Patriot" movement. This 72-page expose is the culmination >of a Center investigation into the "Patriot" movement >conducted since the Oklahoma City bombing. > >United By Hate > >The "Patriot" movement encompasses numerous elements of the >American right, from certain Christian fundamentalists to the >Ku Klux Klan. It includes tax protesters, survivalists and >neo-Nazis, as well as radical anti-environmentalists and gun >enthusiasts. The tie that binds those in the movement, >estimated by some at five million strong, is a virulent hatred >of the federal government. The 5 million figure is low. The NRA had almost that many members last I heard, and most of them are not survivalists, tax protestors, or neo-Nazis. Gun enthusiast == virulent hatred of government? More propaganda... >This hatred has been fueled in recent years by the passage of >gun control legislation, the deaths of Randy Weaver's wife and >son at the hands of federal agents on Ruby Ridge in Idaho, and >the disastrous federal assault on the Branch Davidian compound >in Waco. Shooting and burning people without a compelling reason for doing so pisses people off, and lowers public confidence in the agencies doing the shooting and burning. What is so radical about that? >The False Patriots report reveals the people behind the >"Patriot" movement, people like Louis Beam, a key Aryan >Nations leader, and Pete Peters, a pastor of the bizarre >Christian Identity faith. Beam may be a poo-bah in the Aryan Nations, but most "partiots" find his views revolting. This is another example of using an atypical aberration as an excuse for demonizing an entire group. I have yet to see a major news organization use the Unabomber to demonize radical leftist environmental extremists in this way, but the comparison would be far more truthful the ones made here. [Anti-patriot B.S. snipped] >Since the Oklahoma City tragedy, numerous "Patriot" terrorist >plots have been discovered, including plans to poison federal >employees in Minnesota and conspiracies to blow up a federal >courthouse in Spokane and an IRS building in Reno. An AmTrak >train was derailed by a group calling itself "Sons of the >Gestapo." Which turned out to have been done by a disgruntled former railroad employee who left the "sons of gestapo" note as a red herring. Could you at least stick to propaganda that has at least some basis in fact? >Over ten tons of explosives have been stolen from various >locations around the country in the past year. Authorities >suspect a large quantity has made its way into the "Patriot" >movement. In December, a survivalist was arrested in the Ozark >Mountains of Arkansas and charged with terrorism. He had >produced 130 grams of the deadly poison ricin, enough to kill >thousands. Explosives thefts are nothing new. Regulation of explosive materials is. Explosives and poisons can be made out of commonly available materials. If this is such a problem, how come this country wasn't bombed and poisoned into oblivion 50 years ago? >Secret Cells Formed > >>From California to Florida, "Patriots" are forming cells of >five to ten men skilled in explosives, sniper fire, sabotage >and terrorism. These secret cells operate without a chain of >command to avoid compromising the larger movement. One cell >recently uncovered in Idaho is financed by a wealthy >businessman. These cells, like the one McVeigh is suspected of >forming, are difficult to monitor and can strike when least >expected. Another unsubstantiated insinuation that McVeigh is a militia/patriot/skinhead type. >What You Can Do To Help Stop Domestic Terrorism [Snip] >Find out if your state has anti-militia and anti-paramilitary >training statutes. If the answer is "Yes," insist that the >laws be enforced. If "No," urge the attorney general's office >to work for passage of such laws. > >+ Support federal legislation to outlaw militia groups that >are not authorized by state law > >These groups operate as a springboard for dangerous >antigovernment activity. Yes, throw out the second amendment. The government can control people much more easily when they are helpless... >+ Learn about the "Patriot" movement and share your knowledge >with others Absolutely, yes, hallelujah, preach it brother! You might want to chesk out other sources than the SPLC, however. The best way to find out what views an organization holds is to directly contact the organization, rather than a member of the opposition with an axe to grind. >The "Patriot" movement thrives on secrecy and citizen apathy. So does government tyranny and oppression. [B.S. deleted] >The Militia Task Force is leading the fight to expose the >"Patriot" movement and protect those injured in hate crimes. >The Center's Militia Task Force and its Klanwatch Project >monitor "Patriot" groups, especially those with racist ties. Yes, concentrate on the skinheads and other kooks. That way, you can tar everyone else with the same stick... [SPLC fund-raising crap deleted] >A copy of the latest official registration statement and >financial report filed by the Souther Poverty Law Center may >be obtained by contacting Office of Charities Registration, >162 Washington Avenue, Albany, NY 12231. I find it disgusting that a radical left-wing propaganda outlet like the SPLC can legally call itself a "charity." Jonathan Wienke From jimbell at pacifier.com Sun Apr 14 17:05:39 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Apr 1996 08:05:39 +0800 Subject: math patents Message-ID: <m0u8Ysr-0008yhC@pacifier.com> At 09:08 AM 4/14/96 -0800, Lee Tien wrote: >In reply to the message excerpted below: > >I believe Jim's not looked back far enough. My recollection from law >school is that the law was friendly to math patents in the period before >the Supreme Court weighed in. There were some PTO denials, which courts >reversed (I think the Court of Claims heard these back then). So I think >the trend was toward patenting processes even if mathematical until >Gottschalk v. Benson. It's a conceptually messy area because "processes" >have long been patentable (like the Morse telegraphy/Bell telephony >patents) but the Supreme Court saw the Benson application as violating the >doctrine against patenting "laws of nature." > >Lee I seem to recall reading that one of the breakthrough "algorithm" patents was from the 1970's, in which a rubber-curing/molding process's cure time was determined by a mathematical formula based on heat, pressure, mold shape, and a number of other variables. I don't really object to this, because some engineering tasks are complicated and mathematical formulas are required to solve them optimally. However, I don't see the basis for patenting what is just about pure mathematics, and RSA is very close to pure math. The fact that there is a practical use for it is almost a secondary consideration. If factoring numbers were easy, RSA wouldn't have been useful, even though the math would still have "existed," at least theoretically. Clearly, it is not the math itself which is useful; it is a specific characteristic of that math, its difficult reversibility. A person looking for a mathematical algorithm to apply to public-key cryptography probably doesn't try to do new math; what he tries to do is to find old math that has this characteristic. Had mathematics always been patentable, the patent on that math would have expired at least decades, and possibly centuries ago. In any case, I don't think it's unrealistic to suspect that the government was playing games with the patent system due to RSA. After all, let's get back to basics: What, exactly, does a patent do? A patent on RSA doesn't prevent the EVIL SOVIETS from using it. It doesn't "allow" the USG to use it; if there was no patent on it they'd be able to use it for free. The only thing a patent on RSA might arguably do is to keep other people, mostly Americans, from using it. That's right, the patent system was actuallly denying the public this system. From system at decode.com Sun Apr 14 17:18:37 1996 From: system at decode.com (Dan Veeneman) Date: Mon, 15 Apr 1996 08:18:37 +0800 Subject: DC Cypherpunks meeting report Message-ID: <5X9DmD1w165w@decode.com> C'punks, The DC Cypherpunks held their monthly meeting on April 13 at the Digex offices, with about a dozen people attending. The agenda was light, with discussion ranging from ISDN in Virginia and Maryland, a security hole in rlogin, various biometric identification methods and Dorothy Denning's GPS ID plan. Carl Ellison gave an overview of Cybercash, and answered several questions. After the meeting, a smaller group adjourned to a local Chinese restaurant, where most of the discussion focused on getting inexpensive ISDN or IP connectivity between Baltimore and northern Virigina. No meeting date was set for May. Dan -- system at decode.com (Dan Veeneman) Cryptography, Security, Privacy BBS +1 410 730 6734 Data/FAX From proff at suburbia.net Sun Apr 14 17:35:32 1996 From: proff at suburbia.net (Julian Assange) Date: Mon, 15 Apr 1996 08:35:32 +0800 Subject: key bit lengths In-Reply-To: <Pine.LNX.3.92.960414141633.893A-100000@gak> Message-ID: <199604142137.HAA05553@suburbia.net> > so a brute force attack might take much less energy several billion years > hence, since the universe will cooled off more. Proportionally to the amount of energy available in the universe to conduct such an attack however. You have to get it from somewhere. -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From jimbell at pacifier.com Sun Apr 14 17:37:16 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 15 Apr 1996 08:37:16 +0800 Subject: "Contempt" charges likely to increase Message-ID: <m0u8Z2k-0008yfC@pacifier.com> At 11:57 AM 4/13/96 -0400, Black Unicorn wrote: > >I will not, of course, reply to Bell's reply. That's strange. George Orwell (in the book "1984") said "Freedom is slavery. War is Peace." etc. In 1993 Waco, the FBI said "This is not an attack!" Today, Unicorn says, "I will not, of course, reply to Bell's reply" I would have to agree that yours is not a _good_ reply, but it sure appears to be some kind of reply, despite your silly claim. >On Sat, 13 Apr 1996, jim bell wrote: > >> At 07:59 PM 4/12/96 -0400, Black Unicorn wrote: > >> >The government of the United States doesn't play "fair" when they want >> >something. >> >> But if the government of the United States does play "fair," then why can we >> not play "fair" and kill their agents who violate what we feel is our >> rights? > >Are you planning on affording them due process rights? There are over 150 nations in this world, today. Each of them probably has a different view of what "due process rights" are. Which nation's "due process rights" are you referring to? And are you referring to the letter of the law (or Constitution) or merely what passes for "due process" in each of these countries? Are you showing your biases by using a term of art such as "due process rights" at all? In any case, not all criminals at not all times are entitled to "due process." Self-defense is legitimate, without trial, in the case of an emergency. I suggest that what constitutes an "emergency" depends on the likelihood of getting assistance and justice if that self-defense and counter-attack is foregone. If you've just managed to tie your attacker to a tree, and the cops are a phone call away, society declares that you shouldn't shoot him, and should let the court system handle it. However, if you're a black in 1955 Mississippi, and the sheriff's brother has just attacked you with a knife out in the woods and you grab a gun and are holding him at bay, I think it is not unreasonable to conclude that the fairest outcome that you can expect is to shoot him dead for his stupidity, then run and hope that nobody figures out who did it. And the whole basis for asking people to forego their own version of justice is simple: Society claims that courts exist to provide justice, and also claims that a criminal who's caught will get a fair trial. But it's obvious that government will not judge its own agents fairly (except in unusual cases where incriminating videotape exists, and sometimes not even then), so there is no presumption that a person victimized by government can expect justice. I think it's clear that whatever "social contract" that you might want to claim exists no longer applies in such a circumstance, and it's reasonable to act entirely outside the current "justice system" in those circumstances. Naturally, government thugs will disagree, but they're PAID to disagree! > What about other >rights generally? At least the U.S. government attempts to do this. More accurately, it occasionally attempts to APPEAR to do this. But since the government, through the SC, claims to be the final arbiter of what those "due process rights" are, you can't expect an unbiased opinion from it in this area. > How about a trial, or does it merely take a single bidder with >money to have someone offed? Sounds like tyrrany of the rich to me. I >might add that if this is the way things were the richest would be the >survivors, able to kill their enemies, protect themselves better, and >deploy their own agents. In fact, to a "rich" person it would look like quite the opposite situation! Even a relatively small number of non-rich people could finance his death, and he wouldn't even know who his enemies are. As usual, you show almost not grasp of the concept. Your opposition is based on your desire to maintain the current tyrannical system, or at least enough of it to allow you to keep your current privileged position. >> After all, the government is merely the representative of the >> people (at least in theory!) and it 'must' follow the rules (laws, >> Constitution, etc). > >I think the U.S. government does a much better job at this than almost >any other sovereign excepting perhaps the U.K., which has still had its >share of self contradiction. Is that relevant? I don't recall ever having stated or implied that the USG is the worst offender, either qualitatively or quantitatively. However, it _is_ an offender. Sounds like you're trying to set up a straw-man again; par for the course for you. >> To whatever extent it exceeds those limits, and to >> whatever extent the public can't get justice to prevent those violations, >> why would the public be obligated to accept them? > >Really Mr. Bell has recognized something important, though I'm not sure >even he realizes it. Unfortunately, I think that Unicorn hasn't recognized anything. > Specifically, that when his allies are so few in >number he must resort to general terrorism and low intensity conflict to >have any hope of success at all. I've never supported "general terrorism." In any case, the term has been abused over the years so that it carries a lot of rhetorical baggage. If you know of a "terrorist" that would prefer to attack innocent civililians (those who are not government employees) instead of the people who are really causing the trouble, please tell me who he is. And "low-intensity conflict", in many cases, exists ONLY because the government maintains it. Much of the warfare in the inner cities, for instance, exists ONLY because of the so-called "war on drugs." I think it's realistic to conclude that this is not simply an accident. >> To believe otherwise is to believe that the government has some sort of >> special dispensation to violate the law. I don't believe this; it wouldn't >> surprise me to hear that you do, however. Which is it? > >I don't believe anyone has any special dispensation. It's all a question >of who can get away with it. For a long time, governments at all levels and in all countries have been "getting away with it." I favor a system that makes this impossible. You don't. > For all your moaning and whining, you are >still less able to get away with it than agents of the CIA and the men on >top. It must be killing you. I can feel the way the knife twists in you >with the realization that you are another small gear in the machine. What gear? which machine? I must be a gear that got away! >You and the Unabomber. Horrified at the thought that you might be >insignificant. Driven by the need to be important, noticed. Having not read his manifesto, I hesitate to comment. However, from what I've read about it, he's long on discussing what he sees as being the problem, short on prescribing a practical solution. And he seemed to select his targets without regard to whether killing them would do any "good." I'm quite the opposite: I don't pretend that my AP essays contain a complete description of what I see as the problem, or even the outline of it. In fact, I carefully avoided the issue in most cases, for that would have increased its length manyfold. (I assumed that most people who read it would already have at least been aware of many problems, whether or not they conclude that my solution is justified by them. I don't claim that my view of the problems is somehow special, merely that everyone knows of enough problems to justify formulating a solution.) My solution, however, despite being distasteful to some people, is frequently if not usually thought of as being not only possible, but in fact practical. >Some people work to change the system by developing structures to work >within it, or around it. I intend to go THROUGH it, every bit of it. But it isn't just me; essentially everthing I've described is merely the unavoidable consequence of the modern developments of networking, good encryption, and digital cash, three facts that no government is going to be able to stop. Some of what I've discussed was considered years ago by others; I've merely extended it. >You call for the assassination of (not even particularly important) >public officials on the whim of the individual who happens to have cash. That's not true. Hey, they can always resign! And I've repeatedly stated that most of them will resign, especially when their paychecks stop coming. From holovacs at styx.ios.com Sun Apr 14 17:50:22 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Mon, 15 Apr 1996 08:50:22 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? In-Reply-To: <Pine.3.89.9604141600.A8552-0100000@netcom15> Message-ID: <Pine.3.89.9604141756.A29879-0100000@styx.ios.com> On Sun, 14 Apr 1996, Jonathon Blake wrote: > > Since somebody else brought up SurfWatch, remember that > it was SurfWatch that declared whitehouse.org to be > off-limits for obscene content. A mistake on their > part --- or at least that is their claim. << This > was just before CDA passed, btw. >> << I personally > thought it was a great way to demonstrate the absurdity > of CDA. >> > Alas I suspect this will be used by the CDA supporters to claim that ballyhooed technology to 'protect' children does not work, and that legal restrictions are necessary... ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 From stewarts at ix.netcom.com Sun Apr 14 17:51:15 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Apr 1996 08:51:15 +0800 Subject: Is crypt(1) a prohibited export? Message-ID: <199604142149.OAA28351@toad.com> At 10:21 PM 4/13/96 -0700, you wrote: >crypt() is a hash function, and hence is not subject to export restriction. >(To my knowledge). >> Is crypt(1) a prohibited export from the US? I thought it was. The >> reason I ask is that it has come to my attention that HP ships that >> overseas too, with HP-UX versions 9 and 10... crypt(3) is a hash function, used for passwords and login, and is exportable. crypt(1) is the rotor-based enigma-like encryption filter, and is not exportable. The Unix versions that support crypt(1) generally also have a -x option for ed and vi to let you edit encrypted files. Crypt Breaker's Workbench works on it. Actually, unless you specifically apply for permission, even rot13 isn't exportable. Unfortunately, this means it's illegal for me to make Rot13-Breaker's Workbench available for ftp :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From vznuri at netcom.com Sun Apr 14 18:11:02 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 15 Apr 1996 09:11:02 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? In-Reply-To: <Pine.SUN.3.91.960413211541.9295G-100000@polaris.mindport.net> Message-ID: <199604142144.OAA04096@netcom5.netcom.com> Unicorn takes time off from his busy schedule of smearing and ridiculing me with sniping pot shots to write up a more comprehensive attack: >> I foresee that the "industry" of providing ratings is going to be >> a very significant aspect of future cyberspace. > >I tend to disagree. Ratings are generally consumed by parents and >otherwise custodial entities. The largest and richest market anywhere >has always been the 18-25 range, or 18-30 depending on who you talk to. you seem to not address the more liberal concept of "rating" that I am using, which does give me an opportunity to elaborate. in my view, anyone who exercises judgement is in fact applying a process of "rating". the results of that rating may be "explicit" in the form of things like measurements, (MPAA ratings being discussed) or they may be implicit, such as the selection of content for a magazine by an editor. however, at the root these are the same activities-- taking a subjective human judgement, and creating some objective "product" or "conclusion" from these judgements. ratings abound in our society. we have SAT tests for students. every test is a kind of a "rating" by a "trusted rating agency". we have the Better Business Bureau. we have credit ratings. we have "referral services". all of these someday are going to be seen for what they are: services that measure the "quality" or "value" of various other services or information pieces. as we move into an information society, people will begin to understand the commonalities between all these seemingly diverse areas. they will tend to become more unified and diverse at the same time. most people are applying the concept of ratings far too narrowly in my view, like you do above. I tried to expand your horizons, but you lept into the trap of seeing ratings only of value to parents. ratings in general are extremely valuable to everyone who lives on the planet. imagine some of the following ratings services: 1. quality of internet providers around the country 2. lists of people who spam internet mailboxes 3. best hi tech companies to work for based on packages etc. ad infinitum all of these have audiences, and would be economically viable to maintain in my view. we will let the market decide. but when the future of our economy is "information", you are going to see some very radical new industries emerge. ratings are one of them. >And like any ratings system, it relies on the raters subjective >judgement. Not a very market stable or market wise system. false. subjective judgement is relied on all the time by everyone. it is not perfect, but because it is not perfect does not mean it is worthless. you are relying on the subjective judgements of zillions of people by living on the planet, who made subjective decisions like: how do I best build a house? how do I build a computer? how do I plan this city? these are all subjective situations. Tell me who >would pay extra for a movie that had a rating on it. completely incorrect concept. people pay a lot of money for TV guide, for movie rating books, the advertisers pay Siskel and Ebert (a rating service), etc. (btw, it was Klaus who first gave the Siskel and Ebert example, and because he is so sensitive to being properly credited for his visionary ideas, well I am crediting him <g>) No reason to >bother. People don't like the movie, they can leave. oh brother. surely you see how weak your argument is. they paid $7 to leave at the beginning? and you think there is no market for a movie rating service? such services already exist. Instead they pay >for the newspaper that has the review of the movies subject matter. right. a rating service. you will see more and more in the future as information is recognized to have value in our economy. > No >one much cares about the motion picture rating in any event. Parents >perhaps, and children, to the extent that 'R' and 'NC-17' films are >mystified and thus interesting. I can't even think of what the rating of >the last film I saw was. I simply don't care. > you have gone off on a strange tangent that was not in any way justified by what I wrote, although you have a pretty good argument against *something*, I'm not sure what <g> -- I didn't claim that MPAA ratings were the best example of a rating service. in fact it is a very primitive kind of rating system in my view. >> note that "good/bad" >> is the most simplistic rating possible. even more superior rating >> agencies might find "cool material". > >Like the "hot sites" on Netscape's home page, or Alta Vistas? Or the >"site of the day" stuff? Note that all this is free today. false. they get paid by their advertisers to maintain that. just because you don't pay doesn't mean that no money is involved. furthermore there is a great example of an internet web site rating service called "point communications top 5%"-- another economically viable venture. these people do nothing but surf and rate sites, essentially, and now they have a marketed book out on the subject. it's a rating service. > Again, they >all rely on the ratings judgement of the rater. Given that most of these >services are funded by advertizing sales rather than user cost, I think >it's fairly clear that users wouldn't bother to pay for them. that doesn't mean, as I repeat, that rating services will not increase and thrive. there are many ways for an economy to run outside of direct fees. >> in fact in a sense, every >> editor of every newspaper is a sort of "rating server". he culls, >> filters, and selects information that the readers like. > >That's a far cry from rating. That's simple exclusion. There is no >discussion of the reasons and rationale for excluding, merely the >exclusion. no, frequently you will see editors write columns about what kind of information they are excluding etc. the whole concept of how much space they dedicate to an article, the size of the headlines, the placement of the articles, all are an "implicit" rating of the material. as I said, some ratings are explicit, some are implicit. but the whole field is going to become increasingly blurry in the future. > This is the cypherpunks lite example. Will there be a place >for content/subject based news review, yes. But it will be much more >interactive than ratings made by a central authority. notice you seem to equate "ratings" with "central authority". PICS is a good example of how this is a fallacious line of thinking. indeed what I and Klaus have openly advocated is a distributed rating system in which there are no "official rating agencies" other than those that simply choose to be rating systems. you let the information market decide. PICS does support such a system, and is designed with that as a key design goal. repeatedly in your message you try to extrapolate on the future based on some very primitive and rudimentary systems in the present, which I think is not going to give you a very realistic view. it would be like the prediction made in popular mechanics, "computers will some day become as small as a room". your notes on copyright I don't really want to respond to, as I have written essays here on my thoughts on the subject before that cover it. >There has been much talk lately about a move back to the centralized >computing model. not by me. but note that the concepts of "centralized" vs. "distributed" can become blurry in various situations, and I believe this blurring will continue. >Who is going to bother with centralized ratings when customized ratings >are a few keystrokes away. nowhere in my article did I say that ratings would be centralized. it is true they will be "centralized" in the sense that each agency decides what ratings they have and how to store them etc.-- but the agencies themselves are decentralized. their systems may in fact also be decentralized (e.g. rely on many different reviewers). The basic premise that people will prefer to >have material selected for them rather than select it themselves is, in >my view, fatally flawed. hmm, that's strange then that magazines and newspapers exist, or mailing lists with moderators, etc. maybe we don't live on the same planet or something. >You really think central authority rating a la TRW is a "good thing"? I >submit you've never had to deal with TRW. imagine a rating service that rated the quality of companies. such a company would be the consumer's complementary tool. the companies rate their customers, and the customers rate their companies. indeed a rating service designed for one audience (such as companies) is going to be mostly worthless and perhaps even opposed by other audiences (such as consumers). but once everyone has ratings that they use, perhaps they will "live and let live". >You are also ignoring the fact that if such an industry ever does >exist, there will be a free market of raters. ... > A centralized and >standardized ratings system is going to be an economic flop. you seem to want to argue with me no matter what I say, so you read all kinds of things into my essay I didn't write. I advise you to stick to what I wrote if you are going to attribute things to me, although your fiery passion against debunking the nonexistent is amusing and I wouldn't want to squelch all future emanations of it. a major point of the post I wrote was that ratings is a system that involves a free market. nowhere did I argue for "a centralized and standardized rating system" in the sense of one authority making all the subjective decisions. what I *do* favor is a unified *framework* wherein such decisions can be collected and traded within, with PICS a very nice early attempt at this important capability. >> in the old system, censorship was accomplished by the government >> putting chains on, or burning, "atoms". in the future, people will just >> select whatever information they are interested in. > >In the future? They do that now. What do you think Alta Vista is? >Alta Vista in its purest form, cataloging, is by no stretch of the >imagination a ratings system. no, I consider it a ratings system. the ratings are "implicit" vs. "explicit". they are making subjective decisions about how to organize/ present the material etc similar to what an editor does, which again I suggest is a "rater of information", although his judgements are reflected implicitly, not explicitly, in his end product. > It's also free. So much a for massive >retail ratings industry. again, I never said that individual consumers would pay for every rating they consume. systems whereby advertisers effectively pay for these ratings will be very useful as well. you seem to be "hot and bothered" by something I wrote, but I can't pinpoint exactly what I said that got you so torqued up. >Its interesting to me that you can be both so freedom of information >oriented, and central authority obsessed at the same time. your idea that I am interested in a central authority as far as "one unified rating agency" is totally incorrect and not supported by anything that I wrote in my post, and in fact I think outrightly contradicted by serveral statements in it. again, what I do advocate is a unified technical standard by which multiple rating agencies can all coexist. I am expressly against coercion of consumers or retailers to follow particular rating guides for any purposes. the entire system must be voluntary in most aspects. however, an individual retailer should be free to screen his merchandise or selection based on his own judgement, which may or may not be based on ratings. if a large group of retailers agree to ban various material based on their voluntary decision to follow particular ratings, so be it. the consumer is free to choose a different retailer that better suits their needs. a consumer cannot demand a particular kind of service however in my view if the retailer is not interested in providing it. From thecrow at iconn.net Sun Apr 14 18:12:04 1996 From: thecrow at iconn.net (Jack Mott) Date: Mon, 15 Apr 1996 09:12:04 +0800 Subject: RC4 licensening Message-ID: <3171774B.35F3@iconn.net> Hello Cypherworld, Anyone know how much it costs to license RC4 or how RSA has been handling the whole situation? I finally got my Turbo C implementation to work with the DELPHI 2.0 version, I'm pumped. Now I just have to get GCC figured out and I'll make the Linux version work too. yyyeeeeha. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From stewarts at ix.netcom.com Sun Apr 14 18:12:57 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Apr 1996 09:12:57 +0800 Subject: Open Systems, Closed Systems, & Killer Apps Message-ID: <199604142149.OAA28361@toad.com> At 10:14 AM 4/10/96 -0400, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Various correspondents have pointed out that X.25 is an "open system" in >that it is not proprietary. I knew that. I was thinking more of >hierarchical vs peer-to-peer. I have been under the impression that >TCP/IP connections are more peer-to-peer between different sorts of >networks (or nodes) than X.25. Isn't X.25 more of a standard for a >single network? Don't X.25 networks need someone more "in charge" than >TCP/IP networks, or am I mixing up different layers on the OSI reference >model? X.25 is an interface between a Data Terminal Equipment and a Data Communications Equipment, rather than a whole-network format like IP and TCP. X.25 networks often have random proprietary internals, and they're designed for a world where there IS only one network, because after all, there's only one Phone Company; the X.75 protocol lets X.25 networks talk to each other. But if you look at the higher levels of the protocols, they're not really that different than TCP applications - you've typically got a listener application waiting around for connections from client programs. It feels a bit less peer-to-peer because usually the service you want is the X.3/X.28/X.29 stuff that's X.25's equivalent to telnet, so the server end is a MainFrame, and the client end is a terminal pad that you've connected your 3270 or dumb terminal to. But you can do other things as well, if your computer environment will support it. Simon Spero wrote: } you can call X.25 a lot of things, but proprietary is not one of them. } X.25 did not fail because it wasn't open; X.25 failed because it was crap It's not dead yet, and you can't even say it's failed, given that it's still in wide use in much of the world. X.25 was design to work on networks with really bad bit loss - we're talking modems on barbed wire here, or whatever the French use instead of barbed wire, and in days when computers were _slow_. Yes, it's bureaucratically designed, and parts of it genuinely are ugly, and it does lots of work at Layer 2 that these days you'd do at a higher layer. And, yes, it's a lousy environment to do full-duplex character echo over. But it works ok for a large fraction of the world's data communications, which are designed for less interactive environments. It's fine for email. It's fine for 3270 fill-in-the-blanks applications. It's fine for pre-Web online service applications like CompuServe. It reeks badly for client-server applications which do a dozen little handshakes per transaction, which are designed assuming they're on a LAN and fail badly when stretched across an ocean, but you'll find they often do badly on frame relay as well. Are the Internet and Frame Relay both better ways to do anything than X.25? Yeah. Would I want to do interactive work on it? Of course not. Would I like to do another project getting vendors to modify their X.25 and CLNP to support a set of seldom-used options that some security consultant once convinced one of my customers they needed? No way. Was I susprised that not only does AT&T still use X.25 in some of its older dialup networks, but that it's still very big overseas? Well, yeah :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From weidai at eskimo.com Sun Apr 14 18:14:21 1996 From: weidai at eskimo.com (Wei Dai) Date: Mon, 15 Apr 1996 09:14:21 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604140412.VAA24649@igc2.igc.apc.org> Message-ID: <Pine.SUN.3.93.960414144321.29416B-100000@eskimo.com> On Sat, 13 Apr 1996, Jerry Whiting wrote: > We're shooting for a May 1 release for Windows with the Mac and DOS 6 > weeks behind and VAX/Sun a month after that. We're aiming for the > stars: encryption, time/date stamps, signatures, message digests, etc. > all based on Blowfish. We're doing a core engine with APIs, a > standardized file format, and extensability for other developers. We're > very committed to making the spec including the API and file format VERY > PUBLIC. Like I said, we're aiming high. This sounds like an interesting project. However, I'm having trouble understanding your goals. Blowfish is a block cipher. Why are you using it to do anything but encryption? I know there are cryptographic constructions that allow you to do message digests with block ciphers, but they are slow and not guaranteed to be as secure as the underlying block ciphers. I suggest that instead you use an established message digest algorithm such as SHA. How are you planning to do timestamps and signatures? I presume you'll need some other algorithms besides Blowfish. Also, will the software be freeware, shareware, or commercial? Wei Dai From perry at piermont.com Sun Apr 14 18:16:53 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 09:16:53 +0800 Subject: [NOISE] Consolidation of threads ... In-Reply-To: <v01540b0cad96f6491958@[193.239.225.200]> Message-ID: <199604142009.QAA05517@jekyll.piermont.com> Clay Olbon II writes: > OK, I have a proposal that consolidates two threads that have been > discussed recently. How about proposing legislation that mandates that a > byte is now 9 bits instead of 8. This would allow the ninth bit to be the > decent/indecent bit, thereby solving all of our problems. Ah, the naughty bits. .pm From a9401816 at unet.univie.ac.at Sun Apr 14 18:41:13 1996 From: a9401816 at unet.univie.ac.at (Clemens Stiglechner) Date: Mon, 15 Apr 1996 09:41:13 +0800 Subject: [fwd] Undeliverable Message Message-ID: <3171755D.5A09@unet.univie.ac.at> -----BEGIN PGP SIGNED MESSAGE----- It seems that mailer-daemon at usafa.af.mil is running amok; it has sent 64 *different* *encrypted* messages to the Hemingway List within 6 hours until now. I just wonder which kind of encryption _they_ might use. Here is the first one: - -----Beginn Forwarded Message----- Sender: owner-heming-l-outgoing at mtu.edu Received: from opus.mtu.edu (opus.mtu.edu [141.219.70.3]) by arl-img-4.compuserve.com (8.6.10/5.950515) id KAA06421; Sun, 14 Apr 1996 10:17:40 -0400 Received: from mtu.edu (mtu.edu [141.219.70.1]) by opus.mtu.edu (8.6.13/8.6.10) with ESMTP id KAA18535; Sun, 14 Apr 1996 10:17:37 -0400 Received: (from daemon at localhost) by mtu.edu (8.6.13/8.6.10) id KAA06326 for heming-l-outgoing; Sun, 14 Apr 1996 10:17:15 -0400 Received: from 34trwmail.usafa.af.mil ([128.236.38.1]) by mtu.edu (8.6.13/8.6.10) with SMTP id KAA06314 for <heming-l at mtu.edu>; Sun, 14 Apr 1996 10:17:13 -0400 X-Authentication-Warning: mtu.edu: Host [128.236.38.1] claimed to be 34trwmail.usafa.af.mil Received: by 34trwmail.usafa.af.mil; Sun, 14 Apr 96 8:17:03 MDT Date: Sun, 14 Apr 96 8:17:02 MDT Message-ID: <vines.g1Y7+SXEQlA at 34trwmail.usafa.af.mil> X-Priority: 3 (Normal) To: <heming-l at mtu.edu> From: <MAILER-DAEMON at usafa.af.mil> Subject: Undeliverable Message X-Incognito-SN: 547 X-Incognito-Format: VERSION=2.01 ENCRYPTED=YES Precedence: list Reply-To: heming-l at mtu.edu begin 600 attach.Z M'YV0:=R,>7/&31HZ;URTF7,&@,.'$"-*G$BQHL6+&"N"V&@#!@P0`#:"B$&# M!DB1)$V&%"G2A at T:,CC&F`$3!@V:'T?*B,$S)(R,0(,*'4IT8ITY=,+(V0B` MS9LQ8=@4I>@4JM2I6+-JW<JUJU>L5-[H8$E6)`\T9=H$/-."#9`V=.JX*$.F MC@\%0\:,+4M6P90Z8M24&4-G+]DJ;LB489/&3ADY8<2P*0.B29DY<\*<*:-` M at 67,FBF[>4,'A&+&CN70!8$0A.HQ:>"D*>.&SAP08A:_N>-B(Q35F$$8B0'" MS)NE:-G``7'G(!H05IPT4?!8SG$0`Q7/Z<V7;^<$T9O,L#ECKV759)PK00*$ MB)$B3HX`J3(EB)$@"AKD5Q!^_$T0+;1061!),"'$$UB`D,04PE7!!!.=B40% M6B"T<5EFFV$7AANCE9:;:8LU]MAJN4%U%&5TH*6`2*_%-EMM)]S61AAIL"'& M&WA@]T9M-+IQ6XJ4S8A'&FW4T08(;AB9VU)OF`'"BAM9"-IF<[``0ABWS5&& MAWFP1N$<>2"5UI5DJ&404I`A)`=W$W+&XF`NTE9:D4B!.!D=E,WQAH457AC: M;;D9I]J5;N0!)0BDH;64E!A>IJ$;N%%VFHCHN7#HH6U6&,:011[):&@@,*96 M:8)>"<*)<L2H:8TWYIC&;8?&``,+'L'`)H6*F1%&'6S,Z6>&HAX$PJLCU=KG ME)=Q=V at 090;T*AUI'G<;5)!JZ2NRH1)YT&U'K>4E98<V0:.-.&XTQ99TK'6; M&74(E.Z.5]HQ;F23#0LID$^*)*X;H%:AY:*TU;$1"DW05X04*?06X497H`5I M&*?^J^J,K):K6AACH/4CA<'2826^AZ):X5&EG;9EGGM2UN2WQS8*:!F"@BL2 MOA23FR.U5XXQ1AEPE+9AEVT<1UE``YEY1LM_6JI`@$PW[?33`6[TA!QIG!%0 M5)7]2ID1;[#AU!VW`0CUV$^'95AW()R5UEIMO1777'7=E=?9W?D%F&"$T;T1 M8I.F1B]EGS7:6>"@=F at GI:NUUJ)L<K[\-7>_72@<<:4FMUQS*4(G'75R6+=4 M=LFB7=9W_9%GWHCII;A>>^_%-U]]]^VG7^G_1=T$@08BJ""#1C@((:84?IHA MM89_V#?JD9JHY;>'+OXB'1./VZJ./`:T<9";$FDDDDH^AJB3API_F958 at F`M M;EWB"Z:81X;1[)G0AJ'FK6YNY+R<(]=I,I[FIXPTE9&*&:$,)9)$>4]\T]I0 MI`Z7&KI82B3`PQZGMB>^;(VJ.->!&*JB5S%7P0HELZH5_4"D*UY=JU$6%!:Q M9.61_X4N7QMAEIF>%2TY)+!:6W)A"FT3,6^!3%_2*Q<(SD6'=+GA#.MJ%V'2 M`*\PR*M&?[,7R\*UH7[]JT])&EC!IG"PA#WI4`VCC:DV**, at YNAB&7,4OCKV M,0J%[(IT*MEB3M8_/JV,9EI[F0`/13,S/BIG.^O9`"LD-'L5S5L(5!K9%LDT MJ5'-:OQB0]:PQ36O[29LC&2DV42W$;49K6UPD0M=[**?N7$2!/KY2V`&4QB^ M2*$,8T'"VHYXAS#DP4IPF`R6RA`"_>B'<!DRW/'0PYHWN`9.C*N-XW8#.>#< M9C at 81,YB+N<<S35!/]6Y#NBV<TJ1^%(!X)&.?\JSD?/013WL<0]\Y$,?^P3A MF[,3)WG$-J`"'2A!"VK0@[XIH>!I[5'%DU2(&DB&Y.UJ>4#2SYM at DTSHE;&# MU$N*]5 at F).T=*4EM6-+W4!F^/)(O2SD40_J^%"8\M>]]-)3?<>BG4/LA\WGY MD^.=4,8G!`:PD#]K*:*`!#!DW7"!PW2 at 3G6:J8IV2H<=B^88)?90FPWK-CJ5 M%:T\,L)<[:I72-56:59HK$1N1*<R=!::5&K#/YZO at AWCUAQ\2"&=B at NB0T27 MNHJCQ'<][(ELB&)`6.;6*F;(7P<,F!8-AK#>\)-A#EOJ8SCH5#1JC&5LY.L; M#T at R.]%13W9T$AY]>M-!Z;2/$,49Q at +ILT(1<E!$VQ,B\^B";V9RD8ZLVM4D M"<RM=>UKF'SMV+B&'&+)*0V#8HP9*%,$)(``#>XS%1RL(YDQ8>XY9%"M&\KP M&&_=(64/2\RW]&,A2-T!#<9$P5[10*PWR,8 at .TK!E2QYA\2AY4BMB:Z9Y%>& MW at PAKZH1"&4V5-`C0&9G^E$*9>#P&.3"X7H at V,QTUWJ;.Y(7I#XJ at Y7$4(>M MEF8 at M0E('5:SU]8880I&`($)]*.%Q9`!8BAH[WHEN8;1W.%*-ZHP"(JK*O*> MX3GF=1:\5J:H%)!/NWO=D'X"@B?@&/%HM>S2$1AD`A`$@3$[`P$*:'R;]#"D MLL^-IH6D:9V`4&;)5S)#D?6#+Q%`09?+@\-1P&2EZ+KA!'00 at 2'3H)C:2%$. M&P:1<"93!SS/P8L-DY^7B!45-G"W#!LJ36N**\4B+V2C:<'2&'@E/R9"2BTW M]M!^D92&*,,A#`1>BJ#T@]DR[*B^W[R""XK@@BGT!@E*F9$;9@=<2*8!8D/8 M4]#<T-ZH9`XQE%HK'?*@'RET&@V[)H.5K/#._7SEV=".MK2G3>UJ6_O:V,ZV MMK?-[6Y[^]O@#K>XQTWN<IO[W.A.M[K7S>YVN_O=\(ZWO.=-[WK;^][XSK>^ M]\WO?OO[WP`/N,`'3O""&_S@"$^XPA?.\(8[_.$0C[C$)T[QBEO\XAC/N,8W /SO&.>_SC(`^YR$=.\G@# ` end - -----End Forwarded Message----- - -- Clemens Stiglechner a9401816 at unet.univie.ac.at compuserve: 100725,3222 0xE7A9BDE5 1024 bit - 1996/03/28 99 EC A6 35 0F 85 4D 0D 14 BA 81 D5 71 37 F8 8A -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXFzouKiyjznqb3lAQEWpQP/bJ01LVanoLiRAUlotLK2O9zxuN06TAZ9 n4FkJWN7dDcXAPLrlrgVlh//0sUnpgmGYeaP0+jrySv6OchtqGaRg6wlqvIIML6+ M+uxz9ntq1/AtEWEmRoYzI/PaPSWg9LtSGZotRukpXen47mKuQGqXvrusy/zbgzH x9g0ztmOeNM= =/o0z -----END PGP SIGNATURE----- From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 18:48:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 15 Apr 1996 09:48:44 +0800 Subject: "Contempt" charges likely to increase Message-ID: <01I3JIBPU6VW8Y5179@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 13-APR-1996 11:57:34.92 >Are you planning on affording them due process rights? Due Process rights are an interesting question in this regard. One, self-defense goes up against due process, particularly lethal self defense. One liberal justification for various bans or limits on lethal self defense (i.e., those against potentially lethal defense against property crimes - including preventing the criminal from making away with his stolen property) is that the criminal does not get due process. In such a case, it's usually reasonably obvious to the victim that self-defense is necessary, although others (such as, so far as I can tell, in the Goetz case) may not realize it. Two, who's going to apply the trial? As you've noted regarding overturning contempt charges, judges are very rarely willing to consider each other wrong (outside of the realm of appeals), much less sentence each other. Another instance of how judges tend to resist even the appointed mechanisms for removal can be found in the recent judicial commentary regarding a threatened impeachment for another judge; while they were correct in that case, the instance is instructive. This is a common tendency inside the government in general; cops are very loyal to one another, even when they're crooked. Seldom is anyone but an internal body (Internal Affairs) permitted to go after a cop (except with massive opposition by the police department), and even they are hated. >How about a trial, or does it merely take a single bidder with money to have >someone offed? The risk of innocents dying is a valid problem, and is the major reason that I have not "endorsed" assasination politics. The essential question is whether more innocents will die under such a system than do now, or under other proposed (non-violent) alternatives. The latter would be preferable, _if_ they work. As yet, I have hopes that they will; others, such as Mr. Bell, are more pessimistic. >Sounds like tyrrany of the rich to me. Unfortunately, it isn't. I say unfortunately because a tyrrany of the rich would be preferable to the tyrrany of the (incompetent) majority we've got currently; even the provisions in the Bill of Rights are removable by a super-majority. Of course, a tyrrany of no-one at all would be preferable, but I'm not sure if there's any way to do that. >> To whatever extent it exceeds those limits, and to >> whatever extent the public can't get justice to prevent those violations, >> why would the public be obligated to accept them? >Really Mr. Bell has recognized something important, though I'm not sure >even he realizes it. Specifically, that when his allies are so few in >number he must resort to general terrorism and low intensity conflict to >have any hope of success at all. This is essentially the moral problem of ends justifying the means; I do not regard this difficulty as solvable in any provable manner. >> To believe otherwise is to believe that the government has some sort of >> special dispensation to violate the law. I don't believe this; it wouldn't >> surprise me to hear that you do, however. Which is it? >I don't believe anyone has any special dispensation. It's all a question >of who can get away with it. For all your moaning and whining, you are [irrelevant material deleted] Essentially, can we stop _everybody_ from getting away with it, as you put it, or just some people? And if the latter, who should we stop? -Allen From weidai at eskimo.com Sun Apr 14 19:02:13 1996 From: weidai at eskimo.com (Wei Dai) Date: Mon, 15 Apr 1996 10:02:13 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604141422.KAA05302@jekyll.piermont.com> Message-ID: <Pine.SUN.3.93.960414145921.29416C-100000@eskimo.com> On Sun, 14 Apr 1996, Perry E. Metzger wrote: > At least partially broken, yes. I've forgotten the details. I believe > they were discussed at Eurocrypt. It may be that with the full number > of rounds that no one yet has a cryptanalysis but I don't recall and > it doesn't particularly matter from my perspective. It doesn't make much sense to condemn an iterated cipher based on attacks on reduced-round versions. Any such cipher becomes weak if you use sufficiently few rounds. Conversely, many broken ciphers become secure if you use sufficiently many rounds (in which case they also become too slow to be useful). I don't think there are currently any public attacks that seriously affect the security of Blowfish. On the other hand, if you ask cryptographers what they would use if they were not concerned with efficiency, I think most of them would say triple DES. Wei Dai From shamrock at netcom.com Sun Apr 14 19:03:46 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 15 Apr 1996 10:03:46 +0800 Subject: carrick, Blowfish & the NSA Message-ID: <v02120d4aad9726d82937@[192.0.2.1]> At 21:12 4/13/96, Jerry Whiting wrote: >Our marketing tag ("Encryption software so good, the Feds won't let us >export it.") may well become a self-fulfilling prophecy. But that's OK >because having others adopt carrick is our real goal. Building up a >strong U.S. user base is OK while we wrestle with the NSA over how big a >key length we can export. Their initial response was that 40-bit keys >were specific to RC2 and RC4 and that Blowfish was another kettle of fish >(bad pun intended). > >Either way we're going to publish an extensive FAQ on carrick that should >allow someone to not only work with carick but perhaps clone our efforts. >IANAL but my understanding is that publishing such a document, with or >without source code, and making it publicly available to non-U.S. citizens >is perfectly legal. I hope you are still going to publish source for US citicens? -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From aba at dcs.ex.ac.uk Sun Apr 14 19:17:53 1996 From: aba at dcs.ex.ac.uk (Adam Back) Date: Mon, 15 Apr 1996 10:17:53 +0800 Subject: Is crypt(1) a prohibited export? In-Reply-To: <Pine.BSI.3.91.960414014821.7867A-100000@newton.forequest.com> Message-ID: <199604142234.XAA00563@adam.test.net> Jeremey Barrett <jeremey at forequest.com> writes on cpunks: > [...] But since a one-way hash function (implemented as a one way > function) can't really be used for encrypted communication, One way hashes can be used to produce an block encryption system running in CFB mode, eg: Peter Gutmann's MDC. (CFB mode is where you encrypt an IV (just a random salt) with the key, and XOR the result with the data (you chaing the encrypting for subsequent blocks) -- to decrypt you just repeat the process, use the same IV and encrypt again. As you never actually use the block ciphers decrypt function, you can therefore (and this is what MDC does) use a one way hash in the place of a block encryption algorithm in CFB mode.) > I don't think it is subject to export restriction. They don't seem to be subject to export restrictions, but then perhaps that is paradoxical, perhaps they should be. (Well no crypto should be export restricted in my view naturally, but for logical consistency you understand...) It would in my view be a good thing if one way hash functions were declared to be non-exportable, as this would clearly hinder commerce, as they are used in signatures and authentication. Also I seem to remember that Dan Berntstien's case was based on the prior restraint in him not being free to discuss his method for turning a one way hash into a symmetric key function. Adam -- Exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 19:19:53 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 15 Apr 1996 10:19:53 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? Message-ID: <01I3JIYYDAEA8Y5179@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 14-APR-1996 00:37:25.93 >I tend to disagree. Ratings are generally consumed by parents and >otherwise custodial entities. The largest and richest market anywhere >has always been the 18-25 range, or 18-30 depending on who you talk to. >I don't have figures, but I think that internet users probably >prodominantely fall into 18-25/18-30. This age group generally could >care less. It's much easier to search by subject or key word than by >paying attention to ratings in any event. There is no real market for >ratings. If there were a strong market incentive for it, there would be >no need for government intervention, which there clearly is. Sure some >schools will purchase the services, maybe some parents, but this is a >long leap from major market and industry making entities. I'm not sure if the major use for ratings may not be searching for material that the raters don't like. I'd be interested in many things the fundys don't like, for instance. One could even do this via one of the "services" that mails out listings of places to be locked from kids - just sign up one of your anonymous employees, and get the data and put it on your anonymous web access site. Doing so - if you don't admit you've done it - may be cheaper than doing the research yourself. Of course, you'll need to check out each such site to make sure that it isn't a decoy that they've inserted. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 19:27:28 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 15 Apr 1996 10:27:28 +0800 Subject: washington post notices archives Message-ID: <01I3JIIUTEUU8Y5179@mbcl.rutgers.edu> From: tcmay at got.net (Timothy C. May) >1. Expect more and more of these sorts of copyright "cease and desist" (or, >as I like to say, "decease and cyst") orders, as newspapers and magazines >use search engines to find their stuff. Expect some "automated searches" to >be done routinely, even offered as services by third parties. ("Find >infringing copies...make $1000 a week in your spare time.") >4. Suppose the HKS archives were actually offshore, in the Cayman Islands >or in some place that doesn't recognize copyright law in the same way most >Western or Berne Convention countries do? In addition, what if the material is edited down to try to conform to fair use, as I do? First, you're still going to find it using the search engines - and will have to filter it out. Second, the hoster of the data, if locatable, will have to decide whether to respond to a legal threat and delete something that may be within such guidelines. Third, such guidelines may vary from country to country. >5. Suppose access to such archives is done via Web remailers, and the >location is not easily determinable? (To be sure, lots of hits means >traffic analysis will reveal the location....the same general problem with >"reply-blocks," of course.) To what degree could a remailer sense that its remailings are getting too predictable (susceptible to traffic analysis)? If it had some means of doing so (without keeping enough information to make subpoenaing it a profitable proposition), then it could do something like the random looping-back remailer chains, on an automatic basis to the degree needed to offset analysis. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 14 19:30:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 15 Apr 1996 10:30:56 +0800 Subject: Enforcing the CDA improperly may pervert Internet architecture Message-ID: <01I3JIQVU0U48Y5179@mbcl.rutgers.edu> From: IN%"alano at teleport.com" "Alan Olsen" 14-APR-1996 00:34:14.24 >What these schemes will do is shield children from anything resembling a >"controversial" discussion. (I expect Cypherpunks to be labeled as "could >cause criminal behaviour" or some such malarky by the more protective and >clueless. (It may be true, but why warn them upfront? ]:> )) You will see >the forces of "good" try and protect the little kidlets from anything that >might get them to think for themselves. It is already happening in some >sectors of public thought, I expect the net to become its next victim. The proposed standard wants to make kid-nonavailable material on "glorifying drug use" and gambling. In both these cases, many political arguments on the subject (i.e., those arguing that the substances or behaviors in question are less harmful than some suppose) would be classified as something that parents should be able to block out. -Allen From perry at piermont.com Sun Apr 14 19:40:26 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 10:40:26 +0800 Subject: RC4 licensening In-Reply-To: <3171774B.35F3@iconn.net> Message-ID: <199604142327.TAA05691@jekyll.piermont.com> Jack Mott writes: > Anyone know how much it costs to license RC4 Zero, since the thing was protected by trade secret, not patent, and it is no longer secret. However, it appears that the name "RC4" is a trademark and so you should probably use another name. I suggest "arcfour", which is the name of the known RC4 compatible cipher in SSH. Perry From orrin at redshift.com Sun Apr 14 19:44:12 1996 From: orrin at redshift.com (O.C.Winton WN1Z) Date: Mon, 15 Apr 1996 10:44:12 +0800 Subject: instructions for anon.penet.fi? please Message-ID: <317172B2.2121@redshift.com> Wonder if someone here could pls tell me how to go about finding out how to use the anonymous remail services @ anon.penet.fi. On the list please. Thank you. orrin at redshift.com http://www.redshift.com/~orrin From perry at piermont.com Sun Apr 14 19:57:20 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 15 Apr 1996 10:57:20 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <Pine.SUN.3.93.960414145921.29416C-100000@eskimo.com> Message-ID: <199604142325.TAA05683@jekyll.piermont.com> Wei Dai writes: > On the other hand, if you ask cryptographers what they would use if they > were not concerned with efficiency, I think most of them would say triple > DES. I'd say that for most applications these days one needn't worry too much. Almost all my internal communications these days inside my own LAN are encrypted. I hardly if ever notice performance issues. When I do, I decide if I don't care about the traffic (which sometimes is the case) and then I use RC4. Anyway, the point is that performance shouldn't be thought of as an issue unless you have a system built and in use and you find that it is a bottleneck. Often you would be surprised at how little of a bottleneck it really is. Perry From tcmay at got.net Sun Apr 14 20:14:17 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Apr 1996 11:14:17 +0800 Subject: Rot-weiler (Re: Is crypt(1) a prohibited export?) Message-ID: <ad96d87f070210049d80@[205.199.118.202]> At 9:45 PM 4/14/96, Bill Stewart wrote: >Actually, unless you specifically apply for permission, even rot13 isn't >exportable. >Unfortunately, this means it's illegal for me to make Rot13-Breaker's Workbench >available for ftp :-) S.Boxx made this available a couple of years ago--it was called "Rot-weiler." But it was bit of a dog. --Klaus From tcmay at got.net Sun Apr 14 20:18:15 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Apr 1996 11:18:15 +0800 Subject: key bit lengths Message-ID: <ad96d54106021004da68@[205.199.118.202]> At 5:59 PM 4/14/96, Jack Mott wrote: >In Applied Crypto, it talks about thermodynamic limitations of brute >force attacks. I did some calculations and it looks like it will take, >given a perfectly effecient computer, the combined energy of 509,485,193 >average supernovas to brute force a 256 bit key. I was just wondering if >there are any theoretical ways around this. I am just talking about >plain brute force here, not attacking other weaknesses. By "perfectly efficient" do you mean a computer which dissipates (uses) a kT per logical operation? If so, then calculations are easy to do. However, there are two theorized alternative approaches. First, disssipationless or "reversible" computing, a la Landauer, Bennett, Toffoli, Fredkin, Merkle, et. al. If actually feasible (and some of us are skeptical), then computation could be done with much less energy per logical operation than kT. Second, quantum computation, a la Deutsch, Shor, Bennett, et. al. (Yes, some of the same players.) See the work on quantum factoring. As with reversible computing, the energy consumption may be vastly less than the kT per logical operation usually considered to be the lower bound on energy needed. As I said, I am skeptical. Interested readers may want to track down several references: -- "Workshop on Physics and Computation," Proceedings, 1992, put out by the IEEE. -- a Santa Fe Institute publication, "Complexity, Entropy, and the Physics of Information," ed. W. Zurek. I have more references and discussion in my Cyphernomicon. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Apr 14 21:43:45 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Apr 1996 12:43:45 +0800 Subject: washington post notices archives Message-ID: <ad96d2eb050210044ddc@[205.199.118.202]> At 10:38 PM 4/14/96, E. ALLEN SMITH wrote: > In addition, what if the material is edited down to try to conform to >fair use, as I do? First, you're still going to find it using the search >engines - and will have to filter it out. Second, the hoster of the data, if >locatable, will have to decide whether to respond to a legal threat and delete >something that may be within such guidelines. Third, such guidelines may vary >from country to country. "Fair use" is very tricky. The Church of Scientology files lawsuits against even those that mention that Saint Ron believed the Key to Becoming Clear lay in communicating with plants. And if the editors of a newspaper want to file suit, they can. In fact, newspapers don't necessarily have more copyright rights than others do. What if a person like me demands that an archive site remove articles by me? I have not signed any waivers authorizing an archive site to distribute, sell, trade, or otherwise disperse my articles! (Recall the controversy some years back when a compilation of jokes from rec.humor.* was sold, without compensation to the joke authors. Changes are being proposed in copyright law. Maybe good, maybe bad. I don't follow the controversy. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From shamrock at netcom.com Sun Apr 14 22:03:05 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 15 Apr 1996 13:03:05 +0800 Subject: RC4 licensening Message-ID: <v02120d51ad975a9b17ff@[192.0.2.1]> At 18:08 4/14/96, Jack Mott wrote: >Hello Cypherworld, > Anyone know how much it costs to license RC4 or how RSA has been >handling the whole situation? Who cares how much it costs to license RC4. Just use the fully compatible freeware RS4 (I believe?) code. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From adam at lighthouse.homeport.org Sun Apr 14 22:05:41 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 15 Apr 1996 13:05:41 +0800 Subject: Hobsian interpretations of Snow Crash ( was No matter where you go...) In-Reply-To: <199604132331.TAA01039@jekyll.piermont.com> Message-ID: <199604150240.VAA17552@homeport.org> Perry E. Metzger wrote: | Adam Shostack writes: | > Perry E. Metzger wrote: | > | > | Adam Shostack writes: | > | > Snow Crash is a book about a future in which governments are | > | > ineffective. Companies run things, and have complete local control. | > | > The world has gone to hell, and as a result, life is nasty, poor, | > | > brutish and short. Many people do not look forward to this world. | > | | > | Snow Crash is hardly scary. You have characterized it as a | > | story where life is nasty brutish and short but that isn't the same | > | book that I read. at all. | > | > The CIA privatized & selling data to all comers? An | > unstoppable wave of illegal immigration coming to California? Sounds | > pretty scary to many people. There are other readings, but that one | > is there. | | Lets be concrete. You say that life in the book is nasty, brutish and | short. The book does not depict people's lives as being short, and it | especially does not appear that most people living in that world have | lives that end in violence. Furthermore, it doesn't depict their lives | as nasty -- it seems like America only more so, with ever escalating | guarantees that your pizza will be delivered on time and fairly normal | lives being lead. Given that 'nasty, poor, brutish and short' is clearly an allusion to Hobbes, I'm not sure I should defend it literally. However, I'd see life in a converted self store (where Hiro & Vitaly live), or in a job with a lie detector test every 2 weeks (such as YT's mom is forced into), or working in a computer industry where brains get fried (da5vid), as nasty. See below for brutish. | As for illegal immigration, I saw no depiction of it in the book, and | so far as I can tell the legal structure depicted in the book has no | such concept as "illegal immigration". And how do you think the people panicking over the raft's arrival see the 'yellow peril?' I would expect that parts of the remaining US government are quite distraught over it, and consider it illegal. | I can't see that you read the same book. | | As the cypherpunks significance of this is rapidly vanishing, I'd | suggest that this be taken to private mail. The Cypherpunks relevance is that you & I see Snow Crash as a neat place to live, while Dorothy sees it as a hell. I'm attempting to explain that viewpoint. If you'd like to continue in private mail, thats fine. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Sun Apr 14 22:11:47 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Apr 1996 13:11:47 +0800 Subject: [fwd] Undeliverable Message Message-ID: <199604150209.TAA04585@toad.com> It's not encrypted - it's just Unix :-) The "begin 600 attach.Z" tells you it's uuencoded, which is a way of representing binary data in ASCII to make it safe for mailing, and that the resulting file is named "attach.Z". This looks very much like something compressed with the Unix compress program, so you can use uncompress or gunzip to uncompress it. Inside that is a binary file, starting off with characters that look like a Unix "tar" archive format; there are some headers including filenames and nulls, followed by ASCII files. So use a tar program to unpack it. Bill At 11:59 PM 4/14/96 +0200, Clemens Stiglechner <a9401816 at unet.univie.ac.at> wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >It seems that mailer-daemon at usafa.af.mil is running amok; it has >sent 64 *different* *encrypted* messages to the Hemingway List within >6 hours until now. I just wonder which kind of encryption _they_ might >use. Here is the first one: .... >begin 600 attach.Z >M'YV0:=R,>7/&31HZ;URTF7,&@,.'$"-*G$BQHL6+&"N"V&@#!@P0`#:"B$&# # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From steve at edmweb.com Sun Apr 14 23:44:51 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 15 Apr 1996 14:44:51 +0800 Subject: key bit lengths In-Reply-To: <31713CED.42E2@iconn.net> Message-ID: <Pine.BSF.3.91.960414193845.21140A-100000@kirk.edmweb.com> > force attacks. I did some calculations and it looks like it will take, > given a perfectly effecient computer, the combined energy of 509,485,193 > average supernovas to brute force a 256 bit key. I was just wondering if I'd be interested to see those calculations. If 128 bit keys would require sqr(509485193) supernovas, I think we probably don't need to go much higher with the number of bits. OTOH, if the feds can somehow figure out how to convert all the matter in the solar system into energy, they might be able to get enough energy... e=mc^2... But, there wouldn't be anywhere to put the computers. :) While we're exchanging calculations.... I've done some simple calculations myself (which have probably already been done, but anyway...), regarding 128 bit keys, assuming a billion (10**9) computers trying a billion keys per second... I heard it would take an average of 6 billion years to crack a 128 bit key with those resources, but my calculations (using GNU bc v1.02 under FreeBSD) figure it at over 5 trillion years... echo "2^128 / 10^9 / 10^9 / (60 * 60 * 24 * 365.25)" | bc 10782897524556 With commas, that's 10,782,897,524,556 years. Cut that in half (for average cracking time), it comes to 5,391,448,762,278 years. I don't know where I heard the 6 billion year figure, it might have been in the Wired Cypherpunks article, but I think I read it somewhere else as well... Is my calculation okay? Similar calculation... Assume you have a 384 bit key that you want to brute-force, and you have 10^73 computers trying 10^9 calculations per second. (Last I heard, 10^73 is the number of particles in the universe). echo "2^384 / 10^73 / 10^9 / (60 * 60 * 24 * 365.25)" | bc 124857423240026108488221664 That's an impressive number. :) As an aside, I've heard that "billion" and "trillion" are different in different parts of the world... Western British billion 10^9 10^12 trillion 10^12 10^18 A British friend mentioned to me that they are different... We checked with American and British dictionaries to get those figures. AFAICS, Canada seems to use the American system. Weird, eh? ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From JonWienke at aol.com Mon Apr 15 00:05:29 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Mon, 15 Apr 1996 15:05:29 +0800 Subject: Watch your language, Shabbir. Message-ID: <960414214548_469881389@mail02.mail.aol.com> In a message dated 96-04-14 15:10:21 EDT, you write: >I see no legal reason why wiretaps should have the "features" listed above. >There is a certain practical reason they can: Due to the nature of >wiretapping, it is not physically necessary to show up to do the tap, or >tell those targeted, or tell them after the tap has been disconnected. >However, it seems very unlikely that the mere fact that an invention allows >a kind of search that was possible before, should automatically change the >interpretation of the Constitution to allow that search. > >If a new invention allowed the cops to walk through walls untraceably, would >that automatically mean that the normal protections that search warrants are >supposed to provide are no longer valid? I don't think so! Mandating that phone companies allow wiretaps is analogous to mandating that all houses be constructed of Plexiglas, with the shades on the outside, so the gov't can look in at their leisure. From markm at voicenet.com Mon Apr 15 00:23:27 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 15 Apr 1996 15:23:27 +0800 Subject: PGPCrack Message-ID: <Pine.LNX.3.92.960414212045.1225A-100000@gak> [ I tried sending this a couple days ago, but apparently no mail I sent that day ever got delivered. My apologies if any one has already received this. -- Mark ] -----BEGIN PGP SIGNED MESSAGE----- I have written a UNIX program that will brute-force crack a PGP conventionally encrypted file using a dictionary of passphrases. I am working on making it possible to break secret keys also. If you have any suggestions or bug reports, feel free to e-mail them to me. The URL is: http://www.voicenet.com/~markm/pgpcrack5b.tar.gz The MD5 hash of this file is 46aa9e37020ac2efce73d870fe1acbdc. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMW6j0LZc+sv5siulAQETGAQAnKr1n/OnWS6CpQqTQSRAJhTTCkq1zP8N l0QZYKrvO9i3EE0uXYF88EIXludrXq2mzEZCOeh4vjF0Ym8KEc82gUdRwAfxPxTU YxHylDI56PdvgLwRBAoBiGTaUZwajM+sEtvJaH1fYshPR7neTF+Aw3YL+cMQ/iQt PMFKXEM9GWQ= =fgA8 -----END PGP SIGNATURE----- From roger at coelacanth.com Mon Apr 15 00:26:23 1996 From: roger at coelacanth.com (Roger Williams) Date: Mon, 15 Apr 1996 15:26:23 +0800 Subject: [fwd] Undeliverable Message In-Reply-To: <3171755D.5A09@unet.univie.ac.at> Message-ID: <9604150435.AA4358@sturgeon.coelacanth.com> >>>>> Clemens Stiglechner <a9401816 at unet.univie.ac.at> writes: > ... 64 *different* *encrypted* messages... Here is the first one: > begin 600 attach.Z Huh -- *what* encrypted message? As the header implies, attach.Z is a very ordinary uuencoded compressed ASCII text attachment (full of "VNM3043 -- MAILBOX IS FULL" messages). -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From mhinze at why.net Mon Apr 15 00:29:16 1996 From: mhinze at why.net (Matt Hinze) Date: Mon, 15 Apr 1996 15:29:16 +0800 Subject: [NOISE] Consolidation of threads ... In-Reply-To: <v01540b0cad96f6491958@[193.239.225.200]> Message-ID: <3171ce98.12537811@why.net> >OK, I have a proposal that consolidates two threads that have been >discussed recently. How about proposing legislation that mandates that a >byte is now 9 bits instead of 8. This would allow the ninth bit to be the >decent/indecent bit, thereby solving all of our problems. The question of decency is still a fundamental problem. What is decent? What is indecent? Who decides? Plus, wouldn't it be difficult to *legislate* an additional bit? How would one implement that into transfer protocols and the like? From frantz at netcom.com Mon Apr 15 00:42:51 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 15 Apr 1996 15:42:51 +0800 Subject: X.25 [NOISE] Message-ID: <199604150450.VAA12551@netcom9.netcom.com> At 2:45 PM 4/14/96 -0700, Bill Stewart wrote: >And, yes, it's [X.25] a lousy environment to do full-duplex character >echo over. I implemented and have been supporting a system with full-duplex character echo over X.25. I can only agree with Bill Stewart's assessment, but you hold your nose and do it. I have learned that an X.25 "standard" network is about as standard as a K&R C compiler. Sure you can talk to the network, but each network is different in what you have to do to get it to send you the ASCII characters so you can echo them. Many times you have to use non-standard, network specific extensions. I am also responsible for getting Zmodem style data transfers to work. To make it work means the network must be fully 8-bit transparent, AND send the last chunk of data eventually (within a few seconds) to complete the transfer. Don't even ask about getting Zmodem transfers working thru X.25 to various "Unix" systems. Now you know why I claimed the title, "Wizard of Trailing Edge Technology" in Dogbert's New World Order. Regards - Bill [To be complete, I also do work in electronic commerce, Java and other things you see on this list.] ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ses at tipper.oit.unc.edu Mon Apr 15 01:31:30 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 15 Apr 1996 16:31:30 +0800 Subject: RC4 licensening In-Reply-To: <v02120d51ad975a9b17ff@[192.0.2.1]> Message-ID: <Pine.SOL.3.91.960414222327.29016C-100000@chivalry> On Sun, 14 Apr 1996, Lucky Green wrote: > At 18:08 4/14/96, Jack Mott wrote: > >Hello Cypherworld, > > Anyone know how much it costs to license RC4 or how RSA has been > >handling the whole situation? > > Who cares how much it costs to license RC4. Just use the fully compatible > freeware RS4 (I believe?) code. Well, if you're using RC4, you're probably using some sort of public-key based key exchange, which you're probably going to need to licence, and BSAFE is the easiest way to do that, so RC4 is pretty much a freebie Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Mon Apr 15 02:31:09 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 15 Apr 1996 17:31:09 +0800 Subject: key bit lengths Message-ID: <ad9713050002100436c2@[205.199.118.202]> At 6:21 PM 4/14/96, Mark M. wrote: >I doubt it. This calculation is based on the minimum amount of energy >needed to invert a bit. The amount of energy is a function of the temperature, >so a brute force attack might take much less energy several billion years >hence, since the universe will cooled off more. There only way for there to >be any way around this, is if a way was found to lower the termperature to >near absolute zero consuming a very little amount of energy, or if some way >was found to invert a bit using less energy than is currently believed (very >doubtfull). Of course, if P=NP, then brute-force attacks will be pointless. A late April Fool's joke, methinks? Arguing that in "several billion years" the "temperature" of the universe will have anything to do with computation....well, your physics is all wrong. The approximate figure, kT, for the minimum energy in a conventional bit flip, can be reduced by simple cooling. Not a problem. And what the so-called "average temperature" of the Universe may be in, say, 10 billion years, will not affect computation. Fusion will still occur, stars will still burn, sunshine will still produce heat. And so on. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Mon Apr 15 02:38:35 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 15 Apr 1996 17:38:35 +0800 Subject: Enemies R Us [Political Rant] In-Reply-To: <960414163840_271703650@emout08.mail.aol.com> Message-ID: <Pine.ULT.3.92.960414215916.11233A-100000@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- [I've done my best to make this somewhat relevant, and to ignore most of the obvious trolls.] On Sun, 14 Apr 1996 JonWienke at aol.com responded to an anonymous troll: > >At the same time, however, as Federal agencies proceed with > >traditional means of intelligence gathering (as in the > >Unabomber case), and Congress ponders a new anti-terrorism > >bill (stalled by the gun lobby and civil libertarians), > >efforts to fight domestic terrorism are being supplemented > >more than ever by private human rights organizations that > >track the fringe right with their own networks. They willingly > >share information with law enforcement agencies, branches of > >the military and reporters. > > If Federal LEO's are getting so much help from volunteer snitches, why > do we need the anti-terrorism bull? :) We don't. Not that the "volunteer snitches" are anywhere near as important ans they think they are. Most LEO types will just blow them off, because there isn't probable cause. Where the private orgs come into play is *after* some wacko goes postal, and the government wants expert witnesses. This raises some interesting questions about the power of private data collection and data havens, though. There is something to be said for the rule of law. At least the government is somewhat accountable, and will always be "infiltrated" by professional bureaucrats who care about human rights. Private organizations are more ideologically coherent and less likely to open their affairs to public scrutiny. > >Most of the human rights organizations were actively > >campaigning against racism and anti-Semitism long before the > >Oklahoma City bombing on April 19, 1995 and the arrest of two > >suspects with links to militia groups. And with many of the > >right-wing groups now hiding racist views beyond a more > >acceptable veneer of anti-government oratory, the human rights The more I get into this, the more backwards this sounds. As a FUCKING STATIST, I'm a lot more comfortable with certain racists than with anti-government zealots of any political persuasion. This assumes, of course, that the racists lack sufficient power to put their genocidal ideas into practice. > >At least two of them -- the Southern Poverty Law Center in > >Montgomery, Ala., and the Simon Wiesenthal Center in Los > >Angeles -- use undercover operatives. Both organizations had > >spies attend a convention last weekend in Lake Tahoe that > >attracted hundreds of Christian Identity followers to hear a > >speech by Randy Weaver, the white separatist whose wife and > >son were killed three years ago in a siege by Federal agents > >in Ruby Ridge. "Undercover operatives" is much too maudlin. I went under my own name, said hello to a few folks. Weaver is a fucking lunatic, but the skiing was good. > >Since the Oklahoma City tragedy, numerous "Patriot" terrorist > >plots have been discovered, including plans to poison federal > >employees in Minnesota and conspiracies to blow up a federal > >courthouse in Spokane and an IRS building in Reno. An AmTrak > >train was derailed by a group calling itself "Sons of the > >Gestapo." > > Which turned out to have been done by a disgruntled former railroad employee > who left the "sons of gestapo" note as a red herring. Could you at least > stick to propaganda that has at least some basis in fact? This is news to me. What's your source for this? > Explosives thefts are nothing new. Regulation of explosive materials is. > Explosives and poisons can be made out of commonly available materials. If > this is such a problem, how come this country wasn't bombed and poisoned into > oblivion 50 years ago? 50 years ago, American citizens of Japanese descent were just being let out of "internment camps," and the State of Mississippi was keeping files on 87,000 "political subversives" -- never mind the FBI. I'm not a big fan of the bad, old days. 30 and 76 years ago, many parts were bombed. Berkeley. Ronald Reagan. Sacco & Vanzetti. Eugene Debs. Attorney General A. Mitchell Palmer. Forget everything you've ever been told about "right" and "left"; it's the same people, really, fighting for the same things, mostly. > >+ Learn about the "Patriot" movement and share your knowledge > >with others > > Absolutely, yes, hallelujah, preach it brother! You might want to chesk out > other sources than the SPLC, however. The best way to find out what views an > organization holds is to directly contact the organization, rather than a > member of the opposition with an axe to grind. You're joking, right? To learn what the Church of Scientology is really about, see http://www.theta.com/ To learn what Watergate was really about, visit the Nixon Presidential Library. To learn what the IRA is really about, talk to Gerry Adams. To learn what the Cuban Revolution is really about, talk to Castro or your local "Pastors for Peace" propagandist. No, the only way to learn about an organization is to JOIN IT. You should see the mail I'm getting now. > I find it disgusting that a radical left-wing propaganda outlet like the > SPLC can legally call itself a "charity." Don't worry, Newt is working on it. - -rich http://www.c2.org/~rich/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXHqX43DXUbM57SdAQEJ9QP/e1BASvp//RnwJieTnkQYuS+x6SUZ0S7m Vbny4r0Eu7HYUWIyAsMHrme19P/AUVbbxc0O0Ar+uRILfiFkTjM9xIVe6SOTIelX y3CX96icMObnj5UP5NGcYXJAg11/bAdDlEHWFezXg/qgGdkpzH2iUOhV33gmVwiJ vLd7DhHORcg= =XEvm -----END PGP SIGNATURE----- From mpd at netcom.com Mon Apr 15 02:46:13 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 15 Apr 1996 17:46:13 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604150519.WAA09619@toad.com> Message-ID: <199604150622.XAA07542@netcom4.netcom.com> On Fri, 29 Mar 1996, Mike Duvos wrote: > On a more serious note, does anyone know what is happening > with Arjen Lenstra and RSA-130? Last I heard back in late > December, FAFNER, the magic WWW sieving dragon, had collected > more than enough relations from participants to yield a > factorization. Surely they have not spent an additional four > months crunching the big boolean matrix at CWI. On Sat, 30 Mar 1996, Wei Dai wrote: > Apparently the Cray they are using to crunch the matrix is > busy with higher priority users and they have not been able > to squeeze in enough CPU time. I was told at the beginning > of March that they didn't expect to finish before late > April, but now it looks like the job will take another two > to three months. Anyone got a spare supercomputer laying > around? On Sun, 14 Apr 1996, Arjen Lenstra wrote: > On April 10, 1996, we found that [RSA-130] has the following > factorization > RSA-130 = 39685999459597454290161126162883786067576449112810064832555157243 > * 45534498646735972188403686897274408864356301263205069600999044599 [deletia] > Using Peter Montgomery's Cray implementation of his blocked > Lanczos algorithm (cf. [M95]), it took 67.5 CPU-hours and > 700 Mbyte central memory on the Cray-C90 at the SARA > Computer Center in Amsterdam to do the linear algebra. It appears that the estimates of "another two to three months" were overly pessimistic. Does anyone know how big a check Jim Bidzos has to write for this one? Also, a ballpark guess of how this result extrapolates to the MIPS years required to factor a 512 bit PGP key would probably be of interest to all. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ravage at ssz.com Mon Apr 15 02:48:20 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 15 Apr 1996 17:48:20 +0800 Subject: Heat death of the universe Message-ID: <199604150448.XAA18708@einstein.ssz.com> Forwarded message: > Date: Sun, 14 Apr 1996 21:19:27 -0700 > X-Sender: tcmay at mail.got.net > Subject: Re: key bit lengths > > A late April Fool's joke, methinks? Arguing that in "several billion years" > the "temperature" of the universe will have anything to do with > computation....well, your physics is all wrong. > > The approximate figure, kT, for the minimum energy in a conventional bit > flip, can be reduced by simple cooling. Not a problem. And what the > so-called "average temperature" of the Universe may be in, say, 10 billion > years, will not affect computation. Fusion will still occur, stars will > still burn, sunshine will still produce heat. And so on. > True, but there will be considerably fewer of them doing it. Jim Choate From shamrock at netcom.com Mon Apr 15 02:55:41 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 15 Apr 1996 17:55:41 +0800 Subject: instructions for anon.penet.fi? please Message-ID: <v02120d56ad979d984034@[192.0.2.1]> At 14:48 4/14/96, O.C.Winton WN1Z wrote: >Wonder if someone here could pls tell me how to go about finding >out how to use the anonymous remail services @ anon.penet.fi. >On the list please. Thank you. Send email, any subject, any message body, to help at anon.penet.fi -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From timd at consensus.com Mon Apr 15 03:34:04 1996 From: timd at consensus.com (Tim Dierks) Date: Mon, 15 Apr 1996 18:34:04 +0800 Subject: RC4 licensening Message-ID: <v02140b00ad977b97b135@[205.149.165.24]> At 6:08 PM 4/14/96, Jack Mott wrote: > Anyone know how much it costs to license RC4 or how RSA has been >handling the whole situation? If, for whatever reason, you decide to license RC4 from RSA, you have two options: you can license BSAFE from RSA, or you can license RSAREF from Consensus Development, which will soon be available with an RC4/RC2 implementation. Costs vary. It's my understanding that RSA has threatened legal action against anyone shipping RC4 without a license, but I don't know of any lawsuits that have been filed. - Tim Dierks Disclaimer: I am an employee of Consensus Development. Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From hal9001 at panix.com Mon Apr 15 03:59:24 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 15 Apr 1996 18:59:24 +0800 Subject: [Political Rant] Was: examples of mandatory content rating? Message-ID: <v02140b04ad97a0080cf4@[166.84.254.3]> At 18:52 4/14/96, E. ALLEN SMITH wrote: >I'm not sure if the major use for ratings may not be searching for >material that the raters don't like. I'd be interested in many things the >fundys don't like, for instance. One could even do this via one of the >"services" that mails out listings of places to be locked from kids - just >sign up one of your anonymous employees, and get the data and put it on your >anonymous web access site. Doing so - if you don't admit you've done it - may >be cheaper than doing the research yourself. Of course, you'll need to check >out each such site to make sure that it isn't a decoy that they've inserted. When you do the checking, make sure it is from an IPN that does not point back at you (or at least only points to a Server Supplied not a Dedicated IPN). You might also want to watch out for "Canary Trap" Decoys (where each list has an unique set of Decoys [or at least one unique Decoy] so they can tell which copy was compromised). I'm assuming that the Decoy is a "valid" [possibly virtual] domain address which is being logged. From wolv at infosys.utm.my Mon Apr 15 04:29:27 1996 From: wolv at infosys.utm.my (Ramli Bin Jaafar) Date: Mon, 15 Apr 1996 19:29:27 +0800 Subject: Trojan Horse Loose On The Internet Message-ID: <19960415073947953.AAA74@Executioner.utm.my> According to several reliable sources there is a deadly virus on the Internet. This is NOT a hoax! CAN ANYBODY CHECK THIS OUT, PLEASE.. Note: The reliability of all information below is UNKNOWN. WHAT: Virus Alert: PKZIP 3.0 Trojan Loose on the Internet BACKGROUND: A trojan (virus) program, PKZIP 3.0, which is advertised as an updated version of the popular compression utility PKZIP, is currently being distributed on the Internet. Please note that this trojan is REAL and DESTRUCTIVE. Once executed, this program will destroy data on your hard drive; there's no stopping it. According to PKWARE, makers of PKZIP, the only released versions of PKZIP are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating on the Internet are suspect and should not be used. ACTION REQUIRED: Please do not download or execute any files that are named PKZ300B.EXE, PKZ300B.ZIP, PKZIP300.ZIP, PKZIP300.EXE, etc. from the Internet or other external source. Anybody with any information on this..?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Best Regards, _\|/_ Q(@ @)Q |-------------------oOO-(_)-OOo--------------------| | If I can, it doesn't mean that I will. | |--------------------------------------------------| | Ramli Bin Jaafar | |Faculty Of Computer Science And Information System| | University Technology Of Malaysia, | | 80990 Johor Baharu, | | Johor Darul Takzim, | | Malaysia. | | Tel: (607)-5576160 ext: 3593 | |--------------------------------------------------| | E-mail: wolv at infosys.utm.my | | ramli at raptor.utm.my | | wolv at cyberspace.org | |--------------------------------------------------| From jim at ACM.ORG Mon Apr 15 04:36:16 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Mon, 15 Apr 1996 19:36:16 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604150622.XAA07542@netcom4.netcom.com> Message-ID: <199604150751.AAA06516@mycroft.rand.org> mpd at netcom.com (Mike Duvos) writes: >one? Also, a ballpark guess of how this result extrapolates to >the MIPS years required to factor a 512 bit PGP key would >probably be of interest to all. I don't have a good guess for this, but Arjen did say that the cost to break RSA-130 was a fraction of what it cost to break RSA-129 because of the improved algorithm, so I'd guess we'll find out soon. The next target of the consortium is planned to be RSA-155, I believe, which is above 512 bits; that means skipping RSA-140 to go for the one with the higher psychological value. While 512-bit PGP keys are interesting to Cypherpunks, other 512-bit RSA keys are vitally important to some banks. Jim Gillogly Trewesday, 25 Astron S.R. 1996, 07:50 From timd at consensus.com Mon Apr 15 04:59:11 1996 From: timd at consensus.com (Tim Dierks) Date: Mon, 15 Apr 1996 19:59:11 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research Message-ID: <v02140b00ad97b6a6eca6@[205.149.165.24]> At 12:51 AM 4/15/96, Jim Gillogly wrote: >mpd at netcom.com (Mike Duvos) writes: >>one? Also, a ballpark guess of how this result extrapolates to >>the MIPS years required to factor a 512 bit PGP key would >>probably be of interest to all. > >I don't have a good guess for this, but Arjen did say that the cost to >break RSA-130 was a fraction of what it cost to break RSA-129 because >of the improved algorithm, so I'd guess we'll find out soon. The next >target of the consortium is planned to be RSA-155, I believe, which is >above 512 bits; that means skipping RSA-140 to go for the one with the >higher psychological value. While 512-bit PGP keys are interesting to >Cypherpunks, other 512-bit RSA keys are vitally important to some banks. Also, note that 512 bits is the current exportable limit for RSA encryption. - Tim Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From stewarts at ix.netcom.com Mon Apr 15 05:07:36 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 15 Apr 1996 20:07:36 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research Message-ID: <199604150519.WAA09619@toad.com> From: alenstra at fwi.uva.nl (A. Lenstra) Newsgroups: sci.crypt.research Subject: new factorization record Date: 14 Apr 1996 10:35:20 GMT Organization: FWI, University of Amsterdam, Bellcore Lines: 189 Message-ID: <4kqkd8$g37 at net.auckland.ac.nz> Summary: factorization of RSA-130 using the Number Field Sieve Keywords: factoring, Number Field Sieve, RSA On April 10, 1996, we found that RSA-130 = 18070820886874048059516561644059055662781025167694013491701270214\ 50056662540244048387341127590812303371781887966563182013214880557 has the following factorization RSA-130 = 39685999459597454290161126162883786067576449112810064832555157243 * 45534498646735972188403686897274408864356301263205069600999044599 This factorization was found using the Number Field Sieve (NFS) factoring algorithm, and beats the 129-digit record that was set on April 2, 1994, by the Quadratic Sieve (QS) factoring algorithm (cf. [AGLL]). The amount of computer time spent on this new 130-digit NFS-record is only a fraction of what was spent on the old 129-digit QS-record (see below for details). For information about NFS, see [LL]. For additional information, implementations and previous large NFS factorizations, see [BLZ, DL, E, GLM]. We used the polynomial 5748,30224,87384,05200 X^5 + 9882,26191,74822,86102 X^4 - 13392,49938,91281,76685 X^3 + 16875,25245,88776,84989 X^2 + 3759,90017,48552,08738 X - 46769,93055,39319,05995 and its root 125,74411,16841,80059,80468 modulo RSA-130. This polynomial was selected from a list of 14 candidates provided by Scott Huddleston, after extensive sieving experiments carried out by Joerg Zayer at the University of Saarland. Sieving was done on a great variety of workstations at many different locations: 28.37% by Bruce Dodson (Lehigh University) 27.77% by Marije Elkenbracht-Huizing (CWI, Amsterdam) 19.11% by Arjen K. Lenstra (Bellcore) 17.17% by contributors to the www-factoring project (organized by Jim Cowie, Wojtek Furmanski, and Arjen Lenstra, among others) 4.36% by Matt Fante (IDA) 1.66% by Paul Leyland (Oxford University) 1.56% by Damian Weber (University of Saarland) Except for a relatively small part of the contribution of the CWI and the entire contribution by the University of Saarland, all contributors used the NFS sieving program that was developed at Bellcore. This program uses `lattice sieving with sieving by vectors' as introduced by Pollard in [P], and is based on the implementation described in [GLM]. The main difference is the more liberal use of `special q-primes' that define the lattices (see also [E]). Unlike [GLM], these special q's do not necessarily belong to the factor base (as is the case in [P]); this idea can also be found in [B]. Another difference is the more liberal interpretation of the factor base sizes, which results in a much more flexible memory usage. These changes allowed us to run the sieving program in parallel on almost any number of processors, as long as they have at least about 6 megabytes of memory. This was exploited in the Web-based sieving effort, which used a collection of CGI scripts ("FAFNER", from Cooperating Systems Corporation) to automate and coordinate the flow of tasks and relations within the globally distributed network of anonymous sieving clients. As a consequence almost any user of the Web can contribute to future, larger factoring efforts, simply by a few appropriate mouse clicks. The changes also made it hard to estimate how much time was spent on the sieving stage, because the performance of the siever strongly depends on the amount of memory it gets. We can say, however, that we would have spent about 500 mips years (i.e., 10% of the computing time spent on the 129-digit QS-record) if we had done all the sieving on average workstations with at least 24 megabytes of memory. Sieving started in September 1995, initially on a very limited number of workstations. The Web-based sieving started relatively late, in December 1995. Relations were collected and merged and duplicates were removed at Bellcore. On Jan 14, 1996, we had 56,515,672 unique relations. In uncompressed ASCII format, with only the primes >2000000 listed per factorization, storage of the relations required more than 3.5 gigabytes. With a rational factor base of 250,001 elements (the primes <= 3,497,867) and an algebraic factor base of 750,001 elements (ideals of norm <= 11,380,951), the breakdown of full and partial relations is as follows. \ number of prime ideals of norm > 11,380,951: \________ 0 1 2 3 4 5 6 number of \ rational \_____________________________________________________________ primes > | 3,497,867 | | 0 | 48400 479737 1701253 1995537 6836 403 9 1 | 272793 2728107 9617073 11313254 39755 2212 44 2 | 336850 3328437 11520120 13030845 56146 3214 71 3 | 1056 9022 24455 0 0 0 0 4 | 3 9 31 0 0 0 0 The first successful dependency used 4143834 relations, of which 3506 were free relations. The breakdown of large prime ideals amongst the other contributing relations is as follows. 0 | 24242 154099 330738 255742 1054 52 1 1 | 75789 443647 885136 648148 2734 164 2 2 | 56326 300369 565605 389046 1923 131 4 3 | 182 776 1105 0 0 0 0 4 | 2 4 7 0 0 0 0 Once every week during the collection the cycles were counted at Bellcore. The final collection of 56,467,272 relations with one or more large primes generated 2,844,859 cycles. In these cycles 18,830,237 (33.3%) of the partial relations occurred (i.e., were useful). As in our previous NFS factorizations, we witnessed an explosion in the number of cycles, with first a sharp increase in the number of useful relations, followed by a sudden growth of the number of cycles: # partials # usefuls # cycles 41,319,347 47,660 16,914 45,431,262 8,214,349 224,865 53,282,421 11,960,120 972,121 56,467,272 18,830,237 2,844,859 Using the approach sketched in [DL], these data resulted in a 3,504,823 x 3,516,502 matrix of total weight 138,690,744 (on average 39.4 entries per column). Using Peter Montgomery's Cray implementation of his blocked Lanczos algorithm (cf. [M95]), it took 67.5 CPU-hours and 700 Mbyte central memory on the Cray-C90 at the SARA Computer Center in Amsterdam to do the linear algebra. This resulted in 18 useful dependencies. These were processed on 1 processor of an SGI Challenge (150 MHz R4400SC processors) using Peter Montgomery's square root program (cf. [M93]), which took 49.5 hours per dependency (with initial numerator and denominator of approximately 9.7 million decimal digits). The factorization was found by the third dependency. It is likely that slightly more sieving (and therefore more partials) would have led to substantially smaller (and easier) matrix and square root problems. Arjen K. Lenstra, Bellcore, April 11, 1996 with Jim Cowie Marije Elkenbracht-Huizing Wojtek Furmanski Peter L. Montgomery Damian Weber Joerg Zayer Acknowledgements are due to the contributors, and to the Dutch National Computing Facilities Foundation (NCF) for the use of the Cray-C90 supercomputer. [AGLL] D. Atkins, M. Graff, A.K. Lenstra, P.C. Leyland, THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE, Proceedings Asiacrypt'94, Lecture Notes in Comput. Sci. 917, (1995) 263-277. [B] D.J. Bernstein, The multiple-lattice number field sieve, Chapter 3 of Ph.D. thesis, ftp://koobera.math.uic.edu/pub/papers/mlnfs.dvi. [BLZ] J. Buchmann, J. Loho, J. Zayer, An implementation of the general number field sieve, Proceedings Crypto'93, Lecture Notes in Comput. Sci. 773, (1994) 159-165. [DL] B. Dodson, A.K. Lenstra, NFS with four large primes: an explosive experiment, Proceedings Crypto 95, Lecture Notes in Comput. Sci. 963, (1995) 372-385. [E] R.M. Elkenbracht-Huizing, An implementation of the number field sieve, Technical Report NM-R9511, Centrum voor Wiskunde en Informatica, Amsterdam, 1995. To appear in Experimental Mathematics [GLM] R. Golliver, A.K. Lenstra, K.S. McCurley, Lattice sieving and trial division, Algorithmic number theory symposium, proceedings, Lecture Notes in Comput. Sci. 877, (1994) 18-27. [LL] A.K. Lenstra, H.W. Lenstra, Jr., The development of the number field sieve, Lecture Notes in Math. 1554, Springer- Verlag, Berlin, 1993 [M93] Peter L. Montgomery, Square roots of products of algebraic numbers, in Proceedings of Symposia in Applied Mathematics, Mathematics of Computation 1943-1993, Vancouver, 1993, Walter Gautschi, ed. [M95] Peter L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Proceedings Eurocrypt 1995, Lecture Notes in Comput. Sci. 921, (1995) 106-120. [P] J.M. Pollard, The lattice sieve, pages 43-49 in [LL]. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From unicorn at schloss.li Mon Apr 15 06:21:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 15 Apr 1996 21:21:19 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604150519.WAA09619@toad.com> Message-ID: <Pine.SUN.3.91.960415025411.19675R-100000@polaris.mindport.net> Excellent work! --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Mon Apr 15 07:39:03 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 15 Apr 1996 22:39:03 +0800 Subject: pgpcrack review [failed] Message-ID: <Pine.SUN.3.91.960415010258.19675P-100000@polaris.mindport.net> I complied pgpcrack (which was on the list a few days ago) on a SPARCstation-10 running SunOS 4.1.4. Running pgpcrack on a -c encrypted file (duress.pgp) encrypted with the passphrase "lover" (which is in my dictionary file) results in the following output after under 1 second. (The dictionary file I was using is about 250k): PGPCrack passphrase: cruddy Using the same plaintext encrypted with "pain" the following output after 3 seconds or so: PGPCrack passphrase: promulgate A third time, same plaintest -c'd with "avoid" results in: PGPCrack passphrase: cerebral Seems to work just fine on linux. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From bugs at netcom.com Mon Apr 15 10:55:16 1996 From: bugs at netcom.com (Mark Hittinger) Date: Tue, 16 Apr 1996 01:55:16 +0800 Subject: security dynamics buys pkp? Message-ID: <199604151344.GAA04748@netcom2.netcom.com> As I was trying to wake up this morning I heard an announcement on CNBC that Security Dynamics purchased the RSA guys. It was evidently a stock swap and not a cash deal (interesting). Later Mark Hittinger Netcom/Dallas bugs at freebsd.netcom.com From Adam_Pingitore at alli.wnyric.org Mon Apr 15 10:55:55 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Tue, 16 Apr 1996 01:55:55 +0800 Subject: What backs up digital money? Message-ID: <9603158295.AA829582357@ccmail.wnyric.org> CANCEL SUBSCRIPTION From jya at pipeline.com Mon Apr 15 11:00:39 1996 From: jya at pipeline.com (John Young) Date: Tue, 16 Apr 1996 02:00:39 +0800 Subject: FIX_rsa Message-ID: <199604151351.JAA23246@pipe1.nyc.pipeline.com> 4-15-96, W$U: "RSA Data May Be Sold in Stock Deal." Security Dynamics Technolgies, Inc. is in talks to buy closely held RSA Data Security Inc., the dominant supplier of privacy technology for the Internet, for stock valued at about $200 million. Industry executives said Security Dynamics may hope to combine its proprietary technology with standard encryption software from RSA, which could yield products that can be used with a broader array of computer products. Some of RSA's partners may be taken aback, since few are familiar with relatively obscure Security Dynamics. The largest single RSA shareholder is Addison Fischer, founder of a Florida security-products concern called Fischer International. FIX_rsa From mpc at star.sr.bham.ac.uk Mon Apr 15 11:13:50 1996 From: mpc at star.sr.bham.ac.uk (Mark Cooke) Date: Tue, 16 Apr 1996 02:13:50 +0800 Subject: Distributed Key Breaking Message-ID: <Pine.SOL.3.91.960415151333.14114J-100000@xun9> Just as a quick thought - given the prevelance of Web Browsers - has anyone considered writing a Java Applet that would could run key space searches and factoring in an easily distributed manner. This would seem to be a 'reasonable' way to gain access to more CPU power - even though the Java code would not be as efficient as a native app. Perhaps as a supplement to the more 'traditional' methods that have been used in the past. Regards, Mark ------------------------------------------------------------------------------ Mark Cooke The views expressed above are mine Systems Programmer and do not reflect in any way the University Of Birmingham current policy of my employers. ------------------------------------------------------------------------------ From raph at CS.Berkeley.EDU Mon Apr 15 11:20:06 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 16 Apr 1996 02:20:06 +0800 Subject: List of reliable remailers Message-ID: <199604151350.GAA04644@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = "<remail at miron.vip.best.com> cpunk pgp special"; $remailer{"portal"} = "<hfinney at shell.portal.com> cpunk pgp hash"; $remailer{"alumni"} = "<hal at alumni.caltech.edu> cpunk pgp hash"; $remailer{"bsu-cs"} = "<nowhere at bsu-cs.bsu.edu> cpunk hash ksub"; $remailer{"c2"} = "<remail at c2.org> eric pgp hash reord"; $remailer{"penet"} = "<anon at anon.penet.fi> penet post"; $remailer{"hacktic"} = "<remailer at utopia.hacktic.nl> cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = "<remailer at flame.alias.net> cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = "<homer at rahul.net> cpunk pgp hash filter"; $remailer{"mix"} = "<mixmaster at remail.obscura.com> cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = "<remailer at bi-node.zerberus.de> cpunk pgp hash ksub ek"; $remailer{"vishnu"} = "<mixmaster at vishnu.alias.net> cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = "<robo at c2.org> cpunk hash mix"; $remailer{"replay"} = "<remailer at replay.com> cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = "<remailer at spook.alias.net> cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = "<remailer at armadillo.com> mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = "<cpunk at remail.ecafe.org> cpunk mix"; $remailer{"wmono"} = "<wmono at valhalla.phoenix.net> cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = "<remailer at shinobi.alias.net> cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = "<amnesia at chardos.connix.com> cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = "<mix at remail.gondolin.org> cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = "<remailer at tjava.com> cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = "<pamphlet at idiom.com> cpunk pgp hash latent cut ?"; $remailer{'alpha'} = '<alias at alpha.c2.org> alpha pgp'; $remailer{'gondonym'} = '<alias at nym.gondolin.org> alpha pgp'; $remailer{'nymrod'} = '<nymrod at nym.alias.net> alpha pgp'; $remailer{'cubed'} = '<alias at alias.alias.net> alpha pgp'; $remailer{"lead"} = "<mix at zifi.genetics.utah.edu> cpunk pgp hash latent cut ek"; $remailer{"treehole"} = "<remailer at mockingbird.alias.net> cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = "<remailer at meaning.com> cpunk pgp hash latent cut"; $remailer{"exon"} = "<remailer at remailer.nl.com> cpunk pgp hash latent cut ek"; $remailer{"vegas"} = "<remailer at vegas.gateway.com> cpunk pgp hash latent cut"; $remailer{"haystack"} = "<haystack at holy.cow.net> cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = "<ncognito at gate.net> mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 15 Apr 96 6:47:58 PDT remailer email address history latency uptime ----------------------------------------------------------------------- mix mixmaster at remail.obscura.com -++++------ 2:33:23 99.98% exon remailer at remailer.nl.com +***+*+++*** 5:41 99.98% portal hfinney at shell.portal.com ####+*####*# 1:58 99.96% amnesia amnesia at chardos.connix.com -++-----+--- 2:32:50 99.96% vishnu mixmaster at vishnu.alias.net --.-*.-*++** 2:41:08 99.95% treehole remailer at mockingbird.alias.net -..-+.---+-+ 4:27:26 99.93% ecafe cpunk at remail.ecafe.org #+####**+--* 1:08:04 99.93% vegas remailer at vegas.gateway.com -***-..+*##* 2:28:26 99.89% ncognito ncognito at gate.net **#*##+ *### :59 99.81% alpha alias at alpha.c2.org ++++++++ *+* 41:19 99.74% shinobi remailer at shinobi.alias.net +-.--*-+*# + 1:08:56 99.52% alumni hal at alumni.caltech.edu # ##+#* ## * 6:51 99.41% c2 remail at c2.org ++++++++++++ 45:38 99.31% hacktic remailer at utopia.hacktic.nl **** +**+* + 11:03 98.93% nymrod nymrod at nym.alias.net --. *-+**+** 1:55:40 98.91% extropia remail at miron.vip.best.com ---.------ 5:38:19 98.22% penet anon at anon.penet.fi -.--.__-_ 32:46:03 97.87% replay remailer at replay.com -*** **+* 10:15 97.83% haystack haystack at holy.cow.net -## ++#*#++ 12:46 95.67% cubed alias at alias.alias.net ********* +* 18:13 95.06% spook remailer at spook.alias.net +*****+++ ** 29:30 94.97% flame remailer at flame.alias.net ---------- 3:57:11 94.82% lead mix at zifi.genetics.utah.edu +++++++++++ 41:35 93.39% nemesis remailer at meaning.com 2:39:59 1.03% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From Doug.Hughes at Eng.Auburn.EDU Mon Apr 15 11:24:31 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Tue, 16 Apr 1996 02:24:31 +0800 Subject: Trojan Horse Loose On The Internet In-Reply-To: <19960415073947953.AAA74@Executioner.utm.my> Message-ID: <doug-9603151349.AA0273400@netman.eng.auburn.edu> > >According to several reliable sources there is a deadly virus on the >Internet. This is NOT a hoax! >CAN ANYBODY CHECK THIS OUT, PLEASE.. > >Note: The reliability of all information below is UNKNOWN. > >WHAT: >Virus Alert: PKZIP 3.0 Trojan Loose on the Internet > >BACKGROUND: >A trojan (virus) program, PKZIP 3.0, which is advertised as an updated >version of the popular compression utility PKZIP, is currently being >distributed on the Internet. Please note that this trojan is REAL and >DESTRUCTIVE. Once executed, this program will destroy data on your hard >drive; there's no stopping it. > >According to PKWARE, makers of PKZIP, the only released versions of PKZIP >are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently >circulating on the Internet are suspect and should not be used. > >ACTION REQUIRED: >Please do not download or execute any files that are named PKZ300B.EXE, >PKZ300B.ZIP, PKZIP300.ZIP, PKZIP300.EXE, etc. from the Internet or other >external source. > >Anybody with any information on this..?? 100% true and verifiable. Although I wouldn't call it deadly or rampant, it has been making the rounds of late. Mostly it's victims are new users. After all, how many times have you upgraded your copy of pkzip? ;) -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From mattt at microsoft.com Mon Apr 15 11:54:33 1996 From: mattt at microsoft.com (Matt Thomlinson) Date: Tue, 16 Apr 1996 02:54:33 +0800 Subject: FIX_rsa Message-ID: <c=US%a=_%p=msft%l=RED-77-MSG-960415150036Z-56244@red-05-imc.itg.microsoft.com> From jim at ACM.ORG Mon Apr 15 12:03:51 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Tue, 16 Apr 1996 03:03:51 +0800 Subject: Old Trojan news [Re: Trojan Horse Loose On The Internet] In-Reply-To: <19960415073947953.AAA74@Executioner.utm.my> Message-ID: <199604151515.IAA07048@mycroft.rand.org> wolv at infosys.utm.my (Ramli Bin Jaafar) writes: >According to several reliable sources there is a deadly virus on the >Internet. This is NOT a hoax! >CAN ANYBODY CHECK THIS OUT, PLEASE.. >Note: The reliability of all information below is UNKNOWN. Uhh -- then perhaps you should check it out before doing the alarmist number. Appropriate places are the VIRUS-L mailing list or comp.virus... or the VIRUSPUNKS list, if you can find the right majordomo. >WHAT: >Virus Alert: PKZIP 3.0 Trojan Loose on the Internet This trojan was constructed a couple of years ago, and the warning report goes around every few months; we're currently in the middle of another resurgence. It's like the Good Times Virus, except that there really is a trojanized PKZIP... but I haven't seen a confirmed sighting of it or a report of somebody actually being bitten for many yonks now. There are plenty of current and active viruses and trojan horses, and some crypto relevance with some of them (e.g. KOH and encrypting viruses)... but this isn't one of them. Jim Gillogly Trewesday, 25 Astron S.R. 1996, 15:13 From wb8foz at nrk.com Mon Apr 15 12:03:58 1996 From: wb8foz at nrk.com (David Lesher) Date: Tue, 16 Apr 1996 03:03:58 +0800 Subject: rsa bought!!! [fwd] Message-ID: <199604151505.LAA30805@nrk.com> Security Dynamics To Acquire RSA In Transaction Valued At Approximately $200 Million CAMBRIDGE, Mass. and REDWOOD CITY, Calif.--(BUSINESS WIRE)--April 15, 1996--Security Dynamics Technologies, Inc. (NASDAQ:SDTI) and RSA Data Security, Inc. today announced that they have signed a definitive agreement for Security Dynamics to acquire RSA, a Redwood City, California vendor of encryption software. The transaction is intended to be carried out by the merger of RSA and a wholly-owned subsidiary of Security Dynamics in a tax-free transaction accounted for as a pooling of interests. For the year ended December 31, 1995, RSA had revenues and net income of approximately $11,600,000 and $950,000, respectively. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From perry at piermont.com Mon Apr 15 12:10:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 16 Apr 1996 03:10:37 +0800 Subject: security dynamics buys pkp? In-Reply-To: <199604151344.GAA04748@netcom2.netcom.com> Message-ID: <199604151508.LAA08228@jekyll.piermont.com> Mark Hittinger writes: > As I was trying to wake up this morning I heard an announcement on CNBC that > Security Dynamics purchased the RSA guys. It was evidently a stock swap and > not a cash deal (interesting). A similar article appears in today's Wall Street Journal. .pm From alano at teleport.com Mon Apr 15 12:13:33 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 16 Apr 1996 03:13:33 +0800 Subject: Trojan Horse Loose On The Internet Message-ID: <2.2.32.19960415152907.00a5b394@mail.teleport.com> At 03:40 PM 4/15/96 +0800, Ramli Bin Jaafar wrote: >According to several reliable sources there is a deadly virus on the >Internet. This is NOT a hoax! >CAN ANYBODY CHECK THIS OUT, PLEASE.. > >Note: The reliability of all information below is UNKNOWN. > >WHAT: >Virus Alert: PKZIP 3.0 Trojan Loose on the Internet Not again! There is a trojan that claims to be a new version of PKZip. (Actually there is a long list of them.) The program you are refering to here is about three years old or more! Some of them destroy hard drives, some of them do not. (One I have seen is pretty buggy.) The reasons these warnings have started to crop up again is that the program was sighted by someone who did not remember the last go around with these trojans and wrote a panic type broadsheet. The posting is now curculating on every newsgroup and mailing list on the planet. (At least once.) I expect that it has attained "The Shergold Effect" and taken on a life of its own. As for the data on the released versions of PKZip, there is a Windows version (2.01 I think) that you do not have listed and is available from the PKWare site. There are also non-pkware unzippers that are not trojans. (Translated over from the Unix world. They are useful for handling long file names. (Something the PKWare version does not always do gracefully.)) Facts are useful, but the panic style of the warnings on this problem make things worse, not better. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From walrus at ans.net Mon Apr 15 12:16:16 1996 From: walrus at ans.net (michael shiplett) Date: Tue, 16 Apr 1996 03:16:16 +0800 Subject: pgpcrack review [failed] In-Reply-To: <Pine.SUN.3.91.960415010258.19675P-100000@polaris.mindport.net> Message-ID: <199604151501.LAA06984@fuseki.aa.ans.net> You need to #define HIGHFIRST for idea.c & md5.c on big-endian architectures. It worked after I did this. michael From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Mon Apr 15 12:44:11 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Tue, 16 Apr 1996 03:44:11 +0800 Subject: No matter where you go, there they are. Message-ID: <9604151827.AA0857@> >Re spoofing the system. If you think about the geometry of the >problem, the delay to be induced for each satellite is a time >varying function of the satellite's position, the reference site, >and the target. It will vary from positive to negative values for >many satellite passes. It can be precomputed, but the precomputed >adjustment will be in error by some amount due to the orbital >perturbations mentioned in the original article. Fine, but that doesn't address the point missed by the original article, which is that you don't need to precompute this stuff. It's easy to compute in real time (under a second) which eliminates the perturbations issue. You don't need to worry about inability to predict those if you're not predicting but rather measuring/correcting in real time. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From talon57 at well.com Mon Apr 15 12:49:16 1996 From: talon57 at well.com (Brian D Williams) Date: Tue, 16 Apr 1996 03:49:16 +0800 Subject: GPS privacy/ECM Message-ID: <199604151548.IAA19700@well.com> I have been following the recent discussion on Denning's GPS I.D. plan and had some thoughts: I wonder what the pro-govt anti-privacy types would do if some obnoxious group started publishing a list with the home/work GPS of say various congresspersons/senatepersons? Since cruise missile's already use GPS to find/destroy their target, how long do you figure before some terrorist group use's this ever cheaper tech to trigger one of it's devices? <car bombs, the poor man's air force> What defences are there? Just how small/inexpensive could a home GPS/ECM system be? Personnel dithering? Locally transmitting your own public key encrypted location. This is thoughtfood only. Brian From erc at dal1820.computek.net Mon Apr 15 13:50:16 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Tue, 16 Apr 1996 04:50:16 +0800 Subject: GPS privacy/ECM In-Reply-To: <199604151548.IAA19700@well.com> Message-ID: <Pine.3.89.9604151139.C19977-0100000@dal1820.computek.net> On Mon, 15 Apr 1996, Brian D Williams wrote: > What defences are there? Just how small/inexpensive could a home > GPS/ECM system be? The portable handheld GPS receivers are well under $300. I've seen a couple under $200. Clinton is supposed to have either turned off dithering or will soon (crossing fingers). Dithering is a real nuisance at times... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From ben.rothke at citicorp.com Mon Apr 15 14:00:10 1996 From: ben.rothke at citicorp.com (Ben Rothke) Date: Tue, 16 Apr 1996 05:00:10 +0800 Subject: RSA & Sec. Dyn. Message-ID: <199604151631.AA14619@egate.citicorp.com> It's true: FOR IMMEDIATE RELEASE Security Dynamics to Acquire RSA in Transaction Valued at Approximately $200 Million Cambridge MA and Redwood City, CA -- April 15, 1996 -- Security Dynamics Technologies, Inc. (NASDAQ: SDTI) and RSA Data Security, Inc. today announced that they have signed a definitive agreement for Security Dynamics to acquire RSA, a Redwood City, California vendor of encryption software. The transaction is intended to be carried out by the merger of RSA and a wholly-owned subsidiary of Security Dynamics in a tax-free transaction accounted for as a pooling of interests. For the year ended December 31, 1995, RSA had revenues and net income of approximately $11,6000,000 and $950,000, respectively. Ben From jya at pipeline.com Mon Apr 15 14:46:34 1996 From: jya at pipeline.com (John Young) Date: Tue, 16 Apr 1996 05:46:34 +0800 Subject: TOG_oon Message-ID: <199604151737.NAA10959@pipe1.nyc.pipeline.com> 4-15-96. FT: "Chatter control in cyberspace. US universities are the testing ground for free speech issues on the Internet." A report on celebrated cases: Cornell, Virginia Tech, Memphis, Jake Baker. "Nearly all the university cases in the US so far have had sexual overtones." Among other commentators quoted, Declan says, "There's a very disturbing trend out there to try to control what students say online." Peter Toren of DoJ says, "I think we can expect this controversy to go on for some time." TOG_oon From hfinney at shell.portal.com Mon Apr 15 15:03:54 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 16 Apr 1996 06:03:54 +0800 Subject: What can the judge do to me? Message-ID: <199604151721.KAA03490@jobe.shell.portal.com> From: Black Unicorn <unicorn at schloss.li> > I've been involved in a private discussion with a list reader about > the extent to which courts can impose contempt fines and sanctions. I > thought I would post the results to the list as many have expressed > interest in the ways that courts might try to compel production of > crypto keys or compel offshore e-cash institutions. The bulk of my > answer follows. I thought this was very interesting and I appreciate Unicorn taking the time to lend us his expertise. > The key to limiting the ability of a court to summarily enter contempt > sanctions has always been the classification of the sanctions. > "Criminal" sanctions, may entitle the witness to a trial by jury. > [...] > "Civil" sanctions do > not require such protections and can be imposed on the spot and > without review. I didn't understand what distinguishes civil and criminal sanctions. Is it the nature of the proceedings, whether it is a civil or criminal case that is before the judge? Or is it the nature of the contempt charge itself, where not doing what the judge wants, in broad terms, is civil contempt? And in that case, what would be criminal contempt? > The court makes a point to justify severe sanctions where testimony is > sought, or the proceedings are threatened. "The necessity > justification for the contempt authority is at its pinnacle, of > course, where contumacious conduct threatens a court's immediate > ability to conduct its proceedings, such as where a witness refuses to > testify, or a party disrupts the court... [t]hus, petty, direct > contempts in the presence of the court traditionally have been subject > to summary adjudication, 'to maintain order in the courtroom and the > integrity of the trial process in the face of an 'actual obstruction > of justice.'" International Union, supra (quoting Codispoti v. > Pennsylvania, 418 U.S., at 513 and citing numerous other sources). Would there be a distinction between contempt by a witness and that by the defendant (in a criminal case)? I could see justification for attempting to compel testimony from a witness who can shed needed light on guilt or innocence in the case. A man's freedom or perhaps his very life is at stake. But it seems to be another matter to compel the defendant himself to provide some information which will be detrimental to himself. The defendant has some Fifth Amendment rights, but for those cases where what he is ordered to do has been found not to be protected by the Fifth Amendment it still seems bizarre to imagine him jailed for contempt if he refuses. Are there precedents for holding a defendant in contempt for standing mute at his own trial? (Part of my problem with this scenario is my sense that despite gradual erosion of the rights against self incrimination, verbally revealing a pass phrase which will unlock an encrypted document seems like testimony, and something which should be protected. Is there such a difference between "Reveal the pass phrase" and "Reveal what you did with the knife", if the judge doesn't believe the denials of the ability to comply?) > Most interesting to the crypto crowd: > > "Contempts such as failure to comply with document discovery, for > example, while occurring outside the court's presence, impede the > court's ability to adjudicate the proceedings before it and thus touch > upon the core justification for the contempt power.... Similarly, > indirect contempts involving discrete, readily ascertainable acts, > _such as turning over a key_ or payment of a judgment, properly may be > adjudicated through civil proceedings since the need for extensive, > impartial fact-finding is less pressing." International Union, supra > (emphasis added). I would guess that "turning over a key" here refers not to production to the court by rather to passing a physical key between two contesting parties, say a seller and buyer of some property that the key gives access to. The phrase "turning over" rather than "production of" suggests this interpretation. So this sounds like something which would be more likely to occur in a civil proceeding than a criminal one. Hal From eriksmit at euronet.nl Mon Apr 15 15:26:21 1996 From: eriksmit at euronet.nl (eriksmit) Date: Tue, 16 Apr 1996 06:26:21 +0800 Subject: [NOISE] Consolidation of threads ... In-Reply-To: <v01540b0cad96f6491958@[193.239.225.200]> Message-ID: <2F902565.27A6@euronet.nl> Clay Olbon II wrote: > > OK, I have a proposal that consolidates two threads that have been > discussed recently. How about proposing legislation that mandates that a > byte is now 9 bits instead of 8. This would allow the ninth bit to be the > decent/indecent bit, thereby solving all of our problems. > > Clay > > --------------------------------------------------------------------------- > Clay Olbon II | Clay.Olbon at dynetics.com > Systems Engineer | ph: (810) 589-9930 fax 9934 > Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html > 550 Stephenson Hwy | PGP262 public key: on web page > Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 > TANSTAAFL > --------------------------------------------------------------------------- Get me off from the list From frantz at netcom.com Mon Apr 15 15:38:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 16 Apr 1996 06:38:32 +0800 Subject: Distributed Key Breaking Message-ID: <199604151814.LAA02463@netcom9.netcom.com> At 3:18 PM 4/15/96 +0100, Mark Cooke wrote: >Just as a quick thought - given the prevelance of Web Browsers - has >anyone considered writing a Java Applet that would could run key space >searches and factoring in an easily distributed manner. > >This would seem to be a 'reasonable' way to gain access to more CPU power >- even though the Java code would not be as efficient as a native app. >Perhaps as a supplement to the more 'traditional' methods that have been >used in the past. This approach will become even more "reasonable" as just-in-time compilation and native code Bignum packages get distributed. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sameer at c2.org Mon Apr 15 15:44:39 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 16 Apr 1996 06:44:39 +0800 Subject: on corporations and subpoenas Message-ID: <199604151800.LAA06083@atropos.c2.org> Suppose a corporation has multiple subsidiaries. Would a subpoena served on the parent corp be binding on the subsidiaries? Or would the better way to handle this be to create spinoff corporations rather than subsidiaries? -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From vznuri at netcom.com Mon Apr 15 16:27:01 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 16 Apr 1996 07:27:01 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604150519.WAA09619@toad.com> Message-ID: <199604151824.LAA07600@netcom6.netcom.com> regarding these collaborative, "open" factorizations and cracking projects: I have been wondering about malicious hackers getting into these pools. would it be possible for them to contribute false data that screws up the end results? or are such anomalies easily discarded or disregarded by the final processes? there is a reduction step in the NFS (number field sieve, technique used to factor large numbers) in which all the collected data is mashed. how sensitive is this process to spurious data? i.e. if there was a little bit of bad data in its computation, does it completely screw it up, or is it robust and resistant to this kind of problem? it seems to me that in many cases, these collaborative projects virtually cannot check the validity of the supplied data without repeating the computation effort, although there may be good tests that tend to screen out "most" bad data. future implementors of these programs might amuse themselves with trying to create such safeguards or anticipate such "attacks" which are pretty significant the more the processes become distributed. From erc at dal1820.computek.net Mon Apr 15 16:37:46 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Tue, 16 Apr 1996 07:37:46 +0800 Subject: GPS privacy/ECM In-Reply-To: <m0u8u5P-0008z9C@pacifier.com> Message-ID: <Pine.3.89.9604151445.C13698-0100000@dal1820.computek.net> On Mon, 15 Apr 1996, jim bell wrote: > At 11:03 AM 4/15/96 +0100, Ed Carp wrote: > > >Clinton is supposed to have either turned off dithering or will soon > >(crossing fingers). Dithering is a real nuisance at times... > > True, but we'll still need DGPS for 1-meter accuracy, as opposed to 20-meter > accuracy for uncorrected C/A GPS. Better than what we have now - isn't GPS guaranteed to within 100 meters or so? -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From jimbell at pacifier.com Mon Apr 15 17:02:02 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Apr 1996 08:02:02 +0800 Subject: GPS privacy/ECM Message-ID: <m0u8u5P-0008z9C@pacifier.com> At 11:03 AM 4/15/96 +0100, Ed Carp wrote: >Clinton is supposed to have either turned off dithering or will soon >(crossing fingers). Dithering is a real nuisance at times... True, but we'll still need DGPS for 1-meter accuracy, as opposed to 20-meter accuracy for uncorrected C/A GPS. Jim Bell, N7IJS From vhd at pobox.com Mon Apr 15 17:14:33 1996 From: vhd at pobox.com (Computer Virus Help Desk) Date: Tue, 16 Apr 1996 08:14:33 +0800 Subject: Trojan Horse Loose On The Internet Message-ID: <2.2.32.19960415183326.006d334c@indy.net> At 03:40 PM 4/15/96 +0800, wolv at infosys.utm.my (Ramli Bin Jaafar) wrote: >According to several reliable sources there is a deadly virus on the >Internet. This is NOT a hoax! I hope the following message from CIAC helps explain that this is aTROJAN and NOT a VIRUS: > From: ciac at llnl.gov > Subject: RE:PKZIP trojan horse? > Date: Monday, April 01, 1996 11:26AM > ============The following is from PKWare ============= > It has come to PKWARE's attention that a trojan version of PKZIP is being > distributed under the name PKZ300B.ZIP or PKZ300B.EXE. This version is not > an offical version and will attempt to destroy your HD. Delete it immediately > if you have downloaded this version. If you have any further questions about > this trojan version, contact PKWARE at: support at pkware.com. > ======= End PKWare Message === > PKWare lists the following as known PKZIP related hacks (modified or bogus versions) as of 06/01/95: > PKZIP120 Early hack of 1.1 > PKZIP20B Hack of 1.1 > PKZIP_V2.EXE Trojan, will erase hard drive > PKZ201.ZIP Hack of 1.93 > PKZ201.EXE " > PKX201.EXE " > PKZ201.EXE " > PKX201.EXE " > PKZ210F.EXE Unknown > PKZIPV2 **TROJAN** will erase hard drives > PKUNZIP.COM Unknown > PKZIP203.EXE Unknown > PUTAV 1.93 Fake putav program (Trojan) > PKZIP 1.99 Unknown > PKZIP 2.02 Unknown > PKZIP 2.2 **TROJAN** destroys hard drives > PKZ305.EXE Hack of 1.93, fave AV, **VIRUS** > PKZ41V.EXE Hack of 1.93 > PKZ300B.ZIP Trojan, will erase hard drives > PKZ300B.EXE " > If you have any questions or problems, please let us know. > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Computer Incident Advisory Capability (CIAC) David L. Crawford > (510)422-8193 (510)423-9905 > ciac at llnl.gov crawford1 at llnl.gov > (510)422-8193 (510)423-9905 > ciac at llnl.gov crawford1 at llnl.gov > ************** I hope this answers questions concerning PKZ300.ZIP Computer Virus Help Desk http://www.a1.com/cvhd From wb8foz at nrk.com Mon Apr 15 17:26:13 1996 From: wb8foz at nrk.com (David Lesher) Date: Tue, 16 Apr 1996 08:26:13 +0800 Subject: Article on PGP flaws Message-ID: <199604152026.QAA31962@nrk.com> I'm told a periodical: Crypto & Security Vol 15 #1 has an article: Probabilistic [sp] Flaws in PGP {aprox title} by Thierry Moreau Has anyone seen/commented on it? -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From apd at openix.com Mon Apr 15 17:41:55 1996 From: apd at openix.com (Lurch) Date: Tue, 16 Apr 1996 08:41:55 +0800 Subject: Hey... someone please teach me... Message-ID: <199604152022.QAA09109@pantera.openix.com> hey, i figured this would be as good place to ask as any... If possible, and if you have some free time, would someone please PRIVATELY mail me and explain PGP and similar types of encryption. I am extremely interested in the topic, but there isn't much I can see from any of the source code floating around everywhere, not too much docs on the algo itself... Please do not recommend books, as I seriously have no ability to get them. :( - Mike From mpd at netcom.com Mon Apr 15 17:42:34 1996 From: mpd at netcom.com (Mike Duvos) Date: Tue, 16 Apr 1996 08:42:34 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604151824.LAA07600@netcom6.netcom.com> Message-ID: <199604152038.NAA03204@netcom10.netcom.com> "Vladimir Z. Nuri" <vznuri at netcom.com> writes: > I have been wondering about malicious hackers getting into > these pools. would it be possible for them to contribute > false data that screws up the end results? or are such > anomalies easily discarded or disregarded by the final > processes? If you are doing a distributed search of a key space, then it is of course possible that people, either accidently or deliberately, may fail to correctly do their part of the search and report misleading results. You may recall a hostile attack on SSL a while back where the design was flawless but the desired key failed to appear when the results of the individual searches were merged. Fortunately, where integer factorization is concerned, it is trivial to verify the full and partial relations for correctness and discard any bad data during the counting process. Thus there is no chance of garbage making it into the final reduction. > there is a reduction step in the NFS (number field sieve, > technique used to factor large numbers) in which all the > collected data is mashed. how sensitive is this process to > spurious data? i.e. if there was a little bit of bad data > in its computation, does it completely screw it up, or is it > robust and resistant to this kind of problem? The input to the reduction step is simply a large number of ways of making the number "1" by multiplying together elements of the factor base, all modulo the number of be factored. Given an overdetermined set of such relations, one can can search for linearly dependent combinations of their exponents modulo 2. Each such dependency permits one to construct a relation in which all the exponents are even, and possibly a non-trivial square root of 1 modulo N. Since each dependency has at least a 50-50 chance of yielding a factor of N, only a handful of them are needed. Certainly bad data in the matrix could cause problems, but the matrix is sparse and damage would probably be localized. You might get out some dependencies that weren't real, but unless you had quite a lot of garbage data, you would probably get enough good ones to succeed. Non-relations involving small primes would probably be more poisonous than ones involving the high end of the factor base. In any case, as I stated earlier, it is trivial to guarantee all the data going into the final reduction has been sterilized. > it seems to me that in many cases, these collaborative > projects virtually cannot check the validity of the > supplied data without repeating the computation effort, > although there may be good tests that tend to screen out > "most" bad data. > future implementors of these programs might amuse > themselves with trying to create such safeguards or > anticipate such "attacks" which are pretty significant the > more the processes become distributed. The only safeguards I can think of when doing a distributed search of a keyspace are to randomly assign each area to be searched to multiple participants, and to encapsulate the software in some sort of hack-resistant module, possibly calculating a running hash which could be checked when results were submitted to the central authority. If you have 10,000 volunteers, each searching 0.01% of the keyspace using a klutz-proof software module, quite a few sophisticated users would have to collaborate to create a significant chance of missing the key. In cyptography, as in life, there are no guarantees. -- Mike $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From weidai at eskimo.com Mon Apr 15 18:52:32 1996 From: weidai at eskimo.com (Wei Dai) Date: Tue, 16 Apr 1996 09:52:32 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <ad931eee1502100491ce@[205.199.118.202]> Message-ID: <Pine.SUN.3.93.960415135928.14546B-100000@eskimo.com> On Thu, 11 Apr 1996, Timothy C. May wrote: > That there can be no simple definition of entropy, or randomness, for an > arbitrary set of things, is essentially equivalent to Godel's Theorem. I think what you mean is that there is no simple way to measure randomness. Simple, nice definitions of randomness do exist. Actually there are two closely related definitions of randomness. The first is entropy, which is a measure of the unpredictability of a random variable. (A random variable is a set of values with a probability assigned to each value. In this case the values are bit strings.) The second is algorithmic complexity, which is a measure of the uncompressibility of a bit string. Notice that it doesn't make sense to talk about the entropy of a string or the algorithmic complexity of a random variable. Unfortunately both of these values are very difficult to measure. Algorithmic complexity is provably uncomputable, because given a string you can't tell when you have found the best compression for it. Entropy can in principle be determined, but in practice it's hard because you must have a good probability model of the mechanism that generates the random variable. What we want to do is calculate the entropy of the output of a physical random number generator. Now if we have a probability model of the rng, then we're home free. For example, if the rng is tossing a fair coin 64 times, then it's easy to calculate that the entropy is 64 bits. But what if the rng is too complex to be easily modeled (for example if it's a human being pounding on the keyboard)? Algorithmic information theory says the entropy of a random variable is equal to its expected algorithmic complexity. So if we could calculate algorithmic complexity, then we can estimate the entropy by sampling the output of the rng many times, calculate the algorithmic complexity of each sample, and take their average as the estimated entropy. Unfortunately, we already know that algorithmic complexity is NOT computable. The best we can do, and what is already apparently done in practice, is to find an upper bound (call it x) on the algorithmic complexity of a string by trying various compression schemes, divide that number by a constant (say 10), and use x/10 as a conservative estimate of the algorithmic complexity. (Tim, I know you already understand all this, but your earlier explanation wasn't very clear. I hope this helps those who are still confused.) > (To forestall charges that I am relying on an all-too-common form of > bullshitting, by referring to Godel, what I mean is that "randomness" is > best defined in terms of algorithmic information theory, a la Kolmogorov > and Chaitin, and explored in Li and Vitanyi's excellent textbook, > "Algorithmic Information Theory and its Applications.") A year ago, you recommended me a book by the same authors titled _An Introduction to Kolmogorov Complexity and Its Applications_. Have the authors written a new book, or are these the same? Wei Dai From markm at voicenet.com Mon Apr 15 19:18:52 1996 From: markm at voicenet.com (Mark M.) Date: Tue, 16 Apr 1996 10:18:52 +0800 Subject: key bit lengths In-Reply-To: <ad9713050002100436c2@[205.199.118.202]> Message-ID: <Pine.LNX.3.92.960415161540.304A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Sun, 14 Apr 1996, Timothy C. May wrote: > A late April Fool's joke, methinks? Arguing that in "several billion years" > the "temperature" of the universe will have anything to do with > computation....well, your physics is all wrong. > > The approximate figure, kT, for the minimum energy in a conventional bit > flip, can be reduced by simple cooling. Not a problem. And what the ^^^^^^^^^^^^^^ > so-called "average temperature" of the Universe may be in, say, 10 billion > years, will not affect computation. Fusion will still occur, stars will > still burn, sunshine will still produce heat. And so on. I'm a little rusty on physics, but it seems to me that you are forgetting the fact that energy needs to be used in order to lower the temperature below the temperature of background radiation. A lot of energy. I don't have any numbers available, but I think that it would takes much more energy to invert a bit where energy has to be used to keep the temperature below the temperature of background radiation then to invert the bit at temperatures greater than or equal to the temperature of background radiation. Brute-force cracking will take less energy when the universe has cooled off more (assuming it does implode first). - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMXKwFbZc+sv5siulAQFv8wP/aiC93myrk4swZYJ2ocCVsvy/+HAJyu/9 ujQl910QUrs27BfkHfiHnVbTYUWQycEPxe0o4b6KGOJwkJ2TssMpuVY5TE+35GKL a0fdaaKUxb2DDXWvr6jyOi682dLzx0gqvMo+gWXSKccFk8U5KcHZEh9TL53CopvP 2KzTet/lB0o= =ef7j -----END PGP SIGNATURE----- From jim at ACM.ORG Mon Apr 15 19:27:28 1996 From: jim at ACM.ORG (Jim Gillogly) Date: Tue, 16 Apr 1996 10:27:28 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604151824.LAA07600@netcom6.netcom.com> Message-ID: <199604152135.OAA07769@mycroft.rand.org> "Vladimir Z. Nuri" <vznuri at netcom.com> writes: >I have been wondering about malicious hackers getting into these >pools. would it be possible for them to contribute false data >that screws up the end results? or are such anomalies easily >discarded or disregarded by the final processes? The latter, for this application -- unlike the straightforward approach to RC4 cracking, the partial relations that contributors find for the factoring exercise are (like the factoring itself) time-consuming to compute but dead simple to check... and, in fact, each of them is checked before accepting it. >it seems to me that in many cases, these collaborative projects >virtually cannot check the validity of the supplied data without >repeating the computation effort, although there may be good >tests that tend to screen out "most" bad data. Yes, that's a good point and one we hashed around a bit at the beginning of the RC4 project, with less than a perfect conclusion -- but some good ideas. You need to account for several kinds of people, including people plaing with less than a full deck of clues; and the target of the cracking ring allocating and turning in a "not found" report on the actual target part of the space. >future implementors of these programs might amuse themselves with >trying to create such safeguards or anticipate such "attacks" which >are pretty significant the more the processes become distributed. Absolutely. Jim Gillogly Trewesday, 25 Astron S.R. 1996, 21:32 From jimbell at pacifier.com Mon Apr 15 19:55:33 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Apr 1996 10:55:33 +0800 Subject: Infrared photography Message-ID: <m0u8vqf-000928C@pacifier.com> At 03:16 PM 4/14/96 -0400, Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: >>Incidentally, this simplicity shows the flaw in using this kind of system as >>an identifier: Since people's faces are usually visible, and can be >>photographed in the near-IR surreptitiously, it isn't clear how to prevent >>faking a face which appears to have the same IR signature and pattern. > >I remember in a booklet from Kodak on their Ektachrome IR film, there was a >picture >of a forearm where all the veins were made clearly visible. This film is near >infrared (if I remember, the red color on the film corresponds to around >1100 nm). 1100 sounds pretty far into the IR spectrum for silver-halide film to pick up, but I don't know how far they can "push" film to do this. Silicon CCD image pickups peak at somewhere around 900 nm, but they can probably handle 1100 nm at a reduced sensitivity. >Veins and artery identification might be possible, maybe, since fingerprint >identification is possible. A friend of mine developped a quite functionnal >algorithm doing just that in the late eighties. OTOH, the blood vessels >patterns are probably much more constant, from individual to individual, >than fingerprints. Just correct me if I am wrong. Do you mean "constant" over time? Fingerprints are fairly constant, I assume artery and vein number and location is fairly constant too if major weight gains and losses can be ignored. What I don't know is how unique such blood vessel patterns are, compared to fingerprints. The huge numbers frequently given to show how unique fingerprint patterns are, and thus how reliable fingerprinting techniques are often based on a full set of 10 fingerprints, not just one print. From attila at primenet.com Mon Apr 15 20:00:16 1996 From: attila at primenet.com (attila) Date: Tue, 16 Apr 1996 11:00:16 +0800 Subject: on corporations and subpoenas Message-ID: <199604152212.PAA29987@usr5.primenet.com> ** Reply to note from sameer at c2.org 04/15/96 11:00am -0700 = To: cypherpunks at toad.com = Date: Mon, 15 Apr 1996 11:00:19 -0700 (PDT) = = Suppose a corporation has multiple subsidiaries. = = Would a subpoena served on the parent corp be binding on the = subsidiaries? = yes, but not the other way around. (shit flows downhill!) However, that's on face value also as a judge can order a parent corporation (and its assets) to be subject to the order granted against the subsidiary --e.g. the same principle would be sustained until appeal --in other words, produce the "evidence" to convict yourself and argue about it on appeal. If that does not work, they will go for conspiracy charges, which generally carry the same penalty as commiting the crime! = Or would the better way to handle this be to create spinoff = corporations rather than subsidiaries? = depends. if it is collection of S-corps, they are all lumped together for tax purposes and the Fed goes right past the corporate veil. If they are C-corps, the Fed ignores the fine line print on corporate protection, etc. secondly, prosecuters have a tendency to subpoena *individuals* to produce records --easy to identify in small businesses, subsidiary or "clustered." Even so, they can effectively take the shotgun approach by naming the individual --i.e. whether the target has the files at home, or company A-Z, it does not matter: produce 'em. I don't know about today, but 20 years ago I told them rather obscenely which part of the anatomy they could use for their head (and the horse they rode in on). WARNING: I am not licensed to practice law in the State of California, so take it for what it's worth. -- Obscenity is a crutch for inarticulate motherfuckers. Fuck the CDA! cc: Cypherpunks <cypherpunks at toad.com> From steve at edmweb.com Mon Apr 15 22:05:39 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 16 Apr 1996 13:05:39 +0800 Subject: RSA & Sec. Dyn. In-Reply-To: <199604151631.AA14619@egate.citicorp.com> Message-ID: <Pine.BSF.3.91.960415162807.22774A-100000@kirk.edmweb.com> > It's true: > FOR IMMEDIATE RELEASE > Security Dynamics to Acquire RSA in Transaction Valued at > Approximately $200 Million Okay, so what do we know about Security Dynamics? What are they expected to do about licensing etc? The question of the day is... HOW WILL THIS AFFECT CRYPTO? ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From jimbell at pacifier.com Mon Apr 15 22:06:53 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Apr 1996 13:06:53 +0800 Subject: RSA & Sec. Dyn. Message-ID: <m0u8y6n-00090vC@pacifier.com> At 12:37 PM 4/15/96 edt, Ben Rothke wrote: >FOR IMMEDIATE RELEASE > >Security Dynamics to Acquire RSA in Transaction Valued at >Approximately $200 Million > >Cambridge MA and Redwood City, CA -- April 15, 1996 -- Security Dynamics Technologies, Inc. >(NASDAQ: SDTI) and RSA Data Security, Inc. today announced that they have signed a definitive >agreement for Security Dynamics to acquire RSA, a Redwood City, California vendor of encryption >software. The transaction is intended to be carried out by the merger of RSA and a wholly-owned >subsidiary of Security Dynamics in a tax-free transaction accounted for as a pooling of >interests. For the year ended December 31, 1995, RSA had revenues and net income of >approximately $11,6000,000 and $950,000, respectively. A 200-1 price/earnings ratio?!? From unicorn at schloss.li Mon Apr 15 22:12:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 16 Apr 1996 13:12:55 +0800 Subject: What can the judge do to me? In-Reply-To: <m0u8wb7-0008zLC@pacifier.com> Message-ID: <Pine.SUN.3.91.960415190758.342B-100000@polaris.mindport.net> On Mon, 15 Apr 1996, jim bell wrote: > At 10:21 AM 4/15/96 -0700, Hal wrote: > >From: Black Unicorn <unicorn at schloss.li> [...] > >I didn't understand what distinguishes civil and criminal sanctions. Is > >it the nature of the proceedings, whether it is a civil or criminal case > >that is before the judge? Or is it the nature of the contempt charge > >itself, where not doing what the judge wants, in broad terms, is civil > >contempt? And in that case, what would be criminal contempt? > > He may answer those questions, but I don't think he'll dare answer the > question about if there is a constituional justification for a difference > between "civil" and "criminal" in most things the government's courts do. Mr. Bell amuses me because he can never decide if he's a constitutional formalist, as above (all things the government does must be explicitly justified in the constitution) or a pragmatist, as when he is defending his murderous proposals (we can ignore the due process clause of the constitution and order assassinations anonymously because due process rights are vaguely defined in the constitution and we should look to the concepts of other nations in quashing the U.S. version). > My impression is that the "civil" classification is often simply used to > dilute or eliminate the various constitutional protections that the > government hasn't yet dared to remove from areas it calls "criminal." I will discuss the rationale the courts use in making the distinction, and discuss the constitutional issues briefly, as I did before. Mr. Bell will, as always, impute some express or implied approval of some policy that appears nowhere in my writings. (a) A criminal contempt fine is punitive and can be imposed only through criminal proceedings, including the right to jury trial. A contempt fine is considered civil and remedial if it either coerces a defendant into compliance with a court order or compensates the complainant for losses sustained. United States v. United Mine Workers of America, 330 U.S. 258, 303-304, 91 L. Ed. 884, 67 S. Ct. 677. Where a fine is not compensatory, it is civil only if the contemnor has an opportunity to purge, such as with per diem fines and fixed, suspended fines. Id. (b) Most contempt sanctions share punitive and coercive characteristics, and the fundamental question underlying the distinction between civil and criminal contempts is what process is due for the imposition of any particular contempt sanction. Direct contempts can be penalized summarily in light of the court's substantial interest in maintaining order and because the need for extensive factfinding and the likelihood of an erroneous deprivation are reduced. Greater procedural protections are afforded for sanctions of indirect contempts. Certain indirect contempts are particularly appropriate for imposition through civil proceedings, including contempts impeding the court's ability to adjudicate the proceedings before it and those contempts involving discrete, readily ascertainable acts. For contempts of more complex injunctions, however, criminal procedures may be required. Id. Because civil contempt sanctions are viewed as nonpunitive and avoidable, fewer procedural protections for such sanctions have been required. To the extent that such contempts take on a punitive character, however, and are not justified by other considerations central to the contempt power, criminal procedural protections may be in order. International Union. The justification for the contempt charges are on the proper administration of justice, to which every citizen is entitled. While I'm sure Mr. Bell would like it if he could just flip off a court, as with most self centered types, I don't think he has considered the ramifications of this kind of impunity in the aggregatre. Mr. Bell claims this is a new tyrranical development. Mr. Bell is incorrect. Consider: In re Nevitt, 117 Fed. 451 (1902) (upholding the contempt power of courts). (94 years ago). Ex parte Robinson, 86 U.S. 505, 19 Wall. 505, 510, 22 L. Ed. 205 (1874) (contempt authority is vital to the administration of justice). (122 years ago). Courts must be "vested with the power to impose silence, respect, and decorum, in their presence, and submission to their lawful mandates, and . . . to preserve themselves and their officers from the approach and insults of pollution." Anderson v. Dunn, 19 U.S. 204, 6 Wheat. 204, 227, 5 L. Ed. 242 (1821). (175 years ago). The contempt power is a power "necessary to the exercise of all others." United States v. Hudson, 11 U.S. 32, 7 Cranch 32, 34, 3 L. Ed. 259 (1812). (184 years ago). One might also remember where the term "pressing the defendant for a plea" originated. Contempt sanctions are nearly 500-600 years old and are a response to the need to effect compliance with orders and summons. > Too bad we won't get a straight answer... You mean an answer that argues semantics and devolves into your Yadda Yadda Yadda stuff. > We also won't get a straight answer about the constitutional justification > for "contempt of court" penalties at all! The Constitution defines the > powers of government; it does not restrict those of the people. I suppose you don't think anyone need serve on juries? Or appear before a court when summoned? Or testify if its inconvenient? Your absoluteism betrays a grave ignorance and sheltered view of the world. > The idea > that a judge can punish someone, especially someone not present in court, is > bizarre. It is even more odd when such punishment appears to exceed what > the government is allowed to do absent any kind of jury decision and > conviction. Huh? Ever hear of late filing fees? Administrative fines? Taxes? How many examples do you want where government can impose costs on persons without a fully jury trial? Even contracts are in the end enforced by government in the United States. > If you're willing to accept NON-Constitutional "justifications," I'm sure > you'll get plenty of that. > > The only hint of a Constitutional obligation to testify comes from an > amendment which states that defendants have a right to compel testimony > favorable to them; it does not say that prosecution has the right to compel > testimony from a third party that incriminates a defendant. Look, Mr. Bell. I don't know where you get this stuff, but you really need to take a few classes in jurisprudence. You need to learn what life would really be like if the strict reading of the constitutional you urge was followed, and you need to transcend your political Yaddaing into a set of criteria which resemble something like earthbound possibilities. > If his > response is, "Oh, but we've ALWAYS done it that way!", you need to remember > that until the American Civil war, slavery was legal in southern states, and > until 1920 women weren't allowed to vote, and until 1955 "separate but > equal" was the law of the land, until 1972 or so the death penalty was > constitutional...and then it wasn't...and then it was again...and so on. > Government is never willing to admit it's wrong until it's good and ready. By 'wrong' you mean doesn't agree with you. I'm sure precident and it's rationale means little to you. > That doesn't mean we can't express our own opinions "prematurely." Opinions are like rectums.... > I'd sure like to hear the "why" behind this stuff, but I won't... Sigh. Apply to law school. The questions you are struggling with will be answered in your first year readings. I'm hardly going to type in all of Ernst on property or Goldman on constitutional law for your benefit. Time to start doing your own homework. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From wombat at mcfeely.bsfs.org Mon Apr 15 22:43:12 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Tue, 16 Apr 1996 13:43:12 +0800 Subject: Trojan Horse Loose On The Internet In-Reply-To: <doug-9603151349.AA0273400@netman.eng.auburn.edu> Message-ID: <Pine.BSF.3.91.960415202856.1893A-100000@mcfeely.bsfs.org> This one has been around for ages, but the story seems to be making the rounds once again. See PKWARE's web site: http://www.pkware.com/fake.html (posted May, 1995) ---------------------------------------- Rabid Wombat wombat at mcfeely.bsfs.org ---------------------------------------- On Mon, 15 Apr 1996, Doug Hughes wrote: > > > > >According to several reliable sources there is a deadly virus on the > >Internet. This is NOT a hoax! > >CAN ANYBODY CHECK THIS OUT, PLEASE.. > > > >Note: The reliability of all information below is UNKNOWN. > > > >WHAT: > >Virus Alert: PKZIP 3.0 Trojan Loose on the Internet > > > >BACKGROUND: > >A trojan (virus) program, PKZIP 3.0, which is advertised as an updated > >version of the popular compression utility PKZIP, is currently being > >distributed on the Internet. Please note that this trojan is REAL and > >DESTRUCTIVE. Once executed, this program will destroy data on your hard > >drive; there's no stopping it. > > > >According to PKWARE, makers of PKZIP, the only released versions of PKZIP > >are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently > >circulating on the Internet are suspect and should not be used. > > > >ACTION REQUIRED: > >Please do not download or execute any files that are named PKZ300B.EXE, > >PKZ300B.ZIP, PKZIP300.ZIP, PKZIP300.EXE, etc. from the Internet or other > >external source. > > > >Anybody with any information on this..?? > > 100% true and verifiable. Although I wouldn't call it deadly or rampant, > it has been making the rounds of late. Mostly it's victims are new users. > After all, how many times have you upgraded your copy of pkzip? ;) > > -- > ____________________________________________________________________________ > Doug Hughes Engineering Network Services > System/Net Admin Auburn University > doug at eng.auburn.edu > Pro is to Con as progress is to congress > From mixmaster at remail.obscura.com Mon Apr 15 23:10:59 1996 From: mixmaster at remail.obscura.com (Mixmaster) Date: Tue, 16 Apr 1996 14:10:59 +0800 Subject: patent licenses Message-ID: <199604152140.OAA02717@sirius.infonex.com> Simon Spero <ses at tipper.oit.unc.edu> writes: >Well, if you're using RC4, you're probably using some sort of public-key >based key exchange, which you're probably going to need to licence, and >BSAFE is the easiest way to do that, so RC4 is pretty much a freebie If the Diffie-Hellmann patent covers all kind of public key crypto, you need a license from Cylink, i.e. BSAFE is not enough, and if it doesn't you can use El Gamal without a license. From unicorn at schloss.li Mon Apr 15 23:26:22 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 16 Apr 1996 14:26:22 +0800 Subject: What can the judge do to me? In-Reply-To: <199604151721.KAA03490@jobe.shell.portal.com> Message-ID: <Pine.SUN.3.91.960415172347.1228D-100000@polaris.mindport.net> On Mon, 15 Apr 1996, Hal wrote: > From: Black Unicorn <unicorn at schloss.li> > > I've been involved in a private discussion with a list reader about > > the extent to which courts can impose contempt fines and sanctions. I > > thought I would post the results to the list as many have expressed > > interest in the ways that courts might try to compel production of > > crypto keys or compel offshore e-cash institutions. The bulk of my > > answer follows. > > I thought this was very interesting and I appreciate Unicorn taking the > time to lend us his expertise. Thanks for taking the time to tell me so. > > > The key to limiting the ability of a court to summarily enter contempt > > sanctions has always been the classification of the sanctions. > > "Criminal" sanctions, may entitle the witness to a trial by jury. > > [...] > > "Civil" sanctions do > > not require such protections and can be imposed on the spot and > > without review. > > I didn't understand what distinguishes civil and criminal sanctions. Is > it the nature of the proceedings, whether it is a civil or criminal case > that is before the judge? Or is it the nature of the contempt charge > itself, where not doing what the judge wants, in broad terms, is civil > contempt? And in that case, what would be criminal contempt? It's muddled. The key seems to be the nature and purpose of the sanctions. (And mostly the purpose). As a very general rule of thumb (as these tend to be case by case analysis) when the sanctions are punative, intended to punish past conduct and not influence future conduct, contempt sanctions are "criminal" and require due process and other protections. Where contempt sanctions are intended to effect compliance with court orders, or are the result of disruptive or destructive behavior that interferes with a court's proceedings (withholding testomony, outbursts or insulting behavior in the court, withholding evidence, refusal to appear), contempt sanctions are civil, and can be leveled on the spot without any protections or review. > > The court makes a point to justify severe sanctions where testimony is > > sought, or the proceedings are threatened. "The necessity > > justification for the contempt authority is at its pinnacle, of > > course, where contumacious conduct threatens a court's immediate > > ability to conduct its proceedings, such as where a witness refuses to > > testify, or a party disrupts the court... [t]hus, petty, direct > > contempts in the presence of the court traditionally have been subject > > to summary adjudication, 'to maintain order in the courtroom and the > > integrity of the trial process in the face of an 'actual obstruction > > of justice.'" International Union, supra (quoting Codispoti v. > > Pennsylvania, 418 U.S., at 513 and citing numerous other sources). > > Would there be a distinction between contempt by a witness and that by > the defendant (in a criminal case)? I could see justification for > attempting to compel testimony from a witness who can shed needed light > on guilt or innocence in the case. A man's freedom or perhaps his very > life is at stake. But it seems to be another matter to compel the > defendant himself to provide some information which will be detrimental > to himself. Historically, and in my experience, criminal defendants are given a lot more leeway. No judge is going to push constitutional rights with contempt sanctions. If, however, in the judge's view there are not constitutional rights which apply, defendant's are just as likely to get smacked. (One example that comes to mind is where the defendant waived his Fifth Amendment rights, then refused to testify anyhow. Prosecution objected and asked for contempt sanctions [for which there was a very good argument, the waiver was quite explicit and the prosecution had based a good deal of argument on it and defendant's existing testomony already.] The judge refused to level contempt, prosecution appealed the decision immediately and we went all the way to oral argument before the appeals court upheld the judge's decision. The appeals court judge cited specifically the importance of leeway in criminal cases and refused to find clear error). > > The defendant has some Fifth Amendment rights, but for those cases > where what he is ordered to do has been found not to be protected by > the Fifth Amendment it still seems bizarre to imagine him jailed for > contempt if he refuses. Are there precedents for holding a defendant in > contempt for standing mute at his own trial? > These are generally only after an explicit waiver of fifth amendement rights, or when they clearly, quite clearly, do not apply. I'll dig up cites if there is enough interest. > (Part of my problem with this scenario is my sense that despite gradual > erosion of the rights against self incrimination, verbally revealing a > pass phrase which will unlock an encrypted document seems like > testimony, and something which should be protected. Is there such a > difference between "Reveal the pass phrase" and "Reveal what you did with > the knife", if the judge doesn't believe the denials of the ability to > comply?) To trigger Fifth amendment rights, an act must be testimonial, and incriminating. I discussed it a bit in my note on asset concealing. I've reproduced the passage below: The cases following In re Grand Jury Proceedings, 814 F.2d 791 (1st Cir. 1987) demonstrate how the fifth amendment has been eroded or eliminated in application to this problem. In the In re case the defendant was directed by the district court to sign a consent form permitting the disclosure and production by a financial institution of documents protected by Singapore banking secrecy law. On refusing to sign, the defendant was held in contempt. The investigation alleged reporting and currency violations. The defendant appealed to the First Circuit which held the signature as both "testimonial" and "self-incriminating." The court reasoned that the consent form "amounts to an assertion" that the bank customer consented to production of the requested records and that it was "self- incriminating" because it could be used to demonstrate incriminating facts (e.g., that the accounts in the witness's name existed and were within the witness's control). Even at the time, however, this decision was in conflict with the Second, Fifth and Eleventh circuits, which have held such an order does not violate the fifth amendment. (Typically on the grounds that the forms signed were non-testimonial). Lately, clever prosecutors and private litigants have evaded the testimonial hitch entirely by phrasing their consent forms in the hypothetical, and not naming specific account names or numbers. The Supreme Court upheld the order of contempt for a defendant refusing to sign such a document. See, Doe v. United States, 108 S. Ct. 2341 (1988). The Court noted that the form was carefully drafted not to make reference to a specific account, but only to speak in the hypothetical. [...] For more examples See also, United States v. Davis, 767 F.2d at 1040 (holding any problem of testimonial self-incrimination is solved by such an order precluding use of directive as admission); In re Grand Jury Proceedings, 814 F.2d at 795 (expressly approving of reasoning in Davis); United States v. A Grand Jury Witness, 811 F.2d 114, 117 (2d Cir. 1987); United States v. Cid-Molina, 767 F.2d 1131, 1132 (5th Cir 1985); United States v. Ghidoni, 732 F.2d 814, 818 (11th Cir.), cert. denied, 469 U.S. 932 (1984); United States v. Browne, 624 F. Supp. 245, 248 (N.D.N.Y. 1985); United States v. Quigg, 48 A.F.T.R.2d 81- 5953, 5955 (D. Vt. 1981). *end If there is enough interest, I will do a small note on the distinctions that have been important to courts in compelling production of potentially incriminating evidence. > > Most interesting to the crypto crowd: > > > > "Contempts such as failure to comply with document discovery, for > > example, while occurring outside the court's presence, impede the > > court's ability to adjudicate the proceedings before it and thus touch > > upon the core justification for the contempt power.... Similarly, > > indirect contempts involving discrete, readily ascertainable acts, > > _such as turning over a key_ or payment of a judgment, properly may be > > adjudicated through civil proceedings since the need for extensive, > > impartial fact-finding is less pressing." International Union, supra > > (emphasis added). > > I would guess that "turning over a key" here refers not to production to > the court by rather to passing a physical key between two contesting > parties, say a seller and buyer of some property that the key gives > access to. The phrase "turning over" rather than "production of" suggests > this interpretation. So this sounds like something which would be more > likely to occur in a civil proceeding than a criminal one. I have seen a court compell the production of safety deposit box keys in a criminal case when those boxes were suspected to hold the fruits of a crime and the court had acknowledged the defendant's possesion of the key, and ownership of the box as well as the potential incriminating nature of the boxes contents. A per day fine was imposed. If you want specifics I'll attempt to get a waiver from the client and pass them on. > Hal --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From lzirko at isdn.net Mon Apr 15 23:26:43 1996 From: lzirko at isdn.net (Lou Zirko) Date: Tue, 16 Apr 1996 14:26:43 +0800 Subject: UNSUVSCRIVE Broken - Film last week Message-ID: <199604160218.VAA23341@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit I have found the crack to the, until now, unbreakable and frustrating unsuvscrive algorithm on another list. This is what you need to do. Please read these instructions carefully before beginning. tools needed: one Hammer, one screwdriver, one pair of pliers, one heavy-duty pair of wire cutters, one bucket of saline water, a box of sani-wipes. Step #1: Stop payment on any checks that you may have sent to your Internet Service Provider (GOD). Step #2: If GOD is unresponsive and you are still receiving mail from this list, you will need to find the "mailhost". This is a machine usually located in a locked office. Every day around noon, the mailman will deliver a box of diskettes with that day's mail messages, including yours from this list, to this machine. Typically, only a handful of people have keys to the "mailhost". The reason why this machine is locked up is because this is typically the best, fastest, most powerful computer at your facility and the people with keys don't want to share it. If you must, break or pry the door down with one (1) hammer (you did get all the tools needed?). Step #3: find the ON/OFF switch for this machine. Using the pliers, set the switch to the OFF position by tugging downwards until the disposable plastic switch breaks away from the computer casing. Discard the disposable plastic switch in an environmental-friendly manner. This will alert the mailman to not deliver the diskettes with the messages to the "mailhost" not unlike the little red flag found on mailboxes. This should resolve your mail problem immediately. Step #4: You may experience a recurrence of mail within 72 hours. If this should happen, you will need to disable the "mailhost" once again with more forceful measures. Repeat Step #2. Don't be surprised if there is a sturdier door in place than the one you destroyed previously. This is due to the fact that the "Have Key" clique found out that someone has seen their private stash of computer equipment. Step #5: After you have once again regained entry into the "mailhost" room, open up the back of the "mailhost". There may be a large tv-like device on top of the "mailhost" You will need to remove this first. Take your wire cutters, and cut any cables binding the tv-like device to the "mailhost". Set the tv-like device to the side. With your screwdriver, remove each and every screw that you can find on the "mailhost". Once this is done, the "mailhost" should break away into two or more pieces. Step #5: Find a large box with a fan attached to it. It will be clearly marked with the following labels: "Danger" "High Voltage" "Do not open - no user-servicable parts". Don't worry, these labels are merely in place to satisfy OSHA requirements and you are not in any danger at all. Take the bucket of saline water and pour it into any vents or ports that the large box may have. Any extra water should be poured directly into the computer chassis, be sure to properly soak each and every component. Step #6: In the event of fire (OSHA has been known to be right on occasion), douse any flames with the sani-wipes. This solution is provided without warranty. It is not biodegradable or fat-free. In the event of sudden death, contact a physician immediately. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMXMDQRKvccEAmlQ9AQHEywf9F42LWdhmmhg9RtTicWnQW26rAYD2koPk DKoM4r8yIEtVvZfxsdzNQRovpcmC4k2SWkwIb/yu1obVr9y2vC6y25PkxYOppeiA PXjfnAfLE3eBzhfEjLiFdEmCAlsMrJKDdH7LhOtx4r/hbH4OsJmTVuu87sZ+lNJ0 tBSpOae9cfW/4B6Iny3NmTVCWU0RrrGPrie6gzyC95h6kKIJ7JXBQ0Ux11UWVtYW Ef/CYE3jUo/lnlYrTWeTtUSf1Zd9aJzvETYKAqr+EK8HXH0eKECsol5QYR+7atvk XhacowMgdTwVdlait2hXhejR2qGccVr52DqWuTpF1d1ctW7xeSjGxA== =kF21 -----END PGP SIGNATURE----- From nsa at omaha.com Mon Apr 15 23:27:39 1996 From: nsa at omaha.com (Omaha Remailer) Date: Tue, 16 Apr 1996 14:27:39 +0800 Subject: Lotus notes 24 bit hack project? Message-ID: <199604160135.UAA05462@glucose.suba.com> > Revealing what? Its not like there is a mystery, Mr. Detweiler. Well, for one it might be nice to reveal how much easier it is to crack 64-bit RC4 given 24 of the bits than it is to crack straight RC4. (If it is easier.) Just a thought. From jimbell at pacifier.com Mon Apr 15 23:29:01 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Apr 1996 14:29:01 +0800 Subject: What can the judge do to me? Message-ID: <m0u8wb7-0008zLC@pacifier.com> At 10:21 AM 4/15/96 -0700, Hal wrote: >From: Black Unicorn <unicorn at schloss.li> > >> The key to limiting the ability of a court to summarily enter contempt >> sanctions has always been the classification of the sanctions. >> "Criminal" sanctions, may entitle the witness to a trial by jury. >> [...] >> "Civil" sanctions do >> not require such protections and can be imposed on the spot and >> without review. > >I didn't understand what distinguishes civil and criminal sanctions. Is >it the nature of the proceedings, whether it is a civil or criminal case >that is before the judge? Or is it the nature of the contempt charge >itself, where not doing what the judge wants, in broad terms, is civil >contempt? And in that case, what would be criminal contempt? He may answer those questions, but I don't think he'll dare answer the question about if there is a constituional justification for a difference between "civil" and "criminal" in most things the government's courts do. My impression is that the "civil" classification is often simply used to dilute or eliminate the various constitutional protections that the government hasn't yet dared to remove from areas it calls "criminal." Too bad we won't get a straight answer... We also won't get a straight answer about the constitutional justification for "contempt of court" penalties at all! The Constitution defines the powers of government; it does not restrict those of the people. The idea that a judge can punish someone, especially someone not present in court, is bizarre. It is even more odd when such punishment appears to exceed what the government is allowed to do absent any kind of jury decision and conviction. If you're willing to accept NON-Constitutional "justifications," I'm sure you'll get plenty of that. The only hint of a Constitutional obligation to testify comes from an amendment which states that defendants have a right to compel testimony favorable to them; it does not say that prosecution has the right to compel testimony from a third party that incriminates a defendant. If his response is, "Oh, but we've ALWAYS done it that way!", you need to remember that until the American Civil war, slavery was legal in southern states, and until 1920 women weren't allowed to vote, and until 1955 "separate but equal" was the law of the land, until 1972 or so the death penalty was constitutional...and then it wasn't...and then it was again...and so on. Government is never willing to admit it's wrong until it's good and ready. That doesn't mean we can't express our own opinions "prematurely." I'd sure like to hear the "why" behind this stuff, but I won't... Sigh. From grafolog at netcom.com Mon Apr 15 23:45:46 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Tue, 16 Apr 1996 14:45:46 +0800 Subject: Trojan Horse Loose On The Internet In-Reply-To: <doug-9603151349.AA0273400@netman.eng.auburn.edu> Message-ID: <Pine.3.89.9604160236.A21102-0100000@netcom2> On Mon, 15 Apr 1996, Doug Hughes wrote: > >Virus Alert: PKZIP 3.0 Trojan Loose on the Internet Please don't confuse a trojan horse with a virus. > 100% true and verifiable. Although I wouldn't call it deadly or rampant, > it has been making the rounds of late. Mostly it's victims are new users. Isn't this trojan << PKZip 3.0 >> about 4 years old? > After all, how many times have you upgraded your copy of pkzip? ;) 10 times. << Went thru the 204 alphabet of bug fixes. :-( >> xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From secret at secret.alias.net Mon Apr 15 23:59:27 1996 From: secret at secret.alias.net (K00l Secrets) Date: Tue, 16 Apr 1996 14:59:27 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <199604141422.KAA05302@jekyll.piermont.com> Message-ID: <199604160315.WAA15829@paulsdesk.phoenix.net> In article <Pine.LNX.3.92.960414121820.358A-100000 at gak> "Mark M." <markm at voicenet.com> writes: > I haven't heard of any efficient cryptanalysis against Blowfish. I > know there are weak keys, but they are difficult to exploit. 16 > round Blowfish can be broken using differential cryptanalysis with > 2^128+1 chosen plaintexts. Doesn't this assume known S-boxes, though? If so, since the S-boxes are key dependent, is this anything to worry about? From jimbell at pacifier.com Tue Apr 16 00:04:05 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 16 Apr 1996 15:04:05 +0800 Subject: What can the judge do to me? Message-ID: <m0u90Yb-00090RC@pacifier.com> At 07:51 PM 4/15/96 -0400, Black Unicorn wrote: >On Mon, 15 Apr 1996, jim bell wrote: > >> At 10:21 AM 4/15/96 -0700, Hal wrote: >> >From: Black Unicorn <unicorn at schloss.li> > >[...] > >> >I didn't understand what distinguishes civil and criminal sanctions. Is >> >it the nature of the proceedings, whether it is a civil or criminal case >> >that is before the judge? Or is it the nature of the contempt charge >> >itself, where not doing what the judge wants, in broad terms, is civil >> >contempt? And in that case, what would be criminal contempt? >> >> He may answer those questions, but I don't think he'll dare answer the >> question about if there is a constituional justification for a difference >> between "civil" and "criminal" in most things the government's courts do. > >Mr. Bell amuses me because he can never decide if he's a constitutional >formalist, as above (all things the government does must be explicitly >justified in the constitution) or a pragmatist, Above, I merely asked a question that you still can't answer. The fact that courts claim that there is a difference between "civil" and "criminal" does not mean that any such difference is constitutionally mandated, or for that matter even allowed. Nothing in your response showed otherwise. >(a) A criminal contempt fine is punitive and can be imposed only through >criminal proceedings, including the right to jury trial. Does that mean that it would have been constitutionally impermissible to take the different position that ALL fines are ultimately "punitive"? That position is apparently not _excluded_ by the constituion, which means that at best, you might try to argue that your position is _allowed_ by the constitution. But since the Constitution is, indeed, the statement of the government's authority, not its limits, that would be a contradiction. The obvious conclusion is that your sentence above is simply unsupported by the Constitution, as are many of your statements below. I'm not claiming that you are, necessarily, the source of the contradiction: Obviously, most of it is simply governmental misbehavior that you are reporting. >A contempt fine is >considered civil and remedial if it either coerces a defendant into >compliance with a court order You do love those circular arguments, don't you! Maybe it's pointless to ask you why anybody has to "comply with a court order." I've already asked this before: What, in the Constitution, gives judges authority over non-defendant citizens? >(b) Most contempt sanctions share punitive and coercive characteristics, and >the fundamental question underlying the distinction between civil and >criminal contempts is what process is due for the imposition of any >particular contempt sanction. Direct contempts can be penalized summarily >in light of the court's substantial interest in maintaining order and >because the need for extensive factfinding and the likelihood of an >erroneous deprivation are reduced. Greater procedural protections are >afforded for sanctions of indirect contempts. Certain indirect contempts >are particularly appropriate for imposition through civil proceedings, >including contempts impeding the court's ability to adjudicate the >proceedings before it and those contempts involving discrete, readily >ascertainable acts. For contempts of more complex injunctions, >however, criminal procedures may be required. Id. A paragraph which is delightfully free of constitutional justification. It apparently merely parrots the decisions of courts, it doesn't explain them. Typical Unicorn behavior. >Because civil contempt sanctions are viewed as nonpunitive and avoidable, >fewer procedural protections for such sanctions have been required. Hmmm... I wonder why? I mean, would it have been impossible for the SC to have declared that regardless of those assertions, ALL such sanctions require those "procedural protections." Unicorn has no answer, as usual. Hint: If the position you support is true, then you should be able to show me evidence that no other alternative position is consistent with the Constitution. As long as you cannot show that one PARTICULAR interpretation is uniquely supported, you haven't supported this particular claim. >To the extent that such contempts take on a punitive character, however, >and are not justified by other considerations central to the contempt >power, criminal procedural protections may be in order. International Union. No constitutional justification, again. Ho hum. >The justification for the contempt charges are on the >proper administration of justice, to which every citizen is entitled. Unicorn fails to show that "Proper administration of justice" requires contempt charges. And the most obvious problem with the "to which every citizen is entitled" argument is that it is vastly overbroad: If it could be used in this instance, it could be used to justify beating confessions out of prisoners, shooting unarmed suspects, and practically every other act that somebody claimed was necessary for "the proper administration of justice." After all, consider how "justice" was administered 300 years ago. I'm sure those people did a lot of things, based on a claim that it was necessary for "the proper administration of justice." Was it really? What, BTW, is "proper"? >While I'm sure Mr. Bell would like it if he could just flip off a court, >as with most self centered types, I don't think he has considered the >ramifications of this kind of impunity in the aggregatre. Is that a satisfactory justication for your position? > >Mr. Bell claims this is a new tyrranical development. Mr. Bell is incorrect. Where, EXACTLY, did I claim that it was a "new" development? I've carefully re-read my statements, and I see nothing that states or even implies this. Continuing to knock down that straw man, huh? >Ex parte Robinson, 86 U.S. 505, 19 Wall. 505, 510, 22 L. Ed. 205 (1874) >(contempt authority is vital to the administration of justice). >(122 years ago). In 1860, slavery was considered vital to the running of much of the US. So? [a couple other old decisions excised because they are irrelevant, and they are irrelevant because I didn't claim this was a "new" development."] >One might also remember where the term "pressing the defendant for a >plea" originated. Contempt sanctions are nearly 500-600 years old and >are a response to the need to effect compliance with orders and summons. Which simply means that what a court thinks it "needs" is frequently wrong. If courts "needed" pressing, why do they no longer do it? Hmmmmm? Apparently, it wasn't really necessary, and thus, any justifications based on the claim that it was necessary were dishonest. As are your justifications today, on a somewhat different issue. I've long pointed out that your own arguments self-destruct, and perhaps that was the most laughable example. >> We also won't get a straight answer about the constitutional justification >> for "contempt of court" penalties at all! The Constitution defines the >> powers of government; it does not restrict those of the people. > >I suppose you don't think anyone need serve on juries? Generally in a non-slavery society, if you want people to do something for you, you hire them at a wage they will accept, and they'll happily do what you want. It's called "capitalism." Too bad courts still believe in slavery. >Or appear before a court when summoned? Tell me, if _I_ "summon" somebody, do they have to show as well? If not, why should a "court" have any such authority. > Or testify if its inconvenient? If it's testimony in favor of the prosecution, and I don't want to give that testimony, I see no constitutional justification for forcing me to do so. You'll probably try to claim that this testimony is "necessary." Let's suppose I was out of the country and was unavailable for subpoena. The trial would go on, anyway, so obviously my testimony was not "necessary" by any logical definition. It was merely desirable, by somebody's opinion. Sure, the prosecution may lose the case, but the prosecution doesn't have a "right" to win the trial, now does it? At best, it only has the "right" (arguably; but even that "right" is conditional) to have a trial. The outcome is not guaranteed! >> The idea >> that a judge can punish someone, especially someone not present in court, is >> bizarre. It is even more odd when such punishment appears to exceed what >> the government is allowed to do absent any kind of jury decision and >> conviction. > >Huh? Ever hear of late filing fees? Administrative fines? Taxes? I said it was "bizarre." I did not say it was "uncommon." BTW, note that "late filing fees" assumes that somebody is obligated to file something, and likewise "Administrative fines" assumes that somebody is entitled to levy them, etc. We won't get into taxes, that would take FAR too long. > How >many examples do you want where government can impose costs on persons >without a fully jury trial? Even contracts are in the end enforced by >government in the United States. But they apparently don't have to be. Arbitration is an option. >> If you're willing to accept NON-Constitutional "justifications," I'm sure >> you'll get plenty of that. >> >> The only hint of a Constitutional obligation to testify comes from an >> amendment which states that defendants have a right to compel testimony >> favorable to them; it does not say that prosecution has the right to compel >> testimony from a third party that incriminates a defendant. > >Look, Mr. Bell. I don't know where you get this stuff, I notice that you failed to address the point. You're unable to find any Constitutional justification for compelling prosecution testimony. There is no constitutionally-defined mechanism for it, either. That's because none exists. > but you really >need to take a few classes in jurisprudence. I am well aware of the misbehavior of government. The issue is constitutional justifications for it. They seem to be, well, practically nonexistent. > You need to learn what life >would really be like if the strict reading of the constitutional you urge 5>was followed, and you need to transcend your political Yaddaing into a set >of criteria which resemble something like earthbound possibilities. I'm working on it. But you won't like the outcome; there will be no "kings", either stated or implied, in the system I am crafting. No centralizations of power at all. It will be a system you can't understand. > >> If his >> response is, "Oh, but we've ALWAYS done it that way!", you need to remember >> that until the American Civil war, slavery was legal in southern states, and >> until 1920 women weren't allowed to vote, and until 1955 "separate but >> equal" was the law of the land, until 1972 or so the death penalty was >> constitutional...and then it wasn't...and then it was again...and so on. >> Government is never willing to admit it's wrong until it's good and ready. > >By 'wrong' you mean doesn't agree with you. I'm sure precident and it's >rationale means little to you. That's spelled "precedent." But why am I telling you this? From unicorn at schloss.li Tue Apr 16 00:09:27 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 16 Apr 1996 15:09:27 +0800 Subject: [Yadda Yadda Yadda] Re: What can the judge do to me? In-Reply-To: <m0u90Yb-00090RC@pacifier.com> Message-ID: <Pine.SUN.3.91.960415230235.7936G-100000@polaris.mindport.net> On Mon, 15 Apr 1996, jim bell wrote: As I predicted, Mr. Bell attributes positions to me I never took. > At 07:51 PM 4/15/96 -0400, Black Unicorn wrote: > take the different position that ALL fines are ultimately "punitive"? That > position is apparently not _excluded_ by the constituion, which means that ^^^^^^^^ > at best, you might try to argue that your position is _allowed_ by the ^^^^^^^^^^^^^ > constitution. Woah, nice transition. "That position" suddenly becomes "my position." Tell me, what is my position? I never expressed an opinion. > >A contempt fine is > >considered civil and remedial if it either coerces a defendant into > >compliance with a court order > > You do love those circular arguments, don't you! ^^^ ^^^ The above is the argument of the court, not my argument. I never expressed an opinion on the argument. > Hint: If the position you support is true, then you should be able to show ^^^^^^^^^^^^^^^^^^^^^^^^ > Is that a satisfactory justication for your position? ^^^^^^^^^^^^^ What was my position again? > Apparently, it wasn't really necessary, and thus, any justifications based > on the claim that it was necessary were dishonest. As are your ^^^^ > justifications today, on a somewhat different issue. ^^^^^^^^^^^^^^ My justifications? Where? > > I've long pointed out that your own arguments self-destruct, and perhaps ^^^^^^^^^^^^^^^^^^ I'm making none here. > >By 'wrong' you mean doesn't agree with you. I'm sure precident and it's > >rationale means little to you. > That's spelled "precedent." But why am I telling you this? Because English is my third (or fourth depending on how you count them) language and I don't bother with spell checkers? How well do you spell in German, Alemanish or Estonian? As always, I never expressed opinions on the courts view. You asked for justifications, I gave you the court's. I've not commented on my own view. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From alano at teleport.com Tue Apr 16 00:23:10 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 16 Apr 1996 15:23:10 +0800 Subject: Portland Cypherpunk Meeting for April Message-ID: <2.2.32.19960416035657.00ab813c@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- There will be another physical meeting on the Cypherpunks in Portland, OR. The particulars: Location: Powell's Technical Bookstore 33 NW Park Portland, OR 97209 (Just north of Burnside off of the Park blocks.) Date: April 27th, 1996 Time: 5:23pm Discussions will cover: ** A Portland Remailer ** Various Coding Projects ** Events in the News ** Other Projects related to Crypto (Web sites and Documentation) ** Possible PGP Keysigning (Depends on the response) ** General Discussion Devolving into Chaos If you have any other topics for discussion, bring them up at the meeting or you can e-mail me in advance. Powell's Technical Book has a good selection of crypto books, so you might want to be prepared. (Do not bring money you cannot afford to spend. Powell's has an evil force that seduces people into buying books.) A PGP keysigning will be held if there are enough interested people. If you are interested in participating, please send me your public key via e-mail. Any comments, suggestions, ideas, and/or complains can be sent to me at alano at teleport.com. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMXMZZeQCP3v30CeZAQG0/Af/To2q0fuLk8Q6KquP+6LX1/1EOqGGoxBZ jWfCJoz40Wk1EHMJMis+XpiPgcXg2nAZNeQXubS4Q9se8uGG57UbzpX8rv5GnzdV HWimufNeL/bfxSn+OYswTEQExSwG2V/TSWZNwfFf5Xl/6V0zy1Xa5qY8CEtXn1fr 3/vXicYexd3NwSvToN5udYYtUe2kH14O3RIoXAnaJwMZLvS+oiDzw8LWXI7UMdsf akUbhisfgf/lu3wiMVQkN2hdP15rioIlAhryA0skvl1fxh3OkFC8/GDJpRBRWD+K RjO5VgRRXYrQUG4PKAK8Y1/PSINzandOkaMc2duaSshslZYyI3YRmg== =zD1a -----END PGP SIGNATURE----- --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From shamrock at netcom.com Tue Apr 16 00:49:53 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 16 Apr 1996 15:49:53 +0800 Subject: Just wondering... Message-ID: <v02120d65ad98c5937a3a@[192.0.2.1]> --- begin forwarded text Posted-Date: Mon, 15 Apr 1996 17:54:06 -0400 Date: Mon, 15 Apr 1996 17:54:06 -0400 (EDT) From: Black Unicorn <unicorn at schloss.li> X-Sender: unicorn at polaris.mindport.net To: Lucky Green <shamrock at netcom.com> Subject: Re: Just wondering... MIME-Version: 1.0 On Mon, 15 Apr 1996, Lucky Green wrote: > Uni, > Just from past experience: if the judge realizes after putting you into the > slammer for a month and levying a $10k fine for contempt that you don't > have the information he is trying to coerce out of you, do you usually get > your money back? What about income lost while incarcerated? The former I have seen happen, the latter never. In the former case a tax document was "lost" by the witness's accountant who was in Moldavia and could not be located. The judge, reasonably, thought the witness was full of it. He imposed a per day fine, and after a time incarcerated the witness before the accountant was (finally) located and testified (by long distance telephone and intrepreter) that the documents have been lost in a fire at the national administration building, proof of which was entered in the form of newpaper articles. A motion to quash the fine was granted. The court apologized for the incarceration. Fines that are large and seem reasonable in the heat of court are more likely to get quashed when a judge who wasn't there later reviews it. Still, this is rare. As to the latter, that doesn't mean it won't, but seems unlikely. You don't usually get paid for the time you lose in court either, unless you sue for wrongful prosecution or costs which require malicious and wrongful prosecution. (Unlikely, extremely hard to prove or get a court to enforce). Pay your own costs tends to include opportunity cost of time in court. > TIA, > > -- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. Feel free to repost this to the list. I don't forward private mail without explicit permission, but I think the list, and Mr. Finney might like to see it. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com --- end forwarded text -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From ses at tipper.oit.unc.edu Tue Apr 16 01:07:08 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 16 Apr 1996 16:07:08 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) In-Reply-To: <MlQivta00YUuQxjmpq@andrew.cmu.edu> Message-ID: <Pine.SOL.3.91.960415222001.679A-100000@chivalry> Dash it Declan, I spent a hard day up to my eyeballs in ASN.1. When I get home I want something cute to look at. Where are the darn ducks? Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From furballs at netcom.com Tue Apr 16 01:50:22 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Tue, 16 Apr 1996 16:50:22 +0800 Subject: Trojan Horse Loose On The Internet In-Reply-To: <19960415073947953.AAA74@Executioner.utm.my> Message-ID: <Pine.3.89.9604151845.A4741-0100000@netcom12> Yes, the PKZIP 3.0 virus does exist, but it is a trojan, not a virus. You have to run the program - then it does a dance on your disk with less than pleasurable results. The latest official version of PKZIP I know of is 2.04g. Any other version greater than this should be suspect. ...Paul ------------------------------------------------------------------------- "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everybody gets busy on the proof" -- John Kenneth Galbraith "Success is attending a funeral as a spectator" -- E. BonAnno ------------------------------------------------------------------------- On Mon, 15 Apr 1996, Ramli Bin Jaafar wrote: > According to several reliable sources there is a deadly virus on the > Internet. This is NOT a hoax! > CAN ANYBODY CHECK THIS OUT, PLEASE.. > > Note: The reliability of all information below is UNKNOWN. > > WHAT: > Virus Alert: PKZIP 3.0 Trojan Loose on the Internet > > BACKGROUND: > A trojan (virus) program, PKZIP 3.0, which is advertised as an updated > version of the popular compression utility PKZIP, is currently being > distributed on the Internet. Please note that this trojan is REAL and > DESTRUCTIVE. Once executed, this program will destroy data on your hard > drive; there's no stopping it. > > According to PKWARE, makers of PKZIP, the only released versions of PKZIP > are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently > circulating on the Internet are suspect and should not be used. > > ACTION REQUIRED: > Please do not download or execute any files that are named PKZ300B.EXE, > PKZ300B.ZIP, PKZIP300.ZIP, PKZIP300.EXE, etc. from the Internet or other > external source. > From secret at secret.alias.net Tue Apr 16 02:21:59 1996 From: secret at secret.alias.net (K00l Secrets) Date: Tue, 16 Apr 1996 17:21:59 +0800 Subject: None Message-ID: <199604160615.BAA16813@paulsdesk.phoenix.net> > If the Diffie-Hellmann patent covers all kind of public key crypto, > you need a license from Cylink, i.e. BSAFE is not enough, and if it > doesn't you can use El Gamal without a license. Are there any freely available implementations of El Gamal? From Robin.Felix at felixpc.delfinsd.delfin.com Tue Apr 16 02:55:46 1996 From: Robin.Felix at felixpc.delfinsd.delfin.com (Robin Felix) Date: Tue, 16 Apr 1996 17:55:46 +0800 Subject: math patents Message-ID: <01BB2B22.63457780@delfinsd-gw.delfinsd> At 04/14/96 1457, jim bell may have written: >At 09:08 AM 4/14/96 -0800, Lee Tien wrote: >>My recollection from law >>school is that the law was friendly to math patents in the period before >>the Supreme Court weighed in. There were some PTO denials, which courts >>reversed (I think the Court of Claims heard these back then). So I think >>the trend was toward patenting processes even if mathematical until >>Gottschalk v. Benson >I seem to recall reading that one of the breakthrough "algorithm" patents >was from the 1970's, in which a rubber-curing/molding process's cure time >was determined by a mathematical formula based on heat, pressure, mold >shape, and a number of other variables. You're referring to Diamond v. Diehr, 450 U.S. 175, 195 (1981). I have a half-finished article I wrote in 1994 on software algorithm patents, about 32K, available at <http://www.delfinsd.delfin.com/felix/Algorithm_Patents.htm>. It's the good part, the background material minus footnotes. Although it's a bit dated, the description of foundational cases is still accurate. From grafolog at netcom.com Tue Apr 16 03:18:06 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Tue, 16 Apr 1996 18:18:06 +0800 Subject: Distributed Key Breaking In-Reply-To: <Pine.SOL.3.91.960415151333.14114J-100000@xun9> Message-ID: <Pine.3.89.9604160251.A21102-0100000@netcom2> Mark: On Mon, 15 Apr 1996, Mark Cooke wrote: > anyone considered writing a Java Applet that would could run key space > searches and factoring in an easily distributed manner. Interesting idea. > This would seem to be a 'reasonable' way to gain access to more CPU power And a "reasonable" way to get people who aren't interested in helping to break keys, by doing so ---- every time somebody hits your webpage, they get held up for, say 3 minutes, to do a little keybreaking of their own. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From watson at tds.com Tue Apr 16 03:20:26 1996 From: watson at tds.com (watson at tds.com) Date: Tue, 16 Apr 1996 18:20:26 +0800 Subject: Article on PGP flaws In-Reply-To: <199604152026.QAA31962@nrk.com> Message-ID: <Pine.SOL.3.91.960415234347.5127B-100000@mailman.tds.com> On Mon, 15 Apr 1996, David Lesher wrote: > I'm told a periodical: > Crypto & Security > Vol 15 #1 > has an article: > Probabilistic [sp] Flaws in PGP {aprox title} > by Thierry Moreau > > Has anyone seen/commented on it? ... Actually it's Computers and Security. Complains about the PRNG. Says if someone gets your randseed.bin they can infer the PRNG output sequence and your IDEA key. Doesn't develop in any detail. Says the IDEA key should be chosen from _truly_ random numbers. And this is an expensive magazine. From declan+ at CMU.EDU Tue Apr 16 03:20:41 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 16 Apr 1996 18:20:41 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) Message-ID: <MlQivta00YUuQxjmpq@andrew.cmu.edu> ----------------------------------------------------------------------------- The CDA Challenge, Update #7 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Courtesy of The Netly News ----------------------------------------------------------------------------- From the Netly News at <http://pathfinder.com/Netly/daily/nnhome.html>: We've become fans of Declan McCullagh's dispatches from Philadelphia where a three-judge panel is determining the fate of the so-called Communications Decency Act. McCullagh, as you probably know, is an activist with the EFF whose free-speech stance mirrors our own. We'd be happy to run an opposing viewpoint, but we don't know anyone who's actually pro-CDA. Still, if you are and would like to use this bully pulpit to pitch your ideas to an extremely hostile audience, drop us a line. In the meantime, here's a piece we asked McCullagh to do for us as the hearing winds down. ----------------------------------------------------------------------------- In this update: Ducks on the Net! More on BYU's Dan Olsen's censorhappy boondoggle Grey Flannel Suit wears Blue Pinstripe, surfs for porn April 15, 1996 PHILADELPHIA -- Ducks were a hit at the most recent Communications Decency Act hearing in Philadelphia's Federal court. Yes, ducks. Last Friday the Department of Justice's cybersleaze expert took the stand to show how easily children can stumble across online porn -- but the three-judge panel limited his demonstration to G-rated GIFs that he sucked down from alt.binaries.pictures.animals. (The judges already had hundreds of pages of dirty downloads in large black binders, courtesy of the Feds.) After the second or third image of waterfowl cartoons, Judge Stewart Dalzell said: "I'm sure we can agree that this is a cute duck." U.S. Third Circuit Court of Appeals Chief Judge Dolores Sloviter ruled: "I think we've seen enough of the ducks." Justice Department attorneys had reserved the day to defend the constitutionality of the CDA, arguing that the criminal provisions of the law and a system to label sexually-explicit materials combine to form the best way to prevent children from stumbling across cyberporn. Key to the DoJ strategy was the testimony of Dan Olsen, Jr., their pet censorhappy toady from Brigham Young University who testified that to comply with the CDA, everyone who uses "indecent" speech should label it as "-L18," meaning unsuitable for those less than 18 years old. An intense cross examination by the ALA/CIEC's Bruce Ennis forced the BYU computer scientist to admit that his proposal has fatal problems: * Web browsers, IRC clients, newsreaders, and even the telnet application must be rewritten to recognize the "-L18" string. * Everyone who posts or publishes "indecent" materials must comply, including folks overseas. * "-L18" relies on the poster or publisher to decide what is "decent" or not -- unlike PICS, which our witness testified allows third parties to rate content, including non-U.S. material. On the fight-censorship mailing list, online activist Carl Kadie has pointed out why Olsen's plan is unconstitutional: 1. "The Government generally can not compel speech (including self-labels)" 2. "It would restrict 17-year olds to material suitable for 5-year olds." Given the braindead nature of Olsen's scheme, it's not surprising that he has no expertise in protocol design or distributed computing environments like the Internet. He also admitted during cross-examination that he invented the "-L18" boondoggle in the last two weeks and was unaware that similar proposals like "KidCode" already exist. An odd mix of prudish themes and Orwellian overtones laced his testimony. Olsen, the incoming director of the Human Computer Interaction Institute at Carnegie Mellon University, testified that he found both Playboy centerfolds and "the seven dirty words" patently offensive. (He'll fit in nicely at his new job. CMU still bans the alt.binaries.pictures.erotica.* hierarchy from campus computers.) When asked if a list of URLs looked like a bunch of porn sites, Olsen hesitated: "I don't know, but I wouldn't go there." Judge Dalzell interrupted: "The 'Chick of the Day' could be poultry!" Judge Sloviter said: "Are you sure it isn't a duck?" In response to Bruce Ennis' question about how ISPs can check the ages of their users, Olsen replied: "The only people who might have this would be the Social Security Administration. I'm sure they have that information." So Olsen proposes that the _Social Security Administration_ would control who is allowed to access to the Net? +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ GREY FLANNEL SUIT SURFS NET FOR PORN, WEARS BLUE PINSTRIPE +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ The DoJ's net.sex expert who testified in the morning was Grey Flannel Suit -- AKA Howard Schmidt, Special Agent, Director of the Air Force Office of Special Investigations, Computer Crime Investigations. Schmidt started surfing the Net to show how easily a child could stumble across cyberporn. His smooth demonstration was interrupted when ALA/CIEC attorney Ann Kappler pressed for details and Schmidt reluctantly allowed that he had run his initial searches without SurfWatch activated. Schmidt admitted: "SurfWatch would not have allowed the search." He also had typed in URLs from the paper copy of Playboy Magazine -- which children are prevented from buying. Kappler told me over lunch: "He left himself wide open." The judges seemed to agree. No matter what our Philly panel decides, this case is headed for the Supreme Court. Today is the last day of our hearing, followed by closing arguments on June 3. [As of late 4/15, this has been rescheduled to 5/10. -DBM] Then the three-judge panel will issue an opinion by the end of the summer. The losing side will appeal to the Supreme Court, which returns from summer recess on October 7. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court 4/15 for the last day of the hearing and 5/10 for closing arguments. The 4/26 date is no longer necessary since we finished a day early. Mentioned in this CDA update: Carl Kadie's note on how Olsen's plan is unconstitutional <http://fight-censorship.dementia.org/fight-censorship/dl?num=2174> CDA Update #6, with more details on Dan Olsen's proposal <http://fight-censorship.dementia.org/fight-censorship/dl?num=2143> Net-Guru David Reed's article: "CDA may pervert Internet architecture" <http://fight-censorship.dementia.org/fight-censorship/dl?num=2093> Social Security Admin. <http://www.ssa.gov/> Dan Olsen at BYU <http://www.cs.byu.edu/info/drolsen.html> Fight-Censorship list <http://fight-censorship.dementia.org/top/> BYU's censorship policy <http://advance.byu.edu/pc/releases/guidelines.html> Rimm ethics critique <http://www.cs.cmu.edu/~declan/rimm/> Int'l Net-Censorship <http://www.cs.cmu.edu/~declan/zambia/> CMU net-censorship <http://www.cs.cmu.edu/~kcf/censor/> University censorship <http://joc.mit.edu/> Grey Flannel Suit <howardas at aol.com> Carl Kadie's CAF site <http://www.eff.org/CAF/> This report and previous CDA Updates are available at: <http://fight-censorship.dementia.org/top/> <http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/> <http://www.epic.org/free_speech/censorship/lawsuit/> To subscribe to the fight-censorship mailing list for future CDA updates and related net.censorship discussions, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: <http://www.eff.org/> <http://www.aclu.org/> <http://www.cdt.org/> <http://www.ala.org/> ----------------------------------------------------------------------------- From unicorn at schloss.li Tue Apr 16 03:30:43 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 16 Apr 1996 18:30:43 +0800 Subject: What can the judge do to me? In-Reply-To: <199604160641.XAA16500@netcom9.netcom.com> Message-ID: <Pine.SUN.3.91.960416024611.15421A-100000@polaris.mindport.net> On Mon, 15 Apr 1996, Bill Frantz wrote: > At 7:51 PM 4/15/96 -0400, Black Unicorn wrote: > >Even contracts are in the end enforced by government in the United States. > > The fact the illegal contracts can't be enforced is responsible for most > "drug" violence. Hmmm. Interesting point. But would admitting you had a contract with Fred to smuggle 100 kilos of herion into the United States be a waiver of your Fifth Amendment right against self incrimination? (I think most certainly so). Even if that could be enforced in civil proceedings, it would hardly encourage litigants to just come to court instead of shooting themselves. > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From tcmay at got.net Tue Apr 16 05:05:04 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 16 Apr 1996 20:05:04 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) Message-ID: <ad987d0e0002100459cc@[205.199.118.202]> At 12:51 AM 4/16/96, Declan B. McCullagh wrote: >In this update: Ducks on the Net! > More on BYU's Dan Olsen's censorhappy boondoggle > Grey Flannel Suit wears Blue Pinstripe, surfs for porn ???? Apparently "The Netly News" has given up on simple, straightforward reporting in favor of "Pop Journalism." Cute headlines instead of informative ones. (The reason I no longer try to wade through the cuteness of "Wired," another example of postmodernism carried too far.) Curmudgeonly Yours, --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue Apr 16 06:03:41 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 16 Apr 1996 21:03:41 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <ad987fec02021004063f@[205.199.118.202]> At 9:16 PM 4/15/96, Wei Dai wrote: >On Thu, 11 Apr 1996, Timothy C. May wrote: > >> That there can be no simple definition of entropy, or randomness, for an >> arbitrary set of things, is essentially equivalent to Godel's Theorem. > >I think what you mean is that there is no simple way to measure >randomness. Simple, nice definitions of randomness do exist. Actually Well, I don't view any of the "simple definitions" of randomness as especially useful; that is, the simple definitions have a kind of circularity (implicit in the points we both make). For example, "an object is "random" if it has no shorter description than itself," the classic Solomonoff-Kolmogorov-Chaitin definition, is quite elegant, but doesn't help much in many cases. Because even this definition needs to be fleshed out, thought about, pondered, and explored, this is why I said "there can be no simple definition of entropy, or randomness, for an arbitrary set of things." Maybe you would say a simple definition does exist, but that interpreting that definition and applying it to a set of things is harder....a difference, I think, of emphasis. I hold that in looking at some object (set, sequence, string, etc.) and asking "Is it random?," the very question is misleading. It may _appear_ to be random to me, or to a particular machine which is unable to find a compression (= shorter description, implying nonrandomness), but someone else or some other program may find the compression. >> (To forestall charges that I am relying on an all-too-common form of >> bullshitting, by referring to Godel, what I mean is that "randomness" is >> best defined in terms of algorithmic information theory, a la Kolmogorov >> and Chaitin, and explored in Li and Vitanyi's excellent textbook, >> "Algorithmic Information Theory and its Applications.") > >A year ago, you recommended me a book by the same authors titled _An >Introduction to Kolmogorov Complexity and Its Applications_. Have the >authors written a new book, or are these the same? The same book. I rely on carbon-based memory. By the way, Greg Chaitin has a new version of his "Universal Turing Machine" system implemented in JavaScript. At: http://www.research.ibm.com/people/c/chaitin/nv/index.html (Here I rely on non-carbon-based cut-and-paste.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Tue Apr 16 06:32:17 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 16 Apr 1996 21:32:17 +0800 Subject: What can the judge do to me? Message-ID: <199604160641.XAA16500@netcom9.netcom.com> At 7:51 PM 4/15/96 -0400, Black Unicorn wrote: >Even contracts are in the end enforced by government in the United States. The fact the illegal contracts can't be enforced is responsible for most "drug" violence. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From alano at teleport.com Tue Apr 16 06:46:40 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 16 Apr 1996 21:46:40 +0800 Subject: None Message-ID: <2.2.32.19960416070406.00a8a95c@mail.teleport.com> At 01:15 AM 4/16/96 -0500, K00l Secrets wrote: >> If the Diffie-Hellmann patent covers all kind of public key crypto, >> you need a license from Cylink, i.e. BSAFE is not enough, and if it >> doesn't you can use El Gamal without a license. > >Are there any freely available implementations of El Gamal? >From what I remember, RSA had made various legal threats to anyone using El Gamal. (They claimed it was covered under their patents.) Since the Cylink/PKP blowup, I am not certain of the status of this algorithm. Does anyone have more information on the current status of El Gamal? --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From unicorn at schloss.li Tue Apr 16 07:46:15 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 16 Apr 1996 22:46:15 +0800 Subject: What can the judge do to me? In-Reply-To: <2.2.32.19960416105311.00ce803c@panix.com> Message-ID: <Pine.SUN.3.91.960416065243.15421B-100000@polaris.mindport.net> On Tue, 16 Apr 1996, Duncan Frissell wrote: > At 07:36 PM 4/12/96 -0400, Black Unicorn wrote: > > >I think it's clear, the court literally spells this out, that holding > >a witness indefinitely until he complies with court orders is within > >the discretion of a judge. Compelling through sanctions the > >production of a "key" (though I'm not sure a crypto key is directly > >contemplated) is likewise clearly permitted. > > In practice though, two years seems to be the limit. That was the duration > for Dr. Elizabeth Morgan and for the guy in SF in the mid 70's who won the > Irish Sweepstakes and refused to repatriate his winnings so they could be > taxed. Is anyone aware of a contempt sentence longer than two years? If no > examples exist, then two years is the limit. I seem to remember a pair, let me look. > > There is always more bluff than reality in enforcement. See the > Transactional Records Clearing House (http://www.trac.syr.edu/) for real > info on federal criminal referrals and filings. Total tax fraud and evasion > filings were circa 1000 in 1994, for example. Notice that those do not include deficancies which were discovered, assessed, and settled without charges. Doesn't make any difference if it's bluff or reality if you can't or wont call. > DCF > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From adam at lighthouse.homeport.org Tue Apr 16 07:47:15 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 16 Apr 1996 22:47:15 +0800 Subject: None In-Reply-To: <199604160615.BAA16813@paulsdesk.phoenix.net> Message-ID: <199604161222.HAA23955@homeport.org> See www.homeport.org/~adam/crypto/ K00l Secrets wrote: | | | > If the Diffie-Hellmann patent covers all kind of public key crypto, | > you need a license from Cylink, i.e. BSAFE is not enough, and if it | > doesn't you can use El Gamal without a license. | | Are there any freely available implementations of El Gamal? | -- "It is seldom that liberty of any kind is lost all at once." -Hume From frissell at panix.com Tue Apr 16 07:55:28 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 16 Apr 1996 22:55:28 +0800 Subject: What can the judge do to me? Message-ID: <2.2.32.19960416105311.00ce803c@panix.com> At 07:36 PM 4/12/96 -0400, Black Unicorn wrote: >I think it's clear, the court literally spells this out, that holding >a witness indefinitely until he complies with court orders is within >the discretion of a judge. Compelling through sanctions the >production of a "key" (though I'm not sure a crypto key is directly >contemplated) is likewise clearly permitted. In practice though, two years seems to be the limit. That was the duration for Dr. Elizabeth Morgan and for the guy in SF in the mid 70's who won the Irish Sweepstakes and refused to repatriate his winnings so they could be taxed. Is anyone aware of a contempt sentence longer than two years? If no examples exist, then two years is the limit. There is always more bluff than reality in enforcement. See the Transactional Records Clearing House (http://www.trac.syr.edu/) for real info on federal criminal referrals and filings. Total tax fraud and evasion filings were circa 1000 in 1994, for example. DCF From ddt at lsd.com Tue Apr 16 08:48:43 1996 From: ddt at lsd.com (Dave Del Torto) Date: Tue, 16 Apr 1996 23:48:43 +0800 Subject: [NEWS] Security Dynamics Buys RSA Message-ID: <v03006309ad9939c9cd91@[192.187.167.52]> <http://www.rsa.com/ANNOUNCE/buyout.htm> For information about RSA: Patrick Corman or Lisa Croel Corman/Croel Marketing & Communications (415) 326-9648 or (415) 326-0487 Corman at cerf.net or Lcroel at mediacity.com FOR IMMEDIATE RELEASE Security Dynamics to Acquire RSA in Transaction Valued at Approximately $200 Million Cambridge MA and Redwood City, CA -- April 15, 1996 -- Security Dynamics Technologies, Inc. (NASDAQ: SDTI) and RSA Data Security, Inc. today announced that they have signed a definitive agreement for Security Dynamics to acquire RSA, a Redwood City, California vendor of encryption software. The transaction is intended to be carried out by the merger of RSA and a wholly-owned subsidiary of Security Dynamics in a tax-free transaction accounted for as a pooling of interests. For the year ended December 31, 1995, RSA had revenues and net income of approximately $11,6000,000 and $950,000, respectively. Upon consummation of the merger, Security Dynamics will issue or reserve for issuance 4,000,000 shares of its Common Stock in exchange for all of the outstanding shares and options to acquire shares of RSA. Based on the closing price of Security Dynamics Common Stock on the Nasdaq Market on April 12, 1996, the transaction is valued at approximately $200,000,000. The transaction is scheduled to close in June 1996. The consummation of the merger is subject to approval by the stockholders of both Security Dynamics and RSA and the satisfaction of antitrust and certain other conditions. In connection with the merger agreement, certain RSA stockholders, who currently own approximately 70% of the outstanding shares of RSA, have agreed to vote their RSA shares in favor of the merger. "RSA's technology is an excellent fit with Security Dynamics' enterprise-wide security solutions," said Charles R. Stuckey, Jr., President and Chief Executive Office of Security Dynamics. "In the rapidly growing Internet and Intranet markets, security has become on of the major issues. The merger of RSA and Security Dynamics combines our user identification and authentication technology and RSA's public key and encryption technology, each of which is a de facto standard. We believe this brings into a single organization the management and technical talent needed to bring to market the most effective security applications." "The synergy between the two companies is outstanding," said Jim Bidzos, President and Chief Executive Officer of RSA. "RSA and Security Dynamics technologies must be delivered as an integrated solution to corporate and Internet users. The best way to accomplish this is for the two companies to become one." According to both executives, RSA will continue its existing license business as a subsidiary of Security Dynamics. Security Dynamics Technologies, Inc. Security Dynamics designs, develops, markets and supports a family of security products used to protect and manage access to computer-based information resources and is the de facto standard for secure user identification and authentication. The Company's family of products employ a patent-protected combination of super smart token technology and software for hardware access control products to authenticate the identity of users accessing networked or stand-alone computing resources. The Company's customers include Fortune 500 companies and financial institutions as well as academic institutions, research laboratories, hospitals and federal, state and foreign government organizations. RSA Data Security, Inc. RSA is a recognized world leader in cryptography, with millions of copies of RSA software encryption and authentication technologies installed and in use worldwide. RSA's encryption technology is embedded in Microsoft Windows, Netscape Navigator, Intuit's Quicken, Lotus Notes, and hundreds of other products. RSA technologies are part of existing and proposed standards for the Internet and World Wide Web, CCITT, ISO, ANSI, and IEEE as well as business, financial and electronic commerce networks around the world. RSA develops and markets platform-independent software developers' kits and end-user products and also provides comprehensive cryptographic consulting services. Founded in 1982 by the inventors of the RSA Public Key Cryptosystem, the company is headquartered in Redwood City, Calif. From ddt at lsd.com Tue Apr 16 08:53:20 1996 From: ddt at lsd.com (Dave Del Torto) Date: Tue, 16 Apr 1996 23:53:20 +0800 Subject: carrick, Blowfish & the NSA In-Reply-To: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu> Message-ID: <v03006308ad9938166745@[192.187.167.52]> At 11:01 am -0700 4/14/96, s1113645 at tesla.cc.uottawa.ca wrote: >Besides, doesn't PGPfone give you a choice of algorithms? (including IDEA?) >I haven't gotten it yet, no sound card. PGPfone currently offers Blowfish (fast, iffy) and TripleDES (slow, secure). From ddt at lsd.com Tue Apr 16 08:55:04 1996 From: ddt at lsd.com (Dave Del Torto) Date: Tue, 16 Apr 1996 23:55:04 +0800 Subject: [IRS] Elvis in Escrow Message-ID: <v03006307ad99344080b5@[192.187.167.52]> [from SF Examiner somewhere around 12-14 April 96] .............................................................................. "IRS Worker Took Peek at Celebrities' Records" [Associated Press] Memphis - A former IRS employee who said boredom had led him to peek at the tax records of President Clinton, Elvis Presley and other famous people has been acquitted of federal charges. Robert Patterson, 38, said it wasn't malicious - he was just trying to learn how to better use the Internal Revenue Service computers. "I was sitting there bored, so I started punching up names," said Patterson. .............................................................................. Hmmm. _We_ do it, it's "malicious cracking/hacking" and they toss us in the clink... _they_ do it, and it's "practice" (and they get acquitted). And _these_ are the people who want to escrow _my_ keys? As IF! Not only that, but also if the guy's so damn _bored_, why doesn't he spend some time FIXING the damn computer systems at IRS (see current cover of Information Week mag). Not that I particularly WANT them to fix the infernal revenue suckers... BTW, where do they _find_ these people? He's hacking around in Clinton's tax records and he _doesn't_ expect Secret Service agents crawling up his yin-yang within minutes? Obviously, "thinking too much" is _not_ this chap's problem. From s1113645 at tesla.cc.uottawa.ca Tue Apr 16 10:56:23 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Wed, 17 Apr 1996 01:56:23 +0800 Subject: None In-Reply-To: <199604160615.BAA16813@paulsdesk.phoenix.net> Message-ID: <Pine.3.89.9604160941.A24249-0100000@tesla.cc.uottawa.ca> On Tue, 16 Apr 1996, K00l Secrets wrote: > > If the Diffie-Hellmann patent covers all kind of public key crypto, > > you need a license from Cylink, i.e. BSAFE is not enough, and if it > > doesn't you can use El Gamal without a license. > > Are there any freely available implementations of El Gamal? Wei Dai's crypto++ has pretty much everything, in c++. <http://www.eskimo.com/~weidai> has the info and a pointer to the latest version (2.0) at an export-controlled-site. The old versions, (1.0 still has the algorithms RSADSI disputed) are available in <ftp://ftp.utopia.kacktic.nl/pub/replay/pub/crypto/LIBS> under the names crypto10.zip and crypto11.zip (I think). I didn't see 2.0 . I think Hal Finney's has some of it ported to Java. ( www.portal.com is inaccessible at the moment) From nobody at REPLAY.COM Tue Apr 16 11:20:47 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 17 Apr 1996 02:20:47 +0800 Subject: TIME Daily: Policing China's Firewall Message-ID: <199604161334.PAA25484@utopia.hacktic.nl> >From http://pathfinder.com/time/daily/ Policing China's Firewall BEIJING: The Chinese government is requiring all Internet users and companies marketing Internet services to register with the police. Mailed warnings from the Beijing Police Public Security Bureau announce all individuals using the Internet must register with a special police section of Computer Security Supervision, and include their email addresses, presumably for monitoring purposes. The rules, which are taking effect as these notices surface, require each Chinese registering to sign a pledge agreeing to abide by Chinese law and respect state security. Users are also required to pay a 400 yuan (about $50) registration fee, and pay 100 yuan a month for six hours nline time. The fee, close to a month's salary many urban Chinese, could stop many from logging on. The country's some 100,000 Internet users are already barred from newsgroups containing 'undesirable' material such as government human rights violations and pornography. "This is the latest move to try to control the Internet," says TIME's Beijing Bureau Chief, Jaime Florcruz. "It dawned on the Chinese government that new ideas from overseas were leaking into the psyche of the Chinese people. It's still unclear how they will block the flow of information, especially when the government has such need for it, itself. Its a losing battle, especially in the provinces. If the Party cadres there want Internet access, or satellite TV, Beijing will have a hard time curbing them." From brucem at wichita.fn.net Tue Apr 16 11:27:35 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Wed, 17 Apr 1996 02:27:35 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604151824.LAA07600@netcom6.netcom.com> Message-ID: <Pine.BSI.3.91.960416090319.2962C-100000@wichita.fn.net> On Mon, 15 Apr 1996, Vladimir Z. Nuri wrote: > I have been wondering about malicious hackers getting into these > pools. would it be possible for them to contribute false data > that screws up the end results? or are such anomalies easily > discarded or disregarded by the final processes? > future implementors of these programs might amuse themselves with > trying to create such safeguards or anticipate such "attacks" which > are pretty significant the more the processes become distributed. I guess I would have to ask you why you think hackers would be interested in these projects in the first place? Your typical hacker would care very little about such a project and in fact may be interested in seeing it succeed. However, I do feel that you may have a valid point when switching "hackers" to "opponents of the research." Anyone with an interest in preventing or slowing down the progress in such a project would be more dangerous in my mind than your average hacker. Preventing that from happening would be necessary if it is decided that such a threat truly exists. Bruce Marshall From declan+ at CMU.EDU Tue Apr 16 11:32:14 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 17 Apr 1996 02:32:14 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) In-Reply-To: <ad987d0e0002100459cc@[205.199.118.202]> Message-ID: <YlQug3C00YUu0Bzm98@andrew.cmu.edu> Excerpts from cypherpunks: 15-Apr-96 Re: CDA Court Challenge: Up.. by Timothy C. May at got.net > ???? > > Apparently "The Netly News" has given up on simple, straightforward > reporting in favor of "Pop Journalism." Cute headlines instead of > informative ones. > > (The reason I no longer try to wade through the cuteness of "Wired," > another example of postmodernism carried too far.) The headlines were mine, not The Netly News'. They do not appear on TNN's web site. -Declan, now guilty of "cute headlines" From watt at sware.com Tue Apr 16 11:35:44 1996 From: watt at sware.com (Charles Watt) Date: Wed, 17 Apr 1996 02:35:44 +0800 Subject: Bank transactions on Internet Message-ID: <9604161346.AA06924@mordred.sware.com> -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK aTxjgASxqHhzkx7PkOnL4JrN+Q== MIC-Info: RSA-MD5,RSA, ApDNkoCKfI0iz1XP4rYpl2XlbqF9/llmB3tLaunuqLWlnD5+VcGwYDNR/HJQa+AV 7s41qt0zFhiYbhidj7zh4e8= > From: Eric Young <eay at mincom.oz.au> > On Mon, 8 Apr 1996, JR Weaver wrote: > > with SFNB to purchase my own copy of 128-bit Netscape Navigator. You can make > > transactions over the net and SFNB does not limit you to 128-bit. Is it really > > that easy to break 40-bit? Don't you need access to a "fair amount of cpu > > power" to brute force crack 40bit? As far as I know client authentication is > Put put it in a word, 'yes'. > > > strictly username & password. What other authentication system exists?? > This would be a very good system to attack. > > ... (details on Eric's break-SSL saga) > > Please remember that I'm not talking about theory. Besides the person > working next to me, no-one at work knew I was participating in the brute > force beaking attempt. Well this is not totally true, the owner of the SGI > with 6 R4400 CPU's noticed that I was using a few of the CPU's but they > did not know what the programs were doing :-). > > I would say that RC4 40 should not be used if possible, especially to do > with anything to do with banking. > > eric (just putting in his own 2 certs worth). As Chief Scientist for SecureWare and one of the designers of SFNB's security architecture, I would like to make a couple of points regarding this thread: 1. SFNB customers are at absolutely NO RISK from Internet attacks 2. It's a whole lot harder to break into SFNB than just cracking a 40-bit RC4 key. 3. 40-bit SSL, when used within a properly designed security framework, is more than adequate for personal banking transactions. Along the way I'll outline my understanding of SFNB's plans for future security enhancements (as only an advisor to SFNB I cannot speak for them directly) with the hope of getting some useful feedback from the experts on this list. I'll apologize in advance for the length of this post, but while I enjoy this list for its occasional emphasis on crypto, sometimes the participents get a little too focused and forget that encryption does not equate to security. First, the U.S. banking system is very nice to account holders. The banks, rather than the customers, assume all risk associated with security problems in telephone banking, ATMs, etc... Internet banking is no different, which explains why so few banks have jumped onto the net with real transactions. If an SFNB customer should lose any funds due to a security problem, SFNB pays, not the customer. Second, in order to break the SSL-protected password of an SFNB account holder, you need access to the encrypted data. This is not easy to obtain over the Internet, and would generally require illegal activity in order to gain control of a host within the Internet infrastructure or collusion with the account holder. Should an attacker crack the key and obtain the account number and password of an SFNB account holder, they are clearly warned upon login that they are engaging in illegal activity. Once they have logged in, there is no way to transfer money out of the account without leaving a target address and phone number for the recipient. Furthermore, any payment to an individual or unknown entity would be made in the form of a physical check that would have to be cashed at a physical bank. The whole process is heavily audited with real-time audit filtering and pattern matching capabilities -- SFNB is, afterall, running on a military grade secure operating system (see SWP at www.secureware.com). Any security system that is deployed should be compared against the value you are trying to protect. It seems like a pretty big risk to an attacker -- and I assure you SFNB will prosecute. Finally, I whole-heartedly agree that 40-bit encryption is far too weak for many applications, and that the current export limitations are absurd. I have my own copy of the Xilinx development tool set at home and am quite capable of using it to design a 40-bit key cracking engine. I assume that others on this list might be able to as well. However, it is important to note that strong encryption does NOT equate to strong security. Encryption is merely one of many tools that are available in building secure systems. For example, a Web-based application running over 128-bit SSL would still be vulnerable to: - attacks against the server host - server spoof attacks - client side attacks, e.g. a Trojan Horse In my estimation, all of these are more likely (and more dangerous if successful) than an attacker cracking the 40-bit key used for a bank transaction. Any security sensitive application, such as Internet banking, that does not protect against all of these attacks is asking for trouble in the long run. Note that in the long run the Trojan Horse problem is the most severe for a banking application, for the bank cannot control end user PCs. And no matter how good the tools they are provided for their protection (see Troy at www.secureware.com), ultimately the bank cannot protect users from their own foolish actions. Also, despite the noise currently being made in Washington about relaxing export regulations, the current limitations are reality. Thus, it has been SFNB's goal from the start to design a personal banking solution that protects against all of these attacks and is secure running over 40-bits. At this time, as SFNB does not have this solution fully deployed, SNFB offers the 128-bit version of the Netscape browswer FREE to any SFNB customer that wants it. Just call their customer support line. The trick to secure personal banking at 40-bits is to remember that encryption can be used for many functions. For personal checking, it is the authenticity and integrity of a transaction that must be strongly protected, not the confidentiality. For the latter, 40-bits is sufficient, i.e., while confidentiality of account holder transactions is certainly important, the value of discovering this information does not justify the cost of an attack against the encryption. Thus, if the 40-bit encrypted traffic between the browser and server does not contain any repeatable authentication information, 40-bits is sufficient. For commercial accounts this is not the case and SFNB does is planning to use security beyond SSL. In the long term SFNB plans to disassociate the authentication of a transaction from its encryption through the use of SmartCard-based client-side private keys and bank-issued certificates. This has the advantage of permitting signatures to obtain non-repudiable transactions, making the bank "electronic commerce enabled". However, this feature has not been available in commercial browsers within the originally estimated time frame. We considered running the browsers transparently over SecureWare's Hannah product (www.secureware.com) to get client-side keying and a stronger protocol than SSL, but SFNB decided it was a better business decision to wait for client-side support in the browsers -- i.e, the cost to SFNB of distributing and supporting special client-side software >> cost of projected loss due to successful attacks on the bank during the estimated interval before browser support becomes available. It is, after all, SFNB's decision to make. They, not the customer, will pay any costs associated with a successful attack, whether financial or PR. But as the availability of client-side certificates has been pushed out, we have prepared two interim solutions, both of which solve the list of problems above. SFNB is currently debating whether to deploy one (or both): 1. Distribute a browser plug-in or locally resident Java applet to calculate an MD5/SHA hash computed over: - the user's password - a secret key created and distributed by SFNB that is unique to the account holder - a login challenge (random number) issued by the server This hash, rather than the password, would be sent over the SSL protected connection to authenticate the user. 2. Distribute SecureID or some other token-based authentication device to account holders. (Remember when banks used to give away toasters?). With either approach server-spoof attacks are prevented, for the server cannot access the local key material or token. Attacks against 40-bit keys are effectively negated, for any such attack would have to be mounted: - in real-time before the account holder logs out of the bank and invalidates the session key. SFNB imposes an inactivity log out. - from a gateway through which the account holder's SSL session is routed in order to grab control of the account holder's session due to the complex cookie mechanism being used. Note that even our final solution using hardware-based crypto is not perfect. But then there is no such thing as perfect security. SFNB does have, even with its current implementation, a system that is more difficult to defeat than current financial instruments such as paper checks, credit cards, ATM cards, etc... Charles Watt SecureWare, Inc. -----END PRIVACY-ENHANCED MESSAGE----- From perry at piermont.com Tue Apr 16 12:07:09 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 03:07:09 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <ad987fec02021004063f@[205.199.118.202]> Message-ID: <199604161407.KAA15253@jekyll.piermont.com> Timothy C. May writes: > Well, I don't view any of the "simple definitions" of randomness as > especially useful; that is, the simple definitions have a kind of > circularity (implicit in the points we both make). For example, "an object > is "random" if it has no shorter description than itself," the classic > Solomonoff-Kolmogorov-Chaitin definition, is quite elegant, but doesn't > help much in many cases. Except that it goes against our normal definitions of random in a crypto context. A string that is compressable might still be random. There is no reason you can't have a string of 20 1 bits in a row in a perfectly random sequence, for example. Usually, random sequences are non-compressable, but it is possible (though very improbable) for Hamlet to appear out of a random number generator, and it is of course quite compressable... Perry From jya at pipeline.com Tue Apr 16 12:19:56 1996 From: jya at pipeline.com (John Young) Date: Wed, 17 Apr 1996 03:19:56 +0800 Subject: IRO_nic Message-ID: <199604161513.LAA27379@pipe1.nyc.pipeline.com> 4-16-96. Jour: "Bidzos Holds Key to Guarding Internet Secrets." Mr. Bidzos has made shrewd deals to build a powerful franchise, but he has also angered the government's security apparatus and some of his own customers and partners. Mr. Bidzos has fended off the government with a mix of stratagems and chutzpah. Lynn McNulty, an ex- Commerce official, said Mr. Bidzos always found "the open door that we hadn't thought about locking." Adds NSAper Stew Baker, "Jim has made a career out of bashing the NSA." 4-16-96. Fint: "A hacker's paradise. One computer on the Internet is broken into every 20 seconds." Despite a proliferation of computer security products ranging from "secure" server and browser software to firewalls, encryption and authentication schemes, computer break-ins are on the rise. Security experts say US Internet sites are under frequent attack by hackers from eastern Europe. But there are also now more than 20,000 aggressive, deliberately destructive hackers in the US and the number is said to be growing at a minimum of 5 per cent per month. Ironically, as the number of sophisticated hackers rises, there is a dire shortage of computer security professionals. IRO_nic From jimbell at pacifier.com Tue Apr 16 13:15:26 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 17 Apr 1996 04:15:26 +0800 Subject: [IRS] Elvis in Escrow Message-ID: <m0u9Cvl-00090DC@pacifier.com> At 04:40 AM 4/16/96 -0700, Dave Del Torto wrote: >[from SF Examiner somewhere around 12-14 April 96] >.............................................................................. >"IRS Worker Took Peek at Celebrities' Records" >[Associated Press] > Memphis - A former IRS employee who said boredom had led him to peek at >the tax records of President Clinton, Elvis Presley and other famous people >has been acquitted of federal charges. > Robert Patterson, 38, said it wasn't malicious - he was just trying to >learn how to better use the Internal Revenue Service computers. > "I was sitting there bored, so I started punching up names," said Patterson. >.............................................................................. >Hmmm. _We_ do it, it's "malicious cracking/hacking" and they toss us in the >clink... _they_ do it, and it's "practice" (and they get acquitted). And >_these_ are the people who want to escrow _my_ keys? As IF! I have a solution to this problem. Jim Bell jimbell at pacifier.com From tcmay at got.net Tue Apr 16 14:12:13 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 17 Apr 1996 05:12:13 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <ad99193c040210040b50@[205.199.118.202]> At 2:07 PM 4/16/96, Perry E. Metzger wrote: >Timothy C. May writes: >> Well, I don't view any of the "simple definitions" of randomness as >> especially useful; that is, the simple definitions have a kind of >> circularity (implicit in the points we both make). For example, "an object >> is "random" if it has no shorter description than itself," the classic >> Solomonoff-Kolmogorov-Chaitin definition, is quite elegant, but doesn't >> help much in many cases. > >Except that it goes against our normal definitions of random in a >crypto context. A string that is compressable might still be >random. There is no reason you can't have a string of 20 1 bits in >a row in a perfectly random sequence, for example. Usually, random >sequences are non-compressable, but it is possible (though very >improbable) for Hamlet to appear out of a random number generator, >and it is of course quite compressable... Sure, compressibility is not a determinant of randomness....nothing is, actually. This is my point about there being no simple definition of randomness. However, "most" objects derived from a "random-like process" have no shorter description than themselves, by a variant of the pigeonhole principle (i.e., there are more things of some size than descriptions of less than that size, so most "random" objects, are, perforce, not describable in short descriptions). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vin at shore.net Tue Apr 16 14:19:51 1996 From: vin at shore.net (Vin McLellan) Date: Wed, 17 Apr 1996 05:19:51 +0800 Subject: RSA & SDI Message-ID: <v02130501ad98fd7a87b0@[198.115.179.225]> Steve Reid <steve at edmweb.com> exclaimed: >> It's true: >> FOR IMMEDIATE RELEASE >> Security Dynamics to Acquire RSA in Transaction Valued at >> Approximately $200 Million > >Okay, so what do we know about Security Dynamics? What are they expected >to do about licensing etc? I know a lot about SDI's technology and history. (Under contract to SDI, I just finished writing a draft FAQ on their ACE/SecurID user authenication system. It's unofficial and in-process, but I'm willing to e-mail the SecurID FAQ to anyone willing to read it and give me comments, criticism, and suggestions on how to improve it. Fair warning: it is 20,000+ words and written to educate a lay audience.) I haven't heard anything yet about SDI's position on RSA licences; but I doubt if there will be any surprises in that area soon. Among people associated with either company, it has been common knowledge that SDI and RSA folk have been very close for years, on both personal and professional levels. RSA's technical expertise has been apparent in SDI's user authentication system at several levels (albiet undocumented) and SDI's marketing expertise has doubtless informed RSA's policies in recent years. SDI, with over 150 salesmen on the street, fields the largest and most successful sales force selling Computer Security. SDI's SecurIDs tokens dominate the large-site (<1,500 tokens) corporate market for user authentication tokens with an estimated 70-80 percent of the market -- largely on the basis of the relative ease-of-use of the SecurID over its challenge/response competitors; SDI's early committment to client/server environments; and SDI's corporate promise to evolve to meet the changing CompSec threat. A SecurID generates the token's 4-8 digit token-code from an SDI-proprietary hash that puts Current Time and a token-specific key through a one-way function to create a PRN that changes every 30 or 60 seconds. All SecurID authentication calls also require two-factor validation; both the token-code and a user-memorized PIN must be submitted to the ACE/Sever for validation. There has never been any doubt -- given the evolving risks and the needs of on-line business community -- that SDI would eventually sell both authentication and encryption services. (It has also been obvious for years that SDI had, in its SecurID token-code, a neat symmetrical encryption key-generator already in widespread use in many networked environments. SDI had a mocked-up system that effectively used a SecurID token to generate DES keys seven or eight years ago, as I recall -- but apparently SDI never felt the market opportunities were sufficient to lure them into the political malestrom around crypto... until now.) I have no secrets to share, but it would surprise me if many SDI customers don't read a major opportunity for themselves in SDI's purchase of RSA. Last fall, SDI upgraded its ACE/Server to a new version (2.X) which manages user records on a fully-integrated Progress relational database. This integration of a SQL and 4GL-accessible RDBS brought a whole new level of functionality, complexity, and opportunity into ACE system administration -- but it also offers the security, scalability, and RDBS-to-RDBS communication options necessary to manage enterprise-wide IS security systems. Managing a large key-management system through a flat text database would be a nightmare. With the flexibility of an indexed RDBS, it becomes feasible to look to SDI's ACE/Server as a vehicle to hold and manage crypto keys, either PKC pairs or symmetrical keys, for an enterprise-wide system with multiple and distributed sysadmin sites. Some ACE/Server systems now support over 20,000 SecurID users, and the ESQL comm options will finally open the door to integrated multiple-server environments. >The question of the day is... HOW WILL THIS AFFECT CRYPTO? I have no answer on that one, but the marrage of RSA's technology and SDI's marketing muscle -- given RSA's credibility and SDI's installed base in commercial MIS sites -- unveils a world of interesting opportunities. One interesting thought: since SDI has a shoe-leather sales force on the street in 20-odd nations, SDI (with RSA) might be able to leverage an integrated crypto/authentication technology and sell in markets where RSA's algorithms doesn't even enjoy patent protection. In the best of commercial traditions, SDI would be selling a solution rather than a technology. Suerte, _Vin Vin McLellan +The Privacy Guild+ <vin at shore.net> 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From tedwards at Glue.umd.edu Tue Apr 16 14:28:30 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Wed, 17 Apr 1996 05:28:30 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604121257.IAA24747@jekyll.piermont.com> Message-ID: <Pine.SUN.3.91.960416114925.6156C-100000@kolo.isr.umd.edu> [only relevant in terms of ecash lending and counterfeiting effect on the money supply] On Fri, 12 Apr 1996, Perry E. Metzger wrote: > You are correct that the fed creates and destroys money. You are not > correct that ordinary banks do, or in your assertion that the fed > substantially controls the expansion of the money supply through the > discount rate. We may be talking about different definitions of "making money." I'll quote from "Secrets of the Temple" by Wiliam Greider... "New money was created not only by the Federal Reserve but also by private commercial banks. They did it by new lending, by expanding the outstanding loans on their books. Routinely, a bank borrowed money from one group, the depositors, and lent it to someone else, the borrowers, a straightforward function as intermediary. But, if that was all that occurred, then credit would be frozen in size, unable to expand with new economic growth. On the margins, therefore, bankers expanded their lending on their own and the overall pool of credit grew - and the bank turned credit into money." If the Fed was the only organization that create or destroyed money (through sales and purchases of federal securities), then the money supply could be finely controlled. The reality is that the money supply can only be slightly controled by the Fed. The challenge of the Fed, though, is that banks create money with credit. If the Fed makes $1 billion through the purchase of securities, that $1 billion injection will be multiplied by bank lending and credit up to $5 billion of new deposits, which would now be counted in the M1 money supply. The banks would loan out $840 million of new loans (keeping 16% for reserves), creating $840 in new deposits. Those new deposits would enable banks to loan out $706 million, and so on, and so on, until around $5 billion would be created. -Thomas From m5 at vail.tivoli.com Tue Apr 16 14:29:18 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 17 Apr 1996 05:29:18 +0800 Subject: 20,000 hackers! In-Reply-To: <199604161513.LAA27379@pipe1.nyc.pipeline.com> Message-ID: <3173CBE0.2820@vail.tivoli.com> John Young wrote: > Security experts say US Internet sites are under frequent attack by > hackers from eastern Europe. But there are also now more than > 20,000 How do they count them? Do they just add up the subscription list to "2600" and attendees at CFP & HoHoCon? > aggressive, deliberately destructive hackers in the US and the number > is said to be growing at a minimum of 5 per cent per month. Ironically, > as the number of sophisticated hackers rises, there is a dire shortage > of computer security professionals. Is a destructive aggressive hacker who makes money at it a "computer security professional"? :-) ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 16 14:40:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 17 Apr 1996 05:40:19 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research Message-ID: <01I3LZNNU4DC8Y52YJ@mbcl.rutgers.edu> From: Bruce Marshall <brucem at wichita.fn.net> > However, I do feel that you may have a valid point when switching >"hackers" to "opponents of the research." Anyone with an interest in >preventing or slowing down the progress in such a project would be more >dangerous in my mind than your average hacker. > Preventing that from happening would be necessary if it is decided >that such a threat truly exists. Actually, people would also have a motivation to turn in false results if they were being paid (perhaps in ecash) for their computer time. If they could take less time and turn in a supposedly correct job, they would be able to be paid the same amount for less work. Fortunately, it does appear possible to filter out bad ones. In creating such a paid system, keeping this possibility in mind would be needed. -Allen From jimbell at pacifier.com Tue Apr 16 14:49:01 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 17 Apr 1996 05:49:01 +0800 Subject: math patents Message-ID: <m0u9Duq-0008zqC@pacifier.com> At 11:21 PM 4/15/96 -0700, Robin Felix wrote: >At 04/14/96 1457, jim bell may have written: >>At 09:08 AM 4/14/96 -0800, Lee Tien wrote: >>>My recollection from law >>>school is that the law was friendly to math patents in the period before >>>the Supreme Court weighed in. There were some PTO denials, which courts >>>reversed (I think the Court of Claims heard these back then). So I think >>>the trend was toward patenting processes even if mathematical until >>>Gottschalk v. Benson > >>I seem to recall reading that one of the breakthrough "algorithm" patents >>was from the 1970's, in which a rubber-curing/molding process's cure time >>was determined by a mathematical formula based on heat, pressure, mold >>shape, and a number of other variables. > >You're referring to Diamond v. Diehr, 450 U.S. 175, 195 (1981). I have a >half-finished article I wrote in 1994 on software algorithm patents, about >32K, available at <http://www.delfinsd.delfin.com/felix/Algorithm_Patents.htm. It's the good >part, the background material minus footnotes. Although it's a bit dated, >the description of foundational cases is still accurate. Thanks for the reference, and yes, the article was very interesting. As usual, it sounds like the legal system has gotten the whole thing screwed up. I am still mystified, however! If I understand the thrust of the legal cases you cited, purely mathematical algorithms are still not patentable, yet the patents on public-key cryptography are about the most purely mathematical ones that could be imagined. They are not an element in the process, they ARE the process. To recap, I've asserted (with no definitive proof, obviously) that when public-key cryptography was invented, in about 1976, the US government decided that it wanted to restrict it as much as possible from ordinary US citizens. Due to the 1st amendment, legal restrictions on speech would not fly, and copyright was out because that would only have protected one particular program, if even that much. The final alternative, patent protection, was essentially unavailable (or thought to be so) because of the traditional non-patentability of software and mathematics. Patents would not have prevented the Russians from using RSA, nor any other foreigners, so as far as I can see the only group of people impaired by the RSA patent were American citizens as a group. To me, there are at least two mysteries that need to be solved here. The first is why the cryptography patents were issued in the first place. The second, and perhaps even more incriminating, has to do with why the patents were applied for. Because the patent application has to be filed within a year of disclosure, the RSA patent would have to have been filed at latest by April of 1977. Yet, that predates some of the earliest cases in your article by a year or more. I've never heard a cogent explanation as to how R, S, and A decided that a "doomed" patent application was worthwhile, unless they had some insider information that the Gottschalk v. Benson case would be essentially ignored and the patent granted anyway. This isn't unrealistic paranoia or conspiracy theory, either. It is reasonable to assume that since the government would be the first, largest beneficiary of keeping RSA out of the hands of the public, and since the government made up and controlled the patent office and the court system as well, it could easily have made a decision that RSA was going to be patented, and Messr's Rivest, Shamir, and Adleman told of their luck in plenty of time to apply for a patent. The other cases from 1978 on might simply have been window-dressing, to make it look like the courts had had a change of heart unrelated to the subject of public-key cryptography. My question is this: "Is there anything you're aware of that contradicts this impression?" Or, is there a way to confirm this? From Clay.Olbon at dynetics.com Tue Apr 16 15:30:11 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Wed, 17 Apr 1996 06:30:11 +0800 Subject: [NOISE] Consolidation of threads ... Message-ID: <v01540b09ad9981f27fbb@[193.239.225.200]> At 9:58 PM 4/15/95, eriksmit wrote: >Clay Olbon II wrote: >> >> OK, I have a proposal that consolidates two threads that have been >> discussed recently. How about proposing legislation that mandates that a >> byte is now 9 bits instead of 8. This would allow the ninth bit to be the >> decent/indecent bit, thereby solving all of our problems. >> >> Clay >> >> --------------------------------------------------------------------------- >> Clay Olbon II | Clay.Olbon at dynetics.com >> Systems Engineer | ph: (810) 589-9930 fax 9934 >> Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html >> 550 Stephenson Hwy | PGP262 public key: on web page >> Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0 >> TANSTAAFL >> --------------------------------------------------------------------------- > >Get me off from the list OK, this is either a comment on my admittedly weak attempt at humor, or the unsubscrives have gotten more creative <g> Go Wings! Clay From lzirko at isdn.net Tue Apr 16 15:32:43 1996 From: lzirko at isdn.net (Lou Zirko) Date: Wed, 17 Apr 1996 06:32:43 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) Message-ID: <199604161746.MAA00539@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Hope the Kinks don't see this. (Ducks on the Wall). >Excerpts from cypherpunks: 15-Apr-96 Re: CDA Court Challenge: Up.. > by >Timothy C. May at got.net >> ???? >> >> Apparently "The Netly News" has given up on simple, straightforward >> reporting in favor of "Pop Journalism." Cute headlines instead of >> informative ones. >> >> (The reason I no longer try to wade through the cuteness of > "Wired," >> another example of postmodernism carried too far.) > >The headlines were mine, not The Netly News'. They do not appear on >TNN's web site. > >-Declan, now guilty of "cute headlines" > > -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMXPc0BKvccEAmlQ9AQFHigf/Qy1h07dX6GQF6Bqoqz7y9SG8IrIQYaDE M88a+4r/k90caBDE42T0l7aiZpjuehLIq/ouvrFtW3ZTM5Z1aEM6GdhF30f794qK el0dZWBztePlNhINDBauXUQQlDa+o4QSEhJHBOfBoN1k1sOpjlumimeNjZpgaTYv ZU1ufXlb6DcfaAePsJUWezLzcZx7Y9RCZAcCKV941/UOsNqPcogCimlieVwu0EEf ZJNRFGXb1ZfHvgyAzsEoP2QfajXudboGyeLY66fRS1uFwdzKQ2WbUI+dRzWRPchA Rm54MsDVusEemw9auho83olNlJ189n1Oi8cvhKOa6LIr0Sc6sGBHrg== =wEGj -----END PGP SIGNATURE----- From hoz at univel.telescan.com Tue Apr 16 15:54:48 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Wed, 17 Apr 1996 06:54:48 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604161843.LAA19508@toad.com> At 10:07 AM 4/16/96 -0400, Perry E. Metzger wrote: >...Usually, random >sequences are non-compressable, but it is possible (though very >improbable) for Hamlet to appear out of a random number generator, >and it is of course quite compressable... But even if it came from a completely random source, it would still make a bad one-time pad. When people say "compressable" or "algorithmic complexity" or "random", a context is always implied. In the context of "fair coin flips" the text of Hamlet is NOT compressible. Because no string is more likely than any other. Any algorithm that could compress that string, will, on the average INCREASE the length of "fair coin flip" strings it tries to compress. Under the context of "pads that might be used for cryptographic purposes" the text of Hamlet is quite compressible. An attacker is much more likely to test for such a stream than one that appears more random. So, even if you got "Hamlet" from a perfectly random source, you should reject it for crypto purposes. There is an exception to this rule. If you are so revered as a cryptographer that no analyst would believe that you would deliberately choose a non-random pad, then it would be safe to use Hamlet if it appeared in a random source. It is amazing that one's reputation can affect the randomness of the bitstrings one uses. PS: I have written a compressor that can compress ANY string to the single byte "X". There are 2**n different decompressor programs, where n is the bit size of the original file. All you have to do is specify the number of the correct decompressor program, and you have the original file. Note that no computer is required for either the compressor or the decompressor. (patent pending) From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 16 16:13:43 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 17 Apr 1996 07:13:43 +0800 Subject: A possible problem with more regulation possible? Message-ID: <01I3M1YLW11S8Y52YJ@mbcl.rutgers.edu> This proposal would appear to increase vulnerability to regulation. -Allen From: IN%"educom at elanor.oit.unc.edu" 7-APR-1996 18:42:00.83 >MORE ROUTERS = MORE INTERNET BROWNOUTS >As businesses and Internet operators keep adding routers to speed electronic >content on its way, the proliferation of routing devices actually begins to >slow traffic, causing Internet "brownouts" -- when the response time slows >to a crawl. The solution could be an updated Internet, redesigned for >fewer, more powerful routers, so that data packets need fewer hops. "The >U.S. Internet is about as reliable these days as the phone system in >Russia," says NetStar's VP for sales and marketing. (Business Week 8 Apr 96 >p82) From Adam_Pingitore at alli.wnyric.org Tue Apr 16 16:19:30 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Wed, 17 Apr 1996 07:19:30 +0800 Subject: List of reliable remailers Message-ID: <9603168296.AA829685917@ccmail.wnyric.org> GET ME OFF THIS DAMN LIST From llurch at networking.stanford.edu Tue Apr 16 16:38:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 17 Apr 1996 07:38:33 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) In-Reply-To: <ad987d0e0002100459cc@[205.199.118.202]> Message-ID: <Pine.ULT.3.92.960416110237.22275A-100000@Networking.Stanford.EDU> On Mon, 15 Apr 1996, Timothy C. May wrote: > At 12:51 AM 4/16/96, Declan B. McCullagh wrote: > > >In this update: Ducks on the Net! > > More on BYU's Dan Olsen's censorhappy boondoggle > > Grey Flannel Suit wears Blue Pinstripe, surfs for porn > > > ???? > > Apparently "The Netly News" has given up on simple, straightforward > reporting in favor of "Pop Journalism." Cute headlines instead of > informative ones. You say that as if it's something new. -rich From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 16 17:02:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 17 Apr 1996 08:02:15 +0800 Subject: Email address for Comments on Internet Phone Petition Message-ID: <01I3M2BGU3QC8Y52YJ@mbcl.rutgers.edu> I haven't seen it here before, so I'll inform you that the address for comments on the ACTA petition is rm8775 at fcc.gov. All such comments should reference RM No. 8775 in the subject. (I'm not sure why, since it's in the address, but this is the government...) -Allen From markm at voicenet.com Tue Apr 16 17:26:39 1996 From: markm at voicenet.com (Mark M.) Date: Wed, 17 Apr 1996 08:26:39 +0800 Subject: El Gamal In-Reply-To: <2.2.32.19960416070406.00a8a95c@mail.teleport.com> Message-ID: <Pine.LNX.3.92.960416143624.178B-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Tue, 16 Apr 1996, Alan Olsen wrote: > At 01:15 AM 4/16/96 -0500, K00l Secrets wrote: > >> If the Diffie-Hellmann patent covers all kind of public key crypto, > >> you need a license from Cylink, i.e. BSAFE is not enough, and if it > >> doesn't you can use El Gamal without a license. > > > >Are there any freely available implementations of El Gamal? > > From what I remember, RSA had made various legal threats to anyone using El > Gamal. (They claimed it was covered under their patents.) Since the > Cylink/PKP blowup, I am not certain of the status of this algorithm. > > Does anyone have more information on the current status of El Gamal? Last I heard, El Gamal was not considered to be covered under the D-H patent. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMXPpKbZc+sv5siulAQGi0AP/fOfXEu80ifJqVaa5IQZYrZ1MATJjfXCL QEJC4BC/6KbPxrXubLO8a/l5GtbgAZ7N3CLo5ANkKL/BHNG0yrEaaPmbtWD0cx9G o6BU2Kd+PAC6zSf5hMJjri6x7zKBPATO+Sxb67NT75sB5LwJJD0FOyTGGcCzrIYi XApaDOTaeNA= =FqbA -----END PGP SIGNATURE----- From sjb at universe.digex.net Tue Apr 16 19:22:24 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 17 Apr 1996 10:22:24 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <Pine.BSF.3.91.960413133800.18548A-100000@kirk.edmweb.com> Message-ID: <199604162053.QAA10650@universe.digex.net> Steve Reid writes: >Really, the apropriate place for content filtering is at the application >layer. It *could* be done at the transport layer, but that's really not >the place for it. Izzat so? So explain to me what the difference between the PICS type ratings and security classifications is. If something is labelled "Top Secret" with some compartments, it means "do not deliver this to a principal which hasn't been authorized to receive it". If something is labelled "Not suitable for minors", it means "do not deliver this to a minor". "Age of majority" is really no different than a security clearance to receive certain information in the CDA context. Clearly the IETF believed that the network layer was an appropriate place for general classification when they developed IPv4. I haven't verified it, but I suspect that IPv6 has (or will have) an appropriate mechanism for indicating security classification. The identical mechanism may be used for packet labelling, with the broad classification indicating the distinctions between "G", "PG", "PG-13", "R", and "NC-17", and the compartments available for such things as "violence", "nudity", "adult language", "sexual content", "advertising", and so forth. >Analogy: It would be like putting a license plate on the engine of a car. >It *could* be done that way, if you redesign the car so that the engine >protrudes out from the back with a place for the license plate (let the >technical people handle the technical details of that). But the best place >for a license plate is on the outside body of the car, and the best place >for content filtering is at the application layer. Of course, putting it at the application layer is like requiring that every driver create his own license plate and hold it out the window while driving. From perry at piermont.com Tue Apr 16 19:39:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 10:39:24 +0800 Subject: Money supply is fake anyway In-Reply-To: <Pine.SUN.3.91.960416114925.6156C-100000@kolo.isr.umd.edu> Message-ID: <199604162053.QAA15518@jekyll.piermont.com> Thomas Grant Edwards writes: > If the Fed was the only organization that create or destroyed money > (through sales and purchases of federal securities), then the money supply > could be finely controlled. The reality is that the money supply can only > be slightly controled by the Fed. You are confusing "Money Supply" with "Money". "Money Supply" is a technical term and it doesn't even have a single definition -- there are M1, M2, M3... If you meant the activities of banks lead to expansion of the amount of demand deposits in the world, yes, you are correct. However, at no time do commercial banks loan out money that they do not have on hand. If they give you a loan for $100, they have $100 available and they can expect that if you don't deposit the $100 with them, that they will have the $100 to give to the bank that you deposit the check in. Now, because of fractional reserve banking, a bank will only have a fairly small percentage of deposits in cash, but that is different from a bank loaning out money that it doesn't have or creating money. Only the fed gets to create money. Perry From perry at piermont.com Tue Apr 16 19:42:22 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 10:42:22 +0800 Subject: List of reliable remailers In-Reply-To: <9603168296.AA829685917@ccmail.wnyric.org> Message-ID: <199604162100.RAA15552@jekyll.piermont.com> Adam Pingitore writes: > GET ME OFF THIS DAMN LIST No. I categorically refuse to take you off this mailing list. I will not lift a finger. Perry From Adam_Pingitore at alli.wnyric.org Tue Apr 16 20:15:41 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Wed, 17 Apr 1996 11:15:41 +0800 Subject: on corporations and subpoenas Message-ID: <9603168296.AA829685776@ccmail.wnyric.org> GET ME OFF THE DAMN LIST From Adam_Pingitore at alli.wnyric.org Tue Apr 16 20:36:16 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Wed, 17 Apr 1996 11:36:16 +0800 Subject: GPS privacy/ECM Message-ID: <9603168296.AA829685760@ccmail.wnyric.org> STOP SENDING ME THIS SHIT From perry at piermont.com Tue Apr 16 22:24:14 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 13:24:14 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604161843.LAA19508@toad.com> Message-ID: <199604162134.RAA15579@jekyll.piermont.com> rick hoselton writes: > At 10:07 AM 4/16/96 -0400, Perry E. Metzger wrote: > > >...Usually, random > >sequences are non-compressable, but it is possible (though very > >improbable) for Hamlet to appear out of a random number generator, > >and it is of course quite compressable... > > But even if it came from a completely random source, it would > still make a bad one-time pad. No it wouldn't. There is a tiny but nonzero probability that xoring your one time pad with your text will result in a cyphertext equal to, say, the Bible. Big deal. If the key is really random, the cryptanalyst has no way to tell what the underlying text was. > In the context of "fair coin flips" the text of Hamlet is NOT compressible. Huh? There is only one context in which things are compressable or not -- is there a smaller representation for them. > Because no string is more likely than any other. Any algorithm that could > compress that string, will, on the average INCREASE the length of > "fair coin flip" strings it tries to compress. True enough, but the claim was that a random string has no representation which is smaller than itself. .pm From nyap at mailhub.garban.com Tue Apr 16 22:44:14 1996 From: nyap at mailhub.garban.com (Noel Yap) Date: Wed, 17 Apr 1996 13:44:14 +0800 Subject: No Subject Message-ID: <9604162156.AA13666@mailhub.garban.com> From: Duncan Frissell <frissell at panix.com> > The denizens of the DDR had to overcome the Stasi, barbed wire, mines, > walls, tank traps, etc to adopt an open systems architecture. Learning to > use a few TCP/IP tricks (or building them into applications and using those > applications) is much easier than breaching the Berlin Wall. Knowledge about TCP/IP is alot easier to control than knowledge about the Berlin Wall (ie, how many Chinese will even know of the existence of TCP/IP -- in the US, where this is freely available, how many citizens know of it's existence)? From perry at piermont.com Tue Apr 16 22:50:28 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 13:50:28 +0800 Subject: on corporations and subpoenas In-Reply-To: <9603168296.AA829685776@ccmail.wnyric.org> Message-ID: <199604162215.SAA00208@jekyll.piermont.com> "Adam Pingitore" writes: > GET ME OFF THE DAMN LIST I will never take you off. You might as well give up asking me now. I have no intention of doing anything for you. You can rot so far as I'm concerned. Perry From frantz at netcom.com Tue Apr 16 23:18:50 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 17 Apr 1996 14:18:50 +0800 Subject: [IRS] Elvis in Escrow Message-ID: <199604162254.PAA01128@netcom9.netcom.com> At 4:40 AM 4/16/96 -0700, Dave Del Torto wrote: >[from SF Examiner somewhere around 12-14 April 96] > >.............................................................................. > >"IRS Worker Took Peek at Celebrities' Records" >[Associated Press] > Memphis - A former IRS employee who said boredom had led him to peek at >the tax records of President Clinton, Elvis Presley and other famous people >has been acquitted of federal charges. > > > >Hmmm. _We_ do it, it's "malicious cracking/hacking" and they toss us in the >clink... _they_ do it, and it's "practice" (and they get acquitted). And >_these_ are the people who want to escrow _my_ keys? As IF! I wonder, how much is NSA's secret key worth? You know, the one they use to grab the extra key bits that Lotus Notes sends them. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ssalgaller at CCGATE.HAC.COM Wed Apr 17 00:06:31 1996 From: ssalgaller at CCGATE.HAC.COM (ssalgaller at CCGATE.HAC.COM) Date: Wed, 17 Apr 1996 15:06:31 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? Message-ID: <9603168296.AA829695326@CCGATE.HAC.COM> Dear Concerned Citizens, Re: Subject, what is Dan Olsen going to be in charge of at CMU ? (ref: CDA debate; expert witness for the CDA) The title could refer to net censorship, or to bio-medical implantation of control computers inside human brains. So which is it ? Or is this not an exclusive or answer ? Stephen S. salgaller at ccgate.hac.com or try: salgaller at aol.com PS: If anyone can tell me the name of the 1965 movie starring Michael Renee that dealt with the above two issues, please tell me. If you were not aware, the movie dealt with a plan, initially, to link all humanity directly to each other. One could "download" data directly into your brain ! You could also have "mental telepathy" and communicate with others. Michael Renee's character escapes to the past to try to end research done by a scientist, that lead up to the inevitable a totalitarian world government takes control of everyone; even your thoughts are no longer private. You get the idea. This was also done as part of the movie "Terminator 2"; I wonder if the writer of the 1965 movie got any screen credit or royalties for T2 ??? I'm worrying too much, right ? It can't happen here ??? Tim Mc Veigh said he had a bio chip implant. Nah... From steve at edmweb.com Wed Apr 17 00:07:47 1996 From: steve at edmweb.com (Steve Reid) Date: Wed, 17 Apr 1996 15:07:47 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604162053.QAA10650@universe.digex.net> Message-ID: <Pine.BSF.3.91.960416155004.1639A-100000@kirk.edmweb.com> > >Really, the apropriate place for content filtering is at the application > >layer. It *could* be done at the transport layer, but that's really not > >the place for it. > Clearly the IETF believed that the network layer was an appropriate > place for general classification when they developed IPv4. I haven't > verified it, but I suspect that IPv6 has (or will have) an appropriate > mechanism for indicating security classification. The identical > mechanism may be used for packet labelling, with the broad Security classification and "decent/indecent" ratings are rather different, IMHO. With security, the author of the data has to decide the best rating for his/her own security. With decent/indecent filtering, the author has to decide what is best for _other_people_. I suppose it's not as bad as that with the third-party ratings in PICS, but there will still be inconsistancies. The main reason I think decent/indecent filtering should be done at the application level is, if they create a ratings system and later decide that they've screwed up and another system would be better (which is quite possible, if you understand the previous paragraph), all that's really required is re-writing the application software. OTOH, if they did it at the transport layer and later decided to switch to something else, they would have to change the protocol, which is very difficult. And, depending on the changes, they may have to re-write the apps again anyways. Also, at the application layer, ANYONE could create their own ratings system, and the market could decide which is best. (The downside of that is that there would be nonstandardized chaos for a while). Just My Humble Opinion. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From frantz at netcom.com Wed Apr 17 00:22:28 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 17 Apr 1996 15:22:28 +0800 Subject: PICS required by laws Message-ID: <199604162331.QAA05370@netcom9.netcom.com> At 6:02 PM 4/16/96 -0500, Scott Brickner wrote: >"E. ALLEN SMITH" writes: >>From: IN%"frantz at netcom.com" 6-APR-1996 16:21:56.32 >> >>>I am less worried about this possibility than most. PICS scrubbers will be >>>as easy to produce as any other web intermediary. (e.g. The one which >>>replaces "bad" words with "censored".) >> >> Quite... as will ones that flip-flop the various packet bits that >>people are discussing. > >This is a bit naive. The "packet bits" I've discussed are added by the >content provider (since he doesn't want to open himself to charges of >"contributing to the delinquency of a minor", which exist regardless of >the CDA) and packets with the "bits" are never delivered to the >minors. To think that someone along that path would subvert the system >is ridiculous. You are asuming that the (underage) user wouldn't route his packets thru an offshore packet bit scrubber that some freedom-loving student set up to do the bit scrubbing. It is not even clear that any of the parties is violating the law: The content provider is correctly labeling his packets. The transport agents are correctly passing them along. The bit scribber is running where such activities aren't illegal The further you move the control from the home/school into the internet the easier it is to subvert because there are more places to subvert it, more people motivated to subvert it, and less control of the environment. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From hoz at univel.telescan.com Wed Apr 17 00:27:09 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Wed, 17 Apr 1996 15:27:09 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604162331.QAA23163@toad.com> At 05:34 PM 4/16/96 -0400, Perry E. Metzger wrote: >> ...it is possible ... for Hamlet to appear out of a random number generator, >> But even if it came from a completely random source, it would >> still make a bad one-time pad. >No it wouldn't. Are you sure you want to claim that the text of Hamlet would make a good key for a one-time pad? >There is a tiny but nonzero probability that xoring >your one time pad with your text will result in a cyphertext equal to, >say, the Bible. Big deal. Most unusual, and you're right, its inconsequential. But if you use the text of Hamlet or the text of the Bible for your KEY to a one-time-pad, you're very likely to get broken. I think any pad that is likely to get broken is a bad pad. >If the key is really random, the >cryptanalyst has no way to tell what the underlying text was. But that silly cryptanalyst might not know that you got Hamlet from your random number generator. He might think you copied it out of a book! Then, Hamlet stops being a random number. The context changes. >> In the context of "fair coin flips" the text of Hamlet is NOT compressible. >There is only one context in which things are compressable or not -- >is there a smaller representation for them. Suppose that somewhere on the web is an archive of "The Encyclopedia"(tm). I could add a preprocessor to zip that would compare the input file to "The Encyclopedia". If it finds a match, it outputs a zero-byte. If it doesn't find a match, it outputs a one-byte followed by an ordinary zip file. The decompressor compares the compressed file to a single zero, and if it is equal, accesses "The Encyclopedia" and sends it to the output file. Otherwise it just unzips the rest of the file normally. I now have a one-byte representation for "The Encyclopedia". (by the way, this will work with 6 and 7 and 8 and 9 and 12-bit bytes!) That's not really fair. I took advantage of a particular situation. But that's what ALL compressors do. They take advantage of particular patterns. And patterns are determined by context. This is where it gets interesting. The "randomness" of "The Encyclopedia" depends on whether some archive is online! If someone deletes "The Encyclopedia" archive, or disconnects my communications, my special compressor stops working, and the smallest (reversable) representation jumps many orders of magnitude. When the context changes, the smallest representation changes. As you point out, when the Hamlet comes out of a good random number generator, it is just as random as any other number. But I contend that when Hamlet can XOR with your ciphertext to reveal your plaintext, then Hamlet is NOT a random number. When did it stop being random? When then context changed. > >> Because no string is more likely than any other. Any algorithm that could >> compress that string, will, on the average INCREASE the length of >> "fair coin flip" strings it tries to compress. > >True enough, but the claim was that a random string has no >representation which is smaller than itself. > >.pm > From anonymous-remailer at shell.portal.com Wed Apr 17 00:46:08 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 17 Apr 1996 15:46:08 +0800 Subject: [Noise] Amusing keyboard slip Message-ID: <199604162223.PAA00113@jobe.shell.portal.com> Discovered accidentally this morning: Type 'logout' on a QUERTY keyboard with the right hand too far right and get ';pgpit'. Words to live by... From llurch at networking.stanford.edu Wed Apr 17 01:20:08 1996 From: llurch at networking.stanford.edu (Richard Charles Graves) Date: Wed, 17 Apr 1996 16:20:08 +0800 Subject: [Non-Bell Yadda Yadda Yadda] Re: Money supply is fake anyway Message-ID: <199604170228.TAA26008@Networking.Stanford.EDU> Those interested in this topic will be pleased to know that a solution is in the works, in the form of Russell Gregory Thatcher's campaign for the US Presidency. http://www.alaska.net/~schoedel/thatcher/proposal.html -rich From dlv at bwalk.dm.com Wed Apr 17 01:31:53 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 17 Apr 1996 16:31:53 +0800 Subject: List of reliable remailers In-Reply-To: <199604162100.RAA15552@jekyll.piermont.com> Message-ID: <104JmD148w165w@bwalk.dm.com> "Perry E. Metzger" <perry at piermont.com> writes: > > Adam Pingitore writes: > > GET ME OFF THIS DAMN LIST > > No. I categorically refuse to take you off this mailing list. I will > not lift a finger. I won't do anything either, and urge others to just ignore these rude people. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From cmca at alpha.c2.org Wed Apr 17 01:50:11 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Wed, 17 Apr 1996 16:50:11 +0800 Subject: on corporations and subpoenas In-Reply-To: <199604162215.SAA00208@jekyll.piermont.com> Message-ID: <199604170234.TAA10971@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: perry at piermont.com] [cc: "Adam Pingitore" <Adam_Pingitore at alli.wnyric.org>,] cypherpunks at toad.com [Subject: Re: on corporations and subpoenas ] [In-reply-to: Your message of Tue, 16 Apr 96 18:15:06 D.] <199604162215.SAA00208 at jekyll.piermont.com> Perry intoned: >"Adam Pingitore" writes: >> GET ME OFF THE DAMN LIST >I will never take you off. You might as well give up asking me now. I >have no intention of doing anything for you. You can rot so far as I'm >concerned. 1. Is that rot with a key of 13? (ObCrypto) 2. More importantly, has anyone seen the "clueless" mailing list recently? This is the one where you forge subscriptions for other people, (who need to be qualified first, refer to the name of the mailing list) then send it obvious trolls and watch it go super-critical. Endless hours of fun. Chris McAuliffe <cmca at alpha.c2.org> (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMXRRDIHskC9sh/+lAQHR5wP9G/uAwitozfQ2Zlc4EXRfuAMxhF14ouyn 9S/nRYPiBiGOOUJRDWMGsMNUfLg+a3pqeg6m1poI2fGomIrJDvbw8cupJq75XVUo eosjY0vMZXSeX2Ck+3c+Use/hyDZQ2AdsMTns4KMsWF3kuHDKqrwAhMBdepkhbWh TYPqps8v8GU= =io4U -----END PGP SIGNATURE----- From perry at piermont.com Wed Apr 17 01:51:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 16:51:08 +0800 Subject: GPS privacy/ECM In-Reply-To: <9603168296.AA829685760@ccmail.wnyric.org> Message-ID: <199604162215.SAA00216@jekyll.piermont.com> "Adam Pingitore" writes: > STOP SENDING ME THIS SHIT Sorry. You will just have to suffer. You are the only one who can help yourself. Perry From mellman at niia.net Wed Apr 17 01:51:31 1996 From: mellman at niia.net (Mathew Ellman) Date: Wed, 17 Apr 1996 16:51:31 +0800 Subject: i want off Message-ID: <199604170041.TAA18169@silver.niia.net> can someone help me off this mailing list Mathew Ellman (DEAL WITH IT) 15 N WASHINGTON ST APT 1 VALPARAISO IN 46383 HAVE A VERY GREAT DAY FROM ME TO YOU. From eck at panix.com Wed Apr 17 01:55:02 1996 From: eck at panix.com (Mark Eckenwiler) Date: Wed, 17 Apr 1996 16:55:02 +0800 Subject: What can the judge do to me? (fwd) In-Reply-To: <199604122346.TAA17990@netcom13.netcom.com> Message-ID: <199604162044.QAA02937@panix.com> + From: Black Unicorn <unicorn at schloss.li> + + "Contempts such as failure to comply with document discovery, for + example, while occurring outside the court's presence, impede the + court's ability to adjudicate the proceedings before it and thus touch + upon the core justification for the contempt power.... Similarly, + indirect contempts involving discrete, readily ascertainable acts, + _such as turning over a key_ or payment of a judgment, properly may be + adjudicated through civil proceedings since the need for extensive, + impartial fact-finding is less pressing." International Union, supra + (emphasis added). ... + I think it's clear, the court literally spells this out, that holding + a witness indefinitely until he complies with court orders is within + the discretion of a judge. Compelling through sanctions the + production of a "key" (though I'm not sure a crypto key is directly + contemplated) is likewise clearly permitted. Producing a physical key may or may not be testimonial under the "production privilege" doctrine established by the Supreme Court in Fisher and the Doe cases. Producing a *crypto* key -- if it exists only in one's mind -- is indisputably full-fledged Fifth Amendment testimony. I refer you to the language in Doe II (joined by all 9 Justices) distinguishing between "the key to a safe and the combination to a safe" -- the latter enjoying full Fifth Amendment protection from forced disclosure. (The message to which I'm responding was forwarded to me, as I do not subscribe to c-punks. If you want me to see a reply, cc me.) From jlasser at rwd.goucher.edu Wed Apr 17 02:16:08 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Wed, 17 Apr 1996 17:16:08 +0800 Subject: [NOISE] Is this getting through? Message-ID: <Pine.SUN.3.91.960416184409.20974B-100000@rwd.goucher.edu> I seem to have stopped getting CP mail... is there a problem with the list, or is it just my machine? (Right now, it's 4/16 at 7:00pm; reply accordingly) Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From frantz at netcom.com Wed Apr 17 02:16:42 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 17 Apr 1996 17:16:42 +0800 Subject: PICS [LONG] Message-ID: <199604161912.MAA13991@netcom9.netcom.com> Since PICS seems to be getting favorable comment in the CDA lawsuit, and it has cypherpunks relevance, I thought I would post some its most relevant features. From http://www.w3.org/pub/WWW/PICS/iacwc.htm >Labels can include two optional security features. The first is a message >integrity check on the content of the resource that is labeled, in the form of >an MD5 message digest... The second is a digital signature on the contents of >the label itself... > >... PICS specifies three ways to distribute labels. The first is to embed >labels in HTML documents. This method will be helpful for those who wish to >label content they have created. > >The second method is for a client to ask an http server to send labels along >with the documents it requests. The server would most likely offer the >publishers' labels, but a server could also redistribute labels from third >parties that it cooperates with. [Client sends URL of label service to browser >which responds with that service's label. bf] > >The third way to distribute labels is through a label bureau that dispenses >only labels. A bureau could distribute labels created by one or more labeling >services. A client asks the bureau for certain services' labels of specific >resources. This is most likely to be used for third-party labels. > >... PICS-compatible software can implement selective blocking features in >various ways. ...[In] a browser ...On each computer, as part of the network >protocol stack. ... Somewhere in the network, for example at a proxy server >used in combination with a firewall. ... > >PICS specifies very little about how to run a labeling service, beyond the >format of the service description and the labels. Services can provide simple >permission/prohibition labels, or provide information about any dimensions >that they choose, from sex to coolness to literary quality. ... Third party >labelers are likely to use a wide range of other dimensions. ... An >interesting intermediate offering may be to label the resources that >subscribers ask about: while there are thousands of sites and millions of >resources available on the Internet, any particular set of users is likely to >ask for access to a much smaller set. This approach could be particularly >effective for a cooperative service formed by a number of like-minded parents >or teachers. > >While the primary goal of PICS is to facilitate the use of labels by selection >software, PICS-compatible labels can also be used in other ways. For example, >a labeling service might rate based on quality or classify resources by >subject, ... Browsers could incorporate the contents of labels into visual >displays that aid browsing, perhaps highlighting in green links to >particularly popular or high-quality items or striking a red line through >links to resources that are not recommended. It has even been suggested that >labels could convey copyright ownership, distribution rights, and requested >payments. Software could check for such labels and demand payment before >distributing the labeled items. >One particularly promising application is collaborative filtering, where >everyone can contribute ratings, and those ratings are used to guide others >toward interesting materials. Guidance can be personalized by matching >end-users with others who have similar tastes, as reflected in their ratings >of resources that both have examined. A browser add-in feature would enable >end-users to submit PICS rating labels to a labeling service. Obviously, to get the full benefit of the technology, we will need more sophisticated browser support than just "access denied". If you contract with an outside service, one question to ask is, "Are you logging my accesses?" ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ab756 at freenet.toronto.on.ca Wed Apr 17 02:25:17 1996 From: ab756 at freenet.toronto.on.ca (Graham Bullers) Date: Wed, 17 Apr 1996 17:25:17 +0800 Subject: MORE ON MONEY Message-ID: <m0u9JDK-0000hpC@queen.torfree.net> TURMEL: Mathematics of how Interest works GREENDOLLAR AND TIMEDOLLAR LETSYSTEM ENGINEERING The problem of debt is created within the banking system and therefore a thorough understanding of the banking system is helpful. The money system is the only mechanical system not under the jurisdiction of engineers. Control has been usurped by economists. All others systems improve, the only one controlled by economists is failing. It's time scientists regain control of this errant system from which come all the financial woes of the world. As an electrical engineer specialized in banking systems, I will endeavor to explain the inner workings of this mysterious system at every possible level and its effects on users and debt. Though this might sound daunting, I think I can present an easy way of handling subjects such as - plumbing analogy with pipes for flows of money - simple algebra - exponential functions - differential equations - Laplace transformations - control system circuitry FALLACIES The two Big Lies of Economics and Banking are that: 1) Banks lend their depositors' savings. 2) Interest rates fight inflation; Banks do not lend out their depositors' funds, they lend out brand new money. Interest does not fight inflation, it causes it. HOW BANKS CREATE MONEY The inner workings of the engineering design of the Canadian "fractional reserve" banking system are mysterious to many but no matter how complex the actual process of creating money is, it can accurately be simplified to "HAVING THE MONEY PLATES," whether they be plates for changing metal to coins, plates for changing paper to notes, or plates inside a bank's computer changing electrical blips to bank deposits on which checks may be written. Since changes in the money supply are regularly reported, money must enter the supply from a source and leave through sink. Our liquidity system has both a tap and a drain. Since the government borrows money itself, it does not have control of the tap. Who controls the tap and the drain of the money supply? The easiest way to model our system of financial liquidity is with plumbing. All banking systems have the same exterior connections to the economy. Draw two squares side by side each. Title the first a "Piggy Bank" and the second "Chartered Bank." For both, draw three arrows going in at the top labelled "Deposits," "Interest paid," "Loans paid." Draw three arrows coming out from the bottom labelled "Withdrawals," "Expenses," Loans made." In the Piggy Bank, draw a rectangle wide enough to accept all three input flows and all three output flows. Label it "Reservoir." PIGGY BANK Deposits Interest(paid) Loans Paid | | | | | | |------------|-------------|-------------|--------------| | | | | | | | | | | | |----|-------------|-------------|----| | | | | | | | | | | | RESERVOIR | | | | | | | | | | | |----|-------------|-------------|----| | | | | | | | | | | | |------------|-------------|-------------|--------------| | | | | | | Withdrawals Expenses Loans Made The interior plumbing of a piggy bank reservoir system shows that a deposit is first made into the reservoir and a loan is then taken out of the reservoir which causes no increase in money supply. Conversely, when a loan is paid, it goes into the reservoir and there is no decrease in the money supply. A reservoir piggy bank system does not affect the money supply because there is no tap and no drain. Though the Bank of Canada operates a tap and adds a small amount of "high-powered" money to the money supply, Graham Towers, a former Governor of the Bank of Canada, pointed out that "The banks do not lend out the money of their depositors. Each and every time a bank makes a loan, new bank credit is created, new deposits, brand new money." So a chartered bank has a tap and is not the pure reservoir system like a piggy bank model! In the Chartered Bank, draw a rectangle wide enough to accept only the first two input flows and first two output flows. Label it "Reservoir." Draw a circle above the "Loans Out" flow, put a positive sign within, and draw the line to the circle. Label it the "Tap." Draw a circle below the "Loans in" flow, put a negative sign within, and draw the line to the circle. Label it the Drain. FRACTIONAL RESERVE BANK Deposits Interest(in) Loan Payments | | | | | | |------------|-------------|--------------|-------------| | | | | | | | | |---|---| | | |----|-------------|----| | DRAIN | | | | | |-------| | | | | | | | RESERVOIR | | | | | | | | | |-------| | | |----|-------------|----| | TAP | | | | | |---|---| | | | | | | |------------|-------------|--------------|-------------| | | | | | | Withdrawals Bank Expenses Loans Out The interior plumbing of a chartered bank shows that the loans do not come out of the savings reservoir but come out of the tap of new money. When a chartered bank makes a loan, the amount of money in circulation goes up. When a loan is repaid, it goes down. In the textbook Economics by Lipsey, Sparks, Steiner, it states "The banking system as a whole can create deposit money." Therefore, the banks all have their very own tap, their very own set of electronic money plates. This power to refuse to turn on the tap for one businessman and foreclose while turning it on for another so that other can buy out the first businessman at auction is not fully appreciated. The injection of new money from their taps has been well hidden from the public view because the Bank Act insists that before any new money may be loaned into circulation, old money must be deposited into their reservoirs. It's just as if a casino were to insist on old chips being put into the safety deposit section before it would issue new chips. By merely matching new loans to deposits, this brilliant cover for the turning on of the tap misleads observers into falsely concluding that a chartered bank operates like a piggy bank. With a lawful reason to seek deposits before they can lend, there is no outward difference between chartered bank and a piggy bank. Yet, banks do not seek deposits to lend to other people. They seek them to lawfully turn on the tap. The famous "reserve ratio" of a "fractional reserve system" simply means that a fraction of all deposits is sent to the Bank of Canada's reservoir and the bank is then allowed to turn on the tap to match the deposits remaining in their reservoir. Banks create most of the money in circulation. To go step by step through the plumbing with a 10% reserve ratio, let the Bank of Canada turn on its tap and put $100 of "high-powered" new money into circulation: Depositing $100 into bank reservoirs turns on the tap for $90 more. These $90 end up deposited turning on the tap for $81 more. Depositing $81 into bank reservoirs turns on the tap for $72 more. Etc. until $10 into bank reservoirs turns on tap for $9 more. Etc. until $1 into bank reservoirs turns on tap for $.90 more. Etc. until the total deposits reaches a maximum of $1,000 with $900 newly created dollars added to the system by the chartered banks for every $100 issued by the Bank of Canada. This limit is the inverse of the reserve ration. A reserve ratio of 5% would generate total new money of 1/.05 = 20 times the initial high-powered Bank of Canada money. The demonstrates that the problem with the money system is that the amount of mass put into circulation is not a function of the production possible but of past savings of money. The major difference between a casino bank and a chartered bank is that the liquidity from a casino bank never suffers inflation while the liquidity from a chartered bank always suffers inflation. Since the hardware of a casino bank, chips of different colors and denominations, is functionally identical to the hardware of a chartered bank, computer credit pulses and coins or paper of different colors and denominations, inflation is not a hardware problem. It is a software problem. There is something wrong with the program which regulates how money is put into and taken out of circulation. There is nothing wrong with the hardware of our tap and drain system. It is the operators of the taps who are improperly restricting the flows. To fully appreciate our present predicament, consider a train- master in a wartime situation who, when he was ordered to ensure that an invading army did not capture the system in operating condition, burned all of the railroad tickets. Our failure to use our manpower, materials and tools because there are insufficient monetary tickets puts us in the same category as the invading army who failed to use the captured railway because they couldn't find any railway tickets. To get out of this silly predicament, public control of the money tap must be regained. HOW "MORT-GAGE" INTEREST CREATES A DEATH-GAMBLE The word "mort-gage" is derived from the French word "mort" meaning "death" and "gage" meaning "gamble". Bankers create the money supply when they make loans. Producers are forced to gamble by borrowing newly created Principal(P) to pay for production costs and then inflating their prices to earn back the Principal and Interest(P+I) in sales. Because total goods priced at (P+I) can never be sold when consumers only have P dollars available, a minimum amount of goods must remain unsold and a minimum number of producers must fail and suffer foreclosure. The economist Keynes likened the mort- gage death-gamble to the game of musical chairs. Just as there are insufficient chairs for all to survive the musical chairs death- gamble, so too, there is insufficient money for all to repay (P+I) and survive the mort-gage death-gamble. P < principle, I < Interest, i < Interest Rate, t < Time PERCENT ALGEBRA EXP. FUNC Production costs (principal) 100 P 1 Production prices (Debt) 100+i P+I exp(it) Purchasable Value 100 P 1 or ratio of money to prices ----- ----- ------- or survivors 100+i P+I exp(it) Unpurchasable value i I 1 or forced unemployment U= ----- ----- 1 - -------- or non-survivors 100+i P+I exp(it) For U=0, let i=0 I=0 i=0 or t=0 The odds of survival are always set by the interest rate(i). P/(P+I) survive, I/(P+I) do not. INFLATION The equation for the minimum inflation (J) we must suffer is the same as the equation for unemployment (U) because the fraction of the people foreclosed on is the fraction of collateral confiscated. Draw a large H and label the first left line as "$" and the right line "Collateral." Draw a small arrow up from the left axis. Label it "Shift A." Draw another arrow down from the right axis labelled "Shift B." Draw a line from the tip of the "Shift A" arrow to the base of the "Shift B" arrow and vice versa. Dollars Assets | | ________ | | |\ | | \ | Shift A | \ | | \ | | \ | ________ |__________\|________ |\ | | \ | | \ | Shift B | \ | | \ | | \| ________ | | | | | | Though we are led to believe that inflation is caused by an increase in the money chasing the goods (Shift A), actually, due to foreclosures, it is caused by a decrease in the collateral backing up the money (Shift B). Though both inflations shifts feel the same, the graph shows inflation is the direct function of interest, not the inverse exposing the Big Lie that interest fights inflation. Most people who have not studied economics, if asked whether interest fights or causes inflation, are quick to agree that a merchant must pass on increased interest costs in his prices and therefore it is evident that increased interest costs will result in increased prices. After a thorough brainwashing, economists have been convinced that increased interest costs will result in decreased prices as they constantly explain that "interest fights inflation." DIFFERENTIAL EQUATIONS The differential equation dB/dt = iB states that the increase or decrease of a bank balance (dB/dt), whether credit or debt, is equal to the interest rate (i) times the old balance (B). The solution to the differential equation is exp(it) where t = time. We can now examine the problem, not over one cycle with algebra, but over time with exponential functions. Exp(it) is a non-linear function, crooked. Draw an X axis labelled "Time" with units of 0, 1T, 2T, 3T.. Draw a Y axis labelled "$" with units of 0 to 16. At Y=1, draw a line to the right. At Y= -1, draw another to the right. At X=1T, make a point at Y=2 and Y=(-2). At X=2T, make a point at Y=4 and Y=(-4). At X=3T, make a point at Y=8 and Y=(-8). At X=4T, make a point at Y=16 and Y=(-16). Join the points. Label the curve going up +B*exp(it) and the curve going down as -B*exp(it). GRAPH#2 1600| B*exp(it) $1600 | $ 1400| $ | $ 1200| $ | $ 1000| $ | $ 800| $800 | $ 600| $ | $ 400| $400 | $ 200| $200 +B $-------------------------------------> time Yrs 0---------1---------2---------3---------4------- -$-------------------------------------> -200| -$200 -B | $ -400| -$400 | $ -600| $ | $ -800| -$800 | $ -1000| $ | $ -1200| $ | $ -1400| $ | -B*exp(it) $ -1600| -$1600 Consider that if two men are in a car accident and one owes the other money, if there there is no interest, the debt stays friendly, social and Christian like the two straignt lines for one owing -100 and the other being owed $100. The two straight lines from at +100 and -100 represent the growth of the debt and credit. Zero. If there is interest, the balances start to grow with time and double in time T, then again in time and again and again. Follow the $ curves to see how interest makes balances grow exponentially. For the record, the differential equation for inflation (J) can be described as: dJ^2/dt^2 + (i)dJ/dt = 0 or j'' + (i)j' = 0 LAPLACE TRANSFORMATIONS The Laplace transform of the balance B is 1/(s-i) where "s" is the Laplace constant. The moment the debt passes through the usury filter in banking system accounts, (1/(s-i)), it starts to grow. For the record, the Laplace transformation of the inflation (J) whose solution is (1-exp(-it)) is: 1 / s(s+i) CONTROL SYSTEMS With the Laplace transform, it is also possible to draw the electrical blueprint of a bank account in the usury banking system: |---------| | 1 | CONTROL SYSTEM FOR -------> ----- |---------> | s-i | |---------| |----------------| | Interest = 10% | |<---| Rate |<---------| | |----------------| | | | Old | |<-----------| Balance | | | + | + | | |------------| |------------| | Input + | Addition | + | Addition | New | ---------->| Node |------>| Node |---------------> |------------| |------------| Balance Draw two circles about two inches apart with a plus sign within both. These are addition nodes. Draw arrows from left to right right through both. Where all arrowheads touch a circle, draw a little plus sign. Label the left arrow "Input," the middle arrow "Total Input," and the right arrow "New Balance." Draw a small rectangle labelled "Interest Rate" above and between the two circles. Draw a line up to the right of the circles, an arrow to the rectangle, a line out stopping over the first circle and an arrow down to the first circle. Label the arrow "Interest." Draw another arrow to the left and down to the second circle but not through the rectangle. Label this arrow "Old Balance." This is the control system of the usury banking system. This blueprint of a usury bank account shows that added to any input is the feedback of the interest rate times the previous balance which can be positive or negative. This net amount is added to the previous balance to produce the new balance. This positive feedback makes the system unstable and the root of bad vibrations. Your $100 volt pulse is the input to the first addition node. Added to it is the interest voltage from the last balance which, to start, was 10% of zero. The new net $100 pulse enters the second addition node where it also is added to the old balance, still zero, to push the new balance up to $100 volts. Next year, with no new pulse at the input, added to this zero voltage is 10% interest, a pulse of 10 volts. The 10 volt pulse goes into the second addition node where it is added to the old balance, 100, to push the new balance to 110. Cycle after cycle with no new inputs, you have the exponential growth exp(it) which grows as the above series. It acts just like bringing a microphone up to a speaker. The sound from the speaker is picked up by the microphone and fed back to make the sound out of the speaker louder which is picked up and fed back to make it louder until you blow your speaker. Having an unstable positive feedback loop built into a system makes that system unstable. Negative feedback loops where the feedback from the previous balance is subtracted are very useful in stabilizing systems away from error but positive feedback always makes the error grow. A physical example of negative feedback, positive feedback and no feedback follows: If you have a bowl and you put a ball in it and then give the ball a little shove, it will travel up one side, gravity will bring it down and it will rock back and forth until it settles back to the middle. That's how engineers use negative feedback to bring back things which have been pushed out of normal operation back to normal. If you turn the bowl upside down and put the ball at the top, one small push and the gravity will make the ball fall faster and faster. That's unstable. If you put the ball on a platform and give it a push, without friction, it will just continue in rolling steady state. Both zero and negative feedback are acceptable while positive feedback is always unacceptably unstable. Engineers say that systems are stable if the pole of the system is in the left-hand plane or on the origin but unstable if the pole is in the right-hand plane. Knowing that the Laplace Transform of the system is 1/(s-i), the denominator is zero when s=+i and therefore, the pole is on the right-hand side of the origin, hence unstable. Eliminating the bad vibrations is as simple as making the interest feedback loop in the bank's computer programs zero and using only the simple interior circuit known as an "integrator." Currency systems presently using these simple "integrator" accounts are now known internationally as Greendollar systems of the Local Employment Trading System (LETS). We know that the LETSystem is an interest-free system and so we cut the positive feedback loop to get 1/(s-0). |---------| | 1 | CONTROL SYSTEM FOR -------> ----- |---------> | s | |---------| /\ \ |----------------| \ | Interest = 10% | \ |<---| Rate | | | |----------------| | | | Old | |<-----------| Balance | | Balance | + | + | | |------------| |------------| | Input + | Addition | + | Addition | | New ---------->| Node |------>| Node |---------------: |------------| |------------| Balance This leaves us with only the interior circuit: 1/s |---------| | 1 | CONTROL SYSTEM FOR -------> ----- |---------> | s | |---------| |<-----------| Old | | Balance | | |------------| | Input + | Addition | New | ---------->| Node |---------------> |------------| Balance This is the mathematical circuitry behind all interest-free systems and how Greendollars work. Instead of an output which is exponential, crooked, we have an output which is linear, straight. Your $100 volt pulse is the input to the addition node. Added to it is old balance, starting at zero, to push the new balance up to $100 volts. Next year, with no new pulse at the input, and with interest voltage to add, the balance stays at $100 volts. If another deposit comes in, it's added to the old balance to create a new balance. A negative coming in will reduce the old balance. But the system is always in balance. Positives equal negatives. This analysis shows that unemployment and inflation must go to zero if the banks' computers, which are now permitted to charge both interest and service charges, are restricted to only the service charge. Note that the exponential derivation shows that there are two solutions to the mort-gage (death-gamble). The software solution is interest rate(i) = 0 by restricting the banks computers to a pure service charge and abolishing the interest charge. The hardware solution is time(t) = 0 by installing an instantaneous electronic cashless marketplace. GAME MODEL: SERVICE CHARGE VS. INTEREST In his book `The Theory of Games and Economic Behavior', John Von Neumann, one of this century's top mathematicians, stated that "important questions in economics arise in a more elementary fashion in the theory of games." In the business war for markets, the economy decides who sells their goods and who fails to. Models used by economists are flawed by guesses and approximations about what the economy will choose. The only way to perfectly model the economy is to use fair chance to pick the winners and losers. TO PLAY MORT-GAGE: The necessary game equipment for "mort-gage" is 1) a box to represent the market economy); 2) 3 types of tokens to represent food, shelter, and energy (the tokens can be mints, napkins, cutlery); 3) a fair chance mechanism like a coin, cards, dice, straws, etc.; 4) matches or tokens to represent currency. In the Interest Game, all owe the bank 11 for every 10 tokens they borrow and have to inflate their prices to repay both the principal and the interest. Step 1) Have all the players wishing to get into business pledge their watches to borrow 10 matches from the bank at an interest rate. Step 2) Have all players spend 10 matches into the market box in exchange for a token representing the product of the economy's labor. Step 3) Have pairs of players, those with similar tokens first, use chance to decide which will win a market share out of the box large enough to pay the principal and the interest necessary to survive the bank's demand. Step 4) When the market runs out of currency, let the bank seize the tokens and watches of the losers. Step 5) Record the percent of those knocked into unemployment and the collateral seized. In the Service Charge Game, all owe 11 for every 11 they borrow with the 11th paid immediately to the bank employees as a service charge. Step 1) Have all the players wishing to get into business pledge their watches to borrow 11 matches from the bank. Step 2) Have all players spend 11 matches into the market box in exchange for a product token, 10 for the services of those who produce the goods like on Interest Island, but also 1 for the services of the bank employees who facilitated the transactions. Follow Step 3), 4) and 5) and note that in the Service Charge Game, unlike in the Interest Game, everybody can sell all their goods because the 11th unit of money entered the market through the bank employees. The very subtle difference between systems is that in the Interest Game, the bank demands payment of money it did not create while in the Service Charge Game, the bank demands payment of money it did create. With exactly enough markets to match the prices of goods produced, there can be no foreclosures. I hope this analysis has helped clear up many of the formerly misrepresented and misunderstood aspects of the usury banking system as well as explain why usury has been condemned throughout history as the greatest crime against humanity. It's the only thing standing between mankind and abundant salvation. I welcome any questions on any aspects of how the banking systems engineering. -- John C. "The Engineer" Turmel, Leader, Abolitionist Party of Canada, 2918 Baseline Rd., Nepean, ON, K2H 7B7, Canada,Tel/Fax: 613-820-8656 All TURMEL topics cross-posted to newsgroup: can.politics -- =-GRAHAM-JOHN BULLERS=-=AB756 at FREENET.TORONTO.ON.CA=-=ALT.2600.MODERATED-= Lord grant me the serenity to accept the things I cannot change.The courage to change the things I can.And the wisdom to hide the bodies of the people =-=-=-=-=-=-=-=-=I had to kill because they pissed me off=-=-=-=-=-=-=-=-=-= From sjb at universe.digex.net Wed Apr 17 02:50:03 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 17 Apr 1996 17:50:03 +0800 Subject: PICS required by laws In-Reply-To: <01I3GRMTAVBQ8Y510B@mbcl.rutgers.edu> Message-ID: <199604162302.TAA16890@universe.digex.net> "E. ALLEN SMITH" writes: >From: IN%"frantz at netcom.com" 6-APR-1996 16:21:56.32 > >>I am less worried about this possibility than most. PICS scrubbers will be >>as easy to produce as any other web intermediary. (e.g. The one which >>replaces "bad" words with "censored".) > > Quite... as will ones that flip-flop the various packet bits that >people are discussing. This is a bit naive. The "packet bits" I've discussed are added by the content provider (since he doesn't want to open himself to charges of "contributing to the delinquency of a minor", which exist regardless of the CDA) and packets with the "bits" are never delivered to the minors. To think that someone along that path would subvert the system is ridiculous. As an example, the path for packets from playboy.com to me is entirely controlled by two entities: MCI (Playboy's provider) and DigEx (my provider). This will generally be true, and though the number of entities may be larger, the "kinds" of entities will be the same. Even if we're discussing a mom & pop porno shop instead of playboy, the general picture is the same: the content provider will hand off the labelled data to someone with "network common carrier" status, who will not jeopardize that status by delivering the packets to a minor's connection. The sorts of organizations that form the core of the internet, and are involved in this network layer censorship scheme, just *aren't* the sort of "subversives" (or "patriots", take your pick) that would try to bypass the system. From perry at piermont.com Wed Apr 17 03:08:31 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 18:08:31 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? In-Reply-To: <9603168296.AA829695327@CCGATE.HAC.COM> Message-ID: <199604170019.UAA00756@jekyll.piermont.com> ssalgaller at CCGATE.HAC.COM writes: > Am I the only one worrying about the use of technology to > implement a "New World Order" ??? Yes. The rest of us are all part of the attempt to create such a world order, and thus aren't worried about it because we will be in control of the puny little lives of people such as yourself. > A similar concern could be made about biotechnology: with > gene splicing, it would be possible to create a race of "sub > humans" to do slave labor and fight wars. Even now, my armies of genetic slaves are out there searching for human blood... Vlad "Genex" Metzger From ssalgaller at CCGATE.HAC.COM Wed Apr 17 03:19:51 1996 From: ssalgaller at CCGATE.HAC.COM (ssalgaller at CCGATE.HAC.COM) Date: Wed, 17 Apr 1996 18:19:51 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? Message-ID: <9603168296.AA829695327@CCGATE.HAC.COM> Dear Concerned Citizen, Am I the only one worrying about the use of technology to implement a "New World Order" ??? If not, where else can I post this message ??? Yes, AOL has a movie trivia board, but I'm serious ! A similar concern could be made about biotechnology: with gene splicing, it would be possible to create a race of "sub humans" to do slave labor and fight wars. This has been done in several Sci-Fi movies, but it's not going to stay fiction much longer. Stephen S. PS: Shouldn't these be the questions that CMU worries about? Which is worse, genetic slavery or "dirty duck" photos ? From tcmay at got.net Wed Apr 17 03:25:02 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 17 Apr 1996 18:25:02 +0800 Subject: "STOP SENDING ME THIS SHIT" Message-ID: <ad99852e0a02100467c6@[205.199.118.202]> At 12:12 PM 4/16/96, Adam Pingitore wrote: > STOP SENDING ME THIS SHIT As this is one of several such messages this clown has sent us, despite unsubscribe instructions having been posted several times in the last few weeks, I am bouncing all of his inappropriate messages back to him (though I am being careful--and I urge you all to be careful, too--to cut out any cc:ing of others). If you feel this jerk's posts are inappropriate, you might decide to do the same as I am doing. (Again, be careful to review the To: and cc: fields before sending, to ensure that the list does not get spammed by your actions.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From cp at proust.suba.com Wed Apr 17 03:32:10 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 17 Apr 1996 18:32:10 +0800 Subject: Bidzos Holds Key / A hacker's paradise In-Reply-To: <199604161938.VAA10239@utopia.hacktic.nl> Message-ID: <199604162318.SAA01218@proust.suba.com> Someone just asked me if it would be possible for the NSA to use a front company to buy crypto patents (or companies that own lots of crypto patents), then simply pull them off the market. When I thought about it I couldn't understand why they haven't done it already. Can whoever ends up with the rsa patent pull rsaref off the market, and retroactively make software that uses it illegal? Or would they just be able to prevent people from writing new code with rsaref? From vznuri at netcom.com Wed Apr 17 03:39:40 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 17 Apr 1996 18:39:40 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <Pine.BSI.3.91.960416090319.2962C-100000@wichita.fn.net> Message-ID: <199604170014.RAA07011@netcom3.netcom.com> > >On Mon, 15 Apr 1996, Vladimir Z. Nuri wrote: > >> I have been wondering about malicious hackers getting into these >> pools. would it be possible for them to contribute false data >> that screws up the end results? or are such anomalies easily >> discarded or disregarded by the final processes? > >> future implementors of these programs might amuse themselves with >> trying to create such safeguards or anticipate such "attacks" which >> are pretty significant the more the processes become distributed. > > I guess I would have to ask you why you think hackers would be >interested in these projects in the first place? Your typical hacker >would care very little about such a project and in fact may be interested >in seeing it succeed. the malicious type of hacker has the psychology of taking great glee in tearing anything meaningful down. they don't necessarily need a plausible reason. the purpose of destruction alone can be a powerful motivating force. those who destroy carefully constructed things for fun obtain a sense of power from it. > However, I do feel that you may have a valid point when switching >"hackers" to "opponents of the research." Anyone with an interest in >preventing or slowing down the progress in such a project would be more >dangerous in my mind than your average hacker. the point is, when you are sharing your project among a lot of elements "out there" on a network, you have to worry more and more about "safe computing". when you are working on a purely voluntary basis, what is your guarantee that everyone who volunteers is actually on your side? again, a bigger problem the more a task is decentralized. one interesting argument in favor of centralized computing (I'm not saying it is a definitive argument, quite far from that of course-- just pointing out that Distribution is not necessarily the Panacea to All Problems). From merriman at arn.net Wed Apr 17 03:52:23 1996 From: merriman at arn.net (David K. Merriman) Date: Wed, 17 Apr 1996 18:52:23 +0800 Subject: (mailbomb request) Message-ID: <2.2.32.19960416145355.006a094c@arn.net> At 05:08 PM 04/16/96 -0800, bharper at customcpu.com (Harper, Bill) wrote: >I am very interested in cryptography and all related subjects but I cannot >find enough info about it, and am wondering if anyone can please email me >anything you know and the basics. Thanks! > Is this begging for mailbombs, or what? Let's see, we could email him the plain-ascii version of the cyphernomicon (no zipping allowed :-), for starters..... Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From froomkin at law.miami.edu Wed Apr 17 03:52:38 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Wed, 17 Apr 1996 18:52:38 +0800 Subject: Decision in ITAR challenge case Message-ID: <Pine.SUN.3.91.960416192153.28185E-100000@viper.law.miami.edu> I understand from an AP reporter that the judge in the Bernstein challenge to the ITAR refuesed the motion to dismiss and -- if the reporter is correct -- held that source code is First amendment speech. This appears to conflict with the Karn decision that dismissed a somewhat similar challenge to the ITAR on political question grounds. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From shamrock at netcom.com Wed Apr 17 03:56:54 1996 From: shamrock at netcom.com (Lucky Green) Date: Wed, 17 Apr 1996 18:56:54 +0800 Subject: [IRS] Elvis in Escrow Message-ID: <v02120d7ead9a4b576a52@[192.0.2.1]> At 15:56 4/16/96, Bill Frantz wrote: >I wonder, how much is NSA's secret key worth? You know, the one they use >to grab the extra key bits that Lotus Notes sends them. Probably a lot more that your tax return. The IRS leaking confidential information is one thing. The NSA losing secret keys quite another. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From bharper at customcpu.com Wed Apr 17 04:08:34 1996 From: bharper at customcpu.com (Harper, Bill) Date: Wed, 17 Apr 1996 19:08:34 +0800 Subject: No Subject Message-ID: <19960417010838988.AAA157@[198.70.210.125]> I am very interested in cryptography and all related subjects but I cannot find enough info about it, and am wondering if anyone can please email me anything you know and the basics. Thanks! From jlasser at rwd.goucher.edu Wed Apr 17 04:11:39 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Wed, 17 Apr 1996 19:11:39 +0800 Subject: [NOISE] Desubscribed (Was Re: [NOISE] Is this getting through?) In-Reply-To: <ad99af8a0d0210045bd1@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960416230153.18663A-100000@rwd.goucher.edu> On Tue, 16 Apr 1996, Timothy C. May wrote: > At 10:45 PM 4/16/96, Moltar Ramone wrote: > >I seem to have stopped getting CP mail... is there a problem with the > >list, or is it just my machine? [ ... ] > You didn't say over what interval the mail has stopped for you, so this may > not help. It helped; thank you. It was several days before I figured out which list I was not receiving mail from :-) I'm forwarding this to the list because I would like to note that, after checking with majordomo (which I _should_ have done beforehand, but didn't think to) that I was unsubscribed from the list. I didn't ask to be unsubscribed from the list; if (which I doubt) the user list was restored from a backup, I would almost certainly have been on it, as I've been on the list for a while now. This leads me to believe that somebody else unsubscribed me. *sigh* Is there any way to find out for certain (ie does the majordomo at toad.com keep logs)? Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From stewarts at ix.netcom.com Wed Apr 17 04:13:43 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 17 Apr 1996 19:13:43 +0800 Subject: rc4 speeds Message-ID: <199604170744.AAA28455@toad.com> >>That 164 mb/sec figure for RC4's speed better be a typo, because I >>can't even come close to that. I wrote an Assembler subroutine that >>encrypts a 32,768 byte block, and called it 65536 times on a >>486/DX2-66, without doing any disk reads or writes. First of all, is that megabytes, or megabits? I've forgotten how many instructions it takes to do RC4, but RC5 takes 8-10 per round per pair of words encrypted, so it should do about 1/2 bit per instruction for 16-round. Some processors can do more than one instruction per clock cycle, though loads and stores are usually a bit slower. But you only need to load two words every 128-160 clocks, which is easy on a pipelined machine. So maybe it's a typo, but it should be far faster than 164 kB/s. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From perry at piermont.com Wed Apr 17 04:15:18 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 19:15:18 +0800 Subject: MORE ON MONEY In-Reply-To: <m0u9JDK-0000hpC@queen.torfree.net> Message-ID: <199604170145.VAA00926@jekyll.piermont.com> Graham Bullers writes: > > > TURMEL: Mathematics of how Interest works > > > GREENDOLLAR AND TIMEDOLLAR LETSYSTEM ENGINEERING Exquisitely badly written and conceived of bullshit. .pm From tcmay at got.net Wed Apr 17 04:15:20 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 17 Apr 1996 19:15:20 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <ad998fe00b021004eaf9@[205.199.118.202]> At 9:34 PM 4/16/96, Perry E. Metzger wrote: >True enough, but the claim was that a random string has no >representation which is smaller than itself. If by "the claim" you mean what I said, as I presume from context you do, then this is a serious misstatement of what I said. I already have elaborated on this, so I won't again here. Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Wed Apr 17 04:35:38 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 17 Apr 1996 19:35:38 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? In-Reply-To: <9603168296.AA829695326@CCGATE.HAC.COM> Message-ID: <Pine.SOL.3.91.960416220537.2629B-100000@chivalry> ER... one other possibilty could be Computer/Human Interaction (CHI), which is what he's published in before. Your buttocks are quite safe Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From fulano at usa.pipeline.com Wed Apr 17 04:47:08 1996 From: fulano at usa.pipeline.com (German E. Hayles) Date: Wed, 17 Apr 1996 19:47:08 +0800 Subject: UNSUVSCRIVE Broken - Film last week (fwd) Message-ID: <199604170158.BAA24263@pipe14.h1.usa.pipeline.com> Mean? Heck I'm taking notes. Good to here from you {{{{{{{ --<-<-@ }}}}}}}}} -- German E. Hayles From perry at piermont.com Wed Apr 17 04:47:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 19:47:24 +0800 Subject: Bidzos Holds Key / A hacker's paradise In-Reply-To: <199604162318.SAA01218@proust.suba.com> Message-ID: <199604170230.WAA00997@jekyll.piermont.com> Alex Strasheim writes: > Can whoever ends up with the rsa patent pull rsaref off the market, and > retroactively make software that uses it illegal? No. > Or would they just be able to prevent people from writing new code > with rsaref? No, they couldn't do that either. .pm From jf_avon at citenet.net Wed Apr 17 04:54:43 1996 From: jf_avon at citenet.net (jf_avon at citenet.net) Date: Wed, 17 Apr 1996 19:54:43 +0800 Subject: Article on PGP flaws Message-ID: <9604170333.AB17685@cti02.citenet.net> David Lesher <wb8foz at nrk.com> Says if > someone gets your randseed.bin they can infer the PRNG output sequence > and your IDEA key. Doesn't develop in any detail. Says the IDEA key > should be chosen from _truly_ random numbers. I fed the result of pgp +makerandom=2000 rnd.pgp into noisesphere.exe Every times, it gives a distribution that looks like a zebra from the top view. Any comments? JFA From unicorn at schloss.li Wed Apr 17 05:02:35 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 17 Apr 1996 20:02:35 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <ad99852e0a02100467c6@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960417042451.14115A-100000@polaris.mindport.net> On Tue, 16 Apr 1996, Timothy C. May wrote: > At 12:12 PM 4/16/96, Adam Pingitore wrote: > > STOP SENDING ME THIS SHIT > > > As this is one of several such messages this clown has sent us, despite > unsubscribe instructions having been posted several times in the last few > weeks, I am bouncing all of his inappropriate messages back to him (though > I am being careful--and I urge you all to be careful, too--to cut out any > cc:ing of others). > > If you feel this jerk's posts are inappropriate, you might decide to do the > same as I am doing. > > (Again, be careful to review the To: and cc: fields before sending, to > ensure that the list does not get spammed by your actions.) I think the "clueless" mailing list is a must at this point. > > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From llurch at networking.stanford.edu Wed Apr 17 06:10:42 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 17 Apr 1996 21:10:42 +0800 Subject: That All.net loon... Message-ID: <Pine.ULT.3.92.960416202041.26011B-100000@Networking.Stanford.EDU> Think of this as an interesting experiment in reputation building, where the bad guys won, and got a lot of business from the ignorant. Remember Fred Cohen, the lunatic who had his telnet port booby-trapped to fire off complaints to root and postmaster? http://www.atria.com/People/dawson/tbtf/archive/04-14-96.html http://www.dhp.com/amusement.html http://all.net/journal/netsec/top.html http://all.net/journal/netsec/9603.html http://all.net/journal/netsec/9604.html I feel so sorry for Keith. He was trolled in a big way. I also found this AMAZING BREAKTHROUGH in preventing IP spoofing very amusing: http://all.net/journal/netsec/9606.html -rich From salgak at dcez.com Wed Apr 17 07:03:15 1996 From: salgak at dcez.com (Keith A. Glass) Date: Wed, 17 Apr 1996 22:03:15 +0800 Subject: The Electronic Freedom March needs YOUR Help !!! Message-ID: <31742F90.4D2F@dcez.com> Friends of Free Speech on the Net: On June 30th, 1996, a large anti-CDA rally, the Electronic Freedom March, is planned for the Ellipse, in front of the White House. But without your help, it won't happen. We need volunteers to help us plan the EFM and the logistics required for it, people to help us raise funds to pay the expenses (the Park Service has required us to provide 80 porta-potties, at a cost of nearly $4500.00 alone, and that's not our only requirement. . .), and people to help us run the March on June 30th. Not to mention publicity, etc. We need your help. **I** need your help. I've posted this to the DC area groups, as well as to a few groups that I feel might be useful in gathering more volunteers and interested people. But I need your committment to help NOW, or we won't be able to run the EFM, or as it's been called, the "Million Geek March". Come on, out there: help us out !!! -- * Keith A. Glass, Annandale, Virginia, USA, Filker/punster at large * * Washington Coordinator, Electronic Freedom March * * 30 June 1996, Washington DC URL: http://www.efm.org * * Note: the following line is an intentional act of Civil Disobedience: * * FUCK THE TELECOMMUNICATIONS DECENCY ACT--DEFEND THE FIRST AMENDMENT ! * From frissell at panix.com Wed Apr 17 07:13:03 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 17 Apr 1996 22:13:03 +0800 Subject: Knowledge of TCP/IP Message-ID: <2.2.32.19960417103657.00cd100c@panix.com> At 05:56 PM 4/16/96 -0400, Noel Yap wrote: >Knowledge about TCP/IP is alot easier to control than knowledge about the Berlin Wall (ie, how many Chinese will even know of the existence of TCP/IP -- in the US, where this is freely available, how many citizens know of it's existence)? > Applications software distributed commercially or on a "free" basis allows people who know nothing about TCP/IP or C++ or Visual Basic to use all of these things to get work done. They need not understand completely what they are doing. DCF From holovacs at styx.ios.com Wed Apr 17 07:17:23 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Wed, 17 Apr 1996 22:17:23 +0800 Subject: math patents In-Reply-To: <m0u8Ysr-0008yhC@pacifier.com> Message-ID: <Pine.3.89.9604150603.A29831-0100000@styx.ios.com> On Sun, 14 Apr 1996, jim bell wrote: > . . . However, I don't see the > basis for patenting what is just about pure mathematics, and RSA is very > close to pure math. The fact that there is a practical use for it is > almost a secondary consideration. ... > Had mathematics always been patentable, the patent on that math would have > expired at least decades, and possibly centuries ago. > > In any case, I don't think it's unrealistic to suspect that the government > was playing games with the patent system due to RSA. > That's right, the patent system was actuallly > denying the public this system. > This falls into the same category as software patents. According to an ATT patent attorney, the ALGORITHM is not patented, however building a virtual machine to implement it is covered by the patent. This is the same as chemical processes which have been patented historically, you use public domain chemicals, and normal laboratory procedures in appropriate sequence, apply an algorithm to create something new. The patent covers use of this process (algorithm). As such it is not new. Crypto is a very TINY part of the picture. General software patents (where the big money is) had been submitted for years, and these financial considerations apparently drove the picture. Not that this makes much sense, but then the whole concept of intellectual property law is littered with absurdities. > ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 From perry at piermont.com Wed Apr 17 07:29:40 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 22:29:40 +0800 Subject: No Subject In-Reply-To: <19960417010838988.AAA157@[198.70.210.125]> Message-ID: <199604171117.HAA05051@jekyll.piermont.com> Harper, Bill writes: > I am very interested in cryptography and all related subjects but I cannot > find enough info about it, and am wondering if anyone can please email me > anything you know and the basics. Thanks! Read the book "Applied Cryptography" by Bruce Schneier. It is unfair to expect people to spend lots of time personally tutoring you when there are good books available and the subject is large. Perry From holovacs at styx.ios.com Wed Apr 17 07:29:42 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Wed, 17 Apr 1996 22:29:42 +0800 Subject: [NOISE] Is this getting through? In-Reply-To: <Pine.SUN.3.91.960416184409.20974B-100000@rwd.goucher.edu> Message-ID: <Pine.3.89.9604170627.A4609-0100000@styx.ios.com> Obviously your mail is going to Adam Pingitore... ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 On Tue, 16 Apr 1996, Moltar Ramone wrote: > I seem to have stopped getting CP mail... is there a problem with the > list, or is it just my machine? > > (Right now, it's 4/16 at 7:00pm; reply accordingly) > Jon > ---------- > Jon Lasser (410)494-3072 - Obscenity is a crutch for > jlasser at rwd.goucher.edu inarticulate motherfuckers. > http://www.goucher.edu/~jlasser/ > Finger for PGP key (1024/EC001E4D) - Fuck the CDA. > > From perry at piermont.com Wed Apr 17 07:33:51 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 22:33:51 +0800 Subject: i want off In-Reply-To: <199604170041.TAA18169@silver.niia.net> Message-ID: <199604171119.HAA05067@jekyll.piermont.com> Mathew Ellman writes: > can someone help me off this mailing list > Mathew Ellman > (DEAL WITH IT) > 15 N WASHINGTON ST APT 1 > VALPARAISO IN 46383 > > HAVE A VERY GREAT DAY FROM ME TO YOU. Try the same address you used to get on. The people reading the list are not the same as the people who run the list. There is NEVER a reason to send mail to a list to try to unsubscribe. .pm From perry at piermont.com Wed Apr 17 08:23:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 17 Apr 1996 23:23:37 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604162331.TAA22836@linet02.li.net> Message-ID: <199604170012.UAA00724@jekyll.piermont.com> rick hoselton writes: > At 05:34 PM 4/16/96 -0400, Perry E. Metzger wrote: > > >> ...it is possible ... for Hamlet to appear out of a random number generato r, > > >> But even if it came from a completely random source, it would > >> still make a bad one-time pad. > > >No it wouldn't. > > Are you sure you want to claim that the text of Hamlet would make > a good key for a one-time pad? If the text of Hamlet were produced by a truly random number generator, then it would make a fine one time pad. A cryptanalyst seeing patterns in it would have no way of knowing that the patterns were caused by the input being "Hamlet" -- he would have no way to demonstrate that just because the first five hundred words of the key appear to have been "Hamlet" that the rest would be -- and indeed, there would be far more cases where the rest wouldn't be. If, on the other hand, what you are doing is using books as keys for ciphers, then "Hamlet" is a very poor one. > >There is a tiny but nonzero probability that xoring > >your one time pad with your text will result in a cyphertext equal to, > >say, the Bible. Big deal. > > Most unusual, and you're right, its inconsequential. But if you use the > text of Hamlet or the text of the Bible for your KEY to a one-time-pad, > you're very likely to get broken. IF you are using a one time pad system that truly has a random source of keying material, AND the 1 in 2^1460536 event of the key being Hamlet occurred, THEN no, you aren't likely to get broken. Note that the probability of having this happen is astronomically low, but then again, the probability of ANY given one time pad being generated is astronomically low. If you are just picking books off the shelf and playing one time pad with them, yes, you are correct, you will likely be broken. > >If the key is really random, the > >cryptanalyst has no way to tell what the underlying text was. > > But that silly cryptanalyst might not know that you got Hamlet from > your random number generator. He might think you copied it out of a > book! Then, Hamlet stops being a random number. The context changes. I don't think you are considering this clearly. It is far, far more probable for the cryptanalyst, thinking the key was "Hamlet", to get out a plausible but totally bogus text, than it is for the key to actually be "Hamlet". Of course, it is also far, far more probable for you to be stupid than for a random number generator to put out "Hamlet", but if you go around getting rid of RNGs that produce "Hamlet" or anything close, you have in theory given information to the attacker that gives them a slightly better chance of attacking you since your pads are no longer purely random. The reason all this isn't stupid to discuss and actually has some importance is just this fact. If you build a system that discards things that "don't look like they have enough entropy" (which certain people around here have proposed), you are giving the cryptanalyst a very strong piece of information about the key, so your key is no longer totally unpredictable. An irony, but something important to keep in mind. Every once in a while (once in every four billion bits, or so) your random number generator will put out 32 1's in a row if it is functioning properly. Any given small segment of the output of a good RNG might not look "random", but "random" isn't a property of a given number -- it is the property of the infinite sequence itself. Perry From wombat at mcfeely.bsfs.org Wed Apr 17 08:23:59 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Wed, 17 Apr 1996 23:23:59 +0800 Subject: [NOISE] was Re: Re[2]: What's the "Human Interaction Institute" at CMU For ??? In-Reply-To: <9603168296.AA829695327@CCGATE.HAC.COM> Message-ID: <Pine.BSF.3.91.960417073447.4979A-100000@mcfeely.bsfs.org> On Tue, 16 Apr 1996 ssalgaller at CCGATE.HAC.COM wrote: > Dear Concerned Citizen, > > Am I the only one worrying about the use of technology to > implement a "New World Order" ??? > No. Check this out. Very scary stuff. These people are too wierd: Send e-mail addressed to listproc at internex.net with "Dilbert" as the subject and the words "subscribe Dilbert_List Joe Blow" in the body of the message (be sure to replace the words "Joe Blow" with your name!). Don't include any other information (your e-mail address will be picked up automatically). NOTE: To unsubscribe, follow these same steps but use "unsubscribe Dilbert_List" in the body of the message. > If not, where else can I post this message ??? > > Yes, AOL has a movie trivia board, but I'm serious ! > Nothing serious over at ol' AOL. > A similar concern could be made about biotechnology: with > gene splicing, it would be possible to create a race of "sub > humans" to do slave labor and fight wars. > Been done. These are called Induhviduals. > This has been done in several Sci-Fi movies, but it's not > going to stay fiction much longer. > A certain author, who shall remain nameless, seems to imply that such dastardly creatures can be found at PacBell. > Stephen S. > > PS: Shouldn't these be the questions that CMU worries about? > Which is worse, genetic slavery or "dirty duck" photos ? > Um, what's the duck doing? From trei at process.com Wed Apr 17 09:39:17 1996 From: trei at process.com (Peter Trei) Date: Thu, 18 Apr 1996 00:39:17 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? Message-ID: <199604171319.GAA01301@toad.com> > > The title could refer to net censorship, or to bio-medical > implantation of control computers inside human brains. > Stephen S. > salgaller at ccgate.hac.com > or try: > salgaller at aol.com > > PS: If anyone can tell me the name of the 1965 movie > starring Michael Renee that dealt with the above two issues, > please tell me. > > If you were not aware, the movie dealt with a plan, > initially, to link all humanity directly to each other. One > could "download" data directly into your brain ! You could > also have "mental telepathy" and communicate with others. > Michael Renee's character escapes to the past to try to end > research done by a scientist, that lead up to the inevitable > > a totalitarian world government takes control of everyone; > > even your thoughts are no longer private. > > You get the idea. This was also done as part of the movie > "Terminator 2"; I wonder if the writer of the 1965 movie got > any screen credit or royalties for T2 ??? > > I'm worrying too much, right ? It can't happen here ??? > Tim Mc Veigh said he had a bio chip implant. Nah... I strongly suspect that you are refering to "Cyborg 2087" aka "The Man from Tomorrow" a 1966 film starring Micheal Rennie (note spelling). It took about 2 minutes to track this down on the net. Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From m5 at vail.tivoli.com Wed Apr 17 09:52:22 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 18 Apr 1996 00:52:22 +0800 Subject: Clinton blathering about Internet terror Message-ID: <3174E9EC.4087@vail.tivoli.com> See http://www.yahoo.com/headlines/960417/news/stories/internet_1.html. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From brucem at wichita.fn.net Wed Apr 17 10:45:05 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Thu, 18 Apr 1996 01:45:05 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <199604170014.RAA07011@netcom3.netcom.com> Message-ID: <Pine.BSI.3.91.960417083229.17657A-100000@wichita.fn.net> On Tue, 16 Apr 1996, Vladimir Z. Nuri wrote: > >On Mon, 15 Apr 1996, Vladimir Z. Nuri wrote: > > I guess I would have to ask you why you think hackers would be > >interested in these projects in the first place? Your typical hacker > >would care very little about such a project and in fact may be interested > >in seeing it succeed. > > the malicious type of hacker has the psychology of taking > great glee in tearing anything meaningful down. they don't > necessarily need a plausible reason. the purpose of destruction > alone can be a powerful motivating force. those who destroy > carefully constructed things for fun obtain a sense of power from it. True. Yet, my estimate as to the number of 'malicious hackers' that would take interest in disturbing such a project (and have the ability to do so) is very low. That number would increase though if you were the NSA or any other agency perceived as Big Brother, since the hackers would probably see your efforts as a threat. > > However, I do feel that you may have a valid point when switching > >"hackers" to "opponents of the research." Anyone with an interest in > >preventing or slowing down the progress in such a project would be more > >dangerous in my mind than your average hacker. > the point is, when you are sharing your project among a lot of > elements "out there" on a network, you have to worry more and > more about "safe computing". when you are working on a purely > voluntary basis, what is your guarantee that everyone who volunteers > is actually on your side? again, a bigger problem the more a > task is decentralized. one interesting argument in favor of centralized > computing (I'm not saying it is a definitive argument, quite far > from that of course-- just pointing out that Distribution is > not necessarily the Panacea to All Problems). In every aspect of life we have to deal with the threat of someone working to counteract our efforts. However, to continue functioning we rate these threats as probable or inprobable and deal with them accordingly. I don't see skewed results, due to falsifying or tampering with records, as being a very probable threat in the present especially when you are dealing with volunteers. That threat would increase in magnitude when you start paying people for computer time (as they typically have less of a loyalty bond to you than volunteers would) or if a person would benefit by corrupting the data (such as in the case of a competition). Bruce Marshall From Adam_Pingitore at alli.wnyric.org Wed Apr 17 10:56:10 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Thu, 18 Apr 1996 01:56:10 +0800 Subject: on corporations and subpoenas Message-ID: <9603178297.AA829755045@ccmail.wnyric.org> Um, well, then I'm going to have to spam your ass. From declan+ at CMU.EDU Wed Apr 17 11:33:58 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 18 Apr 1996 02:33:58 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? In-Reply-To: <9603168296.AA829695326@CCGATE.HAC.COM> Message-ID: <clRDn1u00YUv83cLd5@andrew.cmu.edu> Excerpts from internet.cypherpunks: 16-Apr-96 What's the "Human Interacti.. by ssalgaller at CCGATE.HAC.CO > Re: Subject, what is Dan Olsen going to be in charge of at > CMU ? (ref: CDA debate; expert witness for the CDA) > > The title could refer to net censorship, or to bio-medical > implantation of control computers inside human brains. Olsen's expertise seems to lie in the area of user interfaces. Though you never know what those kooky geeks are thinking of over in Wean Hall... -Declan From perry at piermont.com Wed Apr 17 11:36:42 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Apr 1996 02:36:42 +0800 Subject: on corporations and subpoenas In-Reply-To: <9603178297.AA829755045@ccmail.wnyric.org> Message-ID: <199604171420.KAA05284@jekyll.piermont.com> "Adam Pingitore" writes: > Um, well, then I'm going to have to spam your ass. Not a finger raised. I will do nothing whatsoever to take you off this mailing list. Have fun. .pm From declan+ at CMU.EDU Wed Apr 17 11:44:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 18 Apr 1996 02:44:45 +0800 Subject: on corporations and subpoenas In-Reply-To: <9603178297.AA829755045@ccmail.wnyric.org> Message-ID: <0lRDrmC00YUv83cMoK@andrew.cmu.edu> Excerpts from internet.cypherpunks: 17-Apr-96 Re[2]: on corporations and .. by "Adam Pingitore"@alli.wn > Um, well, then I'm going to have to spam your ass. My dearest Adam: If I tell you to rot and die, will you "spam my ass" too? Sincerely, A friend From anonymous-remailer at shell.portal.com Wed Apr 17 12:24:48 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 18 Apr 1996 03:24:48 +0800 Subject: Fascist takes another bite Message-ID: <199604171436.HAA24624@jobe.shell.portal.com> Reuters, 4/17/96: Clinton worried Internet may help arm terrorists TOKYO, April 17 (Reuter) - U.S. President Bill Clinton said on Wednesday he was worried the Internet was aiding international terrorism by making it too easy for sinister forces to learn how to make bombs or produce nerve gas. "Are people learning, for example, from the Internet how to make the same sort of trouble in the United States that was made in Japan with sarin gas?" Clinton said at a news conference with Japanese Prime Minister Ryutaro Hashimoto in Tokyo. "Isn't it a concern that anybody, anywhere in the world, can pull down off the Internet the information about how to build a bomb like the bomb that blew up the Federal Building in Oklahoma City?" he added. Clinton said Japan and the United States, both victims of home-grown terrorism last year, should learn from each other about how to deal with the issue. In the United States anti-government groups are linked "like no rebel force has ever been" by the Internet and fax, the Southern Poverty Law Center, a group which campaigns for civil rights, said in a report released last week. Anti-government right-wing activism has been linked to the Oklahoma blast in which a truck bomb destroyed a federal building and killed 168 people on April 19, 1995. Information on how to construct a similar bomb is available to anyone around the world with Internet access. Meanwhile in Japan, the doomsday cult Aum Shinri Kyo (Supreme Truth Sect) was able to download from the Internet a formula for synthesising green-mamba snake venom, according to a recent magazine report. The sect is also believed to have been looking to procure samples of the lethal ebola virus. Cult leader Shoko Asahara goes on trial on April 24 charged with the murder of 25 people, including 11 who died in a sarin nerve gas attack on the Tokyo subway on March 20, 1995. About 5,000 other commuters where taken ill in the incident. Clinton also told the news conference that in the next 20 years "every great nation will have to face" the question of terrorist access to the Internet. Clinton called acts of terrorism, whether home-grown or international, "a genuine threat not only to the lives of the innocent civilians who may be killed in them, but to the whole idea of an open, civilised society in a global economy." Clinton's comments on the Internet were in response to a question about his thoughts on terrorism. He said nations must ask "how can we work together to learn with each other about how to prevent these things before they occur, when they're purely domestically driven, as well as sharing information and technology and law enforcement about the international terrorist networks that are out there?" REUTER From ben.rothke at citicorp.com Wed Apr 17 12:38:20 1996 From: ben.rothke at citicorp.com (Ben Rothke) Date: Thu, 18 Apr 1996 03:38:20 +0800 Subject: Spaces in passwords Message-ID: <199604171502.AA17527@egate.citicorp.com> Do spaces (ASCII 20) in passwords make them less secure? I was speaking with a security admin who feels that spaces decrease the effectiveness of passwords. I thought that they would actually do the opposite & increase password efficacy, as most password dictionary attacks do not attempt to attack embedded spaces. An attack trying to penetrate embedded spaces would seem to make the dictionary orders or magnitude larger. Any comments? Ben ------------------------------------------------------------ The views expressed are exclusively my own & not that of my employer ----------------------------------------------------------- From jeffb at sware.com Wed Apr 17 12:40:14 1996 From: jeffb at sware.com (Jeff Barber) Date: Thu, 18 Apr 1996 03:40:14 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604162053.QAA10650@universe.digex.net> Message-ID: <199604171526.LAA30813@jafar.sware.com> Scott Brickner writes: > > Steve Reid writes: > >Really, the apropriate place for content filtering is at the application > >layer. It *could* be done at the transport layer, but that's really not > >the place for it. > > Izzat so? So explain to me what the difference between the PICS type > ratings and security classifications is. > Clearly the IETF believed that the network layer was an appropriate > place for general classification when they developed IPv4. I haven't > verified it, but I suspect that IPv6 has (or will have) an appropriate > mechanism for indicating security classification. That's not at all clear. The IETF did not sit down in committee and "develop IPv4" (thank god). And I've not seen any evidence that it was designed with support for security labels in mind. Personally, I agree with Steve that, even though IP *may* be used to propagate security options, it isn't the "right" place. One problem with labeling things at the transport level is that this requires support for the labels throughout the operating system(s) on which the "content" is generated (at least for a "real" multi-user system with a potentially mixed adult/child user base) or through which it flows. The operating system has to carry labels around in conjunction with each and every process and file on the system in order that the low-level software will be able to accurately label IP datagrams. And this OS support is both difficult to implement and onerous to the users and applications running on that platform -- otherwise, we'd all be running on TCSEC B-level operating systems right now. Fundamentally, the decision boils down to whether you want the labeling to be mandatory (as with DoD security labels) or voluntary as with PICS. -- Jeff From bdavis at thepoint.net Wed Apr 17 12:41:28 1996 From: bdavis at thepoint.net (Brian Davis) Date: Thu, 18 Apr 1996 03:41:28 +0800 Subject: [IRS] Elvis in Escrow In-Reply-To: <199604162254.PAA01128@netcom9.netcom.com> Message-ID: <Pine.BSF.3.91.960417105233.5781F-100000@mercury.thepoint.net> On Tue, 16 Apr 1996, Bill Frantz wrote: > At 4:40 AM 4/16/96 -0700, Dave Del Torto wrote: > >[from SF Examiner somewhere around 12-14 April 96] > > > >.............................................................................. > > > >"IRS Worker Took Peek at Celebrities' Records" > >[Associated Press] > > Memphis - A former IRS employee who said boredom had led him to peek at > >the tax records of President Clinton, Elvis Presley and other famous people > >has been acquitted of federal charges. > >^^^^^^^^^^^^^^^^^^ "acquitted" here may mean that cypherpunks were on the trial jury. If the "fix" was in, as Dave seems to imply, there never would've been a trial. EBD > > > >Hmmm. _We_ do it, it's "malicious cracking/hacking" and they toss us in the > >clink... _they_ do it, and it's "practice" (and they get acquitted). And > >_these_ are the people who want to escrow _my_ keys? As IF! > > I wonder, how much is NSA's secret key worth? You know, the one they use > to grab the extra key bits that Lotus Notes sends them. > > > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From jimbell at pacifier.com Wed Apr 17 12:50:54 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 18 Apr 1996 03:50:54 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? Message-ID: <m0u9ZdY-00092lC@pacifier.com> At 09:28 AM 4/17/96 -6, Peter Trei wrote: >> PS: If anyone can tell me the name of the 1965 movie >> starring Michael Renee that dealt with the above two issues, >> please tell me. >> >> If you were not aware, the movie dealt with a plan, >> initially, to link all humanity directly to each other. One >> could "download" data directly into your brain ! You could >> also have "mental telepathy" and communicate with others. >> Michael Renee's character escapes to the past to try to end >> research done by a scientist, that lead up to the inevitable >> >> a totalitarian world government takes control of everyone; >> >> even your thoughts are no longer private. >I strongly suspect that you are refering to "Cyborg 2087" aka >"The Man from Tomorrow" a 1966 film starring Micheal Rennie >(note spelling). >It took about 2 minutes to track this down on the net. >Peter Trei A different (and rather funny) treatment of a similar concept was done in the 1967 (?) movie, "The President's Analyst," with James Coburn, Godfrey Cambridge, Severn Darden. From perry at piermont.com Wed Apr 17 12:52:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Apr 1996 03:52:24 +0800 Subject: Spaces in passwords In-Reply-To: <199604171502.AA17527@egate.citicorp.com> Message-ID: <199604171543.LAA05427@jekyll.piermont.com> Ben Rothke writes: > Do spaces (ASCII 20) in passwords make them less secure? Of course not. In a normal Unix password, adding spaces to the password search space increases the search space, so it necessarily makes the search harder. .pm From jimbell at pacifier.com Wed Apr 17 12:52:33 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 18 Apr 1996 03:52:33 +0800 Subject: Clinton blathering about Internet terror Message-ID: <m0u9ZZf-00092EC@pacifier.com> At 07:54 AM 4/17/96 -0500, Mike McNally wrote: >See http://www.yahoo.com/headlines/960417/news/stories/internet_1.html. But he's still dishonestly trying to make it look like the danger is to ordinary individuals, rather than government functionaries. >From the news item addressed above: >In the United States anti-government groups are linked ``like no rebel force >has ever been'' by the Internet and fax, the Southern Poverty Law Center, a >group which campaigns for civil rights, said in a report released last week. So what's wrong with this? Jim Bell jimbell at pacifier.com From froomkin at law.miami.edu Wed Apr 17 12:55:23 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 18 Apr 1996 03:55:23 +0800 Subject: Bernstein case decisision (fwd) Message-ID: <Pine.SUN.3.91.960417115643.1932M-100000@viper.law.miami.edu> reposted with permission. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) ---------- Forwarded message ---------- Date: Wed, 17 Apr 1996 05:23:47 -0400 >From: Mike Godwin <mnemonic at well.com> To: Multiple recipients of list <cyberia-l at warthog.cc.wm.edu> Subject: Re: Bernstein case decisision [...] The following summary is from my colleague Shari Steele: What Judge Patel said. First, the judge ruled that Bernstein could bring his case even though the Arms Export Control Act specifically precludes judicial review, because what we are asking the judge to review (i.e., the constitutionality of the statute and its regulations) was not what had been precluded (i.e., the government's determination in a particular instance whether or not something was exportable). "With respect to constitutional questions, the judicial branch not only possesses the requisite expertise to adjudicate these issues, it is also the best and final interpreter of them." Next, the judge determined that only the source code was at issue here, not Bernstein's academic paper describing the source code. Bernstein tried to get the government to rule separately on the paper and the code back in 1993 by filing separate CJ requests. The State Department merged the requests and rejected them all. On June 29, 1995, after we filed this suit, the government sent Dan a letter saying that the paper could be published and never had been forbidden. While Judge Patel claimed that the issue of the paper now appeared to be moot, she commented, "It is disquieting than an item defendants now contend could not be subject to regulation was apparently categorized as a defense article and subject to licensing for nearly two years, and was only reclassified after plaintiff initiated this action." Finally, the key ruling in the case. "This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French....Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it....Thus, even if Snuffle source code, which is easily compiled into object code for the computer to read and easily used for encryption, is essentially functional, that does not remove it from the realm of speech....For the purposes of First Amendment analysis, this court finds that source code is speech." This is the first time that we know of that a court has ruled that source code is speech for First Amendment analysis. This is a Big Deal - a very important precedent. The judge drew an analogy to copyright law, which treats computer software as a "literary work" and offers it copyright protection, to help her come to her conclusion. The judge, therefore, did not throw out any of our claims (the ITAR acts as a prior restraint on speech, the ITAR is overbroad, and the ITAR is vague). She looked at each of them one by one and determined that each of them had merit. What this decision means. Most directly, it means that we can continue on with our lawsuit. The government had brought a motion to dismiss the case, contending that the court lacked jurisdiction to hear this matter because it was a matter of national security. The judge struck that down and said that we can go forward with our suit. More indirectly, the judge's ruling sets the stage for us winning at trial. She clearly "gets it," and isn't intimidated by the government's use of precedential cases that aren't on point. From mattt at microsoft.com Wed Apr 17 13:01:00 1996 From: mattt at microsoft.com (Matt Thomlinson) Date: Thu, 18 Apr 1996 04:01:00 +0800 Subject: COQ_tal Message-ID: <c=US%a=_%p=msft%l=RED-77-MSG-960417155912Z-8177@red-06-imc.itg.microsoft.com> damn, that's the second time I've done that this week! dang 'R' key.. apologies, mattt > From ses at tipper.oit.unc.edu Wed Apr 17 13:08:56 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 18 Apr 1996 04:08:56 +0800 Subject: [NOISE] Bizdos / A hacker's paradise In-Reply-To: <199604170230.WAA00997@jekyll.piermont.com> Message-ID: <Pine.SOL.3.91.960417085958.2935A-100000@chivalry> 1) Wasn't hacker's paradise the theme to Dangerously Mindless? Tell me why are we so blind to see That the code we need is on ftp 2) I keep getting wierd mental pictures of Jim Bizdos in that Saturday Night Live sketch "You likea the source? It's a good source. Hey, he no likea the source" --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From mattt at microsoft.com Wed Apr 17 13:10:06 1996 From: mattt at microsoft.com (Matt Thomlinson) Date: Thu, 18 Apr 1996 04:10:06 +0800 Subject: COQ_tal Message-ID: <c=US%a=_%p=msft%l=RED-77-MSG-960417155817Z-8170@red-07-imc.itg.microsoft.com> From hwh6k at fulton.seas.virginia.edu Wed Apr 17 13:14:24 1996 From: hwh6k at fulton.seas.virginia.edu (Henry Huang) Date: Thu, 18 Apr 1996 04:14:24 +0800 Subject: Protocols at the Point of a Gun Message-ID: <199604171546.LAA67558@fulton.seas.Virginia.EDU> On Apr 16, 16:22, Steve Reid wrote: > Security classification and "decent/indecent" ratings are rather > different, IMHO. With security, the author of the data has to decide the > best rating for his/her own security. With decent/indecent filtering, the > author has to decide what is best for _other_people_. I suppose it's not > as bad as that with the third-party ratings in PICS, but there will still > be inconsistancies. "As bad"?!? Actually, it's a good deal worse. See below. > The main reason I think decent/indecent filtering should be done at the > application level is, if they create a ratings system and later decide > that they've screwed up and another system would be better (which is quite > possible, if you understand the previous paragraph), all that's really > required is re-writing the application software. OTOH, if they did it at > the transport layer and later decided to switch to something else, they > would have to change the protocol, which is very difficult. And, depending > on the changes, they may have to re-write the apps again anyways. > > Also, at the application layer, ANYONE could create their own ratings > system, and the market could decide which is best. (The downside of that > is that there would be nonstandardized chaos for a while). Well good. Better nonstandardized chaos than a single, arbitrarily defined and applied system. (Ref: "Parental Advisory" stickers, which were IMHO totally useless, and a doomed concept from the start.) I think that if there's going to be ratings, better to have lots of different organizations reflecting different tastes and mores than one organization reflecting political pressures and prejudices. (No real crypto relevance in the concept per say, but perhaps in the application (as Bill pointed out with the PICS excerpt).) -H From jya at pipeline.com Wed Apr 17 13:17:23 1996 From: jya at pipeline.com (John Young) Date: Thu, 18 Apr 1996 04:17:23 +0800 Subject: COQ_tal Message-ID: <199604171546.LAA20232@pipe3.nyc.pipeline.com> 4-17-96. Fint: "When rocket scientists crash out of orbit." Barry Riley essays on the impact of physicists and mathematicians on finance and economics, while reporting on a recent article by three physicists critiquing the shortcomings of the Black-Scholes formula for pricing options. The Bouchaud-Iori-Sornette formula for "real world" options attempts to minimise these residual risks, especially by applying a more sophisticated mathematical treatment to the "tails" of the distribution. If the risks cannot be hedged out, at least they can be reduced via diversification. A bracing cocktail for the recent cpunks bar-slappers on funny-money and unscriving and eye-grit quackers. COQ_tal From maldrich at grctechs.va.grci.com Wed Apr 17 13:18:05 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Thu, 18 Apr 1996 04:18:05 +0800 Subject: i want off In-Reply-To: <199604170041.TAA18169@silver.niia.net> Message-ID: <Pine.SCO.3.91.960417114234.13968D-100000@grctechs.va.grci.com> On Tue, 16 Apr 1996, Mathew Ellman wrote: > can someone help me off this mailing list > Mathew Ellman > (DEAL WITH IT) > 15 N WASHINGTON ST APT 1 > VALPARAISO IN 46383 Smooth move. You just published your home address to about 1000 people, all of whom are suspected of being involved in a nation-wide moon pie theft clique. Expect weirdness. Ignore the knocks on your door late at night. Do not feed or water the on-going Cypherpunks meeting and party that is about to manifest itself in your front yard. If you do, they'll never go away. Enjoy being in the archives for all time. Impress your friends by doing a WWW search on your name and actually having a hit returned by the search engine. > > HAVE A VERY GREAT DAY FROM ME TO YOU. Well, thanks very much. You, too. And remember, DO NOT OPEN THE DOOR FOR STRANGERS! ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From hoz at univel.telescan.com Wed Apr 17 13:45:08 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 18 Apr 1996 04:45:08 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604171558.IAA02972@toad.com> At 08:12 PM 4/16/96 -0400, Perry E. Metzger wrote: >> Are you sure you want to claim that the text of Hamlet would make >> a good key for a one-time pad? ... much deleted .... >It is far, far more probable for the cryptanalyst, thinking the >key was "Hamlet", to get out a plausible but totally bogus text, than >it is for the key to actually be "Hamlet". I can agree with this. >Of course, it is also far, >far more probable for you to be stupid than for a random number >generator to put out "Hamlet". I agree here too. I've been stupid many times, but I never expect to see a fair random number generator produce Hamlet. (I should live so long!) >but if you go around getting rid of >RNGs that produce "Hamlet" or anything close, you have in theory given >information to the attacker that gives them a slightly better chance >of attacking you since your pads are no longer purely random. And I could agree with this too, except that cryptanalysts do not consider every string to be equally likely. If they did, they would never even bother to look at XORing a bitstream with ciphertext to produce plaintext. >The reason all this isn't stupid to discuss and actually has some >importance is just this fact. If you build a system that discards >things that "don't look like they have enough entropy" (which certain >people around here have proposed), you are giving the cryptanalyst a >very strong piece of information about the key, so your key is no >longer totally unpredictable. This is true. But it is also unavoidable. Actually, I'm pleased to give up one-percent of my keyspace, if that's the one-percent that an analyst will check first. Another example: What if I selected a nonsense passphrase, "Dagmar shaved Howard's cocker spaniel" Not great, but adequate for my needs. If, by some wild coindence, a book by that title became a best seller, I would change my passphrase. A cryptanalyst who knew that was my feeling could simplify his cracking by not bothering to search for best selling book titles. On the other hand, a cryptanalyst who was not so convinced of my paranoia, and who DID check book titles, would not find my passphrase. I assume that BOTH philosophies would be used in a serious attack. When I do the math, it says that, assuming BOTH types of attack are done, it is better to have a passphrase that is not the title of a book. >An irony, but something important to >keep in mind. Every once in a while (once in every four billion bits, >or so) your random number generator will put out 32 1's in a row if it >is functioning properly. Agreed. And if that produces a "weak key" for your cipher, you'll get broken. >Any given small segment of the output of a >good RNG might not look "random", but "random" isn't a property of a >given number -- it is the property of the infinite sequence itself. I agree here too. But the analyst doesn't see the infinite sequence, only the number itself. I am enjoying this discussion, but I feel like I'm running out of useful new ways to try to express this idea. If I don't reply, it doesn't mean you have convinced me. :) From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 17 13:56:55 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 18 Apr 1996 04:56:55 +0800 Subject: Clinton blathering about Internet terror Message-ID: <01I3ND8BMOQ88Y53TS@mbcl.rutgers.edu> From: IN%"m5 at vail.tivoli.com" "Mike McNally" 17-APR-1996 11:19:57.56 >Subject: Clinton blathering about Internet terror >See http://www.yahoo.com/headlines/960417/news/stories/internet_1.html. Also at http://www.nando.net/newsroom/ntn/info/041796/info11_8930.html. The listing of sites outside of the US might encourage people to realize that this information can't be stopped. -Allen From sameer at c2.org Wed Apr 17 14:35:28 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 18 Apr 1996 05:35:28 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <Pine.SUN.3.91.960417042451.14115A-100000@polaris.mindport.net> Message-ID: <199604171641.JAA26692@atropos.c2.org> > > I think the "clueless" mailing list is a must at this point. clueless at c2.org/majordomo at c2.org subscribe idiots as necessary. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From tcmay at got.net Wed Apr 17 14:56:27 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 05:56:27 +0800 Subject: Clinton worried books may help arm terrorists Message-ID: <ad9a6f90120210047913@[205.199.118.202]> Roiters, 4/17/96: Clinton worried books may help arm terrorists TOKYO, April 17 (Roiter) - U.S. President Bill Clinton said on Wednesday he was worried that books are aiding international terrorism by making it too easy for sinister forces to learn how to make bombs or produce nerve gas. "Are people learning, for example, from reading how to make the same sort of trouble in the United States that was made in Japan with sarin gas?" Clinton said at a news conference with Japanese Prime Minister Ryutaro Hashimoto in Tokyo. "Isn't it a concern that anybody, anywhere in the world, can find books and encyclopedia articles about how to build a bomb like the bomb that blew up the Federal Building in Oklahoma City?" he added. Clinton said Japan and the United States, both victims of home-grown terrorism last year, should learn from each other about how to deal with the dangerous issue of unauthorized reading. >From Tokyo, President Clinton is to fly to North Korea to discuss North Korea's successful campaign to limit access to books and reading. From jya at pipeline.com Wed Apr 17 15:08:12 1996 From: jya at pipeline.com (John Young) Date: Thu, 18 Apr 1996 06:08:12 +0800 Subject: Bernstein case decisision (fwd) Message-ID: <199604171634.MAA26903@pipe3.nyc.pipeline.com> Thanks much , Michael. Shows what a scary cpunk-packed courtroom can do to tip the scales of blind justice. From JonWienke at aol.com Wed Apr 17 15:08:37 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 18 Apr 1996 06:08:37 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <960417131542_274184240@mail04> In a message dated 96-04-16 15:51:46 EDT, Perry Metzger writes: >There is no reason you can't have a string of 20 1 bits in >a row in a perfectly random sequence, for example. Usually, random >sequences are non-compressable, but it is possible (though very >improbable) for Hamlet to appear out of a random number generator, >and it is of course quite compressable... Of course, if that happened, the odds of it happening from a Trojan Horse or other type of attack are overwhelming... From JonWienke at aol.com Wed Apr 17 15:10:25 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 18 Apr 1996 06:10:25 +0800 Subject: No Subject Message-ID: <960417131551_274184307@emout08.mail.aol.com> In a message dated 96-04-17 02:35:51 EDT, you write: >Knowledge about TCP/IP is alot easier to control than knowledge about the >Berlin Wall (ie, how many Chinese will even know of the existence of TCP/IP >-- in the US, where this is freely available, how many citizens know of it's >existence)? I bet this would change if people saw knowledge of TCP/IP as the "key to the Berlin Wall." From llurch at networking.stanford.edu Wed Apr 17 15:17:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 18 Apr 1996 06:17:56 +0800 Subject: Clinton blathering about Internet terror In-Reply-To: <3174E9EC.4087@vail.tivoli.com> Message-ID: <Pine.ULT.3.92.960417101323.29708C-100000@Networking.Stanford.EDU> On Wed, 17 Apr 1996, Mike McNally wrote: > See http://www.yahoo.com/headlines/960417/news/stories/internet_1.html. To be fair, I don't see any blathering, just "expressions of concern." The blathering quote comes from the SPLC, not Clinton. Clinton, though, is pushing the unconstitutional "anti-terrorism" bill, which is all blather, and worse, he's letting the Republicans add an unrelated rider that emasculates habeus corpus. -rich From abostick at netcom.com Wed Apr 17 15:41:39 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 18 Apr 1996 06:41:39 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604161843.LAA19508@toad.com> Message-ID: <l3Qdx8m9L0IU085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604161843.LAA19508 at toad.com>, rick hoselton <hoz at univel.telescan.com> wrote: > At 10:07 AM 4/16/96 -0400, Perry E. Metzger wrote: > > >...Usually, random > >sequences are non-compressable, but it is possible (though very > >improbable) for Hamlet to appear out of a random number generator, > >and it is of course quite compressable... > > But even if it came from a completely random source, it would > still make a bad one-time pad. When people say "compressable" > or "algorithmic complexity" or "random", a context is always implied. > > In the context of "fair coin flips" the text of Hamlet is NOT compressible. > Because no string is more likely than any other. Any algorithm that could > compress that string, will, on the average INCREASE the length of > "fair coin flip" strings it tries to compress. > > Under the context of "pads that might be used for cryptographic purposes" the > text of Hamlet is quite compressible. An attacker is much more likely to > test for such a stream than one that appears more random. So, even if you > got "Hamlet" from a perfectly random source, you should reject it for crypto > purposes. This thread is becoming isomorphic to one that took place on the Coderpunks list. Jonathan Wienke was promoting an idea to make the output of a PRNG "more" random by throwing away output whose statistics didn't match the ideal statistics of an ideal RNG. Critics of this scheme (including Perry) argued along these lines: Suppose you think that quotes from Hamlet don't belong in your OTP keystream, and so you filter them out. In doing so, you are making your keystream *less* random, not more, because you are making some bit sequences more likely than others. Given that Hamlet quotes aren't very likely, you aren't making your keystream very much weaker, but you *are* weakening it. See the Coderpunks archives for more details on this argument. - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMXUQuuVevBgtmhnpAQHZpgMApBbI3CPieZc/V/vQt5vAqHX/XcRqWjg3 Rilta9XizlIfq7BYS4NKefov7t2kAW+cgsWESC17rJ7gkXCYIsdvaGg4q1uunDG+ 0MXhL406zQbcsPy3iUROGHFIz+IRvkNY =qjiR -----END PGP SIGNATURE----- From tcmay at got.net Wed Apr 17 15:44:27 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 06:44:27 +0800 Subject: Protocols at the Point of a Gun Message-ID: <ad9a78940002100474f5@[205.199.118.202]> At 3:46 PM 4/17/96, Henry Huang wrote: >Well good. Better nonstandardized chaos than a single, arbitrarily >defined and applied system. (Ref: "Parental Advisory" stickers, which >were IMHO totally useless, and a doomed concept from the start.) These stickers on CDs were actually very useful. Kids could spot more quickly the juicy stuff. The taste of forbidden fruit is so much better. Likewise, the "age bit" that some are talking about will be similarly useful. Minors will be unambiguously identified--no more "is she or isn't she?"--and actions taken accordingly. (Several years from now, I see a great hue and cry over the fact that the "age bit" mandated by "The Children's Internet Protection Act of 1997" will be used to deny the protection of adult-seeming personnas to children. Pedophiles and the like will find their tasks easier, and the Act's supporters will say "But that's not what we intended!!") I saw a reference to this in the archives of the Cyberia list, though I am no longer subscribed to it. Not sure who first pointed it out, but it's a valid point. --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From tcmay at got.net Wed Apr 17 16:14:57 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 07:14:57 +0800 Subject: META: Having the last word Message-ID: <ad9a7e9d02021004dfd9@[205.199.118.202]> At 3:58 PM 4/17/96, rick hoselton wrote: >I am enjoying this discussion, but I feel like I'm running out of >useful new ways to try to express this idea. If I don't reply, >it doesn't mean you have convinced me. :) I have long used this principle. All discussions have to end at some point, and I have no problems with others having "the last word." If they think that by having the last word, or by my non-response to their points, that they have "won," or that I am speechless before their eloquence, then of course they were not worth arguing with in the first place. No point in arguing with the preterite. (My neo-Calvinist stoicism showing.) Recall the recent absurdity of one of our list members repeatedly saying "I see that Joe Blow has still not responded to my arguments, so I guess he has conceded defeat! Hee Hee." The more likely explanation is that his opponent simply realized what he was dealing with. --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From abostick at netcom.com Wed Apr 17 16:22:29 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 18 Apr 1996 07:22:29 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) In-Reply-To: <Pine.SOL.3.91.960415222001.679A-100000@chivalry> Message-ID: <OJRdx8m9L0KT085yn@netcom.com> In article <Pine.SOL.3.91.960415222001.679A-100000 at chivalry>, Simon Spero <ses at tipper.oit.unc.edu> wrote: > Dash it Declan, I spent a hard day up to my eyeballs in ASN.1. When I > get home I want something cute to look at. Where are the darn ducks? > > Simon ME T00!!!!1! PUT ME ON THE L1ST111!1 SUBSCRIVE -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick From jimbell at pacifier.com Wed Apr 17 16:47:04 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 18 Apr 1996 07:47:04 +0800 Subject: A possible problem with more regulation possible? Message-ID: <m0u9bA6-0008xzC@pacifier.com> At 02:17 PM 4/16/96 EDT, E. ALLEN SMITH wrote: > This proposal would appear to increase vulnerability to regulation. > -Allen > >From: IN%"educom at elanor.oit.unc.edu" 7-APR-1996 18:42:00.83 > >>MORE ROUTERS = MORE INTERNET BROWNOUTS >>As businesses and Internet operators keep adding routers to speed electronic >>content on its way, the proliferation of routing devices actually begins to >>slow traffic, causing Internet "brownouts" -- when the response time slows >>to a crawl. The solution could be an updated Internet, redesigned for >>fewer, more powerful routers, so that data packets need fewer hops. "The >>U.S. Internet is about as reliable these days as the phone system in >>Russia," says NetStar's VP for sales and marketing. (Business Week 8 Apr 96 >>p82) I'd like to hear of some estimates of the cost (total, and per-user) of installing the system, and running Internet on a daily basis. They are spread out over a large number of entities, but I'd think they could be estimated with at least a factor-of-two precision. What are the costs of laying fiber? Switching equipment? etc. From frantz at netcom.com Wed Apr 17 17:15:33 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 18 Apr 1996 08:15:33 +0800 Subject: "STOP SENDING ME THIS SHIT" Message-ID: <199604171857.LAA14761@netcom9.netcom.com> This rash of postings reminds me of a technique to harass someone by telephone. You note that pager companies are usually assigned a block of telephone numbers. So you program your auto-dialer to dial each in turn and then send your target's number. Result: your target gets a lot of, "Why did you page me?" calls. (My collage roommate had fun in high school by dialing two "random" numbers on his two line phone and then connecting them together and listening to the result.) The analogy here is to spoof mail addresses to subscribe your target to high-volume mailing lists. If you want to attack the list as well, even better. Can someone be subscribed to cypherpunks and not get the welcome message? ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From wendigo at gti.net Wed Apr 17 17:37:27 1996 From: wendigo at gti.net (Mark Rogaski) Date: Thu, 18 Apr 1996 08:37:27 +0800 Subject: Fascist takes another bite In-Reply-To: <199604171436.HAA24624@jobe.shell.portal.com> Message-ID: <199604171914.PAA11223@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be anonymous-remailer at shell.portal.com wrote: : : Information on how to construct a similar bomb is available to anyone : around the world with Internet access. ... or US Gov't training manuals or _Still Life With Woodpecker_ by Tom Robbins. : : The sect is also believed to have been looking to procure samples of the : lethal ebola virus. Context-type: virus/lethal ??? : : About 5,000 other commuters where taken ill in the incident. : Clinton also told the news conference that in the next 20 years "every : great nation will have to face" the question of terrorist access to the : Internet. http://www.batf.gov/ anyone? - -- Mark Rogaski | Why read when you can just sit and | Member System Admin | stare at things? | Programmers Local GTI GlobalNet | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXVC+w0HmAyu61cJAQGPDQP9Euet3ZGT//9BILD0X7ZuUIYD3fraZ/Qr LSVxcBC8fnfatMxU6Xg3I6obv4cpA55lK9R/LURoi32X+rbN3hZKawTWi15tk9dX K8O7v9++d21bM0736HW8k0SEBCmqqtlGwP/dP5B1R65DPo2bL23e17bitFlPhIUK gTmAKTcz2TQ= =Mvdb -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Wed Apr 17 17:51:04 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 18 Apr 1996 08:51:04 +0800 Subject: CDA Court Challenge: Update #7 (Ducks on the Net) In-Reply-To: <OJRdx8m9L0KT085yn@netcom.com> Message-ID: <Pine.SOL.3.91.960417123757.3025D-100000@chivalry> On Wed, 17 Apr 1996, Alan Bostick wrote: > Simon Spero <ses at tipper.oit.unc.edu> wrote: > > > Dash it Declan, I spent a hard day up to my eyeballs in ASN.1. When I > > get home I want something cute to look at. Where are the darn ducks? > > > ME T00!!!!1! > PUT ME ON THE L1ST111!1 > SUBSCRIVE You need to send a message to majordomo at tree-frog.com with the body subscrive cypherducks (tree-frogs are much cuter than toads) Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From mpd at netcom.com Wed Apr 17 18:06:36 1996 From: mpd at netcom.com (Mike Duvos) Date: Thu, 18 Apr 1996 09:06:36 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <ad9a78940002100474f5@[205.199.118.202]> Message-ID: <199604171914.MAA14893@netcom3.netcom.com> tcmay at got.net (Timothy C. May) writes: > These stickers on CDs were actually very useful. Kids could > spot more quickly the juicy stuff. The taste of forbidden > fruit is so much better. > Likewise, the "age bit" that some are talking about will be > similarly useful. Minors will be unambiguously > identified--no more "is she or isn't she?"--and actions > taken accordingly. This is just another great example of the Law of Unintended Consequences. One of the nice things about the Internet is that kids can explore all sorts of subjects in the safety of their living room, providing they follow a few simple rules about not giving out personal information like their age, name, address, and phone number, and don't arrange meetings or use information they obtain without checking first with a well-clued caregiver. An "age bit" definitely qualifies as the disclosure of "personal information" about the user. > (Several years from now, I see a great hue and cry over the > fact that the "age bit" mandated by "The Children's Internet > Protection Act of 1997" will be used to deny the protection > of adult-seeming personnas to children. Pedophiles and the > like will find their tasks easier, and the Act's supporters > will say "But that's not what we intended!!") I think the "age bit" will solve a lot of problems we have now with 50 year old wankers posing as 12 year olds on pedo IRC channels. :) From Adam_Pingitore at alli.wnyric.org Wed Apr 17 18:29:36 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Thu, 18 Apr 1996 09:29:36 +0800 Subject: "STOP SENDING ME THIS SHIT" Message-ID: <9603178297.AA829764813@ccmail.wnyric.org> I've got news for you all. This 'jerk' was spammed by some ass out there. I've canceled by subscription so would you all quit whining already. Sorry if I sent you people inappropriate mail, but I just wasn't very happy getting 2000 e-mails a day. From sjb at universe.digex.net Wed Apr 17 18:54:59 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 18 Apr 1996 09:54:59 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604171526.LAA30813@jafar.sware.com> Message-ID: <199604172021.QAA01638@universe.digex.net> Jeff Barber writes: >Scott Brickner writes: >> Steve Reid writes: >> >Really, the apropriate place for content filtering is at the application >> >layer. It *could* be done at the transport layer, but that's really not >> >the place for it. >> >> Izzat so? So explain to me what the difference between the PICS type >> ratings and security classifications is. > >> Clearly the IETF believed that the network layer was an appropriate >> place for general classification when they developed IPv4. I haven't >> verified it, but I suspect that IPv6 has (or will have) an appropriate >> mechanism for indicating security classification. > >That's not at all clear. The IETF did not sit down in committee and >"develop IPv4" (thank god). And I've not seen any evidence that it was >designed with support for security labels in mind. Nevertheless, security labels *already* exist in IPv4. >Personally, I agree with Steve that, even though IP *may* be used to >propagate security options, it isn't the "right" place. > >One problem with labeling things at the transport level is that this Actually, we're talking about the network level. The transport level is where TCP and UDP reside, not IP, which has the security labels. >requires support for the labels throughout the operating system(s) on >which the "content" is generated (at least for a "real" multi-user system >with a potentially mixed adult/child user base) or through which it flows. >The operating system has to carry labels around in conjunction with each >and every process and file on the system in order that the low-level >software will be able to accurately label IP datagrams. And this OS >support is both difficult to implement and onerous to the users and >applications running on that platform -- otherwise, we'd all be running >on TCSEC B-level operating systems right now. I'm beginning to agree with the CDA supporter who claimed that "you're just trying to protect your pornography by saying it's impossible when we all know otherwise." Of course, that person really didn't know otherwise, but I do. The abstract model of the Internet network layer thinks of all transport entities as equivalent, as are all link entities. In the real world, such mixed user bases are unusual. If my scheme were implemented, service providers would probably have to segregate shell account access onto "childproof" and "adult" machines, or acquire a TCSEC B level system. Either approach works, and most would likely choose the former, since its cheaper. It's still not really that many machines. >Fundamentally, the decision boils down to whether you want the labeling >to be mandatory (as with DoD security labels) or voluntary as with PICS. I don't want the labelling to exist at all. But I note that even PICS labelling is not strictly voluntary. A content provider who fails to label adult material as "unsuitable for minors" is fully liable for legal penalties should such material be transmitted to a minor. The CDA has nothing to do with it. It's the same situation as when a bookstore sells Playboy to a minor or a liquor store sells him beer. As I outlined the scheme, network layer labels are just as "voluntary". They really are in the DoD security world, too. If you create a file in an editor, you're responsible for making sure the right classification goes on it, and *you're* going to be held accountable if the information is leaked because you put the wrong label on it. From perry at piermont.com Wed Apr 17 19:00:48 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Apr 1996 10:00:48 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <9603178297.AA829764813@ccmail.wnyric.org> Message-ID: <199604172053.QAA05596@jekyll.piermont.com> "Adam Pingitore" writes: > I've got news for you all. This 'jerk' was spammed by some > ass out there. I've canceled by subscription so would you > all quit whining already. Sorry if I sent you people > inappropriate mail, but I just wasn't very happy getting > 2000 e-mails a day. Remedial english composition courses are available at virtually all community colleges, and are a great help in making yourself understood in writing. From droelke at rdxsunhost.aud.alcatel.com Wed Apr 17 19:16:29 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Thu, 18 Apr 1996 10:16:29 +0800 Subject: i want off Message-ID: <9604172011.AA11295@spirit.aud.alcatel.com> > > > can someone help me off this mailing list > > Mathew Ellman > > (DEAL WITH IT) > > 15 N WASHINGTON ST APT 1 > > VALPARAISO IN 46383 > > Smooth move. You just published your home address to about 1000 people, > all of whom are suspected of being involved in a nation-wide moon pie > theft clique. Expect weirdness. Ignore the knocks on your door late at > night. Do not feed or water the on-going Cypherpunks meeting and party > that is about to manifest itself in your front yard. If you do, they'll > never go away. > > [...] Check out http://catalog.savvy.com/ for added juvenile fun with this person. ;-) Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From jimbell at pacifier.com Wed Apr 17 19:24:23 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 18 Apr 1996 10:24:23 +0800 Subject: Bernstein case decisision (fwd) Message-ID: <m0u9eAs-00092WC@pacifier.com> At 12:00 PM 4/17/96 -0400, Michael Froomkin wrote: >reposted with permission. > >A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) >---------- Forwarded message ---------- >Date: Wed, 17 Apr 1996 05:23:47 -0400 >>From: Mike Godwin <mnemonic at well.com> >The following summary is from my colleague Shari Steele: > >What Judge Patel said. >First, the judge ruled that Bernstein could bring his case even though the >Arms Export Control Act specifically precludes judicial review, because what >we are asking the judge to review (i.e., the constitutionality of the >statute and its regulations) was not what had been precluded (i.e., the >government's determination in a particular instance whether or not something >was exportable). "With respect to constitutional questions, the judicial >branch not only possesses the requisite expertise to adjudicate these >issues, it is also the best and final interpreter of them." [stuff deleted] >The judge, therefore, did not throw out any of our claims (the ITAR acts as >a prior restraint on speech, the ITAR is overbroad, and the ITAR is vague). >She looked at each of them one by one and determined that each of them had >merit. > >What this decision means. >Most directly, it means that we can continue on with our lawsuit. The >government had brought a motion to dismiss the case, contending that the >court lacked jurisdiction to hear this matter because it was a matter of >national security. The judge struck that down and said that we can go >forward with our suit. > >More indirectly, the judge's ruling sets the stage for us winning at trial. >She clearly "gets it," and isn't intimidated by the government's use of >precedential cases that aren't on point. It looks like this judge is well on her way to throwing out the portion of ITAR which deals with software of all kinds, not merely digitized source code originally from books. That's progress, of a sort. I'm still waiting to see what that "Burns bill" will be all about. Since that bill is supposed to deal directly with the issues this judge has already shown sense on, I think that this bill ought to be no less generous with computer software exports than an anticipated court decision WRT ITAR will be. Jim Bell jimbell at pacifier.com From wendigo at gti.net Wed Apr 17 19:35:28 1996 From: wendigo at gti.net (Mark Rogaski) Date: Thu, 18 Apr 1996 10:35:28 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604171558.IAA02972@toad.com> Message-ID: <199604172037.QAA17212@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be rick hoselton wrote: : : Another example: What if I selected a nonsense passphrase, : "Dagmar shaved Howard's cocker spaniel" Not great, but adequate for my needs. : If, by some wild coindence, a book by that title became a best seller, I would : change my passphrase. A cryptanalyst who knew that was my feeling could : simplify : his cracking by not bothering to search for best selling book titles. On : the other : hand, a cryptanalyst who was not so convinced of my paranoia, and who DID check : book titles, would not find my passphrase. I assume that BOTH philosophies : would be used in a serious attack. When I do the math, it says that, assuming : BOTH types of attack are done, it is better to have a passphrase that is not : the title of a book. By the same token, if an admin runs crack on /etc/passwd to weed out poor passwords isn't going to be faulted for reducing the key space for user's passwords. The question is, how much of the keyspace should be eliminated as "obviously a poor choice"? Also, how much of this falls under "security through obscurity"? If an attacker knows what you omit .. his/her job is a bit easier. Is it possible to find a percentage of the key space to eliminate that will optimize security assuming that the attacker will try the easy stuff first (and is it possible to quantify "easy stuff")? - -- Mark Rogaski | Why read when you can just sit and | Member System Admin | stare at things? | Programmers Local GTI GlobalNet | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXVWfQ0HmAyu61cJAQHltwP8Coe0i13a7NtFRYlCBdt1AEVEbz9jQhLp 6WPqGc80ETo8knHZAPVFP6ae1MmHYfbWhOY0y7I/Cv4kN8Smmu6mwIeYsuPRjCl9 ODK6qDUX1CcQX74t4ZvkTL2Umsnvwchvl1wHnaINGtud9C6nVREf34880vmJsYrl 5vsRJ1wo5Ng= =zY9A -----END PGP SIGNATURE----- From blancw at microsoft.com Wed Apr 17 19:37:31 1996 From: blancw at microsoft.com (Blanc Weber) Date: Thu, 18 Apr 1996 10:37:31 +0800 Subject: "STOP SENDING ME THIS SHIT" Message-ID: <c=US%a=_%p=msft%l=RED-81-MSG-960417212313Z-12717@red-06-imc.itg.microsoft.com> >From: Perry E. Metzger > >Remedial english composition courses are available at virtually all >community colleges, and are a great help in making yourself understood >in writing. ....................................................................... Suvcrivers, Look Out - Perry is on a roll!!! (as he smiles quietly to himself.........) .. Blanc > From lzirko at isdn.net Wed Apr 17 19:43:40 1996 From: lzirko at isdn.net (Lou Zirko) Date: Thu, 18 Apr 1996 10:43:40 +0800 Subject: Fw: CWD-Pool Cool Message-ID: <199604172138.QAA22793@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Thought some of you might enjoy this. I sure some of you have already read it, and if so, sorry for the excess noise. - -----Begin Included Message ----- Date: Wed, 17 Apr 1996 05:34:40 -0700 From: "Brock N. Meeks" <brock at well.com> To: cwd-l at cyberwerks.com Cc: CyberWire Dispatch // Copyright (c) 1996 // Note: This is a re-issue of Dispatch. An earlier attempt to send to the CWD list was tanked by a glitch in the software. You may have seen this as reposted from another Newsgroup. If so, disregard and accept our apologies for the redundency; however, lots of CWD list subscribers have asked for this reposting and we are compl=07=01=D46=82 -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMXVkqRKvccEAmlQ9AQHihwf7BItG4dpM564IQAUtbaQzFfjkJcfLvnrn 4OVJ98LgWEKa1mjqU728hp4g32lBfjYqcHC1Teh1vs4KTWSSM+Oz9fHA6NUNrgdX MgZkNqSqOx7J+QRfssIb9GgBoh/WA51cjU3r6LZcI4vviuTBx/+tBXkvmpDs3txS DJYKejwwKorOc3rq0Ro3BrSRDcC2aQdgkyetOwDA26uSC0tqp0OX2FLGi7XTmmqX mdE5gIs+OflImRBV23L+bTGy47C5qOQ5MaqYiSw5ka7360O1g5PHXZ/yCguyHCwd Dnx2hr4L7PbHi91Dg0EdYHUhyhRH9CFAm9xJ4Few5znrqI6kCqKAiw== =AcaM -----END PGP SIGNATURE----- From ssalgaller at CCGATE.HAC.COM Wed Apr 17 19:53:09 1996 From: ssalgaller at CCGATE.HAC.COM (ssalgaller at CCGATE.HAC.COM) Date: Thu, 18 Apr 1996 10:53:09 +0800 Subject: Oklahoma City - One Year Later - The Coverup Continues ! Message-ID: <9603178297.AA829776269@CCGATE.HAC.COM> Suggested Reading: Oklahoma City - The Suppressed Truth By Jon Rappoport Blue Ocean Press 2633 Lincoln Blvd., Suite #256 Santa Monica, CA 90405 (213) 243-9005 copyright 1995 $12 (post paid) At 9:02 AM on April 19, 1995, the Murrah Federal Building in Oklahoma City was damaged in an explosion that also left 168 dead and 600 injured. If you look closer at this case, as investigative reporter Jon Rappoport has, you start asking some questions about the "official' story: The damage was supposedly caused when thousands of pounds of a fuel oil and fertilizer mixture was ignited in a truck parked near the building. Talk about "oil and water never mixing". This mixture would have to be either stirred or mixed just before use. It would also have to be detonated without any air spaces, such as the gaps between the fuel drums, in order to work. Even if the mixture detonated, it should leave traces of oil. none was found. Even if it detonated perfectly, the explosion was 3 times too weak to damage the building's reinforced concrete support columns. Especially column "B3". This column was sheared off at the 3rd floor level. Only a shaped charge placed directly on the column at that level would be able to cause this to happen. That section of the column was cut out and removed as evidence. Will we ever see it again at the trial ? Local seismometers noted *two* explosions, 10 seconds apart. This was "explained away" as reflections of the explosion by underlying rock strata. Ask a geologist if this sort of time delay has ever been observed before you decide if someone is "underlying". What ever happened to "John Doe #2", seen with Tim Mc Veigh that morning ? What happened to John Doe's #3 and #4, seen leaving the area soon after the explosion? Speaking of Tim, why (if the official story is true) did he advise the officer who stopped him that he had a concealed weapon ? Supposedly, he just killed 168 people, including 19 children. What's one more if it means he could get away ? And what about Terry Nichols ? He was advocating killing Federal employees at a public meeting in Estes, CO a year before the bombing. The FBI is very efficient, yet no one seems to have paid any attention to Terry to prevent loss of life. What about the reported financial links to the bombing, not from right wing causes, but from the Brittish Government ? Finally, what happens if and when the truth comes out in open court at Tim and Terry's trial ? One could guess that the real suppressed story will be one more casualty of the bombing. Unless we demand that someone explains column "B3". It *can* happen here - and it *did* a year ago ! Book "review" by Stephen S. salgaller at aol.com From ddt at lsd.com Wed Apr 17 19:55:05 1996 From: ddt at lsd.com (Dave Del Toasto) Date: Thu, 18 Apr 1996 10:55:05 +0800 Subject: [NOISE] Toast Fishing in America Message-ID: <v03006320ad9b009da98c@[192.187.167.52]> [from "If _____ Made Toasters" ...my edits] If The Rand Corporation made toasters... They would be large, perfectly smooth, seamless black cubes. Each morning, exactly as much toast as you could eat would appear on top of your toaster. Their service department would have an unlisted phone number and the cube's blueprints would be highly-classified government documents, but the "X-Files" would have an episode with a partially disassembled toaster remarkably similar to it visible in the background. If the NSA made toasters... Your toaster would have a secret crumb-door on the back that only the NSA could open in case they needed to inspect your toast for breakfasts of a national security nature. From gnu at toad.com Wed Apr 17 20:18:42 1996 From: gnu at toad.com (John Gilmore) Date: Thu, 18 Apr 1996 11:18:42 +0800 Subject: EFF/Bernstein Press Release Message-ID: <199604172154.OAA06645@toad.com> FEDERAL COURT DENIES GOVERNMENT'S MOTION TO DISMISS BERNSTEIN CASE, ACKNOWLEDGES SOURCE CODE AS SPEECH April 17, 1996 Electronic Frontier Foundation Contacts: Shari Steele, Staff Counsel 301/375-8856, ssteele at eff.org Lori Fena, Executive Director 415/436-9333, lori at eff.org Denying the government's motion for dismissal in mathematician Daniel Bernstein's suit against the State Department, Judge Marilyn Patel in the Northern District of California ruled Monday that source code in Bernstein's cryptographic algorithm, "Snuffle," is speech that is protected from prior restraint by the First Amendment. LANDMARK RULING This is the first time a U.S. court has ruled that source code is speech under First Amendment analysis. Previously, courts have held that software is speech for copyright law only. The decision states in part: "This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French....Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it....Thus, even if Snuffle source code, which is easily compiled into object code for the computer to read and easily used for encryption, is essentially functional, that does not remove it from the realm of speech....For the purposes of First Amendment analysis, this court finds that source code is speech." (The full text of the decision can be found at http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/Decision_041596/) Judge Patel's acknowledgment that source code enjoys Constitutional protection has implications that reach far beyond cases involving the export of cryptography. The decision holds importance to the future of secure electronic commerce and lays the groundwork needed to expand First Amendment protection to electronic communication. Because of its far-reaching implications, the Bernstein case is being watched closely not only by privacy advocates, but by the entire computer industry, the export and cryptography communities and First Amendment advocates. CASE WILL PROCEED The decision allows Bernstein to continue with his lawsuit that the International Traffic in Arms Regulation (ITAR) acts as a prior restraint on speech and that the ITAR is overbroad and vague. EFF is very pleased with Judge Patel's ruling and believes that it bodes well for Bernstein's ultimate success in trial, which is now scheduled to proceed with the normal pre-trial and trial sequence of events. The court drew an important distinction between the Bernstein case and other cases involving export controls on cryptography. The government has cited several cases involving the Export Administration Act as reasons why the Bernstein case should be dismissed. Judge Patel recognized that the Constitutional questions being raised by Bernstein differ significantly from the policy questions raised in the cases introduced by the government. Judge Patel also ruled that Bernstein could bring his case even though the Arms Export Control Act specifically precludes judicial review, because what Bernstein is asking the court to review (i.e., the constitutionality of the statute and its regulations) was not what had been precluded (i.e., the government's determination in a particular instance whether or not something was exportable). "With respect to constitutional questions, the judicial branch not only possesses the requisite expertise to adjudicate these issues, it is also the best and final interpreter of them." CASE BACKGROUND As part of her decision, Judge Patel determined that only the source code was at issue in the case, not Bernstein's academic paper describing the source code. Bernstein tried to get the government to rule separately on the paper and the code back in 1993 by filing separate commodity jurisdiction requests. The State Department merged the requests and rejected them all. On June 29, 1995, after Bernstein and EFF filed suit, the government sent Bernstein a letter saying that the paper could be published and never had been forbidden. While Judge Patel claimed that the issue of the paper now appeared to be moot, she commented, "It is disquieting than an item defendants now contend could not be subject to regulation was apparently categorized as a defense article and subject to licensing for nearly two years, and was only reclassified after plaintiff initiated this action." THE ELECTRONIC FRONTIER FOUNDATION EFF, a non-profit civil liberties organization working in the public interest to protect privacy, free expression, and access to online resources and information, is a primary sponsor of the Bernstein case. EFF helped to find Bernstein pro bono legal counsel, is a member of the Bernstein legal team, and organized amicus briefs from members of the academic community and computer industry to support this case. ### From dsmith at midwest.net Wed Apr 17 20:23:10 1996 From: dsmith at midwest.net (David E. Smith) Date: Thu, 18 Apr 1996 11:23:10 +0800 Subject: on corporations and subpoenas Message-ID: <199604172214.RAA14200@cdale1.midwest.net> Perry Metzger wrote... > "Adam Pingitore" writes: > > Um, well, then I'm going to have to spam your ass. > > Not a finger raised. I will do nothing whatsoever to take you off this > mailing list. > > Have fun. > Oooh, oooh, can I have some Spam (TM) too? From alex at crawfish.suba.com Wed Apr 17 20:41:35 1996 From: alex at crawfish.suba.com (Alex Strasheim) Date: Thu, 18 Apr 1996 11:41:35 +0800 Subject: java crypto packages Message-ID: <199604172310.SAA00571@crawfish.suba.com> The last time I looked, the coderpunks were talking about java crypto packages. Can anyone on that list tell me if any code has been made available? Unfortunately the archive is dead... From lpease at netcom.com Wed Apr 17 20:44:34 1996 From: lpease at netcom.com (Lisa Pease) Date: Thu, 18 Apr 1996 11:44:34 +0800 Subject: Oklahoma City - One Year Later - The Coverup Continues ! In-Reply-To: <9603178297.AA829776269@CCGATE.HAC.COM> Message-ID: <Pine.3.89.9604171551.A25609-0100000@netcom14> And don't forget, if you haven't already - to read Rappoport's interview with an ex-juror from the OKC Bombing case, on my website (url below.) Lisa Pease ==================================================================== One person, one vote. Not one dollar, one vote. End private government. Ban corporate donations. Check out the Real History Archives http://www.webcom.com/lpease Read Contemporary Real History at http://www.webcom.com/ctka On Wed, 17 Apr 1996 ssalgaller at CCGATE.HAC.COM wrote: > Suggested Reading: > > Oklahoma City - The Suppressed Truth > By Jon Rappoport > Blue Ocean Press > 2633 Lincoln Blvd., Suite #256 > Santa Monica, CA 90405 > (213) 243-9005 > copyright 1995 > $12 (post paid) > > At 9:02 AM on April 19, 1995, the Murrah Federal Building in Oklahoma > City > was damaged in an explosion that also left 168 dead and 600 injured. > If you > look closer at this case, as investigative reporter Jon Rappoport has, > you > start asking some questions about the "official' story: > > The damage was supposedly caused when thousands of pounds of a fuel > oil and > fertilizer mixture was ignited in a truck parked near the building. > Talk > about "oil and water never mixing". This mixture would have to be > either > stirred or mixed just before use. It would also have to be detonated > without > any air spaces, such as the gaps between the fuel drums, in order to > work. > > Even if the mixture detonated, it should leave traces of oil. none was > found. > > Even if it detonated perfectly, the explosion was 3 times too weak to > damage > the building's reinforced concrete support columns. > > Especially column "B3". This column was sheared off at the 3rd floor > level. > Only a shaped charge placed directly on the column at that level would > be > able to cause this to happen. That section of the column was cut out > and > removed as evidence. Will we ever see it again at the trial ? > > Local seismometers noted *two* explosions, 10 seconds apart. This was > "explained away" as reflections of the explosion by underlying rock > strata. > Ask a geologist if this sort of time delay has ever been observed > before you > decide if someone is "underlying". > > What ever happened to "John Doe #2", seen with Tim Mc Veigh that > morning ? > > What happened to John Doe's #3 and #4, seen leaving the area soon > after the > explosion? > > Speaking of Tim, why (if the official story is true) did he advise the > officer who stopped him that he had a concealed weapon ? Supposedly, > he just > killed 168 people, including 19 children. What's one more if it means > he > could get away ? > > And what about Terry Nichols ? > He was advocating killing Federal employees at a public meeting in > Estes, CO > a year before the bombing. The FBI is very efficient, yet no one seems > to > have paid any attention to Terry to prevent loss of life. > > What about the reported financial links to the bombing, not from right > wing > causes, but from the Brittish Government ? > > Finally, what happens if and when the truth comes out in open court at > Tim > and Terry's trial ? One could guess that the real suppressed story > will be > one more casualty of the bombing. > > Unless we demand that someone explains column "B3". > > It *can* happen here - and it *did* a year ago ! > > Book "review" by > Stephen S. > salgaller at aol.com > > From ericande at cnw.com Wed Apr 17 21:10:18 1996 From: ericande at cnw.com (Eric Anderson) Date: Thu, 18 Apr 1996 12:10:18 +0800 Subject: Anonymous Remailer threat: Scientologists may subpoena anonymous remailer records? Message-ID: <01BB2BAC.D6DD0980@king1-18.cnw.com> ---------- "Scamizdat" has never used anon.penet.fi, and his (their?) identity is still unknown. >>If A.R.S. is archived by one of those services, than all of those Scamidat postings are still available. Or is the CO$ going to sue them too? Can they retrieve any data from the cypherpunk/mixmaster remailers? From tcmay at got.net Wed Apr 17 22:10:12 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 13:10:12 +0800 Subject: COQ_tal--comment Message-ID: <ad9a7b1f010210040dc6@[205.199.118.202]> At 3:59 PM 4/17/96, Matt Thomlinson wrote: >damn, that's the second time I've done that this week! dang 'R' key.. > >apologies, > >mattt By the way, Matt, thanks for mentioning this on the list. As this was the second time I'd seen this, I was about to send you a short note mentioning that your requests to John's bot were also going to the list (in case you didn't know). I suspect at least 5 or maybe 10 others were thinking about doing the same thing. So, your acknowledgement helps. (This is the same reason I think most replies ought to be public, as this one will be: it signals others that a reply has been made. Standard game theory arguments.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From merriman at arn.net Wed Apr 17 22:26:43 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 18 Apr 1996 13:26:43 +0800 Subject: [NOISE] Toast Fishing in America Message-ID: <2.2.32.19960417111001.0068736c@arn.net> At 01:30 PM 04/17/96 -0700, Dave Del Toasto <ddt at lsd.com> wrote: >[from "If _____ Made Toasters" ...my edits] > > If The Rand Corporation made toasters... > They would be large, perfectly smooth, seamless black cubes. > Each morning, exactly as much toast as you could eat would > appear on top of your toaster. Their service department would > have an unlisted phone number and the cube's blueprints would > be highly-classified government documents, but the "X-Files" > would have an episode with a partially disassembled toaster > remarkably similar to it visible in the background. > > If the NSA made toasters... > Your toaster would have a secret crumb-door on the back that > only the NSA could open in case they needed to inspect your > toast for breakfasts of a national security nature. > If RSA made toasters... They'd tell you the price *only* after finding out how much toast you wanted to make and how badly you wanted the toast; then they'd insist on you making a piece of toast for them every time you used the toaster. If cypherpunks made toasters... Jim B and Black Unicorn would argue about whether toast should be buttered, and what the appropriate flavor of jam/jelly should be; TC May would point out that it wasn't really toast, but rather, sliced and slightly-burned bread; Perry would kvetch about the lack of crypto-relevance of toasters; and a few others would form a new listserver for toasterpunks. The service department would be flooded with calls from newbies, asking how to make toast. If Netscape made toasters... They'd beta-test the toasters for months, then make one slot too wide and the other too narrow. It wouldn't be until a cook in a diner pointed out that the toast wasn't coming out right that they'd have their design reviewed by a 3rd-party Toaster Engineer. If Microsoft made toasters... They'd put the slots on the side, the actuator on top, make the cord too short, and design it to only run properly on 177V, 41Hz. Then they'd declare the toaster to be the new industry standard. Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From rah at shipwright.com Wed Apr 17 22:37:27 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 18 Apr 1996 13:37:27 +0800 Subject: on corporations and subpoenas Message-ID: <v02120d01ad9b43b87f69@[199.0.65.105]> At 9:42 AM 4/17/96, Adam Pingitore wrote: > Um, well, then I'm going to have to spam your ass. Your metaphor escapes me... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From tcmay at got.net Wed Apr 17 22:38:16 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 13:38:16 +0800 Subject: LolitaWatch Message-ID: <ad9ae3ef05021004ae11@[205.199.118.202]> Sunnyvale, CA. Nubility, Inc. is pleased to announce the availability of "LolitaWatch," a filter program for the Web and Net which alerts users about the presence of nubile, young teens (and even younger!). LolitaWatch operates by checking the federally-mandated "age bit." No longer will you be frustrated in trying to contact that 12-year-old girl, only to eventually learn she's a 44-year-old male playing mind games. The President of Nubility, Pete Ofeil, said "Hey, the government says that they have to wear a sign announcing their age...all we're doing is offering a service to our customers." (There is still the problem that the girl may be a boy, or vice versa, depending on your preferences, but this is likely to be solved as the "Fairness to Women and Other People of Color Protection Act," which mandates that a "gender bit" be set.) "LolitaWatch allows me to cut quickly to the chase, screening out the hags," says Roy G. Biv, appreciator of young girls. "I've even rigged up my copy of LolitaWatch to automatically alert me when one of these nubile young things enters an IRC chat room!," he added with a sly grin. LolitaWatch is available immediately for Windows and Macintosh. No Unix version is planned because Unix users are, well, unix. From leslie at koalas.com Wed Apr 17 23:04:06 1996 From: leslie at koalas.com (Leslie Farnsworth) Date: Thu, 18 Apr 1996 14:04:06 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <Pine.BSI.3.91.960417083229.17657A-100000@wichita.fn.net> Message-ID: <Pine.LNX.3.91.960417180811.3310E-100000@koalas.com> take me of your emailing list From roger at coelacanth.com Wed Apr 17 23:07:23 1996 From: roger at coelacanth.com (Roger Williams) Date: Thu, 18 Apr 1996 14:07:23 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <Pine.SUN.3.91.960417042451.14115A-100000@polaris.mindport.net> Message-ID: <9604180127.AA1750@sturgeon.coelacanth.com> >>>>> "Uni" == Black Unicorn <unicorn at schloss.li> writes: > I think the "clueless" mailing list is a must at this point. Here you go (*all* the instructions you need)--- ---------------------------------------------------------------------- Return-Path: <listserv-manager at ucsd.edu> Date: Wed, 17 Apr 1996 18:21:28 -0700 From: Listserv at ucsd.edu (Mailing List Processor) To: foo at coelacanth.com Subject: Re: your LISTSERV request "subscribe clueless" X-Loop: Listserv at UCSD.EDU Welcome to the Clueless Users Network Test System, an intelligence test for the ignorant and impolite. You have been automatically added to this mailing list because you sent a subscription request like "UNSUB ME" out to the entire readership of a mailing list, instead of sending it to the list server or list maintainer. There is nobody of worth reading this mailing list. The only way you can become unsubscribed is to figure out the standard way of unsubscribing from an Internet mailing list. Until that time, you will get these messages regularly. If you made an innocent mistake in sending your "UNSUB ME" out to the entire list, then you will know how to unsubscribe from this list immediately and no harm will be done. If, on the other hand, you simply have no clue how to deal with mailing lists, you'd better start reading up on the subject before you go blundering around again. Your attention is cordially drawn to the newsgroups news.announce.newusers, news.newusers.questions, and news.answers. Final hint: the mailing list address is clueless at ucsd.edu Have fun. ---------------------------------------------------------------------- Return-Path: <listserv-manager at ucsd.edu> Date: Wed, 17 Apr 1996 18:21:21 -0700 From: Listserv at ucsd.edu (Mailing List Processor) To: foo at coelacanth.com Subject: Re: your LISTSERV request "subscribe clueless" X-Loop: Listserv at UCSD.EDU Per your request "subscribe clueless" 'foo at coelacanth.com' was ADDED to the 'clueless' mailing list. To remove yourself from this list, send the command 'unsub foo at coelacanth.com clueless' to clueless-request at ucsd.edu or listserv at ucsd.edu. Listserv problems requiring human intervention should be addressed to clueless-relay at ucsd.edu. ---------------------------------------------------------------------- Return-Path: <listserv-manager at ucsd.edu> Date: Wed, 17 Apr 1996 18:21:00 -0700 From: Listserv at ucsd.edu (Mailing List Processor) To: foo at coelacanth.com Subject: Re: your LISTSERV request "subscribe clueless foo bar" X-Loop: Listserv at UCSD.EDU You may subscribe or unsubscribe to any of the various campus mailing lists and the local redistributions of global mailing lists by sending email to "listserv at ucsd". The commands understood by the listserver program are: HELP lists this file. This is also sent whenever a message to listserv is received from which no valid command could be parsed. HELP listname lists a brief description of the maillist requested. INDEX lists all the maillists available for subscription. LONGINDEX lists all the maillists and their descriptions. ADD listname DELETE listname ADD address listname DELETE address listname adds or deletes the given address to or from the list specified. Mail is sent to the address given to confirm the add or delete operation. For on-campus users, we strongly recommend that you use your campus registered mailname when subscribing (i.e., use the second form of the command which includes a specification of the address). If you omit the 'address', the command will assume the mailbox that is in the From: line of the message. Note that SUBSCRIBE is a synonym for ADD; UNSUBSCRIBE for DELETE. DELETE-ALL UNSUBSCRIBE-ALL DELETE-ALL address UNSUBSCRIBE-ALL address unsubscribes given address from all mailing lists. Mail is sent the address given to confirm the deletions. If you omit the 'address' the command will assume the mailbox that is in the From: line of the message. LIST LIST address lists all mailing lists to which the given address is subscribed. If you omit the 'address' the command will assume the mailbox is in the from line. FAQ FAQ listname sends a list of "Frequently Asked Questions" for the appropriate mailing list. The command "FAQ" by itself sends an index of available FAQ's. A command must be the first word on each line in the message. Lines which do not start with a command word are ignored. If no commands were found in the entire message, this help file will be returned to the user. A single message may contain multiple commands; a separate response will be sent for each. Please note that it IS possible to add or delete someone else's subscription to a mailing list. This facility is provided so that subscribers may alter their own subscriptions from a new or different computer account. There is therefore some potential for abuse; we have chosen to limit this by mailing a confirmation notification of any addition or deletion to the address added or deleted including a copy of the message which requested the operation. At least you can find out who's doing it to you. Examples: add sunusers add ewombat foodlovers delete wombat at cyberpunk.ucsd.edu connectionists help eggbeaters Note that although you would mail submissions to a campus mailing list by addressing mail to e.g., sunusers at ucsd.edu. In a subscription request you specify the name of the list simply (without the @ucsd part) as in the first example above. -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From leslie at koalas.com Wed Apr 17 23:15:27 1996 From: leslie at koalas.com (Leslie Farnsworth) Date: Thu, 18 Apr 1996 14:15:27 +0800 Subject: What's the "Human Interaction Institute" at CMU For ??? In-Reply-To: <199604171319.GAA01301@toad.com> Message-ID: <Pine.LNX.3.91.960417180722.3310D-100000@koalas.com> please take me off your emailing list From cmca at alpha.c2.org Wed Apr 17 23:25:08 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Thu, 18 Apr 1996 14:25:08 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604171641.JAA26692@atropos.c2.org> Message-ID: <199604180232.TAA17738@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: sameer at c2.org] [cc: cypherpunks at toad.com] [Subject: Re: "STOP SENDING ME THIS SHIT" ] [In-reply-to: Your message of Wed, 17 Apr 96 09:41:05 MST.] <199604171641.JAA26692 at atropos.c2.org> Sameer helpfully wrote: >TCM: >> I think the "clueless" mailing list is a must at this point. > clueless at c2.org/majordomo at c2.org > subscribe idiots as necessary. Well, I suggested it, but in any case I'm glad to see that it has been created! Thanks to Sameer for yet another innovative network service... I'll watch it occasionally and post summaries? Chris McAuliffe <cmca at alpha.c2.org> (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMXWfUYHskC9sh/+lAQFClQQAq3L3D0nIlK0QN3Dqy1KhmbzQrSpChWRM GJg0hoDRBshn/FYYQqGzuddZfeNGfqqzpW5xqxhvl4VXl1nKopvrsMncr3EoYez8 Lwe8jhFz8M/opBssDhA6Nzq/z4E9HjqGICUqUvk5VnkNVDesGkW6pMzLyO9JUDlZ owPxntrJ/sc= =6vEv -----END PGP SIGNATURE----- From foodie at netcom.com Wed Apr 17 23:29:50 1996 From: foodie at netcom.com (Jamie Lawrence) Date: Thu, 18 Apr 1996 14:29:50 +0800 Subject: COQ_tal Message-ID: <v02140b02ad9b10a39d5c@[10.0.2.15]> -- Jamie foodie at netcom.com ________________________________________________________________ Our cat is a dog. From jpb at miamisci.org Wed Apr 17 23:34:35 1996 From: jpb at miamisci.org (Joe Block) Date: Thu, 18 Apr 1996 14:34:35 +0800 Subject: on corporations and subpoenas Message-ID: <v02130524ad9b57387f8e@[192.168.69.70]> re: > GET ME OFF THE DAMN LIST Read the damn directions you got when you signed on. You know, that first message that told you to save the damn message in case you ever wanted to sign off the list in the future. Your cluelessness does not create any obligation in me to fix your problem. Perhaps if you were a little less rude someone might be inspired to give you useful information. Joseph Block <jpb at miamisci.org> "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From remailer at 2005.bart.nl Wed Apr 17 23:45:13 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Thu, 18 Apr 1996 14:45:13 +0800 Subject: cluelessness Message-ID: <199604180304.FAA10866@spoof.bart.nl> On Wed, 17 Apr 1996 sameer at c2.org wrote: > > > > I think the "clueless" mailing list is a must at this point. > > clueless at c2.org/majordomo at c2.org > > subscribe idiots as necessary. is this the original clueless list or a new one just created? From perry at piermont.com Wed Apr 17 23:57:48 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Apr 1996 14:57:48 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604172256.SAA09641@universe.digex.net> Message-ID: <199604180335.XAA05998@jekyll.piermont.com> Scott Brickner writes: > "Perry E. Metzger" writes: > >> In the context of "fair coin flips" the text of Hamlet is NOT compressible From perry at piermont.com Thu Apr 18 00:03:21 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 18 Apr 1996 15:03:21 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research In-Reply-To: <Pine.LNX.3.91.960417180811.3310E-100000@koalas.com> Message-ID: <199604180356.XAA06056@jekyll.piermont.com> Leslie Farnsworth writes: > take me of your emailing list I will do nothing to take you off this mailing list. From ddt at lsd.com Thu Apr 18 00:09:16 1996 From: ddt at lsd.com (Dave Del Torto) Date: Thu, 18 Apr 1996 15:09:16 +0800 Subject: LolitaWatch v1.1 Message-ID: <v03006607ad9b5e4aabab@[192.187.167.52]> [ Newt Gingrich and his ilk being the mensches they are, I expect v2.0 may ] [ add support for the "Jew," "Nigger," "Kike," "Fag," "Nerd" and "Wop" bits ] [ -dave ] Date: Wed, 17 Apr 1996 18:55:42 -0700 To: cypherpunks at toad.com From: tcmay at got.net (Timothy C. May) Subject: LolitaWatch Sunnyvale, CA. Nubility, Inc. is pleased to announce the availability of "LolitaWatch," a filter program for the Web and Net which alerts users about the presence of nubile, young teens (and even younger!). LolitaWatch operates by checking the federally-mandated "age bit." No longer will you be frustrated in trying to contact that 12-year-old girl, only to eventually learn she's a 44-year-old male playing mind games. The President of Nubility, Pete Ofeil, said "Hey, the government says that they have to wear a sign announcing their age...all we're doing is offering a service to our customers." (There is still the problem that the girl may be a boy, or vice versa, depending on your preferences, but this is likely to be solved as the "Fairness to Women and Other People of Color Protection Act," which mandates that a "gender bit" be set.) "LolitaWatch allows me to cut quickly to the chase, screening out the hags," says Roy G. Biv, appreciator of young girls. "I've even rigged up my copy of LolitaWatch to automatically alert me when one of these nubile young things enters an IRC chat room!," he added with a sly grin. LolitaWatch is available immediately for Windows and Macintosh. No Unix version is planned because Unix users are, well, unix. From tcmay at got.net Thu Apr 18 00:16:46 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 18 Apr 1996 15:16:46 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? Message-ID: <ad9b0ca80f0210043f65@[205.199.118.202]> At 1:08 AM 4/18/96, Leslie Farnsworth wrote: >take me of your emailing list She (or he) can't even spell "off." This clown also sent me the same message privately, so anything done to her or him is only fair.. The Cypherpunks Death Penalty? --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From secret at secret.alias.net Thu Apr 18 00:32:55 1996 From: secret at secret.alias.net (K00l Secrets) Date: Thu, 18 Apr 1996 15:32:55 +0800 Subject: CDA Court Challenges Message-ID: <199604172315.SAA12354@paulsdesk.phoenix.net> Are Declan's CDA reports numbers 1 and 2 available anywhere? I seemed to have missed them on the mailing list, and the web site also starts at 3. Thanks. From sjb at universe.digex.net Thu Apr 18 00:42:45 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 18 Apr 1996 15:42:45 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604162134.RAA15579@jekyll.piermont.com> Message-ID: <199604172256.SAA09641@universe.digex.net> "Perry E. Metzger" writes: >> In the context of "fair coin flips" the text of Hamlet is NOT compressible. > >Huh? > >There is only one context in which things are compressable or not -- >is there a smaller representation for them. Then I propose the following compression algorithm to compress your "random" one-time pad of 2 million bits with value k. The algorithm will decompress the input bit "1" to k, and decompress the input bit "0" to the bit-string "10101010". Therefore your "random" pad is compressible to exactly one bit, and is not "random" as you supposed. "Smaller representation" indeed. The decompression *algorithm* must be accounted for in the "representation" of the compressed text, otherwise an arbitrary amount of information may be stored in the algorithm itself. Hamming codes offer a way to compress any bit stream. They move whatever patterns they can find in independent 8-bit segments into the coding alphabet, and replace them with shorter strings. If you don't save the alphabet, you can't decompress the stream, and have lost information that was originally in the stream. If an OTP generator accidentally chooses "Hamlet", big deal. As long as your opponent believes that you have a good OTP generator he has no reason to try "Hamlet" before any other pad, so Hamlet's compressibility as english text is irrelevant. From llurch at networking.stanford.edu Thu Apr 18 00:43:20 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 18 Apr 1996 15:43:20 +0800 Subject: ILF, SAC chapter [was Yadda Yadda Re: Oklahoma City- One Year Later] In-Reply-To: <9603178297.AA829776269@CCGATE.HAC.COM> Message-ID: <Pine.ULT.3.92.960417154149.2026E-100000@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- On Wed, 17 Apr 1996 ssalgaller at CCGATE.HAC.COM spammed: > Suggested Reading: [...] > copyright 1995 > $12 (post paid) Wrong. Information longs to be FREE. You don't need to pay money for right-wing paranoid rants anymore. You can now get this title, and many other random wacko publications, for postal and duplication costs only from the copyright terrorists of the Sub-Aryan Corps, in loose cooperation with Not_By_Me_Not_My_Views Publishing. I believe the referenced piece goes for $2.25. Send cleartext inquiries and offers to The Hare <hare at alias.alias.net>. Please note that Hare cannot accept messages larger than 32K. For a partial listing of materials available from the SAC/NP, send $2 to National Vanguard Books, PO Box 330, Hillsboro WV 24946. All materials in the National Vanguard Catalog are immediately available from SAC/NP for 75% off the price quoted by National Vanguard Books. SAC/CP charges no sales tax. Discussion of possibly illegal activities should be sent PGP-encrypted to Presidente Dante <alighieri at alpha.c2.org> ONLY. Dante's public key is available on all the keyservers. Coming attractions from the Sub-Aryan Corps: * Audiocassettes from the latest private meetings of the Michigan Militia, National Alliance, and Knights of the KKK. * Communication between Neo-Nazi leader Willis Carto and various front groups, such as the Institute for Historical Review and the Liberty Lobby. * Detailed financial disclosure statements from Ernst Zundel, Willis Carto, William Pierce, Ingrid Rimland, the White Aryan Resistance, Milton Kleim, Don Black, "Reverend" Schoedel, and Samisdat Publishing. - -rich no longer a member of the SAC, but a big fan -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXV9b43DXUbM57SdAQGZngQAskHU7Gvv1F66i4rGPK4xEXyhN33pa5Ns meVUeZqdViWv+gIIj1sgHX6KLj9h7pZ+YAI/+vNrrMZ2aZkyJniwDWYhLJCODlxM Jy9I38XYq+CbMaraliNvkuanzYjbNG7vbuKSCnetTAlQySBILdtOvxceBBUA6soX JTtt/VwxBWc= =W89G -----END PGP SIGNATURE----- From sameer at c2.org Thu Apr 18 01:19:47 1996 From: sameer at c2.org (sameer at c2.org) Date: Thu, 18 Apr 1996 16:19:47 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? In-Reply-To: <ad9b0ca80f0210043f65@[205.199.118.202]> Message-ID: <199604180512.WAA09220@atropos.c2.org> could we please dispense with the posts cc'ing the list about these idiots? I already never read posts by idiots because they aren't in my list of people I read, but I have to read these replies. The proper steps to take when someone makes such a posting: A) Flame them privately B) Subscribe them to clueless at c2.org > At 1:08 AM 4/18/96, Leslie Farnsworth wrote: > >take me of your emailing list > > She (or he) can't even spell "off." > > This clown also sent me the same message privately, so anything done to her > or him is only fair.. > > The Cypherpunks Death Penalty? > > > --Tim May > > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From abostick at netcom.com Thu Apr 18 01:20:09 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 18 Apr 1996 16:20:09 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <Pine.LNX.3.91.960417182818.3310o-100000@koalas.com> Message-ID: <+iadx8m9LMsQ085yn@netcom.com> On Wed, 17 Apr 1996 18:28:27 -0700 (PDT), Leslie Farnsworth <leslie at koalas.com> wrote: > take me off your mailing list > Okay . . . <clickclickclicketyclicketyclick> There, that did it! You are now deleted from every mailing list over which I have control. Hope this helps. -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick From ses at tipper.oit.unc.edu Thu Apr 18 02:02:09 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 18 Apr 1996 17:02:09 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604172037.QAA17212@apollo.gti.net> Message-ID: <Pine.SOL.3.91.960417173232.3025G-100000@chivalry> On Wed, 17 Apr 1996, Mark Rogaski wrote: > > Is it possible to find a percentage of the key space to eliminate that > will optimize security assuming that the attacker will try the easy > stuff first (and is it possible to quantify "easy stuff")? Hmmm- I think this could be interesting to study; if we treat the space of possible passwords as a non-uniform probability distribution (Zipfian?), and then transform it in such a way to be uniform (by having the probability of certain passwords being disqualified be based on their relative probability it should be possible to get a situation where all passwords are possible, and all have equal probability. This gives optimum security ( I think). Of course there's then the game theory assumption that the attacker will know about this and try paswords randomly; if they instead attack passwords with a non-random approach, the optimum passwords will be tuned to their attack strategy, unless they know you're tuning to their attack in which case they will tune their attack to your [stack overflow - bus error, core dumped] Interesting exercise. > Mark Rogaski | Why read when you can just sit and | Member > System Admin | stare at things? | Programmers Local > GTI GlobalNet | Any expressed opinions are my own | # 0xfffe > wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO "There is power in a packet, power in a LAN Power in the hands of the hacker, But it all amounts to nothing if together we don't stand There is power in a UNIX From nobody at REPLAY.COM Thu Apr 18 02:14:15 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 18 Apr 1996 17:14:15 +0800 Subject: GNU Version 0.01 (alpha) of KiddieFind is now available Message-ID: <199604180610.IAA27184@utopia.hacktic.nl> I am going ahead and releasing an alpha version of KiddieFind a free Unix implementation of LolitaWatch. Everything is under the GPL, so the source code is free, hack on it all you want ... KiddieFind is an enhanced free version of Nubility Inc.'s LolitaWatch for Unix. It works by locating network packets that have the US federally mandated Under18 bit set, and then uses publicly accessible databases to map them into a street address and phonenumber. The networked version works as follows, using the provided plug in module (a version is provided in 0.01 for AOL, I'm working on a CompuServe version and will have it ready in a week or so) to connect to a major online service. Once connected it goes into the equivalent of promiscuous mode and scans all traffic for the age bit, and forwards the information back to your system. After collecting all this information, it scans a number of publicly accessible databases to turn the information into a street address. The geographical location can be approximated by running a traceroute on the IP address of the originating packet and works backwards until a host with reliable geographic data can be located. KiddieFind only requires state-wide granularity, and this only to narrow the later phonebook search. Once a geographic location has been determined, it's not likely that the child has her own phone. Therefore the parents must be found. A search is done through the any number of the available on-line telephone books. By this stage KiddieFind should have a manageable number of candidate numbers. If real names are being used, than it's easy to isolate the correct phone number. Hopefully the Denning geographic information will be mandated soon, thus eliminating nearly all sources of error isolating the correct neighborhood. If there are still too many candiate numbers a number of other mostly automated searches can be done. The parents' home web pages can be searched for personal information, etc. Once you have the system tuned, all you merely have to do to locate a street address and phone number for any number of children is just login and poke around a bit. Everything else is done in the background. You don't even have to think about it. I've obtained the address and phone numbers of over 5,000 children so far, but I expect this will become easier after all the kinks in the system are worked out. GNU archives are located throughout the world, pick the one closest to you for downloading. From remailer at 2005.bart.nl Thu Apr 18 02:31:39 1996 From: remailer at 2005.bart.nl (Senator Exon) Date: Thu, 18 Apr 1996 17:31:39 +0800 Subject: cluelessness Message-ID: <199604180321.FAA11032@spoof.bart.nl> On Wed, 17 Apr 1996 sameer at c2.org wrote: > > > > I think the "clueless" mailing list is a must at this point. > > clueless at c2.org/majordomo at c2.org > > subscribe idiots as necessary. is this the original clueless list or a new one just created? stevwint198.JBFaa238aloalui at cs.usfablcwadamaimarlemncognniala@x.pyroceania-passport-lpapresssmstetink.comwwhijndwerner@ amonacomsumlfotzollne@ pcia.orq at c2.org mmyahe�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�1�xFrom: nobody at shinobi.alias.net (Anonymous) Comments: Please report misuse of this automated remailing service to <remailer-admin at shinobi.alias.net> Request-Remailing-To: jmurphy at gcnnet.com -----BEGIN PGP MESSAGE----- Version: 2.6.2 pgAAAUN/sA6maQUP4iU2FshtU88rLdmNe7obn+IqRA5b8ND7ukA0mL5Fo4h6MFjm +QY2lrmB7oE/TqecOM0+hUHBFmbJaWCQHZJK+3haDNwbja4MM6QTPgpwRRB/qEr0 QmQkPOiHByJyFnirQxE6gBOezhyxi+2EqkY4lBYKpzGVgbigBCHU/DgtXVB8Vt5T mn/EK6qkoF2spCsG1+ljpnwGtwYKWKLA7/DzSpjQqvhs87JJJrimduo6nOO2tqrS Fsm/5nWoXx17w4cSfUtVsdd2W9rZxtCXC2iCJodfyC8VH5WAvo358jz3setonvH5 CVQR9aCTzSw5NEZzwGeeOOg5TSyOSBrKoJe1p/PNrFKx1MdCx0LCbX3Et0xsQ+lw s/qDmOulZsfRJnHZjGf7HWCv6w81MweiJImldRrIlT/SpYc9VMGiow== =axvc -----END PGP MESSAGE----- KEJ HPOBAJKLCGHNJBOP IBBABHKFEMMFBHCA IJGKAIMHHCJCCEMI IKDFBJDPKAANINLL JBOFECLPLKJGLEOK JDLCJPLHCBCBCPEJ JIKAJOLFFLNOEKFP JLJHLEEOEHBGAJBD JPFIDAMBCLFHDFIJ MAKAOFICEKCLDLOI v� �w��v�v�,�v�<�x<(�x<L�w�`�w�d�w�h�w���w���x<P�v���v�x�v�\�v���v�l�x��v���v���x<��v���v���v���w���x=��x>T�x>X�x=T�x=P�v���v���x��v���v��v���x��v�$�v�,�v���w���w���w���x,�x8�x@�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w���w��w��w�$�w�0�w�C�w�O�w�y�v�\�xL�xP�xT�w�d�v�`�x>h�x>q�v�x�v�l�xx��vc��w���xB��va�v�4�w���w��u�,�w�8�w�`�xB��xB��xB��v��v���v�L�vx��w��v�D�xw�t�w��w�,�v �0����W�0��X;ܩ��bl��0��}0��z 0��w,0��t80��qD0��nP0��k\0��hh0��et0��b�0��_�0��\�0��Y�0��V�0��S�;�t��b��;�s��c��0��J�0��G�;ܶ��b��0��A����0������F�ڸ  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~var/adm/utmpxv��v��v��v��v��v��v��v��v��v�%�v�,�v�6�v�I�v�Y�v�e�v�q�v�|�v���v���v���v���v���v���v���v� �v��v�$�v�8�v�M�v�c�v�{�v���v���v���v��v��v��v��v��v��v��v��v��v�%�v�,�v�6�v�I�v�Y�v�e�v�q�v�|�v���v���v���v���v���v���v���v� �v��v�$�v�8�v�M�v�c�v�{�v���v���v���v�4�v�H�v�X�v�p�v���v���v���v���v���v� �w���x��v�hS0�v���v���v���v���v� �v� �v�,�v�D�v�P�v�\�v�p�v���v���v���v���v���v���v���v� �v��v�4�v�D�v�\�v�l�v�x�v���v���v���v���v���v� �v��v�,�v�H�v�h�v���v���v���v���v���v���v���v��v�(�v�<�v�T�v�h�v�x�v���v���v���v���v���v���v���v��v�0�v�H�v�\�v�t�v���v���v���v���v���v���v���v���v��v��v�,�v�T�v�p�v���v���v���v���v��v�X�v���v���v���v���v��v��v�! (�v�8�v�X�v�x�v���v���v���v���v���v���v��v���v���v���v���v�3456789abcdef/%d/%yccess from libc routinesn error: value 0x%x overflows %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�8is one of/����w�x�w�a�������88888����~��~�8JPFIDAMBCLFHDFIJ�s %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�is one of/�����w�x�w�a����a{@�'��w�x�������}J��.du.edu seacell-l-outgoing at oceania.org seacell-l at oceania.org soc.culture.sri-lanka ssmegma at aol.com steiner at netcom.com tink.com ursula at cyberspace.org wainc@ warep at wabash.edu warep at wally2.wabash.edu web-l-outgoing at oceania.org web-l at oceania.org whitehouse whitehouse.gov jgroby@ nbelck@ dwerner@ kneher@ cstrack@ amonaco@ hbengts@ rbollin@ msumner@ lfoster@ tzollne@ pentagon.dgsys.com cia.org internic.net q at c2.org remailer at yap.pactitle.com remailer at ee.siue.edu mix at black-ice.gateway.com rebel at espresso.myaFrom: nobody at shinobi.alias.net (Anonymous) Comments: Please report misuse of this automated remailing service to <remailer-admin at shinobi.alias.net> :: Anon-To: cypherpunks at toad.com Subject: Re: cluelessness On Wed, 17 Apr 1996 sameer at c2.org wrote: > > > > I think the "clueless" mailing list is a must at this point. > > clueless at c2.org/majordomo at c2.org > > subscribe idiots as necessary. is this the original clueless list or a new one just created? 3mail.3com.com may at cyberstation.net mriddell at netcom.com ncognito at gate.net niala at x.pyramid.com oceania-l-outgoing at oceania.org oceania-l at oceania.org passport-l-outgoing at oceania.org passport-l at oceania.org president@ raylc at teleport.com rperkins at nyx.cs.du.edu seacell-l-outgoing at oceania.org seacell-l at oceania.org soc.culture.sri-lanka ssmegma at aol.com steiner at netcom.com tink.com ursula at cyberspace.org wainc@ warep at wabash.edu warep at wally2.wabash.edu web-l-outgoing at oceania.org web-l at oceania.org whitehouse whitehouse.gov jgroby@ nbelck@ dwerner@ kneher@ cstrack@ amonaco@ hbengts@ rbollin@ msumner@ lfoster@ tzollne@ pentagon.dgsys.com cia.org internic.net q at c2.org remailer at yap.pactitle.com remailer at ee.siue.edu mix at black-ice.gateway.com rebel at espresso.cafe.uqam.ca myan at gpu.srv.ualberta.ca henningk at powertech.no murso at fnalv.fnal.gov j-urso at district86.k12.il.us brennan at demon.co.uk zapyo at aol.com ,�x8�x@�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w���w��w��w�$�w�0�w�C�w�O�w�y�v�\�xL�xP�xT�w�d�v�`�x>h�x>q�v�x�v�l�xx��vc��w���xB��va�v�4�w���w��u�,�w�8�w�`�xB��xB��xB��v��v���v�L�vx��w��v�D�xw�t�w��w�,�v �0����W�0��X;ܩ��bl��0��}0��z 0��w,0��t80��qD0��nP0��k\0��hh0��et0��b�0��_�0��\�0��Y�0��V�0��S�;�t��b��;�s��c��0��J�0��G�;ܶ��b��0��A����0������F�ڸ  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~vae fileion now in progressOST_OSLIBw�vz0�vz8�vz@�vzH�vzP�x�x �x�w�X�w�\�w�`�w�d�w܀�w�|�w�x�w�t�w�p�w�l�w�h�w܄�w܈�vzX�v���wܨ�wܐ�wܬ�r���v���v���w�(�x0�w���v���v���w�8�v���v���x��x��v���v��v� �v��w�@�w�<�x ��v{(�vz��v{@�vz��x }�x a�x 1�x ��v}��v{��x ��w�`�x /�v{�vz��vz`�x a�w�H�v{X�x ��x ��v��v�4�v�L�w�h�w��w��w��w��v}��v}��x ��v���v���v�|�v���v���v�t�v���w��w��v�(�v���x��v���x��x��v��v�,�v�<�v���v��x��v�d�v� �v���v�t�v�0�v�@�v��x��w��w���w���w��w���w���v}��v}��v}��w� �w�8�x��v���x��v�x�v���v���x��v���v���v�|�w�P�x ��x ��x ��x ��x ��x ��w�\�w�|�x�v���x��x�v���x�x ��w�`�x ��w�X�x ��x ��x ��x ��w�x�x ��x ��x ��w��x ��v���w��v���v}��x ��w��v}��v���v���v���w��w��x��x�x�w���x�v�4�v�@�x �x�w�<�w�,�w�4�v�$�v���v���v�l�v� �v���x$�v���v���v�p�v���w�@�v���v���v�t�v���v���v�x�v�v���v���w�L�x.l�w�H�xL�v}��w��Return-Path: remail at hypereality.co.uk Received: from pangaea.hypereality.co.uk (pangaea.hypereality.co.uk [194.129.42.2]) by shiva.ee.siue.edu (8.6.9/8.6.12) with ESMTP id VAA17577 for <remailer at shinobi.alias.net>; Tue, 16 Apr 1996 21:02:53 -0500 Received: (from remail at localhost) by pangaea.hypereality.co.uk (8.6.9/8.6.9) id DAA00447 for remailer at shinobi.alias.net; Wed, 17 Apr 1996 03:01:01 +0100 Hypereality Systems : <WWW: http://www.hypereality.co.uk/> Date: Wed, 17 Apr 1996 03:01:01 +0100 Message-Id: <199604170201.DAA00447 at pangaea.hypereality.co.uk> To: remailer at shinobi.alias.net From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Remailed-By: ECafe Anonymous Remailer Complaints-To: complaints at remail.ecafe.org X-WWW: http://www.ecafe.org/~remail/ X-Notice: The contents of this message are neither appoved or X-Notice: condoned by ecafe.org or our host Hypereality Systems. X-Notice: We bear no liability for misuse of this system. X-Warn: *** This message was remailed through an anonymous remailer *** X-Warn: *** Replying to it will not send your reply to the sender *** :: Request-Remailing-To: ncognito at gate.net :: Request-Remailing-To: jmurphy at gcnnet.com -----BEGIN PGP MESSAGE----- Version: 2.6.2 pgAAAUN/sA6maQUP4iU2FshtU88rLdmNe7obn+IqRA5b8ND7ukA0mL5Fo4h6MFjm +QY2lrmB7oE/TqecOM0+hUHBFmbJaWCQHZJK+3haDNwbja4MM6QTPgpwRRB/qEr0 QmQkPOiHByJyFnirQxE6gBOezhyxi+2EqkY4lBYKpzGVgbigBCHU/DgtXVB8Vt5T mn/EK6qkoF2spCsG1+ljpnwGtwYKWKLA7/DzSpjQqvhs87JJJrimduo6nOO2tqrS Fsm/5nWoXx17w4cSfUtVsdd2W9rZxtCXC2iCJodfyC8VH5WAvo358jz3setonvH5 CVQR9aCTzSw5NEZzwGeeOOg5TSyOSBrKoJe1p/PNrFKx1MdCx0LCbX3Et0xsQ+lw s/qDmOulZsfRJnHZjGf7HWCv6w81MweiJImldRrIlT/SpYc9VMGiow== =axvc -----END PGP MESSAGE----- ��v���v���v���v��v�(�v�<�v�T�v�h�v�x�v���v���v���v���v���v���v���v��v�0�v�H�v�\�v�t�v���v���v���v���v���v���v���v���v��v��v�,�v�T�v�p�v���v���v���v���v��v�X�v���v���v���v���v��v��v�(�v�8�v�X�v�x�v���v���v���v���v���v���v��v���v���v���v���v�3456789abcdef/%d/%yccess from libc routinesn error: value 0x%x overflows %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�8is one of/����w�x�w�a�������88888����~��~�8JPFIDAMBCLFHDFIJ�s %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�is one of/�����w�x�w�a����a{@�'��w�x�������}J��.du.edu seacell-l-outgoing at oceania.org seacell-l at oceania.org soc.culture.sri-lanka ssmegma at aol.com steiner at netcom.com tink.com ursula at cyberspace.org wainc@ warep at wabash.edu warep at wally2.wabash.edu web-l-outgoing at oceania.org web-l at oceania.org whitehouse whitehouse.gov jgroby@ nbelck@ dwerner@ kneher@ cstrack@ amonaco@ hbengts@ rbollin@ msumner@ lfoster@ tzollne@ pentagon.dgsys.com cia.org internic.net q at c2.org remailer at yap.pactitle.com remailer at ee.siue.edu mix at black-ice.gateway.com rebel at espresso.cafe.uqam.ca myan at gpu.srv.ualberta.ca henningk at powertech.no murso at fnalv.fnal.gov j-urso at district86.k12.il.us brennan at demon.co.uk zapyo at aol.com �v��v�P�v�@�v�0�v� �v�D�v�4�v�$�v�H�v�8�v�(�v�L�v�<�v�,�x��v�T�x��x5t�w�P�v�|�v���v�d�v�p�w�H�w�h�v���v���v���v���w�p�x5��x5��x5��x5��w��x��w��w�D�x5��v�,�x;��v�(�w�@�v�0�x;��x;��t/D�x;��w��w���v�h�v�H�x<�v��v��x(�v�P�v� �w��v�v�,�v�<�x<(�x<L�w�`�w�d�w�h�w���w���x<P�v���v�x�v�\�v���v�l�x��v���v���x<��v���v���v���w���x=��x>T�x>X�x=T�x=P�v���v���x��v���v��v���x��v�$�v�,�v���w���w���w���x,�x8�x@�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w�ailer at remailer.nl.com From: nobody at shinobi.alias.net (Anonymous) Comments: Please report misuse of this automated remailing service to <remailer-admin at shinobi.alias.net> :: Anon-To: cypherpunks at toad.com Subject: Re: cluelessness On Wed, 17 Apr 1996 sameer at c2.org wrote: > > > > I think the "clueless" mailing list is a must at this point. > > clueless at c2.org/majordomo at c2.org > > subscribe idiots as necessary. is this the original clueless list or a new one just created? ��v���v��v�(�v�<�v�T�v�h�v�x�v���v���v���v���v���v���v���v��v�0�v�H�v�\�v�t�v���v���v���v���v���v���v���v���v��v��v�,�v�T�v�p�v���v���v���v���v��v�X�v���v���v���v���v��v��v�(�v�8�v�X�v�x�v���v���v���v���v���v���v��v���v���v���v���v�3456789abcdef/%d/%yccess from libc routinesn error: value 0x%x overflows %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�8is one of/����w�x�w�a�������88888����~��~�8JPFIDAMBCLFHDFIJ�.du.edu seacell-l-outgoing at oceania.org seacell-l at oceania.org soc.culture.sri-lanka ssmegma at aol.com steiner at netcom.com tink.com ursula at cyberspace.org wainc@ warep at wabash.edu warep at wally2.wabash.edu web-l-outgoing at oceania.org web-l at oceania.org whitehouse whitehouse.gov jgroby@ nbelck@ dwerner@ kneher@ cstrack@ amonaco@ hbengts@ rbollin@ msumner@ lfoster@ tzollne@ pentagon.dgsys.com cia.org internic.net q at c2.org remailer at yap.pactitle.com remailer at ee.siue.edu mix at black-ice.gateway.com rebel at espresso.cafe.uqam.ca myan at gpu.srv.ualberta.ca henningk at powertech.no murso at fnalv.fnal.gov j-urso at district86.k12.il.us brennan at demon.co.uk zapyo at aol.com ,�x8�x@�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w���w��w��w�$�w�0�w�C�w�O�w�y�v�\�xL�xP�xT�w�d�v�`�x>h�x>q�v�x�v�l�xx��vc��w���xB��va�v�4�w���w��u�,�w�8�w�`�xB��xB��xB��v��v���v�L�vx��w��v�D�xw�t�w��w�,�v �0����W�0��X;ܩ��bl��0��}0��z 0��w,0��t80��qD0��nP0��k\0��hh0��et0��b�0��_�0��\�0��Y�0��V�0��S�;�t��b��;�s��c��0��J�0��G�;ܶ��b��0��A����0������F�ڸ  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~vae fileion now in progressOST_OSLIBw�vz0�vz8�vz@�vzH�vzP�x�x �x�w�X�w�\�w�`�w�d�w܀�w�|�wrobo at c2.org BoneDancer at aol.com heavnleigh at aol.com guidewow at aol.com guidefox at aol.com stevwint at ix.netcom.com stevwint at cris.com prime.org 198.137.240.100 3com.com JBFREUDE at law.vill.edu aa238 at freenet.buffalo.edu alo at webcom.com alt.clearing.technology alt.religion.scientology alui at cs.usfca.edu aso6 at columbia.edu blind-l-outgoing at oceania.org blind-l at oceania.org buseyp@ cicese.mx@ cwainri@ davidg at netcom.com dnash at cs.lynx.usfca.edu dnashe at lynx.cs.usfca.edu jgomez at umiami.ir.miami.edu lailert at rohan.sdsu.edu lkasday at acad.bryant.edu lpease at netcom.com mail2news at demon.co.uk marlena_djukich at 3mail.3com.com may at cyberstation.net mriddell at netcom.com ncognito at gate.net niala at x.pyramid.com oceania-l-outgoing at oceania.org oceania-l at oceania.org passport-l-outgoing at oceania.org passport-l at oceania.org president@ raylc at teleport.com rperkins at nyx.cs.du.edu seacell-l-outgoing at oceania.org seacell-l at oceania.org soc.culture.sri-lanka ssmegma at aol.com steiner at netcom.com tink.com ursula at cyberspace.org wainc@ warep at wabash.edu warep at wally2.wabash.edu web-l-outgoing at oceania.org web-l at oceania.org whitehouse whitehouse.gov jgroby@ nbelck@ dwerner@ kneher@ cstrack@ amonaco@ hbengts@ rbollin@ msumner@ lfoster@ tzollne@ pentagon.dgsys.com cia.org internic.net q at c2.org remailer at yap.pactitle.com remailer at ee.siue.edu mix at black-ice.gateway.com rebel at espresso.cafe.uqam.ca myan at gpu.srv.ualberta.ca henningk at powertech.no murso at fnalv.fnal.gov j-urso at district86.k12.il.us brennan at demon.co.uk zapyo at aol.com @�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w���w��w��w�$�w�0�w�C�w�O�w�y�v�\�xL�xP�xT�w�d�v�`�x>h�x>q�v�x�v�l�xx��vc��w���xB��va�v�4�w���w��u�,�w�8�w�`�xB��xB��xB��v��v���v�L�vx��w��v�D�xw�t�w��w�,�v �0����W�0��X;ܩ��bl��0��}0��z 0��w,0��t80��qD0��nP0��k\0��hh0��et0��b�0��_�0��\�0��Y�0��V�0��S�;�t��b��;�s��c��0��J�0��G�;ܶ��b��0��A����0������F�ڸ  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~var/adm/utIs a name fileOST_OSLIBw�vz0�vz8�vz@�vzH�vzP�x�x �x�w�X�w�\�w�`�w�d�w܀�w�|�w�x�w�t�w�p�w�l�w�h�w܄�w܈�vzX�v���wܨ�wܐ�wܬ�r���v���v���w�(�x0�w���v���v���w�8�v���v���x��x��v���v��v� �v��w�@�w�<�x ��v{(�vz��v{@�vz��x }�x a�x 1�x ��v}��v{��x ��w�`�x /�v{�vz��vz`�x a�w�H�v{X�x ��x ��v��v�4�v�L�w�h�w��w��w��w��v}��v}��x ��v���v���v�|�v���v���v�t�v���w��w��v�(�v���x��v���x��x��v��v�,�v�<�v���v��x��v�d�v� �v���v�t�v�0�v�@�v��x��w��w���w���w��w���w���v}��v}��v}��w� �w�8�x��v���x��v�x�v���v���x��v���v���v�|�w�P�x ��x ��x ��x ��x ��x ��w�\�w�|�x�v���x��x�v���x�x ��w�`�x ��w�X�x ��x ��x ��x ��w�x�x ��x ��x ��w��x ��v���w��v���v}��x ��w��v}��v���v���v���w��w��x��x�x�w���x�v�4�v�@�x �x�w�<�w�,�w�4�v�$�v���v���v�l�v� �v���x$�v���v���v�p�v���w�@�v���v���v�t�v���v���v�x�v�v���v���w�L�x.l�w�H�xL�v}��w���x4��x4,�x4��x4�x4(�x4��x4��v~�v~ �v~(�v~0�v~8�v~@�v~H�v~P�v~X�w��x4��v�x�v�p�v���xx�v���v�|�v~`�w�4�x4��x4��x4��v~h�v~��v���v���w�8�w�@�x4��x4��v���v���v���v���x4��x4��x4��x4��x��x��x��x��x��x4��w�X�x��x��x��v���v���v���x��x��x��x��x��w��w� �w�(�w�0�w�$�v�4�v�D�v�d�v�t�v���v���v���v���v���v��v���v���v���v��x��v��v�P�v�@�v�0�v� �v�D�v�4�v�$�v�H�v�8�v�(�v�L�v�<�v�,�x��v�T�x��x5t�w�P�v! �|�v���v�d�v�p�w�H�w�h�v���v���v���v���w�p�x5��x5��x5��x5��w��x��w��w�D�x5��v�,�x;��v�(�w�@�v�0�x;��x;��t/D�x;��w��w���v�h�v�H�x<�v��v��x(�v�P�v� �w��v�v�,�v�<�x<(�x<L�w�`�w�d�w�h�w���w���x<P�v���v�x�v�\�v���v�l�x��v���v���x<��v���v���v���w���x=��x>T�x>X�x=T�x=P�v���v���x��v���v��v���x��v�$�v�,�v���w���w���w���x,�x8�x@�x�x�x �x�x�x0�x$�x<�xD�x(�x4�x�x �xH�v�`�w���w���w��w��w�$�w�0�w�C�w�O�w�y�v�\�xL�xP�xT�w�d�v�`�x>h�x>q�v�x�v�l�xx��vc��w���xB��va�v�4�w���w��u�,�w�8�w�`�xB��xB��xB��v��v���v�L�vx��w��v�D�xw�t�w��w�,�v �0����W�0��X;ܩ��bl��0��}0��z 0��w,0��t80��qD0��nP0��k\0��hh0��et0��b�0��_�0��\�0��Y�0��V�0��S�;�t��b��;�s��c��0��J�0��G�;ܶ��b��0��A����0������F�ڸ  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~var/adm/utmpxv��v��v��v��v��v��v��v��v��v�%�v�,�v�6�v�I�v�Y�v�e�v�q�v�|�v���v���v���v���v���v���v���v� �v��v�$�v�8�v�M�v�c�v�{�v���v���v���v��v��v��v��v��v��v��v��v��v�%�v�,�v�6�v�I�v�Y�v�e�v�q�v�|�v���v���v���v���v���v���v���v� �v��v�$�v�8�v�M�v�c�v�{�v���v���v���v�4�v�H�v�X�v�p�v���v���v���v���v���v� �w���x��v�hS0�v���v���v���v���v� �v� �v�,�v�D�v�P�v�\�v�p�v���v���v���v���v���v���v���v� �v��v�4�v�D�v�\�v�l�v�x�v���v���v���v���v���v� �v��v�,�v�H�v�h�v���v���v���v���v���v���v���v��v�(�v�<�v�T�v�h�v�x�v���v���v���v���v���v���v���v��v�0�v�H�v�\�v�t�v���v���v���v���v���v���v���v���v��v��v�,�v�T�v�p�v���v���v���v���v��v�X�v���v���v���v���v��v��v�! (�v�8�v�X�v�x�v���v���v���v���v���v���v��v���v���v���v���v�3456789abcdef/%d/%yccess from libc routinesn error: value 0x%x overflows %d bits at 0x%x: referenced in %s find library=%s; searching 9abcdefithin any mapped object recreate profile buffer find file %s!��(� ��$�,�%��!��~��X�x�~��~����~����������������~������~��~t�~��~\�~H�~��~��~���~h���~��~�~4�~��~����~P�~�~��~��~�~��~��~��~��~��~h�~4�& �&�~l�&�&�&����� �&�& �~��~��&�~�����~d�&$�~x���~\�}�����~����&4�~��~��~������~�~�������~4�&8�T����~ h�&L�P���L��8� �(�|�}s쌿���}X|�}H4�}IH�}D��}K4�}���0�@�@�X�~$  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~'��}@4'`�}e<�p�H�)�(X�'`��Є�p �� ٰ� �u������c�)޳�*�E�+���,�bp-�w�.�Dp/~Y�0�&p1gve>�fR�g��g�4�h���i��jݨ�k���l��pm�ڀn��poq��p��pqZ�is one of/�����w�x�w�a����ap�������}J�� From nobody at c2.org Thu Apr 18 02:31:50 1996 From: nobody at c2.org (Anonymous User) Date: Thu, 18 Apr 1996 17:31:50 +0800 Subject: No Subject Message-ID: <199604180605.XAA23981@infinity.c2.org> "add leslie at koalas.com clueless" 'leslie at koalas.com' was ADDED to the 'clueless' mailing list. From jpb at miamisci.org Thu Apr 18 02:48:27 1996 From: jpb at miamisci.org (Joe Block) Date: Thu, 18 Apr 1996 17:48:27 +0800 Subject: on corporations and subpoenas Message-ID: <v02130525ad9b5ba388d0@[192.168.69.70]> Adam, re: At 9:42 AM 4/17/96, Adam Pingitore wrote: > Um, well, then I'm going to have to spam your ass. Um, well, then I'm going to have to notify your postmaster of your threat to spam the cypherpunks at toad.com mailing list. I'm certain he has better things to do than reply to several hundred irate cypherpunks copying your spam to him and will take appropriate steps. Grow up. Joseph Block <jpb at miamisci.org> "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From JonWienke at aol.com Thu Apr 18 03:16:50 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 18 Apr 1996 18:16:50 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <960418025428_377757492@emout17.mail.aol.com> >Is it possible to find a percentage of the key space to eliminate that >will optimize security assuming that the attacker will try the easy >stuff first (and is it possible to quantify "easy stuff")? If you eliminate all repeating byte sequences, such as 00 00 or 7F 7F, you will reduce your possible entropy by .07058% (7.99435 bits per byte), and eliminate the (astronomically remote) possibility of Hamlet or some other English text popping out of your RNG/PRNG. As long as your key is long enough to withstand this slight entropy reduction, you are still OK. From accessnt at ozemail.com.au Thu Apr 18 04:05:06 1996 From: accessnt at ozemail.com.au (Mark Neely) Date: Thu, 18 Apr 1996 19:05:06 +0800 Subject: EFF/Bernstein Press Release Message-ID: <199604180731.RAA09977@oznet02.ozemail.com.au> Well, that puts legislation making virus authoring a crime into a new (and difficult) position. Mark ___ Mark Neely - accessnt at ozemail.com.au Lawyer, Internet Consultant, Professional Cynic Author: Australian Beginner's Guide to the Internet Work-in-Progress: Australian Business Guide to the Internet WWW: http://www.ozemail.com.au/~accessnt From alano at teleport.com Thu Apr 18 04:05:27 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 18 Apr 1996 19:05:27 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" Message-ID: <2.2.32.19960418070811.00a81010@mail.teleport.com> At 10:37 PM 4/17/96 -0700, Patrick May wrote: > I run a small mailing list that has been subject to problems >similar to the recent spate of "unscrives". Apparently there is a >list of mailing lists circulating the warez boards along with scripts >for spoofing subscription requests. Over the past few months my list >has periodically received batches of bogus subscriptions for accounts >ranging from Fidonet sysops to Al Gore to random AOL users. Email >from other mailing list admins indicates that these same accounts, >perhaps two hundred in all, were subscribed to several hundred lists. Teleport has been having the same problems. They have a modification to majordomo that sends a confirm message to the intended victim^H^H^H^H^H^Hrecipient asking if he/she/it really wanted to subscribe and request that they send back a passphrase to confirm the subscription. This has two benificial effects... It keeps the unwilling from being subscribed to lists that they do not want. It also keeps the incredibly clueless from subscribing in the first place since they can never figure how to get the confirm message back to majordomo without botching it. I will find from the "powers that be" at teleport if the patch is publically released for use. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From pjm at spe.com Thu Apr 18 05:21:35 1996 From: pjm at spe.com (Patrick May) Date: Thu, 18 Apr 1996 20:21:35 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" Message-ID: <199604180537.WAA01617@gulch.spe.com> -----BEGIN PGP SIGNED MESSAGE----- Perry E. Metzger writes: > "Adam Pingitore" writes: > > I've got news for you all. This 'jerk' was spammed by some > > ass out there. I've canceled by subscription so would you > > all quit whining already. Sorry if I sent you people > > inappropriate mail, but I just wasn't very happy getting > > 2000 e-mails a day. [ Mr. Metzger's amusing flame elided. ] I run a small mailing list that has been subject to problems similar to the recent spate of "unscrives". Apparently there is a list of mailing lists circulating the warez boards along with scripts for spoofing subscription requests. Over the past few months my list has periodically received batches of bogus subscriptions for accounts ranging from Fidonet sysops to Al Gore to random AOL users. Email from other mailing list admins indicates that these same accounts, perhaps two hundred in all, were subscribed to several hundred lists. Crypto relevance: This attack will be eliminated when more mail agents support public key crypto and the mailing list software can be modified to check signatures on subscription requests. pjm -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQEVAwUBMXXU22AA81GB0e9dAQEjowf9EpmBXt3smBCduo3QF6/FLRRsC7NX65Ew 7jDI48XO9BWCOTXwwsFgibGgvefjtRKosB77SgeOy0q8QbukWjO8SXzqmQBSH3hK MBbP6Z1HVlP29KkyVpuWf9RAdsFMYGRuUjrFBNsc+ohpztW75MXvBkqHX7jGEk9K fpmTfQv8TRyygjNR8bqiAXGWMP3OWq/gIO27ydCDG8+7czzqcCX6/JiGsYdH8ns5 sBAPe5oJsm15at4i8khNtpNbf/+JTm6cS+TTAhQLaBTxmdxUDAa/zQlxeevSsrfl sBo9fRF+IgU4v9Zw7BSDcc4E3FKCjpZ39PXLfW+QPH7WBPu9hRjQVw== =4GcH -----END PGP SIGNATURE----- From express at xor.com Thu Apr 18 05:24:25 1996 From: express at xor.com (Express) Date: Thu, 18 Apr 1996 20:24:25 +0800 Subject: Welcome to Express! Message-ID: <199604180841.CAA04544@billygoat.xor.com> Dear Guest: Merci! and thank you for registering. At Express Online, your user name is "cypherpu" and your password is "cypherpunks". To enter the world of Express, use this user name/password combination. Please save this record for future reference, so you can always download the latest news from Express on fashion, shopping, travel, music and more. From JonWienke at aol.com Thu Apr 18 06:34:08 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 18 Apr 1996 21:34:08 +0800 Subject: [Noise] Unsubrscive $$$ Message-ID: <960418025429_377757515@emout18.mail.aol.com> Wanna make lotsa money? Just charge $20 for instructions whenever the clueless want off the list. When they email you with their pathetic "unsubscrive" pleas, get their MasterCard / Visa / AmEx / Discover number and expiration date. Call it a "spamming fee" to compensate you for the time it takes to download and respond to their iggorant [sick] requests. See you on the Riviera! From ericm at lne.com Thu Apr 18 07:28:47 1996 From: ericm at lne.com (Eric Murray) Date: Thu, 18 Apr 1996 22:28:47 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? In-Reply-To: <ad9b0ca80f0210043f65@[205.199.118.202]> Message-ID: <199604180607.XAA02282@slack.lne.com> Timothy C. May writes: > > At 1:08 AM 4/18/96, Leslie Farnsworth wrote: > >take me of your emailing list > > She (or he) can't even spell "off." > > This clown also sent me the same message privately, so anything done to her > or him is only fair.. > > The Cypherpunks Death Penalty? There's lately been a spate of l00sers subscribing unsuspecting people to various hugh-traffic mailing lists. I'd be willing to bet that a number of the 'unsubscrive' people we have been seeing lately have been subscrived by their "friends" and have never seen the "welcome to cypherpunks" list message, or probably any mailing lists welcome message for that matter. One list admin I know of has to manually unsubscribe president at whitehouse.gov from a motorcycle racing list three or more times a week. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From holovacs at styx.ios.com Thu Apr 18 08:04:27 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Thu, 18 Apr 1996 23:04:27 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <Pine.3.89.9604180640.A22694-0100000@styx.ios.com> Perhaps keyspace analysis and randomness analysis should be done from a Bayesian technique, with the the potential perspective of the cracker, or your estimate of the potental prospective of the cracker as a priori conditions. Hamlet could well qualify as a random string, however if your cracker was using 'Great Books of Western Civ' as a dictionary source, it would not be so good. ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 On Wed, 17 Apr 1996, Simon Spero wrote: > On Wed, 17 Apr 1996, Mark Rogaski wrote: > > > Is it possible to find a percentage of the key space to eliminate that > > will optimize security assuming that the attacker will try the easy > > stuff first (and is it possible to quantify "easy stuff")? > > Hmmm- I think this could be interesting to study; if we treat the space > of possible passwords as a non-uniform probability distribution > (Zipfian?), and then transform it in such a way to be uniform (by > having the probability of certain passwords being disqualified be > based on their relative probability it should be possible to get a > situation where all passwords are possible, and all have equal probability. From jya at pipeline.com Thu Apr 18 08:21:10 1996 From: jya at pipeline.com (John Young) Date: Thu, 18 Apr 1996 23:21:10 +0800 Subject: NYT on Bernstein Suit Message-ID: <199604181201.IAA05671@pipe4.nyc.pipeline.com> http://www.nytimes.com/library/cyber/week/0418suit.html From dlv at bwalk.dm.com Thu Apr 18 09:04:38 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 19 Apr 1996 00:04:38 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604180537.WAA01617@gulch.spe.com> Message-ID: <w1ukmD168w165w@bwalk.dm.com> Patrick May <pjm at spe.com> writes: > I run a small mailing list that has been subject to problems > similar to the recent spate of "unscrives". Apparently there is a > list of mailing lists circulating the warez boards along with scripts > for spoofing subscription requests. ... > > Crypto relevance: This attack will be eliminated when more mail > agents support public key crypto and the mailing list software can be > modified to check signatures on subscription requests. Eric Thomas's LISTSERV has had a feature for 4 or 5 years that prevents spoofed subscription requests. The list owner can configure the mailing list so that whenever a subscription request is received, LISTSERV e-mails the apparent sender and asks to e-mail it 'OK nnnn', where 'nnnn' is a pseudo-random string uniquely identifying this request. If the confirmation isn't received within 48 hours, LISTSERV ignores the command. Similar confirmations can be requested for other commands, like unsubcribe. Works like a charm without any public key crypto or digital signatures. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From s1113645 at tesla.cc.uottawa.ca Thu Apr 18 10:04:56 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Fri, 19 Apr 1996 01:04:56 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <199604180731.RAA09977@oznet02.ozemail.com.au> Message-ID: <Pine.3.89.9604180825.A31115-0100000@tesla.cc.uottawa.ca> On Thu, 18 Apr 1996, Mark Neely wrote: > Well, that puts legislation making virus authoring a crime > into a new (and difficult) position. For that matter, is issuing unix and tcp/ip commands an act of speech even when cracking into someone else's computer? (I realize this might be made moot by having to read the output and violating the target's privacy, but then the act of cracking, in itself, might only require commands standard on all machine, that also have standard and therefore predictable responses, entailing no privacy loss.) From s1113645 at tesla.cc.uottawa.ca Thu Apr 18 10:05:54 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Fri, 19 Apr 1996 01:05:54 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <199604180731.RAA09977@oznet02.ozemail.com.au> Message-ID: <Pine.3.89.9604180813.A31138-0100000@tesla.cc.uottawa.ca> On Thu, 18 Apr 1996, Mark Neely wrote: > Well, that puts legislation making virus authoring a crime > into a new (and difficult) position. On the other hand, a virus is malicious speech, no? Sorta like libel or fraud. You said bad and untrue things to the victim's computer and the dimwitted OS believed it. Also this is impersonation. You spoke words that led the OS to think that you were a legit user and, having its gained trust on false grounds, it lets you do malicious things. So is misrepresentation also constitutional? (Not like I need this answered ;-> ) From john at loverso.southborough.ma.us Thu Apr 18 10:07:50 1996 From: john at loverso.southborough.ma.us (John Robert LoVerso) Date: Fri, 19 Apr 1996 01:07:50 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? In-Reply-To: <ad9b0ca80f0210043f65@[205.199.118.202]> Message-ID: <199604181257.IAA19331@loverso.southborough.ma.us> Ah, the new way to spam somebody. Just forge an "unsubsrive" or "take me of" messsage to cypherpunks. John From declan+ at CMU.EDU Thu Apr 18 10:52:21 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 19 Apr 1996 01:52:21 +0800 Subject: CDA Court Challenges In-Reply-To: <199604172315.SAA12354@paulsdesk.phoenix.net> Message-ID: <ElRYkLG00YUvQ4oCF8@andrew.cmu.edu> Excerpts from internet.cypherpunks: 17-Apr-96 CDA Court Challenges by K00l Secrets at secret.alia > Are Declan's CDA reports numbers 1 and 2 available anywhere? I seemed > to have missed them on the mailing list, and the web site also starts > at 3. Thanks. Yeah, I should make sure they're all up on the fight-censorship archive site (http://fight-censorship.dementia.org/top/). Until then, you can find them at: http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/ -Declan From m5 at vail.tivoli.com Thu Apr 18 10:55:15 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Fri, 19 Apr 1996 01:55:15 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <Pine.3.89.9604180813.A31138-0100000@tesla.cc.uottawa.ca> Message-ID: <317649B1.3AD7@vail.tivoli.com> s1113645 at tesla.cc.uottawa.ca wrote: > On the other hand, a virus is malicious speech, no? Sorta like libel or > fraud. You said bad and untrue things to the victim's computer and the > dimwitted OS believed it. Not when I wrote the virus I didn't. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From perry at piermont.com Thu Apr 18 10:58:29 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 01:58:29 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <199604180731.RAA09977@oznet02.ozemail.com.au> Message-ID: <199604181404.KAA08249@jekyll.piermont.com> Mark Neely writes: > Well, that puts legislation making virus authoring a crime > into a new (and difficult) position. Its not in any worse a position than laws outlawing conspiracy to commit murder. The crime is not (and must not be!) in writing the virus, which can be a perfectly innocent act -- the crime is in writing and taking active steps to use it as a weapon. > > Mark > ___ > Mark Neely - accessnt at ozemail.com.au > Lawyer, Internet Consultant, Professional Cynic > Author: Australian Beginner's Guide to the Internet > Work-in-Progress: Australian Business Guide to the Internet > WWW: http://www.ozemail.com.au/~accessnt > > From perry at piermont.com Thu Apr 18 11:13:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 02:13:07 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? In-Reply-To: <199604180607.XAA02282@slack.lne.com> Message-ID: <199604181341.JAA08196@jekyll.piermont.com> Eric Murray writes: > There's lately been a spate of l00sers subscribing > unsuspecting people to various hugh-traffic mailing lists. > > I'd be willing to bet that a number of the 'unsubscrive' people > we have been seeing lately have been subscrived by their "friends" > and have never seen the "welcome to cypherpunks" list message, No. If you are subscribed against your will you DO see the "Welcome to Cypherpunks" message. .pm From perry at piermont.com Thu Apr 18 11:13:25 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 02:13:25 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <Pine.3.89.9604180825.A31115-0100000@tesla.cc.uottawa.ca> Message-ID: <199604181421.KAA08296@jekyll.piermont.com> s1113645 at tesla.cc.uottawa.ca writes: > For that matter, is issuing unix and tcp/ip commands an act of speech > even when cracking into someone else's computer? Standing in front of a voice activated gun pointed at someone and shouting "fire" is still an act of murder. The issue is whether you have intent to kill, or break in, or whatever, not whether or not you speak. Pulling on my index finger isn't a crime either, unless there is a trigger in front of the finger, and the trigger is attached to a gun aimed at someone, and I know what I'm doing. Normally, however, pulling back on my index finger is no crime at all. This is why it can be a crime to conspire to commit murder even though speech is protected. .pm From perry at piermont.com Thu Apr 18 11:15:01 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 02:15:01 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <960418025428_377757492@emout17.mail.aol.com> Message-ID: <199604181352.JAA08215@jekyll.piermont.com> JonWienke at aol.com writes: > >Is it possible to find a percentage of the key space to eliminate that > >will optimize security assuming that the attacker will try the easy > >stuff first (and is it possible to quantify "easy stuff")? > > If you eliminate all repeating byte sequences, such as 00 00 or 7F 7F, you > will reduce your possible entropy by .07058% (7.99435 bits per byte), and > eliminate the (astronomically remote) possibility of Hamlet or some other > English text popping out of your RNG/PRNG. As long as your key is long > enough to withstand this slight entropy reduction, you are still OK. Before making pronouncements like "You are still OK" you ought to learn a bit more about cryptanalysis. Its tiny little statistical toeholds like that which permit breaks. I don't know for sure, but my intuition says that there may very well be instances in which a couple of little nicks like that into the entropy of a key are sufficient to radically lower the time to crack something. Since there are far better techniques available (hash distillation, for instance) for assuring the quality of a random stream, Jon's suggested techniques should be regarded as unnecessary and dangerous. PUBLIC SERVICE ANNOUNCEMENT: For the benefit of everyone reading, I've become increasingly convinced that Jon really doesn't understand the topic he's working on well enough to trust, and he doesn't have the sense to know that he doesn't understand it well enough. I know enough to know that I'm extremely ignorant -- he's ignorant enough to think that he knows more than he does. I don't mean to insult Jon -- I'm sure that in his own field whatever it is he's a smart enough guy, and he seems like a nice enough fellow -- but cryptography is a dangerous business -- bad technique KILLS, literally. Until Mr. Wienke loses his bad case of hubris I would suggest not taking his technical suggestions. Perry From tcooper at wwa.com Thu Apr 18 11:32:13 1996 From: tcooper at wwa.com (Tom Cooper) Date: Fri, 19 Apr 1996 02:32:13 +0800 Subject: Clinton blathering about Internet In-Reply-To: <Pine.ULT.3.92.960417101323.29708C-100000@Networking.Stanford.EDU> Message-ID: <Pine.BSD.3.92.960418093626.2368O-100000@sashimi.wwa.com> > > To be fair, I don't see any blathering, just "expressions of concern." The > blathering quote comes from the SPLC, not Clinton. > Get real dude. Of course it's blathering. Either he really is that stupid or he's trying to appeal to people's ignorant fears about the Net as some sort of Satanic gathering place, just to get reelected. Personally, I think that his intelligence is way over rated. He's turning out to be just another hillbilly redneck in the White House. First Clipper, then censorship, now fear mongering. I can't believe that a former pot smoking, philandering, draft dodger could be such a dupe. Or is it dope. > > Clinton, though, is pushing the unconstitutional "anti-terrorism" bill, > which is all blather, and worse, he's letting the Republicans add an > unrelated rider that emasculates habeus corpus. > > -rich > > Letting the Republicans? Clinton's on their side all the way. From SBinkley at atitech.ca Thu Apr 18 11:32:32 1996 From: SBinkley at atitech.ca (Scott Binkley) Date: Fri, 19 Apr 1996 02:32:32 +0800 Subject: [NOISE] Suscrive toasterpun In-Reply-To: <029C983A02502C79@-SMF-> Message-ID: <039C983A01502C79@-SMF-> >> If cypherpunks made toasters... >> Jim B and Black Unicorn would argue about whether toast should be >> buttered, and what the appropriate flavor of jam/jelly should be; TC May >> would point out that it wasn't really toast, but rather, sliced and >> slightly-burned bread; Perry would kvetch about the lack of crypto-relevance >> of toasters; and a few others would form a new listserver for toasterpunks. >> The service department would be flooded with calls from newbies, asking how >> to make toast. >> >> If Netscape made toasters... >> They'd beta-test the toasters for months, then make one slot too >> wide and the other too narrow. It wouldn't be until a cook in a diner >> pointed out that the toast wasn't coming out right that they'd have their >> design reviewed by a 3rd-party Toaster Engineer. >> >and during daylight savings time, you wouldn't be able to reload the >toaster for an hour unless you set your toaster to standard time or >created a timezone variable. And newbies would start crying when the forgot how to get off the list!! From fletch at ain.bls.com Thu Apr 18 12:11:09 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Fri, 19 Apr 1996 03:11:09 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604180537.WAA01617@gulch.spe.com> Message-ID: <9604181451.AA26234@outland.ain_dev> > I run a small mailing list that has been subject to problems > similar to the recent spate of "unscrives". Apparently there is a > list of mailing lists circulating the warez boards along with scripts > for spoofing subscription requests. Over the past few months my list Ah, KaNN3d t00Lz: the incompitent kRak3r'z best friend. :) > Crypto relevance: This attack will be eliminated when more mail > agents support public key crypto and the mailing list software can be > modified to check signatures on subscription requests. But you're presupposing a public key distribution mechanism such that the list software can get a key for that user. And that that's a valid key for that user, not a key that J Random kRak3r didn't just send in for his clueless AOL victim before said victim established a public key. At any rate, has something like this been put into the current PGPdomo? I don't think that it would be too hard to hack in a query to a web keyserver to grab a key. If the initial request's not signed, maybe include a note about how to go about getting PGP and putting a key on the keyserver (or a pointer to instructions on the web). --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From ddt at lsd.com Thu Apr 18 12:23:22 1996 From: ddt at lsd.com (Dave Del Torto) Date: Fri, 19 Apr 1996 03:23:22 +0800 Subject: [CDA] "Million Geek March" on Washington Message-ID: <v0300660bad9bcad52cc9@[192.187.167.52]> [fwd from: Keith A. Glass <salgak at dcez.com>] >Friends of Free Speech on the Net: > >On June 30th, 1996, a large anti-CDA rally, the Electronic Freedom March, >is planned for the Ellipse, in front of the White House. But without your >help, it won't happen. > >We need volunteers to help us plan the EFM and the logistics required for >it, people to help us raise funds to pay the expenses (the Park Service >has required us to provide 80 porta-potties, at a cost of nearly $4500.00 >alone, and that's not our only requirement. . .), and people to help us >run the March on June 30th. Not to mention publicity, etc. > >We need your help. **I** need your help. I've posted this to the DC area >groups, as well as to a few groups that I feel might be useful in >gathering more volunteers and interested people. But I need your >committment to help NOW, or we won't be able to run the EFM, or as it's >been called, the "Million Geek March". Come on, out there: help us out!!! > >-- >* Keith A. Glass, Annandale, Virginia, USA, Filker/punster at large * >* Washington Coordinator, Electronic Freedom March * >* 30 June 1996, Washington DC URL: http://www.efm.org * >* Note: the following line is an intentional act of Civil Disobedience: * >* FUCK THE TELECOMMUNICATIONS DECENCY ACT--DEFEND THE FIRST AMENDMENT ! * From wombat at mcfeely.bsfs.org Thu Apr 18 12:36:55 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Fri, 19 Apr 1996 03:36:55 +0800 Subject: [NOISE] Suscrive toasterpunks In-Reply-To: <2.2.32.19960417111001.0068736c@arn.net> Message-ID: <Pine.BSF.3.91.960418071849.7085B-100000@mcfeely.bsfs.org> On Wed, 17 Apr 1996, David K. Merriman wrote: > > If cypherpunks made toasters... > Jim B and Black Unicorn would argue about whether toast should be > buttered, and what the appropriate flavor of jam/jelly should be; TC May > would point out that it wasn't really toast, but rather, sliced and > slightly-burned bread; Perry would kvetch about the lack of crypto-relevance > of toasters; and a few others would form a new listserver for toasterpunks. > The service department would be flooded with calls from newbies, asking how > to make toast. > > If Netscape made toasters... > They'd beta-test the toasters for months, then make one slot too > wide and the other too narrow. It wouldn't be until a cook in a diner > pointed out that the toast wasn't coming out right that they'd have their > design reviewed by a 3rd-party Toaster Engineer. > and during daylight savings time, you wouldn't be able to reload the toaster for an hour unless you set your toaster to standard time or created a timezone variable. - r.w. From hwh6k at fulton.seas.virginia.edu Thu Apr 18 12:44:36 1996 From: hwh6k at fulton.seas.virginia.edu (Henry Huang) Date: Fri, 19 Apr 1996 03:44:36 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? Message-ID: <199604181515.LAA35228@fulton.seas.Virginia.EDU> On Apr 17, 21:38, Timothy C. May wrote: > >take me of your emailing list > > She (or he) can't even spell "off." > > This clown also sent me the same message privately, so anything done to her > or him is only fair.. > > The Cypherpunks Death Penalty? Someone suggested that certain people were being signed up on Cypherpunks as part of a two-fold spam attack: 1.) in order to flood victim's mailbox with Cypherpunks' Welcome messages, and list postings, 2.) to re-direct victim's ire at the Cypherpunks list, thereby killing 2 birds with 1 stone. Hence, the "Death Penalty" may be jumping the gun, so to speak. ;) Not sure how one would go about looking into this, though. -H From jleonard at divcom.umop-ap.com Thu Apr 18 12:50:45 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Fri, 19 Apr 1996 03:50:45 +0800 Subject: Spaces in passwords In-Reply-To: <199604171543.LAA05427@jekyll.piermont.com> Message-ID: <9604181538.AA16305@divcom.umop-ap.com> > Ben Rothke writes: > > Do spaces (ASCII 20) in passwords make them less secure? > > Of course not. In a normal Unix password, adding spaces to the > password search space increases the search space, so it necessarily > makes the search harder. The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space. So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many? > .pm Jon Leonard From rah at shipwright.com Thu Apr 18 13:13:17 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 19 Apr 1996 04:13:17 +0800 Subject: e$: The CDA and Mrs. G vs. the MTB and Mr. T. -- SINless DBCs? Message-ID: <v02120d00ad9c0028b86f@[199.0.65.105]> --- begin forwarded text Comments: Authenticated sender is <rah at shipwright.com> From: rah at shipwright.com (Robert Hettinga) To: "e$" <e$@thumper.vmeng.com> Date: Wed, 17 Apr 1996 19:47:19 -0400 Subject: e$: The CDA and Mrs. G vs. the MTB and Mr. T. -- SINless DBCs? Reply-to: rah at shipwright.com CC: Priority: normal Sender: postmaster at thumper.vmeng.com Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- e$ Robert Hettinga The CDA and Mrs. G vs. the MTB and Mr. T. -- SINless DBCs? 4/17/96 Recently, Mark Twain Bank (MTB, for short) of St. Louis, Missouri, cancelled the ecash accounts of known pornographers. We haven't heard anything about this from Frank Trotter (Mr. T, for short), the bond trader who runs MTB's ecash program, or anybody else at the bank, for that matter, and it dawns on me today that we shouldn't really expect to. MTB is completely within its rights, as any bank is, to refuse an account to anyone, for any reason whatsoever, except where required *not* to do so by statute. Now, there's a paradox, yes? Fortunately, we don't have to do too much tweaking to get an underwriting system for digital bearer certificates (DBCs, for short) which gets us around around the current unpleasantness, one which scales nicely into a totally anonymous system, and which still allows heavily regulated (and censored) banks of deposit like MTB to profit quite well from cash-settled digital commerce on the internet. An interesting thing about this particular epsiode of self-censorship is that MTB did this *before* the Communications Decency Act (CDA) made offensive discourse -- of any kind, anywhere on the net -- illegal in the United States. As an aside, the CDA reminds me of the old chestnut about politically correct Cambridge (Massachusetts) during the first convulsions of second-hand-smoke mania: "In Cambridge, it's illegal to smoke in Boston." MTB, or its antecedants, has probably *always* cancelled a pornographer's bank account upon discovery, and has been doing this since long before *computers* existed, much less geodesic public networks. Rather than excoriate Mr. Trotter and company for bobbling the future, we should remember that Robert Heinlein's famous nosy-spinster next-door neighbor, Mrs. Grundy (Mrs. G, for short), *also* lives in Missouri. I spent middle-to-late adolescence there, and believe me, having moved late one July in the mid-1970's from Anchorage, AK to Ballwin, MO -- which I once likened to going from Haight-Ashbury to Happy Days in a single plane ride - -- I have first-hand knowlege. Mrs. Grundy, god bless her whalebone corset, is a pivotal fact of the universe in Missouri, which, also from personal experience, is a great place to be, er, from. Don't get me wrong. I mean, some of my best friends are from Missouri. I just wouldn't let my daughter move there. Anyway, as a bank of deposit, MTB does *lots* of business with Mrs. Grundy, thank you very much, and, frankly, it does a *lot* more business with Mrs. Grundy than it does with the net. Frank is following the imperatives of his market, and, he is no fool. Lots of moneypunks out there would say that this only highlights the need for more issuers of ecash, in locations safe from government interference, where they can issue digital cash certificates to whomever they choose. This is, of course, the concept of jurisdiction-shopping, or, as Eric Hughes likes to call it, "regulatory arbitrage". I've been giving this some thought, lately. Advocates of jurisdiction shopping forget, of course, that there is no real bandwith, much less competitive free-market bandwidth, in places like Vanuatu, or the Cayman Islands, or probably even Leichtenstein. *.li domains are more likely to get bandwidth faster than the Small Island Nation (SIN, of course ;-)) of one's dreams. If we lived here, we'd be home now. The market, in it's current state, is efficient. Big drag. On the other hand, statists argue that nation-states should pass legislation (so, what else is new...) saying that issuers of digital cash should not be liable for the acts of people using their product. After all, we don't restrict the sale of cars to known bank-robbers, do we? Actually, I've used a straw man here, though a necessary one, as there are more f*ckingstatists out there than there are eL33t mone$ypunk d00ds. Almost by definition, there's no legislative constituency for digital cash, so legislation mandating its liberal issuance sounds more than a little silly. Ecash is under the regulatory radar for the moment, probably because the market is virtually nonexistant. Regulatory stipulation of ecash non-liability actually puts yet another's camel's nose under the tent of banking freedom, which is what we're really fighting for here, right? No need to put one nose there before its time... What moneypunks and (imaginary) statists fail to realize is something that lots of cypherpunks, particularly Eric -- and Tim May -- have been saying all along. The problem should be solved, not by laws, or even regulatory arbitrage, but by cryptographic protocol. That way, it doesn't matter *where* the bank is, or *who* its customers are. Unfortunately, even though we have Eric's great open books idea, so that we might be able to anonymously audit an anonymous bank's books, and we have good hope of location-blinding someday, with things like web-proxies and maybe even IP-spoofing, it doesn't seem like we're really there yet. There's another problem, though. What happens when a previously-secret bank is exposed for the feelthy porno-grubbing perverts that they really are? Enter Mrs. Grundy. We're back to square one, or, more properly, in a low-bandwidth SIN (heh...). Someday, when we have truly anonymous banks, probably through some combination of SINs-with-bandwidth and strong two-way anonymity, legal or not, all of what I'm about to say will be moot. In the meantime, I have a quick-and-dirty fix, using what we have now. The trick is to use the right kinds of organizational entities to do the right things, and stay under the regulatory radar as long as possible. That is, until SINs-with-bandwidth exist and force the issue. By then, the digital bearer certificate market will be too big to control by state-sanctioned force, we hope. To do this, I will, for the final time (Really. Honest to god. I'll include it by URL-reference next time. ;-)), trot out my current world-according-to-Hettinga market model for digital bearer certificates. This won't hurt a bit. Really. Well, maybe just a *little*... Remember, we're talking about a many-to-many relationship between each type of entity below. In addition, anyone who sells something is assumed to have competition. In fact, the more there are of any given entity, the more robust a given DBC market would be. Finally, there's nothing new here to anyone who knows how securities are presently issued, except that the intermediaries (like exchanges, market makers, etc.) can be much smaller and more decentralized, because lower net-borne transaction processing and distribution costs reduce barriers to entry. It ain't rocket science, folks. 1. Protocol Designers. People like Chaum, Shamir (MicroMint), etc., who develop cryptographic e$ protocols. 2. Underwriters. Markets, issues, and validates the DBCs they issue, in this case, ecash. Charges fees to ecash buyers, redeems ecash certificates at "par". Exchanges for other denominations or expired cash are probably free. In addition, underwriters should have some kind of cross-issuer clearing arrangement, so that certificates of the same type issued by different underwriters would look all the same to the user. This should be peer-to-peer, with their trustee (below) acting as trusted intermediary, settling exchanges off the net. They could also all agree to use a central clearinghouse, but that becomes a major failure-point for the entire system, and a possible target of Mrs. Grundy, or worse, her more er, avuncular, associate, the nation state, sometime in the future. Cross-issuer clearing could also be a non-issue with inter-certificate standards, enough bandwidth and the right kind of client software. 3. Trustees. Real-live banks of deposit. Each one has wire connections to SWIFT, probably to the ATM system, and holds the collateral account for the funds on the net. Responsible to the users of ecash, even though the users are anonymous. Pays seignorage (interest on the collateral account) to underwriters, maybe protocol designers. Charges account, transaction fees to same. Insert MTB, or an equivalent, here. 4. Buyers/Sellers. People who buy and sell stuff using ecash, on- or off- line. Merchants can be called a high-volume subclass of on-line users, and they probably have special software and relationships to issuers. 5. Software Developers. Develop and sell software to underwriters, trustees, buyers/sellers under license to designers, where necessary. My favorite transaction model for purchasing and redeeming ecash involves a waterb^h^h^h^h^h^h, er, secure web-page, a card-swiper, a trustee bank with a SWIFT and ATM link, and an underwriter. By the way, Goldberg, Shostack, Parekh(?), and the hardware guy who does HP-XXX crypto -- forgot your name, very sorry -- have some king-hell ideas for card-swipers that emulate floppy disks, both in hardware and software, and output an encrypted DOS-readable file to be read by whatever application needs it. They figured all this out, right there in front of me, between trips to the nosh table at the trade-show section of CFP96. I was so impressed, I bought their dinner later on. Talk to them about development rights. ;-). Anyway, the buyer goes to the underwriter's web-page, punches in the amount desired, swipes his ATM card and punches in his PIN. This information is read and encrypted by the card swiper, and is sent through the underwriter and the trustee, ala Cybercash, to the buyer's bank. The trustee gets a transaction confirmation to issue cash from the buyer's bank on the ATM network, just like an ATM machine does, to be settled on SWIFT later. The trustee then issues a confirmation to the underwriter, who issues the ecash, which is stored by the buyer until use. Redemption does the same thing in reverse. The neat thing about this business model is that it's not only robust -- Metcalfe's law talks about the value of a network being directly proportional to the numbers of nodes connected to it, and that certainly maps well to financial networks like this -- but *every one* of the players in it can eventually be anonymous on the net side. The relationship between the buyer of ecash and his off-net bank is probably biometrically identified, but that's what we have over there anyway, and it certainly that can be changed someday, SIN-wise, as soon as some fiber is pulled or the sattelites fly. The trustee bank cannot see who the buyer/redeemer is, because the transaction can be blinded through to the buyer's off-net bank. The underwriter certainly doesn't need to know anyone's identity on the net side, because of the blind signature protocol, or on the trustee side, because it can only get its financial ability to issue certificates from its trustee, who we've shown doesn't know who the money's from, either. To repeat, this can scale into a system where *nobody* has to know *anybody* to reliably transact business on a cash basis. Trustees, underwriters, protocol designers, buyers/sellers (transactants?), software developers: No one. The real beauty of this in the present environment, where Mrs. Grundy is such a "pivotal fact of the universe", is that the trustee bank, a bank of deposit like Mark Twain Bank, is abstracted completely away from transaction events. The only account Mark Twain has to deal with is a trustee account, one for each underwriter, and, if the underwriters have any sense about protecting their liability against key theft (Hello, Mr. Borenstein...), one for each underwriter's DBC issue, each issue with its own expiration date. This account sees nothing but debits and credits, irrespective of their pornographic content, for the day's traffic on and off the net. The bank can be in any current legal jurisdiction, for the time being, anyway, because it's just taking money on and off its books based on SWIFT and ATM transactions, just like any normal bank would do. The only difference is its network connections to its DBC underwriters, which are no different from it's other on-line connections, analog and digital, with all its other customers. Now, the ability to do this may change, especially if the volume of cash business on the net gets high enough for nation states to begrudge the seignorage being made by the bank and its customers this way, or, more likely, if the local Mrs. Grundy is FUDded by the media into banning cash-settled internet commerce on, heh, principal. Hopefully, by that time, maybe small island nations will have enough bandwidth. Or, better yet, utter two-way anonymity will allow banks to become invisable, at least as far their contacts with other entities on the net are concerned, which means they could again be anywhere, and functionally out of the reach of the law. Finally, as much as I'm rooting for Mr. T at MTB, he is still stuck doing business with Mrs. G, who may actually be on his board or management, and not just in his customer base. And, don't forget the legal consequences of a creatively-applied CDA. There is even a silly sod or two on the ecash email list at the moment, talking seriously about age-differentiated ecash, god help us all, not to mention the Mormon-from-hell who wants to us to include a minor-flag in IP packets, of all places. (I really suppose I *should* talk, as I'm all for sticking micromoney on packets to pay for routing them someday...) The point is, unless Mr. T can figure a way to financially unwind his underwriting role now, he's probably stuck as a combination underwriter/trustee, which actually has some advantages, one being the innecessity to report any information to the ecash userhood about actual contents of the ecash "mint" collateral account (Backed by the Full Faith and Credit of the Mark Twain Bank, of course...). But, it does him absolutely no good with regard to the aforementioned "grundiness": in his client base, on his board, or management heirarchy, or maybe even in his own moral paradigm, god bless *him*. However, it doesn't mean that somebody, or, better, lots of somebodies, can't step in and implement either side (but not both!), of the trustee / underwriter model, sidestepping the problem of Mrs. G completely. It also seems to me that doing this would be much easier if someone was a trustee exclusively, from scratch, but I may be wrong. So, I guess I'm hoping, possibly in vain, that someone at Digicash will wake up one morning and do what they did on the software side: get out of the manger with the other monopoly dogs like Microsoft, and break up the functionality of their business model some more, so that the more prosaic bovine entities of the banking world, i.e., institutional trustees (sorry, ladies...) can have their breakfast. I bet there are whole bunches of successful institutional trustee banks out there, who could hold hold the money while it's on the net, and, as long as they don't have to do much else with it except communicate electronic transaction confirmations back and forth to an underwriter, would love to do so. This kind of business is something they already understand quite thoroughly. If not, I bet there are more than a few pioneers out there who actually understand ecash and other DBC technologies, and would get into the business of being a trustee as their primary focus of business. Certainly Mr. T himself is an existence proof of that, his adventures in Grundyland notwithstanding. Also, turning scads of independent underwriters loose on the net to bash away at the problem of marketing cash-settlement digital commerce might do wonders for David Chaum's mortgage payments on that brand-new Digicash building. So, even though Mrs. Grundy currently has her bloomers in a bunch, CDA or no, and is letting Mr. T and MTB know all about it, Mr. T, or someone like him, can still save the day, for a while, anyway, with SINless DBCs. .....Which is the plaintext of the title, I believe... w5 ;-). Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXWCGvgyLN8bw6ZVAQFLrQP9EDRjyYuafbzjEhLOEk/BKDRUQD+Ucf4+ oS2JYV4ooVzBDjIwQxrKH2+RH4SbEMIEpq2+pPpRMin0PJEol5XP5QxtOsYZz37I U6J1qpvk4v+LkA+8v+9oIQSuXAynN6Lagn5I8ZTLf2eZY/bWDVezEbEwKHYrmluw WKYASgw3B64= =/Ojq -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From rah at shipwright.com Thu Apr 18 13:32:35 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 19 Apr 1996 04:32:35 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" Message-ID: <v02120d0bad9c18862796@[199.0.65.105]> At 1:37 AM 4/18/96, Pat May wrote: > > Crypto relevance: This attack will be eliminated when more mail > agents support public key crypto and the mailing list software can be > modified to check signatures on subscription requests. In my ongoing quest for net.buckyness I sent a subscribe message to the synergetics-l list, and got back a password, which I had to use to actually subscribe. It looked like a majordomo hack of some kind... Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From declan+ at CMU.EDU Thu Apr 18 13:33:24 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 19 Apr 1996 04:33:24 +0800 Subject: GNU Version 0.01 (alpha) of KiddieFind is now available In-Reply-To: <199604180610.IAA27184@utopia.hacktic.nl> Message-ID: <IlRa1kG00YUv4Au5Np@andrew.cmu.edu> Excerpts from internet.cypherpunks: 18-Apr-96 GNU Version 0.01 (alpha) of.. by Anonymous at REPLAY.COM > I am going ahead and releasing an alpha version of KiddieFind a free > Unix implementation of LolitaWatch. Everything is under the GPL, so > the source code is free, hack on it all you want ... I forwarded this to my fight-censorship list with a comment prepended saying that this showed how dangerous the government's proposal was. I've already received on query from an editor at a respected magazine asking me for more information, saying that KiddieFind and the Under18 bit "looks like a good story." :) -Declan From gnu at toad.com Thu Apr 18 13:54:26 1996 From: gnu at toad.com (John Gilmore) Date: Fri, 19 Apr 1996 04:54:26 +0800 Subject: auto-spam of c'punks list Message-ID: <199604181635.JAA27485@toad.com> Someone or something bogusly subscribed a bunch of people to the cypherpunks list. Please don't post any more messages running down the "newbies". None of these people subscribed; they were victims of a nasty prank. I just removed 237 people from the c'punks and c'punks-announce lists who appear to have been subscribed by email forgery. I probably missed a few. For the folks who are getting this message and who don't want to be on the cypherpunks list(s), it's easy to unsubscribe. Send email to: majordomo at toad.com that contains these lines: unsubscribe cypherpunks unsubscribe cypherpunks-announce Sorry for any hassle, John From lzirko at isdn.net Thu Apr 18 14:09:53 1996 From: lzirko at isdn.net (Lou Zirko) Date: Fri, 19 Apr 1996 05:09:53 +0800 Subject: Clueless Newbee Problems Fw: Re: Fw: CWD-Pool Cool Message-ID: <199604181631.LAA04089@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit This included message was sent to me privately from one of your accounts. It was a reply from a message that I sent to the cypherpunks list, which resides on toad.com. Do you think that you might `instruct` your user on proper netiquette in these areas. I have included all headers for you benefit. Looking forward to your prompt action. Thanks, Lou Zirko - -----Begin Included Message ----- X-POP3-Rcpt: lzirko at rex Return-Path: dvallance at InfoAve.Net Received: from pacs02.infoave.net (pacs02.InfoAve.Net [165.166.0.12]) by rex.isdn.net (8.7.5/8.7.3) with ESMTP id IAA01191 for <lzirko at isdn.net>; Thu, 18 Apr 1996 08:43:53 -0500 From: dvallance at InfoAve.Net Received: from dial-4.r3.scsumt.InfoAve.Net by InfoAve.Net (PMDF V5.0-5 #4800) id <01I3OJ118HTC90SSUA at InfoAve.Net> for lzirko at isdn.net; Thu, 18 Apr 1996 08:47:44 -0400 (EDT) Date: Thu, 18 Apr 1996 08:47:44 -0400 (EDT) Date-warning: Date header was inserted by InfoAve.Net Subject: Re: Fw: CWD-Pool Cool X-Sender: dvallance at mail.infoave.net To: Lou Zirko <lzirko at isdn.net> Message-id: <01I3OJ11RLCY90SSUA at InfoAve.Net> MIME-version: 1.0 X-Mailer: Windows Eudora Version 1.4.4 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7BIT PLEASE REMOVE ME FROM YOUR MAILING LIST. THANK YOU - ---- End of forwarded message ---- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMXZuSxKvccEAmlQ9AQG28wf+KRidWaEUkakCKI+KNaCfUZa49Ftjsdb+ MO5/HlcjQ/LjaKgTKs54NOJBO5yYtkELngHUU5gLK3BlsUiCljRqTI5Fvt0ozA2B aXJNU8MVJsXZbM8D1RWFQuWhhhsl1OpVfJsZVqCVy74jhPd59iB44FaEy6bW1Oup z9OZdANyxZdtayNAWacVAjq2QT68LL1M9uPrnl3PFUQu6Hqg5RJlOh1WYWsBvyjQ 1jjxvPBuc4fV0wxJe1UQ20BpscaRQVbw6f1NhSrgPBEsXYTtGDcMi0z6dRxtJUOd xEZpsJDQt9gAGka8ysSoapL8Dh0f2xeg6TQ1r/Y3J72dPo7wIYrZbA== =i9D5 -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Thu Apr 18 14:18:17 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Apr 1996 05:18:17 +0800 Subject: Cypherpunks Death Penalty for "take me of" messages? In-Reply-To: <199604181341.JAA08196@jekyll.piermont.com> Message-ID: <Pine.ULT.3.92.960418093925.9454A-100000@Networking.Stanford.EDU> On Thu, 18 Apr 1996, Perry E. Metzger wrote: > Eric Murray writes: > > > > I'd be willing to bet that a number of the 'unsubscrive' people > > we have been seeing lately have been subscrived by their "friends" > > and have never seen the "welcome to cypherpunks" list message, > > No. If you are subscribed against your will you DO see the "Welcome to > Cypherpunks" message. ...which they disregard as unsolicited spam. On my discussion lists, I put unsubscribe instructions in the message X-Headers (which the clueless won't see, but which non-clueless targets and their more clueful friends/administrators will); and on digests, they're prepended. -rich From jya at pipeline.com Thu Apr 18 14:31:46 1996 From: jya at pipeline.com (John Young) Date: Fri, 19 Apr 1996 05:31:46 +0800 Subject: ERR_not Message-ID: <199604181712.NAA02270@pipe2.nyc.pipeline.com> 4-12-96. Science: "Error-Correcting Codes Keeps Quantum Computers on Track" Commentary by Barry Cipra on Peter Shor's error-correction scheme for quantum systems (published last year in Phys Rev A) and his subsequent work with Rob Calderbank at AT&T Research on "quantum analogs of other more powerful codes that can correct multiple errors in long strings of bits." And cites work of others who are following Shor's lead -- Seth Lloyd at MIT, IBM, LANL, Oxford: "Quantum computers may be getting closer to reality." ERR_not From alex at crawfish.suba.com Thu Apr 18 14:42:35 1996 From: alex at crawfish.suba.com (Alex Strasheim) Date: Fri, 19 Apr 1996 05:42:35 +0800 Subject: plaugue of unsubscribes Message-ID: <199604181716.MAA00534@crawfish.suba.com> I've started sending mail to postmasters when I get one of those "take me off your list!" messages. I explain that the user is on a high volume list, that he wants off, but that he seems unwilling or unable to do it himself. He's harassing the members of the list, who don't have the ability to remove him, and he doesn't seem to be reading our replies to his "take me off!" messages, which tell him how to solve his problem. Then I ask the postmaster to explain how to get off the list to the user. These guys are abusing email, and since they don't read our mail, the postmaster is the only solution. Perhaps if a few of us start writing to the postmasters, they'll help the user figure out how to get off. From llurch at networking.stanford.edu Thu Apr 18 15:01:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Apr 1996 06:01:37 +0800 Subject: Clinton blathering about Internet In-Reply-To: <Pine.BSD.3.92.960418093626.2368O-100000@sashimi.wwa.com> Message-ID: <Pine.ULT.3.92.960418095309.9454D-100000@Networking.Stanford.EDU> [By the way, that ILF/SAC rant WAS a joke. It's disappointing how many people were trolled, but on the other hand, it taught me something about how I come across, and to be more careful.] On Thu, 18 Apr 1996, Tom Cooper wrote: > > To be fair, I don't see any blathering, just "expressions of concern." The > > blathering quote comes from the SPLC, not Clinton. > > > Get real dude. Of course it's blathering. Either he really is that stupid > or he's trying to appeal to people's ignorant fears about the Net as some > sort of Satanic gathering place, just to get reelected. You have extrapolated this from a sentence fragment taken from an off-the-cuff answer to a question from a Japanese reporter? Either you have a subtle mind indeed, or you're blathering, too. Remember that speech Clinton gave to the Association of Community Colleges where he blamed the Oklahoma bombing on talk radio hosts and called for censorship? Didn't happen. My friends in the NRA, and the occasional fund raising letter (I've been a member of the NRA for years), keep bringing up this speech for propaganda purposes, but it's much more a legend than a truth. http://docs.whitehouse.gov/white-house-publications/1995/04/1995-04-24-president-to-association-of-community-colleges.text | In this country we cherish and guard the right of free | speech. We know we love it when we put up with people saying things we | absolutely deplore. And we must always be willing to defend their right | to say things we deplore to the ultimate degree. But we hear so many | loud and angry voices in America today whose sole goal seems to be to try | to keep some people as paranoid as possible and the rest of us all torn | up and upset with each other. They spread hate. They leave the | impression that, by their very words, that violence is acceptable. You | ought to see -- I'm sure you are now seeing the reports of some things | that are regularly said over the airwaves in America today. | | Well, people like that who want to share our freedoms must | know that their bitter words can have consequences, and that freedom has | endured in this country for more than two centuries because it was | coupled with an enormous sense of responsibility on the part of the | American people. | | If we are to have freedom to speak, freedom to assemble, | and, yes, the freedom to bear arms, we must have responsibility as well. | And to those of us who do not agree with the purveyors of hatred and | division, with the promoters of paranoia, I remind you that we have | freedom of speech, too. And we have responsibilities, too. And some of | us have not discharged our responsibilities. It is time we all stood up | and spoke against that kind of reckless speech and behavior. This sounds like "fight speech you disagree with with more speech" to me. > > Clinton, though, is pushing the unconstitutional "anti-terrorism" bill, > > which is all blather, and worse, he's letting the Republicans add an > > unrelated rider that emasculates habeus corpus. I'd like to retract that "Republicans" bit. There are good Republicans and bad Republicans, as with any other group of people. I meant "pro-death penalty, anti-civil liberties wackos," of which there are a few in the Republican Party, but which do not represent the rank & file or even the balance of the GOP Congressional delegation. > Letting the Republicans? Clinton's on their side all the way. Not on habeus corpus. To refresh your memory, I'm talking about the amendment that seeks to curtail death-row appeals. Clinton has condemned it as irrelevant to the "anti-terrorism" bill, but that it's a compromise he can accept. He's wrong. -rich From frantz at netcom.com Thu Apr 18 15:05:30 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 19 Apr 1996 06:05:30 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604181813.LAA14894@netcom9.netcom.com> I suspect, that all of us, Perry included, will react the same way if we find that our one time pads read like "Hamlet", or equally likely, "The Comedy of Errors". That is, we will tear the source of the pad apart to find out why it isn't working. If we find that it IS working correctly, we will wish we had used that one truly magic[*] moment to buy tickets in as many lotteries as possible. * Probability much less than 10 ** -50 in the life of the universe. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stewarts at ix.netcom.com Thu Apr 18 15:16:48 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 19 Apr 1996 06:16:48 +0800 Subject: Spaces in passwords Message-ID: <199604181759.KAA29832@toad.com> >Ben Rothke writes: >> Do spaces (ASCII 20) in passwords make them less secure? > >Of course not. In a normal Unix password, adding spaces to the >password search space increases the search space, so it necessarily >makes the search harder. Depends on the space of ideas that are leading to your passwords. If the reason you're adding spaces is to separate an n-character word from the dictionary from a 7-n character word from the dictionary, this reduces the search space for a cracker considerably. At least pick random punctuation instead. On the other hand, if your password is a bunch of randomly chosen characters, having another character in the space doesn't hurt. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From SBinkley at atitech.ca Thu Apr 18 15:24:47 1996 From: SBinkley at atitech.ca (Scott Binkley) Date: Fri, 19 Apr 1996 06:24:47 +0800 Subject: EFF/Bernstein Press Release In-Reply-To: <60A0983A02502C79@-SMF-> Message-ID: <6BA0983A01502C79@-SMF-> >On the other hand, a virus is malicious speech, no? Sorta like libel or >fraud. You said bad and untrue things to the victim's computer and the >dimwitted OS believed it. > >Also this is impersonation. You spoke words that led the OS to think that >you were a legit user and, having its gained trust on false grounds, it lets >you do malicious things. Does this mean that an OS is legally considered an entity??? /sb From john at loverso.southborough.ma.us Thu Apr 18 15:41:46 1996 From: john at loverso.southborough.ma.us (John Robert LoVerso) Date: Fri, 19 Apr 1996 06:41:46 +0800 Subject: Unsubsrive Message-ID: <9876543210.ABCDEF@loverso.southborough.ma.us> Unsubsrive me! From andrew_loewenstern at il.us.swissbank.com Thu Apr 18 15:52:05 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 19 Apr 1996 06:52:05 +0800 Subject: NSA/Lotus public key (was Re: [IRS] Elvis in Escrow) In-Reply-To: <199604162254.PAA01128@netcom9.netcom.com> Message-ID: <9604181801.AA01102@ch1d157nwk> > I wonder, how much is NSA's secret key worth? You know, the > one they use to grab the extra key bits that Lotus Notes sends > them. Does anyone know how many bits it is? If it is 512 or less it may be a good candidate for a public key factoring. andrew From richieb at teleport.com Thu Apr 18 16:54:22 1996 From: richieb at teleport.com (Rich Burroughs) Date: Fri, 19 Apr 1996 07:54:22 +0800 Subject: plaugue of unsubscribes In-Reply-To: <199604181716.MAA00534@crawfish.suba.com> Message-ID: <Pine.SUN.3.92.960418115320.22861A-100000@linda.teleport.com> On Thu, 18 Apr 1996, Alex Strasheim wrote: > I've started sending mail to postmasters when I get one of those "take me > off your list!" messages. [snip] See John's message about the forged subscribes. It sounds like these folks may have never used a mailing list and didn't want to. Can't really blame them for being upset at receiving hundreds of pieces of email that they didn't ask for. What still confuses me is the number of people who asked to be "unsubscrived." Seems like an odd coincidence that all those folks would miss the B key. Some had done it severeal times in the same message. I wonder if they were totally set up -- if they got mail telling them to "unsubscrive." Some people's idea of fun boggles me... Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From frantz at netcom.com Thu Apr 18 17:28:03 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 19 Apr 1996 08:28:03 +0800 Subject: Spaces in passwords Message-ID: <199604181945.MAA22450@netcom9.netcom.com> >Ben Rothke writes: >> Do spaces (ASCII 20) in passwords make them less secure? > >Of course not. In a normal Unix password, adding spaces to the >password search space increases the search space, so it necessarily >makes the search harder. I used to recommend that passwords be a phrase of at least 15 characters. Spaces fall naturally into that model. If your spelling is as bad as mine, then your password is resistant to dictionary attacks. However, then I discovered that there are many brain damaged systems which restrict passwords to 8 characters. (e.g. IBM's VM/ESA, Netcom's UNIX) For those systems, I can only parrot the conventional wisdom, no words, include numbers and/or punctuation, no acronyms, include both upper and lower case, etc. etc. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From daw at cs.berkeley.edu Thu Apr 18 17:40:12 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Fri, 19 Apr 1996 08:40:12 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <960418025428_377757492@emout17.mail.aol.com> Message-ID: <4l660q$167@joseph.cs.berkeley.edu> In article <199604181352.JAA08215 at jekyll.piermont.com>, Perry E. Metzger <perry at piermont.com> wrote: > > If you eliminate all repeating byte sequences, such as 00 00 or 7F 7F, you > > will reduce your possible entropy by .07058% (7.99435 bits per byte), and > > eliminate the (astronomically remote) possibility of Hamlet or some other > > English text popping out of your RNG/PRNG. [...] > > Before making pronouncements like "You are still OK" you ought to > learn a bit more about cryptanalysis. [...] Then I propose the following scheme. (I've proposed it before.) My entropy cruncher takes in random noise from a number of diverse sources (some possibly of dubious quality). I take *all* the noise and run it through a hash function to distill entropy. Now I need to have some method to estimate when I have enough entropy in the random noise I'm crunching. First rule: be conservative. One can never have too much entropy in the input to the hash function. Therefore, I suggest making a *copy* of the input noise stream, running it through Jon Wienke's "this shouldn't happen" filter, and feeding the result to some entropy estimator. When the entropy estimator says "I've got 1000 bits of entropy", I stop crunching. This is conservative design, folks. Using Wienke's filter in this manner can't be any weaker than not using it at all. (agreed?) Now, you can go argue whether the extra design complexity is worth it, if you like. <shrug> P.S. To forestall confusion, let me be explicit about what I'm *not* proposing: I *don't* want you to apply Wienke's filter to the input or output of the hash function. Applying Wienke's filter to the random noise stream, to the input to the hash function, or to the output to the hash function, is clearly a bad idea. (The mathematician says "clearly", knowing full well that, unfortunately, some small part of the audience probably doesn't get it... <sigh>) This is what the "POTP" snake oil folks were proposing-- they had some "quality control" process they applied to the one-time pads they generated. I think they said they regularly eliminated 70% of the pads as "defective". This was supposed to be encouraging :-) If you don't understand why the POTP "quality control" process was laughable, let someone else design the entropy cruncher!!! From declan+ at CMU.EDU Thu Apr 18 17:42:08 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 19 Apr 1996 08:42:08 +0800 Subject: CDA Court Challenge: Update #8 (Last Day of Testimony) Message-ID: <AlRdBxW00YUvMAuDVT@andrew.cmu.edu> ----------------------------------------------------------------------------- The CDA Challenge, Update #8 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this update: BYU/CMU's Olsen testifies that "-L18" won't harm the Net Judges realize Olsen is a weasel Chief Judge Sloviter's incisive questions Who is Donna Rice? A DoJ attorney can't stop laughing... Closing arguments now set for May 10 April 18, 1996 PHILADELPHIA -- The U.S. Department of Justice doesn't like the way the Communications Decency Act is written. During the the testimony that ended April 15 in Philadelphia's Federal court, we've started to see the DoJ's legal strategy emerge -- and it includes attempts to redefine the CDA. The DoJ's star witness was the amazingly prudish Dan "I'm offended by four-letter words" Olsen, who said that his plan to have service providers card users and tag 'em as adults or minors is a fabulous way to go. But this shifts the burden of protecting kids from smut onto ISPs, a proposal that Congress rejected when they included "good faith" defenses in the law. Olsen, who will fit in just fine when he takes a job this summer as an administrator at censorhappy Carnegie Mellon University, also kept pushing the other half of his plan that would require all "patently offensive" online content be tagged "-L18." On Monday, the DoJ's very own attack-ferret Jason Baron asked Olsen: "Your proposal would not have an adverse effect on the Net as a whole? Olsen deadpanned: "Absolutely not!" This isn't surprising. To Olsen, the Internet is just a bunch of geeks who want to keep everyone else out of their own little world. When U.S. Third Circuit Court of Appeals Chief Judge Dolores Sloviter asked him if his "-L18" system would develop side-by-side with PICS, Olsen replied: "If technical people were left to themselves, it would be likely to happen. I don't think this is true here. Internet people don't like other people telling them what to do. They're afraid of the FCC. They don't want anyone else messing in their pond." +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ JUDGES REALIZE OLSEN IS A WEASEL +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ Even the judges could tell that Olsen is a weasel. The three judges hearing our challenge to the CDA were unsympathetic to the Brigham Young University computer scientist and pinned him down for almost an hour as he tried to slime away from direct questions. Judge Stewart Dalzell is the most net-savvy judge on the panel and the only one with young kids, so I'm guessing they're helping him to grok the Net. He asked Olsen what would happen if U.S. citizens automatically cache overseas material, including "indecent" files. Again Olsen tried to weasel away from the hypothetical, but Dalzell would have none of it: "You assumed away my question." The DoJ witness grumpily admitted: "I'd turn the cache off." Some of Dalzell's questions were stellar: "Assume a chat group is talking about the CDA -- students from 13 to 18. In the course of the chat, an 18-year-old is exasperated and types in 'Fuck the CDA.' Is it your proposal that he should tag that '-L18?'" Not hesitating, Olsen said: "Yes." On the fight-censorship mailing list I maintain, Mark Stein writes: Judge Dalzell was paraphrasing closely from Cohen v. California, a seminal case in which the Supreme Court overturned the conviction of a man who was arrested for wearing a jacket with "Fuck The Draft" painted on the back. This Olsen fellow's a government witness, you say? Sounds like he's working for us. Some of Dalzell's other questions were equally fab: "If in one issue of the Economist the word 'fuck' appears, the library [putting it online] would have to go through the entire text of the issue?" Olsen replied: "Somebody would have to make this screening. Somebody would have to make this judgement." (Later he invented the idea of libraries banding together to pool resources to make these decisions. I could feel the hackles of the American Library Association folks rising. I swear, Olsen makes up these mind-fucks on the fly.) Remember Judge Buckwalter? I wrote about him in my first CDA Update, saying that he was the least comfortable with our cybersuit: In an incomprehensible decision last month, Judge Ronald Buckwalter granted us only a _partial_ restraining order preventing the Feds from enforcing the CDA. Now he's justifying his original mistake by taking a critical stance during this hearing... Buckwalter has come around. Last Friday his comments indicated he was starting to understand the issue. His questions to Olsen on Monday showed that he finally "gets it": Q: If the creator of the material doesn't buy into your system, it creates a big problem... Does this mean plaintiff's proposal makes more sense? A: No. There are different types of proposals... Q: On your declaration, determining which are adults, you don't address economic claims? A: I only address if it's technically possible. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ CHIEF JUDGE SLOVITER'S INCISIVE QUESTIONS +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ Chief Judge Sloviter's questions were the most incisive -- like Dalzell, she admitted to doing a bit of out-of-court net surfing. She asked Olsen if "children would be blocked from accessing parts of museum collections?" Olsen admitted they would. Some other questions from Sloviter: Q: Would [your -L18 proposal] contain the seeds that the government can do the blocking? Once everything is tagged as -L18, would that facilitate any one entity saying this material should not go out on the Internet? A: Possibly. Q: Can you think of any time in our history where we have blocked material in advance? A: Yes, every editor in every newspaper does this every day. Q: But in an organized manner? A: Every editor in every newspaper does this every day. The EFF's Mike Godwin says: That Sloviter asked this question is incredibly important -- it shows that she recognizes that compliance with the Communications Decency Act would amount to a complex system of prior restraints. Even among those who disagree strongly about the scope of the First Amendment, there is little disagreement about the general prohibition of prior restraints on publication -- the only generally acknowledged exception to this prohibition is the "national security" exception (publication of troop movements during time of war and the like). In previous obscenity/indecency cases, it has long been established that prior restraints on publication are impermissible. The strangest point of the day came after Olsen testified that a PICS-style third-party rating system would "slow the flow." (This was a snide reference to Vanderbilt Professor Donna Hoffman's testimony about how uninterrupted "flow" was important while web-surfing.) Sloviter then asked him how an adult would show -L18 tagged materials to a mature child. Olsen replied that a "teacher or parent could log on." Sloviter parried: "Wouldn't that slow the flow?" At this point, Olsen began to discharge a series of short, staccato bursts of high-pitched giggles, sounding like a rabbit being tortured to death. Damnedest thing I ever saw. The audience stared in horror. Basically, the DoJ fucked up with this witness. Olsen was such a censorhappy nut and so delighted with his "-L18" scheme that the court realized it went too far -- that it was obviously unconstitutional. In other words, he was our best witness. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ WHO IS DONNA RICE? A DOJ ATTORNEY CAN'T STOP LAUGHING... +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ I would have loved to have been in Washington, DC when Grey Flannel Suit -- AKA AFSADAFOSICCI* Howard Schmidt -- was deposed on April 1. Imagine an entire business day filled with nothing but talk of cyberporn, with everyone trying to be serious and lawyerly. Some representative samples, from page 244 of Grey Flannel's deposition: A: The next one, the same [screen] with panties.jpg reflects the image that appears on the screen after clicking on Panties. A: The next one, the same [screen] with boobs.jpg reflects the image that appears on the screen after clicking on Boobs. A: And the next one is cunnilingus.jpg, which reflects the image that comes onto the screen by clicking on Cunnilingus. But my fave part was when former party girl and ex-No Excuses jeans model Donna Rice-Hughes was mentioned. In the past year, Rice-Hughes has leveraged her fame from the Gary Hart presidential campaign into a budding career as a morality crusader at the anti-porn group "Enough is Enough!" Read on for an excerpt from page 282 of Grey Flannel's deposition... Q: Are you acquainted with Kathleen Cleaver? A: No, I'm not. Q: Have you ever heard that name? A: It does not ring a bell, no. Q: Are you acquainted with Bruce Taylor? A: Not that I'm aware of, no. Q: Are you acquainted with Donna Rice? A: The name Donna Rice rings a bell it seems, but I don't know from what. [The ACLU attorneys and Pat Russotto from the DoJ can't stop laughing.] DoJ's Tony Coppolino: "I'll explain later." ACLU's Margorie Heins: "It's a honest answer." ACLU's Chris Hansen: "Even Pat couldn't remain serious through that." DoJ's Tony Coppolino, trying again: "I'll explain later!" * AFSADAFOSICCI = Air Force Special Agent, Director of the Air Force Office of Special Investigations, Computer Crime Investigations +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ CLOSING ARGUMENTS NOW SET FOR MAY 10 +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ The closing arguments for our case now are scheduled for May 10, with April 29 as the deadline for submitting our findings of fact and conclusions of law -- a lengthy collection of documents that will include everything we believe we've proved in our case. (Closing arguments were pushed up to early May since we didn't feel a need to call any rebuttal witnesses. After all, we had Olsen!) Our attorneys and the DoJ each will present two hours of closing arguments on May 10, though the timeframe is flexible. The three-judge panel likely will issue a decision three or four weeks later, and appeals will go directly to the Supreme Court. What will the Philly court decide? Bruce Taylor, the president of the National Law Center for Children and Families, told me that he's "confident" the court will uphold the indecency portions of the CDA. However, the former Federal prosecutor said he's "worried that the court may accept some of the technical or infeasibility arguments" against the law. I'm sure we'll talk more about it on May 9, when I'll be on a panel at the University of Pennsylvania with Taylor and Cathy Cleaver. Fortunately, one of the strongest aspects of our case is that we're correct. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on May 10 for closing arguments. Quote of the Day: "We teach them proper principles and let them govern themselves." -Prophet Joseph Smith Mentioned in this CDA update: CDA Update #6, with details on Dan Olsen's "-L18" proposal: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2143> Brock Meeks on 4/12 and 4/15 hearings: <http://www.hotwired.com/netizen/96/16/index1a.html> Mark Eckenwiler's report on the recent CDA forum at Cornell University: <http://fight-censorship.dementia.org/fight-censorship/dl?num=2226> CDA forum at the University of Pennsylvania, scheduled for May 9: <http://dolphin.upenn.edu/~fatf/cda-forum.html> IETF draft of "Internet Philosophy" article: <ftp://ds.internic.net/internet-drafts/draft-iab-principles-02.txt> Net-Guru David Reed's article: "CDA may pervert Internet architecture": <http://fight-censorship.dementia.org/fight-censorship/dl?num=2093> Censored by the CDA <http://www.iuma.com/Cyborgasm/> Dan Olsen at BYU <http://www.cs.byu.edu/info/drolsen.html> Fight-Censorship list <http://fight-censorship.dementia.org/top/> BYU's censorship policy <http://advance.byu.edu/pc/releases/guidelines.html> Rimm ethics critique <http://www.cs.cmu.edu/~declan/rimm/> Int'l Net-Censorship <http://www.cs.cmu.edu/~declan/zambia/> CMU net-censorship <http://www.cs.cmu.edu/~kcf/censor/> University censorship <http://joc.mit.edu/> Grey Flannel Suit <howardas at aol.com> Carl Kadie's CAF site <http://www.eff.org/CAF/> Blue Ribbon T-Shirts <http://www.fqa.com/romana/blueribbon.html> This report and previous CDA Updates are available at: <http://fight-censorship.dementia.org/top/> <http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/> <http://www.epic.org/free_speech/censorship/lawsuit/> To subscribe to the fight-censorship mailing list for future CDA updates and related discussions, send "subscribe" in the body of a message addressed to: fight-censorship-request at andrew.cmu.edu Other relevant web sites: <http://www.eff.org/> <http://www.aclu.org/> <http://www.cdt.org/> <http://www.ala.org/> ----------------------------------------------------------------------------- From jimbell at pacifier.com Thu Apr 18 17:49:52 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 19 Apr 1996 08:49:52 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <m0u9zGu-0008yfC@pacifier.com> At 09:52 AM 4/18/96 -0400, Perry E. Metzger wrote: > Its tiny little statistical toeholds like that which permit breaks. True, as far as it goes. But I see an even bigger threat to password security. Yesterday, I subscribed to the New York Times Net News service. It asked me to select a username, and a password. Obviously, smart people are not going to the same password on multiple systems that they expect might be exchanging information, but we all know that reality is that people DO this, especially on systems they don't initially expect a great deal of security on. The problem is that a service like that (or a BBS operator, etc) at least as a passing chance of figuring out a person's password, or the password itself is a clue as to what kind of keyspace to search. (Upper case only? mixed? Only text? Spaces used? Etc.) Besides that, the password is probably passed in the clear. I think what is needed is a system to transform a password (perhaps by hashing, then perhaps encryption) so that the BBS/other service receives no useful information as to the password, or the method used to select the password, or for that matter the length of the password. Jim Bell jimbell at pacifier.com From trask at goodnet.com Thu Apr 18 17:53:10 1996 From: trask at goodnet.com (Christian Odhner) Date: Fri, 19 Apr 1996 08:53:10 +0800 Subject: Cybercash vs Mark Twain Digicash? Message-ID: <Pine.SOL.3.91.960418123002.2012A-100000@goodguy> Hello. I've been off the list for quite a while now, so I'm not up to date on the current ecash schemes. My company (a major internet service provider with a lot of web advertising clients) is looking into which digital cash method would be best to support for use on our customer's web pages. The head of the web department has taken a look at several, and is torn between Mark Twain's stuff and Cybercash. I was wondering if people who have looked at these systems could give me a rundown on the major differences. I know that Mark Twain is nice and secure (or at least I *think* I know that) but Cybercash is signifigantly easier to use. Any comments would be welcome, and to keep list volume down (I assume it's still as busy as ever) I'd be happy to recieve replies via direct email, and sumarize for the list. Happy Hunting, -Chris Odhner - GoodNet - From jad at dsddhc.com Thu Apr 18 18:08:18 1996 From: jad at dsddhc.com (John Deters) Date: Fri, 19 Apr 1996 09:08:18 +0800 Subject: EFF/Bernstein Press Release Message-ID: <2.2.32.19960418195209.00393610@labg30> >On Thu, 18 Apr 1996, Mark Neely wrote: > >> Well, that puts legislation making virus authoring a crime >> into a new (and difficult) position. My understanding is that it isn't illegal to author a virus, but it certainly would be to release it. Preventing someone from writing a virus would be prior restraint, which is a big no-no with lots of precedent. See the excellent page at EFF for a discussion on prior restraint: http://www.eff.org/pub/Legal/Cases/sjg_neidorf_eff.summary (Oooh, how's that you net.legal.beagles, citing web pages instead of cases?) So, you'd be able to write all the viruses you wanted. Turn 'em loose? Well, then you've stepped in it. -- J. Deters >From our _1996_Conflict_of_Interest_Statement_, re: our No Gift policy: "If you receive any alcoholic beverages, for example, a bottle of wine, you must give the gift to your location Human Resources Manager." This memo is from the Senior V.P. of Human Resources. +---------------------------------------------------------+ | NET: jad at dsddhc.com (work) jad at pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) | | PGP Key ID: 768 / 15FFA875 | +---------------------------------------------------------+ From stewarts at ix.netcom.com Thu Apr 18 18:15:25 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 19 Apr 1996 09:15:25 +0800 Subject: math patents Message-ID: <199604181959.MAA02651@toad.com> At 09:46 AM 4/16/96 -0800, jim bell <jimbell at pacifier.com> wrote various amusing paranoid conspiracy theory :-) about software patents. I tend to agree that the concept is bogus, and it's further aggavated by the Patent Office's technical incompetence in the area which has led to granting of patents for things that are well covered by prior art and obviousness to skilled practitioners. However. The first software patent, AFAIK, was Dennis Ritchie's setuid patent from Unix. I'm not sure when it was granted, but it must have been applied for a couple years before Diffie-Hellman was developed. Unlike RSA, where it's fun to talk about RSA/PKP/etc.'s evil conspiracy with the government (in spite of the foreign citizenship of one of them and some amusing uncooperativeness that's let them pull off when threatened) but it's way bogus to argue that in the case of Whit Diffie (I don't know Hellman.) While PKP did acquire the Stanford patents for a while, they weren't the ones who applied for them and didn't form for a while after they were granted. Remember that RSA was developed a couple of years after DH. >I am still mystified, however! If I understand the thrust of the legal >cases you cited, purely mathematical algorithms are still not patentable, >yet the patents on public-key cryptography are about the most purely >mathematical ones that could be imagined. They are not an element in the >process, they ARE the process. The patents are carefully written to make it clear that the process is "protecting private data" rather than "Crunching numbers in some mathematically interesting way." >Patents would not have prevented the Russians from using RSA, nor any other >foreigners, so as far as I can see the only group of people impaired by the >RSA patent were American citizens as a group. (Other than Canadians..) The reason that RSA isn't patentable in other countries isn't because the US is the only place that permits algorithm patents (many countries do, and even provide more than US; e.g. IDEA is patented in Switzerland.) It's because most other countries don't grant patents after publication, and because of the major FUD that the NSA cast over cryptographic research in the 70s and 80s, it's been necessary to publish the theory before applying for patents - if you do it the other way around, the NSA can slam patent secrecy orders on your patent applications, like they did even for a wimpy analog scrambler for CB radio in the late 70s (which _was_ clearly done to impair American access to crypto..) > # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From sfarr.SAF at worldnet.att.net Thu Apr 18 18:21:43 1996 From: sfarr.SAF at worldnet.att.net (steven farr) Date: Fri, 19 Apr 1996 09:21:43 +0800 Subject: No Subject Message-ID: <199604182010.UAA03402@mailhost.worldnet.att.net> unscribe sfarr.SAF at worldnet.com Steven A Farr From sfarr.SAF at worldnet.att.net Thu Apr 18 18:22:00 1996 From: sfarr.SAF at worldnet.att.net (steven farr) Date: Fri, 19 Apr 1996 09:22:00 +0800 Subject: unscribe Message-ID: <199604182010.UAA03407@mailhost.worldnet.att.net> unscribe sfarr.SAF at worldnet.att.net please take me off your mailing list Steven A Farr From wulf at horvendile.getty.edu Thu Apr 18 19:36:18 1996 From: wulf at horvendile.getty.edu (Wulf Losee) Date: Fri, 19 Apr 1996 10:36:18 +0800 Subject: [NOISE] Toast Fishing in America Message-ID: <199604182054.NAA01475@horvendile.Getty.EDU> On Wed, 17 Apr 1996, David K. Merriman wrote: > If Microsoft made toasters... > They'd put the slots on the side, the actuator on top, make the > cord too short, and design it to only run properly on 177V, 41Hz. Then > they'd declare the toaster to be the new industry standard. and the toasters would download your toasting habits and preferences to Microsoft HQ... --Wulf From adam at lighthouse.homeport.org Thu Apr 18 20:13:19 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 19 Apr 1996 11:13:19 +0800 Subject: NSA/Lotus public key (was Re: [IRS] Elvis in Escrow) In-Reply-To: <9604181801.AA01102@ch1d157nwk> Message-ID: <199604182150.QAA04527@homeport.org> Andrew Loewenstern wrote: | > I wonder, how much is NSA's secret key worth? You know, the | > one they use to grab the extra key bits that Lotus Notes sends | > them. | | Does anyone know how many bits it is? If it is 512 or less it may | be a good candidate for a public key factoring. Legally, I don't know that they can export software that handles keys longer than 512 bits. Wait! I forgot! They are the brute squad. More seriously, if they did export an API (even a private one) that can handle keys longer than 512 bits, perhaps we could find that out and publish information on using the NSA-strength crypto from Notes applications. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From ses at tipper.oit.unc.edu Thu Apr 18 20:49:54 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 19 Apr 1996 11:49:54 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604181813.LAA14894@netcom9.netcom.com> Message-ID: <Pine.SOL.3.91.960418160244.3843E-100000@chivalry> On Thu, 18 Apr 1996, Bill Frantz wrote: > I suspect, that all of us, Perry included, will react the same way if we > find that our one time pads read like "Hamlet", or equally likely, "The > Comedy of Errors". That is, we will tear the source of the pad apart to > find out why it isn't working. If we find that it IS working correctly, we > will wish we had used that one truly magic[*] moment to buy tickets in as > many lotteries as possible. Much the same feeling I had when I got a royal flush playing for matchsticks :-) --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From inetannc at microsoft.com Thu Apr 18 20:53:46 1996 From: inetannc at microsoft.com (Microsoft Internet Announcements) Date: Fri, 19 Apr 1996 11:53:46 +0800 Subject: Announce: new Microsoft CryptoAPI mailing list Message-ID: <c=US%a=_%p=msft%l=RED-89-MSG-960418231845Z-2436@tide21.microsoft.com> CryptoAPI on listadmin at lists.msn.com CryptoAPI is a mailing list (discussion list) for Microsoft Cryptographic API (CryptoAPI), which provides services that enable application developers to add cryptography to their Win32 applications. For more information about CryptoAPI, see <http://www.microsoft.com/intdev/>. You can subscribe to the regular mailing list or a digest version. To subscribe, send e-mail to listAdmin at lists.msn.com with the following text in the message body (not subject line): subscribe CryptoAPI your at email.address or digest CryptoAPI your at email.address where <your at mail.address is your actual e-mail address. To unsubscribe, send e-mail to listAdmin at lists.msn.com with the following text in the message body (not subject line): unsubscribe CryptoAPI your at email.address To send a message to the subscribers of the list, send e-mail to CryptoAPI at lists.msn.com. From hfinney at shell.portal.com Thu Apr 18 21:11:33 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 19 Apr 1996 12:11:33 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604182255.PAA13373@jobe.shell.portal.com> From: daw at cs.berkeley.edu (David Wagner) > My entropy cruncher takes in random noise from a number of diverse > sources (some possibly of dubious quality). I take *all* the noise > and run it through a hash function to distill entropy. > > Now I need to have some method to estimate when I have enough entropy > in the random noise I'm crunching. First rule: be conservative. > One can never have too much entropy in the input to the hash function. > > Therefore, I suggest making a *copy* of the input noise stream, > running it through Jon Wienke's "this shouldn't happen" filter, and > feeding the result to some entropy estimator. When the entropy > estimator says "I've got 1000 bits of entropy", I stop crunching. > > This is conservative design, folks. Using Wienke's filter in this manner > can't be any weaker than not using it at all. (agreed?) I see two problems with this. The first is whether this mysterious black box, the entropy estimator, is really possible. In practice the only way to know how much entropy you've gotten is to have a model for how the data is being generated, and to deduce from that an estimate of the entropy rate. So the entropy estimator can't be a general-purpose calcluation, but it must be one which is specifically chosen, developed and tuned for the specific source of entropy you are dealing with. Given this, what is the point of filtering? You already have a model. If you want to be conservative, why not just take 50% more bits than your model says you needed? The other problem is the functioning of this filter. I haven't followed Jon's proposals closely, but at one point he was talking about histogramming the input and throwing out data which he had seen too often. Now this is an implicit model as well - it assumes that the data is supposed to be uniformly distributed on a per-byte (or whatever the data elements are) basis. Suppose your random noise from dubious sources includes some timing values which vary in the range 90-110, roughly normally distributed. You have good reason to believe that it actually is a normal distribution, and that there are 2 or 3 good bits of entropy per sample. If you didn't use Jon's filter you could just collect data, hash it, and figure that each datum gave you this much entropy. But now if you throw Jon's filter in there, it may start throwing out all the values in the range 90-110. Where are the 0-80's?, it wonders. Where are the 120's and up? There are way too many 100's here! If the filter isn't smart about the data like your model is, it could end up throwing the whole data set out. Your entropy counter would be spinning its wheels waiting for more data, and you'd think you never got enough. So I think the lesson is that there is only one way to estimate entropy, and that is to study your source. I have to agree with Perry that this filtering concept is not the way to go. It is a red herring that lures you in the direction of automatic entropy estimation, and that is really not safe. Hal Finney From grafolog at netcom.com Thu Apr 18 21:15:00 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Fri, 19 Apr 1996 12:15:00 +0800 Subject: [Explanation] Re: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604180537.WAA01617@gulch.spe.com> Message-ID: <Pine.3.89.9604182348.A4671-0100000@netcom8> On Wed, 17 Apr 1996, Patrick May wrote: > Crypto relevance: This attack will be eliminated when more mail > agents support public key crypto and the mailing list software can be > modified to check signatures on subscription requests. Isn't that what PGPDomo does? xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From unicorn at schloss.li Thu Apr 18 21:18:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 19 Apr 1996 12:18:20 +0800 Subject: Unsubsrive In-Reply-To: <9876543210.ABCDEF@loverso.southborough.ma.us> Message-ID: <Pine.SUN.3.91.960418194153.14355D-100000@polaris.mindport.net> On Thu, 18 Apr 1996, John Robert LoVerso wrote: > Unsubsrive me! > > Per request by unicorn at schloss.li "add john at loverso.southborough.ma.us clueless" 'john at loverso.southborough.ma.us' was ADDED to the 'clueless' mailing list. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From wombat at mcfeely.bsfs.org Thu Apr 18 21:18:37 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Fri, 19 Apr 1996 12:18:37 +0800 Subject: [NOISE]Re: Welcome to Express! In-Reply-To: <199604180841.CAA04544@billygoat.xor.com> Message-ID: <Pine.BSF.3.91.960418192815.603E-100000@mcfeely.bsfs.org> Please unsuscrive toasterpunks On Thu, 18 Apr 1996, Express wrote: > Dear Guest: > > Merci! and thank you for registering. At Express Online, your user > name is "cypherpu" and your password is "cypherpunks". > Merde. Vat ist dis? Mein dachshund ist kaput. > To enter the world of Express, use this user name/password combination. > Please save this record for future reference, so you can always > download the latest news from Express on fashion, shopping, travel, > music and more. > Please to send 5000 bass-o-matics to Adam's house. See archive for address. From andrew_loewenstern at il.us.swissbank.com Thu Apr 18 21:48:19 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 19 Apr 1996 12:48:19 +0800 Subject: (Fwd) RE: Noise Sphere in Java In-Reply-To: <199604182239.SAA27684@unix.asb.com> Message-ID: <9604182348.AA00455@ch1d157nwk> Deranged Mutant writes: > Noise spheres will show certain correlations in the data. It > doesn't mean that the RNG is crypto-usable if it looks good. > But if it looks bad then you know to be suspicious.... "Statistical tests cannot find good (P)RNG's, only bad ones." This has been said before in various ways on the list, but it is worth repeating... andrew From jleonard at divcom.umop-ap.com Thu Apr 18 22:00:07 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Fri, 19 Apr 1996 13:00:07 +0800 Subject: Spaces in passwords In-Reply-To: <Pine.BSF.3.91.960418190151.603B-100000@mcfeely.bsfs.org> Message-ID: <9604182350.AA16910@divcom.umop-ap.com> Rabid Wombat wrote: > On Thu, 18 Apr 1996, Jon Leonard wrote: > > > > The exception to this is when you may be overheard typing a password. > > The space bar sounds different, and an attacker who knows you've used > > a space has a significantly smaller search space. > > > > So I usually recommend avoiding space, @, #, and control characters > > when generating passwords. Have I missed any or gotten too many? > > Why would you want to avoid #, @, etc. ? Space sounds different, # is sometimes backspace, @ is sometimes kill-line, and control characters often do strange things. Those are the only characters I avoid, though. For example, if you're using a teletype to change your password on a UNIX system (or it _thinks_ you _might_ be using one), and use a password of "O&]z at d#4", you've just set your password to "4". Control characters are worse: ^S to lock your terminal, ^D to disconnect -- no fun. > I have a hard enough time getting lusers to choose non-dictionary > passwords that they can *remember* - one technique is to teach sub-100 > i.q. types to use two words, seperated by a #,@, etc., with a number > tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of > being remembered without writing it on a sticky note and pasting it to > the @#%&ing monitor. It's hard. I'd really rather have longer pass{words,phrases} so that there's the potential for lots of entropy without requiring line-noise for passwords. Jon Leonard From perry at piermont.com Thu Apr 18 22:05:40 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 13:05:40 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <960418184409_378088479@emout09.mail.aol.com> Message-ID: <199604190035.UAA08733@jekyll.piermont.com> JonWienke at aol.com writes: > [Slightly ad hominem PSA deleted] > > 1. If "cooking" a byte sequence in a manner that reduces its maximum entropy > by less than 1% allows an attacker to break your cryptosystem, then it is > crap to begin with. With only a little more effort, he could break it > anyway. I would suggest that you look at differential and linear cryptanalysis to learn what a tiny little statistical toehold will give you. My "ad hominem PSA" stands. I suggest people not trust Mr. Wienke's pronouncements. He appears to be suffering from significant hubris. Perry From jimbell at pacifier.com Thu Apr 18 22:10:59 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 19 Apr 1996 13:10:59 +0800 Subject: math patents Message-ID: <m0uA47y-00091hC@pacifier.com> At 12:54 PM 4/18/96 -0700, Bill Stewart wrote: From blancw at microsoft.com Thu Apr 18 22:34:28 1996 From: blancw at microsoft.com (Blanc Weber) Date: Fri, 19 Apr 1996 13:34:28 +0800 Subject: FW: EARN $350 PER DAY!!! Message-ID: <c=US%a=_%p=msft%l=RED-81-MSG-960419011341Z-18898@tide21.microsoft.com> I received the message below today, addressed to me. Notice the info at the bottom. I didn't follow the instructions. But this could be what some people are receving which prompts them to send "unsuvscrive messages". .. Blanc >---------- >From: communicate at earthlink.net[SMTP:communicate at earthlink.net] >Sent: Thursday, March 28, 1996 1:09 PM >Subject: EARN $350 PER DAY!!! > > If you would like to earn up to $350 per day... call >1-800-545-0341!! > > You can earn $350 per day giving away a product every business needs > and are paying up to $3,000 for. > > Help us expand our client base as the Corporation prepares to go >public > with the release of a State of the Art Software Program for the >Internet! > > This is a CAREER opportunity, not a get rich quick scheme or MLM > offer. If you are a career oriented bright professional, with a >desire to > become financially successful in the 90's, then we will provide you > with the product that No One can say no to. We Provide training; a > great support staff and average earnings of over $1,500 per week. > > Full and Part-time opportunities available! > > CALL TODAY > > 1-800-545-0341 > > ----------------------------------------------------------------------- >----------------------------- > Our records indicate that you may be qualified for this dynamic >position. If not, > just reply and type REMOVE in the SUBJECT heading and your name will > promptly be deleted from any future career opportunities with our >organization. > ----------------------------------------------------------------------- >----------------------------- > > From llurch at networking.stanford.edu Thu Apr 18 23:32:37 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Apr 1996 14:32:37 +0800 Subject: Announce: new Microsoft CryptoAPI mailing list (fwd) Message-ID: <Pine.ULT.3.92.960418163349.12497B-100000@Networking.Stanford.EDU> You read it here first. Or is this not really new? I'm approving three or four more MS announcements to comp.os.ms-windows.announce now. ---------- Forwarded message ---------- Date: Thu, 18 Apr 1996 16:15:06 -0700 From: Microsoft Internet Announcements <inetannc at microsoft.com> To: "'Comp.os.ms-windows.announce Moderator'" <win-announce at metrics.com> Cc: Microsoft Internet Announcements <inetannc at microsoft.com> Subject: Announce: new Microsoft CryptoAPI mailing list CryptoAPI on listadmin at lists.msn.com CryptoAPI is a mailing list (discussion list) for Microsoft Cryptographic API (CryptoAPI), which provides services that enable application developers to add cryptography to their Win32 applications. For more information about CryptoAPI, see <http://www.microsoft.com/intdev/>. You can subscribe to the regular mailing list or a digest version. To subscribe, send e-mail to listAdmin at lists.msn.com with the following text in the message body (not subject line): subscribe CryptoAPI your at email.address or digest CryptoAPI your at email.address where <your at mail.address is your actual e-mail address. To unsubscribe, send e-mail to listAdmin at lists.msn.com with the following text in the message body (not subject line): unsubscribe CryptoAPI your at email.address To send a message to the subscribers of the list, send e-mail to CryptoAPI at lists.msn.com. From unicorn at schloss.li Thu Apr 18 23:34:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 19 Apr 1996 14:34:40 +0800 Subject: your mail In-Reply-To: <199604182010.UAA03402@mailhost.worldnet.att.net> Message-ID: <Pine.SUN.3.91.960418194241.14355E-100000@polaris.mindport.net> On Thu, 18 Apr 1996, steven farr wrote: > unscribe sfarr.SAF at worldnet.com > Steven A Farr Per request by unicorn at schloss.li "add sfarr.saf at worldnet.att.net clueless" 'sfarr.saf at worldnet.att.net' was ADDED to the 'clueless' mailing list. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From JonWienke at aol.com Thu Apr 18 23:35:29 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 19 Apr 1996 14:35:29 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <960418184409_378088479@emout09.mail.aol.com> In a message dated 96-04-18 15:05:51 EDT, Perry Metzger writes: >Before making pronouncements like "You are still OK" you ought to >learn a bit more about cryptanalysis. Its tiny little statistical >toeholds like that which permit breaks. I don't know for sure, but my >intuition says that there may very well be instances in which a couple >of little nicks like that into the entropy of a key are sufficient to >radically lower the time to crack something. Since there are far >better techniques available (hash distillation, for instance) for >assuring the quality of a random stream, Jon's suggested techniques >should be regarded as unnecessary and dangerous. [Slightly ad hominem PSA deleted] 1. If "cooking" a byte sequence in a manner that reduces its maximum entropy by less than 1% allows an attacker to break your cryptosystem, then it is crap to begin with. With only a little more effort, he could break it anyway. 2. All I was trying to say was that applying cooking technique X to a byte sequence will reduce the maximum entropy of the sequence by a factor of Y; adjust entropy expectations accordingly. I said nothing about the origin of the byte sequence, the techniques used to generate it, or the exact method for "cooking" it. I did not recommend against using hash distillation, hardware RNG's, or any other commonly accepted method of generating cryptographically useful random or pseudo-random numbers. Jonathan Wienke From WlkngOwl at unix.asb.com Thu Apr 18 23:38:19 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 19 Apr 1996 14:38:19 +0800 Subject: (Fwd) RE: Noise Sphere in Java Message-ID: <199604182239.SAA27680@unix.asb.com> On 18 Apr 96 at 11:13, Hal wrote: [..] > There was a post on cypherpunks a few days ago claiming that the output > of "pgp +makerandom=2000 rand.pgp", which uses the PGP internal RNG, > showed visible structure in the output of a noise sphere program. I > tried modifying Chuck's Java version and ran it with data from pgp > +makerandom, and it looked fine to me. Hm. I didn't see that post... (I wonder if he plotted an ASCII file... or I suspect a troll?) > However, that isn't very meaningful, because I find the that program > output looks fine even with Chuck's version, which is using the Java > internal RNG, a LCM from Knuth. Specifically the Java code is: [..] A lot of bad PRNGs look good with noise spheres.... but what I found while experimenting with them was data based on timer drift samplings that passed a variety of randomness tests but showed up with very clear patterns on a noise sphere... so I made the original post to the list and sci.crypt about it. Noise spheres will show certain correlations in the data. It doesn't mean that the RNG is crypto-usable if it looks good. But if it looks bad then you know to be suspicious.... a visual image makes a clear point better than analyzing a lot of numbers on a page. By no means should it be relied upon as a sole test. [..] > see it. Oh, sometimes I can almost convince myself I'm seeing structure, > but it is never repeatable from run to run. And I see as much with the > output of pgp. Particularly when the graph is sparse you can see some > clumping, but I think it is just random noise. > If the noise sphere can't even reject an LCM RNG, it doesn't sound > that useful to me for crypto purposes. If you see definite spirals and loops then it's more than random noise. It doesn't pass or reject anything. It plots data. If the data shows *definite* patterns, you can reject the RNG. If not, use more sophisticated tests. [..] > at right angles to this. Because polar coordinates are not uniform in > space, the points are clustered along the north-south axis inside the > globe. You can see this in the views, where the upper right view should [..] That's probably what the poster to c'punks wrote about... *sigh* Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From wombat at mcfeely.bsfs.org Thu Apr 18 23:38:57 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Fri, 19 Apr 1996 14:38:57 +0800 Subject: Spaces in passwords In-Reply-To: <9604181538.AA16305@divcom.umop-ap.com> Message-ID: <Pine.BSF.3.91.960418190151.603B-100000@mcfeely.bsfs.org> On Thu, 18 Apr 1996, Jon Leonard wrote: > > Ben Rothke writes: > > The exception to this is when you may be overheard typing a password. > The space bar sounds different, and an attacker who knows you've used > a space has a significantly smaller search space. > > So I usually recommend avoiding space, @, #, and control characters > when generating passwords. Have I missed any or gotten too many? > Why would you want to avoid #, @, etc. ? I have a hard enough time getting lusers to choose non-dictionary passwords that they can *remember* - one technique is to teach sub-100 i.q. types to use two words, seperated by a #,@, etc., with a number tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of being remembered without writing it on a sticky note and pasting it to the @#%&ing monitor. - r.w. From brucem at wichita.fn.net Thu Apr 18 23:51:17 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Fri, 19 Apr 1996 14:51:17 +0800 Subject: plaugue of unsubscribes In-Reply-To: <199604181716.MAA00534@crawfish.suba.com> Message-ID: <Pine.BSI.3.91.960418223537.4560B-100000@wichita.fn.net> On Thu, 18 Apr 1996, Alex Strasheim wrote: > I've started sending mail to postmasters when I get one of those "take me > off your list!" messages. Yes, as you have probably already read, my postmaster received such a message from you about my supposed lack of knowledge when it comes to unsubscribing. He had quite a good laugh before asking me whether I had removed my brain while reading mail.. BTW, I returned the favor with the above mentioned response to your initial letter. Please be more careful in the future. Bruce Marshall From john at loverso.southborough.ma.us Thu Apr 18 23:56:59 1996 From: john at loverso.southborough.ma.us (John Robert LoVerso) Date: Fri, 19 Apr 1996 14:56:59 +0800 Subject: Unsubsrive In-Reply-To: <Pine.SUN.3.91.960418194153.14355D-100000@polaris.mindport.net> Message-ID: <199604190010.UAA03256@loverso.southborough.ma.us> > On Thu, 18 Apr 1996, John Robert LoVerso wrote: > Unsubsrive me! Ha ha. Very funny forgery. The fool who forged the "unsubsrive" in my name wasn't even clever. He left his calling card all over the message: Received: by sturgeon.coelacanth.com (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) for cypherpunks at toad.com; id AA0833; Thu, 18 Apr 96 14:23:07 -0400 Please undo your [collective] dirty work. John From mixmaster at remail.ecafe.org Thu Apr 18 23:57:03 1996 From: mixmaster at remail.ecafe.org (Ecafe Mixmaster Remailer) Date: Fri, 19 Apr 1996 14:57:03 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604171641.JAA26692@atropos.c2.org> Message-ID: <199604190345.EAA04240@pangaea.hypereality.co.uk> > From: sameer at c2.org > > > I think the "clueless" mailing list is a must at this point. > > clueless at c2.org/majordomo at c2.org > > subscribe idiots as necessary. But... will it have any traffic? How will people know they are on the list if they ignore the original subscription confirmation? From perry at piermont.com Fri Apr 19 00:07:33 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 15:07:33 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <4l660q$167@joseph.cs.berkeley.edu> Message-ID: <199604182325.TAA08657@jekyll.piermont.com> David Wagner writes: > Therefore, I suggest making a *copy* of the input noise stream, > running it through Jon Wienke's "this shouldn't happen" filter, and > feeding the result to some entropy estimator. When the entropy > estimator says "I've got 1000 bits of entropy", I stop crunching. > > This is conservative design, folks. Using Wienke's filter in this manner > can't be any weaker than not using it at all. (agreed?) Unfortunately, I think his filter puts too high a bound on the entropy. Put it this way: I think he's only giving you an upper bound. Furthermore, he's using his technique because he's using spinners as RNGs, which I have a substantial fear of. However, you are correct that this mechanism is no worse than not using it at all. However, it doesn't substitute for doing a thorough systems analysis to try to figure out how much entropy there actually is in your source. Thus, to summarize, yes, I agree with your strict statement that using the filter this way is not weaker than not using it at all, but I'm not sure it is worthwhile in this case because it isn't sufficient. > Applying Wienke's filter to the random noise stream, to the input to > the hash function, or to the output to the hash function, is clearly > a bad idea. Agreed. > (The mathematician says "clearly", knowing full well that, unfortunately, > some small part of the audience probably doesn't get it... <sigh>) Sad but true. Perry From stevenw at best.com Fri Apr 19 00:26:16 1996 From: stevenw at best.com (Steven Weller) Date: Fri, 19 Apr 1996 15:26:16 +0800 Subject: Eudora Mac Pro 3.0 Message-ID: <v01540b01ad9c8d2cb5d3@[206.86.1.35]> >From the list of new features: New Translation Services API: this is a programming interface that will make it easier for other software applications to simply plug into Eudora Pro software, opening up a whole new world of uses for e-mail. For example, natural language translation products that can translate a message from English to some other language. Another example is a security application that could automatically encrypt/decrypt your messages. Interesting.... http://www.qualcomm.com/quest/mac30B.html ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From perry at piermont.com Fri Apr 19 00:31:18 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 19 Apr 1996 15:31:18 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604182255.PAA13373@jobe.shell.portal.com> Message-ID: <199604190041.UAA08754@jekyll.piermont.com> Hal writes: > The first is whether this mysterious black box, the entropy estimator, > is really possible. In practice the only way to know how much entropy > you've gotten is to have a model for how the data is being generated, > and to deduce from that an estimate of the entropy rate. So the entropy > estimator can't be a general-purpose calcluation, but it must be one > which is specifically chosen, developed and tuned for the specific source > of entropy you are dealing with. I couldn't possibly say that better. Its the central point. > So I think the lesson is that there is only one way to estimate entropy, > and that is to study your source. I have to agree with Perry that this > filtering concept is not the way to go. It is a red herring that lures > you in the direction of automatic entropy estimation, and that is really > not safe. Thank you; you are making the point far better than I did. .pm From anonymous-remailer at shell.portal.com Fri Apr 19 00:49:23 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Fri, 19 Apr 1996 15:49:23 +0800 Subject: (Fwd) Message-ID: <199604190412.VAA12784@jobe.shell.portal.com> ------- Forwarded Message Follows ------- Date: Thu, 18 Apr 1996 10:01:03 -0500 From: Al Thompson <alt at iquest.net> To: Multiple recipients of list NEWS <NEWS at AEN.ORG> Subject: (Check out this excerpt from the recent committee report on S735. Here's the header info. -AT) [Congressional Record: April 17, 1996 (Senate)] [Page S3454-S3478] >From the Congressional Record Online via GPO Access [wais.access.gpo.gov] TERRORISM PREVENTION ACT--CONFERENCE REPORT The Senate continued with the consideration of the conference report. (A bunch deleted. Here's one of the interesting parts -AT) Mr. BIDEN. Mr. President, what I would like to speak to in an indirect way covers this. We have had several votes on wiretaps, and I know people are asking why am I introducing the other wiretap provision that was taken out of the Senate bill. The reason I am is I refuse to believe that, if you all hear this enough, you will not eventually decide to do the right thing on this. The provision that I have proposed is not original with me. It was in the Senate bill that we passed. The provision would add a number--the bill we have before us, the conference report--would add a number of terrorism-related offenses to the law. I will go into those in a minute. What I have sent to the desk, if adopted, would instruct the conferees to add the same number of offenses that we are adding to the bill, to the law, to those categories of things for which the Government, with probable cause, can get a wiretap. It was in the Senate bill as introduced by Senators Hatch and Dole. It was part of the terrorism bill reported out of Representative Hyde's Judiciary Committee. Unfortunately, by the time the bill had made it to the House, the provision was dropped. I think it is worth talking a moment about how a wiretap statute works, the one that is in place now in the law, for it seems there is a lot of misunderstanding about it these days. I am repeating myself again to eliminate the misunderstanding. As some people tell it, you would think the FBI and BATF and the local and State police are tapping our phones left and right, that they are riding down the streets in vans with electronic devices eavesdropping into our windows and houses--which they have the capacity to do, by the way. From brucem at wichita.fn.net Fri Apr 19 01:40:17 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Fri, 19 Apr 1996 16:40:17 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research (fwd) In-Reply-To: <Pine.LNX.3.91.960418150232.28138A-100000@leghorn.fn.net> Message-ID: <Pine.BSI.3.91.960418213846.27687B-100000@wichita.fn.net> Please tell your user (Alex Strasheim <cp at proust.suba.com>) to be more careful in responding to messages to ensure that they are received by the correct site postmaster. *I* was not the one requesting off the list. I was merely the person the original poster happened to reply to with their plea to remove *them* from the cypherpunks mailing list. > ---------- Forwarded message ---------- > Date: Thu, 18 Apr 1996 00:24:15 -0500 (CDT) > From: Alex Strasheim <cp at proust.suba.com> > To: postmaster at fn.net > Subject: Re: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research (fwd) > > Please tell your user that he can unsubscribe by sending the message > > unsubscribe cypherpunks > > to majordomo at toad.com > > Posting messages like the ones he's been posting to cypherpunks don't do > any good -- none of the people reading them can unsubscribe him. > > > Forwarded message: > > From cypherpunks-errors at toad.com Thu Apr 18 00:12:51 1996 > > Date: Wed, 17 Apr 1996 18:08:25 -0700 (PDT) > > From: Leslie Farnsworth <leslie at koalas.com> > > To: Bruce Marshall <brucem at wichita.fn.net> > > cc: cypherpunks at toad.com > > Subject: Re: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research > > In-Reply-To: <Pine.BSI.3.91.960417083229.17657A-100000 at wichita.fn.net> > > Message-ID: <Pine.LNX.3.91.960417180811.3310E-100000 at koalas.com> > > MIME-Version: 1.0 > > Content-Type: TEXT/PLAIN; charset=US-ASCII > > Sender: owner-cypherpunks at toad.com > > Precedence: bulk > > > > take me of your emailing list From llurch at networking.stanford.edu Fri Apr 19 01:42:08 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 19 Apr 1996 16:42:08 +0800 Subject: DANGER! Baby-Food Bombs on the Internet! [was Re: (Fwd)] In-Reply-To: <199604190412.VAA12784@jobe.shell.portal.com> Message-ID: <Pine.ULT.3.92.960418213819.12497L-100000@Networking.Stanford.EDU> On Thu, 18 Apr 1996, the intrepid anonymous-remailer at shell.portal.com FUDded to cypherpunks: > [Congressional Record: April 17, 1996 (Senate)] > [Page S3454-S3478] [fascinating but probably out-of-context remarks from Biden, suggesting that we should all don our tin-foil hats in fear of the FBI rabdar vans, deleted] I cannot find the referenced remarks. Assuming the selection is accurate, it is abundantly clear that Binden continued speaking beyond where you so ominously chose to cut him off. Could you give me a *specific* URL? Or a way to get static page number URLs? I can only figure out how to search http://thomas.loc.gov/ and get temp URLs. I *did* read Biden's *highly entertaining* comments on the contentious Internet Baby Food Bomb Issue, from the conference report mentioned by the redoubtable Mr. Anonymous. Thanks so much for pointing me to this debate; it almost makes still being in my office worthwile. Does anyone know the documents that Senator Biden is quoting? I *must know* how to build The Dreaded Baby-Food Bomb. **I AM NOT MAKING THIS UP. THIS IS YOUR UNITED STATES SENATE AT WORK.** >From the April 17th Congressional Record, what page I unfortunately cant tell you, because Thomas and/or I suck: Mr. BIDEN. Mr. President, I yield myself such time as I may use within the limit of the time I have. This provision is very straightforward and simple. It is beyond me why it was taken out of the Senate version of the language that was sent to the House. I have heard many colleagues stand up on the floor here and rail against pornography on the Internet, and for good reason. Even when we thought we had corrected the language that Senator Exon introduced to comport with the first amendment, I still hear in my State, and I hear of people writing about how so and so is promoting pornography on the Internet because they will not ban pornography on the Internet. Yet, in the bill, we came along--all of us here--and the genesis of this came from Senator Feinstein, when it was initially offered. The majority leader, Senator Hatch, and I had some concerns with this, and we thought the language to ban teaching people how to make bombs on the Internet or engage in terrorist activities on the Internet might violate the first amendment. Senators Dole, Hatch, and I worked to tighten the language and came up with language that was tough and true to civil liberties. It was accepted by unanimous consent. We have all heard about the bone-chilling information making its way over the Internet, about explicit instructions about how to detonate pipe bombs and even, if you can believe it, baby food bombs. Senator Feinstein quoted an Internet posting that detailed how to build and explode one of these things, which concludes that `If the explosion don't get'em, the glass will. If the glass don't get'em, the nails will.' I would like to give you a couple of illustrations of the kinds of things that come across the Internet. This is one I have in my hand which was downloaded. It said, `Baby food bombs by War Master.' And this is actually downloaded off the Internet. It says: These simple, powerful bombs are not very well known, even though all of the materials can be obtained by anyone (including minors). These things are so-- I will delete a word because it is an obscenity. powerful that they can destroy a CAR. The explosion can actually twist and mangle the frame. They are extremely deadly and can very easily kill you and blow the side of a house out if you mess up while building it. Here is how they work. This is on the Internet now. It says: Go to Sports Authority or Herman's Sport Shop and buy shotgun shells. It is by the hunting section. At the Sports Authority that I go to you can actually buy shotgun shells without a parent or an adult. They don't keep it behind the glass counter, or anything like that. It is $2.96 for 25 shells. And then it says: Now for the hard part. You must cut open the plastic housing of the bullet to get to the sweet nectar that is the gun powder. The place where you can cut is CRUCIAL. It means a difference between it blowing up in your face or not. Then there is a diagram, which is shown as to how to do that on the Internet. Then it says: You must not make the cut directly where the gun powder is, or it will explode. You cut it where the pellets are. And then it goes through this in detail. And then it gets to the end, and it says: Did I mention that this is also highly illegal? Unimportant stuff that is cool to know. And then it rates shotgun shells by two numbers, gauge, pellet size, and goes into great detail. It is like building an erector set. It does it in detail. -rich From steve at edmweb.com Fri Apr 19 02:39:02 1996 From: steve at edmweb.com (Steve Reid) Date: Fri, 19 Apr 1996 17:39:02 +0800 Subject: Legality of Crypto in Canada? In-Reply-To: <199604181959.MAA02651@toad.com> Message-ID: <Pine.BSF.3.91.960418225122.2533A-100000@kirk.edmweb.com> > >Patents would not have prevented the Russians from using RSA, nor any other > >foreigners, so as far as I can see the only group of people impaired by the > >RSA patent were American citizens as a group. > (Other than Canadians..) The reason that RSA isn't patentable in other > countries isn't because the US is the only place that permits > algorithm patents (many countries do, and even provide more than US; "Other than Canadians"? Exactly what is the legal status of RSA and other crypto algorithms in Canada? My understanding of ITAR is, crypto software can be exported from the USA into Canada, but even in Canada, it remains under US ITAR laws. But what about the patent laws? Do RSA and/or IDEA have patent strings attached up here? Bottom line: Are there any potential problems with me using the international version of PGP (2.6.3i) up here in Canada? What about distributing it? Most of the legal info I see on the net about crypto in Canada only mentions Canada in the context of "US/Canada". :-/ ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From declan+ at CMU.EDU Fri Apr 19 04:10:53 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 19 Apr 1996 19:10:53 +0800 Subject: "STOP SENDING ME THIS SHIT" In-Reply-To: <199604171641.JAA26692@atropos.c2.org> Message-ID: <4lRliVy00YUv1nTLZr@andrew.cmu.edu> Excerpts from internet.cypherpunks: 19-Apr-96 Re: "STOP SENDING ME THIS S.. by Ecafe M. Remailer at remail > But... will it have any traffic? How will people know they are on > the list if they ignore the original subscription confirmation? I subscribed to Sameer's "clueless" list yesterday and haven't seen any posts so far. :( -Declan From pmonta at qualcomm.com Fri Apr 19 05:09:03 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Fri, 19 Apr 1996 20:09:03 +0800 Subject: why compression doesn't perfectly even out entropy Message-ID: <199604190607.XAA17848@mage.qualcomm.com> Perry Metzger writes: > > 1. If "cooking" a byte sequence in a manner that reduces its > > maximum entropy by less than 1% allows an attacker to break your > > cryptosystem, then it is crap to begin with. With only a little > > more effort, he could break it anyway. > > I would suggest that you look at differential and linear cryptanalysis > to learn what a tiny little statistical toehold will give you. > > My "ad hominem PSA" stands. I suggest people not trust Mr. Wienke's > pronouncements. He appears to be suffering from significant hubris. No, he's correct; cryptanalytic schemes like those you mention rely on statistical toeholds *in the context of a deterministic cipher algorithm*. For one-time pads that are "cooked" or "screened" (and I agree that it's a silly thing to do), the toehold is much weaker, infinitesimal in fact. For example, suppose we take 1024-bit blocks from a physical RNG (which we'll agree is "good", has entropy close to 1024 bits, whatever that means). There are 2^1024 such blocks. Obtain one and apply the magical test---if the block fails, toss it in the bit bucket. Suppose, conservatively, that half the sequences fail. The cryptanalyst now knows that the plaintext cannot be ( failed_pad xor ciphertext ) for any of the 2^1023 failed_pads. Thus, it must be one of the other 2^1023. This is the *only* toehold he gets. Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From raph at cs.berkeley.edu Fri Apr 19 05:39:11 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Fri, 19 Apr 1996 20:39:11 +0800 Subject: Eudora Mac Pro 3.0 In-Reply-To: <v01540b01ad9c8d2cb5d3@[206.86.1.35]> Message-ID: <317727E9.A3A2824@cs.berkeley.edu> Steven Weller wrote: > > From the list of new features: > > New Translation Services API: this is a programming interface that will make it > easier for other software applications to simply plug into Eudora > Pro software, > opening up a whole new world of uses for e-mail. For example, > natural language > translation products that can translate a message from English to > some other > language. Another example is a security application that could > automatically > encrypt/decrypt your messages. > > Interesting.... > > http://www.qualcomm.com/quest/mac30B.html Yep. This is the real thing. Qualcomm seems quite serious about making sure that real encryption is widely available in the Eudora world, without adversely affecting their ability to export Eudora itself. I've exchanged PGP/MIME messages with the people at Qualcomm who developed a plug-in for this API. It worked great the first try. I was impressed. The PGP/MIME plugin is based on Apple Events communicating with MacPGP, which isn't perfect, but it's probably the best that's possible until either PGP 3.0 gets its act together or someone else implements PGP message formats. Raph From steve at aztech.net Fri Apr 19 06:25:27 1996 From: steve at aztech.net (Steve Gibbons) Date: Fri, 19 Apr 1996 21:25:27 +0800 Subject: Spaces in passwords Message-ID: <009A110B.0F384760.631@aztech.net> # > I have a hard enough time getting lusers to choose non-dictionary # > passwords that they can *remember* - one technique is to teach sub-100 # > i.q. types to use two words, seperated by a #,@, etc., with a number # > tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of # > being remembered without writing it on a sticky note and pasting it to # > the @#%&ing monitor. # It's hard. I'd really rather have longer pass{words,phrases} so that there's # the potential for lots of entropy without requiring line-noise for passwords. One of the ideas that I've been kicking around in the back of my head for a while for stronger, easier to uses user authentication goes something like this: 1) User enters a pass-phrase. 2) System "tokenizes" the pass-phrase. The tokenization would probably include a normalization step: condensing white-space and punctuation, standardizing the casing of words, perhaps even going so far as converting 3133+ speak to something readable. Once normalized, the pass-phrase would be parsed, and tokenized. It would be useful to have a large system-wide dictionary, sorted by how common a given word or group of words is normally used in the most commonly used languages that the system's users speak/write. Any word or group of words found in the dictionary would be converted to a number, representing its position in the dictionary, and the significant bits of that number are concatenated to a running bit string. Words and tokens not found in the dictionary would pass through some other algorithm that I haven't thought too much about, yet. 3A) System examines the tokenized pass-phrase against another (probably _very_ large) dictionary of common phrases for acceptability. (maybe just comparing the hashes of the phrases [smaller dictionary]) System also examines the "length" of the tokenized pass-phrase for acceptability (for pass-phrase changes.) 3B) System hashes the tokenized pass-phrase, and compares it against the previously stored hash (for authentication.) [ Standard crypt(3) stuff ] Ignoring the fact that strong one-time-passwords are orders of magnitude better, what would something like this buy you? 0) "Good" pass-phases should be more difficult to brute-force or inteligently attack than simple (8 or 16 byte) passwords. [ rm /usr/local/bin/crack ] 1) Pass-phrases are generally easier to remember than system-generated passwords. [ no more post-its pasted to screens or hidden under keyboards with passwords written on them. ] 2) Pass-phrases can be a pain to type in correctly, the normalization step should help in this regard. [ happier users ] 3) Enforcement of selecting good pass-phrases is difficult. This scheme addresses _some_ of the issues involved. [ The next generation of 'crack' won't have a foothold - happier security officers. ] This message has been sponsored by off-the-cuff, back-of-the-brain, and poorly-thought-out; comments and suggestions/improvements are welcomed. -- Steve at AZTech.Net From ddt at lsd.com Fri Apr 19 11:34:53 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sat, 20 Apr 1996 02:34:53 +0800 Subject: no help for the clueless Message-ID: <v03006601ad9d2fc751ae@[192.187.167.52]> Sameer, I submit that the "info" command should be implemented with a little ReadMe for clueless "subscrivers"... this is part of the idea, right? dave ................................. cut here ................................. >Date: Fri, 19 Apr 1996 04:38:16 -0700 (PDT) >To: ddt at lsd.com >From: Majordomo at c2.org >Subject: Majordomo results: info clueless > >-- > >>>>> info clueless >#### No info available for clueless. >>>>> >>>>> From perry at piermont.com Fri Apr 19 11:42:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 20 Apr 1996 02:42:08 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604190607.XAA17848@mage.qualcomm.com> Message-ID: <199604191221.IAA11773@jekyll.piermont.com> Peter Monta writes: > No, he's correct; cryptanalytic schemes like those you mention rely > on statistical toeholds *in the context of a deterministic cipher > algorithm*. For one-time pads that are "cooked" or "screened" (and > I agree that it's a silly thing to do), the toehold is much weaker, > infinitesimal in fact. Please learn what the context of the discussion was before commenting. It was not about using cooked streams for one time pads. Furthermore, I suggest you look up the Venona intercept work and tell me again about how far an advesary will go with a tiny toehold. .pm From MBSFT-0K at carraig.ucd.ie Fri Apr 19 11:50:14 1996 From: MBSFT-0K at carraig.ucd.ie (MBSFT-0K) Date: Sat, 20 Apr 1996 02:50:14 +0800 Subject: Unsubsrive Message-ID: <587A16036@carraig.ucd.ie> > Unsubsrive me! > > Lorca Kelly MBSFT-0K at carraig.ucd.ie From gnu at toad.com Fri Apr 19 12:08:41 1996 From: gnu at toad.com (John Gilmore) Date: Sat, 20 Apr 1996 03:08:41 +0800 Subject: Here's the judge's decision in the Bernstein case Message-ID: <199604190802.BAA11461@toad.com> [Forgive the scannos in the interest of speed. This is also at http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/960415.decision] UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA DANIEL J. BERNSTEIN, | No. C-95-0582 MHP | Plaintiff, | OPINION | vs. | | UNITED STATES DEPARTMENT OF STATE | et al., | Defendants. | ____________________________________| Plaintiff Daniel Bernstein brought this action against the Department of State and the individually named defendants seeking declaratory and injunctive relief from their enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C. � 2778, and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. Sections 120-30 (1994), on the grounds that they are unconstitutional on their face and as applied to plaintiff. Now before this court is defendants' motion to dismiss for lack of justiciability.1 Having considered the parties' arguments and submissions, and for the reason set forth below, the court enters the following memorandum and order. BACKGROUND 2 At the time this action was filed, plaintiff was a PhD candidate in mathematics at University of California at Berkeley working in the field of cryptography, an area of applied mathematics that seeks to develop confidentiality in electronic communication. A. Cryptography Encryption basically involves running a readable message known as "plaintext" through a computer program that translates the message according to an equation or algorithm into unreadable "ciphertext." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by common keys. The uses of cryptography are far-ranging in an electronic age, from protecting personal messages over the Internet and transactions on bank ATMs to ensuring the of military intelligence. As a graduate student, Bernstein developed an encryption algorithm he calls "Snuffle." He describes Snuffle as a zerodelay private-key encryption system. Complaint Exh. A. Bernstein has articulated his mathematical ideas in two ways: in an academic paper in English entitled "The Snuffle Encryption System," and in "source code" written in "C", a high-level computer programming language,3 detailing both the encryption and decryption, which he calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code is converted into "object code," a binary system consisting of a series of 0s and 1s read by a computer, the computer is capable of encrypting and decrypting data. 4 B. Statutory and Regulatory Background The Arms Export Control Act authorizes the President to control the import and export of defense articles and defense services by designating such items to the United States Munitions List ("USML"). 22 U.S.C. � 2778(a)(1). Once on the USML, and unless otherwise exempted, a defense article or service requires a license before it can be imported or exported. 22 U.S.C. � 2778(b)(2). The International Traffic in Arms Regulations, 22 C.F.R. Sections 120-30, were promulgated by the Secretary of State, who was authorized by executive order to implement the AECA. The ITAR is administered primarily within the Department of State by the Director of the Office of Defense Trade Controls ("ODTC"), Bureau of Politico-Military Affairs. The ITAR allows for a "commodity jurisdiction procedure" by which the ODTC determines if an article or service is covered by the USML when doubt exists about an item. 22 C.F.R. � 120.4(a). Categories of items covered by the USNL are enumerated at section 121.1. Category XIII, Auxiliary Military Equipment, includes "Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems .... __ _ � 121 XIII(b)(l). A number of applications of cryptography are excluded, such as those used in automated teller machines and certain mass market software products that use encryption. Id. C. Plaintiff's Commodity Jurisdiction Determinations On June 30, 1992 Bernstein submitted a commodity jurisdiction ("CJ") request to the State Department to determine whether three items were controlled by ITAR. Those items were Snuffle.c and Unsnuffle.c (together referred to as Snuffle 5.0), each submitted in C language source files, and his academic paper describing the Snuffle system. Complaint Exh. A. On August 20, 1992 the ODTC informed Bernstein that after consultation with the Departments of Commerce and Defense it had determined that the commodity Snuffle 5.0 was a defense article under Category XIII of the ITAR and subject to licensing by the Department of State prior to export. The ODTC identified the item as a "stand-alone cryptographic algorithm which is not incorporated into a finished software product." Complaint Exh. B. The ODTC further informed plaintiff that a commercial software product incorporating Snuffle 5.0 may not be subject to State Department control and should be submitted as a new commodity jurisdiction request. Plaintiff and ODTC exchanged copious and contentious correspondence regarding the licensing requirements during the spring of 1993. Still unsure if his academic paper had been included in the ODTC CJ determination of August 20, 1992, Bernstein submitted a second CJ request on July 15, 1993, asking for a separate determination for each of five items. According to plaintiff these items were 1) the paper, "The Snuffle Encryption System," 2) Snuffle.c, 3) Unsnuffle.c, 4) a description in English of how to use Snuffle, and 5) instructions in English for programming a computer to use Snuffle.5 On October 5, 1993 the ODTC notified Bernstein that all of the referenced items were defense articles under Category XIII(b)(1). Complaint Exh. E; Defendant Exh. 18. After plaintiff initiated this action, the ODTC wrote to plaintiff to clarify that the CJ determinations pertained only to Snuffle.c and Unsnuffle.c and not to the three items of explanatory information, including the paper. Defendant Exh. 21. Bernstein appealed the first commodity jurisdiction determination on September 22, 1993. That appeal is still pending. Plaintiff seeks to publish and communicate his ideas on cryptography. Because "export" under the ITAR includes "[d]isclosing . . . technical data to a foreign person, whether in the United States or abroad", Bernstein asserts that he is not free to teach the Snuffle algorithm, to disclose it at academic conferences, or to publish it in journals or online discussion groups without a license. LEGAL STANDARD A motion to dismiss will be denied unless it appears that the plaintiff can prove no set of facts which would entitle him or her to relief. Conlev v. Gibson, 355 U.S. 41, 45-46 (1957); Fidelity Financial Corp. v. Federal Home Loan Bank of San Francisco, 792 F.2d 1432, 1435 (9th Cir. 1986), cert. denied, 479 U.S. 1064 (1987). All material allegations in the complaint will be taken as true and construed in the light most favorable to the plaintiff. NL Industries. Inc. v. Kaplan, 792 F.2d 896, 898 (9th Cir. 1986). Although the court is generally confined to consideration of the allegations in the pleadings, when the complaint is accompanied by attached documents, such documents are deemed part of the complaint and may be considered in evaluating the merits of a Rule 12(b)(6) motion. Durning v. First Boston Corp., 815 F.2d 1265, 1267 (9th Cir.), cert. denied sub. nom. Wyomina Community Dev. Auth. v. Durning, 484 U.S. 944 (1987). DISCUSSION Plaintiff makes a number of allegations of unconstitutionality with respect to the AECA and ITAR. Specifically, plaintiff alleges that the act and accompanying regulations, both facially and as applied, are a content-based infringement on speech, act as an unconstitutional prior restraint on speech, are vague and overbroad, and infringe the rights of association and equal protection. Bernstein also alleges that the CJ request and registration processes as well as the licensing procedures are unconstitutional, although he does not state the basis of their unconstitutionality. Finally, plaintiff alleges that the actions of defendants are arbitrary and capricious and constitute an abuse of discretion under the Administrative Procedure Act, 5 U.S.C. Sections 701 et ~g Defendants move to dismiss on the grounds that these issues are nonjusticiable. I. Justiciability The AECA plainly states: The designation by the President (or by an official to whom the President's functions under subsection (a) of this section have been duly delegated), in regulations issued under this section, of items as defense articles or defense services for purposes of this section shall not be subject to judicial review. 22 U.S.C. � 2778(h). Defendants conclude that this language, as well as the Constitution, precludes review of commodity jurisdiction determinations by this court. Plaintiff does not dispute this assessment. Defendants characterize this action as an attempt to obtain judicial review of their CJ determinations to place plaintiff's cryptographic items on the USML; as such, they maintain the action is precluded. However, this characterization does not comport with either the complaint itself or plaintiff's repeated assertions that he is not seeking judicial review of defendants' CJ decision, but of the constitutionality of the statute and its regulations. It is well established under the political question doctrine that courts do not have the expertise to examine sensitive political questions reserved for the other branches of government. See Baker v. Carr, 369 U.S. 186 (1962). More to the point, as defendants note, the determination of whether an item should be on the USML "possesses nearly every trait that the Supreme Court has enumerated traditionally renders a question 'political."' United States v. Martinez, 904 F.2d 601, 602 (llth Cir. 1990) (finding the CJ determination nonjusticiable without deciding if the then recent amendment to the AECA precluding judicial review applied to that case). However, a review of a particular CJ decision is a distinctly different question from a constitutional challenge to a statute. In Martinez, the Eleventh Circuit noted that defendants had not alleged a constitutional violation.6 904 F.2d at 603. With respect to constitutional questions, the judicial branch not only possesses the requisite expertise to adjudicate these issues, it is also the best and final interpreter of them. Furthermore, as plaintiff points out, federal courts have consistently addressed constitutional issues in the context of national security concerns. See. e.q., New York Times Co. v. United States, 403 U.S. 713 (1971); Haia v. Aaee, 453 U.S. 280 (1981). Because the issues before this court do not necessitate a factual inquiry into the CJ determination, but a legal one into broader constitutional claims, the question is whether the statutory preclusion of judicial review of CJ decisions also embraces this court's review of the statute's constitutionality. 7 Defendants cite a number of Ninth Circuit cases that reject the reviewability of commodity designations under the analogous Export Administration Act, 50 U.S.C. App. Sections 2401 et seq., administered by the Commerce Department. Because this court is not reviewing the CJ determination itself, those cases miss the mark. Of those cases, however, United States v. Bozarov, 974 F.2d 1037 (9th Cir. 1992), cert. denied, 507 U.S. 917 (1993), is instructive. In Bozarov the defendant was charged with exporting items on the Commerce Control List ("CCL")--which is akin to the USML--without a license in violation of the statute. The items, which were computer disk manufacturing equipment, had been listed on the CCL for national security reasons. Bozarov challenged the constitutionality of the Act's preclusion of judicial review. In upholding the preclusion of review, however, the court noted its decision was "bolstered by the fact that certain limited types of judicial review are available under the EAA despite the Act's seemingly absolute preclusion of review. First, colorable constitutional claims may be reviewed by the courts even when a statute otherwise precludes judicial review." Id. at 1044 (citing Webster v. Doe, 486 U.S. 592, 602-05 (1988)). In fact, in order to reach the question of whether it was constitutional to preclude judicial review, the Ninth Circuit had to first find the issue justiciable. There, even the government conceded that Bozarov's nondelegation challenge amounted to a colorable constitutional claim. 974 F.2d at 1044 n.7. More definitive still is the Supreme Court's decision in Webster_, where it addressed whether employment decisions by the Director of the CIA were subject to judicial review. In Webster, plaintiff Doe was discharged from the CIA after informing the agency that he was a homosexual. He contested his termination partly on constitutional grounds. The Court held that the applicable statute bestowed so much discretion on the CIA Director in terminating employees that judicial review of those decisions was precluded under section 701(a)(2) of the APA. However, the Court made clear that such a holding did not preclude review of constitutional claims, noting that where Congress intends to preclude judicial review of constitutional claims its intent to do so must be clear.... We require this heightened showing in part to avoid the "serious constitutional question" that would arise if a federal statute were construed to deny any judicial forum for a colorable constitutional claim. 486 U.S. at 603 (citations omitted). 8 In the instant case, Congress has clearly precluded review of CJ determinations under the AECA, 22 U.S.C. � 2778(h). But it has just as clearly tailored the preclusion of review to the designation by the President or his delegate "of items as I defense articles or defense services for the purposes of this section." Id. Moreover, the language of section (h) indicates that it pertains only to delegations of the President's "functions under subsection (a) of this section." Those functions do not include constitutional determinations. As this court finds that the AECA does not preclude judicial review of colorable constitutional claims, it must determine if plaintiff's claims are colorable in order to decide the issue of justiciability. II. Colorability of Plaintiff's Constitutional Claims Defendants maintain that plaintiff has raised no colorable constitutional claim because this case does not concern "speech" protected by the First Amendment, and even if it does, the minimal infringement is excusable under O'Brien v. United U.S. 367 (1968). Defendant's further argue that plaintiff has not made a colorable claim that the CJ determinations constitute a prior restraint or that the AECA and ITAR are overbroad or vague.9 Plaintiff responds that the items that were subject to CJ determinations are speech of the most protected kind. A. Analytical Framework To determine if Bernstein states a "colorable constitutional claim," it is helpful to know what standard obtains. Colorability, a concept often employed by courts, is rarely defined. Not surprisingly, discussions of colorability appear to be highly specific to both the claim and context in which they arise. The Ninth Circuit has adopted the proposition that a constitutional claim is not colorable if it is clearly immaterial and made only for the purposes of jurisdiction, or "is wholly insubstantial or frivolous." Hoye v. Sullivan, 985 F.2d 990, 991-92 (9th Cir. 1993) (citing Boettcher v. Secretary of HHS, 759 F.2d 719, 722 (9th Cir. 1985)). On a number of occasions the Ninth Circuit has addressed whether constitutional claims were colorable in the context of national security decisions. These have been largely due process and equal protection challenges to revocations of a security clearance. Dorfmont v. Brown, 913 F.2d 1399 (9th Cir. 1990), cert. denied, 499 U.S. 905 (1991); High Tech Gays v. Defense Ind. Sec. Clearance Off., 895 F.2d 563 (9th Cir.), reh'a denied, en banc, 909 F.2d 375 (1990); Dubbs v. CIA, 866 F.2d 1114 (9th Cir. 1989). In Dorfmont the court held that there was no cognizable liberty or property interest in a security clearance that could give rise to a due process claim and therefore the claim was not colorable. The Dorfmont court noted, however, that it had found equal protection challenges to security clearance denials colorable in Hiah Tech Gays. 913 F.2d at 1403. In fact, in Hiah Tech Gays the court bypassed the issue of colorability altogether and concluded on the merits that homosexuals were not a suspect or quasi-suspect class for purposes of heightened equal protection scrutiny.10 Plaintiffs in High Tech Gays had also brought a First Amendment claim based on freedom of association. The court found that plaintiffs had failed to allege or show a security clearance had been denied solely by reason of their membership in a gay organization and, therefore, there was no case or controversy with respect to that claim. In Dorfmont the court described its disposition of the First Amendment claim in Hiah Tech Gays as failure "to allege sufficient facts to raise a justiciable First Amendment claim." 913 F.2d at 1403 n.2. It is unclear whether the court's discussion of justiciability in Dorfmont applies to lack of colorabilty, and if so, what standard it implies. As Hoye is the most recently and clearly articulated of the Ninth Circuit's attempts to define colorability, its standard will govern the court's analysis in this case. B. Analysis Neither party agrees on exactly which items are at issue in this case, which confounds the analysis of whether subjecting them to a licensing requirement raises a colorable First Amendment claim. Defendants claim that only Snuffle.c and Unsnuffle.c are controlled by the USML and subject to the I licensing requirement. This is based on the 1995 letter the ODTC sent to plaintiff after he had filed suit in which it clarified that the CJ determinations did not include any explanatory information, including the paper. This clarification would have been more appropriate in response to plaintiff's letter of July 15, 1993. Bernstein claims that his paper, "The Snuffle Encryption System," remains on the USML and that he has not been able to publish it without a license. It seems evident from the correspondence between Bernstein and the ODTC that the paper was indeed determined to be on the USML at the latest by October 5, 1993, but that as of June 29, 1995, the ODTC disavowed that decision. It is disquieting that an item defendants now contend could not be subject to regulation was apparently categorized as a defense article and subject to licensing for nearly two years, and was only reclassified after plaintiff initiated this action. Nonetheless, given defendants' reevaluation, the claims pertaining to the paper now appear moot.12 1. Speech The paper, an academic writing explaining plaintiff's scientific work in the field of cryptography, is speech of the most protected kind. See Sweezv v. New Hampshire, 354 U.S. 234, 249-50 (1957) (noting the importance of protecting scholarship and academic inquiry). Nor do defendants contest this. Rather, defendants contend that Snuffle.c and Unsnuffle.c--the source code for the encryption program--are not speech but conduct. Plaintiff argues that computer code inscribed on paper, like any non-English language, is speech protected by the First Amendment .13 Plaintiff further argues that even functional software is treated as protectable expression under copyright law. 14 Defendants urge this court to find the source code for Snuffle unprotected conduct rather than speech. They cite Texas v. Johnson, 491 U.S. 397 (1989), for the proposition that conduct must be "'sufficiently imbued with the elements of communication"' to fall within the protections of the First Amendment. Id. at 404 (quoting Spence v. Washington, 418 U.S. 405, 409 (1974)). In evaluating the communicative aspects of burning a flag in Texas v. Johnson, the Court framed the inquiry as whether the conduct entails an intent to convey a particular message and the likelihood of that message being understood. Id. According to defendants, the source code, as a functioning cryptographic product, is not intended to convey a particular message. It cannot be speech, they say, because its purpose is functional rather than communicative. However, the Court in both Johnson and Spence, the flag desecration case upon which Johnson relies, inquired into the communicative nature of conduct only after concluding that the act at issue was indeed conduct and not speech. Both cases strongly imply that a court need only assess the expressiveness of conduct in the absence of "the spoken or written word." Johnson, 491 U.S. at 404; see Spence, 418 U.S. at 409 ("To be sure, appellant did not choose to articulate his views through printed or spoken words. It is therefore necessary to determine whether his activity was sufficiently imbued with elements of communication to fall within the scope of the First and Fourteenth Amendments ...."). In the instant case, Bernstein's encryption system is written, albeit in computer language rather than in English. Furthermore, there is little about this functional writing to suggest it is more like conduct than speech. A computer program is so unlike flag burning and nude dancing that defendants' reliance on conduct cases is misplaced. It would be convoluted indeed to characterize Snuffle as conduct in order to determine how expressive it is when, at least formally, it appears to be speech. Recently the Ninth Circuit addressed the difference between speech and expressive conduct in assessing the constitutionality of the English-only provision amended to Arizona's constitution. Yniguez v. Arizonans for Official English, 69 F.3d 920, 934-36 (9th Cir. 1995) (en banc), cert. granted, 64 U.S.L.W. 3639 (U.S. Mar. 25, 1996) (No. 95-974). Defendants in Yniguez, like defendants here, sought to characterize one's choice of language as expressive conduct. The court was similarly "unpersuaded by the comparison between speaking languages other than English and burning flags." Id. at 934. The court further concluded that language was speech by definition: Of course, speech in any language consists of the ' expressive conduct' of vibrating one's vocal chords, moving one's mouth and thereby making sounds, or of putting pen to paper, or hand to keyboard. Yet the fact 16 that such 'conduct' is shaped by language--that is, a sophisticated and complex system of understood meanings--is what makes it speech. Language is by definition speech, and the regulation of any language is the regulation of speech. Id. at 934-35. Nor does the particular language one chooses change the nature of language for First Amendment purposes. This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French. All participate in a complex system of understood meanings within specific communities. Even object code, which directly instructs the computer, operates as a "language." When the source code is converted into the object code "language," the object program still contains the text of the source program. The expression of ideas, commands, objectives and other contents of the source program are merely translated into machine-readable code. 15 Whether source code and object code are functional is immaterial to the analysis at this stage. Contrary to defendants' suggestion, the functionality of a language does not make it any less like speech. The Yniguez court noted that "the choice to use a given language may often simply be based on a pragmatic desire to convey information to someone so that they may understand it." Id. at 935. Thus, even if Snuffle source code, which is easily compiled into object code for the computer to read and easily used for encryption, is essentially functional, that does not remove it from the realm of speech. Instructions, do-it-yourself manuals, recipes, even technical information about hydrogen bomb construction, see United States v. The Progressive. Inc., 467 F. Supp. 990 (W.D. Wisc. 1979), are often purely functional; they are also speech. Music, for example, is speech protected under the First Amendment. See Ward v. Rock Against Racism, 491 U.S. 781, 790 (1989). The music inscribed in code on the roll of a player piano is no less protected for being wholly functional. Like source code converted to object code, it "communicates" to and directs the instrument itself, rather than the musician, to produce the music. That does not mean it is not speech. Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it. 16 Defendants argue in their reply that a description of software in English informs the intellect but source code actually allows someone to encrypt data. Defendants appear to insist that the higher the utility value of speech the less like speech it is. An extension of that argument assumes that once language allows one to actually do something, like play music or make lasagne, the language is no longer speech. The logic of this proposition is dubious at best. Its support in First Amendment law is nonexistent. By analogy, copyright law also supports the "expressiveness" of computer programs. Computer software is subject to copyright protection as a "literary work." 17 U.S.C. Sections 101, 102(a)(1); accord Johnson Controls v. Phoenix Control Systems, 886 F.2d 1173, 1175 (9th Cir. 1989). For the purposes of copyright, literary works "are works, other than audiovisual works, expressed in words, numbers, or other verbal or numerical symbols or indicia, regardless of the nature of the material objects, such as books, periodicals, manuscripts, phonorecords, film, tapes, disks, or cards, in which they are embodied." 17 U.S.C. Section 101. A computer program is further defined under the copyright statute as "a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result." Id. (emphasis added). Source code is essentially a set of instructions that is used indirectly in a computer since it must first be translated into object code to achieve the desired result. The statutory language, along with the caselaw of numerous circuits, supports the conclusion that copyright protection extends to both source code and object code. See NLFC. Inc. v. Devcom Mid-America. Inc., 45 F.3d 231, 234-35 (7th Cir.), cert. denied, 115 S.Ct. 2249 (1995) ("Both the source and object codes to computer software are also individually subject to copyright protection.") (citations omitted); Johnson Controls, 886 F.2d at 1175 ("Source code and object code, the literal components of a program, are consistently held protected by a copyright on the program.") (citations omitted); Apple Computer. Inc. v. Franklin Computer Corp., 714 F.2d 1240, 1249 (3d Cir. 1983), cert. dismissed, 464 U.S. 1033 (1984). Copyright protection, designed to protect original expression, 17 U.S.C. Section 102(a), supports the likeness of a computer program to speech as defined by First Amendment law. The expression of an idea, a~ opposed to the idea itself, which is not afforded copyright protection under 17 U.S.C. Section 102(b), connotes the "speaking" of an idea. An encryption program expressed in source code communicates to other programmers and ultimately to the computer itself how to make the encryption algorithm (the idea) functional. Nor, under copyright law, does sheer functionality diminish the expressive quality of a copyrightable work. Apple Computer. Inc., 714 F.2d at 1252 (citing Mazer v. Stein, 347 U.S. 201, 218 (1954)); cf. Lotus Dev. Corp. v. Borland Int'l. Inc., 49 F.3d 807, 815 (lst Cir. 1995), judgment aff'd, 116 S.Ct. 804 (1996) (holding that a text describing how to operate something is subject to copyright protection while the method of operation itself is not). While copyright and First Amendment law are by no means coextensive, and the analogy between the two should not be stretched too far, copyright law does lend support to the conclusion that source code is a means of original expression. For the purposes of First Amendment analysis, this court finds that source code is speech. Having concluded that all the items at issue, including Snuffle.c and Unsnuffle.c are speech, this court must now briefly review the claims defendants contest for colorability. 2. O'Brien Defendants, relying on a characterization of Snuffle as conduct, argue that even if that conduct is expressive, the relatively mild O'Brien test should be employed. United States v. O'Brien, 391 U.S. 367 (1968), establishes the standard for assessing when a governmental regulation of conduct may nonetheless run afoul of the First Amendment's speech protections. Under O'Brien a regulation of conduct that incidentally restricts speech will be valid if 1) it is within the power of the government, 2) it furthers an important or substantial government interest, 3) the government interest is unrelated to the suppression of free expression and 4) the incidental restriction on speech is no greater than is essential to further that interest. Id. at 377. Given that Snuffle source code is speech and not conduct, O'Brien does not appear to provide the appropriate standard under which to evaluate plaintiff's claims.17 However, as the parties have not had an opportunity to brief the issue of what First Amendment standard obtains, the court will apply O'Brien for the limited purpose of determining colorability. Defendants make a strong case that the AECA and ITAR satisfy the first and second prongs of O'Brien--that they are within the government's power and further the important interest of national security. With respect to prongs three and four, however, this court cannot say that plaintiff~s contentions are frivolous. Both the technical data provision of the ITAR, 22 C.F.R. Section 120.10, and Category XIII of the USML, 22 C.F.R. Section 121.1, regulating cryptographic software appear to relate to the "suppression of free expression" and may reach farther than is justifiable. Defendants also argue that the Ninth Circuit's decision in United States v. Edler Industries Inc., 579 F.2d 516 (9th Cir. 1978), precludes a First Amendment attack under O'Brien on the AECA and its accompanying regulations. In Edler the court reviewed a conviction under the predecessor of the AECA for unlicensed exportation of technical data relating to a defense article on the USML. The technical data at issue in Edler related to a technique of tape wrapping with applications for missile components. After finding that "an expansive interpretation of technical data relating to items on the Munitions List could seriously impede scientific research and publishing and international scientific exchange," ~ at 519, the court went on to adopt a narrowing construction to save the statute. 18 Defendants urge that if Edler allows the government to legitimately restrict the export of technical data relating to a defense article, it can certainly restrict the defense article itself. Such an argument is an extension of Edler this court is unwilling to adopt. The validity of the of the munitions list was simply not at issue in that case. While Edler will be instructive to an analysis of the AECA under the First Amendment, it is sufficiently distinguishable on its facts that it cannot preclude plaintiff's challenge at this stage. While the court makes no judgment on the merits, it finds plaintiff alleges facts sufficient to state a nonfrivolous First Amendment claim and hence that claim is colorable. 3. Prior Restraint Plaintiff alleges that the AECA and ITAR act as an administrative licensing scheme for the publication of scientific papers, algorithms and computer programs related to cryptography, since publishing could release that information to foreign persons and would constitute exportation under the ITAR. 22 C.F.R. Section 120.17 .19 Governmental licensing schemes, such as the AECA and ITAR, come with a heavy presumption against their validity when they act as a prior restraint on speech. See Nebraska Press Assoc. v. Stuart, 427 U.S. 539 (1976); New York Times Co. v. United States, 403 U.S. 713 (1971) (per curiam); Near v. Minnesota, 283 U.S. 697 (1931). Prior restraints have even been struck down in the face of national security concerns. See e.a. New York Times, 403 U.S. at 714 (dissolving retraining order against newspaper publication of Pentagon Papers that included classified information). In New York Times the national security asserted was too vague a justification for prior restraints. Id. at 719 (Black, J., concurring), 725-26 (Brennan, J., concurring). In his concurrence to the per curiam decision, Justice Stewart suggested a stringent test for permissible prior restraints, allowing them only when "disclosure . . . will surely result in direct, immediate, and irreparable damage to our Nation or its people." Id. at 730 (Stewart J., concurring). In response to the prior restraint claim, defendants rely on the argument rejected above, that Snuffle is not speech and does not implicate the First Amendment. Since Snuffle is speech that is potentially subject to the prior restraint of licensing, and under the AECA that restraint is unreviewable, plaintiff's prior restraint claim is colorable. 20 4. Overbreadth Plaintiff alleges that the AECA and ITAR are overbroad with respect to their regulation of items with predominately civil applications, the definition of export, Category XIII of the USNL, and the definition of software. Defendants rely extensively on Edler to argue that any overbreadth challenge is foreclosed to plaintiff because the Ninth Circuit has provided a limiting construction to the technical data provision. They also cite the 1984 revisions to ITAR which they contend are even more solicitous of speech because they provide for certain exemptions from technical data for academic research and information in the "public domain." Defendant Exh. lA. However, plaintiff's overbreadth claim goes beyond the technical data provision and beyond those items classified as technical data. The complaint makes clear that the challenge is significantly broader than the scope of Edler and pertains to the defense articles themselves. Facial overbreadth is concededly "strong medicine" employed as a last resort when a limiting construction cannot be applied to a statute. Broadrick v. Oklahoma, 413 U.S. 601, 613 (1973). Defendants employ Broadrick to propose that when conduct as well as speech is regulated, the overbreadth must be substantial in relation to the statute's legitimate sweep. Id. at 615. However, in a subsequent Supreme Court decision relied upon by defendants, Members of the City Council of Los Angeles v. Taxpayers for Vincent, 466 U.S. 789 (1984), the Court noted that "where the statute unquestionably attaches sanctions to protected conduct, the likelihood that the statute will deter that conduct is ordinarily sufficiently great to justify an overbreadth attack." Id. at 801 n.l9 (citing Erznoznik v. City of Jacksonville, 422 U.S. 205 (1975)). In Taxpayers for Vincent the Court clarified the application of substantial facial overbreadth, saying there must be a "realistic danger that the statute itself will significantly compromise recognized First Amendment protections of parties not before the Court ...." Id. at 801. Merely being able to conceive of "some impermissible applications of a statute" is insufficient. Id. at 800. As this court has noted above, cryptographic source code is speech. Even if the statute aims at conduct as well as speech so as to invoke the "substantial overbreadth" doctrine, the court at this stage of the proceedings need only determine whether the claim is colorable. On the record before it at this time, the court cannot say that plaintiff's claim that enforcement of some provisions of the statute or regulations could significantly compromise the protected speech of third parties is frivolous. 5. Vagueness Plaintiff alleges that a number of terms and provisions within the AECA and ITAR are impermissibly vague in that they fail to give notice of the conduct they regulate and have a chilling effect on speech. These provisions include inter alia the meaning of software capable of maintaining secrecy under Category XIII of the USML, the exemptions for information taught in universities, the definition of public domain, and the "willful" requirement for criminal penalties. For a claim of facial vagueness to survive, the deterrent effect of the statute on protected expression must be "real and substantial" and not easily narrowed by a court. Young v. American Mini Theaters. Inc., 427 U.S. 50, 60 (1976). Defendants again rely heavily on Edler to argue that the Ninth Circuit has already resolved the problems plaintiff challenges. While this may be true of the technical data provision, it leaves unaddressed numerous other areas of concern. Defendants also conclude summarily that both the definition of cryptographic software and the exemptions from this definition are clear to a person of ordinary intelligence. This seems to be a bit of dissimulation, unless it is a confession, since the ODTC itself mistakenly classified Bernstein's academic paper as a defense article under Category XIII. Finally, defendants contest plaintiff's vagueness challenge to the "willful" requirement for criminal penalties, citing the Ninth Circuit's clarification that under the AECA willfulness requires a "voluntary, intentional violation of known legal duty ...." United States v. Lizarraga-Lizarraga, 541 F.2d 826, 828 (1976) (construing the predecessor to the AECA). According to Posters 'N' Things. Ltd. v. United States, _ U.S. _ , 114 S. Ct. 1747, 1754 (1994), such a scienter requirement helps to avoid the problem of vagueness a criminal statute might otherwise allow. With the exception of the claim against the willful standard for criminal violations of the AECA, this court does not find plaintiff's claims of vagueness frivolous. It should be emphasized that with the exception of its conclusions that source code is speech for the purposes of the First Amendment and that this case is justiciable, the court makes no other substantive holdings. CONCLUSION For the reasons set forth above, IT IS HEREBY ORDERED that defendants' motion to dismiss is DENIED. IT IS SO ORDERED. Dated: April 15, 1996 MARILYN HALL PATEL United States District Judge ENDNOTES 1. Defendants pose the justiciability issue as one of subject matter jurisdiction. As those questions are distinct and defendants arguments go to justiciability, this court addresses the motion as one pertaining to justiciability alone. See Baker v. Carr, 369 U.S. 186, 198 (1962). 2. Except where noted, these facts come from undisputed portions of the record. 3. Source code is the text of a source program and is generally written in a high-level language that is two or more steps removed from machine language which is a low-level language. High-level languages are closer to natural language than lowlevel languages which direct the functioning of the computer. Source code must be translated by way of a translating program into machine language before it can be read by a computer. The object code is the output of that translation. It is possible to write a source program in high-level language without knowing about the actual functions of the computer that carry out the program. Encyclopedia of Computer Science 962, 1263-64 (Anthony Ralston & Edwin D. Reilly eds., 3d ed. 1995) 4. The parties disagree about whether the computer code submitted by plaintiff to the State Department is technically "software." Defendants refer to the computer code as software even though it i8 not in object code on a disk. Plaintiff contests this characterization. In any event, in order to be software, which are instructions to the computer, the instructions must be in a form that can be easily altered as distinguished from firmware or hardware which cannot be readily altered, if it can be altered at all. The court notes that 22 CFR Section 121.8(f) defines "software" for the purposes of the AECA. That definition is descriptive of content, however, and does not define the actual format or physical form of the software. At this stage the court need not resolve this issue since whatever the program's form, the ODTC has subjected it to the licensing requirements. 5. The CJ request of July 15, 1993, refers to the items as W BCJF-2, W BCJF-3, DIBCJF-4, DJBCJF-5, and W BCJF-6 without distinguishing information. Complaint Exh. D. 6. This statement appears to be contradicted by that court's own reference to defendants' overbreadth claim on the preceding page of its opinion. Martinez, 904 F.2d at 601. It is not clear whether the overbreadth argument went to constitutionality or merely to statutory interpretation. 7. Plaintiff argues that this court has power to review his cause of action under a political question analysis. Even if that were so, he fails to consider the effect of a clear statement by Congress precluding judicial review in the context of the AECA. Furthermore, plaintiff dedicates nearly ten pages of his brief in opposition to this motion to arguing that review is proper under the Administrative Procedure Act ("APA"). However, as defendants note, to the extent judicial review is precluded by statute, it is also precluded by the APA. 5 U.S.C. Section 701(a)(1) ("This chapter applies . . . except to the extent that--(l) statutes preclude judicial review ...."). That does not necessarily mean plaintiff's allegation that defendants exceeded their lawful authority under the APA is unreviewable. Plaintiff is correct that U.S. v. Bozarov allows courts to exercise review, in the face of statutory preclusion, of "claims that the Secretary acted in excess of his delegated authority under the EAA." 974 F.2d at 1045. Nonetheless, defendants only argue nonjusticiability based on the First Amendment claim. This court declines to rule on the colorability of every one of plaintiff's claims without briefing on those issues. Currently before the court is simply the issue of the justiciability of plaintiff's First Amendment challenge. 8. The Court did not consider whether Doe presented a colorable constitutional claim because that question was not properly before the Court. 9. Defendants only argue in passing that plaintiff's claim that the CJ determinations were made in excess of statutory authority is not justiciable. 10. The discussion of Hiah Tech Gays in Dorfmont betrays the unusual procedural posture the Ninth Circuit adopted in order to reach the merits: "Without addressing whether the federal courts have jurisdiction to hear these claims, we ruled in favor of defendants on the merits of the equal protection attack." 913 F.2d at 1403 (emphasis added) (citation omitted). 11. Reading "colorable" to mean sufficient to state a claim, or even nonfrivolous, is supported by the Sixth Circuit's decision in Brooks v. Seiter, 7-79 F.2d 1177, 1181 (6th Cir. 1985), in which the court, using a frivolousness standard, held that plaintiff prisoners had alleged a First Amendment violation when they complained that prison officials withheld mail order publications. In the context of that holding, the court said that the state interest in deferring to prison officials did not bar courts from hearing a "colorable constitutional claim." Id. 12. If there is any uncertainty about this, defendants should state their determination without equivocation so that the mootness issue can be completely resolved as soon as possible. 13. Bernstein also contends that encryption software is important not only as speech, but as a tool to protect private speech. Plaintiff argues that cases protecting anonymous speech and prohibiting compelled speech support this novel proposition. However, certainly at this stage, the court need not reach the issue. 14. Plaintiff briefly argues that his encryption program, written in source code on paper, is not functional at all. Given the ease with which one can convert source code into object code, however, this argument is specious. More to the point is plaintiff's contention that source code and functioning software are both fully protected under the First Amendment. 15. The court does not employ the word "translate" as art thereby excluding the applicability of "compile", "interpret" or related terms. 16. Whether such "languages" as assembly language or low-level languages constitute speech, or may sometimes constitute speech, need not be addressed at this time in view of the court's ruling that the source code provides the basis for a colorable claim. 17. Plaintiff cites Justice Department memoranda that question the constitutionality of some of the ITAR provisions as well as the propriety of an O'Brien analysis. Plaintiff Exh. A at 60007, 60090. A 1978 memo from the DOJ Office of Legal Counsel addressing the constitutionality of the ITAR restrictions on public cryptography noted that "even a cursory reading of the technical data provisions reveals that those portions of the ITAR are directed at communication. A more stringent constitutional analysis than the O'Brien test is therefore mandated." Plaintiff Exh. A at 60084 n.16. While Snuffle was classified as a munition rather than as technical data, Category XIII of the USML also directly regulates public cryptography. 18. The court's narrowing construction mandates that the statute and regulations only prohibit the export of technical data "significantly and directly related to specific articles on the Munitions List. n 579 F.2d at 521. 19. Defendants continue to argue that plaintiff was mistaken about the inclusion of the academic paper in the CJ determinations made by the ODTC. As the court has noted, plaintiff had every reason to believe his paper had been determined to be a defense article until defendants' clarifying letter of June 29, 1995. Whether or not the prior restraint that may have been applied to the paper is still relevant or whether this confusion could happen again given the apparent applicability of the public domain exception to work of this kind, 22 C.F.R. Section 120.11(a)(8), is a matter the court declines to address at this time. 20. Defendants are correct that with respect to the two instructional items included in the second CJ determination and which ODTC subsequently identified as technical data, a prior restraint claim seems foreclosed by Edler, 579 F.2d at 521 ("So confined, the statute and regulations are not overbroad. For the same reasons the licensing provisions of the Act are not an unconstitutional prior restraint on speech."). [end] From trei at process.com Fri Apr 19 12:31:42 1996 From: trei at process.com (Peter Trei) Date: Sat, 20 Apr 1996 03:31:42 +0800 Subject: DANGER! Baby-Food Bombs on the Internet! [was Re: (Fwd)] Message-ID: <199604191321.GAA13317@toad.com> > From: Rich Graves <llurch at networking.stanford.edu> > > On Thu, 18 Apr 1996, the intrepid anonymous-remailer at shell.portal.com > FUDded to cypherpunks: > [Senatorial panic at the spread of knowledge deleted] > Does anyone know the documents that Senator Biden is quoting? I *must > know* how to build The Dreaded Baby-Food Bomb. As usual, altavista comes to the rescue. *A* baby food jar bomb is described at: http://studentweb.tulane.edu/~llovejo/explode.txt and echoed overseas at http://ps.cus.umist.ac.uk/~vivaldi/boom/original.txt I could not find the article on harvesting gunpowder from shotgun shells. Neat stuff in australia on making primary and secondary explosives however (neurocactus). With the Internet in place, government attempts to legislate the flow of ideas and knowledge are about as effective as attempts to legislate the migration routes of birds. Peter Trei trei at process.com From abostick at netcom.com Fri Apr 19 13:36:02 1996 From: abostick at netcom.com (Alan Bostick) Date: Sat, 20 Apr 1996 04:36:02 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <199604172021.QAA01638@universe.digex.net> Message-ID: <OTwdx8m9LYbG085yn@netcom.com> In article <199604172021.QAA01638 at universe.digex.net>, Scott Brickner <sjb at universe.digex.net> wrote: > I'm beginning to agree with the CDA supporter who claimed that "you're > just trying to protect your pornography by saying it's impossible when > we all know otherwise." Of course, that person really didn't know > otherwise, but I do. The abstract model of the Internet network layer > thinks of all transport entities as equivalent, as are all link > entities. In the real world, such mixed user bases are unusual. If my > scheme were implemented, service providers would probably have to > segregate shell account access onto "childproof" and "adult" machines, > or acquire a TCSEC B level system. Either approach works, and most > would likely choose the former, since its cheaper. It's still not > really that many machines. Don't forget: There are lots of colleges and universities on the net, and most of these universities have undergraduates, and a significant fraction of these undergraduates are minors. The potential user base is going to be mixed and must be presumed to be so. (That, I'm told, is the chief justification of the Carnegie-Mellon ban on the alt.sex.* Usenet newsgroups.) *Lots* of systems are affected by this problem. (Remember, as far as the CDA is concerned, a seventeen-year-and-eleven- month-old downloading nekkid pictures is every bit as bad as a six-year-old doing so.) -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick From trei at process.com Fri Apr 19 13:37:32 1996 From: trei at process.com (Peter Trei) Date: Sat, 20 Apr 1996 04:37:32 +0800 Subject: (Fwd) Re: GPS-based authentication (response) Message-ID: <199604191446.HAA11803@cygnus.com> As many of you will remember, I wrote last week to Dorothy Denning and Peter McDoran, describing some of the reservations expressed on the cpunk list concerning their 'cyberlocator' scheme. They've both responded, but not in a terribly helpful form. Denning wrote back quickly to say that she was going out of town, and that her colleague would respond. MacDoran took 6 days to reply, and then only to say that if my employer entered into a non-disclosure agreement with ISR Inc, then all my concerns "would be addressed". I wrote back to MacDoran, suggesting that open disclosure of their techniques would build confidence in their product, and requesting permission to repost his letter to the cpunk list. He has not responded after 24 hours. Peter Trei ptrei at acm.org Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Fri Apr 19 13:48:14 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Sat, 20 Apr 1996 04:48:14 +0800 Subject: Spaces in passwords Message-ID: <9604191931.AA4559@> >>Of course not. In a normal Unix password, adding spaces to the >>password search space increases the search space, so it necessarily >>makes the search harder. > >Depends on the space of ideas that are leading to your passwords. >If the reason you're adding spaces is to separate an n-character word >from the dictionary from a 7-n character word from the dictionary, >this reduces the search space for a cracker considerably. >At least pick random punctuation instead. Huh? I don't follow your reasoning. If you use two random words, the search space for a dictionary attack with an N word dictionary is N^2. That's true whether you include a space or leave it out. If you use "random punctuation" and the punctuation character is unknown, you add perhaps a factor 20, which is so much smaller than N that it isn't worth arguing about. Two-word passphrases are pretty good, and if you feel uncomfortable with an N^2 work factor, use three words to get N^3. That's a much bigger win than talking about random punctuation characters. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From dwl at hnc.com Fri Apr 19 13:56:19 1996 From: dwl at hnc.com (David Loysen) Date: Sat, 20 Apr 1996 04:56:19 +0800 Subject: plaugue of unsubscribes Message-ID: <199604191618.JAA20702@spike.hnc.com> At 12:01 PM 4/18/96 -0700, you wrote: >On Thu, 18 Apr 1996, Alex Strasheim wrote: > >> I've started sending mail to postmasters when I get one of those "take me >> off your list!" messages. >[snip] > >See John's message about the forged subscribes. It sounds like these >folks may have never used a mailing list and didn't want to. Can't really >blame them for being upset at receiving hundreds of pieces of email that >they didn't ask for. > >What still confuses me is the number of people who asked to be >"unsubscrived." Seems like an odd coincidence that all those folks would >miss the B key. Some had done it severeal times in the same message. I >wonder if they were totally set up -- if they got mail telling them to >"unsubscrive." Some people's idea of fun boggles me... > >Rich > The firewalls list got a bunch of "signoff" requests over the last few days. Same gag I'd wager. The Firewalls list owner said he unsubscribed over 200 people who appeared to have been falsely subscribed. ===================================== dwl at hnc.com Zippity do da, zippity ah, my oh my what a wonderful day. Ya right, and here I am without time to finish a cup of coffee. From wombat at mcfeely.bsfs.org Fri Apr 19 14:28:15 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Sat, 20 Apr 1996 05:28:15 +0800 Subject: FW: EARN $350 PER DAY!!! In-Reply-To: <c=US%a=_%p=msft%l=RED-81-MSG-960419011341Z-18898@tide21.microsoft.com> Message-ID: <Pine.BSF.3.91.960419132041.2238C-100000@mcfeely.bsfs.org> On Thu, 18 Apr 1996, Blanc Weber wrote: > I received the message below today, addressed to me. Notice the info at > the bottom. I didn't follow the instructions. But this could be what > some people are receving which prompts them to send "unsuvscrive > messages". > .. > Blanc > > >---------- > >From: communicate at earthlink.net[SMTP:communicate at earthlink.net] > >Sent: Thursday, March 28, 1996 1:09 PM > >Subject: EARN $350 PER DAY!!! > > > > If you would like to earn up to $350 per day... call > >1-800-545-0341!! I love it when junk mail comes with "800" numbers or pre-paid return envelopes ... ;) Will they ever learn ? From reagle at MIT.EDU Fri Apr 19 14:31:15 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Sat, 20 Apr 1996 05:31:15 +0800 Subject: Nym Server Questions and Remailer Suggestion Message-ID: <9604191659.AA01571@rpcp.mit.edu> 1. Do the nym servers lie about the times of being sent? 2. Do they automatically latantize messages? I get an very quick response from a nym server, and a very quick response from the remailer, but a message to the nym identity (which goes through both) takes a long time *. For the purpose of mitigating traffic analysis, has anyone considered creating a "delete-me" redirect, hence I could send a few messages to a nym server that I know won't go anywhere, but I can hide my traffic in that stream. Also, nym servers could ping each other and send delete-me redirects admist all the jumble of the normal redirects. An easy solution is to send incorrectly encrypted messages which are thrown away regardless. _______________________ Regards, I am a creationist; I refuse to believe that I could have evolved from humans. Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From wombat at mcfeely.bsfs.org Fri Apr 19 14:37:10 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Sat, 20 Apr 1996 05:37:10 +0800 Subject: Unsubsrive In-Reply-To: <199604190010.UAA03256@loverso.southborough.ma.us> Message-ID: <Pine.BSF.3.91.960419131610.2238B-100000@mcfeely.bsfs.org> On Thu, 18 Apr 1996, John Robert LoVerso wrote: > > On Thu, 18 Apr 1996, John Robert LoVerso wrote: > > Unsubsrive me! > > Ha ha. Very funny forgery. The fool who forged the "unsubsrive" in my > name wasn't even clever. He left his calling card all over the message: > > Received: by sturgeon.coelacanth.com (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0) > for cypherpunks at toad.com; id AA0833; Thu, 18 Apr 96 14:23:07 -0400 > > Please undo your [collective] dirty work. > > John > Hmmmm, this could be interesting .... From andrew_loewenstern at il.us.swissbank.com Fri Apr 19 14:59:25 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Sat, 20 Apr 1996 05:59:25 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604191221.IAA11773@jekyll.piermont.com> Message-ID: <9604191736.AA00569@ch1d157nwk> Perry writes: > Furthermore, I suggest you look up the Venona intercept work > and tell me again about how far an advesary will go with a > tiny toehold. The Venona breaks came because the NSA had a lot of encrypted traffic and some pads were used more than once, which is hardly a tiny toehold. After years of dragging intercepted messages through each other, something finally popped out. Messages encrypted with pads that were only used once are still unbroken, AFAIK, even though the pads were simply generated by clerks banging on keyboards. Still, a tiny toehold is all a good analyist needs to break a non-OTP cryptosystem, which attempts to protect a lot of information with only a little bit entropy. andrew From cypherpunks at count04.mry.scruznet.com Fri Apr 19 15:31:10 1996 From: cypherpunks at count04.mry.scruznet.com (cypherpunks at count04.mry.scruznet.com) Date: Sat, 20 Apr 1996 06:31:10 +0800 Subject: Enough of this How do I get on coderpunks(Please reply via email only NOT to the list) Message-ID: <199604201839.LAA15496@count04.mry.scruznet.com> The noise level has finally gotten to me... can someone tell me how to get on coderpunks private email replies only please I will be unsubscribing from cypherpunks shortly... cheers kelly From alano at teleport.com Fri Apr 19 15:36:45 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 20 Apr 1996 06:36:45 +0800 Subject: EFF/Bernstein Press Release Message-ID: <2.2.32.19960419174615.00a65100@mail.teleport.com> At 02:52 PM 4/18/96 -0500, John Deters wrote: >>On Thu, 18 Apr 1996, Mark Neely wrote: >> >>> Well, that puts legislation making virus authoring a crime >>> into a new (and difficult) position. > >My understanding is that it isn't illegal to author a virus, but it >certainly would be to release it. I think there is a confusion here between source code and object code. I am sure that the lawyers on the list will correct me on this if I am wrong here... The way I read this ruling is that it would have not effect on the laws on releasing viruses in code. (i.e. putting a virus into an executable and letting it go out to infect the world.) What it would permit would be publication of virus source and information about viruses. Publication of information about viruses (including source code) has a useful purpose. How can people write anti-virus programs if they do not know how they work? If publication of techniques is stopped, the anti-virus people have to wait until they find a live copy before writing something to detect and/or remove the offending code. The virus writers are going to do this whether or not they can publish. Letting them brag makes them faster to stop. The "let them brag" principle also works with system hacks. Finding what techniques are used will let you plug holes that you may not know about. It is better to have information than not. On to another [rant]... I have been seening a surprising amount of rant from the forces of Government about keeping information out of "the hands of terrorists". I am wondering how this is going to be brought about. The books are there. They can be ordered from a number of mail order firms. They can also be found in used book stores across the country. The information is alos on the net, on cd-roms and other mediums of storage. How are they going to stuff the tentacles back into the can? Without imposing a very represive police state, they cannot. It would require sifting through all of the available data (books, magazines, libraries, etc.) and removing all "offending" information. Since weapons are so easy to make, they would have to remove knowlege relating to a wide variety of fields. Not possible without alot of cops and alot of guns. The results would not be pretty. The thing I have not determined is whether they understand the outcome of the ideas they are wanting to implement. A good case could be made either way for cluelessness or totalitarian mindsets. I am beginning to think it is a bit of both... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From perry at piermont.com Fri Apr 19 15:43:06 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 20 Apr 1996 06:43:06 +0800 Subject: (Fwd) Re: GPS-based authentication (response) In-Reply-To: <199604191446.HAA11803@cygnus.com> Message-ID: <199604191817.OAA12107@jekyll.piermont.com> "Peter Trei" writes: > Denning wrote back quickly to say that she was going out of town, > and that her colleague would respond. > > MacDoran took 6 days to reply, and then only to say that if my > employer entered into a non-disclosure agreement with ISR Inc, > then all my concerns "would be addressed". > > I wrote back to MacDoran, suggesting that open disclosure of their > techniques would build confidence in their product, and requesting > permission to repost his letter to the cpunk list. He has not responded > after 24 hours. Perhaps they are worried about public disclosure adversely impacting their impending merger with the guys who make Power OTP. .pm From wombat at mcfeely.bsfs.org Fri Apr 19 15:45:23 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Sat, 20 Apr 1996 06:45:23 +0800 Subject: DANGER! Baby-Food Bombs on the Internet! [was Re: (Fwd)] In-Reply-To: <Pine.ULT.3.92.960418213819.12497L-100000@Networking.Stanford.EDU> Message-ID: <Pine.BSF.3.91.960419133540.2238F-100000@mcfeely.bsfs.org> You have to be pretty damn stupid if you need to go out and surf the 'net to find out that gunpowder can be found in shotgun shells. Big news flash: you can find fertilzer at the hardware store, rust on your daddy's Chevy, and bird doodoo in the back yard. Anybody who wants to figure out how to make explosives and CAN'T is too stupid to have graduated from high school (and probably too stupid to navigate the 'net). They're much more likely to go down to the local surplus store, and learn all this out of old U.S. military training manuals than to find it on the 'net. Who voted for these morons? They are only doing this because anything involving the 'net will get their NAMES IN THE NEWS. ---------------------------------------- Rabid Wombat wombat at mcfeely.bsfs.org ---------------------------------------- On Thu, 18 Apr 1996, Rich Graves wrote: > On Thu, 18 Apr 1996, the intrepid anonymous-remailer at shell.portal.com > FUDded to cypherpunks: > > > [Congressional Record: April 17, 1996 (Senate)] > > [Page S3454-S3478] > > [fascinating but probably out-of-context remarks from Biden, suggesting > that we should all don our tin-foil hats in fear of the FBI rabdar vans, > deleted] > > I cannot find the referenced remarks. Assuming the selection is accurate, > it is abundantly clear that Binden continued speaking beyond where you so > ominously chose to cut him off. Could you give me a *specific* URL? Or a > way to get static page number URLs? I can only figure out how to search > http://thomas.loc.gov/ and get temp URLs. > > I *did* read Biden's *highly entertaining* comments on the contentious > Internet Baby Food Bomb Issue, from the conference report mentioned by the > redoubtable Mr. Anonymous. Thanks so much for pointing me to this debate; > it almost makes still being in my office worthwile. > > Does anyone know the documents that Senator Biden is quoting? I *must > know* how to build The Dreaded Baby-Food Bomb. > > **I AM NOT MAKING THIS UP. THIS IS YOUR UNITED STATES SENATE AT WORK.** > > >From the April 17th Congressional Record, what page I unfortunately cant > tell you, because Thomas and/or I suck: > > > Mr. BIDEN. Mr. President, I yield myself such time as I may use within the > limit of the time I have. > > This provision is very straightforward and simple. It is beyond me why it > was taken out of the Senate version of the language that was sent to the > House. > > I have heard many colleagues stand up on the floor here and rail against > pornography on the Internet, and for good reason. Even when we thought we > had corrected the language that Senator Exon introduced to comport with > the first amendment, I still hear in my State, and I hear of people > writing about how so and so is promoting pornography on the Internet > because they will not ban pornography on the Internet. > > Yet, in the bill, we came along--all of us here--and the genesis of this > came from Senator Feinstein, when it was initially offered. The majority > leader, Senator Hatch, and I had some concerns with this, and we thought > the language to ban teaching people how to make bombs on the Internet or > engage in terrorist activities on the Internet might violate the first > amendment. Senators Dole, Hatch, and I worked to tighten the language and > came up with language that was tough and true to civil liberties. It was > accepted by unanimous consent. > > We have all heard about the bone-chilling information making its way over > the Internet, about explicit instructions about how to detonate pipe bombs > and even, if you can believe it, baby food bombs. Senator Feinstein quoted > an Internet posting that detailed how to build and explode one of these > things, which concludes that `If the explosion don't get'em, the glass > will. If the glass don't get'em, the nails will.' > > I would like to give you a couple of illustrations of the kinds of things > that come across the Internet. This is one I have in my hand which was > downloaded. It said, `Baby food bombs by War Master.' And this is actually > downloaded off the Internet. It says: > > These simple, powerful bombs are not very well known, even though all of > the materials can be obtained by anyone (including minors). These things > are so-- > > I will delete a word because it is an obscenity. > > powerful that they can destroy a CAR. The explosion can actually twist and > mangle the frame. They are extremely deadly and can very easily kill you > and blow the side of a house out if you mess up while building it. Here is > how they work. > > This is on the Internet now. It says: > > Go to Sports Authority or Herman's Sport Shop and buy shotgun shells. It > is by the hunting section. At the Sports Authority that I go to you can > actually buy shotgun shells without a parent or an adult. They don't keep > it behind the glass counter, or anything like that. It is $2.96 for 25 > shells. > I don't know where this might be - it is illegal in most states to sell ammunition to minors. I'm guessing that it is illegal in all states, (though Texas has some interesting views). I used to have to send my mother to the store for .38 wadcutters ... > And then it says: > > Now for the hard part. You must cut open the plastic housing of the bullet > to get to the sweet nectar that is the gun powder. The place where you can > cut is CRUCIAL. It means a difference between it blowing up in your face > or not. > > Then there is a diagram, which is shown as to how to do that on the > Internet. Then it says: > > You must not make the cut directly where the gun powder is, or it will > explode. You cut it where the pellets are. > Yeah, I think every kid I grew up with did this by the time they were 10 years old. Back when there were about 10 computers on the internet, and none of us had ever seen one. When we were younger, we used to spend hours extracting gunpowder from the paper strips used in toy cap pistols and cutting the heads off matches. I wouldn't want my kids playing with things like this, but your kid is an idiot if they need to surf the 'net to figure out that gunpowder can be found in ammunition. > And then it goes through this in detail. And then it gets to the end, and > it says: > > Did I mention that this is also highly illegal? Unimportant stuff that is > cool to know. > > And then it rates shotgun shells by two numbers, gauge, pellet size, and > goes into great detail. It is like building an erector set. It does it in > detail. > > -rich > > From richieb at teleport.com Fri Apr 19 15:57:56 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sat, 20 Apr 1996 06:57:56 +0800 Subject: EFF/Bernstein Press Release Message-ID: <2.2.32.19960419185647.006e3944@mail.teleport.com> At 10:46 AM 4/19/96 -0700, Alan wrote: >The thing I have not determined is whether they understand the outcome of >the ideas they are wanting to implement. A good case could be made either >way for cluelessness or totalitarian mindsets. I am beginning to think it >is a bit of both... More likely, IMHO, it's an attempt by politicians to make the public think they're actually doing something. It's a lot easier to rant about terrorists and the Net than to address the root causes of terrorist violence (whatever they may be...). Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From alano at teleport.com Fri Apr 19 16:11:15 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 20 Apr 1996 07:11:15 +0800 Subject: EFF/Bernstein Press Release Message-ID: <2.2.32.19960419191046.00a8f984@mail.teleport.com> At 11:56 AM 4/19/96 -0700, Rich Burroughs wrote: >At 10:46 AM 4/19/96 -0700, Alan wrote: >>The thing I have not determined is whether they understand the outcome of >>the ideas they are wanting to implement. A good case could be made either >>way for cluelessness or totalitarian mindsets. I am beginning to think it >>is a bit of both... > >More likely, IMHO, it's an attempt by politicians to make the public think >they're actually doing something. It's a lot easier to rant about >terrorists and the Net than to address the root causes of terrorist violence >(whatever they may be...). I the long run, I think that they are making the problem worse. My theory as to the causes of disorder and "terrorism" have to do with a general distrust and disrespect for laws and governments. I see this as being caused by having laws and governments that are hard to respect. Even without conspiracy theories, what we know that the government of the US has done to its own citizens is pretty scary. Between the releasing of radiation on humans near Hanford "just to see what would happen", the misdeads of the FBI with Hoover and his cronies, support of various dictators, and on and on and on, the people are getting more and more distrustful of what they are told. Mix that with a War on Unauthorized Molecules that gets more extereme and more bizzare every day, law enforcement that seems to be more concerned with issues unconnected with any principles relating to justice, and lawmakers who are totally disconnected from the things that are making laws about. These things tend to generate an attitude of "Every being for themselves!". Why not try to grab a bit under the table when your leaders are doing likewise on a bigger scale? Or try to overthrow a system that looks more and more oppresive? The forces of "Law and Order" and the forces of "Chaos and Dissent" seem (to me) to be feeding off the actions of each other. Where it will end is anyones guess. I can imagine that it probibly not be very fun for the rest of us. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jleonard at divcom.umop-ap.com Fri Apr 19 16:12:23 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Sat, 20 Apr 1996 07:12:23 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604190607.XAA17848@mage.qualcomm.com> Message-ID: <9604191918.AA17670@divcom.umop-ap.com> Peter Monta wrote: > Perry Metzger writes: > > > > 1. If "cooking" a byte sequence in a manner that reduces its > > > maximum entropy by less than 1% allows an attacker to break your > > > cryptosystem, then it is crap to begin with. With only a little > > > more effort, he could break it anyway. > > > > I would suggest that you look at differential and linear cryptanalysis > > to learn what a tiny little statistical toehold will give you. > > > > My "ad hominem PSA" stands. I suggest people not trust Mr. Wienke's > > pronouncements. He appears to be suffering from significant hubris. > > No, he's correct; cryptanalytic schemes like those you mention rely > on statistical toeholds *in the context of a deterministic cipher > algorithm*. For one-time pads that are "cooked" or "screened" (and > I agree that it's a silly thing to do), the toehold is much weaker, > infinitesimal in fact. Perry's right: giving up any statistical information is too much. A slightly contrived example of why tossing out duplicated bytes is bad: Suppose that a military organization is using this almost one-time-pad system, and my spies tell my they've fallen into the habit of sending "attack" and "defend" as their only 6-byte messages. This isn't a problem with a real one-time pad (except for traffic analysis...), but this lets me determine the message 3.8% of the time! For example, if I see: 0xfce8e8c7f4f7 (cyphertext I see) which was generated by: d e f e n d (message) 0x646566656e64 (message in hex) 0x988d8ea29a93 (pad) Then I know that I'm not going to be attacked. Attack couldn't have had the e8e8, because they threw out those pads. > For example, suppose we take 1024-bit blocks from a physical RNG > (which we'll agree is "good", has entropy close to 1024 bits, > whatever that means). There are 2^1024 such blocks. Obtain one > and apply the magical test---if the block fails, toss it in the > bit bucket. Suppose, conservatively, that half the sequences fail. > The cryptanalyst now knows that the plaintext cannot be > ( failed_pad xor ciphertext ) for any of the 2^1023 failed_pads. > Thus, it must be one of the other 2^1023. This is the *only* > toehold he gets. That's plenty big to be a problem. Jon Leonard From richieb at teleport.com Fri Apr 19 16:35:38 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sat, 20 Apr 1996 07:35:38 +0800 Subject: DANGER! Baby-Food Bombs on the Internet! [was Re: (Fwd)] Message-ID: <2.2.32.19960419193027.006db95c@mail.teleport.com> At 09:30 AM 4/19/96 -6, Peter wrote: [snip] >With the Internet in place, government attempts to legislate the flow of ideas and >knowledge are about as effective as attempts to legislate the migration routes of birds. This is true, at least until governments make their outright attempts to control the flow of the Net itself. Don't get me wrong -- I'm not saying that such attempts will be successful or effective, but I have no doubt that they will be attempted. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From fstuart at vetmed.auburn.edu Fri Apr 19 17:08:08 1996 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Sat, 20 Apr 1996 08:08:08 +0800 Subject: DANGER! Baby-Food Bombs on the Internet! [was Re: (Fwd)] Message-ID: <199604192054.PAA02825@snoopy.vetmed.auburn.edu> Peter Trei (trei at process.com) writes: >As usual, altavista comes to the rescue. > >*A* baby food jar bomb is described at: > > http://studentweb.tulane.edu/~llovejo/explode.txt > >and echoed overseas at > > http://ps.cus.umist.ac.uk/~vivaldi/boom/original.txt > > >I could not find the article on harvesting gunpowder from shotgun shells. Neat stuff in [...] That's okay...it should be on Thomas in the Congressional Record courtesy of Senator Biden. | (Douglas) Hofstadter's Law: | It always takes longer than you expect, even Frank Stuart | when you take into account Hofstadter's Law. From grafolog at netcom.com Fri Apr 19 17:24:17 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Sat, 20 Apr 1996 08:24:17 +0800 Subject: Nym Server Questions and Remailer Suggestion In-Reply-To: <9604191659.AA01571@rpcp.mit.edu> Message-ID: <Pine.3.89.9604192037.A28716-0100000@netcom17> On Fri, 19 Apr 1996, Joseph M. Reagle Jr. wrote: > *. For the purpose of mitigating traffic analysis, has anyone considered > creating a "delete-me" redirect, hence I could send a few messages to a nym On a related note, has anybody thought about creating a remailer, that sends out two, or more messages for each one received. One message goes to the original, intended recipient, and the other does a loop thru the remailers, ending up at somebody's /dev/null, or something along those lines. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From perry at piermont.com Fri Apr 19 17:29:46 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 20 Apr 1996 08:29:46 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <9604191918.AA17670@divcom.umop-ap.com> Message-ID: <199604192048.QAA12275@jekyll.piermont.com> "Jon Leonard" writes: > Perry's right: giving up any statistical information is too much. > > A slightly contrived example of why tossing out duplicated bytes is bad: > > Suppose that a military organization is using this almost one-time-pad > system, and my spies tell my they've fallen into the habit of sending > "attack" and "defend" as their only 6-byte messages. This isn't a problem > with a real one-time pad (except for traffic analysis...), but this lets > me determine the message 3.8% of the time! This could actually be used for traffic analysis in many instances; you could succeed in extracting small amounts of information from the passing data. Any amount of leakage can in some instances be too much... .pm From frantz at netcom.com Fri Apr 19 17:44:53 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 20 Apr 1996 08:44:53 +0800 Subject: TERRORISM PREVENTION ACT--CONFERENCE REPORT was: EFF/Bernstein PressRelease Message-ID: <199604192057.NAA03900@netcom9.netcom.com> At 10:46 AM 4/19/96 -0700, Alan Olsen wrote: >On to another [rant]... > >I have been seening a surprising amount of rant from the forces of >Government about keeping information out of "the hands of terrorists". ... [Much good rant deleted] Real terrorists receive instruction at terrorism schools run by organizations like the Iranians, the PLO, and even the US government (CIA, Special Forces etc.) The rate of technology transfer is much greater with hands-on teaching than it is with literature in e.g. libraries or the net. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From perry at piermont.com Fri Apr 19 17:53:23 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 20 Apr 1996 08:53:23 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <9604191736.AA00569@ch1d157nwk> Message-ID: <199604191756.NAA12031@jekyll.piermont.com> Andrew Loewenstern writes: > Perry writes: > > Furthermore, I suggest you look up the Venona intercept work > > and tell me again about how far an advesary will go with a > > tiny toehold. > > The Venona breaks came because the NSA had a lot of encrypted traffic and > some pads were used more than once, which is hardly a tiny toehold. In general, they were used twice. Thats a pretty tiny toehold. .pm From shamrock at netcom.com Fri Apr 19 18:31:22 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 20 Apr 1996 09:31:22 +0800 Subject: [NOISE] Great line from Bernstein case Message-ID: <v02120d03ad9dc19e2126@[192.0.2.1]> This one had me laughing hard: >Defendants [The feds. Ed.]also >conclude summarily that both the definition of cryptographic software >and the exemptions from this definition are clear to a person of >ordinary intelligence. This seems to be a bit of dissimulation, unless >it is a confession, since the ODTC itself mistakenly classified >Bernstein's academic paper as a defense article under Category XIII. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From anonymous-remailer at shell.portal.com Fri Apr 19 18:34:36 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 20 Apr 1996 09:34:36 +0800 Subject: No Subject Message-ID: <199604192157.OAA07383@jobe.shell.portal.com> Black Unicorn wrote: >> > > Clever kidnappers make arrangement in advance to deposit this cash with > willing financial institutions who will hold it for several years before > mixing it into their cash withdrawl stream. Kidnappers are paid based > on a subtraction of interest for the period while the cash is undeposited > and earns no interest for the financial institution, plus a fee. > > BCCI was quite notorious for using this method to cool off hot money. > > When the money was only mildly hot, it was simply physically transported > to offshore banks in smaller lots and used for their cash payouts. > (While riskier, this allowed the payment of interest). > > The other option was simply to launder the money through enough > agitations so that two or three banking secrecy entities were between the > return of the currency to free circulation and the kidnappers. > christ. who the hell is this guy? From rschlafly at attmail.com Fri Apr 19 19:15:38 1996 From: rschlafly at attmail.com (Roger Schlafly) Date: Sat, 20 Apr 1996 10:15:38 +0800 Subject: 5th protect password? Message-ID: <rschlafly1102233230> >> From: Hal <hfinney at shell.portal.com> >> I have been quite appalled to read the various analyses on the net (URLs >> not handy, but they have been posted here before I think) which conclude >> that compelled disclosure of a cryptographic pass phrase would probably >> be OK despite the Fifth Amendment. This seems to be an area where there >> is widespread agreement based on recent precedent. >> from: --Tim May >> What about the Fifth Amendment? Scholars are addressing this issue of >> compelled disclosure of cryptographic keys. Note, of course, that diaries, >> business records, papers, and, indeed, the entire contents of a putative >> crime scene are accessible to crime investigators and the legal system. >> (Whether giving up a key constitutes "testifying against one's self" or not >> is undecided, so far as I know. My own inclination is that it will be >> decided to be no different than the key to a locked diary--by itself, it is >> not self-incrimination.) Is this really an issue? I am not an expert, but I just read a Supreme Court case: DOE v. United States, 487 U.S. 201; 108 S. Ct. 2341 (1988) It involved someone who was ordered by the court to consent to the Cayman Islands bank to turn over account records. The Supreme Court said yes, because it is "more like 'be[ing] forced to surrender a key to a strongbox containing incriminating documents' than it is like 'be[ing] compelled to reveal the combination to [petitioner's] wall safe.'" The quote refers to Stevens' dissent, which said: A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed. I conclude that in a criminal case, all of the supreme court justices agree that a criminal defendant cannot be forced to reveal the combination to a wall safe, or any other information in his mind, by the Fifth Amendment. An escrow agent can presumably be compelled, unless his is accused of a crime, or has a privilege, or is outside jurisdiction. Interestingly, a footnote in the above case said: The Government of the Cayman Islands maintains that a compelled consent, such as the one at issue in this case, is not sufficient to authorize the release of confidential financial records protected by Cayman law. Sounds like the Cayman Islands might be a good place for your key escrow agents. Roger Schlafly From eck at panix.com Fri Apr 19 19:26:38 1996 From: eck at panix.com (Mark Eckenwiler) Date: Sat, 20 Apr 1996 10:26:38 +0800 Subject: 5th protect password? In-Reply-To: <rschlafly1102233230> Message-ID: <199604192318.TAA22554@panix.com> Roger Schlafly sez: + [quotes from] + DOE v. United States, 487 U.S. 201; 108 S. Ct. 2341 (1988) + ... + I conclude that in a criminal case, all of the supreme court + justices agree that a criminal defendant cannot be forced to + reveal the combination to a wall safe, or any other information in + his mind, by the Fifth Amendment. Except that the Fifth Amendment is not limited to "criminal cases" in the way one might ordinarily understand that phrase. One may assert the Fifth Amendment in a civil case, in an administrative proceeding, at a legislative hearing, or, indeed, in the absence of any formal proceeding. See _Kastigar_. (I posted a summary of Doe II just the other day. Did it not reach the list?) Also, "any other information" is a little too broad. You can be forced to reveal "pedigree" information such as name and DOB. See _Penna. v. Muniz_ (1990). Asking an apparently drunk driver the date of his sixth birthday (as part of a DWI test) is, however, an effort to elicit Fifth Amendment "testimony"; given the added factors of potential incrimination and compulsion (implicit in custodial interrogation sans Miranda warnings), the privilege may be validly exercised in response to such a question. See ibid. The much more interesting question, from a legal perspective, is what happens if your key/password/passphrase is written/stored on physical media. From adam at lighthouse.homeport.org Fri Apr 19 19:55:27 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 20 Apr 1996 10:55:27 +0800 Subject: Cybercash vs Mark Twain Digicash? In-Reply-To: <Pine.SOL.3.91.960418123002.2012A-100000@goodguy> Message-ID: <199604200051.TAA10080@homeport.org> Despite its lack of popularity with many cypherpunks, I'm occaisonally a fan of FV. Yes, they blow big chunks in marketing. Yes, they're selling a cheesy hack to move credit cards. Yes, they sit on merchants cash for 90 days. But.. I can set up a client account for $2, a merchant for $10. I can set up the client account in literally three minutes. I don't need special software distributed in binary for machines I don't have. I don't like it, but the low tech cheesy solutions often beat out better stuff because they are cheap & low cost of entry. Not to start a religious war in this area, bit witness wintel. Adam | Hello. I've been off the list for quite a while now, so I'm not up to | date on the current ecash schemes. My company (a major internet service | provider with a lot of web advertising clients) is looking into which | digital cash method would be best to support for use on our customer's | web pages. The head of the web department has taken a look at several, | and is torn between Mark Twain's stuff and Cybercash. I was wondering if | people who have looked at these systems could give me a rundown on the | major differences. I know that Mark Twain is nice and secure (or at least | I *think* I know that) but Cybercash is signifigantly easier to use. Any | comments would be welcome, and to keep list volume down (I assume it's | still as busy as ever) I'd be happy to recieve replies via direct email, | and sumarize for the list. | | Happy Hunting, -Chris Odhner | - GoodNet - | -- "It is seldom that liberty of any kind is lost all at once." -Hume From runner at asiapac.net Fri Apr 19 20:00:56 1996 From: runner at asiapac.net (runner at asiapac.net) Date: Sat, 20 Apr 1996 11:00:56 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604192338.HAA06653@gandalf.asiapac.net> Hi, Lurking here for quite some time until now a real problem has come up and I need help here. I'm not in the US of A and the Netscape commerce server that my employer recently purchased has only 48bit key (as told by the salesman). My question is whether it is possible to add-in my own security module (RSA) and secondly, how difficult is it? The salesman cannot answer me. Thanks a lot. From unicorn at schloss.li Fri Apr 19 21:34:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 20 Apr 1996 12:34:28 +0800 Subject: 5th protect password? In-Reply-To: <rschlafly1102233230> Message-ID: <Pine.SUN.3.91.960419203753.1662E-100000@polaris.mindport.net> On Fri, 19 Apr 1996, Roger Schlafly wrote: > > An escrow agent can presumably be compelled, unless his is accused > of a crime, or has a privilege, or is outside jurisdiction. > Interestingly, a footnote in the above case said: > > The Government of the Cayman Islands maintains that a compelled > consent, such as the one at issue in this case, is not > sufficient to authorize the release of confidential financial > records protected by Cayman law. > > Sounds like the Cayman Islands might be a good place for your key > escrow agents. Currently, no better than the United States. First, the Cayman Islands law refers primarily (if not exclusively) to financial information. Second, the judicial blocking provisions in the Caymans have been much reduced by the U.S. Mutual Legal Assistance treaty that penetrates banking secrecy when it is interfering with a criminal investigation involving money laundering or a series of other crimes. Third, even in the event your escrow information was protected the court would be much more successful simply by trying to compel the defendant through contempt sanctions. (It's not always enough to put data overseas, particularly where you're still sitting in the U.S. or otherwise within the court's jurisdiction). Fourth, prosecutors don't typically bother to try and compell [escrow] agents, but instead seek "consent orders" from defendants instructing the agent to release the information. So, in sum, the Caymans law doesn't have anything to do with non-financial information safekeeping. Even if it did, a criminal investigation that would be interesting enough to try and seek non-tax and non-financial information from an agent in the Islands would almost certainly trigger the secrecy penetration clauses of the Mutual Legal Assistance Treaty. And finally, the fact that they cant get your data is not going to protect you from a major main in the rump. The large article I posted to the list goes into these points in detail in the context of protecting financial information and assets. If you would like another copy, please let me know. > > Roger Schlafly > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Fri Apr 19 21:46:44 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 20 Apr 1996 12:46:44 +0800 Subject: Dictionary searching code In-Reply-To: <199604200102.UAA10156@homeport.org> Message-ID: <Pine.SUN.3.91.960419214457.1662F-100000@polaris.mindport.net> On Fri, 19 Apr 1996, Adam Shostack wrote: > > Does anyone have some code that will search a dictionary, and > tell me *quickly* if an arbitrary chunk of text is in the dictionary? > Pre-indexing steps are fine, as is using big chunks of disk for hash > tables. The point of course, is to check arbitrary possible plaintext > that a test decryption produces. There are several serachable dictionaries on the web. That might be a good place to look for search code. > > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Fri Apr 19 21:57:51 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 20 Apr 1996 12:57:51 +0800 Subject: Message-ID: <m0uAR5B-0008z7C@pacifier.com> At 02:57 PM 4/19/96 -0700, anonymous-remailer at shell.portal.com wrote: >Black Unicorn wrote: > >>> >> >> Clever kidnappers make arrangement in advance to deposit this cash with >> willing financial institutions who will hold it for several years before >> mixing it into their cash withdrawl stream. Kidnappers are paid based >> on a subtraction of interest for the period while the cash is undeposited >> and earns no interest for the financial institution, plus a fee. >> >> BCCI was quite notorious for using this method to cool off hot money. >> >> When the money was only mildly hot, it was simply physically transported >> to offshore banks in smaller lots and used for their cash payouts. >> (While riskier, this allowed the payment of interest). >> >> The other option was simply to launder the money through enough >> agitations so that two or three banking secrecy entities were between the >> return of the currency to free circulation and the kidnappers. >> > >christ. > >who the hell is this guy? He's a person whose entire income stream (or most of it, probably) is derived from the misbehavior of government. Jim Bell jimbell at pacifier.com From ddt at lsd.com Fri Apr 19 22:26:10 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sat, 20 Apr 1996 13:26:10 +0800 Subject: [NOISE] sign-off instructions Message-ID: <v03006603ad9da8922289@[192.187.167.52]> [author unknown, fwds elided] Uni, take note... Might make an amusing periodic auto-post to the clueless list. ;) dave ................................. cut here ................................. "HOW TO UNSUBSCRIBE" This is what you need to do. Please read these instructions carefully before beginning. tools needed: one Hammer one scredriver one pair of pliers one heavy-duty pair of wire cutters one bucket of saline water a box of sani-wipes Step #1: Stop payment on any checks that you may have sent to your Internet Service Provider (GOD). Step #2: If GOD is unresponsive and you are still receiving mail from this list, you will need to find the "mailhost". This is a machine usually located in a locked office. Every day around noon, the mailman will deliver a box of diskettes with that day's mail messages, including yours from this list, to this machine. Typically, only a handful of people have keys to the "mailhost". The reason why this machine is locked up is because this is typically the best, fastest, most powerful computer at your facility and the people with keys don't want to share it. If you must, break or pry the door down with one (1) hammer (you did get all the tools needed?). Step #3: Find the ON/OFF switch for this machine. Using the pliers, set the switch to the OFF position by tugging downwards until the disposable plastic switch breaks away from the computer casing. Discard the disposable plastic switch in an environmental-friendly manner. This will alert the mailman to not deliver the diskettes with the messages to the "mailhost" not unlike the little red flag found on mailboxes. This should resolve your mail problem immediately. Step #4: You may experience a recurrence of mail within 72 hours. If this should happen, you will need to disable the "mailhost" once again with more forceful measures. Repeat Step #2. Don't be suprised if there is a sturdier door in place than the one you destroyed previously. This is due to the fact that the "Have Key" clique found out that someone has seen their private stash of computer equipment. Step #5: After you have once again regained entry into the "mailhost" room, open up the back of the "mailhost". There may be a large tv-like device on top of the "mailhost" You will need to remove this first. Take your wire cutters, and cut any cables binding the tv-like device to the "mailhost". Set the tv-like device to the side. With your screwdriver, remove each and every screw that you can find on the "mailhost". Once this is done, the "mailhost" should break away into two or more pieces. Step #5: Find a large box with a fan attached to it. It will be clearly marked with the following labels: "Danger" "High Voltage" "Do not open - no user-servicable parts". Don't worry, these labels are merely in place to satisfy OSHA requirements and you are not in any danger at all. Take the bucket of saline water and pour it into any vents or ports that the large box may have. Any extra water should be poured directly into the computer chassis, be sure to properly soak each and every component. Step #6: In the event of fire (OSHA has been known to be right on occassion), douse any flames with the sani-wipes. This solution is provided without warranty. It is not bio-degradable or fat-free. In the event of sudden death, contact a physician immediately. From ddt at lsd.com Fri Apr 19 22:26:33 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sat, 20 Apr 1996 13:26:33 +0800 Subject: [EVENT] cheap date w/Bob Dole Message-ID: <v03006604ad9daa598d82@[192.187.167.52]> Calling All Cypherpunks: An interesting "special event" just showed up on the radar. Sorry for the noise if you've heard about it already. dave ................................ cut here ................................. "Public Policy Issues Forum on Information Security" (aka "Celebration of 20 years of Public Key Cryptography" 1976-1996) Co-Hosts: Cylink Corporation The Churchill Club Date & Place: Monday, April 29 (6-10 PM) Marriott Hotel, Burlingame (spittin' distance from SF Airport) Dinner: $20 for club members $35 for non-members Menu includes [mad cow] steak dinner and wine Cash bar Speakers include: - James Freeman FBI Special Agent in Charge of the San Francisco Region; on the $100 billion annual loss to U.S. business from industrial espionage. - David Morris Vice President of Cylink; on advanced security systems needed today beyond firewalls which are only partial solutions; five requirements a truly secure information protection system must have. - Senator(s) Larry Pressler (and Bob Dole?*) on new legislation (The Encryption Communications Privacy Act of 1996) to loosen restrictions on strong crypto in the U.S.; need to allow U.S. firms to export long-key-length crypto. [yes, Virginia, _that_ Senator Pressler, the one who made the Bottom Ten list] - Senator Conrad Burns (R/Montana) on his proposed bill (Promotion of Commerce On-Line in the Digital Era) which could include preventing government from becoming an escrow registry bureau. [of CFP96 cowboy-hat voicelink fame] - Congressman Robert Goodlatte on his "Security and Freedom Through Encryption Act" (SAFE) legislation. - Paul Raines Project Manager with the U.S. Postal Service; previewing the USPS Electronic Postmarking System (1st nationwide use of PKC in a consumer-based public service, includes a certificate authority registry). - Whitfield Diffie - Martin Hellman - Ralph Merkle the three inventors/original patent-holders in the field of Public Key Cryptography on a panel discussing the future of cryptography, 3DES and "other issues." __________ If you're planning on being hungry on 29 April, get more info or RSVP and reserve a seat by calling: The Churchill Club 2323 South Bascom Ave Campbell CA 95008 408.371.4460 voice - ask for Lisa (try pressing #0 at the menu) 408-371-4180 fax There's a suggestion that you _could_ pay by sending your credit card info over the net (ironically, I see no public key being provided, but that's AOL for you...). For the foolhardy, the address is: <chrchllclb at aol.com> Alternatively, you can send it to <kmitnick at ax.netcom.com> or <donations at lsd.com> ;) __________ Notes: * Sen. Dole hasn't confirmed yet, but he's co-sponsor of the Encryption Communications Privacy Act, so if there are no high-visibility Senate votes or major campaign babies to kiss on-camera, chances are he'll paint a target on his back and kick it with us. The speakers alledgely include representatives from all three Congressional legislation groups. Expect the Press to attend. Other confirmations are still coming in from additional participants. For the price of a Van Halen ticket, this should be worth a giggle or two. -------------- next part -------------- A non-text attachment was scrubbed... Name: pgp00001.pgp Type: application/octet-stream Size: 320 bytes Desc: "PGP signature" URL: <https://lists.cpunks.org/pipermail/cypherpunks-legacy/attachments/19960420/f3ac021e/attachment.obj> From adam at lighthouse.homeport.org Fri Apr 19 22:54:02 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 20 Apr 1996 13:54:02 +0800 Subject: Dictionary searching code Message-ID: <199604200102.UAA10156@homeport.org> Does anyone have some code that will search a dictionary, and tell me *quickly* if an arbitrary chunk of text is in the dictionary? Pre-indexing steps are fine, as is using big chunks of disk for hash tables. The point of course, is to check arbitrary possible plaintext that a test decryption produces. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From llurch at networking.stanford.edu Fri Apr 19 23:04:57 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 20 Apr 1996 14:04:57 +0800 Subject: Baby-Food Bombing and highly selective quoting In-Reply-To: <199604190412.VAA12784@jobe.shell.portal.com> Message-ID: <Pine.ULT.3.92.960419161343.18820D-100000@Networking.Stanford.EDU> On Thu, 18 Apr 1996, some anonymous FUDder sent us this: > ------- Forwarded Message Follows ------- > Date: Thu, 18 Apr 1996 10:01:03 -0500 > From: Al Thompson <alt at iquest.net> > To: Multiple recipients of list NEWS <NEWS at AEN.ORG> > Subject: > > [Congressional Record: April 17, 1996 (Senate)] > [Page S3454-S3478] Specifically, page S3455. But the quote is so out of context as to be inaccurate. For an accurate record of Senator Biden's remarks, plus the full text of the Baby-Food Bomb and Unabomber Wannabe documents, you want to follow the *second* of the *two* TERRORISM PREVENTION ACT--CONFERENCE REPORT links on: http://thomas.loc.gov/r104/r104s17ap6.html I think the following is a permanent URL, but I'm sure you can't make hard links any deeper: http://thomas.loc.gov/cgi-bin/query/z?r104:S17AP6-332: Also note that this speech concerns an amendment to S735 that FAILED. I.e., the language for which the esteemed [snort] Mr. Biden is arguing IS NOT IN THE BILL AS PASSED BY THE SENATE. >[...] > As some people tell > it, you would think the FBI and BATF and the local and State police > are tapping our phones left and right, that they are riding down the > streets in vans with electronic devices eavesdropping into our > windows and houses--which they have the capacity to do, by the way. Mr. Biden's next sentence, which either Mr. Thompson or the anonymous forwarder conveniently left out, is "But that is just not the way it works." It should come as no surprise to anyone on the cypherpunks that such things are technically possible. But do they happen? Does even our friend Senator Joe "You Heard It Here First" Biden approve? Mr. Biden's speech continues, also conveniently left out by Mr. Thompson and the anonymous forwarder: That necessity requirement is meant to ensure that wiretapping is not the normal investigative technique, like physical surveillance or the use of informants. These are very serious protections, Mr. President. I believe that interposing a court between the prosecutor and the wiretap is a citizens' best protection. But even before we get to the judge who makes his decision, there is a very painstaking, stringent process within the Justice Department for determining when to seek a court authorization for a wiretap. First, the agent in the field, under the supervision of his or her supervisor, must write an affidavit, a sworn affidavit, that they must sign that sets out all the particular facts relating to probable cause, because even if an order is granted based on the agent, if he is lying, then that information is gone even if the judge issued the wiretap order. [...] This is painstaking. It is time consuming, as well it should be, for we want to make sure that wiretaps are used in only the most serious cases. We want to make sure that they are used only as a last resort when all other less intrusive techniques have failed, and we want to make sure that the Government is not making unwarranted intrusions into our privacy. But we also need to make sure that law enforcement has the tools, if they meet all these hurdles, to catch the bad guy. [...] You cannot get a wiretap, even if you do all the things I just said, unless you turn to the Criminal Code, and you have all these crimes listed in the Criminal Code. OK. You may find a crime in one section, and then you have to turn to another section, section 251, of the Criminal Code entitled, `Authorization for Interception of Wire, Oral or Electronic Communications.' And then you have to find there in subsection (c) the list of offenses for which you can get a wiretap. Not every crime is entitled to have a wiretap attached to it. So there we are. The next speech is by Orrin Hatch, who doesn't really address any of Biden's points, but that's OK, because I don't agree with them. Oh yeah, and Biden read the full text of the "Attention All Unabomber Wannabes" and "Babyfood Bombs" documents into the Congressional Record, supposedly to underscore the point that those nasty Republicans are endorsing such nasty nasty stuff. Sort of like Exon's little blue book. So if you want to know how to build a baby-food bomb, simply write your congresscritter. -rich From tcmay at got.net Fri Apr 19 23:06:10 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 20 Apr 1996 14:06:10 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <ad9da80f000210044d78@[205.199.118.202]> It should be interesting to see what happens when the Bernstein ruling (assuming it is further upheld as the court case and appeals proceed) meets the proposed law making the writing of virus code a crime. If crypto software is essentially speech, albeit in a non-traditional human language, then virus software is no different. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Fri Apr 19 23:44:56 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 20 Apr 1996 14:44:56 +0800 Subject: Baby-Food Bombing and highly selective quoting Message-ID: <m0uATlP-00092YC@pacifier.com> At 04:45 PM 4/19/96 -0700, Rich Graves wrote: >On Thu, 18 Apr 1996, some anonymous FUDder sent us this: > > http://thomas.loc.gov/r104/r104s17ap6.html > >I think the following is a permanent URL, but I'm sure you can't make hard >links any deeper: > > http://thomas.loc.gov/cgi-bin/query/z?r104:S17AP6-332: > >Also note that this speech concerns an amendment to S735 that FAILED. >I.e., the language for which the esteemed [snort] Mr. Biden is arguing IS >NOT IN THE BILL AS PASSED BY THE SENATE. > >>[...] >> As some people tell >> it, you would think the FBI and BATF and the local and State police >> are tapping our phones left and right, that they are riding down the >> streets in vans with electronic devices eavesdropping into our >> windows and houses--which they have the capacity to do, by the way. > >Mr. Biden's next sentence, which either Mr. Thompson or the anonymous >forwarder conveniently left out, is "But that is just not the way it >works." Here's a question, however: What, exactly, stands between the way it is supposedly done, today, and wiretapping with none of these "protections." I see nothing in the Constitution which mandates them, at least explicitly, which suggests that the thugs might simply decide, tomorrow, that they are not really necessary after all. Is it possible that the only reason these protections are in place is to provide a window-dressing of caution, to ensure that the disgust of the public doesn't get too great? And another question I've never seen a satisfactory answer for: Why is there not an automatic policy to inform the person tapped, at least after the tap is removed, analogous to the level of information the victim of a search warrant normally gets? Jim Bell jimbell at Pacifier.com From attila at primenet.com Fri Apr 19 23:47:50 1996 From: attila at primenet.com (attila) Date: Sat, 20 Apr 1996 14:47:50 +0800 Subject: Dictionary searching code Message-ID: <199604200410.VAA21173@usr2.primenet.com> ** Reply to note from Adam Shostack <adam at lighthouse.homeport.org> 04/19/96 8:02pm -0500 = = = Does anyone have some code that will search a dictionary, and = tell me *quickly* if an arbitrary chunk of text is in the dictionary? = Pre-indexing steps are fine, as is using big chunks of disk for hash = tables. The point of course, is to check arbitrary possible plaintext = that a test decryption produces. = for this purpose, the OLD unix code starting with V6 20 years ago has a speller with a fairly comprehensive dictionary. The code is small. about 15 years ago I broke it out and rewrote it as linkable libraries to handle multiple dictionaries. I know I have the code somewhere --probably on MIPS 2000 tape or Sun 3 tape... the code also contains excellent prefix/suffix codes, etc. I do not remember spending a great deal of time doing the conversion, and it was straighforward to convert it to a callable library (or even a .dll). attila -- Obscenity is a crutch for inarticulate motherfuckers. Fuck the CDA! cc: Cypherpunks <cypherpunks at toad.com> From wombat at mcfeely.bsfs.org Fri Apr 19 23:50:34 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Sat, 20 Apr 1996 14:50:34 +0800 Subject: plaugue of unsubscribes In-Reply-To: <199604191618.JAA20702@spike.hnc.com> Message-ID: <Pine.BSF.3.91.960420000537.3166C-100000@mcfeely.bsfs.org> If you haven't already deleted the "unsuscrive" messages, take a look at the headers. I suspect that someone is using a browser to forge e-mail (very easy to do, bit very obvious where it came from) A lot of these have come from the same address. ---------------------------------------- Rabid Wombat wombat at mcfeely.bsfs.org ---------------------------------------- > >What still confuses me is the number of people who asked to be > >"unsubscrived." Seems like an odd coincidence that all those folks would > >miss the B key. Some had done it severeal times in the same message. I > >wonder if they were totally set up -- if they got mail telling them to > >"unsubscrive." Some people's idea of fun boggles me... > > > >Rich From declan at eff.org Sat Apr 20 00:50:17 1996 From: declan at eff.org (Declan McCullagh) Date: Sat, 20 Apr 1996 15:50:17 +0800 Subject: Protocols at the Point of a Gun In-Reply-To: <OTwdx8m9LYbG085yn@netcom.com> Message-ID: <Pine.SUN.3.91.960419192512.4950B-100000@eff.org> On Thu, 18 Apr 1996, Alan Bostick wrote: > Don't forget: There are lots of colleges and universities on the net, > and most of these universities have undergraduates, and a significant > fraction of these undergraduates are minors. The potential user base is > going to be mixed and must be presumed to be so. (That, I'm told, is > the chief justification of the Carnegie-Mellon ban on the alt.sex.* > Usenet newsgroups.) *Lots* of systems are affected by this problem. This is an excellent point, and one worth repeating. The Chronicle of Higher Education has been quite diligent in covering the CDA hearings in Philadelphia since their readership is concerned about this issue. As for CMU's justification for censoring USENET newsgroups, the legal justification for protecting minors is non-existent -- the administration's reasons are financial and PR. Check out this February 1996 thread on the fight-censorship list: http://fight-censorship.dementia.org/fight-censorship/dl?thread=CMU+basks+in+favorable+publicity+from+Rimm+study,+Usenet+censorship&after=1323 The attached excerpt from a Carnegie Mellon University PR newsletter shows how top administrators are basking in the publicity sparked by the Rimm study and CMU's CompuServe-esque censorship of sexual discussion groups in November 1994. The Warner Hall bureaucrats are smug in claiming they were justified in "limiting the access of pornography on our campus computers." Of course, that's not to say that CMU administrators aren't prudes as well. For more info: http://www.cs.cmu.edu/~declan/rimm/ http://www.cs.cmu.edu/~kcf/censor/ http://joc.mit.edu/cmu.html -Declan // declan at eff.org // I do not represent the EFF // declan at well.com // From ses at tipper.oit.unc.edu Sat Apr 20 00:55:02 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 20 Apr 1996 15:55:02 +0800 Subject: Dictionary searching code In-Reply-To: <199604200102.UAA10156@homeport.org> Message-ID: <Pine.SOL.3.91.960419200322.14381A-100000@chivalry> On Fri, 19 Apr 1996, Adam Shostack wrote: > > Does anyone have some code that will search a dictionary, and > tell me *quickly* if an arbitrary chunk of text is in the dictionary? > Pre-indexing steps are fine, as is using big chunks of disk for hash > tables. The point of course, is to check arbitrary possible plaintext > that a test decryption produces. You could try using isite (see http://www.cnidr.org/), which is a pretty cool search engine, and should work well enough, and the patrie structure could make restarts really fast . The real answer to your question depends almost entirely on the machine you wish to run it on- is memory not a problem? If so, tries may be your best bet, though you may have bad cache interactions. Otherwise, you might be best going for a probabalistic approach and using hash table to elimate definite non-matches, then an AVL-Tree or similar for confirmation. If you just use a single bit for each hash-table datum, you can afford to make the table pretty sparse Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From frantz at netcom.com Sat Apr 20 02:58:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 20 Apr 1996 17:58:25 +0800 Subject: Dictionary searching code Message-ID: <199604200639.XAA24430@netcom9.netcom.com> At 8:02 PM 4/19/96 -0500, Adam Shostack wrote: > Does anyone have some code that will search a dictionary, and >tell me *quickly* if an arbitrary chunk of text is in the dictionary? >Pre-indexing steps are fine, as is using big chunks of disk for hash >tables. The point of course, is to check arbitrary possible plaintext >that a test decryption produces. This application sounds perfect for Bloom filters. The basic idea of a Bloom filter is to build a database by taking each word in the dictionary and hashing with N different hashes. The hashes do not need to by cryptographically secure, but they do need to be good hashes, XOR doesn't make it. You use those hashes as bit offsets in a giant bit map, which is the database. When building the database you turn on the bits at each of these N locations. When accessing the database, you hash the chunk of text with the same hashes, and then test the bits in the database at those offsets. If any of the bits are zero, then the chunk of text is not in the dictionary. The failure mode is to say something is in the dictionary when it isn't. If half the bits in the database are on, then the probability of failure is 2**(-N), so if N==10, then the failure rate is 1 in 1024. If empirically, you get a higher failure rate, check the quality of your hashes. For cryptanalysis, I might pick a higher N and eyeball check for failures. Say you want 1 in a million failure rate, and have an 80,000 word dictionary. You need a 20 * 80,000 * 2 bit database, which is 400,000 bytes. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From daw at cs.berkeley.edu Sat Apr 20 03:06:24 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Sat, 20 Apr 1996 18:06:24 +0800 Subject: why compression doesn't perfectly even out entropy In-Reply-To: <199604182255.PAA13373@jobe.shell.portal.com> Message-ID: <4la5b6$1sb@joseph.cs.berkeley.edu> In article <199604182255.PAA13373 at jobe.shell.portal.com>, Hal <hfinney at shell.portal.com> wrote: > So I think the lesson is that there is only one way to estimate entropy, > and that is to study your source. I have to agree with Perry that this > filtering concept is not the way to go. It is a red herring that lures > you in the direction of automatic entropy estimation, and that is really > not safe. Excellent point! Very nicely put. You've convinced me: I was looking at the problem the wrong way. Thanks for correcting & educating me... Appreciative of the "signal", -- Dave Wagner From unicorn at schloss.li Sat Apr 20 03:36:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 20 Apr 1996 18:36:20 +0800 Subject: [Yadda Yadda Yadda] Re: In-Reply-To: <m0uAR5B-0008z7C@pacifier.com> Message-ID: <Pine.SUN.3.91.960420025151.17622B-100000@polaris.mindport.net> On Fri, 19 Apr 1996, jim bell wrote: > >> > > > >christ. > > > >who the hell is this guy? [unicorn] > > He's a person whose entire income stream (or most of it, probably) is > derived from the misbehavior of government. Most of my income comes from investments and venture capital. I circumvent government only as a hobby. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From herf+ at CMU.EDU Sat Apr 20 04:58:59 1996 From: herf+ at CMU.EDU (Michael B Herf) Date: Sat, 20 Apr 1996 19:58:59 +0800 Subject: Dictionary searching code In-Reply-To: <199604200102.UAA10156@homeport.org> Message-ID: <klS_BhG00iWY40oIYF@andrew.cmu.edu> I have some anagram code that could be easily adapted to do what you say. Basically, it will find any anagram of a word exists in a dictionary. This means you can query an arbitrarily large dictionary at >100 words per second. Actually, now that I think about it, it takes 2 seeks, but you could remove one of them if you were doing a lot of queries. (i.e. 1+n seeks for n=number of words.) Look at ftp://vivarin.res.cmu.edu/pub/scram mike From brucem at wichita.fn.net Sat Apr 20 10:13:29 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Sun, 21 Apr 1996 01:13:29 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <ad9da80f000210044d78@[205.199.118.202]> Message-ID: <Pine.BSI.3.91.960420095805.28058B-100000@wichita.fn.net> On Fri, 19 Apr 1996, Timothy C. May wrote: > It should be interesting to see what happens when the Bernstein ruling > (assuming it is further upheld as the court case and appeals proceed) meets > the proposed law making the writing of virus code a crime. > > If crypto software is essentially speech, albeit in a non-traditional > human language, then virus software is no different. I think the determination of whether virus software will be considered free speech (and thus legal) or speech needing limits (illegal) will be based entirely on whether that code is active in system memory or just sitting on a hard drive. The U.S. and many other countries already have laws that make it a crime to destroy or manipulate data in an unauthorized manner, which active viruses would qualify as doing. In comparison to someone shouting "I have a bomb," on an airplane, this type of speech is already illegal. However, I would have no problem with people having viruses or virus source code on their own computers or sharing this code with others as long as the receiver is aware of the infective nature of the software. My guess is that the law will probably pan out in this manner. Bruce Marshall From Majordomo at c2.org Sat Apr 20 10:55:28 1996 From: Majordomo at c2.org (Majordomo at c2.org) Date: Sun, 21 Apr 1996 01:55:28 +0800 Subject: Welcome to clueless Message-ID: <199604201535.IAA05505@infinity.c2.org> -- Welcome to the clueless mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at c2.org" with the following command in the body of your email message: unsubscribe clueless cypherpunks at toad.com Here's the general information for the list you've subscribed to, in case you don't already have it: #### No info available for clueless. From brucem at wichita.fn.net Sat Apr 20 11:00:38 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Sun, 21 Apr 1996 02:00:38 +0800 Subject: Wiretapping v warrants In-Reply-To: <m0uATlP-00092YC@pacifier.com> Message-ID: <Pine.BSI.3.91.960420101301.28058D-100000@wichita.fn.net> On Fri, 19 Apr 1996, jim bell wrote: > Here's a question, however: What, exactly, stands between the way it is > supposedly done, today, and wiretapping with none of these "protections." First and foremost Congress, then the Judicial system and finally the people themselves. As far as I know, the Communications Assistance for Law Enforcement Act still hasn't been enforced since Congress won't give them funding until better statistics are provided by the FBI as to why they need the ability to place wiretaps so extensively. I'm sure the reasonability of privacy would come into play with the court system along with who knows what other claims. > And another question I've never seen a satisfactory answer for: Why is > there not an automatic policy to inform the person tapped, at least after > the tap is removed, analogous to the level of information the victim of a > search warrant normally gets? Since I'm not exactly sure whether the targets of a wiretap are ever informed that their conversations were monitored if they aren't later prosecuted using the info gained through the wiretap, I couldn't really comment on why if that is the case. Personally, I think a better example could be used. When a person is placed under visual surveilance they also are uninformed that their actions are being scrutinized. Their conversations can be picked up using high powered microphones and they can be plainly seen with binoculars or even night vision goggles. I would assume that they probably aren't informed after the fact either unless the surveilance is used against them in court. Regardless, I think that if people aren't informed that they were the subject of an investigation after they are cleared, they should be. Bruce Marshall From rwaldrip at vdospk.com Sat Apr 20 11:09:17 1996 From: rwaldrip at vdospk.com (rwaldrip at vdospk.com) Date: Sun, 21 Apr 1996 02:09:17 +0800 Subject: Puffer? Message-ID: <316DBE61.5D97@vdospk.com> Does anyone use Puffer? Tell me about your experience with it. I just got it installed. From perry at piermont.com Sat Apr 20 12:38:45 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 21 Apr 1996 03:38:45 +0800 Subject: Add-in encryption module to Netscape In-Reply-To: <199604192338.HAA06653@gandalf.asiapac.net> Message-ID: <199604201650.MAA14845@jekyll.piermont.com> runner at asiapac.net writes: > I'm not in the US of A and the Netscape commerce server that my > employer recently purchased has only 48bit key (as told by the > salesman). My question is whether it is possible to add-in my own > security module (RSA) and secondly, how difficult is it? The > salesman cannot answer me. You made a mistake in buying Netscape commerce in the first place, but don't despair! You can still get Apache, an excellent web server, and an unencumbered SSL module that you can use without restriction outside the U.S. (if you want to run it inside the U.S. you need to pay a fee because of the patents on RSA). Perry From tcmay at got.net Sat Apr 20 14:05:21 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 21 Apr 1996 05:05:21 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <ad9e769802021004d3a5@[205.199.118.202]> At 3:05 PM 4/20/96, Bruce Marshall wrote: >On Fri, 19 Apr 1996, Timothy C. May wrote: > >> It should be interesting to see what happens when the Bernstein ruling >> (assuming it is further upheld as the court case and appeals proceed) meets >> the proposed law making the writing of virus code a crime. >> >> If crypto software is essentially speech, albeit in a non-traditional >> human language, then virus software is no different. > > I think the determination of whether virus software will be >considered free speech (and thus legal) or speech needing limits >(illegal) will be based entirely on whether that code is active in system >memory or just sitting on a hard drive. I of course was being careful to specifically say "the proposed law making the writing of virus code a crime." I think most of us will agree that destroying someone else's data via viruses may well be a crime, depending on circumstances. However, the talk of trying to felonize the _writing_ of virus code, irrespective of whether it is ever used criminally, is what I think the Bernstein decision bears on. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From umwalber at cc.UManitoba.CA Sat Apr 20 14:38:49 1996 From: umwalber at cc.UManitoba.CA (Sean A. Walberg) Date: Sun, 21 Apr 1996 05:38:49 +0800 Subject: ApacheSSL Message-ID: <199604201850.NAA09592@electra.cc.umanitoba.ca> An ISP that I have ties with is looking to set up a secure server. Currently, they are running Apache. I told them that for ~$500 they can put on Apache SSL and be all ready. However, they want to buy Netscape (for the name, I've already given them the 40bit gospel), put it on a separate, firewalled machine, allow no access to it, etc, etc. Is all this paranoia necessary? Sean =================] Will work for RAM [================== | Sean A. Walberg | PGP key | C programmers | | Computer Engineering ][ | on | do it in | | umwalber at cc.umanitoba.ca | servers | libraries! | =============] http://www.escape.ca/~sean [============= From steve at edmweb.com Sat Apr 20 15:33:51 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 21 Apr 1996 06:33:51 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.BSI.3.91.960420095805.28058B-100000@wichita.fn.net> Message-ID: <Pine.BSF.3.91.960420125016.6813A-100000@kirk.edmweb.com> > I think the determination of whether virus software will be > considered free speech (and thus legal) or speech needing limits > (illegal) will be based entirely on whether that code is active in system > memory or just sitting on a hard drive. In Canada, there is a law that makes "unauthorized use of computing resources" illegal. That makes both hacking and malicious virus spreading illegal with one law, without making it illegal to share virus information and source code. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From jimbell at pacifier.com Sat Apr 20 15:36:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 06:36:46 +0800 Subject: Wiretapping v warrants Message-ID: <m0uAhuj-00090KC@pacifier.com> At 10:42 AM 4/20/96 -0500, Bruce Marshall wrote: >On Fri, 19 Apr 1996, jim bell wrote: > >> Here's a question, however: What, exactly, stands between the way it is >> supposedly done, today, and wiretapping with none of these "protections." > > First and foremost Congress, But were these "protections" the product of a law passed by Congress? > then the Judicial system I'm feeling much better....NOT! >and finally the people themselves. It's called "Right to Keep and Bear Arms." >> And another question I've never seen a satisfactory answer for: Why is >> there not an automatic policy to inform the person tapped, at least after >> the tap is removed, analogous to the level of information the victim of a >> search warrant normally gets? > > Since I'm not exactly sure whether the targets of a wiretap are ever >informed that their conversations were monitored if they aren't later >prosecuted using the info gained through the wiretap, I couldn't really >comment on why if that is the case. The reason you don't know is simply that there is no _Constitutional_ reason. There is merely a practical one: The act of wiretapping does not automatically inform those tapped, in the same way that service of a search warrant does, so the government CONVEEEENIENTLY forgets to tell them. Most government suck-ups don't even want to address this issue; they have no explanation. Unlike them, you acknowledged that you weren't away of the reason why. > Personally, I think a better example could be used. When a person is >placed under visual surveilance they also are uninformed that their >actions are being scrutinized. Their conversations can be picked up >using high powered microphones and they can be plainly seen with >binoculars or even night vision goggles. I would assume that they >probably aren't informed after the fact either unless the surveilance is >used against them in court. I seem to recall a news item from Washington state within the last couple of years in which a conviction was thrown out because evidence was obtained with thermal-IR imagers. You know, look for the hot house and it's being used to grow pot. Problem is, that kind of viewing is not normally publicly apparent, so a citizen has a reasonable belief that it can't be used against him. In another case, in Oregon, the use of night-vision goggles to observe people (at least in collecting evidence) was thrown out, for the same reason: Even if, arguably, people were out "in public," they had a reasonable expectation that they would not be observed if they were careful to remain in the dark. One more thing: Until about 1968, the private use of tiny recording microphones, in public, was essentially unlimited. About that year, in many states, it was restricted. (In some states it's illegal to record conversations by surreptitious means, EVEN IF you're a party to that conversation. How bizarre!) My theory is that politicians recognized, correctly, that they would be the ones most subject to such recording, and since they engaged in incriminating (bribery) conversations fairly regularly, they didn't want lobbyists to be able to collect a series of recorded conversations that could later be used against the politician if they later fell out of favor. > Regardless, I think that if people aren't informed that they were the >subject of an investigation after they are cleared, they should be. >Bruce Marshall The reason I consider "the system" to be so crooked is that it tries to get away with things like this whenever it can. Jim Bell jimbell at pacifier.com From sameer at c2.org Sat Apr 20 15:40:33 1996 From: sameer at c2.org (sameer at c2.org) Date: Sun, 21 Apr 1996 06:40:33 +0800 Subject: Add-in encryption module to Netscape In-Reply-To: <199604201650.MAA14845@jekyll.piermont.com> Message-ID: <199604201932.MAA01387@atropos.c2.org> > > You made a mistake in buying Netscape commerce in the first place, but > don't despair! You can still get Apache, an excellent web server, and > an unencumbered SSL module that you can use without restriction > outside the U.S. (if you want to run it inside the U.S. you need to > pay a fee because of the patents on RSA). > At least point the guy at a URL: Outside the US: http://www.algroup.co.uk/Apache-SSL/ Inside the US: http://apachessl.c2.net/ -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From jimbell at pacifier.com Sat Apr 20 15:44:00 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 06:44:00 +0800 Subject: 5th protect password? Message-ID: <m0uAiWV-00091CC@pacifier.com> At 03:33 PM 4/19/96 -0800, Roger Schlafly wrote: >Is this really an issue? I am not an expert, but I just read a >Supreme Court case: > > DOE v. United States, 487 U.S. 201; 108 S. Ct. 2341 (1988) > >It involved someone who was ordered by the court to consent to the >Cayman Islands bank to turn over account records. The Supreme >Court said yes, because it is "more like 'be[ing] forced to >surrender a key to a strongbox containing incriminating documents' >than it is like 'be[ing] compelled to reveal the combination to >[petitioner's] wall safe.'" > >The quote refers to Stevens' dissent, which said: > > A defendant can be compelled to produce material evidence that > is incriminating. Fingerprints, blood samples, voice > exemplars, handwriting specimens, or other items of physical > evidence may be extracted from a defendant against his will. As you might expect, I see a problem (and a pattern!) with even these examples. Notice that with the possible exception of "handwriting specimens", the examples above all represent pieces of evidence whose utility was only made technologically possible by developments done more than a century after the writing of the Constitution. Fingerprints have only come into use in this century, voiceprints only in the last 30 or so years, blood samples were only uniquely identifiable within the last 10-15 or so, etc. I think even graphology (handwriting analysis) for legal purposes is likewise comparatively recent, although there is no obvious technological reason which this should have been so. The last category, "other items of physical evidence" is too unspecific to interpret. The problem? Well, with the exception of the polygraph (whose reliability is severely (!) in doubt), I can't think of another technology which has been denied to cops by refusing their insistence on being given evidence. The implication, unfortunately, is that whereever a new technology pops up, the courts regularly ignore the fifth amendment, finding some excuse to insist that a defendant provide evidence. This really isn't surprising: Remember, the Constitution was written by _revolutionaries_, while the infringements on that Constitution are done by _bureaucrats_. Any bureaucratic interpretation of the Constitution is inherently flawed; the proper, "revolutionary" interpretation of the 5th amendment is that a defendant should in no way be required to cooperate with the prosecution if the results of that cooperation could conceivably be used to convict him. Anyone who denies this should be required to make a list of the kinds of evidence which was regularly demanded of a 1783-era defendant. Jim Bell jimbell at pacifier.com From shamrock at netcom.com Sat Apr 20 15:47:56 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 06:47:56 +0800 Subject: EFF/Bernstein Press Release Message-ID: <v02120d0dad9ef12ae10c@[192.0.2.1]> At 10:46 4/19/96, Alan Olsen wrote: >I have been seening a surprising amount of rant from the forces of >Government about keeping information out of "the hands of terrorists". I am >wondering how this is going to be brought about. The books are there. They >can be ordered from a number of mail order firms. They can also be found in >used book stores across the country. The information is alos on the net, on >cd-roms and other mediums of storage. How are they going to stuff the >tentacles back into the can? Trivial. Publish a book -> Ten years. Sell a book -> Ten years. Sell CDROM -> Ten years. Publish on the net (at this time US only, but identical campaigns are underway in just about any country with a decent net connection) -> Ten years. Won't stop the hard core terrorist, but will keep the general population from taking action once they finally realize what is going on. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From mirele at xmission.com Sat Apr 20 16:12:56 1996 From: mirele at xmission.com (mirele at xmission.com) Date: Sun, 21 Apr 1996 07:12:56 +0800 Subject: OS/2 encryption utilities Message-ID: <199604202027.OAA28387@xmission.xmission.com> Due to the fact that I have been threatened by the Church of Scientology with legal action if I do not cease and desist posting encheferated parodies of their secret scripture (per a letter I received from Cult attorneys via Federal Express today) I am in search of OS/2 disk encryption programs. If you can help, please respond asap with suggestions. Thank you, Deana M. Holmes mirele at xmission.com -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ ------END GEEK CODE BLOCK------ From cp at proust.suba.com Sat Apr 20 16:17:30 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 21 Apr 1996 07:17:30 +0800 Subject: Add-in encryption module to Netscape In-Reply-To: <199604201650.MAA14845@jekyll.piermont.com> Message-ID: <199604202042.PAA04800@proust.suba.com> > You made a mistake in buying Netscape commerce in the first place, but > don't despair! You can still get Apache, an excellent web server, and > an unencumbered SSL module that you can use without restriction > outside the U.S. (if you want to run it inside the U.S. you need to > pay a fee because of the patents on RSA). The browsers present a bit of a problem as well -- the free Netscapes that people download uses small keys, so it won't matter if you use an Apache or Netscape server if people browse your site with Netscape navigators. I think there are full strength Mosaic's available, but I've never used them. Also, you should check to see if you can get a verisign certificate for the international version of apache-ssl -- if you can't, that might cause you problems as well. The best answer for these sorts of problems (at least for those of you not constrained by ITAR) might be java form processing applets that use their own crypto routines to submit the data. From vhd at pobox.com Sat Apr 20 16:34:29 1996 From: vhd at pobox.com (Computer Virus Help Desk) Date: Sun, 21 Apr 1996 07:34:29 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <2.2.32.19960420195030.0067c844@indy.net> At 09:08 PM 4/19/96 -0700, Tim May wrote: > >It should be interesting to see what happens when the Bernstein ruling >(assuming it is further upheld as the court case and appeals proceed) meets >the proposed law making the writing of virus code a crime. > >If crypto software is essentially speech, albeit in a non-traditional >human language, then virus software is no different. To the best of our knowledge simply writing Virus Code including it's "distribution" is not a crime in the United States. However, the deliberate, malicious upload or infection of another's computer or system is a crime in many states. The writing and or distribution of Computer Viruses is a crime in some European countries. We don't see the "Bernstein" ruling as having an effect in the U.S. one way or the other. Virus Code seems to be treated just like "speech" right now. Use "it" to yell "fire" in a crowded theater and see what happens. Deliberately and maliciously infect another's computer or system with a computer virus and see what happens. What proposed law making writing virus code a crime were you referring to ? From lzirko at isdn.net Sat Apr 20 17:12:57 1996 From: lzirko at isdn.net (Lou Zirko) Date: Sun, 21 Apr 1996 08:12:57 +0800 Subject: Georgia Legislation - Remailer Effect??? Message-ID: <199604202128.QAA09545@rex.isdn.net> -----BEGIN PGP SIGNED MESSAGE----- Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable T have included copy of text from c/net about a bill passed in the Georgia legislature. It would definately impact remailer service. Location of the remailers might fall in with the Arkansas (or was it Tennessee) BBS/Porno case. The URL is at: http://www.cnet.com/Content/News/Files/0,16,1144,00.html Article follows - --------------------------------- Georgia OKs "Net Police" law By Rose Aguilar April 19, 1996, 5 p.m. PST A bill signed into law this week by Georgia Governor Zell Miller has sparked yet another firestorm over what role the government should take in curbing the Internet and whether legislators are sufficiently techno-savvy to make considered judgments. House Bill 1630 was introduced on February 8 by Georgia House of Representatives member Don Parsons (R-Marietta). The bill makes it illegal to falsely identify yourself or place a registered trademark or logo on your home page. The bill also makes it illegal for email users to have addresses that don't include their own names. For example, an individual who sets up a site that gives the appearance of representing a government agency by using a state seal could be sued by the state. Also, "vanity" email addresses like jackpot at luckynumber.com purchased from a new service called VanityMail.com are now illegal in the state of Georgia. If someone is sued under the new law, the court will decide the penalties. Parsons says he drafted the bill to solve the problem of online impersonation. "Back in the winter I started hearing about home pages through the news that offer remedies and health related services. To the untrained eye the pages make it appear that the information provided is valid and could be some kind of remedy," Parsons said. "After some thought and research I decided to present the bill." The Electronic Frontier Foundation (EFF), a civil liberties organization devoted to technology-related issues, says the bill could undermine one of the essential benefits of the Net: the ability to link information posted to one site with related information posted to another. "The way the bill is written states that you can't put a button on your homepage that says, 'Click here to go to Wired magazine.'" If Wired is copyrighted I would be under violation if I didn't have their permission. Instead, I would have to say, 'Click here to go to this cool magazine,'" said Shari Steel, a staff attorney with the EFF. Parsons retorts back that the foundation is misinterpreting the bill. "The EFF is reading something into the bill which just isn't there. The bill has nothing to do with links. The bill is about using a name or a trademark to represent your page as being someone else's," he said. The problem is that the wording of the law leaves it open to multiple interpretations, according to the EFF. "He created a very vague law that could very well make everyone on the Internet a criminal," said Steel. Furthermore, the EFF is accusing Parsons of introducing the bill to help his employer, Bell South, win a lawsuit. Bell South announced this week that it has filed a suit against startup company "realpages.com" in a battle over domain names on the Internet. Realpages.com designs and maintains Web pages for other businesses. Bell South, however, has a trademark on the term The Real Yellow Pages for its printed directories and claims that this extends to a trademark on the "realpages.com" domain name for the Net. The Baby Bell wants to use "realpages.com" because "Realyellowpages.com" is too long. "This [bill] has been masterminded by Bell South. It's obvious, considering that the legislator who wrote the bill is a Bell South employee," said Stanton McCandlish, an online activist with the EFF. "This bill would give Bell South the victory that they want, but probably aren't going to get in court. Bell South is going to lose that case and lose big," he said. Parsons confirms that he works for Bell South but denies the charge. "The Bell South Corporation has no interest in this bill. I don't even think the cases are the same," Parsons said. "I put this bill together long before that case and they are totally separate," he said. Whatever Parsons' motivations, even some other Georgia representatives agree that he managed to get a bill passed with potential negative repercussions for the use of the Internet. "Many legislators are afraid of technology and they fear the power of information and the Internet, especially the Internet in the power of the voters and that's a nationwide problem," said Representative Mitchell Kaye (R-Marietta). Kaye is the Web master of a site called the Conservative Policy Caucus (CPC), which posts information about House activities from the viewpoint of the conservative legislative caucus. During debate over his bill, Parsons referred to the CPC site as an example of one that passes itself off as an official government site. Kaye says that Parsons is wrong about the CPC site and that it will be unaffected by the bill. But he's still concerned about the potential dampening affect that it will have on the use of the Internet in Georgia. "I'm concerned about the bigger page of the Internet," said Kaye. "The bottom line is that this is an unconstitutional infringement upon free speech and literally puts Georgia in the same category as communist China." Ridiculous, says Parsons. "I would never want to restrict anybody's freedom of speech, but I believe that end users have some right to know who is behind what they are looking at," he said. The passage of the law has since sparked conversation on Steve Outing's online-news mailing list. Copyright =A9 1996 c|net inc. all rights reserved - ---------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBMXlW3hKvccEAmlQ9AQFTSAf+PuyHzI8sOFcye0hCpMrY0I8lWD9CLJcW KsD+2hfFAfjjRsA5YzB2LWhfZ2JfGrzwFibHrX4nc+qlDpZmECOipAdmDLf5/EmA 149YGLbLmn/E44BcsJK2MCFluASonON9HADZGrvr8IYDumRde7ycIshx3+YZ7KwL Ix4g+PsIP1mzRGTi0kkBgJL7/m6g7xY/QH0XPSZZEbiFSBXIFusYQ/YZCCH5JLUa VaGgWURRNnwz3eDHgfW0Ck+ES4HNV2yXDR5IQ/IL3fufZOjt2NCczomr29ebWJ9I IvXYQVZv8I+Wsus/YisgOA0Hz1VoNPdiUQgUPf4gO0MAEgo/9Ai1yw== =INB6 -----END PGP SIGNATURE----- From unicorn at schloss.li Sat Apr 20 17:40:22 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 08:40:22 +0800 Subject: OS/2 encryption utilities In-Reply-To: <199604202027.OAA28387@xmission.xmission.com> Message-ID: <Pine.SUN.3.91.960420180636.1115L-100000@polaris.mindport.net> On Sat, 20 Apr 1996 mirele at xmission.com wrote: > Due to the fact that I have been threatened by the Church of Scientology > with legal action if I do not cease and desist posting encheferated > parodies of their secret scripture (per a letter I received from Cult > attorneys via Federal Express today) I am in search of OS/2 disk > encryption programs. Were I a Co$ attorney, I would use this to bring discovery violations if I took you to court. I'm not saying they would pass muster, but they sure would be annoying. > > If you can help, please respond asap with suggestions. > > Thank you, > Deana M. Holmes > > mirele at xmission.com > -----BEGIN GEEK CODE BLOCK----- > Version: 3.1 > GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 > X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ > ------END GEEK CODE BLOCK------ > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From frissell at panix.com Sat Apr 20 17:43:13 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 21 Apr 1996 08:43:13 +0800 Subject: TERRORISM PREVENTION ACT--CONFERENCE REPORT was: EFF/Bernstein Press Release Message-ID: <2.2.32.19960420221948.00cfdef4@panix.com> At 01:59 PM 4/19/96 -0700, Bill Frantz wrote: >Real terrorists receive instruction at terrorism schools run by >organizations like the Iranians, the PLO, and even the US government (CIA, >Special Forces etc.) The rate of technology transfer is much greater with >hands-on teaching than it is with literature in e.g. libraries or the net. That's because most people are not autodidactic. You have to teach them in person and pound their heads in. Some like Ted K. do OK at self teaching, however. In addition, "teachers" can use the net for research and pick up lots of interesting info. They always could pick it up, though. DCF From jimbell at pacifier.com Sat Apr 20 18:11:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 09:11:46 +0800 Subject: [EVENT] cheap date w/Bob Dole Message-ID: <m0uAlHS-00091CC@pacifier.com> >"Public Policy Issues Forum on Information Security" >(aka "Celebration of 20 years of Public Key Cryptography" 1976-1996) > >Co-Hosts: > Cylink Corporation > The Churchill Club [stuff deleted] > - Senator(s) Larry Pressler (and Bob Dole?*) >on new legislation (The Encryption Communications Privacy Act of 1996) to >loosen restrictions on strong crypto in the U.S. What, exactly, are the "restrictions on strong crypto in the U.S.? > - Senator Conrad Burns (R/Montana) >on his proposed bill (Promotion of Commerce On-Line in the Digital Era) >which could include preventing government from becoming an escrow registry >bureau. I'm _still_ waiting to see the text of this bill. Jim Bell jimbell at pacifier.com From karlton at netscape.com Sat Apr 20 18:15:53 1996 From: karlton at netscape.com (Phil Karlton) Date: Sun, 21 Apr 1996 09:15:53 +0800 Subject: Add-in encryption module to Netscape In-Reply-To: <199604192338.HAA06653@gandalf.asiapac.net> Message-ID: <31796791.3F54@netscape.com> runner at asiapac.net wrote: > I'm not in the US of A and the Netscape commerce server that my employer > recently purchased has only 48bit key (as told by the salesman). For exportable clients and servers, the symmectric keys for doing bulk encryption are 40 bits. > My question is > whether it is possible to add-in my own security module (RSA) The symmetric (RSA) keys are at least 512 bits. > and secondly, how > difficult is it? The salesman cannot answer me. Netscape cannot get permission to distribute software with "pluggable" crypto. This and the above restrictions are the result of U.S. regulations. PK -- Philip L. Karlton karlton at netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin From shamrock at netcom.com Sat Apr 20 19:04:37 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 10:04:37 +0800 Subject: Wiretapping v warrants Message-ID: <v02120d16ad9f1b618a71@[192.0.2.1]> At 12:01 4/20/96, jim bell wrote: >I seem to recall a news item from Washington state within the last couple of >years in which a conviction was thrown out because evidence was obtained >with thermal-IR imagers. You know, look for the hot house and it's being >used to grow pot. You know, it is cases like this that I consider evolution in action. What was the fool doing growing pot in a house, anyway? Any smart pot grower knows that you grow pot in grow rooms underground. With a large septic tank above it. Through the septic tank, you bubble both the exhaust of the diesel generator used to power the high pressure sodium lights, as well as the exhaust of the grow room cooling fan. That neutralizes the exhaust smell and provides an obvious explanation to the IR scanners overhead, since septic tanks are naturally hot due to the bacterial activity taking place within. Amateurs. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 20 19:44:18 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 21 Apr 1996 10:44:18 +0800 Subject: OS/2 encryption utilities Message-ID: <01I3RZ4OQ1KW8Y4XUR@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 20-APR-1996 19:57:53.83 >>From: mirele at xmission.com >> Due to the fact that I have been threatened by the Church of Scientology >> with legal action if I do not cease and desist posting encheferated >> parodies of their secret scripture (per a letter I received from Cult >> attorneys via Federal Express today) I am in search of OS/2 disk >> encryption programs. >Were I a Co$ attorney, I would use this to bring discovery violations >if I took you to court. How would this work, since they _haven't_ served her with a subpoena? >I'm not saying they would pass muster, but they sure would be annoying. This is the Co$; they'll be annoying (or worse) no matter what. Admittedly, letting them get more annoying unnecessarily isn't a good idea. Now, I wouldn't disagree that she should have posted through a nym. -Allen From unicorn at schloss.li Sat Apr 20 19:50:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 10:50:33 +0800 Subject: OS/2 encryption utilities In-Reply-To: <01I3RZ4OQ1KW8Y4XUR@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.91.960420200558.1115P-100000@polaris.mindport.net> On Sat, 20 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 20-APR-1996 19:57:53.83 > > >>From: mirele at xmission.com > [reasons for desire for encryption deleted. > > >Were I a Co$ attorney, I would use this to bring discovery violations > >if I took you to court. > > How would this work, since they _haven't_ served her with a subpoena? I would use it to show the judge that she is obstructing and concealing her conduct and motion for all manner of annoying and intrusive discovery procedures as well as use it to show malice of intent. Because I asked 'nicely' the first time, her conduct is that much more offensive in that she merely used my good faith as a delay to more effectively conceal her conduct. It doesn't take much creativity to get really obnoxious. Judges get sympathetic to this kind of thing to. Paint the picture. Plaintiff tries to avoid litigation, sends correspondence, but defendant forces plaintiff's hand. This all assumes it ever gets to court, but Co$ is quick to sue. > > >I'm not saying they would pass muster, but they sure would be annoying. > > This is the Co$; they'll be annoying (or worse) no matter what. > Admittedly, letting them get more annoying unnecessarily isn't a good idea. > Now, I wouldn't disagree that she should have posted through a nym. > -Allen I'm just pointing out that she just gave them more ammo, and, I might add, that it will be sitting on an archive for quite awhile. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jamesd at echeque.com Sat Apr 20 19:56:48 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 21 Apr 1996 10:56:48 +0800 Subject: Oklahoma City - One Year Later - The Coverup Continues ! Message-ID: <199604210004.RAA02580@dns1.noc.best.net> On Wed, 17 Apr 1996 ssalgaller at CCGATE.HAC.COM wrote: > Suggested Reading: > > Oklahoma City - The Suppressed Truth We have already been through this several times on the cypherpunks list. The physical evidence indicates a very large deflagrating explosive, such as a truck full of ANFO or gunpowder, not a small detonating (military) explosive. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tallpaul at pipeline.com Sat Apr 20 20:30:40 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 21 Apr 1996 11:30:40 +0800 Subject: E-mail harassment by c2 Message-ID: <199604210048.UAA12205@pipe8.nyc.pipeline.com> Dear folks at C2, If people don't ask you to be placed on a mailing list they jolly well don't have to follow *your* instructions to get taken off. You can keep me and other people on "clueless" until we do what you want. But you can neither force other people to do it nor avoid getting a reputation for e-mail harassment for your "cute" games. --tallpaul >From Majordomo-Owner at c2.org Sat Apr 20 20:43 EDT 1996 Received: from infinity.c2.org (infinity.c2.org [140.174.185.11]) by mail.nyc.pipeline.com (8.7.3/8.7.3) with ESMTP id UAA12128 for <tallpaul at pipeline.com>; Sat, 20 Apr 1996 20:43:23 -0400 (EDT) Received: (from daemon at localhost) by infinity.c2.org (8.7.4/8.6.9) id RAA11637; Sat, 20 Apr 1996 17:37:24 -0700 (PDT) Community ConneXion: Privacy & Community: <URL:http://www.c2.net> Date: Sat, 20 Apr 1996 17:37:24 -0700 (PDT) Message-Id: <199604210037.RAA11637 at infinity.c2.org> To: tallpaul at pipeline.com From: Majordomo at c2.org Subject: Majordomo results: Re: Welcome to clueless Reply-To: Majordomo at c2.org Content-Type: text Content-Length: 1476 -- >>>> Since I didn't ask you to put me on the list I see no reason why I should **** Command 'since' not recognized. >>>> follow your instructions to be taken off. **** Command 'follow' not recognized. >>>> >>>> --tallpaul END OF COMMANDS **** Help for Majordomo at c2.org: This is Brent Chapman's "Majordomo" mailing list manager, version 1.92. In the description below items contained in []'s are optional. When providing the item, do not include the []'s around it. It understands the following commands: subscribe <list> [<address>] Subscribe yourself (or <address> if specified) to the named <list>. unsubscribe <list> [<address>] Unsubscribe yourself (or <address> if specified) from the named <list>. get <list> <filename> Get a file related to <list>. index <list> Return an index of files you can "get" for <list>. which [<address>] Find out which lists you (or <address> if specified) are on. who <list> Find out who is on the named <list>. info <list> Retrieve the general introductory information for the named <list>. lists Show the lists served by this Majordomo server. help Retrieve this message. end Stop processing commands (useful if your mailer adds a signature). Commands should be sent in the body of an email message to "Majordomo at c2.org". Commands in the "Subject:" line NOT processed. If you have any questions or problems, please contact "Majordomo-Owner at c2.org". From shamrock at netcom.com Sat Apr 20 20:34:25 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 11:34:25 +0800 Subject: OS/2 encryption utilities Message-ID: <v02120d03ad9f2eda1c88@[192.0.2.1]> At 14:26 4/20/96, mirele at xmission.com wrote: >Due to the fact that I have been threatened by the Church of Scientology >with legal action if I do not cease and desist posting encheferated >parodies of their secret scripture (per a letter I received from Cult >attorneys via Federal Express today) I am in search of OS/2 disk >encryption programs. Parodies have been found by the courts over and over again to not infringe on copyrights. Tell the criminal cult to shove it. They are bluffing. [IANAL.] Don't know about OS/2 disk encryption programs, though. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From shamrock at netcom.com Sat Apr 20 20:38:36 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 11:38:36 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <v02120d06ad9f30db9509@[192.0.2.1]> At 15:50 4/20/96, Computer Virus Help Desk wrote: >To the best of our knowledge simply writing Virus Code including it's >"distribution" is not a crime in the United States. However, the >deliberate, malicious upload or infection of another's computer or system is >a crime in many states. What about making Virus binaries available for download? Someone I know has been thinking about putting the famous "Outlaws" CD on the web, to provide a one-stop place for unrestricted virus information, including source code and live viruses. Of course the user has to accept an agreement that they will use the information for research purposes only. Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From shamrock at netcom.com Sat Apr 20 20:46:03 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 11:46:03 +0800 Subject: Smartcards are coming to the US Message-ID: <v02120d05ad9f2fef5d94@[192.0.2.1]> Years after smartcards have become ubiquitous in such countries as Pakistan and Nepal, not to mention Europe, I just saw my first smartcard commercial ever on US television. Way to go :-) Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From stewarts at ix.netcom.com Sat Apr 20 20:48:05 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 21 Apr 1996 11:48:05 +0800 Subject: Spaces in passwords Message-ID: <199604210129.SAA14344@toad.com> At 12:32 PM 4/19/96 EDT, Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com wrote: >>>Of course not. In a normal Unix password, adding spaces to the >>>password search space increases the search space, so it necessarily >>>makes the search harder. >>Depends on the space of ideas that are leading to your passwords. >>If the reason you're adding spaces is to separate an n-character word >>from the dictionary from a 7-n character word from the dictionary, >>this reduces the search space for a cracker considerably. >>At least pick random punctuation instead. > >Huh? I don't follow your reasoning. >If you use two random words, the search space for a dictionary attack >with an N word dictionary is N^2. That's true whether you include a space >or leave it out. The context is Unix passwords, which are limited to 8 characters, not arbitrary-length passphrases like PGP uses. The size of the dictionary of words you can use to put two of into 8 characters is fairly small; the natural choice for two words with a space is a 4-letter word and a 3-letter word, both chosen from English dictionaries, though 5/2 and 6/1 are also possible. It's _way_ searchable, even if you're not attracted to popular phrases like "Exon You" or "Oh Exon!". If you're length-constrained, the choice of one word limits the maximum length of the other. If you take away another character for punctuation or space, it reduces it even more. If I were writing this on a Unix box, I'd check the number of words in the appropriate length categories, but it's pretty low, and there's probably a lot less entropy in 3-character words than 4. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From tallpaul at pipeline.com Sat Apr 20 20:50:35 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 21 Apr 1996 11:50:35 +0800 Subject: Welcome to clueless Message-ID: <199604210043.UAA11770@pipe8.nyc.pipeline.com> Since I didn't ask you to put me on the list I see no reason why I should follow your instructions to be taken off. --tallpaul On Apr 20, 1996 08:35:52, 'Majordomo at c2.org' wrote: >From cypherpunks-errors at toad.com Sat Apr 20 11:54 EDT 1996 >Received: from toad.com (toad.com [140.174.2.1]) by mail.nyc.pipeline.com >(8.7.3/8.7.3) with ESMTP id LAA08182; Sat, 20 Apr 1996 11:54:35 -0400 (EDT) >Received: (from majordom at localhost) by toad.com (8.7.5/8.7.3) id IAA10610 for >cypherpunks-outgoing; Sat, 20 Apr 1996 08:42:08 -0700 (PDT) >Received: from infinity.c2.org (infinity.c2.org [140.174.185.11]) by toad.com >(8.7.5/8.7.3) with ESMTP id IAA10593 for <cypherpunks at toad.com>; Sat, 20 Apr >1996 08:42:03 -0700 (PDT) >Received: (from daemon at localhost) by infinity.c2.org (8.7.4/8.6.9) > id IAA05505; Sat, 20 Apr 1996 08:35:52 -0700 (PDT) > Community ConneXion: Privacy & Community: <URL:http://www.c2.net> >Date: Sat, 20 Apr 1996 08:35:52 -0700 (PDT) >Message-Id: <199604201535.IAA05505 at infinity.c2.org> >To: cypherpunks at toad.com >From: Majordomo at c2.org >Subject: Welcome to clueless >Reply-To: Majordomo at c2.org >Sender: owner-cypherpunks at toad.com >Precedence: bulk >Content-Type: text >Content-Length: 392 > >-- > >Welcome to the clueless mailing list! > >If you ever want to remove yourself from this mailing list, >you can send mail to "Majordomo at c2.org" with the following command >in the body of your email message: > >unsubscribe clueless cypherpunks at toad.com > >Here's the general information for the list you've >subscribed to, in case you don't already have it: > >#### No info available for clueless. > From jimbell at pacifier.com Sat Apr 20 21:03:12 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 12:03:12 +0800 Subject: OS/2 encryption utilities Message-ID: <m0uAnQG-0008yqC@pacifier.com> At 06:08 PM 4/20/96 -0400, Black Unicorn wrote: >On Sat, 20 Apr 1996 mirele at xmission.com wrote: > >> Due to the fact that I have been threatened by the Church of Scientology >> with legal action if I do not cease and desist posting encheferated >> parodies of their secret scripture (per a letter I received from Cult >> attorneys via Federal Express today) I am in search of OS/2 disk >> encryption programs. > >Were I a Co$ attorney, I would use this to bring discovery violations >if I took you to court. You know, I've always thought it odd how some people misuse the English language when they speak in their chosen shorthand. "bring discovery violations"? How, exactly, does one _BRING_ a "discovery violation"? Like, maybe, bring it in a whellbarrow?!? Is "bring" a proper word in this context? Why not stop using that silly shorthand. BTW, you seem to have forgotten that this would be an excellent way to deter the kind of "knock and smash" warrant service common amongst government thugs. Any argument by the cops that "we must break down the door or else they'll erase the data!" is rendered obviously silly if the data is ALREADY encrypted and inaccessible. If anything, it would make the data permanently inaccessible since it would make (arguably) the release of a decrypt key "incriminating" if it were a criminal case. Yet another excellent reason to encrypt the data is that it deters burglaries, where the purpose of the burglary is to get this data illegally. Given the COS's history, that is a reasonable fear. Jim Bell jimbell at pacifier.com From roger at coelacanth.com Sat Apr 20 21:03:38 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 21 Apr 1996 12:03:38 +0800 Subject: OS/2 encryption utilities In-Reply-To: <199604202027.OAA28387@xmission.xmission.com> Message-ID: <9604210059.AA1147@sturgeon.coelacanth.com> >>>>> "Deana" == mirele <mirele at xmission.com> writes: > ...I am in search of OS/2 disk encryption programs... So far as I know, there is (so far) no encrypted IFS (e.g. CFS) available for OS/2. There are a few decent file encryption utilities, however, including Blowfish, DES, and Quipu, all available at Hobbes. The current version of Blowfish (ported by Matthew Spencer) seems pretty decent: it's fast (about 200 KBytes/s on my DX2) and easy to use (command line, not WPS). ftp://hobbes.nmsu.edu/os2/archiver/bfish151.zip This is what I'd suggest. DES encryption is available in ftp://hobbes.nmsu.edu/os2/diskutil/des_os2.zip and, with a WPS front end, in ftp://hobbes.nmsu.edu/os2/wpsutil/pcsec22.zip I don't know much about Quipu (Michael Mieves), but you can find it at ftp://hobbes.nmsu.edu/os2/diskutil/quipu10.zip -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From jimbell at pacifier.com Sat Apr 20 21:11:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 12:11:46 +0800 Subject: Georgia Legislation - Remailer Effect??? Message-ID: <m0uAnQI-0008yvC@pacifier.com> At 04:28 PM 4/20/96 -0500, Lou Zirko wrote: >T have included copy of text from c/net about a bill passed in the >Georgia legislature. It would definately impact remailer service. >Location of the remailers might fall in with the Arkansas (or was it >Tennessee) BBS/Porno case. The URL is at: >http://www.cnet.com/Content/News/Files/0,16,1144,00.html >Article follows >- ---------------------------- >Georgia OKs "Net Police" law > By Rose Aguilar > April 19, 1996, 5 p.m. PST > A bill signed into law this week by Georgia Governor >Zell Miller has sparked yet another firestorm > ver what role the government should take in curbing >the Internet and whether legislators are > sufficiently techno-savvy to make considered judgments. > > House Bill 1630 was introduced on February 8 by Georgia >House of Representatives member Don > Parsons (R-Marietta). The bill makes it illegal to >falsely identify yourself or place a registered >trademark or logo on your home page. The bill also >makes it illegal for email users to have addresses > that don't include their own names. [much scary but useful information deleted] Well, I love to be an "I told you so." Back when nearly everybody was fawning over the Leahy bill, I (and a few other people, to their credit) was telling you about its likely effect on the usage of encrypted remailers. Not surprisingly, my warnings were eventually recognized to be accurate, at least potentially so. Fortunately (I hope?) we were also told that "they" (government thugs, etc) would definitely oppose that bill, a claim which if true, would guarantee its quick death _IF_ the opposition of Internet-friendly people was also present. Now we see that if the thugs can't get what they want by Federal legislation, they're gonna try to sneak it through by state law. Hey, it's really doubtful that even NATIONAL law can have a prayer of controlling the Internet; I really doubt that Georgia is going to succeed at this attempt. Most likely it isn't even constitutional, and it certainly isn't compatible with the First amendment or the Federal regulation of most communications media. Even so, this shows just how desperate the statists have become to try to get a foothold into the regulation of the Internet. Ignore this at your own peril. Jim Bell jimbell at pacifier.com From thecrow at iconn.net Sat Apr 20 21:25:32 1996 From: thecrow at iconn.net (Jack Mott) Date: Sun, 21 Apr 1996 12:25:32 +0800 Subject: spinner entropy In-Reply-To: <Pine.SUN.3.93.960420170547.26203A-100000@eskimo.com> Message-ID: <3179954A.176A@iconn.net> > I believe this whole thread about randomness and entropy started with the > search for a portable software RNG and the discussion of how to estimate > the entropy of spinners. If we accept the above paragraph, then we have > to reject spinners as a candidate for such a RNG, for two reasons. First, > we have no model of how spinners generate randomness, so we can't estimate > their entropy. Second, even if we developed such a model for a particular > spinner on a particular OS, the model itself would not be portable because > it would likely rely on nonportable assumptions about the OS. > > Do we have other candidates for portable software RNGs? > > Wei Dai I think it is best to have a black box that can not be modeled personally. Anyway I am in the middle of putting together a portable RNG that will should consist of nothing more than a photoelectric tube, 9volt battery, and a bit of wiring. It will connect through the serial port. Just put your favorite radioactive substance near it and your set. before people freak out, there are many substances that will produce enough beta particles without killing anyone. In fact you could just use background radiation, but it would take longer. Anyway I'll let you all know how it turns out. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From stewarts at ix.netcom.com Sat Apr 20 21:27:09 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 21 Apr 1996 12:27:09 +0800 Subject: Dictionary searching code Message-ID: <199604210149.SAA14482@toad.com> At 08:02 PM 4/19/96 -0500, Adam wrote: > Does anyone have some code that will search a dictionary, and >tell me *quickly* if an arbitrary chunk of text is in the dictionary? >Pre-indexing steps are fine, as is using big chunks of disk for hash >tables. The point of course, is to check arbitrary possible plaintext >that a test decryption produces. Those who don't remember Unix are condemned to re-invent it :-) There have been _lots_ of papers done on the topic, and lots of programs written; there's probably a good chunk of material in Knuth as well. How quick is "quickly"? How big is your dictionary? "grep" is probably not the right model, since you have the opportunity to pre-sort your dictionary. "look" does a binary search on sorted text, which can be very fast for general applications; you can go faster if you want to play with indexing and hashes, using lots of programs like dbm. If you're looking up a bunch of words at a time, you probably win by looking up an index table before looking in the dictionary itself, since it'll be in cache or in your program for all but the first look. If your dictionary is under 1MB, the useful parts of it may stick around in cache long enough to avoid multiple disk reads, especially if you're able to pre-sort the words you're searching against as well. On the other hand, if it's 100MB, and you're using a large machine, it's worth using maybe 100-1000KB of hash table to speed up lookups. Somebody mentioned the use of a bitmapped hash-table to get a quick check on whether an entry is probably there; there was a paper in Usenix's journal about 5 years ago on this by one of the Bell Labs Research folks, probably Doug McIlroy or Peter Weinberger, in the context of a spelling checker. If the hashes aren't expensive to compute, and you get a small percentage of false hits, it's cheap to look them up in the real dictionary. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From jrochkin at cs.oberlin.edu Sat Apr 20 21:27:14 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Sun, 21 Apr 1996 12:27:14 +0800 Subject: Congress puts bomb-making material on internet Message-ID: <ad9f0aaa0202100488be@[132.162.233.188]> At 11:45 PM 04/19/96, Rich Graves wrote: >Oh yeah, and Biden read the full text of the "Attention All Unabomber >Wannabes" and "Babyfood Bombs" documents into the Congressional Record, >supposedly to underscore the point that those nasty Republicans are >endorsing such nasty nasty stuff. Sort of like Exon's little blue book. > >So if you want to know how to build a baby-food bomb, simply write your >congresscritter. Or access the congressional record on thomas, as Rich gives earlier gives us a URL to. Go to http://thomas.loc.gov/r104/r104s17ap6.html, choose the second TERRORISM PREVENTION ACT--CONFERENCE REPORT link, choose the first BIDEN link. Congress is putting information on how to build babyfood bombs on the internet! Clearly, the first thing the FBI would do under the law Biden wants is wiretap congress to see who is accessing the congressional record. Wonder what the congressional librarians who run thomas think of that. From richieb at teleport.com Sat Apr 20 21:35:54 1996 From: richieb at teleport.com (Rich Burroughs) Date: Sun, 21 Apr 1996 12:35:54 +0800 Subject: E-mail harassment by c2 Message-ID: <2.2.32.19960421013859.006a6538@mail.teleport.com> At 08:48 PM 4/20/96 -0400, you wrote: >Dear folks at C2, > >If people don't ask you to be placed on a mailing list they jolly well >don't have to follow *your* instructions to get taken off. [snip] I think you're missing what happened. Someone subscribed the address for the _cypherpunks_ list to the clueless list. The "welcome to clueless" message got sent to you via the cypherpunks list. Notice the instructions from C2 say: >If you ever want to remove yourself from this mailing list, >you can send mail to "Majordomo at c2.org" with the following command >in the body of your email message: > >unsubscribe clueless cypherpunks at toad.com The email address there is the cypherpunks list, not yours. The reason you received the second email is that majordomo at c2.org (the address you sent mail to) is not a person -- it's a mail list administering program. Your mail had no command that majordomo recognized, so it sent you the majordomo help file. That's what it's supposed to do. You aren't being harassed by anyone. You aren't on the clueless list. You are on the cyperpunks list -- if you want to unsubscribe, send email to majordomo at toad.com with the words "unsubscribe cypherpunks" (without the quotes) in the body of your message. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From unicorn at schloss.li Sat Apr 20 21:51:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 12:51:55 +0800 Subject: [Yadda Yadda Yadda] Re: OS/2 encryption utilities In-Reply-To: <m0uAnQG-0008yqC@pacifier.com> Message-ID: <Pine.SUN.3.91.960420215800.13247A-100000@polaris.mindport.net> On Sat, 20 Apr 1996, jim bell wrote: > At 06:08 PM 4/20/96 -0400, Black Unicorn wrote: > >Were I a Co$ attorney, I would use this to bring discovery violations > >if I took you to court. > > You know, I've always thought it odd how some people misuse the English > language when they speak in their chosen shorthand. "bring discovery > violations"? How, exactly, does one _BRING_ a "discovery violation"? > Like, maybe, bring it in a whellbarrow?!? Is "bring" a proper word in this > context? Why not stop using that silly shorthand. Perhaps Mr. Bell would have been happier if I had said "bring forth a motion calling for measures to deal with the defendant's supposed conduct in bad faith in answering the discovery requests presented by the plaintiff." Somehow, however, I doubt it. Like I told Mr. Bell before, when he starts paying my hourly rate, I will copyedit all my posts. > BTW, you seem to have forgotten that this would be an excellent way to deter > the kind of "knock and smash" warrant service common amongst government > thugs. Any argument by the cops that "we must break down the door or else > they'll erase the data!" is rendered obviously silly if the data is ALREADY > encrypted and inaccessible. This requires the assumption that all the data is already encrypted, not an assumption a prosecutor or private litigant is about to make. The case will then become one of a defendant with a reputation for concealing or otherwise destroying evidence, and a private litigant would be quite justified in calling for measures to preserve what evidence might have thusfar survived encryption. If anything, it would make the data permanently > inaccessible since it would make (arguably) the release of a decrypt key > "incriminating" if it were a criminal case. Well then, next time I am involved in a civil or criminal case I will just suggest that the defendant simply encrypt all his documents, burn the paper and then turn over the cyphertext to the plaintiff to comply with discovery. Now the plaintiff will be powerless to touch us. In a criminal case, the defendant will be protected completely from prosecution by the Fifth Amendment. I will win _every case_, I will be famous! They will call for me all over the world. I will then use my profits to buy a massive ice maker, and freeze the planet's water supply. Those humans will have to come to me for their precious commodity. We can make billions on the sale of ice melters, and the franchise rights to our chain of fast water stores will be priceless! We will _take over the world_. Muwahahaha. Pinky: "But Brain, why don't we just buy a pack of cards? I like cards." (What color is the sky in your world Mr. Bell?) > Yet another excellent reason to encrypt the data is that it deters > burglaries, where the purpose of the burglary is to get this data illegally. > Given the COS's history, that is a reasonable fear. > > Jim Bell > > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From littlitt at MIT.EDU Sat Apr 20 21:57:49 1996 From: littlitt at MIT.EDU (Jonathan Litt) Date: Sun, 21 Apr 1996 12:57:49 +0800 Subject: On computer face recognition: In-Reply-To: <199604120630.XAA14255@dns1.noc.best.net> Message-ID: <199604210013.UAA04209@hazelwood.mit.edu> geeman at best.com writes: > Subject: Re: On computer face recognition: > Date: Thu, 11 Apr 1996 23:30:49 -0700 > > There was a piece, I _think_ in Scientific American, tho it might > have been an AI journal, on face recognition by use of neural > nets together with what were called "eigenface" images: These > eigenfaces each have specific characteristics, which when > combined together can closely approximate a specific face image. > The target face was analyzed in terms of closeness-of-match to a > small set of eigenfaces, on the order of 5 to 8, I think. > Results of course were promising (else why write about it, eh?) > if not excellent. You are thinking of the article in Scientific American about the Vision and Modeling group at the MIT Media Lab. For face recognition stuff, check out: http://www-white.media.mit.edu/vismod/demos/facerec/index.html Crypto and privacy relevance? Lots, I imagine. -jon From unicorn at schloss.li Sat Apr 20 22:27:26 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 13:27:26 +0800 Subject: Smartcards are coming to the US In-Reply-To: <v02120d05ad9f2fef5d94@[192.0.2.1]> Message-ID: <Pine.SUN.3.91.960420223254.13247C-100000@polaris.mindport.net> On Sat, 20 Apr 1996, Lucky Green wrote: > Years after smartcards have become ubiquitous in such countries as Pakistan > and Nepal, not to mention Europe, I just saw my first smartcard commercial > ever on US television. > > Way to go :-) Have you seen the Visa (mastercard) commercial that shows the finger print reader and spouts off "Single digit PINs" (Digit, get it?) > Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. > > -- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jis at MIT.EDU Sat Apr 20 22:44:32 1996 From: jis at MIT.EDU (Jeffrey I. Schiller) Date: Sun, 21 Apr 1996 13:44:32 +0800 Subject: PGP's +makerandom is broken (was: Re: Article on PGP flaws) Message-ID: <3179A2EB.646D@mit.edu> -----BEGIN PGP SIGNED MESSAGE----- On April 16, 1996 jf_avon at citenet.net said: > I fed the result of > pgp +makerandom=2000 rnd.pgp > into noisesphere.exe > > Every times, it gives a distribution that looks like a zebra from the > top view. Any comments? This is a bug in PGP. +makerandom doesn't work properly. I discovered this a few week ago myself when I needed some random numbers for another project. Due to a programming bug, the idea based random number generator doesn't get initialized (read: doesn't get seeded at all) when +makerandom is used. Note: +makerandom is an undocumented feature. IMPORTANT: Only +makerandom is effected. In normal use PGP properly generates random session keys as well as RSA public key pairs. -Jeff -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXmiyMUtR20Nv5BtAQHiYwP/dEAf5w0KstdALRabGYeUOlhEEN+fvVJH +TE215jh91EvPP2h9XqnOS5tWKiHpAjoRng5yUF6vyfD9rsHTS9EkCPC+yrlAkPb E5XrnAsOx3W1EkkT2kA15RDePt8lOpXetltNVBsGqBMEupCFExYldz7h6o9g9DQj e+NSMQZzIB8= =m21a -----END PGP SIGNATURE----- From grafolog at netcom.com Sat Apr 20 22:51:24 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Sun, 21 Apr 1996 13:51:24 +0800 Subject: 5th protect password? In-Reply-To: <m0uAiWV-00091CC@pacifier.com> Message-ID: <Pine.3.89.9604210212.A12876-0100000@netcom2> Jim: On Sat, 20 Apr 1996, jim bell wrote: > > DOE v. United States, 487 U.S. 201; 108 S. Ct. 2341 (1988) > > A defendant can be compelled to produce material evidence that > > is incriminating. Fingerprints, blood samples, voice > > exemplars, handwriting specimens, or other items of physical > > evidence may be extracted from a defendant against his will. > > As you might expect, I see a problem (and a pattern!) with even these The pattern is that you are again ignoring legal realities. << Which is a thing to be expected. >> > examples. Notice that with the possible exception of "handwriting > specimens", the examples above all represent pieces of evidence whose Handwriting as a tool used by most people, dates back to Eighteenth Century. Before that, it was a trade practiced by scribes, and priests. In Europe, outside of the Clergy, illiteracy was the standard, till the begining of the Industrial Revolution. << Remember that John Dee had an incredibly large library of 200 volumes. >> > or so, etc. I think even graphology (handwriting analysis) for legal > purposes is likewise comparatively recent, although there is no obvious > technological reason which this should have been so. The last category, Courts have yet to rule that an individual can be forced to provide a sample of their handwriting, if the purpose of obtaining such a script is for a graphological profile. More to the point, courts -- or at least US Courts -- don't accept graphological profiles, as proof of anything. I suspect you confusing graphology with questioned document examination. Courts have ruled that a person may be forced to provide a sample of writing, for use in questioned document examination, without violating the fifth amendment. << You ought to read the case law, to see why providing such a sample is not a fifth amendment violation ---- it might help you be a better armchair lawyer, who spends to much time watching Perry Mason reruns. >> > Anyone who denies this should be required to make a list of the kinds of Questined Document Examination, which you alluded to, was first accepted by courts in the United States, at the turn of the century. And it was only after World War One, that it was accepted in all courts in the US. xan jonathon grafolog at netcom.com Owner: Graphology-L at Bolis-com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From roger at coelacanth.com Sat Apr 20 22:58:12 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 21 Apr 1996 13:58:12 +0800 Subject: OS/2 encryption utilities In-Reply-To: <199604202027.OAA28387@xmission.xmission.com> Message-ID: <9604210303.AA1314@sturgeon.coelacanth.com> >>>>> "Deana" == mirele <mirele at xmission.com> writes: > ...I am in search of OS/2 disk encryption programs... However, for those of you who can wait... > From: pb at netcom.com > Organization: Quantum Corp. Milpitas CA USA > Newsgroups: comp.os.os2.utilities > I am beta testing an ifs that does DES and DES3 on a network-like > drive letter. Example -- x: may be assigned to d:\unknown. > Then whenever you write to x: the file becomes encrypted. > But it aint your ideal freeware does everything product. > It is not my product. My guess is that it will cost US$150 and should > hit selected mail order houses in shrink wrap in June or July. > Drag and drop of selected files or entire subdirectories into encrypted > form is also supported. (Files often become smaller because compression > is used.) > Expect announce here with URL for more info when product is ready. -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From kdf at gigo.com Sat Apr 20 23:02:40 1996 From: kdf at gigo.com (John Erland) Date: Sun, 21 Apr 1996 14:02:40 +0800 Subject: Mixmaster to DOS Yet? Message-ID: <aea_9604202019@gigo.com> [Please respond netmail - I do not see this list regularly...thanks!] Time to ask again: Has anyone ported Mixmaster to DOS yet? Thanks for any info. JE -- : Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. : Internet: kdf at gigo.com From jimbell at pacifier.com Sun Apr 21 00:20:52 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 15:20:52 +0800 Subject: OS/2 encryption utilities Message-ID: <m0uAqM0-000909C@pacifier.com> At 10:13 PM 4/20/96 -0400, Black Unicorn wrote: >On Sat, 20 Apr 1996, jim bell wrote: >Perhaps Mr. Bell would have been happier if I had said "bring forth a >motion calling for measures to deal with the defendant's supposed >conduct in bad faith in answering the discovery requests presented by the >plaintiff." Somehow, however, I doubt it. Much better! >> BTW, you seem to have forgotten that this would be an excellent way to deter >> the kind of "knock and smash" warrant service common amongst government >> thugs. Any argument by the cops that "we must break down the door or else >> they'll erase the data!" is rendered obviously silly if the data is ALREADY >> encrypted and inaccessible. > >This requires the assumption that all the data is already encrypted, not >an assumption a prosecutor or private litigant is about to make. They might not make such an "assumption," however it's an issue that must be addressed. I think that search done by COS lawyers last year (can't recall the target; I'm sure somebody recalls it) in which they not only copied data but also erased it from the hard disk...including other material not relevant to the case... is instructive. At least in hindsight, this was an improper search using improper techniques, which improperly allowed the defendant to damage the property searched. Surely you agree that was in error, whether or not you agree that the whole search was wrong, per se. There is certainly a good justification to make it as difficult as possible for those wanting to serve a search warrant in an _abusive_ fashion. Pre-encrypting the data would have ensured that the COS had access to none of the data while appeals occurred, and would have required that they continue to justify the search SUBSEQUENT TO its completion in order to have the judge compel some sort of key. If, arguably, the behavior at the search was wrong, that fact would have been citable as evidence of the abusive nature of their original request. As it is, COS was allowed to run roughshod over Constitutional rights, they abused a court, etc. Moreover, none of this was reversible, in REALITY. You can't turn back the clock and undo the search or the erasure of data, etc. And I think my original conclusion was correct: While most people don't encrypt most data NOW, in a few years just about everybody who has "sensitive" data will be using some sort of system to do this. At that point, the reality will be that search warrants will be issued _without_ any presumption that the evidence in any computer in the place will be identifiable, and thus the argument "we've gotta go in or the evidence will disappear!" will be obviously wrong. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Sun Apr 21 00:21:03 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 21 Apr 1996 15:21:03 +0800 Subject: 5th protect password? Message-ID: <m0uAq1k-00091WC@pacifier.com> At 02:22 AM 4/21/96 +0000, Jonathon Blake wrote: > Jim: > >On Sat, 20 Apr 1996, jim bell wrote: > >> > DOE v. United States, 487 U.S. 201; 108 S. Ct. 2341 (1988) > >> > A defendant can be compelled to produce material evidence that >> > is incriminating. Fingerprints, blood samples, voice >> > exemplars, handwriting specimens, or other items of physical >> > evidence may be extracted from a defendant against his will. >> >> As you might expect, I see a problem (and a pattern!) with even these > > The pattern is that you are again ignoring legal realities. No, I am not "ignoring legal realities." I am NOTING them, and noting that they form a suspicious pattern. I do not deny that these items are currently demanded regularly in certain cases; what I challenge is the appropriateness of that demand by historical and Constitutional standards. >> examples. Notice that with the possible exception of "handwriting >> specimens", the examples above all represent pieces of evidence whose > > Handwriting as a tool used by most people, dates back to > Eighteenth Century. Before that, it was a trade practiced > by scribes, and priests. In Europe, outside of the Clergy, > illiteracy was the standard, till the begining of the Industrial > Revolution. << Remember that John Dee had an incredibly large > library of 200 volumes. >> Yikes! You REALLY need to learn to read! I wasn't referring to handwriting itself , or for that matter to graphology ( the study of handwriting; which goes back perhaps 2000 years) but in fact the _forensic_ use of graphology. The point is that the demanding of handwriting samples is a fairly new concept, at least compared with the writing of the Constitution and the 5th amendment. I'm sure a REAL LAWYER (TM) reading this note will cite the first known example of a handwriting example being demanded by a court. What do you want to bet that it first occurred in this century? > >> or so, etc. I think even graphology (handwriting analysis) for legal >> purposes is likewise comparatively recent, although there is no obvious >> technological reason which this should have been so. The last category, > > Courts have yet to rule that an individual can be forced > to provide a sample of their handwriting, if the purpose > of obtaining such a script is for a graphological profile. Which simply means that they have to have more justification than a shotgun-approach inquiry. > More to the point, courts -- or at least US Courts -- don't > accept graphological profiles, as proof of anything. If that were the case, there there would be no justification for demanding a handwriting sample. Nevertheless, it is apparently done. And while a handwriting sample, ALONE, may not be "proof" of something, like most evidence it is used in conjunction with other evidence to support a conclusion. In any case, the initial reference to handwriting samples came from the Supreme Court, as quoted above, not me. Pay more attention. I was using the commentary of the SC to show that most if not all of the kinds of evidence demanded of defendants were NOT demande until well over a century after the 5th amendment was written. > > I suspect you confusing graphology with questioned document > examination. No, that's a larger issue. Graphology is a tool which can be used, but there are plenty of other technologies which are also useful on questioned documents. Paper analysis, ink analysis, electron microscopy, text analysis, to name just a few. That wasn't the point, however. > Courts have ruled that a person may be forced > to provide a sample of writing, for use in questioned document > examination, without violating the fifth amendment. << You ought > to read the case law, to see why providing such a sample is > not a fifth amendment violation ---- it might help you be a > better armchair lawyer, who spends to much time watching > Perry Mason reruns. >> Question: Let's suppose, for the purposes of argument, the policy was diametrically opposite, and no such samples were taken, ostensibly because that would be in violation of the 5th amendment. Please explain the arguments you would use to convince everybody that this opinion was in error. Remember, you couldn't cite precedent, because all the precedent would come to the opposite conclusion. You would have to explain to people why the precedents were all wrong. See the problem? Lawyers are full of "appeal to authority" arguments, which is what a precedent really is. But precedents can be wrong, are wrong, and are occasionally changed. I pointed out (correctly, I think) that since well over 100+ years after the writing of the 5th amendment, there has been a pattern of allowing prosecutors to demand evidence of a defendant whenever that evidence is considered useful to incriminate that defendant. I pointed out that all of the examples listed in the quotation above represented types of evidence that would not have been collected in 1783, or for that matter 1883, or even a few decades after this. As such, there is a reasonable doubt that the people who wrote the constitution actually intended to allow this sort of thing. After all, the fact that a given technique is, arguably, useful cannot be automatically used to justify its "reasonableness." After all, confessions can be useful to the cops, but that does not automatically grant the cops the right to beat confessions out of their prisoners, does it? Clearly not. And remember, there were a number of examples listed, so I think there is a suspicious pattern. Your response does not address this issue. >> Anyone who denies this should be required to make a list of the kinds of > > Questined Document Examination, which you alluded to, was > first accepted by courts in the United States, at the turn > of the century. And it was only after World War One, that > it was accepted in all courts in the US. I don't think that challeges anything I've already said. And you cut off the part where I challenged people to show the kinds of evidence regularly demanded of a defendant in 1783, which was about when the 5th amendment was written. > jonathon > grafolog at netcom.com > > Owner: Graphology-L at Bolis-com Aha! Yet another person who benefits from current government policy! Jim Bell jimbell at pacifier.com From attila at primenet.com Sun Apr 21 00:21:21 1996 From: attila at primenet.com (attila) Date: Sun, 21 Apr 1996 15:21:21 +0800 Subject: OS/2 encryption utilities Message-ID: <199604210427.VAA24493@usr5.primenet.com> ** Reply to note from mirele at xmission.com 04/20/96 2:26pm = Due to the fact that I have been threatened by the Church of Scientology = with legal action if I do not cease and desist posting encheferated = parodies of their secret scripture (per a letter I received from Cult = attorneys via Federal Express today) I am in search of OS/2 disk = encryption programs. = DISCLAIMER: I am not a practicing attorney; I am not offering you legal advice in any form. I personally would be first and foremost concerned with all the ramifications of destroying evidence; and, testing the rules of discovery. In no way am I condoning any action which may be contrary to the rules of justice in any jurisdiction. Keep in mind what "schwarzerPford mit gehornt" said: having asked for help in a public forum, the Co$ attorneys potentially will be going for discovery violations. That said.................. The only way you are going to get automatic disk encryption with OS/2 is to write a driver which would need to distinguish between drives and/or partitions as you would probably not wish to encrypt the operating system and routine files. Secondly, if you have _all_ your files encrypted, you are begging for a contempt citation if you refuse the keys. alternatively, you could reverse engineer one of the disk compress programs (__.sys drivers) and add a stream function for encryption --again begging contempt. A better way from my perspective to preserve some of my first amendment rights would be to use an IOMega optical floppy (flopitcal). IOmega has a new 100+M byte unit for around $200 which can double as a standard 3.5 floppy and runs on SCSI cards like the Adaptec and others (they may have an EIDE version). I believe there is now a version which is bootable. The blank disks are under $20/100MB (quite reasonable). Unless you are storing an enormouse amount of data, 100MB is a lot of space (maybe not on my OS/2 system which has 4G!). Again, if you wish to run the encryption automatically, then you are required to write a new driver. Keep in mind, with a driver, you are immediately faced with the problem of the encrytion keys --particularly if they are embedded in the controller. You could have one of the keys embedded in each floptical and a utility program to enter the second key, password, etc. when the driver started up... however, from my perspective, you would be better off to just convert your encrypted files to plain text to work with your files; then re-encrypting the material when you are done. needless to say, the floptical is not very obvious... and confiscating your system does not give away the keys, etc. However, you would be wise _not_ to involve another individual, etc. Not only is that a weak point, but it puts them in the loop and provides the government with an opportunity to include conspiracy --which carries the same penalty as the "crime" and additional charges of obstructing justice. pgp is available for OS/2, obtainable from Hobbes. BTW, do NOT keep your key ring, particularly the private key king, on the hard disks; keep it on a *separate* floppy. do NOT keep it on the floptical with the encrypted material. we are all concerned with privacy: the first, second, fourth, fifth,etc. amendment rights --what little there is left of them. However, regardless of any anarchistic-libertarian viewpoints, the best advice is not to raise your head --put your helmet on the rifle butt and raise that if you must --and, if you're riding in a helicopter, sit on your helmet. revenge may be a dish best served up cold, but anonymous remailers, particularly the encrypting ones, (do not use penet) are wonderful tools for the underground publishing of unpopular political and/or religious beliefs. There is a long line of court decisions which permit anonymous publishing --despite the fact Bubba certainly intends to take away our rights, particularly in cyberspace. lastly, learn from many who have preceded you: don't stonewall the court --that "fool" in the black robe can ring your bell however he wishes with contempt citations; there is little you can do about it and the local jails are not Club Fed. -- "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" --Joni Mitchell, 1972 cc: Black Unicorn <unicorn at schloss.li> Cypherpunks <cypherpunks at toad.com> From tcmay at got.net Sun Apr 21 00:24:31 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 21 Apr 1996 15:24:31 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <ad9efef905021004de07@[205.199.118.202]> At 7:50 PM 4/20/96, Computer Virus Help Desk wrote: >At 09:08 PM 4/19/96 -0700, Tim May wrote: >> >>It should be interesting to see what happens when the Bernstein ruling >>(assuming it is further upheld as the court case and appeals proceed) meets >>the proposed law making the writing of virus code a crime. >> >>If crypto software is essentially speech, albeit in a non-traditional >>human language, then virus software is no different. My point. (Also a point made by Mark Neely, I just noticed, when he wrote a couple of days ago: "Well, that puts legislation making virus authoring a crime into a new (and difficult) position.") >To the best of our knowledge simply writing Virus Code including it's >"distribution" is not a crime in the United States. However, the >deliberate, malicious upload or infection of another's computer or system is >a crime in many states. Again, my point. I was not saying such virus writing is currently against U.S. laws, at least not at the national level (the fifty states and various other local governments have their own laws, as the Georgia example about remailers is only the latest example of). >We don't see the "Bernstein" ruling as having an effect in the U.S. one way >or the other. Virus Code seems to be treated just like "speech" right now. >Use "it" to yell "fire" in a crowded theater and see what happens. >Deliberately and maliciously infect another's computer or system with a >computer virus and see what happens. > >What proposed law making writing virus code a crime were you referring to ? I was referring to the general discussion reported here and in places like "Risks" about illegalizing the generation of virus software. (A search of the archives, when they come back up, will reveal debates here on this.) (And I dimly recall at least one state legislature passing a law making "virus software" ipso facto illegal, regardless of being used in a trespass situation. The archives may produce more on this.) I don't think such a law is Constitutional, which is my point. Judge Patel seems to recognize this, as it relates to the Bernstein case. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From thecrow at iconn.net Sun Apr 21 00:33:07 1996 From: thecrow at iconn.net (Jack Mott) Date: Sun, 21 Apr 1996 15:33:07 +0800 Subject: spinner entropy In-Reply-To: <Pine.BSI.3.91.960420193617.11348A-100000@newton.forequest.com> Message-ID: <3179BFF2.157A@iconn.net> Jeremey Barrett wrote: > > Wei Dai writes: > > Do we have other candidates for portable software RNGs? > > > > > > What is more important, good portable software RNGs or good portable > seeding mechanisms? Seems to me there are good RNGs out there, but > there is virtually no way to portably guarantee a good seed. > > Netscape's RNG was probably good as any, but their seed sucked, so they > got cracked. Take an RC4 state box. grab 30 or so random seeds from a hardware device, use them to mix the state box, and use the rest of RC4 to grab random values. Just an idea, very fast at least. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) From steve at edmweb.com Sun Apr 21 01:00:30 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 21 Apr 1996 16:00:30 +0800 Subject: 5th protect password? In-Reply-To: <m0uAiWV-00091CC@pacifier.com> Message-ID: <Pine.BSF.3.91.960420214313.7498B-100000@kirk.edmweb.com> > > A defendant can be compelled to produce material evidence that > > is incriminating. Fingerprints, blood samples, voice > > exemplars, handwriting specimens, or other items of physical > > evidence may be extracted from a defendant against his will. > As you might expect, I see a problem (and a pattern!) with even these > examples. Notice that with the possible exception of "handwriting > specimens", the examples above all represent pieces of evidence whose > utility was only made technologically possible by developments done more > than a century after the writing of the Constitution. Fingerprints have I think you missed the main pattern... When a suspect is required to provide fingerprints, voice, blood and/or handwriting samples, those things are used exclusively for _identification_. The only exceptions I can think of are when blood, breath and urine samples are taken from a suspect to detect certain chemicials in the body. But, AFAIK, those exceptions are entirely the product of the recent war on drugs. Just my two bits. IANAL. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From frantz at netcom.com Sun Apr 21 01:00:57 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 21 Apr 1996 16:00:57 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604210453.VAA01630@netcom9.netcom.com> At 3:42 PM 4/20/96 -0500, Alex Strasheim wrote: >The best answer for these sorts of problems (at least for those of you not >constrained by ITAR) might be java form processing applets that use their >own crypto routines to submit the data. I have thought about the sources of entropy available to a Java applet, and there aren't many. You should design your protocol so entropy is not needed on the applet side. Entropy is normally used to pick symmetric encryption keys, and Initialization vectors ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From mirele at xmission.com Sun Apr 21 01:26:56 1996 From: mirele at xmission.com (mirele at xmission.com) Date: Sun, 21 Apr 1996 16:26:56 +0800 Subject: OS/2 encryption Message-ID: <199604210544.XAA09283@xmission.xmission.com> I have received a lot of comment about my request for OS/2 encryption...perhaps I didn't make myself clear. I have already taken precautions (have been, for over a year) to protect my private documents and email via use of PGP. I simply wanted to improve the security of my home system overall. I have been alarmed to see how, in the Wollersheim and Penney court cases, the Church of Scientology was able to sue people, take custody of their computers, and basically trash their hard drives. Frankly, I've worked too damned hard on getting my system just right to have some bozo blunder in and erase things, either through stupidity, cupidity, or maliciousness. *That's* why I inquired about disk security. Not because I'm trying to hide something from Scientology...but because I don't appreciate people messing around with something that I've worked very hard on. Deana M. Holmes mirele at xmission.com -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ ------END GEEK CODE BLOCK------ From steve at edmweb.com Sun Apr 21 02:48:10 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 21 Apr 1996 17:48:10 +0800 Subject: Hardware RNG (was Re: spinner entropy) In-Reply-To: <3179954A.176A@iconn.net> Message-ID: <Pine.BSF.3.91.960420223831.7579C-100000@kirk.edmweb.com> > Anyway I am in the middle of putting together a portable RNG that will should > consist of nothing more than a photoelectric tube, 9volt battery, and a bit of > wiring. It will connect through the serial port. Just put your favorite > radioactive substance near it and your set. before people freak out, there are Why not just use a sound sample? "Please blow into the microphone"... You've got the randomness of the sound itself, along with the minute errors produced by the analog/digital converter. Should be able to get plenty of entropy. Maybe even just use background noise. Even if you don't have a sound card, you could probably fix something up that plugs into a port. Seems like a good idea, but I'm no expert on entropy. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From ljt at fs3.ucc.on.ca Sun Apr 21 02:50:25 1996 From: ljt at fs3.ucc.on.ca (Jed Liu) Date: Sun, 21 Apr 1996 17:50:25 +0800 Subject: On computer face recognition In-Reply-To: <199604120630.XAA14255@dns1.noc.best.net> Message-ID: <3179D617.16CA@fs3.ucc.on.ca> Jonathan Litt wrote: > > geeman at best.com writes: > > Subject: Re: On computer face recognition: > > Date: Thu, 11 Apr 1996 23:30:49 -0700 > > > > There was a piece, I _think_ in Scientific American, tho it might > > have been an AI journal, on face recognition by use of neural > > nets together with what were called "eigenface" images [...] > > You are thinking of the article in Scientific American about the > Vision and Modeling group at the MIT Media Lab. [...] Actually, I read about it a while ago in "Discover Magazine". (It could very well be that it was published in Sci. American also.....) From abostick at netcom.com Sun Apr 21 02:50:51 1996 From: abostick at netcom.com (Alan Bostick) Date: Sun, 21 Apr 1996 17:50:51 +0800 Subject: [Yadda Yadda] Re: OS/2 encryption utilities In-Reply-To: <m0uAnQG-0008yqC@pacifier.com> Message-ID: <Yxaex8m9LksY085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <m0uAnQG-0008yqC at pacifier.com>, jim bell <jimbell at pacifier.com> wrote: > At 06:08 PM 4/20/96 -0400, Black Unicorn wrote: > >On Sat, 20 Apr 1996 mirele at xmission.com wrote: > > > >> Due to the fact that I have been threatened by the Church of Scientology > >> with legal action if I do not cease and desist posting encheferated > >> parodies of their secret scripture (per a letter I received from Cult > >> attorneys via Federal Express today) I am in search of OS/2 disk > >> encryption programs. > > > >Were I a Co$ attorney, I would use this to bring discovery violations > >if I took you to court. > > You know, I've always thought it odd how some people misuse the English > language when they speak in their chosen shorthand. "bring discovery > violations"? How, exactly, does one _BRING_ a "discovery violation"? > Like, maybe, bring it in a whellbarrow?!? Is "bring" a proper word in this > context? Why not stop using that silly shorthand. > > BTW, you seem to have forgotten that this would be an excellent way to deter > the kind of "knock and smash" warrant service common amongst government > thugs. Any argument by the cops that "we must break down the door or else > they'll erase the data!" is rendered obviously silly if the data is ALREADY > encrypted and inaccessible. If anything, it would make the data permanently > inaccessible since it would make (arguably) the release of a decrypt key > "incriminating" if it were a criminal case. > > Yet another excellent reason to encrypt the data is that it deters > burglaries, where the purpose of the burglary is to get this data illegally. > Given the COS's history, that is a reasonable fear. > > Jim Bell > > jimbell at pacifier.com > subscribe clueless jimbell at pacifier.com - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMXmsmuVevBgtmhnpAQG6IAL+LUJpn1C056Hff6wmmwhHVfSWiy1d9PUy gYtM0IceT8q7xDmRTph4Nfh6Vel+QzjrlPSunpHlmHe/tvPp7asmp3ci1Pkoecp1 w1cvcc0nxs/LsWjJoDxoNmmlUHsug+z5 =rQ+d -----END PGP SIGNATURE----- From shamrock at netcom.com Sun Apr 21 03:05:03 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 21 Apr 1996 18:05:03 +0800 Subject: Smartcards are coming to the US Message-ID: <v02120d0dad9f5dfbbe2f@[192.0.2.1]> At 22:33 4/20/96, Black Unicorn wrote: >On Sat, 20 Apr 1996, Lucky Green wrote: > >> Years after smartcards have become ubiquitous in such countries as Pakistan >> and Nepal, not to mention Europe, I just saw my first smartcard commercial >> ever on US television. >> >> Way to go :-) > >Have you seen the Visa (mastercard) commercial that shows the finger >print reader and spouts off "Single digit PINs" (Digit, get it?) No, I saw the MC commercial with the Australian pilot. Are you serious? Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From love5683 at voicenet.com Sun Apr 21 04:06:29 1996 From: love5683 at voicenet.com (Chevelle) Date: Sun, 21 Apr 1996 19:06:29 +0800 Subject: HANDS UP! Message-ID: <199604210734.DAA19234@mail.voicenet.com> Hey guys if there's anything I can do to help Kevin out anything at all please let me know! chevelle out.... 07:14 AM 4/5/96 +0200, THE HIJACK-CREW wrote: >HI THERE! THIS IS etoy! > >"the digital hijack" is NOW running ! > >the internet-underground has decided: it is definitely time to blast SOUND >and ACTION into the net !!! > >our software-agents have invaded the main searchservers... > >++++for more information check out : http://www.hijack.org/++++++++++ > >or get kidnapped live --> go to infoseek (netsearch-button on your browser) >and search for: > >UNDERGROUND - CENSORSHIP - DISCO - XTC - CLINTON - PORSCHE - CRACK - >KRAFTWERK - ELVIS - TERROR - PENTHOUSE - SEGA - MONDRIAN - SEXPISTOLS - >FIREARMS - TARANTINO - DJ - STONES - NETWORKS - BASE - CRIME - WAR - >BUSINESS - WOMEN - NET - SOCIETY - ART - CASTRO - PARADISE - ATHLETICS - >PULP - CYBER - YELLO - PETSHOPBOYS - REM - HUSTLER - BITCH - GUEVARA - >SEVESO - MELODYMAKER - PORNO - GABBER - ROLLERBLADES - REBEL - OASIS - >COMMUNICATIONS - PLAYBOY - BELGIUM - ORB - AND MANY MORE... > >these keywords will all appear on the TOP 10 - LIST. take the link to >hijack.org to get the hijack-experience like millions of bored >internet-users... > >download the hijackers-sound, get the best pictures and help us free our >friend KEVIN D. MITNICK, THE SUPERHACKER (charged for electronic-terrorism, >maximum sentence: 460 years prison) ! > >we would be very happy to welcome you on our site. spread this new >internet-lifestyle to your friends and to internet-freaks + surfers ! > >this is a underground art-project not a bastard-business mail. our grab >robot "etoy.IVANA" got your email-address by cruising the net. > >for the hijack-crew etoy >MARTIN KUBLI > >email mailme at etoy.com >fax ++41 1 363 35 57 >_______________________________________________________________________ >http://www.hijack.org/ >for highres-pictures: ftp.etoy.com /press > > >etoy: >leaving reality behind...abusing technology...flashing the net > > From unicorn at schloss.li Sun Apr 21 04:06:36 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 19:06:36 +0800 Subject: [Yadda Yadda Yadda] Re: 5th protect password? In-Reply-To: <m0uAq1k-00091WC@pacifier.com> Message-ID: <Pine.SUN.3.91.960421034850.21453C-100000@polaris.mindport.net> [Obnoxiously long cc: list trimmed.] On Sat, 20 Apr 1996, jim bell wrote: > amendment. I'm sure a REAL LAWYER (TM) reading this note will cite the > first known example of a handwriting example being demanded by a court. > What do you want to bet that it first occurred in this century? I have US$ 50,000 that says it didn't. Care to take me up on it? > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun Apr 21 04:06:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 19:06:40 +0800 Subject: [Noise?] Re: Smartcards are coming to the US In-Reply-To: <v02120d0dad9f5dfbbe2f@[192.0.2.1]> Message-ID: <Pine.SUN.3.91.960421034634.21453B-100000@polaris.mindport.net> On Sat, 20 Apr 1996, Lucky Green wrote: > At 22:33 4/20/96, Black Unicorn wrote: > >Have you seen the Visa (mastercard) commercial that shows the finger > >print reader and spouts off "Single digit PINs" (Digit, get it?) > > No, I saw the MC commercial with the Australian pilot. Are you serious? That's one of the series. > Disclaimer: My opinions are my own, not those of my employer. > > -- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun Apr 21 04:47:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 21 Apr 1996 19:47:02 +0800 Subject: OS/2 encryption In-Reply-To: <199604210544.XAA09283@xmission.xmission.com> Message-ID: <Pine.SUN.3.91.960421035428.21453D-100000@polaris.mindport.net> On Sat, 20 Apr 1996 mirele at xmission.com wrote: > I have received a lot of comment about my request for OS/2 > encryption...perhaps I didn't make myself clear. [...] > *That's* why I inquired about disk security. Not because I'm trying to > hide something from Scientology...but because I don't appreciate people > messing around with something that I've worked very hard on. Not to get too out of hand, but how is encryption going to prevent deletions? > Deana M. Holmes > mirele at xmission.com > -----BEGIN GEEK CODE BLOCK----- > Version: 3.1 > GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 > X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ > ------END GEEK CODE BLOCK------ > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From timd at consensus.com Sun Apr 21 04:57:36 1996 From: timd at consensus.com (Tim Dierks) Date: Sun, 21 Apr 1996 19:57:36 +0800 Subject: PGP's +makerandom is broken (was: Re: Article on PGP flaws) Message-ID: <v02140b02ad9f9d2812ba@[206.170.39.104]> At 10:52 PM 4/20/96, Jeffrey I. Schiller wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >On April 16, 1996 jf_avon at citenet.net said: >> I fed the result of >> pgp +makerandom=2000 rnd.pgp >> into noisesphere.exe >> >> Every times, it gives a distribution that looks like a zebra from the >> top view. Any comments? > >This is a bug in PGP. +makerandom doesn't work properly. I discovered >this a few week ago myself when I needed some random numbers for >another project. Due to a programming bug, the idea based random number >generator doesn't get initialized (read: doesn't get seeded at all) >when +makerandom is used. Note: +makerandom is an undocumented feature. > >IMPORTANT: Only +makerandom is effected. In normal use PGP properly >generates random session keys as well as RSA public key pairs. > > -Jeff As true as this may be, it doesn't explain the original posters problem; unseeded IDEA should generate data that looks every bit as random as data which was fully seeded (otherwise IDEA leaks information). This should raise a question regarding the utility of any post-facto measurement of entropy; the stream of bits generate by IDEA encrypting zero values in CBC mode with a key of zero clearly has little, if any, entropy, but the data generated should be indistinguishable from true random data by all statistical and pattern-recognition tests. See the discussion on coderpunks. Basically, to get crypto-quality random numbers: 1) Use a secure generator; any secure block cipher or hash function will do. 2) Seed it well. This is entirely specific to your situation & platform, and is unmeasurable for practical purposes. - Tim Tim Dierks timd at consensus.com Consensus Development http://www.consensus.com From JeanPaul.Kroepfli at ns.fnet.fr Sun Apr 21 09:03:10 1996 From: JeanPaul.Kroepfli at ns.fnet.fr (Jean-Paul Kroepfli) Date: Mon, 22 Apr 1996 00:03:10 +0800 Subject: Netscape Export + 128bits SSL (?) Message-ID: <01BB2F9B.1F300E20@JPKroepsli.S-IP.EUnet.fr> Hello, We are very curious about security + standard + on the shelf products, because so the market will use more naturally the cryptography. Do you know if it's possible to use Netscape client (export = 40bits RC4) on an external SSL layer (i.e., with full encryption, RC4 long keys or IDEA)? Use extra-US implantation (SSL-Leavy or AppacheSSL, etc.) the IDEA option? It seems that IDEA is no longer supported by SSL 3 (in the cipher suite we see IDEA with RSA but not with D-H). Are rumors on additional algorithms (e.g., Safer SK128, Blowfish, etc.)? On the S-HTTP side, are some non-US implantation (browser or server) available or some US-freeware that is smuggled out? Thanks for your answers. Jean-Paul ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- Jean-Paul et Micheline Kroepfli (our son: Nicolas and daughter: Celine) eMail: JeanPaul.Kroepfli at utopia.fnet.fr Also Compuserve and MSNetwork Phone: +33 81 55 52 59 (F) PostMail: F-25640 Breconchaux (France) or: +41 21 843 27 36 (CH) or: CP 138, CH-1337 Vallorbe Fax: +33 81 55 52 62 (Switzerland) Zephyr(r) : InterNet, Communication, Security and Cryptography consulting PGP Fingerprint : 19 FB 67 EA 20 70 53 89 AF B2 5C 7F 02 1F CA 8F "The InterNet is the most open standard since air for breathing" From grafolog at netcom.com Sun Apr 21 09:49:33 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 22 Apr 1996 00:49:33 +0800 Subject: 5th protect password? In-Reply-To: <m0uAq1k-00091WC@pacifier.com> Message-ID: <Pine.3.89.9604211321.A14720-0100000@netcom10> Jim: On Sat, 20 Apr 1996, jim bell wrote: > > illiteracy was the standard, till the begining of the Industrial > > Revolution. << Remember that John Dee had an incredibly large > > library of 200 volumes. >> > > Yikes! You REALLY need to learn to read! I wasn't referring to handwriting & you totally missed my point that when literacy was a rare thing, there was no presumption that any individual could either read, or write. The rest of the things listed required no presumption about anything related to an individual. > itself , or for that matter to graphology ( the study of handwriting; which > goes back perhaps 2000 years) but in fact the _forensic_ use of graphology. The first book about graphology was written in 1622 by C Baldi. The first book on questioned document examination was written in the 1860s. The first forensic use of graphology may have occurred as early as 1960. In 1975, a Juvenile Court Judge in Boulder CO used graphology forensically to determine the most appropriate method of handling some of the cases that appeared in _his_ court. Most courts in the United States regard the forensic use of graphology as dubious, at best. A few have ruled against it. > The point is that the demanding of handwriting samples is a fairly new > What do you want to bet that it first occurred in this century? For questioned document examination? Sometime during the sixties. For graphological examination? Hasn't occurred yet. > If that were the case, there there would be no justification for demanding a > handwriting sample. Nevertheless, it is apparently done. And while a Can you provide a citation where a court has demanded a handwriting sample for graphological purposes? They can, and do require handwriting samples for questioned document examination. > In any case, the initial reference to handwriting samples came from the > Supreme Court, as quoted above, not me. Pay more attention. I was using A ruling that had no relationship to graphology ---- which is a subject that you brought up. > > I suspect you confusing graphology with questioned document > > examination. > No, that's a larger issue. Graphology is a tool which can be used, but there I was wondering how you were going to try to wriggle out of this one. > Question: Let's suppose, for the purposes of argument, the policy was > diametrically opposite, and no such samples were taken, ostensibly because The gist of the argument is that handwriting samples are public, and that things are written for public consumption, not private consumption. > would come to the opposite conclusion. You would have to explain to people > why the precedents were all wrong. You are taking a completely hypothetical situation that never had a basis in what could have happened. An individual who had seen another individual's handwriting _once_ could deem themselves to be an expert, for that particular person's writing. As such, an illiterate stable boy, who had seen his master writing something twenty years prior, was deemed more knowledgable about his master's script, than a QDE who had exemplars and the suspect document, and could demonstrate the authenticity or lack thereof, from the script. After several cases where the QDE's opinion was deemed incorrect, and later it was discovered that the QDE's opinion was correct, the rules of the acceptability of an expert witness became somewhat stricter. As the rules regarding who could be an expert witness became stricter, the requirements for obtaining authentic samples of writing became more urgent. Subpoenaing documents from numerous bodies << corporations and individuals >> became a standard way of obtaining exemplars. Such exemplars were/ are not always satisfactory, because they may be signatures only -- in the case of checks, or be written under non-ordinary conditions --- such as filed tax forms, or other reasons. By requesting an individual provide an authentic sample, the ease with which a document can be demonstrated to be authentic, or not, is considerbly increased. And the likelyhood of error creeping in, is decreased dramatically. Now if you'd rather have an illiterate stabhle boy, that saw you write something 20 years ago be considered an expert as regards what your handwriting looks like... > demanded of a defendant in 1783, which was about when the 5th amendment was > written. What they said. Where they said it. What they had in their possession. Where they had said items in their possession. Note in passing that rules for admitting something into evidence was a lot looser then, than it is now. > > Owner: Graphology-L at Bolis-com > Aha! Yet another person who benefits from current government policy! I do? That's news to me, and the rest of graphological profession that we benefit from current government policy --- especially in light of rulings that imply that graphology can not be used for employment screening, selection or profilling. xan jonathon grafolog at netcom.com Owner: Graphology-L at Bolis-com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From declan+ at CMU.EDU Sun Apr 21 10:05:35 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 22 Apr 1996 01:05:35 +0800 Subject: OS/2 encryption In-Reply-To: <199604211304.HAA04319@xmission.xmission.com> Message-ID: <ElSYVzC00YUv431dQA@andrew.cmu.edu> Excerpts from internet.cypherpunks: 21-Apr-96 Re: OS/2 encryption by mirele at xmission.com > (If people would like to read the letter I received from the Church > <spit>, either read alt.religion.scientology, where it has been posted, or ema > il me and I will send you a copy.) I have excerpts from the letter and some other background on the recent Sciento threats at: http://fight-censorship.dementia.org/fight-censorship/dl?thread =Scientology's+legal+fishing+expedition,+expanded+enemies+list& after=2259 But for more detailed treatment, Ron Newman's web page is the place to look: http://kalypso.cybercom.net/~rnewman/scientology/home.html -Declan From mirele at xmission.com Sun Apr 21 10:11:26 1996 From: mirele at xmission.com (mirele at xmission.com) Date: Mon, 22 Apr 1996 01:11:26 +0800 Subject: OS/2 encryption In-Reply-To: <Pine.SUN.3.91.960421035428.21453D-100000@polaris.mindport.net> Message-ID: <199604211304.HAA04319@xmission.xmission.com> In <Pine.SUN.3.91.960421035428.21453D-100000 at polaris.mindport.net>, on 04/21/96 at 03:55 AM, Black Unicorn <unicorn at schloss.li> said: >On Sat, 20 Apr 1996 mirele at xmission.com wrote: >> I have received a lot of comment about my request for OS/2 >> encryption...perhaps I didn't make myself clear. >[...] >> *That's* why I inquired about disk security. Not because I'm trying to >> hide something from Scientology...but because I don't appreciate people >> messing around with something that I've worked very hard on. >Not to get too out of hand, but how is encryption going to prevent >deletions? Well, anything to slow them down. It was reported to me that when Dennis Erlich was raided last year, they rendered his computer unbootable because of the deletions they had made. As it is, I haven't been able to find an appropriate security utility beyond PGP (which I've been using for over a year anyway). So this discussion is moot. Look folks. *This* is what it's about. I like a little humour. So what I've been doing is taking *posted* documents and running them through a filter (the "encheferizer" of alt.swedish.chef.bork.bork.bork) and then reposting them to alt.religion.scientology. I have been doing this for over a year. It's only been recently that (a) the Church <spit> started cancelling them and (b) that they started threatening me over it. And then the humourless gits of the Church <spit> went to the trouble to get an attorney in New York City to threaten me. I'm taking the threat very seriously. This (looking for more secure ways to keep my computer from being trashed) is part of it. (If people would like to read the letter I received from the Church <spit>, either read alt.religion.scientology, where it has been posted, or email me and I will send you a copy.) Deana M. Holmes mirele at xmission.com -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s++ a C++ U P L E- W++ N++ o-- K++ w--- O++ PS++ PE-- Y+ PGP+ t 5 X-- R- tv-- b++ DI++ D++ G e++++ h+ r* x++ ------END GEEK CODE BLOCK------ From sandfort at crl.com Sun Apr 21 12:12:53 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 22 Apr 1996 03:12:53 +0800 Subject: [Yadda Yadda Yadda] Re: 5th protect password? In-Reply-To: <Pine.SUN.3.91.960421034850.21453C-100000@polaris.mindport.net> Message-ID: <Pine.SUN.3.91.960421084606.11213A-100000@crl11.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, > On Sat, 20 Apr 1996, jim bell wrote: > > > amendment. I'm sure a REAL LAWYER (TM) reading this note will cite the > > first known example of a handwriting example being demanded by a court. > > What do you want to bet that it first occurred in this century? To which Black Unicorn responded: > I have US$ 50,000 that says it didn't. Care to take me up on it? Though I think the wager offered way out of line, I wish that this mechanism for handling disputes were used more often on the Cypherpunk list. It's easy for folks to shoot their mouths off when they can do so at virtually zero cost. The results are endless flame wars with only rare resolution. When money is at stake, there is an incentive to be more temperant in ones claims. I would be interested to see if Jim Bell and Black Unicorn could engage in a "friendly" wager on the question in point for the nominal sum of, say, US$100. Perhaps they can cooperate to frame their dispute in unambiguous terms, mutually agree upon an escrow agent and pick a referee or other resolution mechanism to decide their "case." Wouldn't that be something? By the way, gentlemen, I'm not kidding. Everyone on this list could use a respite from all the "yes-it-is-no-it's-not" posts among various combatants engaged in "how-many-angels..." spats. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From alex at crawfish.suba.com Sun Apr 21 13:02:22 1996 From: alex at crawfish.suba.com (Alex Strasheim) Date: Mon, 22 Apr 1996 04:02:22 +0800 Subject: Add-in encryption module to Netscape In-Reply-To: <199604210453.VAA01630@netcom9.netcom.com> Message-ID: <199604211638.LAA00274@crawfish.suba.com> > I have thought about the sources of entropy available to a Java applet, and > there aren't many. You should design your protocol so entropy is not > needed on the applet side. Entropy is normally used to pick symmetric > encryption keys, and Initialization vectors This is a reasonable approach if you're just going to send information from the applet to the server, which is what we were talking about. But if we want to use java applets for secure two way communications, aren't we going to need to find some entropy somewhere? Is it feasible to make an input package that stores up entropy from keyboard and mouse events as an applet is used? Then when entropy is needed, whatever's available is used. If there's not enough a scribble window or text field could pop up and the user could generate the rest. (This isn't my idea, I'm inferring it from something Hal wrote.) And over the long run, what, if anything, could Sun do to let applets have access to more entropy in Java? Would it be practical to have an entropy source in the api, that could be combined with other sources in the applet? From declan+ at CMU.EDU Sun Apr 21 13:41:03 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 22 Apr 1996 04:41:03 +0800 Subject: DC gossip on Mike Nelson Message-ID: <glSanqK00YUv44g5ha@andrew.cmu.edu> Just heard from a reliable source: Mike Nelson of the White House Office of Science and Technology Policy has moved on from the position of civilian co-chair of the Interagency Key Escrow Alternatives committee (I think I got that right) and will be replaced by Bruce McConnell, deputy to Sally Katzen at OMB/OIRA. -Declan From jamesd at echeque.com Sun Apr 21 13:49:02 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 22 Apr 1996 04:49:02 +0800 Subject: [Yadda Yadda Yadda] Re: 5th protect password? Message-ID: <199604211716.KAA08249@dns1.noc.best.net> >To which Black Unicorn responded: > >> I have US$ 50,000 that says it didn't. Care to take me up on it? At 09:07 AM 4/21/96 -0700, Sandy Sandfort wrote: > Though I think the wager offered way out of line, I wish that > this mechanism for handling disputes were used more often on the > Cypherpunk list. It's easy for folks to shoot their mouths off > when they can do so at virtually zero cost. The results are > endless flame wars with only rare resolution. When money is at > stake, there is an incentive to be more temperant in ones claims. This mechanism was tried extensively on the extropians list, and in my judgement it was totally unsuccessful. When money is at stake, flames concerning ill considered factual claims are replaced by power moves to manipulate the system, obtain corrupt adjudicators, and intimidate, exclude and silence dispute in order to win, or conceal evasion of, ill considered bets. > I would be interested to see if Jim Bell and Black Unicorn could > engage in a "friendly" wager on the question in point for the > nominal sum of, say, US$100. Perhaps they can cooperate to frame > their dispute in unambiguous terms, mutually agree upon an escrow > agent and pick a referee or other resolution mechanism to decide > their "case." Wouldn't that be something? This would work at $100. But the temptation is always to escalate the bet, to win by bluffing, with the result that the dispute is escalated, rather than resolved. At $500, our problem would become much worse, rather than much better. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From sandfort at crl.com Sun Apr 21 14:11:06 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 22 Apr 1996 05:11:06 +0800 Subject: [Yadda Yadda Yadda] Re: 5th protect password? In-Reply-To: <199604211716.KAA08249@dns1.noc.best.net> Message-ID: <Pine.SUN.3.91.960421102257.29838A-100000@crl6.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 21 Apr 1996 jamesd at echeque.com wrote: > This mechanism was tried extensively on the extropians list, and > in my judgement it was totally unsuccessful. This is not extropians. We are more anarchic, less ideological and more goal oriented. > When money is at stake, flames concerning ill considered factual > claims are replaced by power moves to manipulate the system, > obtain corrupt adjudicators, and intimidate, exclude and silence > dispute in order to win, or conceal evasion of, ill considered bets. And you like endless cross-talking better? In any event, the problems you mentioned primarily impact the combatants and are (in my opinion) easily structured out of the system. > This would work at $100. But the temptation is always > to escalate the bet, to win by bluffing, with the result that > the dispute is escalated, rather than resolved. Again, compare it to the current "solution." > At $500, our problem would become much worse, rather than much > better. Here we agree, 100%. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jimbell at pacifier.com Sun Apr 21 14:11:44 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 22 Apr 1996 05:11:44 +0800 Subject: 5th protect password? Message-ID: <m0uB2v1-00090gC@pacifier.com> At 10:03 PM 4/20/96 -0700, Steve Reid wrote: >> > A defendant can be compelled to produce material evidence that >> > is incriminating. Fingerprints, blood samples, voice >> > exemplars, handwriting specimens, or other items of physical >> > evidence may be extracted from a defendant against his will. > >> As you might expect, I see a problem (and a pattern!) with even these >> examples. Notice that with the possible exception of "handwriting >> specimens", the examples above all represent pieces of evidence whose >> utility was only made technologically possible by developments done more >> than a century after the writing of the Constitution. Fingerprints have > >I think you missed the main pattern... When a suspect is required to >provide fingerprints, voice, blood and/or handwriting samples, those >things are used exclusively for _identification_. Is this "a distinction without a difference"??? > >The only exceptions I can think of are when blood, breath and urine >samples are taken from a suspect to detect certain chemicials in the body. >But, AFAIK, those exceptions are entirely the product of the recent war on >drugs. This is odd. By mentioning those exceptions you just destroyed your argument. If you were trying to claim that "identification"-intended evidence was not protected by the 5th amendment, mentioning samples taken to detect drugs are obviously not of this type. The implication is that they represent an entirely different class of "non-violations" of the 5th amendment. How many other non-violations are you going to be able to pull out of that hat, along with that rabbit? This, as you might expect, is getting hilarious. Somehow, I think everything that might be construed as a violation of the 5th is going to be called "a special case" or "an exception" by those who see no problem, or at least those who are not willing to admit to a problem. What's so hard about admitting that the powers-that-be in this country today chafe at the protections guaranteed in the Bill of Rights, and try to do everything in their power to minimize or eliminate them? It's certainly not an unexpected possibility, and in fact most people probably recognize that it is unavoidable. Once you are dragged, kicking and screaming, to an admission that this kind of thing actually happens, your next task is to identify current policy practices which are the product of this kind of misinterpretation. See, my argument is that there is a pattern of violation of the 5th amendment, and glory be, you provide yet more ammunition for my claims. I think you need to go back, try to figure out the originally intended meaning of the 5th, and differentiate it from the subsequent 210+ years of wishful thinking on the part of the government. Jim Bell jimbell at pacifier.com From tcmay at got.net Sun Apr 21 14:16:12 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Apr 1996 05:16:12 +0800 Subject: Betting on the Unibells Message-ID: <ad9fc23a06021004bd86@[205.199.118.202]> At 4:07 PM 4/21/96, Sandy Sandfort wrote: >To which Black Unicorn responded: > >> I have US$ 50,000 that says it didn't. Care to take me up on it? > >Though I think the wager offered way out of line, I wish that >this mechanism for handling disputes were used more often on the >Cypherpunk list. It's easy for folks to shoot their mouths off >when they can do so at virtually zero cost. The results are >endless flame wars with only rare resolution. When money is at >stake, there is an incentive to be more temperant in ones claims. I believe Sandy was on the Extropians list at the same time I was (and maybe after I left), and must recall that this was tried. The Extropians tried several of these "market-based dispute resolution" schemes, including wagers on debates. In my view, all failed. Wagers and bets consumed far more list time to discuss, argue about, and (sometimes) resolve than the experiment was worth. Basically, not too surprising, as the actual stakes were quite low and the real-world consequences small. "Wiggle room" was always argued for, and "mediators" or "arbitrators" to decide the winner were hard to find for many of the bets. And many of the bets were poorly-formulated, at least in terms of having a neutral third party decide the outcome. (I don't doubt that better formulations are possible....it just requires a lot of work, and the stakes need to be worthwhile. Mediators have to get a big enough cut of the action to make it worthwhile for them to get involved. It takes motivation and effort to get inolved, and I can't see anyone with an IQ over 120--a slacker on this list--wanting to get involved in the "yadda-yadda-yadda" debate between the Unibells.) >I would be interested to see if Jim Bell and Black Unicorn could >engage in a "friendly" wager on the question in point for the >nominal sum of, say, US$100. Perhaps they can cooperate to frame >their dispute in unambiguous terms, mutually agree upon an escrow >agent and pick a referee or other resolution mechanism to decide >their "case." Wouldn't that be something? > >By the way, gentlemen, I'm not kidding. Everyone on this list >could use a respite from all the "yes-it-is-no-it's-not" posts >among various combatants engaged in "how-many-angels..." spats. I find it much easier to just let Jim Bell and Black Unicorn rant at each other. I delete their rants and insults. I figure if this keeps them occupied for hours every night, to each their own. --Tim May (Speaking of the Unibells...did you hear about the bomber who blows up his victims and then eats the pieces? The Unadahmer.) Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From richieb at teleport.com Sun Apr 21 14:28:29 1996 From: richieb at teleport.com (Rich Burroughs) Date: Mon, 22 Apr 1996 05:28:29 +0800 Subject: OS/2 encryption Message-ID: <2.2.32.19960421174602.0068fcfc@mail.teleport.com> At 06:53 AM 4/21/96, you wrote: >In <Pine.SUN.3.91.960421035428.21453D-100000 at polaris.mindport.net>, on >04/21/96 at 03:55 AM, > Black Unicorn <unicorn at schloss.li> said: > >>On Sat, 20 Apr 1996 mirele at xmission.com wrote: > >>> I have received a lot of comment about my request for OS/2 >>> encryption...perhaps I didn't make myself clear. > >>[...] > >>> *That's* why I inquired about disk security. Not because I'm trying to >>> hide something from Scientology...but because I don't appreciate people >>> messing around with something that I've worked very hard on. > >>Not to get too out of hand, but how is encryption going to prevent >>deletions? > >Well, anything to slow them down. It was reported to me that when Dennis >Erlich was raided last year, they rendered his computer unbootable because >of the deletions they had made. As it is, I haven't been able to find an >appropriate security utility beyond PGP (which I've been using for over a >year anyway). So this discussion is moot. [snip] I really don't understand this whole thread. Deana wants an encryption utility to keep her data from prying eyes. Simple. The cypherpunks list is the last place I'd expect to see people question her judgment about it. Encryption will prevent someone from reading Deana's email and other private documents without a court ordering her to divulge her key. Despite whatever inference a court may draw from her encrypting data, it's a smart move, IMHO, when you consider that the "Church" has raided 4 people's homes with ex parte writs of seizure and hauled off their entire computer systems (people who received letters from the "Church" not very different than the one Deana got). When the computers were seized they weren't taken to the court -- they went straight to the offices of the "Church's" lawyers, where paid experts executed extremely broad searches on the hard drives. If you can picture your worst enemy poring through your hard drive, file by file, you'll understand why something like secure drive or SFS would come in handy. Encryption may prevent deletions -- if I remember right, it was alleged that the "Church" had selectively deleted files from one of the hard drives (I think it was Arnie Lerma's). If everything's encrypted, selective deletions based on content would be impossible. OTOH, Steve Fishman, author of the famous Fishman Affidavit, alleges that people working for CoS came into his house under false pretenses and deleted the contents of his entire c:\ drive. As for the free legal advice, Deana's very legal savvy (IMHO, based on my time on a.r.s.), so I think we can spare it. She's surely weighed the consequences of what she's doing. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From alano at teleport.com Sun Apr 21 14:37:25 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 22 Apr 1996 05:37:25 +0800 Subject: [NOISE] Re: DC gossip on Mike Nelson Message-ID: <2.2.32.19960421181938.00aa6a00@mail.teleport.com> At 01:14 PM 4/21/96 -0400, Declan B. McCullagh wrote: >Just heard from a reliable source: Mike Nelson of the White House Office >of Science and Technology Policy has moved on from the position of >civilian co-chair of the Interagency Key Escrow Alternatives committee >(I think I got that right) and will be replaced by Bruce McConnell, >deputy to Sally Katzen at OMB/OIRA. But what will happen to Crow and Tom Servo? ];> It does explain alot about Government policy towards Cryptography though... --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From reagle at MIT.EDU Sun Apr 21 14:48:15 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Mon, 22 Apr 1996 05:48:15 +0800 Subject: (Privacy) Stop unwanted email Message-ID: <9604211749.AA13551@rpcp.mit.edu> >From: 'reagle at ATHENA.MIT.EDU'" <reagle at MIT.EDU> >To: "Jack M. Spiegel" <mobius at llv.com>" >Subject: Stop unwanted email >Date: Sat, 20 Apr 1996 20:47:45 -0700 >Encoding: 43 TEXT > >4-20-96 9321 > >Hi reagle at ATHENA.MIT.EDU: > >Your name was on a list that I bought. It was advertised as a "clean list" >of people who do not object to getting junk email. After sending a few >hundred, I realized the list was not "clean" and decided to create a place >on the net where people can register not to get junk email. In the future, >I will offer to clean other lists that other commercial mailers are >compiling. Huh, can I ask who you purchased this list from and how much was my privacy bought/sold for? (I might have sold it cheaper! <grin>) >You can log onto my web site http://www.directnet.com/~spiegel, and >register not to be on the list. There are no graphics on the web page, its >just a form, so it won't take long to load. All you need to leave is your >email address (the rest, even your name is optional) and press submit. > >Before you get upset, think about it, you are already on some kind of list, >because I have your address. Registering at my web site will only take you >off the list. There is no advertising on the page, there is no money being >made by this. > >I will take your name off of this list and off any other list that other >mailers submit. I will not give your name or address out to anyone else. > >I know that some people don't have browsers and only have mail access. If >you are among that group, please send email to me at mobius at llv.com and be >sure to put your email address in the subject field and nothing in the body >of the letter. >****************************************************************** > DO NOT REPLY AND SEND BACK THIS LETTER, IT WILL BE IGNORED BY MY SYSTEM ! >****************************************************************** >By the way, if you get junk mail, refer them to my web site as well and by >all means, tell your friends to register. > >Maybe this will help. > >Oh, and if you don't care about junk mail, you don't have to do a thing! > >Thank you > >Jack Spiegel > > > > > _______________________ Regards, I am a creationist; I refuse to believe that I could have evolved from humans. Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From frantz at netcom.com Sun Apr 21 15:03:01 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 22 Apr 1996 06:03:01 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604211814.LAA07390@netcom9.netcom.com> I beleive the distilled wisdom on entropy availability is summed up by Wei Dai's post. On Sat, 20 Apr 1996 17:21 -0700 Wei Dai <weidai at eskimo.com> said: >It appears that a consensus has been established on cypherpunks regarding he meant coderpunks [bf] >entropy estimation. Hal summarized it nicely: > >> The first is whether this mysterious black box, the entropy estimator, >> is really possible. In practice the only way to know how much entropy >> you've gotten is to have a model for how the data is being generated, >> and to deduce from that an estimate of the entropy rate. So the entropy >> estimator can't be a general-purpose calcluation, but it must be one >> which is specifically chosen, developed and tuned for the specific source >> of entropy you are dealing with. > >I believe this whole thread about randomness and entropy started with the >search for a portable software RNG and the discussion of how to estimate >the entropy of spinners. If we accept the above paragraph, then we have >to reject spinners as a candidate for such a RNG, for two reasons. First, >we have no model of how spinners generate randomness, so we can't estimate >their entropy. Second, even if we developed such a model for a particular >spinner on a particular OS, the model itself would not be portable because >it would likely rely on nonportable assumptions about the OS. > >Do we have other candidates for portable software RNGs? At 11:38 AM 4/21/96 -0500, Alex Strasheim wrote: >Bill Frantz said: >> I have thought about the sources of entropy available to a Java applet, and >> there aren't many. You should design your protocol so entropy is not >> needed on the applet side. Entropy is normally used to pick symmetric >> encryption keys, and Initialization vectors ... >Is it feasible to make an input package that stores up entropy from >keyboard and mouse events as an applet is used? Then when entropy is >needed, whatever's available is used. If there's not enough a scribble >window or text field could pop up and the user could generate the rest. >(This isn't my idea, I'm inferring it from something Hal wrote.) I don't think there is a way to get "normal" keyboard/mouse data. A "scribble" window is certainly a possibility. However, see my comments below. >And over the long run, what, if anything, could Sun do to let applets have >access to more entropy in Java? Would it be practical to have an entropy >source in the api, that could be combined with other sources in the >applet? Bill Sommerfeld <sommerfeld at apollo.hp.com> posted to coderpunks: >Subject: Entropy overestimation in Ted Ts'o's /dev/random driver >Date: Thu, 18 Apr 1996 17:24:39 -0400 > >I just played around a bit with Ted's /dev/random driver a bit more.. > >It appears that the add_timer_randomness() function may overestimate >the amount of entropy in a sequence of timestamps by a factor of five >or more. It attempts to keep track of first- and second-order deltas >in order to avoid overestimating the amount of entropy added; however, >it seems like this may not be enough. > >Adding a third-order delta, and doing the 2nd and 3rd-order deltas on >the absolute value of the lower deltas seems to make things better.. Note that what Ted is using and Bill Sommerfeld is commenting on is basically a spinner. In looking over the detailed data (which I have not copied), it appears to me that even adding the 3rd order deltas may leave the actual entropy overestimated. The source of entropy is basically the system scheduler. It is a deterministic process, which depends slightly on the somewhat less deterministic processes of I/O interrupts etc. I feel uncomfortable estimating 1 bit/second from it, and prefer to accept Wai Dai's zero bits/second. One severe problem we seem to have is that all automatic entropy estimation techniques tend to over-estimate the amount of entropy present. Perhaps when the millennium comes, we will have hardware generation and be able to sleep at night. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From bdolan at use.usit.net Sun Apr 21 16:33:59 1996 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 22 Apr 1996 07:33:59 +0800 Subject: Smartcards are coming to the US In-Reply-To: <v02120d05ad9f2fef5d94@[192.0.2.1]> Message-ID: <Pine.SOL.3.91.960421151036.4476E-100000@use.usit.net> Saw a CNN story Friday about an interesting special debit card application in Mexico. They're being issued to poor Mexicans, who can use them to buy tortillas and a few other foodstuffs. The cards are tied to a behavior-control database and failure to send kids to school, get mandatory medical exams/treatments/vaccinations, etc. results in card deactivation. bd On Sat, 20 Apr 1996, Lucky Green wrote: > Years after smartcards have become ubiquitous in such countries as Pakistan > and Nepal, not to mention Europe, I just saw my first smartcard commercial > ever on US television. > > Way to go :-) > > > > Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. > > -- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. > > > From frogfarm at yakko.cs.wmich.edu Sun Apr 21 17:22:51 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Mon, 22 Apr 1996 08:22:51 +0800 Subject: (fwd) Important new web site discusses risks of loss of domain names Message-ID: <199604212005.QAA06633@yakko.cs.wmich.edu> [Original article has been snipped to save space. The report will probably be of particular interest to anarcho-capitalists, extropians, and other followers of polylegal systems.] >From: oppedahl at patents.com (Carl Oppedahl) Newsgroups: misc.news.internet.announce Subject: Important new web site discusses risks of loss of domain names Date: 21 Apr 1996 11:41:05 GMT Three graduate students at the George Washington University Law School (David Pauker, Stacey Halpern, and Jonathan Agmon) have prepared what is surely the definitive and comprehensive resource covering Internet domain name disputes provided, appropriately enough, in the form of a topic-specific web site. The site, called "What's in a Name?", is located at <http://www.law.georgetown.edu/lc/internic/domain1.html>. *Who should visit this site* For anybody who has a domain name ending in COM, ORG, GOV, EDU, or NET, this site is a must-read. It illustrates vividly how vulnerable any domain name owner is to loss of a domain name on just 30 days' notice, without any of the usual legal safeguards against loss of a valuable property right. *What's there* It will be apparent to any visitor that the "What's in a Name?" web site is the result of a prodigious amount of effort. The authors have drawn together nearly everything about the twenty-five publicly known domain name disputes, and provide a synopsis of each dispute as well as links to further information about them. (Because Network Solutions Inc. (NSI) conducts its decisionmaking process regarding domain name disputes in secret, one can only speculate how many other domain name disputes have arisen and how NSI decided the disputes. The authors can't be blamed for not knowing about all of the dispute decisions that NSI has made.) The authors go on to provide helpful background to trademarks and domain names, they discuss in detail the present NSI domain name policy, and they review a number of proposed replacements for the present flawed NSI policy. As counsel for Roadrunner Computer Systems Inc. in its lawsuit against NSI, I was particularly interested in the authors' comments on the present NSI policy, for example: "In the United States, NSI's Dispute Resolution Policy does not take account of common law or state registered trademarks, unfair business practices, dilution, or conflicts with even well known marks. "NSI's Dispute Resolution Policy is an imposed contract predicated on unequal bargaining power, failing to provide a proper mechanism for adjudicating disputes. "NSI, a private company, is acting in a quasi-judicial manner with limited mechanisms for judicial review." [snippage] -- frogfarm at yakko.cs.wmich.edu free market anarchist, natural law advocate, s..O).... You hit the smurf! --More-- male, lesbian, polyamorous, @.../.".. You destroy the smurf! --More-- reader, atheist, chaotic, $$*...].. You feel cynical! free and natural sovereign individual From fletch at ain.bls.com Sun Apr 21 18:01:38 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Mon, 22 Apr 1996 09:01:38 +0800 Subject: Georgia Legislation - Remailer Effect??? In-Reply-To: <199604202128.QAA09545@rex.isdn.net> Message-ID: <9604212054.AA03211@outland.ain_dev> [NOTE: These are my opinions, not those of my employer (Who is mentioned below :).] > Georgia OKs "Net Police" law > > By Rose Aguilar > April 19, 1996, 5 p.m. PST > > A bill signed into law this week by Georgia Governor > Zell Miller has sparked yet another firestorm *Sigh*. Well, now I know voting for Bill The Cat wasn't a mistake. :) > House Bill 1630 was introduced on February 8 by > Georgia House of Representatives member Don Parsons > (R-Marietta). The bill makes it illegal to Ah, Cobb County. That would explain it. That's Mr. Newt's stomping grounds, for y'all unfamiliar with Georgia. > Parsons says he drafted the bill to solve the > problem of online impersonation. "Back in the winter I started > hearing about home pages through the news that offer remedies and > health related services. To the untrained eye the pages make it > appear that the information provided is valid and could be some kind > of remedy," Parsons said. "After some thought and research I decided > to present the bill." Can't prosecute those under existing fraud statutes if they're using one of them newfangled com-pootrs now can we. > The problem is that the wording of the law leaves it > open to multiple interpretations, according to the EFF. "He created > a very vague law that could very well make everyone on the Internet > a criminal," said Steel. Furthermore, the EFF is accusing Parsons of > introducing the bill to help his employer, Bell South, win a > lawsuit. Didn't this get cleared up with whomever it was that got the "mcdonalds.com" domain (some Wired reporter?)? > Kaye is the Web master of a site called the > Conservative Policy Caucus (CPC), which posts information about > House activities from the viewpoint of the conservative legislative > caucus. During debate over his bill, Parsons referred to the CPC > site as an example of one that passes itself off as an official > government site. There was something about this on the local news. The big brouhaha was that the CPC page used the state seal "improperly". Again, doesn't existing trademark law cover this? Gee, I wonder if my email address is sufficently vague that I'm now a criminal . . . . --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From steve at edmweb.com Sun Apr 21 18:17:36 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 22 Apr 1996 09:17:36 +0800 Subject: [getting noisy] Re: 5th protect password? In-Reply-To: <m0uB2v1-00090gC@pacifier.com> Message-ID: <Pine.BSF.3.91.960421134036.8631B@kirk.edmweb.com> > >I think you missed the main pattern... When a suspect is required to > >provide fingerprints, voice, blood and/or handwriting samples, those > >things are used exclusively for _identification_. > >The only exceptions I can think of are when blood, breath and urine > >samples are taken from a suspect to detect certain chemicials in the body. > >But, AFAIK, those exceptions are entirely the product of the recent war on > >drugs. > This is odd. By mentioning those exceptions you just destroyed your > argument. If you were trying to claim that "identification"-intended > evidence was not protected by the 5th amendment, mentioning samples taken to > detect drugs are obviously not of this type. The implication is that they [SNIP] > This, as you might expect, is getting hilarious. Somehow, I think > everything that might be construed as a violation of the 5th is going to be > called "a special case" or "an exception" by those who see no problem, or at > least those who are not willing to admit to a problem. No need to be so defensive, Mr. Bell... I didn't say that samples used to detect drugs are OK under the constitution. I just said that, IMNALO, samples taken for identification have always been okay. The samples taken to detect unauthorized molecules are the exception to the identification rule I noted. I do agree that requiring people to provide such samples to detect illegal substances (as I said, a recent development) is wrong. I wasn't trying to score points for either side of the debate, I was just pointing out that _before_the_war_on_drugs_, the samples listed in the previous post were used exclusively for identification. Handwriting, fingerprints, and voice (not to mention name and appearance) are still used exclusively for idenitification. Breath and urine (items that I added when I mentioned the war on drugs) are used exclusively for detecting chemicals (although I think DNA can be found in urine). Just my two bits. That's all I'm willing to spend on this discussion. Only time will tell whether or not the courts will force people to provide encryption keys. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 18:24:38 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 09:24:38 +0800 Subject: Was the clause for Biometric ID Cards dropped? Message-ID: <01I3T7J6YK8W8Y4Y84@mbcl.rutgers.edu> As the subject line says, was the proposal for Biometric ID Cards dropped? I saw something about it on here and forwarded it; my respondent (Phil Agre of the RRE news service) says he thought that clause had been dropped. -Allen From jsw at netscape.com Sun Apr 21 18:46:27 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Mon, 22 Apr 1996 09:46:27 +0800 Subject: ApacheSSL In-Reply-To: <199604201850.NAA09592@electra.cc.umanitoba.ca> Message-ID: <317AAC9A.3DB4@netscape.com> Sean A. Walberg wrote: > > An ISP that I have ties with is looking to set up a secure server. > Currently, they are running Apache. I told them that for ~$500 they > can put on Apache SSL and be all ready. However, they want to buy > Netscape (for the name, I've already given them the 40bit gospel), > put it on a separate, firewalled machine, allow no access to it, etc, > etc. Is all this paranoia necessary? I won't argue about the merits of Apache vs. Netscape servers. However I will point out that if your ISP friend is in Canada, they can get the 128-bit version of the Netscape server. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From shamrock at netcom.com Sun Apr 21 18:50:51 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 22 Apr 1996 09:50:51 +0800 Subject: OS/2 encryption Message-ID: <v02120d15ada05def3c52@[192.0.2.1]> At 6:53 4/21/96, mirele at xmission.com wrote: >And then the humourless gits of the Church <spit> went to the trouble to >get an attorney in New York City to threaten me. I'm taking the threat >very seriously. This (looking for more secure ways to keep my computer >from being trashed) is part of it. Back up the HD to tape (encrypt the data on the tape). Move the tape out of reach. And don't tell anyone, especially not this list, that you did that. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 18:55:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 09:55:15 +0800 Subject: Scientology harassing anon.penet.fi again! Message-ID: <01I3T9KG3X588Y4Y84@mbcl.rutgers.edu> I've got someone (Phil Agre) who wants to forward the scientology stuff (i.e., on their potential troubling of anonymous remailers et al)... _if_ he can avoid any legal problems by doing so. Any legal opinions on what that's been posted on cypherpunks he _can_ forward without the likelihood of legal hassles? Thanks, -Allen From shamrock at netcom.com Sun Apr 21 18:58:52 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 22 Apr 1996 09:58:52 +0800 Subject: Smartcards are coming to the US Message-ID: <v02120d12ada05b56a034@[192.0.2.1]> At 15:15 4/21/96, Brad Dolan wrote: >Saw a CNN story Friday about an interesting special debit card >application in Mexico. They're being issued to poor Mexicans, who can >use them to buy tortillas and a few other foodstuffs. The cards are tied to >a behavior-control database and failure to send kids to school, get >mandatory medical exams/treatments/vaccinations, etc. results in card >deactivation. My first response was: he is making this up. But it shoudn't come as a surprise to any reader of this list. Expect to see more of it. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From jya at pipeline.com Sun Apr 21 19:01:39 1996 From: jya at pipeline.com (John Young) Date: Mon, 22 Apr 1996 10:01:39 +0800 Subject: GAW_ker Message-ID: <199604212212.SAA11991@pipe2.nyc.pipeline.com> Security Management, published by the American Society for Industrial Security, has two articles on computer security in its April, 1996, issue: "Legal Lessons in the Computer Age," by Mark D. Rasch, J.D., director of information security law and policy with SAIC, and former DoJ prosecutor of Robert Tappan Morris. A tabloid on tabloiding computer crime to hacker-phobics. This snapshot of current law and court rulings gives security professionals a glimpse into the evolving legal landscape that companies must be prepared to negotiate when pursuing those who might attempt to steal or damage computerized systems or information. (30kb) "E-Mail Policy By the Letter," by Fred L. Trickey, an information security officer at Columbia University. An account of good e-mail policies and procedures, with salient references, and a sidebar on E-mail gawking. (24kb) GAW_ker (for both) ----- For info on security management see: http://www.securitymanagement.com From stewarts at ix.netcom.com Sun Apr 21 19:49:28 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 22 Apr 1996 10:49:28 +0800 Subject: rng hardware running ... Message-ID: <199604212245.PAA20254@dfw-ix6.ix.netcom.com> >>The dist of 0 vs 1 is documented as being slightly skewed (.05%) toward >>1s. >If the RNG chips aren't too expensive, you could take the output from 2 (or >more) of them and XOR the outputs together to reduce skew. There are all sorts of statistics you can look at that may help you understand the quality of the randomness you're getting. One of the central concerns is finding the underlying patterns and the random noise driving them, though in this case we're looking for the noise and dumping the patterns rather than the opposite. Some things that are good to look at are first and second differences of the series (e.g. take Y1=X2-X1, Y2=X3-X2, ... and Z1=Y2-Y1, Z2=Y3-Y2... and on up for higher differences) and look for distributions and patterns there. You may also want to look at moving averages (take a window of K samples and slide that through the sample space, for several values of K.) This stuff is similar to Fourier-series analysis for discrete-valued data. If you want to read lots of gory details on the math, the book by Box and Jenkins on Time Series Analysis was one of the best textbooks ~20 years ago. As my professor put it, if you stare at the numbers long enough, you can find all sorts of things in them, which may or may not really be there :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From jimbell at pacifier.com Sun Apr 21 20:23:54 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 22 Apr 1996 11:23:54 +0800 Subject: 5th protect password? Message-ID: <m0uB87E-00092FC@pacifier.com> At 02:13 PM 4/21/96 -0700, Steve Reid wrote: >No need to be so defensive, Mr. Bell... I didn't say that samples used to >detect drugs are OK under the constitution. I just said that, IMNALO, >samples taken for identification have always been okay. The samples taken >to detect unauthorized molecules are the exception to the identification >rule I noted. I do agree that requiring people to provide such samples to >detect illegal substances (as I said, a recent development) is wrong. > >I wasn't trying to score points for either side of the debate, I was just >pointing out that _before_the_war_on_drugs_, the samples listed in the >previous post were used exclusively for identification. And _my_ point was that before about 1900 or so, the various "identification" (your distinction, not mine) examples that were listed by the SC were not demanded, and not regularly demanded. I came to what I considered (and still consider) a reasonable conclusion: The Constitution does not support (and certainly does not OBVIOUSLY support) exceptions based on identification principles. I don't doubt that somebody could have presented this (the "identification" aspect) as intended to sound like a reasonable exception; the issue is whether this is just an opportunistic justification or whether there is some logical basis for this position. That latter conclusion would have been stronger if there had been no exceptions to the 5th amendment other than identification techniques. But the "straw that broke the camel's back" principle is at work here: Having added the drug-testing issues to the mix, the fig leaf has dimished in size, and it becomes harder (and, in fact, impossible) to explain why the natural interpretation of a document written in 1783 could be so CONVEEEEENIENTLY re-interpreted so as to allow exceptions which were did not become technologically "interesting" for 150-200 more years. The most obvious interpretation is that whenever an investigative technology that the cops would like to use appears, and if that technology appears to be proscribed by some Constitutional protection, the Constitution is automatically re-interpreted to allow it anyway. The exceptions occur only when the new technique is so unreliable (polygraph, for instance) that certainty of test results can't be guaranteed. This is particularly true when the technique has just as much, if not more, ability to cause an acquittal as a conviction. The reason this subject is NOT noise is that the issue of providing decrypt keys is going to be a more and more important issue, and it is vital that faulty precedents be replaced by good ones. It would be very useful to be able to prove that the only reason these "exceptions" are considered exceptions is that somebody thought they'd be a useful investigative technique, and was pissed when it was denied to him. Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 20:28:25 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 11:28:25 +0800 Subject: Nazis on the Net Message-ID: <01I3T7WPGNL48Y4Y84@mbcl.rutgers.edu> In view of the Zundelsite business, I thought people might find the following of interest. Unfortunately, the author is either leaving some critical information out or is misinformed. Specifically, the actual history on the Zundelsite business, and the actual circumstances at Ruby Ridge; on the latter, Randy Weaver was neither a neo-Nazi nor a racist. He was (and, so far as I know, still is) a white separatist. (One would think liberals would tolerate this - they tolerate the equally offensive black separatists, after all...). The Zundelsite reference is incomplete in that it fails to describe the motivations of the mirrorsites. -Allen From: IN%"rre at weber.ucsd.edu" 20-APR-1996 22:29:19.43 From: Phil Agre <pagre at weber.ucsd.edu> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 17 Apr 1996 08:27:22 GMT From: Crawford Kilian <ckilian at hubcap.mlnet.com> Subject: Nazis on the Net I published the following rather long article in the Georgia Straight, a Vancouver weekly paper, on April 11. It may be of interest for the issues of free speech and Internet access that it deals with. You may, however, find some passages disturbing or offensive; I certainly do. Nazis on the Net by Crawford Kilian The far right has become very visible lately. New groups and movements have sprung up here, in the US, and in Europe; old groups have revived. They go under many names: neo-Nazis, Holocaust deniers, racist skinheads, militias, white nationalists. They often seem to disagree with one another as intensely as they disagree with the status quo, and their ideology ranges from the sophisticated to the incoherent. Psychologically they seem to bear a striking resemblance to many of the North American communists of the 1930s and 40s. Like the Reds, they see themselves as the persecuted vanguard of a morally superior group (whites instead of workers) which unaccountably fails to recognize its own interests. Politically, though, they are very far indeed from the Reds--all the way over on the far end of the spectrum. So let's call these groups the "Ultra-violets," or Ultras for short. Whatever we may think of their views, they deserve attention as a phenomenon--especially as a phenomenon that tests other people's genuine commitment to democratic values like freedom of speech, freedom of the press, and open debate. But the Ultras would be far less significant if they were not exploiting a technology designed to defend just those democratic values: the Internet. The creators of the original Internet --back in the '60s, during the Cold War--built it to survive multiple nuclear strikes. Even if Soviet H-bombs vaporized scores of cities and military bases, information would still flow between surviving computers to sustain a defence and counterattack. Democracy would withstand nuclear war, even if most of its supporters would not. Whether democracy can withstand the rigorous application of its own values is now in question. Designed to be unkillable, today's Internet looks uncontrollable. We now possess a communications system in which anyone can say anything to anyone else. People can be obscene, scurrilous, malevolent--and no one can silence them. Other nations, democratic and otherwise, are alarmed about the political and cultural consequences of free Internet discourse. Singapore wants its three million citizens to live on an "intelligent island" wired into the Net--but it doesn't want pornography or political dissidence leaking in. China is equally cool to the idea, given its memories of the fax invasion it suffered in 1989, when overseas Chinese students bombarded campuses at home with news and pictures of the Tiananmen Square massacre. The Ultras pose a complex challenge. They've taken to the Internet eagerly and effectively. They have their own newsgroups, discussion areas available to almost anyone with access to the Internet. They also run listservs, discussions open only to subscribers (and subscribing is usually quite easy). The Ultras have their own websites, locations holding extensive texts and graphics which computer users can view and copy onto their own machines. Along with the pornographers, the Ultras provoke repeated calls for limits on Net freedom of speech, calls that are sometimes answered: those who supply the Ultras with Net access often cancel their accounts. Because their views are so unpopular, the Ultras make themselves a litmus test for the rest of us: Does freedom of speech mean tolerating racism and anti-Semitism? And if it does, should we respond with contemptuous silence? Or should we devote time and energy to detailed rebuttal of Ultra views? To answer those questions, it helps to know what--and whom--we're talking about. Look at the live Ultras on the Net and you find few who match the stereotype of the halfwitted skinhead or the paranoid pretend-soldier of the militia. For one thing, most are far from illiterate. The texts on Don Black's Stormfront website, for example, are generally clear and articulate. While I can't judge his German-language materials, his texts in Spanish are also well-written. Running a trilingual website reflects a cosmopolitan outlook--another challenge to stereotype. Many Ultras try to make an academically documented case for their views. Marc Lemire of the Digital Freedom BBS in Toronto posts long reviews of books questioning the Holocaust or documenting the firestorm that destroyed Dresden. Greg Raven of the Institute for Historical Review (a Holocaust-denying group in California) says revisionism has no connection with neo-Nazism, white nationalism, or other Ultra positions: "Historical revisionism is supposed to be a part of writing history (historiography). As time passes, we gain new information and new insights, which allow us to better perceive not only the facts of events but also their context. Furthermore, the IHR is neither ideological nor political." For a time last year, Raven offered a link to the home page of the North Shore News, which carries Doug Collins's columns supporting Holocaust revisionism and other Ultra positions. When the News discovered the link, it asked Raven to close it; he promptly did so. Raven's home page explicitly denies carrying anything racist or hateful and promises to withdraw anything criticized as such. Nevertheless, Raven doesn't ask Stormfront to close its links to his own home page. And Stormfront is avowedly White Nationalist. Based in West Palm Beach, Florida, Stormfront features Nazi-style Gothic lettering, numerous links to sympathetic groups elsewhere in the US and Canada, and extensive texts and graphics. According to Milton John Kleim, Jr., who calls himself "Net Nazi Number One," Stormfront "lists just about every important individual and group that should be noted." Indeed, the Net itself is the common denominator of the Ultras. They may disagree with one another, even quarrel bitterly, but they keep the lines of communication open to one another. That's because without the Net, the Ultras are scattered and isolated. Marc Lemire describes his own progress in Ontario (via e-mail, as is the case with most quoted material here): "On April 1, 1995 I started up Digital Freedom BBS (416) 462-3327. I also got two Internet sites and began forging a lot of contacts with likeminded people on the Internet. Within four months I had an E-mailing list of around 400+ and contacts with all the Sysops and leaders throughout the United States and Canada. We are also working quite closely with European leaders. We have our address on two Web sites and I post to Usenet almost every day." Milton Kleim, in Minnesota, has found a similar community forming through the Net: "All of my comrades and I, none of whom I have ever met face-to-face, share a unique camaraderie, feeling as though we have been friends for a long time. Selfless cooperation occurs regularly amongst my comrades for a variety of endeavors. This feeling of comradeship is irrespective of national identity or State borders." Is the Net a useful means of recruiting sympathizers? "Absolutely," says Kleim. "There are millions of people who agree with us, but feel isolated and helpless because they don't know who to contact to network with others who feel similarly... Usenet, in combination with the Web, offers unparalleled opportunity for our Movement to get our views and more importantly our facts across to the general public." He's even created a manual, "Tactics and Strategy for Usenet," advising Ultras on how to use the medium to attract and hold sympathetic "newbies." And Lemire says a little publicity goes a long way: "Digital Freedom has been listed in over 5 different publications in the Toronto area, which has brought us over 1800 users." What else do Ultras share besides a sense of camaraderie? Stormfront currently offers several major documents: three long articles about the US government's attacks on the Branch Davidians in Waco and on an Ultra family in Ruby Ridge, Idaho; an article about a Canadian rabbi who wants Net censorship and another about the Chretien government's "gun grab" legislation. Other articles deal with racial issues. In one, ex-Klansman David Duke finds much to admire in the Indian caste system. Stormfront also offers links to like-minded pages. The Aryan Nations page, for example, after describing Jews as a "virus," rejects the label of "hate group": "It is not hate that makes the average White man look upon a mixed racial couple with a scowl on his face and loathing in his heart. It is not hate that makes the White housewife throw down the daily jewspaper [sic] in repulsion and anger after reading of yet another child-molester or rapist sentenced by corrupt courts to a couple short years in prison or on parole. It is not hate that makes the White workingman curse over his beer about the latest boatload of mud-creatures dumped upon our shores to be given job preference over the White citizens who build this land.* No, it is not hate, IT'S LOVE." Other links offer Net surfers access to Resistance Records, producers of skinhead music; the British National Party; the Independent White Racialists ("Your skin is your uniform."); and a collection of Canadian groups known as Freedom Site: the Heritage Front, the Canadian Patriots Network, Citizens for Foreign Aid Reform, and others. Another recent link is the Pat Buchanan for President home page. Although Stormfront's Black doesn't consider Buchanan adequately "racialist," he feels the candidate is worth supporting. Fellow-Ultras like Milton Kleim strongly disagree, and advocate voting for the "Bolshevik" Bill Clinton instead. This, they say, will ensure that life will become more rapidly intolerable for exploited whites, rousing them from their apathy to join the Ultra cause. Kleim argues: "Boobus Americanus does NOT operate rationally; he has no opinion, and cannot form an opinion independent of the Jewsmedia. The ONLY thing that can 'convert' Boobus Americanus is more and more Negro crime, less and less jobs, greater and greater hardships of all kinds. Joe Sixpack will do absolutely nothing until the flow of his beer ends. The average American moron must be FORCED to think, and no amount of racist propaganda concealed Buchanan-style in patriotic wrappers will make the masses consider 'the Truth.'" A "White Nationalism FAQ" (frequently asked questions) on Stormfront proposes creating separate nations for whites and non-whites, to spare whites from continuing exploitation through racial-preference schemes in hiring, university admissions, and government contracting. The FAQ's author, using the Norse-mythology pen name Yggdrasil, suggests ceding land already occupied by non-whites. Whites-only areas, however, would still welcome Asians. (The only ones with much to fear, evidently, would be white liberals: "Those who are guilty of 'integrationism' should do the sensible thing and flee. It will spare us all a lot of pain.") Milton Kleim, by contrast, sees a different future: "The United States of America, the Confederate States of America, Canada, and Quebec would be unified into one Nation-State, perhaps known as the Aryan Confederation." Local government would operate with elected officials, "but the present ridiculous parliamentary game in national politics would be replaced with frequent referenda for important issues." Kleim would follow a "live and let live" policy with nations like Japan and Iraq. "Belligerent actions of those governments violently opposed to us, such as the criminal State of Israel, or the menace to the world called China, would be countered with equal force, up to and including total utilization of America's strategic forces." The Ultras have suffered everything from jail sentences to e-mailed death threats, but appear determined to carry on. Critics may damn their anti-Semitism, mock their paranoia (one Ultra wondered whether Stormfront were a government-run trap), and dismiss their "facts" as exploded fantasies. Outsiders may wonder why Ultras are going to so much trouble for "Boobus Americanus" whites who are mere "sheeple" even if they are, technically, Aryans. Nevertheless, half a century after the defeat of Nazism, something in its worldview appeals to them. And just as the Nazis used the new media of radio and film, their spiritual descendants are using the Net to spread their message. The case of Toronto's Ernst Zundel shows how technically hard it is to suppress that message. Spreading neo-Nazi views is illegal in Germany, so when Zundel set up his own website recently, the German government tried to close German Netters off from access to it. Several other Net servers (computers directly linked to the Internet) promptly established "mirror" sites that Berlin would find it much more awkward to close off--such as university campuses. Like the hydra, unpopular propaganda can grow more heads each time one is cut off. This is not to say that mirror sites at American and Canadian universities portend a neo-Nazi trend on campus--only that the logic of free speech means supporting it especially in the cases of those we may not only oppose but detest. It also means considering whether Canadian laws against "hate speech" and "false news" may be intrinsically oppressive, however well-intended. (Even when such cases fail, the prospect of court action, like "libel chill," may keep some people from expressing unpopular views.) One response strategy, adopted by the Simon Wiesenthal Center, is to promote an "acceptable use" code for persons and organizations providing Net access. This amounts to a refusal to take the money of Ultras wanting to purchase such access. It could also include refusing to provide access to Ultra-oriented newsgroups like alt-skinheads and alt.revisionism. Such boycotts may make it harder for Ultras, but only until they set up their own servers--as they have already done in several cases. Others echo the German government's desire simply to ban Ultras from the Net altogether. Twenty years ago, Graham Forst founded the Vancouver Standing Committee on the Holocaust. Since then the Committee has brought together survivors of the Holocaust with 40,000 high school students from B.C., Washington state, and Alberta--including some of Jim Keegstra's students.[Until he was fired in the 1980s from his job as a high-school teacher in Eckville, Alberta, Keegstra had taught anti-Semitism to his students.] Forst rejects the idea that Holocaust denial deserves the same right to expression enjoyed by those who debate details of the Holocaust. "Holocaust denial is not a 'position' of any kind," he says, "but is simply and unequivocally an expression of anti-Semitism." Forst argues that deniers are no more exercising "freedom of speech" than they would be if they disrupted a meeting by speaking in imaginary tongues, or by screaming. "Why," he asks, "should such a person be allowed a place at the table?" In Forst's view, "The Holocaust is denied for one reason only: to cause pain to those vicitmized by the worst eruption of racial hatred in history, not to contribute to any free exchange of ideas. Deniers are anti-Semites hiding behind high principles to sanitize Nazism and prepare for its return; in my opinion, such a nefarious intention requires the 'discussant' to be quickly and unceremoniously thrown out of the room." But as experience has shown, it's impossible to throw anyone permanently off the Internet. The Ultras, of course, consider all the attacks as just a cost of doing business--and their business is recruiting. They know their potential supporters are few and scattered. The Net brings them together, encourages them, and provides them with a community. Yet they seem to have no program for acquiring power. Milton Kleim says: "Since we have no idea what the future holds, there has been little speculation about what will transpire to bring about an 'Aryan Confederation.' It will certainly be via 'unconventional' means, but it is impossible to assume a certain course of action will be followed when inevitable chaos ensues." Kleim's strategy for recruitment through Usenet newsgroups is clear and frank: "Except on 'our' groups, avoid the Race Issue. Side-step it as much as possible. We don't have the time to defend our stance on this issue against the comments of hundreds of fools, liars, and degenerates who, spouting the Jewish line, will slaughter our message with half-truths, slander, and the ever-used sophistry. Avoid engaging in non-productive debates with enemy activists. It is often difficult to distinguish between the Enemy's dedicated lackeys, and the misguided who are merely parroting what the Jewsmedia has taught them." Kleim is keenly aware of being monitored: "WARNING: Be aware that EVERYTHING you post will be seen by the Enemy. All of your posts may be catalogued and archived for future use by the Enemy, either by self-appointed 'Net police' like the notorious Ken McVay, or by lurkers from the so-called 'Anti-Defamation League' and the 'Simon Wisenthal Center.' The above-mentioned McVay is doing a great deal to earn his notoriety among the Ultras and to keep their community from growing. McVay, a 55-year-old transplanted American (now holding dual US-Canadian citizenship)lives on Vancouver Island. He'd been a World War II buff when he was younger, and when he began to run across Ultra propaganda on the Internet--especially Holocaust denial--he went back to his books to try to refute the Ultras' version of history. Out of the "flame wars" he fought online during the early 1990s emerged the information equivalent of a gigantic weapons dump: The Nizkor Project. Created by McVay and his supporters, Nizkor is a Web site that is also an immense archive. It includes detailed refutations of common Ultra assertions (for example, that the concentration-camp gas chambers were nothing of the sort), and much more. McVay has included detailed dossiers on many Ultras, storing the messages they have sent to various newsgroups over a period of years. Also included are such documents as the complete judgement in Jim Keegstra's original hate-crime trial. The first of Nizkor's goals is to forestall the Ultras' efforts to discredit democratic government--as they do, for example, in speculating that the Oklahoma City bombing was actually a US government plot. Second, by tracking and responding to Ultra posts, Nizkor sustains a documented debate rather than allowing Ultra assertions to go unchallenged. The third goal is probably the most important: "To foster a critical frame of mind which will help to protect the unwary from the deceit of hate propaganda." Although he once supported the idea of suppressing Ultra propaganda on the Net, McVay now sees documented argument as the best response to it. "It was a gradual change," he says, "over perhaps a year... and it was UseNet, and the Internet, that changed my mind. I came to understand that the key to dealing with insidious racism is through education. Suppression does not provide a cure,although it may be satisfying for a short time -- all it serves to do is drive the problem underground." Graham Forst doesn't agree with McVay's new attitude, but feels Nizkor is the only practicable way to counter Ultra propaganda. And while McVay is on the Ultras' side of the free-speech issue, they don't seem especially grateful. Don Black says he feels "amused and flattered" by the attention he gets from Nizkor, and Digital Freedom's Marc Lemire says the project helps propagate his viewpoint. "McVay does, to a certain degree, advance our cause," Lemire says. "He offers all our messages on one site. An inquisitive person can log in and read what we have said over the past years. Which, of course, helps us. I personally consider McVay as a childish reactionary. In one of the first messages I ever received from him, he claimed I wear diapers and was an idiot. His information is generally inaccurate and outdated." Kleim echoes Lemire's claims and also soft-pedals Nizkor's effect: "Actually, we consider McVay a nuisance, like the common house fly, rather than a real problem. He has done us more good than harm. Many sympathetic people have 'discovered' us by perusing his archives. * Most people don't care about what McVay is peddling. Only certain segments of society, Jews, political agitators of the ultra-left like 'Anti-Racist Action,' and allied groups, give a hoot about what McVay and his friends are doing." McVay, in turn, doesn't care what Lemire and Kleim say: "I am not doing this to change Milton Kleim's mind. I am doing this because millions of people know next to nothing about the Holocaust, and the ugly racism which denies it. It is all, sadly, ancient history to most of the population. They are not, however, indifferent - - they read, they query, and they learn to determine the truth for themselves." On the evidence of some posts, not all Ultras are as dedicated to free speech and legal action as they claim. In "Stormfront-L," a listserv run by Don Black, a Canadian sympathizer recently proposed a scenario "in which we assume power democratically, but then keep it. The only problem with this would be the necessity to combat opposing ideas to prevent an uprising. This would impinge on our right to 'Free Speech' that we hold so dear." Another Ultra responded: "Yes, I believe that certain 'rights' that are now available would probably not be so in a fascist state. However, I am not interested in preserving 'Free Speech' as it is defined today, I am interested in preserving the Aryan race." McVay recently reported an attempt by an Ultra supporter to "mail-bomb" his Internet server, swamping the computer with unwanted messages. (The mail-bombing failed and the Ultra lost his own computer account.) He also argues that Ultras like Ernst Zundel support free speech only when it suits them. McVay says he does not intend to abandon his efforts against the Ultras. "Me? I'm in this for life. These guys offend me deeply. The public needs to understand that the Internet is borderless and near-indestructible. It is the one place on earth where you can educate tens of millions --billions, in years to come -- it is a tool for the racists, yes, but I have seen ample evidence that it is a far more powerful tool for those dedicated to fighting racism." Journalists reporting on this issue face an ethical issue also. No doubt such articles would stir some interest in Ultra organizations and views, increasing the 200,000-plus Stormfront "hits" (log-ins to its web pages and files) already counted in the past year. Some may join Ultra groups as a result. But readers will also look in on Nizkor, which is not exactly neglected. Last June Nizkor was counting 33 visitors a day but this February it recorded 532 daily visitors--117,768 hits on its various files in that month alone. Neither side is going to go away, and many people are going to continue to push for the silencing of the Ultras. Some will argue that the best way to fight them would be to ignore them. They might invoke the German poet Friedrich von Schiller's famous line: "Mit der Dummheit kampfen Gotter selbst vergebens." ("Against stupidity, the gods themselves struggle in vain.") The most dangerous ideas, though, are those that go unchallenged. The Ultras do everyone a favour, however unwelcome and unasked-for, by questioning the very premises of democracy and equality. If nothing else, they should make us reconsider our dependence on hate laws which suppress debate rather than promote it--and which actually promote Ultra goals by publicizing people like Ernst Zundel and Jim Keegstra. John Dixon, a philosophy instructor at Capilano College and a member of the executive of the B.C. Civil Liberties Association, says all hate-propaganda laws should be repealed. "Immigration policies, race relations, the Holocaust -- these are all legitimate topics for discussion and debate by a democratic citizenry; that is, if you believe, as civil libertarians do, that a genuinely democratic citizenry must have the freedom to communicate with one another about any and all matters of political consequence." McVay and the Nizkor Project, in turn, challenge the Ultras to document their assertions or lose the debate; significantly, the Ultras prefer to make personal attacks on McVay as a hireling of the Jews who is in the anti-Ultra business only for money from sympathetic Jewish organizations. Some may wish Ken McVay would shut up and quit giving the Ultras the attention they desire. But "Nizkor" is Hebrew for "We will remember." Remembrance is brief if not shared. And as Santayana observed: "Those who cannot remember the past are condemned to repeat it." -30- Sidebar: Web Addresses Stormfront: http://stormfront.wat.com/stormfront/ This provides access to a great many other Ultra pages in the US, Canada and Britain. Nizkor Project: http://www.almanac.bc.ca Nizkor also provides links to some Ultra sites as well as anti-Ultra groups. Vancouver Progressive Home Page: http://www2.portal.ca/~comprev/ This site links with many anti-racist groups. From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 20:34:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 11:34:07 +0800 Subject: Anonymnity at teleport Message-ID: <01I3T84SPUOW8Y4Y84@mbcl.rutgers.edu> A bit of interesting information about teleport. Still not as good as c2 (as I stated), but it's still good to have multiple anonymous account providers around... whether or not they mean to be anonymous. This is from a sysadmin type there (why I deleted the name) who I'll ask about the Majordomo patch. -Allen >>Our users can have a P.O. Box as their address (or a false address), >>whatever they want as their 'real name', and can pay for their accounts by >>mailing in cash. All they need to do is be close to a phone that isn't >>theirs for an hour or so. > >>The can put in a phone# when they set up, then call in from that phone (even >>if it isn't their own) and have one of us call them back with a few >>minutes...all set. > >>Can't get any more anonymous than that. > >>Of course it *is* against the rules. > > The reason that I'd take your name off, yes. Also a reason not to be as >trusting... since it is against the rules at teleport, you're more likely to >cooperate than Sameer is if the feds or someone want to know who the anonymous >person is. Sameer makes quite sure he doesn't _have_ any information to give >such types.... including log files of telnet sessions. True, but a log file without a name, address, phone# or SS# to attach to it is worth *very* little.... :) From frogfarm at yakko.cs.wmich.edu Sun Apr 21 20:40:50 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Mon, 22 Apr 1996 11:40:50 +0800 Subject: Scientology harassing anon.penet.fi again! In-Reply-To: <01I3T9KG3X588Y4Y84@mbcl.rutgers.edu> Message-ID: <199604212340.TAA08738@yakko.cs.wmich.edu> I'm sure within hours of reading this message, you'll be inundated with requests to have Phil "send me the stuff and I'll post it". The net is full of people to whom a letter from Helena Kobrin [CoS attorney] is like a Medal of Honor, who would be happy to relieve Phil of liability by posting the material themselves. -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information Tell your friends 'n neighbors you read this on the evil pornographic Internet "Where one burns books, one will also burn people eventually." -Heinrich Heine People and books aren't for burning. No more Alexandrias, Auschwitzs or Wacos. From tedwards at Glue.umd.edu Sun Apr 21 21:20:40 1996 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Mon, 22 Apr 1996 12:20:40 +0800 Subject: Scientology's fishing expedition mentions remailers Message-ID: <Pine.SUN.3.91.960421195910.12109B-100000@kolo.isr.umd.edu> Biased Journalism [via fight-censroship list] is reporting that Keith Henson received a Demand For The Production Of Documents and Things from counsel for the Religious Technology Center [RTC], an arm of the church of scientology. Among the documents to be produced by Mr. Henson: Demand 14. Any and all documents relating to postings of Advanced Technology materials, including, but not limited to, actual postings or discussions of such postings, whether actual or planned, made through the following servers: a. freezone.remailer b. nately.ucsd.edu C. penet.fi d. replay.comm e. utopia.backtic.nl Demand 19. Any and all documents relating to communications with the following individuals relating to the Advanced Technology: a. Alex Dejoode b. Dennis Erlich c. Steven Fishman d. Mike Godwin e. Johan Helsingius f. Jeff Jacobsen g. Tom Klemesrud h. Arnaldo Lerma i. Dierdre Malloy j. Peter Mante k. Ron Neuman l. Robert Penny m. Felipe Rodriquez n. Karin Spaink o. Shari Steele p. Shelly Thomson q. David Touretzky r. Grady Ward s. Lawrence Wollersheim Demand 20. Any and all documents relating to postings made through the following servers: a. freezone.remailer b. nately.ucsd.edu c. penet.fi d. replay.comm e. utopia.hacktic.nI From richieb at teleport.com Sun Apr 21 21:43:05 1996 From: richieb at teleport.com (Rich Burroughs) Date: Mon, 22 Apr 1996 12:43:05 +0800 Subject: Anonymnity at teleport Message-ID: <2.2.32.19960421221944.006df628@mail.teleport.com> At 05:29 PM 4/21/96 EDT, Allen wrote: > A bit of interesting information about teleport. Still not as good >as c2 (as I stated), but it's still good to have multiple anonymous account >providers around... whether or not they mean to be anonymous. This is from a >sysadmin type there (why I deleted the name) who I'll ask about the Majordomo >patch. [snip] And to think I gave them my real name... Do check about the majordomo patch. It's saved list owners here a lot of headaches. I'm not sure what it would take to implement, but the end result is very good, IMHO. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From froomkin at law.miami.edu Sun Apr 21 22:03:52 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Mon, 22 Apr 1996 13:03:52 +0800 Subject: Georgia Legislation - Remailer Effect??? [NOT!] In-Reply-To: <9604212054.AA03211@outland.ain_dev> Message-ID: <Pine.SUN.3.91.960421215231.7967N-100000@viper.law.miami.edu> Having read the admittedly vague and badly worded statute, I bet you that an competent court (query whether this includes the first state prosecutor and trial court that actually are faced with a case) would interpret the act to apply only to cases where someone infringes on the intellectual property of another. If only to avoid constitutional problems. Although as a formal matter EFF are right that the bill's language *could* be read to apply to all anonymous communication, I don't think EFF has done us a favor by whipping up panic, because it seems to me relatively unlikely that it *should* or *would* be read that way. Oh well. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From CS5549 at conrad.appstate.edu Sun Apr 21 22:08:32 1996 From: CS5549 at conrad.appstate.edu (CS5549 at conrad.appstate.edu) Date: Mon, 22 Apr 1996 13:08:32 +0800 Subject: privacy Message-ID: <01I3TIRPO54GBIJ7TQ@conrad.appstate.edu> Send me info....soon!!! From shamrock at netcom.com Sun Apr 21 22:10:22 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 22 Apr 1996 13:10:22 +0800 Subject: Was the clause for Biometric ID Cards dropped? Message-ID: <v02120d19ada09b665bb8@[192.0.2.1]> At 17:12 4/21/96, E. ALLEN SMITH wrote: > As the subject line says, was the proposal for Biometric ID Cards >dropped? I saw something about it on here and forwarded it; my respondent >(Phil Agre of the RRE news service) says he thought that clause had been >dropped. If it passes this year, next year, or five years from now, pass it will. With the customary >90%. Presumably after a suitable Reichstag Brand. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From tcmay at got.net Sun Apr 21 22:14:17 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Apr 1996 13:14:17 +0800 Subject: Jim Bell, Apology to list. Was: [Yadda Yadda Yadda] Message-ID: <ada035ed07021004ec5a@[205.199.118.202]> At 11:44 PM 4/21/96, Black Unicorn wrote: >All this said, I find Mr. May's and Mr. Sandfort's criticism stinging. Mr. >Bell, and my response to him, manages to sap a great deal of time and effort >from myself and others for no gain aside draining his (and to some extent >my) reputation >capital. These disputes serve little purpose otherwise. It's clear to By the way, I certainly was not making a personal condemnation of Uni, or of Jim Bell for that matter. I was mainly making the point that Sandy's point about setting up a wager is problematic (in fact, Uni makes the same points vis-a-vis his view of how Bell might start finagling about the terms of any bet--this was in fact seen during the Extropians experiments, and is what I meant when I said that more time would be spent debating the bet....). I admit that I once I wrote the word "the Unibells" (Uni + Bell, of course), I liked the ring of it (:-}) and used it for the thread title as well. I was serious that I deleted unread the Bell/Unicorn rants; I suspect nearly all others do as well, so their time spent on these messages these last several weeks was even more of a waste. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Apr 21 22:31:51 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Apr 1996 13:31:51 +0800 Subject: Smartcards are coming to the US Message-ID: <ada03b280802100426fb@[205.199.118.202]> At 10:06 PM 4/21/96, Lucky Green wrote: >At 15:15 4/21/96, Brad Dolan wrote: >>Saw a CNN story Friday about an interesting special debit card >>application in Mexico. They're being issued to poor Mexicans, who can >>use them to buy tortillas and a few other foodstuffs. The cards are tied to >>a behavior-control database and failure to send kids to school, get >>mandatory medical exams/treatments/vaccinations, etc. results in card >>deactivation. > >My first response was: he is making this up. But it shoudn't come as a >surprise to any reader of this list. Expect to see more of it. Why should this surprise you? In the U.S. there are _already_ several programs which are similar to this Mexican example. For example, "food stamps." Not valid for expenditures on alchohol, tobacco, and various other disapproved-of consumables. One hand takes away the tax monies (albeit not from those getting food stamps, as their income is typically exempt from taxation) and the other hand doles out a special form of scrip that can theoretically only be spent on approved-of substances. Someday--maybe when Perry is out of the country at an IETF meeting--I'll forward my article about the scandalous plan to privatize the nation's food stores, thus making food only available to the rich and denying the poor of their access to the foodstuffs deemed nutricious by the Parent-Grocer Associations (PGAs) and available at their local People's Public Food Distribution Centers. (This was a piece I did in the late 1980s, critiquing the critics of schools vouchers and private schools by imagining a world in which food distribution was done at "public stores" and run much the way our public education is run.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From WlkngOwl at UNiX.asb.com Sun Apr 21 23:06:01 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Mon, 22 Apr 1996 14:06:01 +0800 Subject: A better entropy estimation method for random.c/noise.sys? Message-ID: <199604220324.XAA09211@unix.asb.com> I've been hacking with the hashing method used in noise.sys and decided to throw it away, since it did more to overestimate the entropy. Until I find something better an xor-checksum of the ast N samples seems to do fine. Alternating samples generate no entropy and samples with periods <= N seem to generate less than 1 bit per sample. The method (in pseudo-code) is as follows: delta = abs( LastSample - sample ) LastSample = sample hash ^= delta /* until I can think of a better hashing algorithm */ swap delta, lastNtable[ indexNtable ] indexNtable = (indexNtable+1) mod N hash ^= delta t = counter /* counts the number of samples so far */ counter++ swap t, lastseen[ hash & (TABLESIZE-1) ] diff = lastseen[ hash & (TABLESIZE-1) ] - t if diff<=N, assume no entropy (or fractional entropy?) otherwise return log2(diff) Comments? Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From tcmay at got.net Sun Apr 21 23:18:19 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 22 Apr 1996 14:18:19 +0800 Subject: Betting (Re: [Yadda Yadda Yadda]....) Message-ID: <ada040ff090210048622@[205.199.118.202]> At 5:28 PM 4/21/96, Sandy Sandfort wrote: >This is not extropians. We are more anarchic, less ideological >and more goal oriented. I suspect we also delete more messages, too. By the way, my hunch is that virtually none of us know very well what Bell and Uni are saying to each other, so who would possibly agree to be the judge? Maybe Sandy, you will volunteer. Let us know how it turns out, if it turns out and $100 actually changes hands. ... >And you like endless cross-talking better? In any event, the No, I prefer to delete arguments I have no interest in. This includes Bell and Uni ranting at each other, or other ranting at each other (and I don't hold myself blameless here, natch), etc. My memories of the Extropians experiments were that I deleted most of the "polycentric law" court cases and "decision duel" wagers. I recall there were wagers involving Mike Price, Perry Metzger, Tim Starr, Eric Raymond, and others, though I don't recall what the issues were about, nor who won, nor if any money was actually transferred on _any_ of these wagers. What I remember is what James Donald also remembers, that large amounts of bandwidth got consumed in debates about the terms, about the conditions for payout, and about weaseling out of judgments. If Harry Shapiro is reading our list, he can perhaps shed some light on things, as he was a sort of List Judge and Executioner at the time. >> At $500, our problem would become much worse, rather than much >> better. > >Here we agree, 100%. By the way, I recall that bets on the Extropians list rapidly escalated to "serious" levels. I recall one apparently-serious [see below] bet of $10,000. I say "apparently serious" because the bettor did not appear to be joking. However, it also seemed likely he was using the outrageous size to "bluff" his opponent into backing down, just as James Donald alluded to. My "bet" is that the issues in ever formulating such a large bet would ensure that it never got realized...precisely the desired result of absurdly large bets. I'll bet $10,000 that no bet of $10,000 or more ever actually gets settled on this list. (By "absurdly large" I mean in this context. I have many times placed "bets" much larger than this on stock market expectations, but not on "bar bets." Such a bet would never be collected, would in fact be tied up in waffling, finessing, backing off, dissemmbling, shuffling, and, of course, would never be collected upon.) But, again, if Sandy is volunteering to judge, and both Jim Bell and Unicorn accept him and the terms....well, I won't stop them. Let me know what happens, but please include a tag like "[Final Bet Outcome]," as I'll be skipping the likely back-and-forth posturing. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 23:26:34 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 14:26:34 +0800 Subject: Scientology harassing anon.penet.fi again! Message-ID: <01I3TFBYCPYO8Y4YAG@mbcl.rutgers.edu> From: IN%"frogfarm at yakko.cs.wmich.edu" 21-APR-1996 19:39:01.86 >I'm sure within hours of reading this message, you'll be inundated with >requests to have Phil "send me the stuff and I'll post it". The net is >full of people to whom a letter from Helena Kobrin [CoS attorney] is >like a Medal of Honor, who would be happy to relieve Phil of liability >by posting the material themselves. Umm... he'd like to send it out on a mailing list (the RRE newsletter) to which only he can post. Plus, it's simply the stuff that was on cypherpunks. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 21 23:37:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 22 Apr 1996 14:37:17 +0800 Subject: Scientology harassing anon.penet.fi again! Message-ID: <01I3TG0ZTVWW8Y4YAN@mbcl.rutgers.edu> Umm... I'm getting quite a few offers to forward the material in question; thank you. But it's just the stuff that was on cypherpunks earlier. And he's wanting to know if _he_ can safely legally (w/regards to the Scientologists) put it on _his_ mailing list - which isn't a discussion list. Sorry that it apparantly wasn't clear, although I have no idea how it wasn't. Thanks, -Allen From unicorn at schloss.li Sun Apr 21 23:55:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 22 Apr 1996 14:55:40 +0800 Subject: Jim Bell, Apology to list. Was: [Yadda Yadda Yadda] In-Reply-To: <Pine.SUN.3.91.960421084606.11213A-100000@crl11.crl.com> Message-ID: <Pine.SUN.3.91.960421192206.9131E-100000@polaris.mindport.net> On Sun, 21 Apr 1996, Sandy Sandfort wrote: [...] > To which Black Unicorn responded: > > > I have US$ 50,000 that says it didn't. Care to take me up on it? [...] > I would be interested to see if Jim Bell and Black Unicorn could > engage in a "friendly" wager on the question in point for the > nominal sum of, say, US$100. Perhaps they can cooperate to frame > their dispute in unambiguous terms, mutually agree upon an escrow > agent and pick a referee or other resolution mechanism to decide > their "case." Wouldn't that be something? > > By the way, gentlemen, I'm not kidding. Everyone on this list > could use a respite from all the "yes-it-is-no-it's-not" posts > among various combatants engaged in "how-many-angels..." spats. Prediction: During the terms negotiation phase much backpeddling by Mr. Bell will be seen. This will include a narrowing of the geographical scope of the wager, a revival of the debate as to when a new century actually begins (00:00:01 Jan 1, 1900 or 00:00:01 Jan 1, 1901), endless hand wringing about what exactly an "exemplar" is, and whether he has to pay US$ 50,000 on losing, or the amount representing its depreciation from the time I made the wager. (US$ $49,999.997?) The reality is that Mr. Bell, more often than most people, is speaking before thinking. He pulled his claim right out of the air, which is generally the substance of the support for his works. He does not bother to research, (except to cite the constitution) or ground any of his discussion in anything like reality. He backs his claims instead with posture and bluff ("How much do you want to bet that...") This is smoke he hopes will solidify into substance for those too lazy to check up on him. (It is worth noting that Mr. Bell has gotten into disputes with 4 people (by my limited count) who actually seem to have a clue about the subjects they discuss. Every one of these has been in the context of a correction to Mr. Bell's facts or assumptions. The irony is that occasionally he has some good points, which are simply decimated by the Yadda Yadda Yadda portions of his work. All this said, I find Mr. May's and Mr. Sandfort's criticism stinging. Mr. Bell, and my response to him, manages to sap a great deal of time and effort from myself and others for no gain aside draining his (and to some extent my) reputation capital. These disputes serve little purpose otherwise. It's clear to me, if not everyone else, that Mr. Bell simply fabricates his positions, evidence, and persuasion out of the mist. I will waste no more time on him unless he makes the most offensive errors in legal fact. He is still quite welcome to stand by the original statement that promoted my wager. I still await an apology for being compared with the Nazi oven workers. With my apologies to the list for not restraining myself sooner - --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From alano at teleport.com Mon Apr 22 00:49:48 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 22 Apr 1996 15:49:48 +0800 Subject: Smartcards are coming to the US Message-ID: <2.2.32.19960422024309.00a7ef74@mail.teleport.com> At 03:15 PM 4/21/96 -0400, Brad Dolan wrote: >Saw a CNN story Friday about an interesting special debit card >application in Mexico. They're being issued to poor Mexicans, who can >use them to buy tortillas and a few other foodstuffs. The cards are tied to >a behavior-control database and failure to send kids to school, get >mandatory medical exams/treatments/vaccinations, etc. results in card >deactivation. Interesting method of social control. "Do anything we don't like and we revoke your ability to spend money through government approved outlets." What a Brave New World we live in... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From blancw at accessone.com Mon Apr 22 00:58:52 1996 From: blancw at accessone.com (blanc) Date: Mon, 22 Apr 1996 15:58:52 +0800 Subject: Betting (Re: [Yadda Yadda Yadda]....) Message-ID: <01BB2FCE.B8DD4D20@blancw.accessone.com> Well, I don't know about Sandy or Tim, but I found the rants between Jim & Uni somewhat amusing (although I myself only skimmed through them) because for every huff&puff which transpired between them, Uni was prompted to dig up more info from the depths of his knowledge, and this effect was quite interesting, psychologically, as well as in regard of the info which came out of it. I expect Jim & Uni could become great friends! (giggle) .. Blanc From stewarts at ix.netcom.com Mon Apr 22 01:04:28 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 22 Apr 1996 16:04:28 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604220502.WAA05299@dfw-ix2.ix.netcom.com> At 09:55 PM 4/20/96 -0700, frantz at netcom.com (Bill Frantz) wrote: >I have thought about the sources of entropy available to a Java applet, and >there aren't many. You should design your protocol so entropy is not >needed on the applet side. Entropy is normally used to pick symmetric >encryption keys, and Initialization vectors If your applet wants to set up a Diffie-Hellman connection, it'll need a random number to set its half-key; a scribble window may be good enough. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stewarts at ix.netcom.com Mon Apr 22 01:12:09 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 22 Apr 1996 16:12:09 +0800 Subject: OS/2 encryption Message-ID: <199604220501.WAA05264@dfw-ix2.ix.netcom.com> At 06:53 AM 4/21/96, mirele at xmission.com wrote: >Well, anything to slow them down. It was reported to me that when Dennis >Erlich was raided last year, they rendered his computer unbootable because >of the deletions they had made. As it is, I haven't been able to find an >appropriate security utility beyond PGP (which I've been using for over a >year anyway). So this discussion is moot. Good luck finding something. You might want to see if there's a Norton version for OS/2; their Diskrete product for DOS may not be the highest quality system in the world but at least it's a start, and maybe they do OS/2. There are two ways the Bad Guys can get your system, or the data off it - they can get a search/seizure warrant, or they can subpoena it into court, and you have a lot more control over the process with a subpoena, though the court may be able to compel production of your password (that's debatable, and it's been much debated here and on Cyberia-L, but a search or seizure warrant _can't_ get your password if it's not written down.) Therefore, if they do a seizure, and your file system is encrypted, the Bad Guys can trash the whole thing, or random blocks, but without the password they can't selectively delete data, and trashing the whole thing could look _real_ bad for them in court. >Look folks. *This* is what it's about. I like a little humour. So what >I've been doing is taking *posted* documents and running them through a >filter (the "encheferizer" of alt.swedish.chef.bork.bork.bork) and then >reposting them to alt.religion.scientology. I have been doing this for >over a year. It's only been recently that (a) the Church <spit> started >cancelling them and (b) that they started threatening me over it. Parodies are legal, but translations may still violate copyright, and essentially you're doing an automated translation into some bizarre language space. So if you're using real* CoS documents, you may have a problem. [* Yeah, I know, "real CoS documents" is a bit of an oxymoron. ] Does the Chef do Clam Chowder? # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From matts at pi.se Mon Apr 22 01:22:06 1996 From: matts at pi.se (Matts Kallioniemi) Date: Mon, 22 Apr 1996 16:22:06 +0800 Subject: RSA-130 Falls to NFS - Lenstra Posting to sci.crypt.research Message-ID: <2.2.32.19960422062019.00386aec@mail.pi.se> At 09:08 1996-04-16 -0500, Bruce Marshall wrote: >On Mon, 15 Apr 1996, Vladimir Z. Nuri wrote: >> I have been wondering about malicious hackers getting into these >> pools. would it be possible for them to contribute false data >> that screws up the end results? or are such anomalies easily >> discarded or disregarded by the final processes? > > I guess I would have to ask you why you think hackers would be >interested in these projects in the first place? Your typical hacker >would care very little about such a project and in fact may be interested >in seeing it succeed. The hacker might be a Netscape shareholder. A successful cracking of ssl means that his shares lose value. Matts From unicorn at schloss.li Mon Apr 22 01:27:05 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 22 Apr 1996 16:27:05 +0800 Subject: Betting (Re: [Yadda Yadda Yadda]....) In-Reply-To: <ada040ff090210048622@[205.199.118.202]> Message-ID: <Pine.SUN.3.93.960422011612.26348A-100000@polaris.mindport.net> On Sun, 21 Apr 1996, Timothy C. May wrote: > it never got realized...precisely the desired result of absurdly large > bets. I'll bet $10,000 that no bet of $10,000 or more ever actually gets > settled on this list. Were Mr. May not kidding, (I assume he is) I'd settle with Mr. Bell for $10,000 and have Mr. May pay the debt with his losing wager above. Of course, in the best of all worlds, Mr. Bell and I would split the result. :) > --Tim May --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From sandfort at crl.com Mon Apr 22 01:34:11 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 22 Apr 1996 16:34:11 +0800 Subject: Betting (Re: [Yadda Yadda Yadda]....) In-Reply-To: <ada040ff090210048622@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960421220732.1273D-100000@crl13.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks: On Sun, 21 Apr 1996, Timothy C. May wrote: > By the way, my hunch is that virtually none of us know very well what Bell > and Uni are saying to each other, so who would possibly agree to be the > judge? MAYBE SANDY, YOU WILL VOLUNTEER. Let us know how it turns out, if it > turns out and $100 actually changes hands. [emphasis added] I'd be happy to help resolve any wager of this sort that arises on the Cypherpunks list. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From unicorn at schloss.li Mon Apr 22 02:59:35 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 22 Apr 1996 17:59:35 +0800 Subject: Smartcards are coming to the US In-Reply-To: <2.2.32.19960422024309.00a7ef74@mail.teleport.com> Message-ID: <Pine.SUN.3.91.960422002225.9131V-100000@polaris.mindport.net> On Sun, 21 Apr 1996, Alan Olsen wrote: > At 03:15 PM 4/21/96 -0400, Brad Dolan wrote: > >Saw a CNN story Friday about an interesting special debit card > >application in Mexico. They're being issued to poor Mexicans, who can > >use them to buy tortillas and a few other foodstuffs. The cards are tied to > >a behavior-control database and failure to send kids to school, get > >mandatory medical exams/treatments/vaccinations, etc. results in card > >deactivation. > > Interesting method of social control. "Do anything we don't like and we > revoke your ability to spend money through government approved outlets." Just the next logical extension of removing professional licenses for failure to comply with government edicts, removing driving licenses for failure to pay government imposed fines. See Reich, "The New Property" and "The New Property after 25 Years" (Harvard Law Review I believe). He suggests constitutional protections for these and other entitlements (like welfare), including due process. An entitlement to entitlements so to speak. I believe that the better solution is to protect the rights ex ante (anonymous drivers/age and entitlement credentials) rather than ex post through the constitution but he has a very interesting survey of the various largess that government withholds to get its way. > > What a Brave New World we live in... > --- > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "We had to destroy the Internet in order to save it." - Sen. Exon --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From stewarts at ix.netcom.com Mon Apr 22 03:08:51 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 22 Apr 1996 18:08:51 +0800 Subject: Memorized secret keys Message-ID: <199604220655.XAA10327@dfw-ix10.ix.netcom.com> At 03:16 PM 4/19/96 -0700, Hal <hfinney at shell.portal.com> wrote: >Choose x bits of good random numbers (x defined below), calling it X. >Seed an MD5 iteration or some other crypto RNG with X and generate >random starting points for p and q. Search for the next primes after >these starting points to get p and q, multiply to get n, and choose the >first exponent >= 3 or 17 or 65537 (choose by taste) as e. Burn p and >q but memorize the random seed X. An interesting approach; given enough spare computing, the passphrase is the key. Remember to transform the passphrase space into some wide-enough space that it will include a bunch of primes, to avoid having multiple passphrases generating the same prime. Primes density is approximately log n (ln n?), e.g. 1/512 for a 512-bit number, so a crude approach like using a 128-bit hash as the most significant bits should do fine. >The main question is, can x be both long enough that it is not the >weakest length in factoring, say, a 1024 bit key, while being short >enough that it can be memorized? >My guess is that x must be 80-120 bits, somewhere in there. This would >be 6 to 9 words chosen from a 16K word list: marginaly doable. Almost by definition, you want at least 128 bits, since you'll probably be using the public key crypto to protect a 128-bit session key. (Keys for signatures may need a bit less slack, though I'd still be wary of <90 bits.) Also, if you're starting by taking an MD5 of the passphrase (after looking up the words in the dictionary or whatever), you're limited to 128 bits of entropy; it's probably worth using SHA, or at least picking p from the MD5 and q from the MD5 of the reverse of the passphrase. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From frantz at netcom.com Mon Apr 22 03:32:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 22 Apr 1996 18:32:58 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604220748.AAA17997@netcom9.netcom.com> At 10:04 PM 4/21/96 -0700, Bill Stewart wrote: >At 09:55 PM 4/20/96 -0700, frantz at netcom.com (Bill Frantz) wrote: >>I have thought about the sources of entropy available to a Java applet, and >>there aren't many. You should design your protocol so entropy is not >>needed on the applet side. Entropy is normally used to pick symmetric >>encryption keys, and Initialization vectors > >If your applet wants to set up a Diffie-Hellman connection, it'll need >a random number to set its half-key; a scribble window may be good enough. Indeed, Bill Stewart (and someone else whose name I forget) are right. I had it in the back of my head that you don't want to harass the user. If you are willing, as in PGP, to ask the user to enter some entropy, then there you can get some sources of randomness which may be good enough. However, do be conservative. After being conservative, gather 10 times as much as you thought you needed. The models of entropy in scribbling are none too good. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jlasser at rwd.goucher.edu Mon Apr 22 03:44:14 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Mon, 22 Apr 1996 18:44:14 +0800 Subject: Smartcards are coming to the US In-Reply-To: <2.2.32.19960422024309.00a7ef74@mail.teleport.com> Message-ID: <Pine.SUN.3.91.960422025540.16240A-100000@rwd.goucher.edu> On Sun, 21 Apr 1996, Alan Olsen wrote: > At 03:15 PM 4/21/96 -0400, Brad Dolan wrote: > >Saw a CNN story Friday about an interesting special debit card > >application in Mexico. They're being issued to poor Mexicans, who can > >use them to buy tortillas and a few other foodstuffs. The cards are tied to > >a behavior-control database and failure to send kids to school, get > >mandatory medical exams/treatments/vaccinations, etc. results in card > >deactivation. > > Interesting method of social control. "Do anything we don't like and we > revoke your ability to spend money through government approved outlets." > > What a Brave New World we live in... I had read it rather differently: "Do what we want and we'll give you food and maybe some other essentials." One can argue about the government's right to do this, the source of the money, etc. But if private charity or industry had chosen to do this, we'd probably look on it rather differently. It's still scary, though; sometimes smart cards are too smart. Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From stewarts at ix.netcom.com Mon Apr 22 05:12:46 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 22 Apr 1996 20:12:46 +0800 Subject: java security Message-ID: <199604220633.XAA07953@dfw-ix2.ix.netcom.com> At 10:24 PM 4/21/96 -0700, Lucky Green wrote: >>A couple of glitches I've gotten from Javascripts are poorly >>(purposely?) written applets that crash. One kept printing a modal >>dialog box continuously, the result being a need to reboot the >>computer because there was no way to exit Netscape or Windows. > >I can confirm this. Under Win95, I have seen applets that keep running >after the browswer instance that loaded has been closed. Even run over >other applications windows, leaving aninmated artifacts on the screen. >Sometimes only the power switch will do. I thought that the applets weren't >supposed to be able to wander out of their memory space... Were they Java, or JavaScript? Much different. Among other things, JavaScript runs on Win3.1, and Netscape doesn't let you turn it off. I've had at least one event of JavaScript crashing Netscape; the part of the script I noticed was scrolling lots of stuff along the bottom (Hail Eris! All Hail Discordia! Etc. Etc.) but maybe there was more. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From frissell at panix.com Mon Apr 22 06:41:03 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 22 Apr 1996 21:41:03 +0800 Subject: Anonymnity at teleport Message-ID: <2.2.32.19960422104035.0068ee58@panix.com> >>>Our users can have a P.O. Box as their address (or a false address), >>>whatever they want as their 'real name', and can pay for their accounts by >>>mailing in cash. All they need to do is be close to a phone that isn't >>>theirs for an hour or so. >> >>>The can put in a phone# when they set up, then call in from that phone (even >>>if it isn't their own) and have one of us call them back with a few >>>minutes...all set. Of course, you can also do this with CompuServe or any service that uses phone verification. I opened my CompuServe account in my True Name but with the phone number of one of my mail receiving services. They wanted a similar callback scheme as above. I went to my mail receiving service, called the CIS 800 number and they called me right back. I was friendly with my mail services so had no trouble. DCF From frissell at panix.com Mon Apr 22 06:42:33 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 22 Apr 1996 21:42:33 +0800 Subject: CoS and anon remailers Message-ID: <2.2.32.19960422103718.00ce7260@panix.com> At 02:49 PM 4/10/96 -0400, Jim Byrd wrote: >My feeling is that they will be doing anything they can >to attempt to produce "hard evidence" that I am part of >the Grand Conspiracy. I would say it is virtually certain >that U.S. anon remailers will be subpoenaed as well as any >foreign ones in which they can handle the authorities. Isn't it a bit difficult to subpeona an anonymous remailer? If run on a large enough system, a remailer can be shut down but not siezed. (I can imagine the marshalls hauling off the Cal Tech mainframes.) If a remailer operator has an accomodation address and/or a false name effective service of process also becomes difficult. Usually in life I've noticed that if you just ignore stuff it goes away. Occaisionally you will be hassled but if you ignore many of the orders of others for your whole life, you will find that your net amount of what we might call "autonomous activity" will be greater than if you slavishly obey every order. DCF From frissell at panix.com Mon Apr 22 07:10:24 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 22 Apr 1996 22:10:24 +0800 Subject: Was the clause for Biometric ID Cards dropped? Message-ID: <2.2.32.19960422103441.00cee464@panix.com> At 07:20 PM 4/21/96 -0700, Lucky Green wrote: >At 17:12 4/21/96, E. ALLEN SMITH wrote: >> As the subject line says, was the proposal for Biometric ID Cards >>dropped? I saw something about it on here and forwarded it; my respondent >>(Phil Agre of the RRE news service) says he thought that clause had been >>dropped. > >If it passes this year, next year, or five years from now, pass it will. >With the customary >90%. Presumably after a suitable Reichstag Brand. But since they are unlikely to imprison you for not having them. And you will be able to be self employed and drive cars (with foreign or no licenses) and everything without them. What good are they? DCF "Note to commentators about little Jessica's tragic crash. It *is* legal for 7 year olds to drive cars as long as they don't do so on the public streets and highways." From nobody at tjava.com Mon Apr 22 07:51:22 1996 From: nobody at tjava.com (Anonymous) Date: Mon, 22 Apr 1996 22:51:22 +0800 Subject: Bad news from Judge Richey Message-ID: <199604221100.GAA05024@tjava.com> At 11:33 PM 3/25/96 tcmay wrote: ------------------- jim bell: >talk to Jim Bell about implementing a program using encryption that doesn't >_need_ to be exported...legally anyway. tcmay: You're coming perilously close to actually calling for the killing of a federal judge. My recollection is that a couple of folks have been arrested and charged for calling for the killing of judges. ------------------- Any half-wit falling for agent provocateur Bell's rap will do hard time, or maybe get popped "in self-defense" by his TLA watchers. The son-of-a-bitch's baiting pigeon traps, no question. He's too myopic to see how he's luring falcons for attack by high-circling eagles. Bell's going down blind-sided with his gulls. From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Mon Apr 22 10:28:21 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Tue, 23 Apr 1996 01:28:21 +0800 Subject: Dictionary searching code Message-ID: <9604221646.AA0800@> At 08:02 PM 4/19/96 -0500, Adam wrote: > Does anyone have some code that will search a dictionary, and >tell me *quickly* if an arbitrary chunk of text is in the dictionary? >Pre-indexing steps are fine, as is using big chunks of disk for hash >tables. The point of course, is to check arbitrary possible plaintext >that a test decryption produces. If you want to do string matching (search for an exact match on a string -- as opposed to checking whether a set of words is in a database) a good choice would be the Boyer-Moore algorithm. It has the nice property that worst case it requires O(n) time (n = dictionary byte count) but on average it is quite a lot better -- and furthermore, the longer the string you're looking for, the faster it gets... paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From MBSFT-0K at carraig.ucd.ie Mon Apr 22 10:28:44 1996 From: MBSFT-0K at carraig.ucd.ie (MBSFT-0K) Date: Tue, 23 Apr 1996 01:28:44 +0800 Subject: Unsubsrive Message-ID: <4E964C26B1@carraig.ucd.ie> > > > unsubscribe cypherpunks Lorca Kelly MBSFT-0K at carraig.ucd.ie From fletch at ain.bls.com Mon Apr 22 10:29:18 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Tue, 23 Apr 1996 01:29:18 +0800 Subject: java security In-Reply-To: <v02120d1dada0c4c8e7c4@[192.0.2.1]> Message-ID: <9604221338.AA04168@outland.ain_dev> > >A couple of glitches I've gotten from Javascripts are poorly > >(purposely?) written applets that crash. One kept printing a modal > >dialog box continuously, the result being a need to reboot the > >computer because there was no way to exit Netscape or Windows. > > I can confirm this. Under Win95, I have seen applets that keep running > after the browswer instance that loaded has been closed. Even run over > other applications windows, leaving aninmated artifacts on the screen. > Sometimes only the power switch will do. I thought that the applets weren't > supposed to be able to wander out of their memory space... Applets (let alone javascript) should have no way to exist once you kill the Netscape that is running the Java interpreter. It is possible for applets to keep running in their own thread even after you've left the page they're loaded from, but once you kill the browser the VM should get shut down (the whole browser, not just a particular window). I can't think of any way that an applet could keep going once the VM stops. As for the original dialog thing, couldn't you C-A-Del it to get the task window up and then shutdown the offending NS task? --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From trei at process.com Mon Apr 22 10:49:59 1996 From: trei at process.com (Peter Trei) Date: Tue, 23 Apr 1996 01:49:59 +0800 Subject: Add-in encryption module to Netscape Message-ID: <199604221333.GAA13236@toad.com> runner at asiapac.net > Hi, > > Lurking here for quite some time until now a real problem has come up and I > need help here. > > I'm not in the US of A and the Netscape commerce server that my employer > recently purchased has only 48bit key (as told by the salesman). My question is > whether it is possible to add-in my own security module (RSA) and secondly, how > difficult is it? The salesman cannot answer me. > > Thanks a lot. Funny, this looks an awful lot like a query (with an apparently real name attached) which appeared in www-security last week from Malaysia. I'm aware of the following servers, available outside the US, which claim to offer 128 bit SSL encryption: Apache-SSL Unix see http://www.algroup.co.uk/Apache-SSL free, commercial support available. supports client authentication Available from British sites Sioux Unix (solaris) see ftp://ftp.inect.co.za/pub/products/sioux/ANNOUNCE support client authentication Based on Apache 2500 Rand Available from South Africa Alibaba NT/Win95 see http://alibaba.austria.eu.net/ Available from Austria US $599 Zeus Very nice website at http://www.zeus.co.uk/ Unix 999 UK # Available from Britain COSMOS Unix Nice site at http://www.ristech.com/SOMMAIRE/B_PRODUITS/INTERNET/ WebCompare claims this has SSL2, but I can't find a mention of their Website. US $2000 and up. Available from France. For a survey of web servers, I strongly recommend WebCompare: http://www.webcompare.com Peter Trei From ericande at cnw.com Mon Apr 22 10:50:11 1996 From: ericande at cnw.com (Eric Anderson) Date: Tue, 23 Apr 1996 01:50:11 +0800 Subject: Micro$oft Crypto API Message-ID: <01BB2F50.52E74D00@king1-06.cnw.com> Has anyone heard anything about the crypto API M$ is working on? Will it work W/ RSA? and will it support GAK? Sorry if this ?? is redundant, I havent' read my mail for a week. From LJT at fs3.ucc.on.ca Mon Apr 22 10:53:41 1996 From: LJT at fs3.ucc.on.ca (Jed Liu) Date: Tue, 23 Apr 1996 01:53:41 +0800 Subject: Entropy Message-ID: <C11834F190D@fs3.ucc.on.ca> I've heard a lot of discussion here about "entropy tests" and "tests for randomness". Could somebody please explain to me one of these tests (or would that take too long?) ? Thanks. -=[###########################]=- -=[## Jed Liu ##]=- -=[## ljt at fs3.ucc.on.ca ##]=- -=[###########################]=- Things are entirely what they appear to be--and behind them...there is nothing. --Jean-Paul Sartre, "Nausea" SignaQuote v1.00 by Jed Liu From brucem at wichita.fn.net Mon Apr 22 10:55:56 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Tue, 23 Apr 1996 01:55:56 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.BSF.3.91.960420125016.6813A-100000@kirk.edmweb.com> Message-ID: <Pine.BSI.3.91.960422084746.14906B-100000@wichita.fn.net> On Sat, 20 Apr 1996, Steve Reid wrote: > In Canada, there is a law that makes "unauthorized use of computing > resources" illegal. That makes both hacking and malicious virus spreading > illegal with one law, without making it illegal to share virus information > and source code. Several other countries have very similiar laws. However, I had heard a somewhat unproven rumor that a U.S. state had actually made the writing of programs with malicious purposes illegal. Basically meaning that if you write a virus you have committed a crime. Like I said though, this was just a statement in a message so I can't vouch for the accuracy. Bruce Marshall From brucem at wichita.fn.net Mon Apr 22 11:10:12 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Tue, 23 Apr 1996 02:10:12 +0800 Subject: Wiretapping v warrants In-Reply-To: <m0uAhuj-00090KC@pacifier.com> Message-ID: <Pine.BSI.3.91.960422082951.14906A-100000@wichita.fn.net> On Sat, 20 Apr 1996, jim bell wrote: > At 10:42 AM 4/20/96 -0500, Bruce Marshall wrote: > >On Fri, 19 Apr 1996, jim bell wrote: > > > >> Here's a question, however: What, exactly, stands between the way it is > >> supposedly done, today, and wiretapping with none of these "protections." > > > > First and foremost Congress, > > But were these "protections" the product of a law passed by Congress? As I do not qualify as a legal historian or expert I don't have any definitive answer for you on this point. My guess would be that it lies somewhere in the bowels of the legal system. I recall hearing about some early cases involving operators listening in on telephone calls (which I believe they are still able to do as long as it is random and for purposes of "service checks") and how this was declared a violation of privacy to the calling parties. > > then the Judicial system > > I'm feeling much better....NOT! Obviously not a flawless and perfect branch of government, but what is? > >and finally the people themselves. > > It's called "Right to Keep and Bear Arms." More likely, the "Right to Vote Out the Incumbents." > > Since I'm not exactly sure whether the targets of a wiretap are ever > >informed that their conversations were monitored if they aren't later > >prosecuted using the info gained through the wiretap, I couldn't really > >comment on why if that is the case. > > The reason you don't know is simply that there is no _Constitutional_ > reason. There is merely a practical one: The act of wiretapping does not > automatically inform those tapped, in the same way that service of a search > warrant does, so the government CONVEEEENIENTLY forgets to tell them. Most > government suck-ups don't even want to address this issue; they have no > explanation. Unlike them, you acknowledged that you weren't away of the reason why. I also think the majority of us can look at that and say "what a bad thing." But the real question is what we want to do about it. > I seem to recall a news item from Washington state within the last couple of > years in which a conviction was thrown out because evidence was obtained > with thermal-IR imagers. You know, look for the hot house and it's being > used to grow pot. Problem is, that kind of viewing is not normally publicly > apparent, so a citizen has a reasonable belief that it can't be used against > him. In another case, in Oregon, the use of night-vision goggles to observe > people (at least in collecting evidence) was thrown out, for the same > reason: Even if, arguably, people were out "in public," they had a > reasonable expectation that they would not be observed if they were careful > to remain in the dark. Throw out the IR gogs then and look at the rest of the picture. You still have the binoculars, the dish microphones and plain old eyes. Dosn't this pose a more reasonable comparison to your original topic of wiretaps? I have a feeling though that IR vision will become more accepted by the courts as a valid means of surveilance as its use increases. > One more thing: Until about 1968, the private use of tiny recording > microphones, in public, was essentially unlimited. About that year, in many > states, it was restricted. (In some states it's illegal to record > conversations by surreptitious means, EVEN IF you're a party to that > conversation. How bizarre!) And unconveinent for those of us who would like to be able to record our conversations without the explicit permission of the other party. > My theory is that politicians recognized, > correctly, that they would be the ones most subject to such recording, and > since they engaged in incriminating (bribery) conversations fairly > regularly, they didn't want lobbyists to be able to collect a series of > recorded conversations that could later be used against the politician if > they later fell out of favor. While that may have been some of their original intentions for passing such a bill, do you think people who are already involved in illegal activities would stop and think "Wait a minute, I can't ILLEGALLY record this bribe,"? Such blackmails surely continue. > The reason I consider "the system" to be so crooked is that it tries to get > away with things like this whenever it can. Well, think about the situation. The number of people who aren't prosecuted after a wiretap is likely a small fraction of the whole number of wiretaps (then again, how do we know?). The number that find out they were under observation but not prosecuted is even more likely nil. So, where are your chances to challenge this in court? Where are the test cases? Admitedly, Congress shouldn't have to wait for a case to take action to change this practice, but I doubt they are going to make a fuss about it before anyone else does. Bruce Marshall From raph at CS.Berkeley.EDU Mon Apr 22 11:38:37 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 23 Apr 1996 02:38:37 +0800 Subject: List of reliable remailers Message-ID: <199604221350.GAA03507@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = "<remail at miron.vip.best.com> cpunk pgp special"; $remailer{"portal"} = "<hfinney at shell.portal.com> cpunk pgp hash"; $remailer{"alumni"} = "<hal at alumni.caltech.edu> cpunk pgp hash"; $remailer{"bsu-cs"} = "<nowhere at bsu-cs.bsu.edu> cpunk hash ksub"; $remailer{"c2"} = "<remail at c2.org> eric pgp hash reord"; $remailer{"penet"} = "<anon at anon.penet.fi> penet post"; $remailer{"hacktic"} = "<remailer at utopia.hacktic.nl> cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = "<remailer at flame.alias.net> cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = "<homer at rahul.net> cpunk pgp hash filter"; $remailer{"mix"} = "<mixmaster at remail.obscura.com> cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = "<remailer at bi-node.zerberus.de> cpunk pgp hash ksub ek"; $remailer{"robo"} = "<robo at c2.org> cpunk hash mix"; $remailer{"replay"} = "<remailer at replay.com> cpunk mix pgp hash latent cut post ek"; $remailer{"rmadillo"} = "<remailer at armadillo.com> mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = "<cpunk at remail.ecafe.org> cpunk mix"; $remailer{"wmono"} = "<wmono at valhalla.phoenix.net> cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = "<remailer at shinobi.alias.net> cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = "<amnesia at chardos.connix.com> cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = "<mix at remail.gondolin.org> cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = "<remailer at tjava.com> cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = "<pamphlet at idiom.com> cpunk pgp hash latent cut ?"; $remailer{'alpha'} = '<alias at alpha.c2.org> alpha pgp'; $remailer{'gondonym'} = '<alias at nym.gondolin.org> alpha pgp'; $remailer{"lead"} = "<mix at zifi.genetics.utah.edu> cpunk pgp hash latent cut ek"; $remailer{"treehole"} = "<remailer at mockingbird.alias.net> cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = "<remailer at meaning.com> cpunk pgp hash latent cut"; $remailer{"exon"} = "<remailer at remailer.nl.com> cpunk pgp hash latent cut ek"; $remailer{"vegas"} = "<remailer at vegas.gateway.com> cpunk pgp hash latent cut"; $remailer{"haystack"} = "<haystack at holy.cow.net> cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = "<ncognito at gate.net> mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 22 Apr 96 6:46:30 PDT remailer email address history latency uptime ----------------------------------------------------------------------- exon remailer at remailer.nl.com ++****+****# 3:56 99.98% shinobi remailer at shinobi.alias.net +*#-+-*+*--* 1:21:52 99.97% alpha alias at alpha.c2.org + *+*+++-*++ 44:07 99.88% portal hfinney at shell.portal.com ###*#-# *### 2:35 99.80% hacktic remailer at utopia.hacktic.nl *+* +*****+* 9:33 99.73% amnesia amnesia at chardos.connix.com -+---+----- 2:41:12 99.60% treehole remailer at mockingbird.alias.net --+-+ --.--+ 5:09:41 99.40% alumni hal at alumni.caltech.edu ## * * *### 3:58 99.38% replay remailer at replay.com *+* ****** 6:37 99.36% extropia remail at miron.vip.best.com --- --.---- 6:42:44 99.09% haystack haystack at holy.cow.net #*#++#*#*#++ 4:30 99.08% lead mix at zifi.genetics.utah.edu ++++++++++++ 42:08 98.55% c2 remail at c2.org ++++++ +-*** 36:14 98.49% ecafe cpunk at remail.ecafe.org *+---+*-#*+ 22:24 98.25% flame remailer at flame.alias.net --- _.----- 7:26:44 97.13% penet anon at anon.penet.fi -__...__ -- 32:56:37 96.98% vegas remailer at vegas.gateway.com +*##*+*+ 1:03:31 57.66% ncognito ncognito at gate.net *## :58 24.27% mix mixmaster at remail.obscura.com ----+ 2:24:40 22.82% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From ac at hawk.twinds.com Mon Apr 22 13:08:32 1996 From: ac at hawk.twinds.com (Arley Carter) Date: Tue, 23 Apr 1996 04:08:32 +0800 Subject: Spaces in passwords In-Reply-To: <9604181538.AA16305@divcom.umop-ap.com> Message-ID: <Pine.HPP.3.91.960422114851.20543B-100000@hawk.twinds.com> How is a control character, @, and # any different from typing an uppercase letter? Just curious. Arley Carter Tradewinds Technologies, Inc. email: ac at hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from <insert your favorite corporation or government agency>." On Thu, 18 Apr 1996, Jon Leonard wrote: > > Ben Rothke writes: > > > Do spaces (ASCII 20) in passwords make them less secure? > > > > Of course not. In a normal Unix password, adding spaces to the > > password search space increases the search space, so it necessarily > > makes the search harder. > > The exception to this is when you may be overheard typing a password. > The space bar sounds different, and an attacker who knows you've used > a space has a significantly smaller search space. > > So I usually recommend avoiding space, @, #, and control characters > when generating passwords. Have I missed any or gotten too many? > > > .pm > > Jon Leonard > From tallpaul at pipeline.com Mon Apr 22 15:08:45 1996 From: tallpaul at pipeline.com (tallpaul) Date: Tue, 23 Apr 1996 06:08:45 +0800 Subject: Nazis on the Net Message-ID: <199604220217.WAA14740@pipe5.nyc.pipeline.com> On Apr 21, 1996 17:23:00, '"E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU>' wrote: > In view of the Zundelsite business, I thought people might find the >following of interest. Unfortunately, the author is either leaving >some critical information out or is misinformed. Specifically, the actual >history on the Zundelsite business, and the actual circumstances at Ruby Ridge; > >on the latter, Randy Weaver was neither a neo-Nazi nor a racist. He was (and, >so far as I know, still is) a white separatist. (One would think liberals >would >tolerate this - they tolerate the equally offensive black separatists, after >all...). The Zundelsite reference is incomplete in that it fails to describe >the motivations of the mirrorsites. > -Allen Since E.A. Smith wants completeness re the Zundelsite issue, I am curious about his assertion about Weaver. Might we know the source of his complete info on Weaver's political and racial beliefs. I see, in essence, three hypothesis: 1) Cover the ass of a potential neo-Nazi or racist (or both) without any reference to what is really true; 2) Get information from outer space; 3) Base the conclusion on hard evidence. If the answer is 3) I'd like to get a real pointer to the real evidence. By real evidence I mean just that, not wishful thinking or advertising jingles for points 1) or 2). --tallpaul PS: Cypherpunks seems to be getting very wiggy these days. From sentiono at cycor.ca Mon Apr 22 15:13:39 1996 From: sentiono at cycor.ca (Sentiono Leowinata) Date: Tue, 23 Apr 1996 06:13:39 +0800 Subject: OFF Topic: MS-Exchange bug (winmail.dat) Message-ID: <199604221430.LAA03540@bud.peinet.pe.ca> I need help to disable the long-trailer from MS-Exchange. Everytime my friend sends me an e-mail, the "trailer" (winmail.dat) always there. How to disable it or turn it off? I believe someone mention about this "feature" in this mailing list long time ago, but I can't find it in my archive. Thank you. Sent. ps. can Winmail.Dat be considered as cryto-useless? <grin> From llurch at networking.stanford.edu Mon Apr 22 15:41:06 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 23 Apr 1996 06:41:06 +0800 Subject: Nazis on the Net In-Reply-To: <01I3T7WPGNL48Y4Y84@mbcl.rutgers.edu> Message-ID: <Pine.ULT.3.92.960422103411.1448D-100000@Networking.Stanford.EDU> I've been told that Crawford is a clueful science fiction writer. I'm not interested in discussing this here, but I and others (including some self-described Nazis) have posted responses to alt.internet.media-coverage. -rich From JonWienke at aol.com Mon Apr 22 16:34:16 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Tue, 23 Apr 1996 07:34:16 +0800 Subject: OS/2 encryption Message-ID: <960422145817_380368356@emout18.mail.aol.com> In a message dated 96-04-21 22:11:06 EDT, Lucky Green wrote: >Back up the HD to tape (encrypt the data on the tape). Move the tape out of >reach. And don't tell anyone, especially not this list, that you did that. Personally, I recommend the Syquest EZdrive over tape. The EZ is a fully functional (bootable, too) 130 MB hard drive ($200 for an IDE internal model, also available in SCSI and parallel port versions) that uses removable cartridges ($20 each) for storage. Most backup programs let you back up to a hard drive, which is much faster than tape, and more reliable as well. Ditto the bit about storing the backups (whatever media) somewhere the CO$ will never find them, and keeping your mouth shut about it. From schoiack at tahoma.cwu.edu Mon Apr 22 16:53:00 1996 From: schoiack at tahoma.cwu.edu (Chris Van Schoiack) Date: Tue, 23 Apr 1996 07:53:00 +0800 Subject: Portland Cypherpunk Meeting for April In-Reply-To: <2.2.32.19960416035657.00ab813c@mail.teleport.com> Message-ID: <Pine.VUL.3.91.960422121748.3032A-100000@tahoma.cwu.edu> Hello, I'm a student at Central Wash. University and would like to attend the conference. Is there anyone that would be willing to give me a ride. If you stay over, I've a friend I can stay with.. I don't have a (functioning) car, but can get a ride to the Seattle area.. My phone number is 509-925-3662. Will contibute gas money. Thanks, Chris Van Schoiack On Mon, 15 Apr 1996, Alan Olsen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > There will be another physical meeting on the Cypherpunks in Portland, OR. > > The particulars: > > Location: Powell's Technical Bookstore > 33 NW Park > Portland, OR 97209 > (Just north of Burnside off of the Park blocks.) > > Date: April 27th, 1996 > Time: 5:23pm > > Discussions will cover: > > ** A Portland Remailer > > ** Various Coding Projects > > ** Events in the News > > ** Other Projects related to Crypto (Web sites and Documentation) > > ** Possible PGP Keysigning (Depends on the response) > > ** General Discussion Devolving into Chaos > > If you have any other topics for discussion, bring them up at the meeting or > you can e-mail me in advance. > > Powell's Technical Book has a good selection of crypto books, so you might > want to be prepared. (Do not bring money you cannot afford to spend. > Powell's has an evil force that seduces people into buying books.) > > A PGP keysigning will be held if there are enough interested people. If you > are interested in participating, please send me your public key via e-mail. > > Any comments, suggestions, ideas, and/or complains can be sent to me at > alano at teleport.com. > > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQEVAwUBMXMZZeQCP3v30CeZAQG0/Af/To2q0fuLk8Q6KquP+6LX1/1EOqGGoxBZ > jWfCJoz40Wk1EHMJMis+XpiPgcXg2nAZNeQXubS4Q9se8uGG57UbzpX8rv5GnzdV > HWimufNeL/bfxSn+OYswTEQExSwG2V/TSWZNwfFf5Xl/6V0zy1Xa5qY8CEtXn1fr > 3/vXicYexd3NwSvToN5udYYtUe2kH14O3RIoXAnaJwMZLvS+oiDzw8LWXI7UMdsf > akUbhisfgf/lu3wiMVQkN2hdP15rioIlAhryA0skvl1fxh3OkFC8/GDJpRBRWD+K > RjO5VgRRXYrQUG4PKAK8Y1/PSINzandOkaMc2duaSshslZYyI3YRmg== > =zD1a > -----END PGP SIGNATURE----- > --- > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "We had to destroy the Internet in order to save it." - Sen. Exon > > From maldrich at grctechs.va.grci.com Mon Apr 22 17:16:23 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Tue, 23 Apr 1996 08:16:23 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.BSI.3.91.960422084746.14906B-100000@wichita.fn.net> Message-ID: <Pine.SCO.3.91.960422142653.7158C-100000@grctechs.va.grci.com> On Mon, 22 Apr 1996, Bruce Marshall wrote: > Date: Mon, 22 Apr 1996 08:50:21 -0500 (CDT) > From: Bruce Marshall <brucem at wichita.fn.net> > Subject: Re: Bernstein ruling meets the virus law > > On Sat, 20 Apr 1996, Steve Reid wrote: > > > In Canada, there is a law that makes "unauthorized use of computing > > resources" illegal. That makes both hacking and malicious virus spreading > > illegal with one law, without making it illegal to share virus information > > and source code. > > Several other countries have very similiar laws. However, I had > heard a somewhat unproven rumor that a U.S. state had actually made the > writing of programs with malicious purposes illegal. Basically meaning > that if you write a virus you have committed a crime. Like I said > though, this was just a statement in a message so I can't vouch for the > accuracy. But, define "malicious purpose." One man's low-level format is another man's desired application of the moment. I hate to paraphrase a tired line, but "self-replicating programs don't hurt computers - mean people do." The term "virus" connotes a pathogenic quality in the mind of many. Unfortunately, this tendency continues in the use of the word 'virus' within our community. While I understand that "intent" is something with which lawyers have to contend when they defend or prosecute a case, I don't think that the notion of intent to commit harm extrapolates correctly into the field of virus writing. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From froomkin at law.miami.edu Mon Apr 22 17:39:45 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Tue, 23 Apr 1996 08:39:45 +0800 Subject: Draft paper on law of digital signatures, CAs Message-ID: <Pine.SUN.3.91.960422161257.15955B-100000@viper.law.miami.edu> [cross-posted to Cyberia-L, Cypherpunks & Cyberprof; apologies for duplication] A preliminary draft of my paper on Digital Signatures, Certification Authorities, and a few of the legal problems they (may) create can be found under the title, "The Essential Role of Trusted Third Parties in Electronic Commerce" at this URL: http://www.law.miami.edu/~froomkin/articles/trusted.htm A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From shamrock at netcom.com Mon Apr 22 17:58:17 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 23 Apr 1996 08:58:17 +0800 Subject: java security Message-ID: <v02120d25ada197b3463b@[192.0.2.1]> At 23:35 4/21/96, Bill Stewart wrote: >Were they Java, or JavaScript? Much different. Among other things, >JavaScript runs on Win3.1, and Netscape doesn't let you turn it off. >I've had at least one event of JavaScript crashing Netscape; the part >of the script I noticed was scrolling lots of stuff along the bottom Javascript started the new browser. The renegade applet was Animator, which is Java, I believe. I didn't spend much effort investigating it, since I try to stay away from doing things over that have hosed my system twice in a row. Win95, Atlas beta. The offending page was http://www.dippybird.com/java.html Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From brucem at wichita.fn.net Mon Apr 22 18:34:08 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Tue, 23 Apr 1996 09:34:08 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.SCO.3.91.960422142653.7158C-100000@grctechs.va.grci.com> Message-ID: <Pine.BSI.3.91.960422151102.19963B-100000@wichita.fn.net> On Mon, 22 Apr 1996, Mark Aldrich wrote: > On Mon, 22 Apr 1996, Bruce Marshall wrote: > > Several other countries have very similiar laws. However, I had > > heard a somewhat unproven rumor that a U.S. state had actually made the > > writing of programs with malicious purposes illegal. Basically meaning > > that if you write a virus you have committed a crime. Like I said > > though, this was just a statement in a message so I can't vouch for the > > accuracy. > But, define "malicious purpose." One man's low-level format is another > man's desired application of the moment. There usually is a pretty apparent line between authorized and unauthorized functions in regards to computer programs. I don't think that even Microsoft with their pages of disclaimers could release software that, unbeknownst to its user, destroyed data. > I hate to paraphrase a tired > line, but "self-replicating programs don't hurt computers - mean people > do." I have heard AV people argue that regardless of its purpose (malicious/destructive or not) all viruses can be harmful. Whether this is simply running the computer out of memory or using bad system calls that result in data loss is irrelevant to them. I don't quite buy into that argument since we can find the same flaws to be inherent in any software we run. However, since you haven't really consciously allowed the program to do whatever it is doing, the person who infected your machine is typically to be held responsible for unauthorized access at a minimum. > The term "virus" connotes a pathogenic quality in the mind of > many. Unfortunately, this tendency continues in the use of the word > 'virus' within our community. Personally, I can see many useful functions for viruses. But I find the viruses that simply destroy data--which tends to be the majority--to be quite boring and childish. A non-destructive and innovative virus is very interesting and comparable to any good software hack in my eyes. > While I understand that "intent" is something with which lawyers have to > contend when they defend or prosecute a case, I don't think that the > notion of intent to commit harm extrapolates correctly into the field of > virus writing. These were not my thoughts as I was only commenting on a alleged law that had been passed. I agree that we can't look into our crystal ball and see whether Mr. McViruswriter had really intended for his virus to wipe out part of the Secret Service's computer network. I would wager that if legislators did indeed pass such a law in the U.S., they probably were hammered with the same type of anti-virus propaganda that AV people always seem to be throwing out. Bruce Marshall From alano at teleport.com Mon Apr 22 18:47:56 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 23 Apr 1996 09:47:56 +0800 Subject: java security Message-ID: <2.2.32.19960422212139.00aa57ec@mail.teleport.com> At 01:26 PM 4/22/96 -0700, Lucky Green wrote: >At 23:35 4/21/96, Bill Stewart wrote: > >>Were they Java, or JavaScript? Much different. Among other things, >>JavaScript runs on Win3.1, and Netscape doesn't let you turn it off. >>I've had at least one event of JavaScript crashing Netscape; the part >>of the script I noticed was scrolling lots of stuff along the bottom > >Javascript started the new browser. The renegade applet was Animator, which >is Java, I believe. > >I didn't spend much effort investigating it, since I try to stay away from >doing things over that have hosed my system twice in a row. Win95, Atlas >beta. The offending page was http://www.dippybird.com/java.html The one advantage to Netscape 3.0 is that you can turn Javascript off. (You may be able to do that in 2.01 as well...) 3.0 has some pretty nasty bugs. There appears to be a memory leak dealing with forms, as well as a number of nasty little gotchas. (I have been getting crashes that seem to be assocaited with one of the plug-ins.) Hopefully the next beta is out for 3.0. (I have not checked in the last couple of days, so it may be... Sunday night seems to be the favored time of posting.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From steve at edmweb.com Mon Apr 22 19:03:22 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 23 Apr 1996 10:03:22 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.BSI.3.91.960422084746.14906B-100000@wichita.fn.net> Message-ID: <Pine.BSF.3.91.960422143210.10285A-100000@kirk.edmweb.com> > Several other countries have very similiar laws. However, I had > heard a somewhat unproven rumor that a U.S. state had actually made the > writing of programs with malicious purposes illegal. Basically meaning > that if you write a virus you have committed a crime. Like I said > though, this was just a statement in a message so I can't vouch for the > accuracy. Hmm... "malicious purposes".... How would they determine that? Some viruses are clearly designed to be destructive, but some do nothing but replicate. Then there are viruses and worms (like RTM's) that crash systems, but may or may not have been designed to do that. Then there are trojan horses, which look useful, but are designed to crash your machine... Then there are programs that are designed to be useful, but have bugs that will cause your machine to crash. Things are only black and white in lawmaker's dreams. :-/ ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From rah at shipwright.com Mon Apr 22 19:23:03 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 23 Apr 1996 10:23:03 +0800 Subject: [Laffs] Citizen in need of correction Message-ID: <v03006606ada1b8119d22@[199.0.65.105]> --- begin forwarded text Date: 21 Apr 1996 03:25:13 +0200 From: anon-remailer at utopia.hacktic.nl (Anonymous) (by way of rah at shipwright.com (Robert A. Hettinga)) To: rah at shipwright.com Subject: Citizen in need of correction Organization: Hack-Tic International, Inc. Path: news-central.tiac.net!news-in.tiac.net!news.kei.com!newsfeed.internetmci.com!how land.reston.ans.net!EU.net!sun4nl!xs4all!utopia.hacktic.nl!not-for-mail Newsgroups: talk.politics.crypto,talk.politics.libertarian,alt.politics.libertarian,alt.soci ety.anarchy,alt.privacy,alt.security.pgp,alt.activism,alt.anarchism,alt.cyberpun k,alt.politics.datahighway Lines: 4 Sender: remailer at utopia.hacktic.nl NNTP-Posting-Host: utopia.hacktic.nl Comments: <postmaster at utopia.hacktic.nl> Xref: news-central.tiac.net talk.politics.crypto:205 talk.politics.libertarian:3955 alt.politics.libertarian:5165 alt.society.anarchy:606 alt.privacy:251 alt.security.pgp:802 alt.activism:3485 alt.anarchism:116 alt.cyberpunk:492 alt.politics.datahighway:297 X-Newsreader: Yet Another NewsWatcher 2.1.2 We seem to have a problem with an inconsiderate citizen. This is a call for bids on the case of jimbell at pacifier.com (jimbell) -- Please send your bids to getjim at blacknet.net by midnight GMT, April 25th, 1996. --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From frissell at panix.com Mon Apr 22 19:55:31 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 23 Apr 1996 10:55:31 +0800 Subject: Biometric ID Message-ID: <2.2.32.19960422182608.0081eeb4@popserver.panix.com> Someone asked about biometric ID requirements in HR 2202 "Immigration in the National Interest Act of 1996". This passed the House a few weeks ago. The Senate may pass it this week or next. Watch out for stuff to slip back in in the Conference Committee. The whole "pilot program" to develop a forge resistant biometric ID card has been removed from the bill. The Border Crossing Cards that speed crossings from Mexico are supposed to have machine readable finger prints or hand prints added but those can probably be duped by the forgers. The online SS# verification program is reduced to a voluntary (for the employer) pilot. DCF From warlord at MIT.EDU Mon Apr 22 20:17:13 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 23 Apr 1996 11:17:13 +0800 Subject: DES as a stream cipher In-Reply-To: <2.2.32.19960422214547.006b636c@geoplex.com> Message-ID: <9604222228.AA01072@bart-savagewood.MIT.EDU> > As this sounds like a previously solved problem, I wanted to find out about > using DES (or any block cipher) as a stream cipher, i.e., in a manner that > keeps input and output data length equal. I don't want to use a true stream > cipher, as I want to use the same key for multiple messages and stream > ciphers tend to place the bulk of their overhead in the re-key. Since stream > ciphers have "memory," I would have to "re-key" to the same key for each of > my messages. I would rather key something like DES once and run it in CBC > mode or use some other form of IV. Well, it all depends on what encryption mode you are using. You can always use cfb or ecb or ofb modes to get a stream-like cipher. However you have to beware the security ramifications of using these encryption modes. FYI: PGP uses IDEA in cfb mode (albeit in a strange way). -derek From perry at piermont.com Mon Apr 22 20:58:39 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 23 Apr 1996 11:58:39 +0800 Subject: DES as a stream cipher In-Reply-To: <2.2.32.19960422214547.006b636c@geoplex.com> Message-ID: <199604222225.SAA18546@jekyll.piermont.com> "Karl A. Siil" writes: > Folks, > > As this sounds like a previously solved problem, I wanted to find out about > using DES (or any block cipher) as a stream cipher, i.e., in a manner that > keeps input and output data length equal. DES (and other block ciphers) has a couple of modes that let you do this -- CFB mode and OFB mode come to mind. Their security hasn't been that well studied to my knowledge. However... > I don't want to use a true stream cipher, as I want to use the same > key for multiple messages and stream ciphers tend to place the bulk > of their overhead in the re-key. ???? > Since stream ciphers have "memory," I would have to "re-key" to the > same key for each of my messages. I would rather key something like > DES once and run it in CBC mode or use some other form of IV. ??? You ought to explain your application more clearly; it isn't necessarily the case that a stream cipher is appropriate for you. .pm From jcorgan at aeinet.com Mon Apr 22 21:01:26 1996 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Tue, 23 Apr 1996 12:01:26 +0800 Subject: Smartcards are coming to the US In-Reply-To: <ada03b280802100426fb@[205.199.118.202]> Message-ID: <317C12C0.6C92@aeinet.com> Timothy C. May wrote: > Someday--maybe when Perry is out of the country at an IETF meeting--I'll > forward my article about the scandalous plan to privatize the nation's food > stores, thus making food only available to the rich and denying the poor of > their access to the foodstuffs deemed nutricious by the Parent-Grocer > Associations (PGAs) and available at their local People's Public Food > Distribution Centers. If it is online, could you send me a pointer? Is it a searchable archive somewhere? Thanks. Johnathan From master at internexus.net Mon Apr 22 21:02:15 1996 From: master at internexus.net (Laszlo Vecsey) Date: Tue, 23 Apr 1996 12:02:15 +0800 Subject: [NOISE]: Test, please ignore. Message-ID: <Pine.LNX.3.92.960422192711.12006A-100000@micro.internexus.net> Just bouncing a message off the server in the hopes that cypherpunks messages begin to flow again... (define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n)))) From crisper at ascensionet.com Mon Apr 22 21:06:44 1996 From: crisper at ascensionet.com (Sean T Carnes) Date: Tue, 23 Apr 1996 12:06:44 +0800 Subject: Searching Message-ID: <01BB3082.9D8BFEE0@ppp4> Is anyon eon this list who recently went or is currently attending Purdue University in Indiana?? From dan at vplus.com Mon Apr 22 21:39:38 1996 From: dan at vplus.com (Dan Weinstein) Date: Tue, 23 Apr 1996 12:39:38 +0800 Subject: java security In-Reply-To: <199604220633.XAA07953@dfw-ix2.ix.netcom.com> Message-ID: <317c16d7.7421788@mail.vplus.com> On Sun, 21 Apr 1996 23:35:38 -0700, you wrote: >Were they Java, or JavaScript? Much different. Among other things, >JavaScript runs on Win3.1, and Netscape doesn't let you turn it off. >I've had at least one event of JavaScript crashing Netscape; the part >of the script I noticed was scrolling lots of stuff along the bottom >(Hail Eris! All Hail Discordia! Etc. Etc.) but maybe there was more. ># Thanks; Bill ># Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 You can turn off JavaScript, but you must be running 2.01 or later. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From eay at mincom.oz.au Mon Apr 22 21:49:48 1996 From: eay at mincom.oz.au (Eric Young) Date: Tue, 23 Apr 1996 12:49:48 +0800 Subject: DES as a stream cipher In-Reply-To: <2.2.32.19960422214547.006b636c@geoplex.com> Message-ID: <Pine.SOL.3.91.960423093853.1018F-100000@orb> On Mon, 22 Apr 1996, Karl A. Siil wrote: > As this sounds like a previously solved problem, I wanted to find out about > using DES (or any block cipher) as a stream cipher, i.e., in a manner that > keeps input and output data length equal. I don't want to use a true stream > cipher, as I want to use the same key for multiple messages and stream > ciphers tend to place the bulk of their overhead in the re-key. Since stream > ciphers have "memory," I would have to "re-key" to the same key for each of > my messages. I would rather key something like DES once and run it in CBC > mode or use some other form of IV. Have a look at cipher feed back mode. I have functions I call cfb64 in my DES library that give a 'single' character interface to cfb mode DES using 64bit feedback. This should be what you want. I also have a triple DES version of cfb64. In my SSL library also has cfb64 mode for IDEA. eric ftp://ftp/pub/Crypto/DES ftp://ftp/pub/Crypto/SSL http://www.psy.uq.oz.au/~ftp/Crypto -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From karl at geoplex.com Mon Apr 22 22:13:12 1996 From: karl at geoplex.com (Karl A. Siil) Date: Tue, 23 Apr 1996 13:13:12 +0800 Subject: DES as a stream cipher Message-ID: <2.2.32.19960422214547.006b636c@geoplex.com> Folks, As this sounds like a previously solved problem, I wanted to find out about using DES (or any block cipher) as a stream cipher, i.e., in a manner that keeps input and output data length equal. I don't want to use a true stream cipher, as I want to use the same key for multiple messages and stream ciphers tend to place the bulk of their overhead in the re-key. Since stream ciphers have "memory," I would have to "re-key" to the same key for each of my messages. I would rather key something like DES once and run it in CBC mode or use some other form of IV. Help or pointers to help are greatly appreciated. Karl From jya at pipeline.com Mon Apr 22 22:31:55 1996 From: jya at pipeline.com (John Young) Date: Tue, 23 Apr 1996 13:31:55 +0800 Subject: TOE_hol Message-ID: <199604222155.RAA28631@pipe2.nyc.pipeline.com> 4-22-96. WJur: "French Smart Card Proves a Bright Idea. Once-Shunned European Innovation Is Sizzling." Reports on French dominance of the burgeoning global smart- card use, and which hungry giants are prowling for fries. Compares security munitions and foot shootings. TOE_hol From jimbell at pacifier.com Mon Apr 22 23:28:04 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 23 Apr 1996 14:28:04 +0800 Subject: [Laffs] Citizen in need of correction Message-ID: <m0uBXXg-000951C@pacifier.com> At 06:26 PM 4/22/96 -0400, Robert Hettinga wrote: > >--- begin forwarded text > >Xref: news-central.tiac.net talk.politics.crypto:205 >talk.politics.libertarian:3955 alt.politics.libertarian:5165 >alt.society.anarchy:606 alt.privacy:251 alt.security.pgp:802 >alt.activism:3485 alt.anarchism:116 alt.cyberpunk:492 >alt.politics.datahighway:297 >X-Newsreader: Yet Another NewsWatcher 2.1.2 > >We seem to have a problem with an inconsiderate citizen. This is a call >for bids on the case of jimbell at pacifier.com (jimbell) >-- Please send your bids to getjim at blacknet.net by midnight GMT, April >25th, 1996. > >--- end forwarded text >----------------- >Robert Hettinga (rah at shipwright.com) >e$, 44 Farquhar Street, Boston, MA 02131 USA >"If they could 'just pass a few more laws', > we would all be criminals." --Vinnie Moscaritolo >The e$ Home Page: http://thumper.vmeng.com/pub/rah/ In the spirit of Ivan Dragomiloff and the Lord High Executioner, I'll take that contract! Jim Bell jimbell at pacifier.com From timd at consensus.com Mon Apr 22 23:37:01 1996 From: timd at consensus.com (Tim Dierks) Date: Tue, 23 Apr 1996 14:37:01 +0800 Subject: DES as a stream cipher Message-ID: <v02140b0aada1b8276f86@[206.170.39.104]> At 2:45 PM 4/22/96, Karl A. Siil wrote: >Folks, > >As this sounds like a previously solved problem, I wanted to find out about >using DES (or any block cipher) as a stream cipher, i.e., in a manner that >keeps input and output data length equal. I don't want to use a true stream >cipher, as I want to use the same key for multiple messages and stream >ciphers tend to place the bulk of their overhead in the re-key. Since stream >ciphers have "memory," I would have to "re-key" to the same key for each of >my messages. I would rather key something like DES once and run it in CBC >mode or use some other form of IV. > >Help or pointers to help are greatly appreciated. Just generate a stream of octets by running DES (or some other block cipher) in the following mode: C_-1 = IV C_n = E_K(C_n-1) i.e., start by encrypting the IV with your key, and thereafter generate a block by encrypting the previous block with your key. Here the IV is essentially part of the key. XOR the resulting bits (or octets) with your plaintext to generate an encrypted stream. Remember within your cipher's state the current output block and how much of it you've used. Note that if you reuse a key, you'll enable attacks that rely on the fact that similar messages will produce similar ciphertext. - Tim Dierks Tim Dierks -- timd at consensus.com -- www.consensus.com Head of Thing-u-ma-jig Engineering, Consensus Development From wendigo at gti.net Mon Apr 22 23:55:52 1996 From: wendigo at gti.net (Mark Rogaski) Date: Tue, 23 Apr 1996 14:55:52 +0800 Subject: OpenSoft ExpressMail Message-ID: <199604230238.WAA15212@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- I've been a bit behind with the mail, so I don't know if anyone brought this up yet. We just got a beta copy of OpenSoft ExpressMail. It's a DLL that plugs in as a messaging service for the Win95 desktop Inbox. The sheet that comes with it mentions the following: Compatible with: -- S/MIME -- DCS -- Verisign format Digital ID's -- POP3 -- RFC's 821, 822, 876, 1123, 1153, 1460, 1651, and 1653 Features: -- Talk about "Total encryption key (digital ID) management system -- Full MIME support -- Variable key length (no ceiling mentioned) -- Talk about spiffy address book capabilities (good to get the non-geeks into it) The problem is, I can't seem to get it working. There is no setup app (which I hope they plan to put in the production model ... for their sakes). The Macro$loth Mail system doesn't seem to like the idea of using the DLL. I'm going to see if I have any luck with the Mail server that came with it (I forgot to mention that this is a whole client/server combo). The client is for Win95, the server for Win95/NT. Another added nicety is that there is supposedly a free standalone decoder app. I'm going to see if I can get my hands on it (if it is past vapor yet). I hope I can get this functional, cuz I wanna play, dammit! - -- Mark Rogaski | Why read when you can just sit and | Member System Admin | stare at things? | Programmers Local GTI GlobalNet | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMXxCoQ0HmAyu61cJAQGoAwP/Wj01PYKKBn8BPgHHqq4jgscpwnkk2kBK xiRzzhcY59N0POPpf6pujxCESfXH7kpa6c5ZGgF/iZKgdaKCLQyfpS08pu+Bw5uO 7RxOI/MTaPrYHmCCrwCJ15ZYLm2mIOGh2MqA6qaJ+km6mK9vrzdxZ/Td+dj/4Hct SYqq2OfdXpo= =8OyV -----END PGP SIGNATURE----- From richieb at teleport.com Tue Apr 23 00:14:32 1996 From: richieb at teleport.com (Rich Burroughs) Date: Tue, 23 Apr 1996 15:14:32 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <2.2.32.19960422223911.006db2fc@mail.teleport.com> At 03:28 PM 4/22/96 -0400, Mark Aldrich <maldrich at grctechs.va.grci.com> wrote: [snip] >While I understand that "intent" is something with which lawyers have to >contend when they defend or prosecute a case, I don't think that the >notion of intent to commit harm extrapolates correctly into the field of >virus writing. Intent may not even be a necessary part of a "computer crime" case. Here in Oregon, Randal Schwartz's case was the first test (I believe) of the state's vague computer crime law. Proving that Randal had malicious intent wasn't part of the prosecution's case, AFAIK -- only that he had altered data "without authorization." Given that viewpoint, I can easily picture a virus author getting busted here even if they didn't have intent to commit harm. The O'Reilly book _Computer Crime_ (by Icove, Seger & VonStorch) has a discussion of US federal law in these areas and the state computer crime laws. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From hfinney at shell.portal.com Tue Apr 23 00:51:15 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 23 Apr 1996 15:51:15 +0800 Subject: PGP's +makerandom is broken (was: Re: Article on PGP flaws) Message-ID: <199604230424.VAA15677@jobe.shell.portal.com> I have a Java applet which runs 10K bytes of output of pgp +makerandom through a noise sphere program. It looks random to me. I don't know how it compares with jf_avon's observations. Judge for yourself. http://www.portal.com/~hfinney/java/noise/noise.html Hal From rbersten at ia.com.au Tue Apr 23 01:27:40 1996 From: rbersten at ia.com.au (Rosanne Bersten) Date: Tue, 23 Apr 1996 16:27:40 +0800 Subject: OFF Topic: MS-Exchange bug (winmail.dat) Message-ID: <v01540a05ada1d5ce96fd@[203.8.88.46]> I don't believe you, the recipient, can do anything. But your friend the sender can.. To get rid of the dumb info Exchange sends out in WINMAIL.DAT to non-exchange mail clients, select Address Book from the Tools menu. Add every single Internet address you know of which is a) a mailing list or b) someone who doesn't use exchange. Double click on each address individually and Click on the tab "SMTP - Internet". Uncheck the "Always send messages in Microsoft Exchange Rich Text Format" for *each* *address* *individually*. Are we having fun yet? Apparently, for a 38 word msg, with one word in colour and one in a different font, exchange sends out a 1514 character file to describe it. cya, r *-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-* + Rosanne Bersten (editor at ia.com.au) - Editor, internet.au magazine + + tel: +61 2 310 1433 * fax: +61 2 310 1315 * http://www.ia.com.au + *-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-* From unicorn at schloss.li Tue Apr 23 01:29:27 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 23 Apr 1996 16:29:27 +0800 Subject: premail/pine 3.93 Message-ID: <Pine.SUN.3.93.960422220429.10858E-100000@polaris.mindport.net> Has anyone gotten premail to work with pine 3.93 properly yet? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From llurch at networking.stanford.edu Tue Apr 23 01:30:36 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 23 Apr 1996 16:30:36 +0800 Subject: NTFS Support for DOS/Win3.x,95 (fwd) Message-ID: <Pine.ULT.3.92.960422174012.2448E-100000@Networking.Stanford.EDU> This could be interesting, since some people considered the NTFS file system for Linux to be news. ---------- Forwarded message ---------- Date: 22 Apr 1996 15:17:04 -0700 From: mark eugene russinovich <mer at cs.uoregon.edu> To: comp-os-ms-windows-announce at uunet.uu.net Subject: NTFS Support for DOS/Win3.x,95 We are releasing our first version of NTFSDOS, a DOS/Windows NTFS disk recognizer, today at Andrew Schulman's web site: ftp://ftp.ora.com/windows/pub/examples/win95.update/schulman.html In addition, the executable has been posted to: comp.binaries.ms-windows Below is the README that accompanies the executable. ====================================================================== NTFS File System Redirector for DOS/Windows V0.9 (read-only) Copyright (C) 1996 Mark Russinovich and Bryce Cogswell ====================================================================== NTFSDOS.EXE is a network file system redirecter for DOS/Windows that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear virtually indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS or from Windows, including from the Windows 3.1 File Manager and Windows 95 Explorer. Here is sample output from an NTFSDOS session under DOS 7.0 (Windows 95): ---------------------------------------------------------------------- C:\ntfsdos>ntfsdos NTFS File System Redirector for DOS/Windows V0.9 (read-only) Copyright (C) 1996 Mark Russinovich and Bryce Cogswell Initialized 512KB of EMS cache. Mounting NTFS partition(0x80:3) as drive: H C:\ntfsdos>h: H:\>dir Volume in drive H is ntfs Directory of H:\ ctrl2cap <DIR> 04-09-96 3:15p dblscan <DIR> 04-09-96 3:15p filemon <DIR> 04-09-96 3:15p flush <DIR> 04-09-96 3:15p new <DIR> 04-08-96 5:35p NEWFILE 9 04-18-96 4:31p record <DIR> 04-09-96 3:15p vcmon <DIR> 04-09-96 3:15p vsd <DIR> 04-09-96 3:15p vxdmon <DIR> 04-09-96 3:15p winnt <DIR> 04-19-96 9:02a 1 file(s) 9 bytes 10 dir(s) 79,872 bytes free H:\> ---------------------------------------------------------------------- Installation and Use -------------------- To use NTFSDOS, simply execute it from the DOS command line (DOS 5.0 or greater is required). Executing NTFSDOS before Windows is started will create logical drives that are visible globally once inside Windows. Executing NTFSDOS in a DOS box means that the NTFS drives only exist within the DOS box where NTFSDOS was executed. When NTFSDOS starts, it will scan all hard-disk parititions on your system to look for NTFS drives. It will mount all NTFS drives it finds as unique DOS logical drive letters, and will inform you as it does so. NTFSDOS implements its own caching, and uses one of two types of memory, depending on how your system is configured. Its first choice is to use EMS memory for caching, as this minimizes demands placed on conventional memory. If you start NTFSDOS before Windows, then HIMEM.SYS and EMM386.EXE (without the /NOEMS option), both of which can be found in the WINDOWS directory under Windows 95 or the DOS directory under Windows 3.1, or their equivalents, must be started before NTFSDOS. If NTFSDOS does not detect an EMS server, it will resort to allocating 64KB of conventional memory for its cache. In either case, it will inform you of its action. There is currently no way to unload NTFSDOS from memory once it has started. Notes on Usage -------------- NTFSDOS is being released with no known bugs, although it does currently have some shortcomings, most of which we hope to solve for a next release: - executing some Windows programs on NTFS drives results in messages indicating that some DLL is missing. This error appears to be the result of updates to the network redirecter specification for Windows 95 which are undocumented. Specifically, it appears that INT 2F/1123 (qualify pathname) has changed and must be supported. If you have any information regarding this, please contact us. - modify and access times are not supported (for example when "properties" is selected in the Windows 95 explorer) since their addition to the Windows 95 network redirecter spec is undocumented. NTFSDOS does have this time information available to it, so if you have any knowledge of the redirecter support required to provide it, please let us know. - performance is particularly poor when viewing extremely large directories (that contain hundreds of files) under the Windows 95 explorer. This is due to a blind, sector-base caching scheme. We plan to implement "smart caching" (tm) :-), that adds directory information to the caching scheme. This should improve performance dramatically. - opening some types of documents, for example bitmaps, results in a message from Windows that the document cannot be registered. This again appears to be a side-effect of a changed Windows 95 redirecter interface. Unfortunatley, to view these files you must first copy them to a non-NTFS drive and then open them. If you have any information about this, please contact us. - NTFSDOS does not currently provide long-file name support for its NTFS drives under Windows 95. We are looking into providing this for the next release. Reaching Us ----------- We would appreciate any feedback you have concerning this utility including suggestions and bug reports. Mark can be reached at markr at numega.com, and Bryce can be reached at cogswell at cs.uoregon.edu. Acknowledgements ---------------- Significant understanding of the NTFS file system layout was derived by studying the Linux-based NTFS driver code maintained by Martin von Lowis. We acknowledge his indirect contribution to this endeavor. Andrew Schulman, et. al.'s, book, Undocumented DOS (Addison-Wesley), was invaluable in providing network redirecter information necessary for implementing NTFSDOS. From jamesd at echeque.com Tue Apr 23 01:37:11 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 23 Apr 1996 16:37:11 +0800 Subject: Entropy Message-ID: <199604230500.WAA23405@dns1.noc.best.net> At 10:16 AM 4/22/96 EST, Jed Liu wrote: > I've heard a lot of discussion here about "entropy tests" and "tests > for randomness". Could somebody please explain to me one of these > tests (or would that take too long?) ? Thanks. You cannot test for entropy, not can you test for randomness. You can however test for particular kinds of non randomness and particular kinds of lack of entropy. Such tests are only useful if you have an adequately understood source of entropy. Each such test is only appropriate for particular sources of entropy. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From gnu at toad.com Tue Apr 23 01:54:37 1996 From: gnu at toad.com (John Gilmore) Date: Tue, 23 Apr 1996 16:54:37 +0800 Subject: EFF member discount @ Forum on Information Security, Apr. 29 Message-ID: <199604230438.VAA04546@toad.com> Benjamin Group and The Churchill Club graciously offer a discount to EFF members ($20 instead of $35; includes filet mignon dinner, etc.) The Forum on Information Security Celebrating 20 Years of Public Key Cryptography Monday, April 29, 1996 -- 6 to 9 p.m. At the San Francisco Airport Marriott Hotel (Burlingame) Dinner and Forum: $20 for Club & EFF Members, $35 for Non-Members Call 408-371-4460 to Make Reservations This program is supported in part by an unrestricted grant from Cylink Corporation Press Release ------------- FORUM ON INFORMATION SECURITY TO REVIEW LEGISLATION TO COMBAT ECONOMIC ESPIONAGE Senate and House Bill Sponsors to Join FBI and U.S. Postal Service Representatives, Along With the Inventors of Public Key Cryptography, in Discussing Ways to Safeguard Sensitive Data and Electronic Commerce For More Information, Contact: Gary Quackenbush The Benjamin Group Inc. 408-559-6090; fax (408) 599-6188 gquack at s.v.tbgi.com Kate Apgar The Churchill Club 408-371-4460 BURLINGAME, California (April 22, 1996) -- The Forum on Information Security, Celebrating 20 Years of Public Key Cryptography, will be held next Monday night, April 29, 1996, from 6 to 9 p.m in the main ballroom of the San Francisco Airport Marriott Hotel in Burlingame, Calif. Topics to be addressed include: What is the threat to national economic security? Will Federal export rules be eased on strong public keys? Should government have copies of your secret codes? Can state-of-the-art encryption be used by everyone in the U.S.? And will the legislation now in Congress solve these problems? Sponsored by The Churchill Club, Silicon Valley's premier non-profit public affairs forum, this event is supported in part with an unrestricted grant from Cylink Corporation. The purpose of this Forum is to address increasing public concerns over the rise in economic espionage, which -- according to a White House study -- is estimated to cost American businesses up to $100 billion a year as some 23 countries target U.S. trade secrets. Keynote speakers will include Senator Conrad Burns (R-MT), Senator Larry Pressler (R-SD), and Congressman Robert Goodlatte (R-VA), sponsors of three separate legislative initiatives focusing on relaxing government restrictions on the use and export of strong encryption systems. The Forum is also being held to honor the founding fathers and inventors of Public Key Cryptography, Whitfield Diffie, Martin Hellman and Ralph Merkle, who some 20 years ago developed the original, patented secure encryption algorithms used today as the pioneering technology behind the Data Encryption Standard (DES), Digital Signature Standard (DSS) and other standards-based cryptosystems. The three inventors will provide their perspectives on the past, present and future of Public Key Cryptography The program agenda also features a number of other information security experts including: David Morris, Vice President with Cylink Corporation, will serve as master of ceremonies for the Forum and set the stage for the evening by outlining a five-part criteria essential for a hackerproof information security system. Jim Omura, Chief Technology Officer and co-founder of Cylink, will provide a definition of Public Key Cryptography and other unfamiliar terminology required to understand the technology and how it impacts the public and private sectors. James Freeman, FBI Special Agent in Charge of the San Francisco area, will provide an overview of the threat to national economic security with examples of investigations involving Silicon Valley high-tech companies. Paul Raines, Project Manager with the U.S. Postal Service, will preview the soon-to-be-announced electronic postmarking system, the first nationwide consumer application of Public Key Cryptography incorporating a certificate authority and key registry bureau. For Forum information and reservations, call the Churchill Club at 408-371-4460. The fee for this event is $20 for Churchill Club members and $35 for non-members and includes a full-course dinner and the program. Registration and the cocktail hour starts at 5:30 p.m. at the San Francisco Airport Marriott Hotel in Burlingame with dinner at 6:00 p.m. immediately followed by the program at 6:35 p.m. Agenda ------ The Forum on Information Security Celebrating 20 Years of Public Key Cryptography San Francisco (Burlingame) Airport Marriott Hotel April 29, 1996 (6 p.m. to 9:30 p.m. PDT) 5:30 p.m. Registration and Seating Begins (Cocktail Hour at Cash Bar) 6:00 p.m. Dinner is Served: Marriott Hotel Ballroom 2nd Floor 6:30 p.m. Ken Roberts, Principal, New Futures World Marketing, and Churchill Club President, Gives Welcome, IntroducesMC 6:35 p.m. David Morris, Vice President, Cylink Corporation. Overview of Events by Master of Ceremonies The Five Essential Ingredients of Any Data Security System 6:45 p.m. Jim Omura, Chief Technology Officer, Cylink Corporation, and a Co-Founder of the Company What is Public Key Cryptography? 7:00 p.m. Senator Conrad Burns (R-MT) Senator Larry Pressler (R-SD) Congressman Robert Goodlatte (R-VA) The Need for Legislation to Ease Export Restrictions and to Ensure the Widest Possible Utilization of Strong Encryption Systems in the United States 7:45 p.m. James Freeman, Special Agent in Charge, FBI (Federal Bureau of Investigation), San Francisco Office The Threat and Reality of Industrial Espionage in the Bay Area 8:00 p.m. Paul Raines, Project Manager, USPS United States Postal Service Electronic Postmark Service and the Key Registry Bureau, The First Nationwide Application of Public Key Cryptography for the Average Citizen Incorporating a Certificate Authority 8:15 p.m. Whitfield Diffie, Martin Hellman, Ralph Merkle Pioneering Inventors/Developers of Public Key Cryptography Comment on the Past and Future of Advanced Cryptosystems. 20 Years of Public Key Cryptography (Panel) 9:00 p.m. Award Presentations, Conclusion & Summary (David Morris) From llurch at networking.stanford.edu Tue Apr 23 02:03:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 23 Apr 1996 17:03:53 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <01I3V1T4ISI88Y4Z9L@mbcl.rutgers.edu> Message-ID: <Pine.ULT.3.92.960422221019.4599J-100000@Networking.Stanford.EDU> E. Allen Smith actually might have written: >I've seen various quotes from Randy Weaver in various publications, >including Time and other non-right-wing ones. None of them indicated him >as an actual neo-Nazi or racist BWAHAHAHA!!! Here's a URL for a *highly sympathetic* piece on Weaver that complains that, "I will be happier when the press stops demonizing Weaver -- in subtle and not so subtle ways -- in news stories and editorials. He is referred to so consistently as "White Separatist Randall Weaver" that one would be forgiven for assuming that his parents gave him the first name "White," while "Separatist" was some old family name handed down from his maternal aunt": http://www.omnet.com/What-I-Think/col.09-01-95B.html Here are some *highly sympathetic* URLs that mention that Weaver was a white separatist/Aryan Nations wacko: http://www.scimitar.com/revolution/by_topic/firearms/enforce/rubyridge/setup.html http://eagle.tamu.edu/~carlp/Liberty/Weaver.Case.AR.html A slightly more balanced piece from the New York Times: http://eagle.tamu.edu/~carlp/Liberty/Weaver.Case.NYT.html FWIW, the Anti-Defamation League, which I am *well aware* has said sily things about militias and skinheads in the past, mentions Weaver in this report: http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/w/weaver.randy/aryan-nations I have also heard Weaver cited quite favorably on the Stormfront list, which has repudiated Timothy McVeigh because his friend Terry Nichols has a Filipino wife. This makes McVeigh a Race Traitor by association, of course. -rich From jamesd at echeque.com Tue Apr 23 02:10:36 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 23 Apr 1996 17:10:36 +0800 Subject: Nazis on the Net Message-ID: <199604230524.WAA24749@dns1.noc.best.net> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU>' wrote: > > Randy Weaver was neither a neo-Nazi nor a racist. He was > > (and, so far as I know, still is) a white separatist. > > (One would think liberals would tolerate this - they > > tolerate the equally offensive black separatists, > > after all...). The well known child molester tallpaul wrote: > Might we know the source of his complete info on Weaver's political and > racial beliefs. > > I see, in essence, three hypothesis: > > 1) Cover the ass of a potential neo-Nazi or racist (or both) without any > reference to what is really true; > > 2) Get information from outer space; Well, child-molester-tallpaul, I notice that the liberal lapdog press calls him White-Separatist-Randy-Weaver as though he was baptized "white separatist" at birth. Presumably if they had one grain of evidence that he was a Nazi or a white supremacist, they would call him White-supremacist-Randy-Weaver. I notice that you have not one grain of evidence that he is a nazi, just as I have not one grain of evidence that you fuck little boys up their asses, but you insinuate that he is a Nazi until somehow proven innocent (and how can anyone prove himself innocent of thought crime), and you also insinuate that anyone who suggests otherwise must be a nazi or nazi sympathizer himself. Obvious proof that you are a homosexual child molester. (Note for the seriously humor impaired. I have no more reason to believe that tallpaul rapes little children than tallpaul has to believe that Randy Weaver was a white supremacist or tallpaul has to believe that Allen Smith is a Nazi sympathizer.) --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From scon at 2600.com Tue Apr 23 03:50:17 1996 From: scon at 2600.com (Summercon Organizers) Date: Tue, 23 Apr 1996 18:50:17 +0800 Subject: ANNOUNCE: Summercon IX Message-ID: <199604230622.CAA07772@phalse.2600.com> Phrack Magazine and Cult of the Dead Cow proudly present: The 1996 Summer Security Conference sSSSS U U M M M M EEEEE RRRR CCCC OOOO N N S U U MM MM MM MM E R R C O O NN N sSSSs U U M M M M M M M M EEE RRRR C O O N N N S U U M M M M M M E R R C O O N NN SSSSs UUUU M M M M EEEEE R R CCCC OOOO N N IIIII XX XX III XX XX III XXXX III XX XX IIIII XX XX "SUMMERCON IX" June 15th, 1996 Georgetown Holiday Inn Washington D.C. This is the official announcement and open invitation to the 1996 incarnation of Summercon. In the past, Summercon was an invite-only hacker gathering held annually in St. Louis, Missouri. Starting in 1995, SummerCon became an open event to any and all interested parties: Hackers, Phreaks, Pirates, Virus Writers, System Administrators, Law Enforcement Officials, Vigilantes, Neo-Hippies, Secret Agents, Teachers, Disgruntled Employees, Telco Flunkies, Journalists, New Yorkers, Programmers, Conspiracy Nuts, Musicians, Nudists, and Rug Sucking Wannabes. LOCATION: The Georgetown Holiday Inn 2101 Wisconsin Ave. NW Washington, DC The hotel is located in scenic Georgetown, close to the Mall and the Smithsonian Museums as well as all the major tourist attractions in D.C... Georgetown itself is a major tourist area, with many fine shops, restaurants, PUBS and NIGHTCLUBS located there. If you can't figure out anything to do here, you need to get a life pretty badly. DIRECTIONS: from I66 coming east: Just keep going east. Take the Key Bridge exit off of 66, the bridge will be a left at the 3rd light after you take the exit. It's hard to miss, keep left and you will be forced over the bridge pretty much. On the other side of the bridge, take a right on M street (right and left being the ONLY choices possible.) keep right on the bridge and you will again be forced onto M street. Go down M and take a left at the second or third light. Go up 2-3 blocks and take a right (either or), and proceed to Wisconsin Ave. Take a left on Wisconsin. There is NO left turn from M st. onto Wisconsin, thus the diverse route. (Hey welcome to DC, run by the U.S. Congress and Mayor Barely.) (You will soon discover the same logic that brought you the CDA.) >From MD and 95 North: Take 95 south to 495 towards Northern Virginia. Take the George Washington Parkway South to Key Bridge. Follow I66 East directions above rest of the way from Key bridge. >From VA and 95 South: Get on 395 North, follow signs to National Airport. At National Airport, turn around and follow directions from National Airport. (this will keep you from getting LOST, just do it) >From National Airport: Tell the cabbie to take you to the hotel. OR Take George Washington Parkway to the Key Bridge / Rosslyn Exit. Follow I66 East directions from above from Key Bridge. >From Dulles Airport: Tell the cabbie to take you to the hotel. OR Take the Dulles Access road back southeast away from the Airport. This will dump you out on I66 eastbound. (See above) If you are trying to get TO Dulles, take I66 westbound and get in the right hand lane after the Sycamore St. exit, and veer to the right to take the next exit to the airport. Get in the left hand lane, and stay there to avoid being on the toll road. There is a parallel road that leads to the airport, but it's a local toll highway, stay left and avoid giving Virginia money unnecessarily. Taxis: The average airport fare runs around $20 from national, to $30 for Dulles. Your mileage may vary however with local road conditions. CONFERENCE INFO: It has always been our contention that cons are for socializing. "Seekret Hacker InPh0" is never really discussed except in private circles, so the only way anyone is going to get any is to meet new people and take the initiative to start interesting conversations. Because of this, the formal speaking portion of Summercon will be held on one day, not two or three, leaving plenty of time for people to explore the city, compare hacking techniques, or go trashing and clubbing with their heretofore unseen online companions. If you are coming from out of town and want the full hacker/tourist experience, we will informally meet in the lobby of the Georgetown Holiday Inn Friday, June 14th, 1996, at 2pm. From there we will have an informal hacker sight-seeing tour of DC, including the FBI headquarters and other interesting (and legal) places to go. The sight-seeing will converge with DC locals and mall security at 2600 in Pentagon City Mall Friday, June 14th, 1996, at 6pm. Although this isn't the first Friday of the month, this is definitely an official 2600 meeting, and likely to be the biggest one ever. This informal meeting will be held until about 8pm. The formal conference will be held on Saturday, June 15th, 1996, from 10am to 6pm (with a break for lunch). There will be a variety of speakers, panel discussions, demonstrations, and other events guaranteed to keep everyone entertained. No video or audio tapes will be allowed in the conference room. No still photography will be permitted in the conference room without prior permission of all those being photographed. Violation of these policies will result in you being asked to leave the conference. There will be no selling of t-shirts, disks, firewalls, payphones, etc. in or around the conference area without prior permission of the organizers. If you are interested in demoing or selling something, please contact us at the address listed at the bottom. SPEAKERS: The speakers list for Summercon IX is still being finalized, but it is sure to be even more dynamic and interesting than previous years. Speakers at Summercon '95 included such people as ex-CIA agent Robert Steele, author Winn Shwartau, Cypherpunk founder Eric Hughes, movie producer Annaliza Savage, and network security expert Bob Stratton. If you are an expert in some aspect of computer, network, or telco security and are interested in speaking at Summercon, please contact us to discuss the possibility further at the address listed at the end of this document. We are also going to be having short speeches by real hackers or phreakers giving their own perspective on some issue or insight into a new technology. This is an open invitation for you hackers to be heard; just provide us with a brief outline of the topic you will be covering and the amount of time you will take (suggested: 5 - 15 minutes) at the address listed below. COSTS: Costs for SummerCon IX are as follows: Secret Service / FBI Rate: $500.00 Government / Institutional Rate: $ 80.00 Hacker / Individual Rate: $ 20.00 Members of the United States Secret Service or Federal Bureau of Investigations, and anyone that has in the past or currently is providing information or services to the Secret Service or FBI are required to pay the 'Secret Service / FBI Rate'. Employees of a local, state, or federal government, members and associates of any L.E.O., and employees of any corporation working in the area of computer security must pay the 'Government / Institutional Rate'. Anyone that does not fit into one of the above categories is eligible for the 'Individual / Hacker Rate'. Due to historical lack of interest, there will not be pre-registration for the conference. Registration will begin at 9am the day of the conference, and will continue for the duration of the conference or until the meeting facilities have reached their capacity. Since the latter is likely to occur, it is suggested you don't oversleep. No purchase orders, checks, money orders, foreign currency, stock certificates, IOUs, or coins will be accepted for registration. Secret Service agents, small unmarked bills only, please. Sorry for this being a bit more expensive than last year for the hackers, DC seems to be a more expensive place to hold a conference and the expenses are several times what they were in Atlanta. Bring money for t-shirts, they are cool! HOTEL INFORMATION: Georgetown Holiday Inn 2102 Wisconsin Ave NW Washington, DC Phone Number: (202) 338-4600 The cost for a double occupancy room at the Georgetown Holiday Inn is $99. There is no special conference rate, there is no need to mention you are with a conference at all, the people in reservations probably won't know what you are talking about anyhow. The $99 rate is however a a special rate being held by Holiday Inn, so don't be afraid to tell them so if they try to quote you a higher rate. If the hotel is damaged in any manner, you are going to pay for it, and you will probably end up in jail. And even if you are lucky enough to get away with it, the rest of the hackers staying at the hotel will end up paying for it, and I'm sure that's going to make you a well-liked and respected hacker, especially among some of the bigger hackers who might feel tempted to inflict bodily harm on someone who causes any damage to the hotel. Please act responsibly, don't drink and drive, chew all your food before you swallow, don't swallow your gum, and recycle. CONTACTING SUMMERCON ORGANIZERS: You can contact the Summercon organizers through e-mail. If you haven't figured out e-mail yet, you probably shouldn't be coming to Summercon. As a final note, if you are planning on coming to Summercon, we would appreciate you sending e-mail to us with the subject of "GOING TO SCON" or something similar, just so that we have a rough idea of how many people are going to show up. E-mail: scon at 2600.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=- From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 04:02:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 23 Apr 1996 19:02:15 +0800 Subject: Nazis on the Net Message-ID: <01I3V1T4ISI88Y4Z9L@mbcl.rutgers.edu> From: tallpaul at pipeline.com (tallpaul) >Since E.A. Smith wants completeness re the Zundelsite issue, I am curious >about his assertion about Weaver. >Might we know the source of his complete info on Weaver's political and >racial beliefs. >I see, in essence, three hypothesis: >1) Cover the ass of a potential neo-Nazi or racist (or both) without any >reference to what is really true; >2) Get information from outer space; >3) Base the conclusion on hard evidence. >If the answer is 3) I'd like to get a real pointer to the real evidence. By >real evidence I mean just that, not wishful thinking or advertising jingles >for points 1) or 2). Hmm... good question. I've seen various quotes from Randy Weaver in various publications, including Time and other non-right-wing ones. None of them indicated him as an actual neo-Nazi or racist, even in the stories (such as in Time) which appeared to assume that militia member = neo-Nazi (quite incorrect, from what I know of the subject. For instance, the most anti-government of the gun-rights organizations, which appears to have quite a few militia members, is Jews for Firearms Ownership. The founders of the organization in question believe that gun rights are necessary to prevent another Holocaust. Other gun-rights political organizations concentrate on self-defense from non-governmental criminals). I don't know when I'll have the time to check on the matter. >PS: Cypherpunks seems to be getting very wiggy these days. Most mailing lists do on a regular basis... my (passing) scans of the archives indicate that cypherpunks is prone to this. -Allen From jimbell at pacifier.com Tue Apr 23 04:32:07 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 23 Apr 1996 19:32:07 +0800 Subject: 5th protect password? Message-ID: <m0uBZkb-000986C@pacifier.com> At 02:25 PM 4/21/96 +0000, Jonathon Blake wrote: > > The first forensic use of graphology may have occurred as early > as 1960. In 1975, a Juvenile Court Judge in Boulder CO used > graphology forensically to determine the most appropriate method > of handling some of the cases that appeared in _his_ court. > > Most courts in the United States regard the forensic use of > graphology as dubious, at best. A few have ruled against > it. > >> The point is that the demanding of handwriting samples is a fairly new >> What do you want to bet that it first occurred in this century? > > For questioned document examination? Sometime during the > sixties. > For graphological examination? Hasn't occurred yet. Tell this to Unicorn. He seems to disagree, although he hasn't cited specifics yet. > >> If that were the case, there there would be no justification for demanding a >> handwriting sample. Nevertheless, it is apparently done. And while a > > Can you provide a citation where a court has demanded a handwriting > sample for graphological purposes? Adding the conditional "for graphological purposes," I can't. I was merely referring to a SC decision previously quoted here. The writing of that reference didn't make clear what purposes the sample could be used for. > >> Question: Let's suppose, for the purposes of argument, the policy was >> diametrically opposite, and no such samples were taken, ostensibly because > > The gist of the argument is that handwriting samples are public, > and that things are written for public consumption, not private > consumption. > >> would come to the opposite conclusion. You would have to explain to people >> why the precedents were all wrong. > > > You are taking a completely hypothetical situation that never had > a basis in what could have happened. No. What I was trying to do is to get people to stop thinking of legal precedent as being some sort of end-all incident that makes all further discussion pointless. >> demanded of a defendant in 1783, which was about when the 5th amendment was >> written. > > What they said. > Where they said it. > What they had in their possession. > Where they had said items in their possession. > > Note in passing that rules for admitting something into > evidence was a lot looser then, than it is now. If that's really the case, and this would today be considered a clear violation of the 5th, what does that say about the claim that "current government policy" must be right? Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 04:57:23 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 23 Apr 1996 19:57:23 +0800 Subject: Nazis on the Net Message-ID: <01I3V3793L1W8Y4Z9L@mbcl.rutgers.edu> From: IN%"jamesd at echeque.com" 23-APR-1996 01:23:34.90 >(Note for the seriously humor impaired. I have no more reason >to believe that tallpaul rapes little children than tallpaul >has to believe that Randy Weaver was a white supremacist or >tallpaul has to believe that Allen Smith is a Nazi sympathizer.) Thank you for your support (although I am not named Bartles or James), but I don't _think_ that tallpaul was calling me a Nazi sympathizer. Doing so would be thoroughly inaccurate, and would be contradicted by my previous statements re: Nazi Germany (one reason for Hiroshima and Nagasaki being right was the Japanese alliance with Germany) and the Holocaust (people who claim it didn't happen are calling my paternal grandfather a liar). -Allen From grafolog at netcom.com Tue Apr 23 05:23:07 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Tue, 23 Apr 1996 20:23:07 +0800 Subject: 5th protect password? In-Reply-To: <m0uBZkb-000986C@pacifier.com> Message-ID: <Pine.3.89.9604230552.A27763-0100000@netcom2> Jim: On Mon, 22 Apr 1996, jim bell wrote: > >> The point is that the demanding of handwriting samples is a fairly new > >> What do you want to bet that it first occurred in this century? > > For questioned document examination? Sometime during the > > sixties. > > For graphological examination? Hasn't occurred yet. > > Tell this to Unicorn. He seems to disagree, although he hasn't > cited specifics yet. I was only thinking in terms of US Courts. Black Unicorn didn't limit himself to that. His citations are early than 1900. Think Ecclesiastical Courts. Or use Lexis. > > Can you provide a citation where a >> court has demanded a handwriting > > sample for graphological purposes? > > Adding the conditional "for graphological purposes," I can't. Why doesn't that surprise me? You raised the conditional "for graphological purposes". > I was merely > referring to a SC decision previously quoted here. The writing of that > reference didn't make clear what purposes the sample could be used for. I guess you didn't read any of the SC decision. It was only for Questioned Document Examination. > No. What I was trying to do is to get people to stop thinking of legal > precedent as being some sort of end-all incident that makes all further > discussion pointless. So you totally ignore what was practiced. Thus creating hypothetical situations that could never have occured. > > Note in passing that rules for admitting something into > > evidence was a lot looser then, than it is now. > If that's really the case, and this would today be considered a > clear violation of the 5th, what does that say about the claim that I guess you are not familiar with the _current_ requirements for one to be qualified as an expert witness in court. Or studied _Federal Rules for Evidence_. Or faced a hostile attorney whose sole intent is to totally discredit you, because the facts don't support the client's allegations. > "current government policy" must be right? Given a choice between being able to prove my innocence, based on scientifically demonstrable facts, or on the heresay of unsubstantiated opinion, I'd rather use the scientific facts, anytime. And as you've been told, the items you gave in your list were for identification of an individual. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 06:20:29 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 23 Apr 1996 21:20:29 +0800 Subject: FBI Bulletin: Social Protests in the 1990s: Planning a Response Message-ID: <01I3V17SNRYW8Y4Z9L@mbcl.rutgers.edu> An interesting look at FBI psychology for some things. Looks like the pro-lifers are getting a bit more sensible... pity from my viewpoint, but good as an example. -Allen From: IN%"rre at weber.ucsd.edu" 22-APR-1996 07:46:41.16 From: Phil Agre <pagre at weber.ucsd.edu> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Sat, 20 Apr 1996 12:57:28 -0400 From: Matthew Gaylor <freematt at coil.com> Subject: FBI Bulletin: Social Protests in the 1990s: Planning a Response Social Protests in the 1990s: Planning a Response By Gary A. Allgeyer, M.S. Captain Allgeyer serves with the Melbourne, Florida, Police Department. >From the January 1996 Issue of The FBI Law Enforcement Bulletin "The Law Enforcement Bulletin is published monthly by the Federal Bureau of Investigation, Ninth and Pennsylvania Ave, N.W., Washington, D.C. 20535. Contributors' opinions and statements should not be considered as an endorsement for any policy, program, or service by the FBI." During the 1990s, many communities have witnessed a resurgence in protests and civil disobedience demonstrations reminiscent of the civil rights and antiwar movements of earlier decades. Major issues today include abortion, nuclear proliferation, environmental protection, service and access rights of the physically challenged, and continued civil rights concerns. Any community with product- or service-oriented businesses or military installations may be targeted for action, either by local activists or national organizations. The City of Melbourne, located on the southeast central coast of Florida, has been the focus of such actions in recent years, primarily due to the presence of the only abortion clinic in a county with almost one-half million residents. In addition, the clinic's highly outspoken owner makes her home in Melbourne, as does the leader of Operation Rescue, a national pro-life organization. These factors have made the city a hotbed for the abortion issue. The intensity of pro-life and pro-choice sentiments and the multitude of proponents on either side required the Melbourne Police Department (MPD) to meet this challenge head on. Yet, despite hundreds of arrests, lengthy trials, lawsuits, and attempts by both sides of the issue to challenge the department's neutrality and professionalism, the MPD continued to maintain a positive public image, as demonstrated in television coverage, press reports, and editorials. The department has learned a great deal since its first encounter with activism several years ago. Agency administrators have identified and established methods to address several issues common to the protests they faced. In many ways, these issues represent features typical to most contemporary activist movements, regardless of where they operate or what causes they support. NEW CRUSADERS For the most part, the general public's perception of social protests has focused on the fringe--a picture of activists as a few misguided malcontents driven by extreme viewpoints. Images of barefooted flower children dressed in tie-dyed shirts and old jeans usually come to mind. Protesters today are more likely to arrive at the scene conservatively dressed, some even wearing designer clothes. They are committed to a cause, but operate from what would appear to be a less radical position. Whereas the old school proclaimed to Middle America, "We're different," the activists of the 1990s claim, "We are Middle America." Activism, once the domain of extremists, now is viewed as a valid form of creating social change. Christian activists, in particular, come from conservative backgrounds and depend on the belief that most Americans share their basic values to build their ranks and project an image of legitimacy onto their activities. Protesters who once would have been considered reactionary now may be seen as courageous proponents of a cause. This change in public perception creates some particular challenges for law enforcement. CHALLENGES TO LAW ENFORCEMENT Intelligence Gathering: Florida law allows law enforcement to collect and maintain intelligence on persons and groups if the surveillance is conducted with "a reasonable, good faith belief that it will lead to detection of ongoing or reasonably anticipated criminal activities"1 (emphasis added). Unfortunately, incidents of past abuse create a negative public perception of police efforts to gather intelligence information on activist groups. Nevertheless, the necessity for intelligence gathering cannot be over emphasized. To cope successfully with a major incident or a series of announced protests, the police must collect information about the leaders and members of the sponsoring group(s). The Melbourne Police Department assigned a full-time de-tective to intelligence duties with the advent of large-scale abortion protests. The detective and the department met the challenge of intelligence gathering in a very direct way. Every issue has two sides, and law enforcement can use this fact to its advantage with regard to activist groups. For the MPD, much of the intelligence information gained on pro-life organizers came from their opposition. Private investigators contracted by pro-choice groups tracked, photographed, and collected data on pro-life activists, and then offered much of this in-telligence information to the police department. By accepting this information, the department could have opened itself to criticism from the pro-life side. But such protests have not materialized, largely because pro-life organizations have their own intelligence groups in operation, gathering similar data on clinic employees, doctors, and patients. The police department uses this intelligence information to plan its response to demonstrations and other protest activities. Much of the success of this effort can be attributed to the approach taken by the MPD investigator. During the first critical months of the intelligence-gathering initiative, the MPD investigator remained open and approachable to both sides. After introducing himself to pro-life leaders, he began to attend their groups' public meetings. Although he remained steadfastly neutral on the issue of abortion, pro-life organizers accepted the detective in his official role. Some of the Christian activists even saw his personal conversion to the cause as a special challenge. While he may have gained little critical information from these contacts, the personal interaction enabled him to provide the department's command staff with his intuitive assessment of the pro-life leadership. His close involvement with the groups also minimized the effect of an anticipated disinformation campaign against the police department as the protests and demonstrations grew. In contrast, efforts to infiltrate pro-life groups with undercover officers produced little benefit. Because of the successful application of racketeering statutes to their organizations, pro-life leaders avoided discussing any law-breaking activity in rallies or other public forums. Therefore, it became difficult for the police department to anticipate the number and identities of participants in trespass and civil disobedience incidents prior to the actual events. Police staffing for the events became a combination of "best guess" deci-sionmaking and trial and error. Staffing and Financial Concerns: Protests and mass-arrest situations are labor-intensive events that often require more staff than departments can schedule for regular duty. Thus, staffing becomes a financial challenge for any agency faced with such events. In 1993, the MPD spent $51,000 in overtime for peacekeeping and enforcement duties. Most communities accept such costs as a natural consequence of the rights of citizens to engage in peaceful protests. However, in the abortion-rights battle, public funds can become a propaganda tool for both sides. Pro-choice leaders decry the need to devote tax dollars to protect abortion clinics. They attempt to influence public opinion by claiming that if not for the antiabortion activity, police could be out fighting crime. Pro-life leaders attack local governments, questioning why they spend public funds to protect clinics that perform abortions. For law enforcement, the obvious need for overtime staffing does not justify a carte blanche approach to personnel allocation. Indeed, agencies should plan their staffing levels carefully. Overstaffing can be interpreted as overreaction and can erode public and political support for the police as expenses build. At the same time, understaffing delays an appropriate response to a fast-breaking event, opening an agency to accusations of favoritism and lack of preparation. The MPD approach uses past experience, current intelligence data, and consensus building among the command staff to determine the department's response on a daily basis. Contingency plans, such as callout lists and mutual-aid requests, complement the daily plan and allow for a quick escalation of personnel levels as the need arises. Use of Force: During a demonstration, the arrest procedures and defensive tactics employed by police become high-visibility--and potentially high-liability--issues. The public perceives how well an agency responds to incidents based on the level and type of force used in restraining, moving, and arresting nonviolent protesters. Antiabortion protesters usually employ passive resistance techniques when engaged in trespass activities and civil disobedience. Department administrators decided that officers should not use take- downs, come-alongs, and pressure point control techniques in response to the protestors' passive resistance. After reviewing news videos, newspaper photographs, and media accounts, the command staff concluded that these techniques produced fewer benefits than their associated costs--images of over-reaction and the appearance of unnecessary cruelty. Thus, training becomes a focal point for any agency tasked with responding to such incidents. Training: Recognizing the hazards of overreaction, the MPD command staff developed a thorough training plan, and from the outset, communicated to officers both the policy and philosophy of the department's response strategy. Instructors briefed officers on the respective beliefs and positions of both sides of the abortion issue and juxtaposed this information with the MPD's operational plan: The morality of allowing (abortion) is unquestionably the most passionate issue of today, and undoubtedly, the personnel of the Melbourne Police Department hold as varied a collection of outlooks on the matter as does the general public. However, our code of ethics requires that we never act officiously or permit personal feelings, prejudices, animosities or friendships to influence our decisions and that we will enforce the law courteously and appropriately, without fear of aggression. Professionally, then, we cannot and will not, collectively or individually, take sides on the issue of whether abortion is moral or immoral. It is therefore our intention to safeguard the rights of holders of both convictions to the best of our ability, by enforcing the law firmly but compassionately, while respecting the constitutional rights of all persons.2 This foundation set the tone for more specific training in perimeter security, crowd control, arrest techniques, and booking procedures. Advised that both sides of the issue often try to provoke personal responses from police personnel on the scene, officers were briefed on deflection responses and the importance of maintaining neutrality. Instruction also included handling press inquiries, complaints from neighbors adjacent to the clinic, and comments from passing motorists. Training also focused on methods of response to a frequent tactic used by pro-life groups--individuals' and groups' chaining or locking themselves to doors, fences, and one another to impede entry into abortion clinics. In these attempts, the protestors generally use steel bicycle locks or heavy chains. Therefore, when responding to pro-life demonstrations, the MPD always comes prepared with a variety of cutting tools, protective shields, and specially trained personnel. The emphasis of the department's philosophy and the depth of officer training paid off when the level of protests increased in the spring of 1993. An injunction granted in April 1993, restricting activities within a buffer zone around the abortion clinic, led to over 140 arrests in the ensuing weeks. During that time, no arrestees were injured, although one officer received a back injury while attempting to catch a protestor who suddenly had gone limp. Logistics: Preparation for events likely to result in mass arrests entails tre-mendous effort. The wide range of potential scenarios forces agencies to prepare numerous contingencies. In other words, they must have a plan for personnel and equipment to respond to a small protest that could easily either expand or fizzle. Implementing a response plan involves considerable risk, especially in financial terms. The MPD spent over $7,000 during the first week of scheduled protests in spring 1993, but made no arrests. As the protests grew, the need for more flexibility in response became clear. The MPD command staff brainstormed the logistical process by asking a number of questions. What resources are necessary for the arrest function? How many arrests should be expected? What are the best- and worst-case arrest scenarios? How many officers are needed per arrestee? How long should the booking process take? What special equipment should be on hand--or quickly available--each day? The command staff compiled the answers to these questions into an operational plan for the continuing protests. The plan outlined job descriptions for all personnel. Many jobs were combined for small events, but remained separate in the plan to allow for easy expansion. The plan identified eight command and logistical positions: Incident commander, field force commander, tactical commander, arrest processing supervisor, logistics officer, traffic and security supervisor, supply officer, and tactical supervisor. The command staff also compiled a list of equipment that might be needed during large demonstrations. These items were gathered for quick issue to officers. Flowcharts and checklists provided incident commanders with an easy method to evaluate and control the police response. Interagency Coordination: The police department supplemented its efforts by coordinating mutual aid with other local and State agencies. An interagency agreement for mutual aid in emergencies had long been in place. In addition, the MPD made arrangements with agencies to provide personnel in the event of a major disturbance. To date, the police department has not found it necessary to invoke the agreement. However, as arrests mounted in the spring of 1993 and beyond, police coordination with the Brevard County Detention Center (BCDC) assumed particular importance. Operated by the Brevard County Sheriff, the BCDC holds over 800 prisoners serving county jail terms or awaiting trial, sentencing, or transfer to other institutions. A large-scale protest easily can produce arrest numbers that equal 10 to 20 percent of the current jail population. Many of the tactics employed by activists--such as refusing to identify themselves upon arrest--are designed specifically to land them in jail and thus heighten the impact of their protests. To reduce booking time at the jail, the police de-partment's command staff developed an on-scene arrest procedure. Police personnel photographed arrestees (full face, with no hats or sunglasses) with the arresting officer. Officers then restrained the arrestees using flex-cuffs marked with indelible ink. This procedure simplified the paperwork process once the officers had positively identified the arrestees. Department administrators also conducted advanced planning with the county prosecutor's office. With input from police administrators, the prosecutor's office predetermined appropriate charges for given actions and prepared sample narratives for officers that include all elements of each separate offense. For major events, an assistant State's attorney provides on-scene legal advice to the incident commander. Because pro-life groups often allow, and even encourage, children to engage in protest activities, the police department also included the Youth Services Division of the Department of Health and Rehabilitative Services in the planning process. During demonstrations, this agency assumes responsibility for safeguarding children who are in custody due to a parent's arrest. Policymakers decided to take all juvenile violators into custody, but to file criminal charges only against those 16 or older. Younger children are transported from the scene and held until their parents come to get them. PLANNING FOR PROTESTS: Communities of all sizes face the potential for demonstrations and acts of social protest. Even when peaceful, these events challenge the resources of local law enforcement agencies. Because demonstrations can escalate quickly into more menacing assaults against public order, agencies must prepare for a full range of response options. Agency administrators should use specific planning methods to determine appropriate responses. In the face of potential protests and demonstrations, agencies need to scan, plan, train, respond, and evaluate. Scan: Police administrators should scan the environment. Does the community have protest potential? Are there abortion or family planning facilities, nuclear plants, military bases, or defense contractors in the area? Is economic disparity an issue? Are there civil rights concerns or racial unrest? What types of protests have occurred locally and regionally? Plan: The size and type of potential protests should dictate the response. Police administrators should contact their counterparts in jurisdictions already affected by protests. Law enforcement agencies must coordinate their planning with related agencies and offices. Local law enforcement agencies must predetermine task planning, personnel allocation, and deployment plans. Adequate supervision of the field force and booking facilities is essential. Police administrators also should arrange contingency funding through the local government if current funds appear insufficient. Train: Effective training cannot occur on the day of the event; personnel must be trained in advance. Agencies should review and address use-of-force issues related to nonviolent or passive resistance. Officers should train in arrest, transportation, and confinement techniques. Administrators should use training sessions to assess employee readiness, both on emotional and physical scales. Respond: When an event occurs, the established reaction plan should be implemented in increments, according to need. This measured reaction will enable the police department to escalate or scale down its response in a more controlled way. Incident commanders should scan for new tactics, attitudes, and actions of all participants. Supervisors should monitor personnel closely for compliance with established policies. When responding to volatile situations, officers must avoid the temptation to become overinvolved or to allow emotion to overtake reason. Evaluate: Agencies should conduct after-action debriefings and report their findings in detailed postincident reports. The reports should answer basic questions about the police response. Was the plan effective? If not, why not? How do command officers, supervisors, and line officers feel about their performances? What needs to be changed? The evaluation stage also includes the tabulation of costs. Agencies should count on various groups--including the press, politicians, local government administrators, and even the protesters themselves--to ask how much the police response cost taxpayers. Of course, each of these groups has different needs and motives for acquiring this information. No matter how well-executed its response, the police department should expect criticism to come from one or more camps. PREPARING FOR THE NEXT EVENT: After completing these stages, the agency faces additional tasks. Scanning, planning, and training for the next potential incident must begin anew. Unexpected questions should be answered, and old ones revisited. Administrators must remember that despite the nonviolent focus of most social protesters, fringe elements still exist that use firearms, bombs, and chemical agents to accomplish their goals. All aspects of the planning process should incorporate a response strategy for such contingencies. CONCLUSION: Social protest--sometimes honorable, sometimes inglorious--has a long history in the United States. The role of law enforcement is not to impede legitimate acts of social demonstration but to enforce court-mandated restrictions and to ensure individual and community safety. By following a methodical plan and anticipating problems before they occur, law enforcement can meet the challenges of contemporary protests successfully. Endnotes: 1 FLA. STAT. 119.011, d. 2. 2 Melbourne, Florida, Police Department Abortion Protest Operational Plan, January 1993, 1. From wombat at mcfeely.bsfs.org Tue Apr 23 09:49:40 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Wed, 24 Apr 1996 00:49:40 +0800 Subject: [NOISE]Re: E-mail harassment by c2 In-Reply-To: <2.2.32.19960421013859.006a6538@mail.teleport.com> Message-ID: <Pine.BSF.3.91.960423075758.10503B-100000@mcfeely.bsfs.org> OTOH, maybe he's trying to declare himself a candidate :) This is turning into some sort of a weird ponzi scheme - we'll all wind up on "clueless" by virtue of belonging to other lists which have been subscribed to clueless which ... Please attach your name to the bottom of the list, and subscribe your list to clueless ... eventually, the entire 'net will be clueless ... (insert favorite aol-bash here) ;) ---------------------------------------- Rabid Wombat wombat at mcfeely.bsfs.org ---------------------------------------- On Sat, 20 Apr 1996, Rich Burroughs wrote: > I think you're missing what happened. > > Someone subscribed the address for the _cypherpunks_ list to the clueless > list. The "welcome to clueless" message got sent to you via the cypherpunks > list. Notice the instructions from C2 say: > > >If you ever want to remove yourself from this mailing list, > >you can send mail to "Majordomo at c2.org" with the following command > >in the body of your email message: > > > >unsubscribe clueless cypherpunks at toad.com > > The email address there is the cypherpunks list, not yours. From trei at process.com Tue Apr 23 10:53:40 1996 From: trei at process.com (Peter Trei) Date: Wed, 24 Apr 1996 01:53:40 +0800 Subject: RSA Day in Washington Message-ID: <199604231313.GAA12863@toad.com> Anyone else on the list going to be at RSA Day in DC this Thursday? It might be fun to get together for lunch, or dinner Wednesday night. More info at: http://www.rsa.com/EVENTS/washdc.html Peter Trei trei at process.com Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From ddt at lsd.com Tue Apr 23 10:58:32 1996 From: ddt at lsd.com (Dave Del Torto) Date: Wed, 24 Apr 1996 01:58:32 +0800 Subject: EFF member discount @ Forum on Information Security, Apr. 29 In-Reply-To: <199604230438.VAA04546@toad.com> Message-ID: <v03006605ada289afe287@[192.187.167.52]> At 9:38 pm -0700 4/22/96, John Gilmore wrote: >7:45 p.m. James Freeman, Special Agent in Charge, FBI > (Federal Bureau of Investigation), San Francisco Office > The Threat and Reality of Industrial Espionage in the Bay Area That reminds me: I believe Jim Freeman is the FBI-SAiC who supervised the local UNABOM case investigations. This could be an explosively interesting evening, (metaphorically speaking _only_, Officer Friendly!). See you there. dave ______________________________________________________________________ "I _do_ speak for my employer: _I_ founded the whole %*&#ing company!" From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Tue Apr 23 11:08:03 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Wed, 24 Apr 1996 02:08:03 +0800 Subject: DES as a stream cipher Message-ID: <9604231709.AA0869@> The easiest approach (for one thing, easiest to analyze as far as security issues goes) is counter mode. See Scheier, Applied Crypto, second edition, section 9.9. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "Be wary of strong drink. It can make you shoot at tax collectors ! -- and miss!" ! -- Robert A. Heinlein, "The Notebooks of Lazarus Long" ! in "Time Enough for Love" From sandfort at crl.com Tue Apr 23 11:09:27 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 24 Apr 1996 02:09:27 +0800 Subject: 5th protect password? In-Reply-To: <m0uBZkb-000986C@pacifier.com> Message-ID: <Pine.SUN.3.91.960423061250.9587A-100000@crl3.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Mon, 22 Apr 1996, jim bell wrote: > Tell this [statement about the use of handwriting analysis in > court] to Unicorn. He seems to disagree, although he hasn't > cited specifics yet. Correct me if I'm wrong, but didn't Unicorn offer Mr. Bell a wager on this issue? Isn't the ball in Mr. Bell's court to put his money where his mouth is? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jya at pipeline.com Tue Apr 23 11:51:19 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Apr 1996 02:51:19 +0800 Subject: EYE_suk Message-ID: <199604231401.KAA10892@pipe2.nyc.pipeline.com> 4-22-96. WaPo: "Counter-Terrorism to Be Olympic Event for-U.S." Federal authorities are taking precautions against the use of unconventional weaponry such as poison gas, germ weapons or even a nuclear device. Those attending the Games will see only a small portion of the immense security operation. At its heart will be an estmated 3,000 Army troops, 6,300 National Guardsmen, and at least 10,000 other police and private security guards at peak strength, with an additional force of agents from the FBI, ATF, DIA, CIA, NSA and FEMA. The Pentagon's office of special operations and low-intensity conflict plans to place its elite counter- terrorism teams in readiness. "We keep telling everybody we wil be armed with a radio and a smile," said Maj. Gen. Robert R. Hicks Jr. EYE_suk (A scary skinhead rumble for I-MAX gouge) From richieb at teleport.com Tue Apr 23 12:38:18 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 24 Apr 1996 03:38:18 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <2.2.32.19960423143032.00690690@mail.teleport.com> At 10:26 PM 4/22/96 -0700, Rich Graves wrote: >E. Allen Smith actually might have written: > >>I've seen various quotes from Randy Weaver in various publications, >>including Time and other non-right-wing ones. None of them indicated him >>as an actual neo-Nazi or racist > >BWAHAHAHA!!! This is from the DOJ report on the Ruby Ridge shooting: "Weaver first came to the attention of the BATF in July 1986 during its investigation of a series of bombings in Coer d'Alene, Idaho in which the Aryan Nations was believed to be involved. BATF asked Kenneth Fadeley, a confidential informant, to assist its investigation by obtaining information about people attending an upcoming World Aryan Congress who might be engaged in illegal activities.[FN23] Thereafter, Fadeley portrayed himself as a weapons dealer who catered to motorcycle gangs and, in this role, managed to be introduced to high level members of the Aryan Nations in Northern Idaho.[FN24] In July, 1986, Fadeley attended the World Aryan Congress at Hayden Lake, Idaho. During this assembly, Fadeley was introduced to Weaver, who was at that time of no particular investigative significance to BATF.[FN25]" Weaver may have just been attending the World Aryan Nations Congress for the beer and chicks... Portions of the report are online at http://isdn33.eng.uc.edu/~rabagley/ruby/ruby.toc.html Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From bryce at digicash.com Wed Apr 24 03:44:55 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Wed, 24 Apr 1996 03:44:55 -0700 (PDT) Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <199604240516.WAA10983@dns1.noc.best.net> Message-ID: <199604241043.MAA26907@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- For what it's worth, Webster's defines: rac.ism \'ra--.siz-*m\ \-s*st\ n 1: a belief that race is the primary determinant of human traits and capacities and that racial differences produce an inherent superiority of a particular race 2: RACIALISM - rac.ist n "http://c.gp.cs.cmu.edu:5103/prog/webster" Thus no two of "racists", "separatists" and "race-haters" would be identical sets of people. But with a high degree of overlap, I'd warrant. This means that Abraham Lincoln was a racist, by the way. (That definition isn't too good, though. "_The_ primary determinant"? I would have to classify as racist those who believe that race is _a_ primary determinant of those qualities.) Sorry to be off-topic, but if a thing is going to be discussed I might as well try to add signal. (The "[NOISE]" tag that I left in the subject line doesn't indicate noise, but off-topicness.) Perhaps we could just drop the "Cc: cypherpunks" part and continue this discussion? Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMX4F7EjbHy8sKZitAQHOgQMAn3+no8l1gYl9jpS0V5IFwK2WwOVRlkY4 cp1h7GEE1uW/Ky/djlOkfHfrbsfIoDSwr4N6dUZAhyhyjWu9eDXwdoLHGLdROR72 sMBnmsd/QrJ02Mptywt52wqCXN1iDkzz =yv4l -----END PGP SIGNATURE----- From jamesd at echeque.com Tue Apr 23 13:37:30 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 24 Apr 1996 04:37:30 +0800 Subject: 5th protect password? Message-ID: <199604231456.HAA06590@dns2.noc.best.net> At 06:19 AM 4/23/96 -0700, Sandy Sandfort wrote: > didn't Unicorn offer Mr. Bell a > wager on this issue? Isn't the ball in Mr. Bell's court to put > his money where his mouth is? Yeah: fifty thousand dollars. Not that it makes the slightest difference. On the extropians list a number of very large bets were made and accepted, but nobody ever paid up. (Or very few -- I know of no cases.) When somebody proposes a bet that is substantially larger than the likely cost to his reputation if he weasels out, one can expect that, if he erred, he will not pay. Now if Unicorn had proposed a bet for one hundred dollars, then I would sit up and take notice. A hundred dollars is real money. Fifty thousand dollars is hot air, like one kid says, "I bet you I am right", and the other kid says "I bet you a zillion dollars you are wrong". If somebody proposes a bet that is larger than the likely reputation cost of weaseling, we should ignore the bet and subtract from the guys reputation as if he had already weaseled, since the events of the extropian list show that that is the most likely outcome. All of us have been wrong from time to time on matters where we were sure we were right. Anybody who was serious about paying would not make such ridiculous bets. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From bryce at digicash.com Wed Apr 24 04:49:46 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Wed, 24 Apr 1996 04:49:46 -0700 (PDT) Subject: arbiter/escrow agent for hire Message-ID: <199604241149.NAA27753@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- I hereby offer to be arbiter and escrow agent for cypherpunks bet settlements. My conditions: 1. I won't deal in old-fashioned currencies. Mark Twain U.S. Dollar ecash or Merita Bank of Finland Finnish Mark ecash or First Digital Bank cyberbuck ecash only, please. 2. I don't handle bets larger than USD300.00, or FIM1500.00, or cyb300,000.00. These are just my arbitrary comfort limits. (It's also large enough to cover the kinds of things that go on here, IMESHO.) 3. My fee per bet is USD5.00 or FIM50.00, or cyb7000.00. This is for "simple", winner-take-all bets. For other arrangements, make me an offer. 4. I have to have an explicit description of how the bet will be settled which is acceptable to me. This will be known as the "bet description". a. It has a dearth of loopholes and ambiguities, both with regard to the subject of contention and with regard to the settling procedure, including settling agents and settling schedule. b. It doesn't require me to be the "settling agent" who does the research or performs the experiment or whatever. Before I am committed to the job I will require 3 items to be submitted to me: 1. Acceptable digital signature upon the "bet statement" from each bettor. (Note that PGP signatures from PGP key pairs which are not connected to me via the Web of Trust, or which are not verifiable by me via an out-of-band connection, are not acceptable digital signatures. This is because of the MITM attack problem, not because I need True Names to be connected to the signatures.) 2. My fee. (I don't care who pays it-- One or both bettors or spectators.) 3. Amount of the bet from each bettor. This chunk of money will be known as the "ante". Note that depending upon the details of the "bet statement", each bettor may submit a different ante. (Yes, up front. Yes, I get antes from both bettors. Yes, I keep them while the bet is being settled. Why do you think my fee is so low?) Final Notes: 1. I reserve the right to reject any bet for any reason. Although my fee is non-refundable, the antes are refundable in this case. If I exercise this right after the antes have been delivered, I will return them to their respective owners. 2. The bettors may _not_ unilaterally or unconditionally reserve the right to cancel the bet after having signed the bet statement and submitted their antes. Provisions for cancelling the bet after that point, if desired, should be written into the bet statement. 3. I don't do currency exchange. If your betting partner submits his ante in Finnish Marks and you win then you are getting Finnish Marks. If you submit an ante in cyberbucks and then I cancel the bet, you are getting cyberbucks refunded to you. Please contact me via e-mail (PGP preferred) if you wish to engage my services. Cordially, Bryce, Escrow and Arbitration Agent Serving the cypherpunks Mailing List Since 1996. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMX4VUkjbHy8sKZitAQGOQwMAzsITvGj54RvUnwr0DWXbtbiQeMRIOZMv igN2qUVArkP8TsC8/KkMaSlxD1jEVdGcDj+UGegLIO8Jfq62NCkz41LSUSNi1nWY 0/pNUikhSAFZ2DAh6u42K45HmhPAypeC =eS7Z -----END PGP SIGNATURE----- From wb8foz at nrk.com Wed Apr 24 05:25:47 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 24 Apr 1996 05:25:47 -0700 (PDT) Subject: EYE_suk In-Reply-To: <Pine.SOL.3.91.960423221718.19976A-100000@chivalry> Message-ID: <199604241225.IAA05345@nrk.com> > > > > Isn't the CIA forbidden from doing anything on US soil? > > That'd make cointel a little tricky :-) > Simon Errr, That is the Feeb's department, & they guard it like the family jewels..... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From smith at sctc.com Tue Apr 23 15:14:51 1996 From: smith at sctc.com (Rick Smith) Date: Wed, 24 Apr 1996 06:14:51 +0800 Subject: DES as a stream cipher Message-ID: <199604231630.LAA14179@shade.sctc.com> karl at geoplex.com ("Karl A. Siil") asks: >As this sounds like a previously solved problem, I wanted to find out about >using DES (or any block cipher) as a stream cipher, i.e., in a manner that >keeps input and output data length equal. I don't want to use a true stream >cipher, as I want to use the same key for multiple messages and stream >ciphers tend to place the bulk of their overhead in the re-key. Since stream >ciphers have "memory," I would have to "re-key" to the same key for each of >my messages. I would rather key something like DES once and run it in CBC >mode or use some other form of IV. The right answer depends on the types of attacks you're interested in countering. The classic reference is probably Voydock and Kent's "Security Mechanisms in High Level Network Protocols," from Computing Surveys in 1983. I think Stallings recently put together collection of paper reprints for IEEE Press that included this one. This paper is particularly nice since they present various streaming modes and then talk about the vulnerabilities associated with them. So it's not crypto algorithms so much as how to use them. Rick. smith at sctc.com secure computing corporation From jya at pipeline.com Wed Apr 24 06:16:37 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Apr 1996 06:16:37 -0700 (PDT) Subject: GIV_way Message-ID: <199604241316.JAA09448@pipe4.nyc.pipeline.com> FiTi reports on a Lisbon money laundering conference: 4-23-96: "Long arm of US law threatens business." The extra-territorial reach of US law poses a growing threat to non-US companies doing business, even indirectly, with that country, an expert on money laundering said yesterday. Mr Rowan Bosworth-Davies told a conference in Lisbon that US courts had been "consistent in concluding that US law enforcement interests outweigh a foreign nation's interests in preserving the confidentiality of its banking or its business records". 4-24-96: "US prosecutor attacks bank secrecy laws." A US federal prosecutor yesterday told banks that they are no better than prostitutes if they transmit money without knowing their customers or the purpose of the transaction. Mr John Moscow said: "The ancient concept that bank secrecy must be preserved to keep a gentleman's financial affairs confidential -- dating back to the days when only gentlemen had cheque accounts, and their servants did not -- must give way to the current reality. GIV_way From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 15:16:55 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 06:16:55 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <01I3VQJGR4JK8Y4Y01@mbcl.rutgers.edu> From: Rich Graves <llurch at networking.stanford.edu> >E. Allen Smith actually might have written: >>I've seen various quotes from Randy Weaver in various publications, >>including Time and other non-right-wing ones. None of them indicated him >>as an actual neo-Nazi or racist >BWAHAHAHA!!! I assume that you are thinking I'm incorrect? Incidentally, I classify a racist as someone who says "this race is evil and should be killed/enslaved/tortured/whatever." Someone who says that different races shouldn't live together is a separatist; it's only when they start having seperate but equal being anything but equal (e.g., apartheid) that it crosses the line into racism. Thus, I don't regard Charles Murray or Richard Herrnstein as racist, for instance. >Here's a URL for a *highly sympathetic* piece on Weaver that complains >that, "I will be happier when the press stops demonizing Weaver -- in >subtle and not so subtle ways -- in news stories and editorials. He is >referred to so consistently as "White Separatist Randall Weaver" that one >would be forgiven for assuming that his parents gave him the first name >"White," while "Separatist" was some old family name handed down from his >maternal aunt": >http://www.omnet.com/What-I-Think/col.09-01-95B.html Yes, it doesn't give any information to call him a racist... it gives information to call him a separatist. I don't support either, but I call the former more evil than the latter. If you thought I had claimed that Weaver wasn't a separatist, you've misread me. >Here are some *highly sympathetic* URLs that mention that Weaver was a >white separatist/Aryan Nations wacko: >http://www.scimitar.com/revolution/by_topic/firearms/enforce/rubyridge/setup.html >http://eagle.tamu.edu/~carlp/Liberty/Weaver.Case.AR.html They both, yes, state that he was a white separatist. They don't state that he was an Aryan Nations member... just that the FBI was trying to use him to infiltrate the Aryan Nations. One doesn't have to be a member of something before recruitment by an undercover (or intelligence) operation to be useful for infiltrating it - you just have to be someone that that organization would accept. As a known white separatist, Weaver becoming an out-and-out racist would be more believable than, say, you or me becoming an out-and-out racist. Often, those who are already members of such an organization will be more resistant to turning - more emotional committment, more watchfullness for attempts to frame/entrap, etcetera. >A slightly more balanced piece from the New York Times: >http://eagle.tamu.edu/~carlp/Liberty/Weaver.Case.NYT.html Which, again, doesn't give any evidence that he was an actual racist, as opposed to a white separatist. >FWIW, the Anti-Defamation League, which I am *well aware* has said sily >things about militias and skinheads in the past, mentions Weaver in this >report: >http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/w/weaver.randy/aryan-nations I'm glad you mentioned their unreliability; otherwise I would have had to. This one I haven't been able to check (connection refused), but I wouldn't believe them in any case if they did claim he was a racist. >I have also heard Weaver cited quite favorably on the Stormfront list, >which has repudiated Timothy McVeigh because his friend Terry Nichols has >a Filipino wife. This makes McVeigh a Race Traitor by association, of >course. Well, yes, a martyr is quite helpful to most movements. Of course he's going to be cited favorably, so long as they can't find any ideological problems such as the one you mention with regards to Terry Nichols and Timothy McVeigh. Thank you, you've done my research for me. -Allen From frantz at netcom.com Tue Apr 23 15:17:32 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 24 Apr 1996 06:17:32 +0800 Subject: Bernstein ruling meets the virus law Message-ID: <199604231714.KAA14970@netcom9.netcom.com> At 2:43 PM 4/22/96 -0700, Steve Reid wrote: >Things are only black and white in lawmaker's dreams. :-/ Note also that there are programs which replicate and maintain themselves on several machines in a network in order to provide reliable network services (e.g. print spooling). (The people at Xerox PARC, who did almost everything first, experimented with this kind of program.) If lawmakers are to come up with a rational law, a big if, they will have to differentiate between a bug in a "tame" worm which lets it get loose as a virus, and a virus which was meant to be destructive from the get go. And then they will have to decide what to do about the virus that was designed to write, "Hi Mom!" on as many screens as possible with no malicious damage, and bugs in it. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jya at pipeline.com Wed Apr 24 06:22:42 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Apr 1996 06:22:42 -0700 (PDT) Subject: SHA_dow Message-ID: <199604241322.JAA09828@pipe4.nyc.pipeline.com> Three US papers report on hardly any intelligence reforms endorsed by Don't Worry, Boys, Clinton in response to the ole-boy Brown's CIA-CYA-all-the-way dark shadowisms. SHA_dow From rah at shipwright.com Tue Apr 23 15:26:40 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 24 Apr 1996 06:26:40 +0800 Subject: [Flatulence] Re: EYE_suk Message-ID: <v03006601ada2bd05dd54@[199.0.65.105]> Is it just me, or is this sentence funny? > Underscoring the high-level attention the problem is > getting, the field exercise last week included Deputy > Attorney General Jamie S. Gorelick and other senior > officials in Washington, with Gore's staff getting a daily > briefing. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From s1113645 at tesla.cc.uottawa.ca Wed Apr 24 06:50:31 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Wed, 24 Apr 1996 06:50:31 -0700 (PDT) Subject: [An End To Noise] Wager: Permanent Resolution In-Reply-To: <glTPGm200YUu5iTVd2@andrew.cmu.edu> Message-ID: <Pine.3.89.9604240919.A26145-0100000@tesla.cc.uottawa.ca> On Wed, 24 Apr 1996, Declan B. McCullagh wrote: > I confess I had a good laugh at Jim Bell's expense. His attempt at > weaseling was sadly uninspired, and Black Unicorn was quite right to > move in for the kill. ^^^^^^^^^^^^^^^^^^^^ Is it possible that we are witnessing a self-fulfilling prophecy? I believe that we are contributing to the gradual implementation of Jim's AP system to deal with excessive noise posting (which makes AP to be The Assassination Posting) and unenforceable betting. It's interesting to note that this is the side-effect of Mr. Bell's own postings on the subject (congrats). I therefore bet 100 Monopoly Roubles that by the end of the "Unibell" dispute (sometime before all the stars freeze over) a contract on the original assassination politician's head(s) will have been successfully carried out. I also note that Mr. Unicorn, being wealthy and having wisely protected his anonymity is in a fine position to carry this out. without any fear of retaliation or discovery. What's more, during the "No matter where you go, there they are" thread, Jim sent a reply to Dr. Denning with the infamous cypherpunks at toad.com in the headers. Not smart. Alas, from now on, no matter where Jim goes, Dorothy will know. (Say, don't Uni and Denning both live around DC? Hmmm...) So I submit to the list that any reinvention of the AP is ultimately self-terminating. (Though it might reduce noise and deal with unsuscrivers) The odds aren't good, Jim. You should have been more careful. ;-) > But to be fair to Jim Bell, perhaps $100 is still too high? I mean this > in complete seriousness: I have to come up with nearly $2,000 cash by > this weekend, and I wouldn't be able to make such a wager at this time, > no matter how right I felt I was. Watch out Declan, the frustrated gamblers on the list might take your statements as encouragement to Jim and decide to test out the prototype AP on you first. )8-0 Be careful folks, Little Dorothy is watching You! Ps. As this pseudonym will disappear before September, I am quite safe, myself. From s1113645 at tesla.cc.uottawa.ca Wed Apr 24 07:00:03 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Wed, 24 Apr 1996 07:00:03 -0700 (PDT) Subject: your spam In-Reply-To: <1002C5F271A@cs_fs15.csd.plym.ac.uk> Message-ID: <Pine.3.89.9604240938.B26145-0100000@tesla.cc.uottawa.ca> On Wed, 24 Apr 1996, Jason Roissetter wrote: > UNSUBSCRIVE Which means that Jason Roissetter might soon be dead. ;-) Is anyone keeping lists? One must note that capital punishment is an excellent means of unsuvscription. (Ps. Just joking, Jason or whoever you are.) From jamesd at echeque.com Wed Apr 24 07:05:52 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 24 Apr 1996 07:05:52 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <199604241405.HAA09479@dns1.noc.best.net> At 11:45 PM 4/23/96 -0700, Timothy C. May wrote: > And so the back-and-forth continues...taking up even more list space > arguing, waffling, finessing, rebutting, disputing, and on an on. > > Exactly as several of us have predicted. True, but one should note that it is Jim Bell that is weaseling, and that Unicorn is not weaseling. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From ac at hawk.twinds.com Tue Apr 23 16:13:14 1996 From: ac at hawk.twinds.com (Arley Carter) Date: Wed, 24 Apr 1996 07:13:14 +0800 Subject: [NOISE]Re: E-mail harassment by c2 In-Reply-To: <Pine.BSF.3.91.960423075758.10503B-100000@mcfeely.bsfs.org> Message-ID: <Pine.HPP.3.91.960423133022.21889C-100000@hawk.twinds.com> Now *this* is an interesting denial of service attack on c2's site. (**) (**) Crypto relevance On Tue, 23 Apr 1996, Rabid Wombat wrote: > This is turning into some sort of a weird ponzi scheme - we'll all wind > up on "clueless" by virtue of belonging to other lists which have been > subscribed to clueless which ... > > Please attach your name to the bottom of the list, and subscribe your > list to clueless ... > > eventually, the entire 'net will be clueless ... (insert favorite > aol-bash here) ;) > From sandfort at crl.com Tue Apr 23 16:14:38 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 24 Apr 1996 07:14:38 +0800 Subject: 5th protect password? Message-ID: <2.2.32.19960423181823.006b2c0c@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 07:58 AM 4/23/96 -0700, James Donald wrote: >Yeah: fifty thousand dollars. >Not that it makes the slightest difference. > >On the extropians list a number of very large bets were made and >accepted, but nobody ever paid up. (Or very few -- I know of no >cases.) As much as I like the Extropians, personally, they haven't got a clue how to implement practical social systems. It is trivial to set up a wagering system that works--and you don't need all the "polycentric" blah blah. >Now if Unicorn had proposed a bet for one hundred dollars, then >I would sit up and take notice. A hundred dollars is real money. >Fifty thousand dollars is hot air... a) I proposed that a bet of $100 which Jim Bell ignored. That should have made you sit up and take notice. b) Unicorn has the 50Gs and I'm confident he would have paid up if necessary. >... Anybody who was serious about paying >would not make such ridiculous bets. This is a non-sequitor. Anyone serious about winning WOULD make such a bet. Do you really think that a legal scholar as good as Unicorn would just shoot from the hip without knowing he had it in the bag? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From unicorn at schloss.li Tue Apr 23 16:15:23 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 07:15:23 +0800 Subject: 5th protect password? In-Reply-To: <199604231456.HAA06590@dns2.noc.best.net> Message-ID: <Pine.SUN.3.93.960423135836.3588E-100000@polaris.mindport.net> On Tue, 23 Apr 1996 jamesd at echeque.com wrote: > At 06:19 AM 4/23/96 -0700, Sandy Sandfort wrote: > > didn't Unicorn offer Mr. Bell a > > wager on this issue? Isn't the ball in Mr. Bell's court to put > > his money where his mouth is? > > Yeah: fifty thousand dollars. [...] > Now if Unicorn had proposed a bet for one hundred dollars, then > I would sit up and take notice. A hundred dollars is real money. US$ 100.00 it is. Mr. Bell? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From hfinney at shell.portal.com Wed Apr 24 07:17:16 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 24 Apr 1996 07:17:16 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604241415.HAA02557@jobe.shell.portal.com> I appreciate the temperate responses to my knee-jerk diatribe against RSA's involvement in the golden key campaign. The key logo doesn't actually resemble RSA's very much, although the small versions do seem similar to the golden keys shown in Netscape's browser. So far as I know though Netscape hasn't threatened any lawsuits to make people take crypto off the net so I don't object to that... Now that the patent situation with regard to public key encryption has changed due to the RSA/Cylink split, it appears that the patent which claims to cover all PK encryption has been seriously weakened. There are other PK encryption systems than RSA which are just as good, such as El Gamal or Rabin encryption. Rabin encryption would have the advantage that it could be used with existing RSA keys as long as the modulus is a Blum modulus. PGP at least has always used Blum moduli, perhaps for this eventuality. So an alternative encryption program could use Rabin encryption and work with the existing infrastructure of PGP keys. It would not of course be compatible with PGP for encryption and decryption. This doesn't solve the signature problem; I'm not sure if there is a signature algorithm which could use RSA public keys but which is not covered by the RSA patent. In any case since PGP key certificates use RSA signatures it would not appear to be possible to validate key signatures without infringing on the RSA patents, so that cancels out a lot of the advantages of using existing PGP keys. Hal From adam at lighthouse.homeport.org Wed Apr 24 07:29:16 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 24 Apr 1996 07:29:16 -0700 (PDT) Subject: What's the best Mac crypto program? In-Reply-To: <v03006601ada3670bb3a8@[129.64.2.182]> Message-ID: <199604241533.KAA00162@homeport.org> I use Cryptdisk. I suspect its better than any of the ones you pay for. Most of them try to do too much, and thus probably fail. Also, most of them are no marked 'Export Controlled,' which incidates a scary lack of knowledge on the part of the companies. Bruce Schneier wrote 'Protect Your Macintosh.' http://www.peachpit.com/peachpit/titles/catalog/48436.html Adam Philip Trauring wrote: | | | What is the best free/shareware program for protecting(and I mean | government-strength encryption) a Mac folder or creating a protected Mac | volume? | | Additionally, are any of the commercial products available safer than these | free/shareware ones? | | Thanks, | Philip | | --=--=====--=--=====--=--=====--=--=====--=--=====--=-- | Philip Trauring philip at cs.brandeis.edu 617-736-6702 | "knowledge is my addiction, information is my drug" | http://www.cs.brandeis.edu/~philip/ | --=--=====--=--=====--=--=====--=--=====--=--=====--=-- | | | -- "It is seldom that liberty of any kind is lost all at once." -Hume From adam at lighthouse.homeport.org Tue Apr 23 16:43:08 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 24 Apr 1996 07:43:08 +0800 Subject: EYE_suk In-Reply-To: <199604231401.KAA10892@pipe2.nyc.pipeline.com> Message-ID: <199604231926.OAA26127@homeport.org> | security operation. At its heart will be an estmated | 3,000 Army troops, 6,300 National Guardsmen, and at | least 10,000 other police and private security guards at | peak strength, with an additional force of agents from | the FBI, ATF, DIA, CIA, NSA and FEMA. Isn't the CIA forbidden from doing anything on US soil? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From nobody at REPLAY.COM Tue Apr 23 16:55:52 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 24 Apr 1996 07:55:52 +0800 Subject: Nazis on the Net Message-ID: <199604231853.UAA04047@utopia.hacktic.nl> E. ALLEN SMITH writes: | (one reason for Hiroshima and Nagasaki being right | was the Japanese alliance with Germany) Was Dresden also right? (more died than at Hiroshima) The firebombing of Tokyo? (10% died in one raid). Stalins execution of his own people? Look at facts, not propoganda, before coming to such conclusions. The conventions of war (namely the aim of keeping civilians out of it, along with good treatment of prisoners) evolved over many centuries, but then come the Brits and the Yanks to destroy it all with their indiscriminate bombing of civilians, using the "they can stop the torture simply by surrendering," and "those bombs saved countless [American/British] lives!" excuses, and directing attention away from their own attrocities by spreading propoganda such as soap made from Jews. Then to direct attention away from themselves even further, the victors judge the defeated at Nuremburg for "war crimes," when the accusors themselves were guilty of terror bombing, the worst war crime of them all. | and the Holocaust (people who claim | it didn't happen are calling my paternal grandfather a liar). Does anybody really claim it did not happen? I doubt it. I assert that those who express doubt over details of the current story (such as the numbers that died in the camps, the existence of gas chambers, or whether Hitler gave an order to systematically kill Jews) are referred to by the media as saying that the Holocaust didn't happen, but that is *not* what they are saying. With regard to your grandfather being liar, that is hard to say without knowing precisly he has said, but if he states that, eg, Dachau was a terrible place, riddled with disease and starvation and terrible conditions, and hundreds of thousands of people died, then who would disagree with him? If on the other hand he asserts that he saw gassed Jews at Dachau, then he is mistaken (although not necessarally a liar.) --- The Nuremberg Trials...had been popular throughout the world and particularly in the United States. Equally popular was the sentence already announced by the high tribunal: death. But what kind of trial was this? ...The Constitution was not a collection of loosely given political promises subject to broad interpretation. It was not a list of pleasing platitudes to be set lightly aside when expediency required it. It was the foundation of the American system of law and justice and [Robert Taft] was repelled by the picture of his country discarding those Constitutional precepts in order to punish a vanquished enemy. U.S. President, John F. Kennedy From banisar at epic.org Tue Apr 23 17:01:00 1996 From: banisar at epic.org (Dave Banisar) Date: Wed, 24 Apr 1996 08:01:00 +0800 Subject: Golden Key Campaign Message-ID: <n1381851986.93640@epic.org> PRESS RELEASE Wednesday, April 24, 1996 URL: http://www.privacy.org/ipc/ Contact: Marc Rotenberg, EPIC, 202/544-9240 Lori Fena, EFF, 415/436-9333 Barbara Simons, USACM 408/463-5661 Kurt Stammberger, RSA, 415/595-8782 ------------------------------------------ INTERNET PRIVACY COALITION FORMED Golden Key Campaign Launched Groups Urge Good Technology for Privacy and Security Senator Burns to Introduce Legislation ------------------------------------------ WASHINGTON, DC -- A new coalition today urged support for strong technologies to protect privacy and security on the rapidly growing Internet. The Internet Privacy Coalition said that new technologies were critical to protect private communications and on-line commerce, and recommended relaxation of export controls that limit the ability of US firms to incorporate encryption in commercial products. Phil Zimmermann, author of the popular encryption program Pretty Good Privacy, expressed support for the effort of the new coalition. "It is time to change crypto policy in the United States. I urge those who favor good tools for privacy to back the efforts of the Internet Privacy Coalition." GOLDEN KEY CAMPAIGN LAUNCHED The Coalition has asked companies and Internet users to display a golden key and envelope to show support for strong encryption technology. Copies of the logo are available at the group's web page on the Internet. According to Lori Fena, director of the Electronic Frontier Foundation, the purpose of the campaign is to educate the public about new techniques for privacy protection. "Society's feelings about privacy have not changed, only the medium has," said Ms. Fena. US industry has pressed the US government to relax export controls on encryption as consumer demand for software products has increased. They cite the fact that foreign companies have been able to sell strong products in overseas markets that are now restricted for US firms. Jim Bidzos, President and CEO of RSA Data Security, said that US firms continue to face excessive burdens. "Encryption is the key to on-line commerce. Government regulations are simply keeping US firms out of important markets." The Internet Privacy Coalition is the first attempt to bring together a broad base of companies, cryptographers and public interest organizations around the central goal of promoting privacy and security on the Internet and urging relaxation of export controls. Dr. Barbara Simons, chair of the public policy committee of the Association for Computing said, "The broad support for the Golden Key campaign shows that the reform of encryption policy is a shared goal for companies, users, and professional associations." SENATOR BURNS TO INTRODUCE LEGISLATION The Internet Privacy Coalition is being established as Congress considers new legislation to relax export controls on encryption. Senator Conrad Burns (R-MT) today introduced legislation that would relax export controls on commercial products containing technologies for privacy such as encryption. Marc Rotenberg, director of the Electronic Privacy Information Center, said "We believe that Senator Burns has put forward a constructive proposal. We look forward to working with him to ensure that good tools for privacy and security are widely available to Internet users." Hearings on Senator Burns bill are expected to take place in early June. The proposal has already gathered support from a bipartisan coalition in Congress. For Internet users who are interested in following the debate about encryption policy, the IPC has set up a Web page with information about encryption regulations, court challenges, legislative developments, and organizations and companies involved in the campaign. The Internet Privacy Coalition was established by more than a dozen of the nation's leading cryptographers, and thirty associations, companies, and civil liberties organizations committed to strong privacy and security technology for all users of the Internet. URL: http://www.privacy.org/ipc/ ---------------------------------------------- A KEY, AN ENVELOPE -- Both are historic means for communicating privately and protecting personal information. Today, encryption tools provide this privacy in the electronic world. The Golden Key Campaign is being launched to raise awareness and support for the preservation of the right to communicate privately and the availability of new techniques which make it possible. Privacy, a fundamental human right, has been affirmed by the US Supreme Court, the constitutions and laws of many countries, and the United Nations Universal Declaration of Human Rights. Privacy must be preserved as we move from paper to electronic communications. The Internet Privacy Coalition is urging members of the net community to display a Golden Key & Envelope symbol on their Web pages to show support for the right of privacy and the freedom to use good tools of privacy without government restraints. ---------------------------------------------- From gnu at toad.com Tue Apr 23 17:04:36 1996 From: gnu at toad.com (John Gilmore) Date: Wed, 24 Apr 1996 08:04:36 +0800 Subject: Support for crypto bills is building Message-ID: <199604231831.LAA20028@toad.com> [From FARNET's Washington Update. This is interesting principally for the note about the number of co-sponsors.] SEN. BURNS' ENCRYPTION BILL TO BE INTRODUCED BY END OF NEXT WEEK The third encryption bill aimed at blowing the administration's key-escrow policy out of the water is set for introduction probably late next week. Sen. Conrad Burns (R-MT) will introduce a bill that is similar to both the Leahy and Goodlatte bills already in the Senate and House, respectively. Both prohibit a mandatory key-escrow system for the use of encryption in the United States. Both also significantly lift export restrictions on encryption software and hardware. (Export approval would be granted for any bit length that is already generally available in foreign markets. Current policy restricts the export of encryption hardware or software products with keys greater than 40 bits long.) Hill staff said yesterday that they saw strong support for the encryption bills forming in both houses. Thirty-eight co-sponsors have signed on to the Goodlatte bill in the House so far. The Burns bill is expected to garner the support of Sen. Leahy who also has a bill in the Senate. The House bill has been referred to the Judiciary committee and may be also referred to the House Committee on International Relations. The Senate expects to hold hearings in the Senate Commerce Committee sometime in June. While proponents are working to get the bill(s) passed this year, because of the elections this fall, it will be a tight schedule. Furthermore, the bills' supporters are trying to keep the three pieces of legislation from being referred to any of the intelligence or law enforcement committees where some of the strongest opposition is likely to arise. Strong encryption is generally regarded as extremely important to the success of electronic communications. The Clinton administration's various proposals for strict export restrictions and a mandatory key-escrow system have met with significant opposition from industry, privacy groups and netizens alike. Just this week, a court in California ruled that "source code" for encryption programs is speech, and therefore protected under the First Amendment. The case came at the instigation of a programmer who was forbidden to place his source code for an encryption program that he had developed on the Internet in order to get discussion on its merits from his colleagues. The ruling was just a preliminary step in order to continue with the case. It could, however, clear the way for the overruling of export restrictions on encryption source code. From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 08:39:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 08:39:52 -0700 (PDT) Subject: [NOISE] Re: Nazis on the Net Message-ID: <01I3X2F0KXIO8Y50EU@mbcl.rutgers.edu> From: IN%"wombat at mcfeely.bsfs.org" "Rabid Wombat" 23-APR-1996 21:57:59.91 >I'm typing green letters on a black background. All you people with black >characters on a white background should go talk on another 'net. I never said I approved of separatism; I just consider it slightly less evil than racism. It's sort of like the distinction between Chinese censorship of the Net and American (attempted) censorship of the net - both are evil, the American one is just less so because it doesn't go as far. The distinction between racism and separatism isn't as great, admittedly. -Allen From sameer at c2.org Wed Apr 24 08:41:13 1996 From: sameer at c2.org (sameer at c2.org) Date: Wed, 24 Apr 1996 08:41:13 -0700 (PDT) Subject: Golden Key Campaign In-Reply-To: <317DD5D2.6284@netscape.com> Message-ID: <199604241540.IAA03214@atropos.c2.org> > The key at the bottom of the Netscape window is not the RSA logo, and > doesn't even look much like it. Our key is meant to convey the > absence or presence of encryption via a metaphor that is understandable > to the average home user, not as an advertisement for RSA. The RSA key *does* appear on the flash screen though, remember. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From SBinkley at atitech.ca Tue Apr 23 17:44:17 1996 From: SBinkley at atitech.ca (Scott Binkley) Date: Wed, 24 Apr 1996 08:44:17 +0800 Subject: CO$ In-Reply-To: <65D1983A02502C79@-SMF-> Message-ID: <65D1983A01502C79@-SMF-> Hi, lately we have had numerous threads on the CO$, and its threats to remailers, and the such, I am quite interested in the discussions regarding the cult, and want to know if anyone out there knows of a mailing list that deals with it that I can join. /sb From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 08:49:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 08:49:41 -0700 (PDT) Subject: Majordomo patch will be available Message-ID: <01I3X2UUSU5I8Y50EU@mbcl.rutgers.edu> Here's the information on the majordomo patch to do the confirmation: >Allen, the patch to do this that you asked about is gonna be distributed as >part of the new majordomo beta, and will be freely available. -Allen From hfinney at shell.portal.com Wed Apr 24 09:03:24 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 24 Apr 1996 09:03:24 -0700 (PDT) Subject: Childporn found in UCSB Dean's Computer Message-ID: <199604241601.JAA08886@jobe.shell.portal.com> This from my local hometown paper in Santa Barbara. It illustrates the use of search rather than subpoena to collect information in criminal cases, as well as the dangers of having unencrypted files lying about: UCSB dean faces charge of child porn possession by Melissa Grace News-Press Staff Writer UCSB Dean David M. Kohl, under investigation for misues of universify funds, is facing a more embarrassing charge - possession of child pornography. While searching Koh's home for evidence in the investigation into the dean's alleged misuse of about $20,000 in fees charged to students applying to medical schools, campus police discovered photographs in Koh's computer files depicting minors engaging in or simulating sexual conduct. The pictures were downloaded by the 52-year-old professor into his computer from the Internet. his lawyer said Kohl was unaware of the contents until he opened the unsolicited files, which were sent by an Internet user whom Kohl does not know by name. Kohl has no criminal record, and because of that the pornography charge was filed as a misdemeanor, according to the District Attorney's Office. No charges have been filed against Kohl for his possible misuse of university funds. The police found two computer disks, with approximately 15 files containing the sexually explicit, graphic material, said Stanley M. Roden, one of Kohl's lawyers. [...] Roden explained that Kohl had been exploring what are known as chat rooms on America Online when he was approached by another user and asked if he was interested in seeing unspecified files. "David never showed, disseminated, paid for, asked for, or looked at them again," said his attorney. [...] Possession of child pornography locally is an unusual charge according to campus and city police and watchdog groups for the Internet and child pornography laws. "There have been no arrests here for child pornography over the last 10 years," said Santa Barbara Police Department Lt. Nick Katzenstein. The university police department's chief, John L. MacPherson, said he has never before had a complaint about child pornography. I also heard an interview with the lawyer on the radio this morning. He claimed that this would be a "test case" because Kohl had only had the files in the privacy of his own home and never looked at them after realizing what they were. "As soon as he needed a disk, that one would have been erased," he said. It's too bad Kohl didn't use software which automatically and transparently encrypts his floppies. Then they would have tried to subpoena the key, thinking that the floppies might have incriminating info related to the embezzling charge, never dreaming that they contained child porn. That would have been an interesting case. Hal From moroni at scranton.com Tue Apr 23 18:06:58 1996 From: moroni at scranton.com (Moroni) Date: Wed, 24 Apr 1996 09:06:58 +0800 Subject: Returned mail: User unknown (fwd) Message-ID: <Pine.LNX.3.91.960423153051.6358E-110000@locrian.scranton.com> ---------- Forwarded message ---------- Date: Tue, 23 Apr 1996 15:24:36 -0400 From: Mail Delivery Subsystem <MAILER-DAEMON at locrian.scranton.com> To: moroni at locrian.scranton.com Subject: Returned mail: User unknown The original message was received at Tue, 23 Apr 1996 15:24:33 -0400 from moroni at localhost ----- The following addresses had delivery problems ----- tc at scranton.com (unrecoverable error) X at scranton.com (unrecoverable error) ----- Transcript of session follows ----- ... while talking to lydian.scranton.com.: >>> RCPT To:<X at scranton.com> <<< 550 <X at scranton.com>... User unknown 550 X at scranton.com... User unknown >>> RCPT To:<tc at scranton.com> <<< 550 <tc at scranton.com>... User unknown 550 tc at scranton.com... User unknown ----- Original message follows ----- To: tc at scranton.com Subject: Returned mail: warning: cannot send message for 4 hours (fwd) From: Moroni <moroni at scranton.com> Date: Tue, 23 Apr 1996 15:24:33 -0400 (EDT) cc: X at scranton.com ---------- Forwarded message ---------- Date: Tue, 23 Apr 1996 14:57:32 -0400 From: Mail Delivery Subsystem <MAILER-DAEMON at locrian.scranton.com> To: moroni at locrian.scranton.com Subject: Returned mail: warning: cannot send message for 4 hours ********************************************** ** THIS IS A WARNING MESSAGE ONLY ** ** YOU DO NOT NEED TO RESEND YOUR MESSAGE ** ********************************************** The original message was received at Tue, 23 Apr 1996 10:44:18 -0400 from moroni at localhost ----- The following addresses had delivery problems ----- tcmay at got.net (transient failure) ----- Transcript of session follows ----- tcmay at got.net... Deferred: Connection refused by mail.got.net. Warning: message still undelivered after 4 hours Will keep trying until message is 5 days old ----- Original message follows ----- To: tcmay at got.net Subject: huh no mail From: Moroni <moroni at scranton.com> Date: Tue, 23 Apr 1996 10:44:16 -0400 (EDT) Tim, I m not getting the mailing list for cypherpunks . This is the second no third time that I know about where entire lists have disappearedon me. One was religoius , but I wrote that off as them not liking my handle. Then I got a notice from the nueron digest that my mail was bouncing back to them and that they were cancelling my sub. That was ok too as I wasn't THAT interested in them .Now my beloved Cypherpunks is not being deliverd to my door(computer)and that hurt (even with the flaming and noise). Have I been left off because I get too much mail to my provider?Is it because I have recently only lurked and added nothing of worth? Anything else? Thanks in Advance moroni From wb8foz at nrk.com Wed Apr 24 09:07:50 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 24 Apr 1996 09:07:50 -0700 (PDT) Subject: crypto in .ja (fwd) Message-ID: <199604241607.MAA06196@nrk.com> Forwarded message: X-URL: http://www.us.net/~steptoe/276915.htm > Emerging Japanese Encryption Policy > > By Stewart A. Baker {} > Summary: The emerging Japanese consensus on cryptography This is worth reading for what it says about the US policy, if indirectly. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 09:11:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 09:11:37 -0700 (PDT) Subject: "Separate but equal" as a racist doctrine Message-ID: <01I3X3T0O8408Y50EU@mbcl.rutgers.edu> From: IN%"tallpaul at pipeline.com" 24-APR-1996 03:36:53.30 >For some considerable period of time the doctrine of "separate but equal" >was one of the major racist theories in the U.S. I am quite aware of this; I grew up in the South. In practice, it wasn't seperate but equal; it was separate but unequal. This was the intent of the persons pushing it, which made them racist. (They are also justifiably classified as racist on many other grounds). >People who wish to organize for racist ideology behind this doctrine while >proclaiming they are not racists merely place themselves in the old racist >camp. Their organizing for (and their denials of) racist ideology does not >make them less racist, just less honest. Persons who wish to organize for _racist_ ideology, yes. But assuming that every separatist is actually a racist is about like assuming that everyone on this list is an anarcho-capitalist; while correct in the majority of cases, it isn't correct in all. (You and I are both exceptions, for instance.) -Allen From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 18:18:32 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 09:18:32 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <01I3VX95Q4IO8Y4ZTJ@mbcl.rutgers.edu> From: IN%"richieb at teleport.com" "Rich Burroughs" 23-APR-1996 14:15:55.60 >In July, 1986, Fadeley attended the World Aryan Congress at Hayden Lake, >Idaho. During this assembly, Fadeley was introduced to Weaver, who was at >that time of no particular investigative significance to BATF.[FN25]" >Weaver may have just been attending the World Aryan Nations Congress for the >beer and chicks... Yes. For instance, I am a member of the Extropy Institute - but I'm _not_ an anarcho-capitalist, even though that's one of the things that the Institute stands for. >Portions of the report are online at >http://isdn33.eng.uc.edu/~rabagley/ruby/ruby.toc.html However, one reference in this report to Weaver's calling for a meeting to oppose the "Zionist Occupation Government" does provide an argument for calling him a racist of the anti-Semitic variety. On the other hand, the only person claiming this is the FBI's informant; the truth of his statements has been called into doubt. So far as I can tell, it's uncertain. -Allen From SBinkley at atitech.ca Tue Apr 23 18:40:37 1996 From: SBinkley at atitech.ca (Scott Binkley) Date: Wed, 24 Apr 1996 09:40:37 +0800 Subject: [Fwd: CyberDoctor] In-Reply-To: <67D1983A02502C79@-SMF-> Message-ID: <6AD1983A01502C79@-SMF-> This is a multi-part message in MIME format. --------------6DF66DED67CB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -- ------------------------------------------------------------------------Ma rk Buckaway mark at uunet.ca +1 800 463 8123 UUNET Canada Technical Support +1 416 368 6621 UUNET Canada Inc. support at uunet.ca Internet Services ------------------------------------------------------------------------ --------------6DF66DED67CB Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Received: from cicerone.uunet.ca ([142.77.1.11]) by mail.uunet.ca with SMTP id <264090-5>; Tue, 23 Apr 1996 15:26:55 -0400 Received: from ghost.uunet.ca ([142.77.1.100]) by cicerone.uunet.ca with SMTP id <177226-4>; Tue, 23 Apr 1996 15:26:28 -0400 Received: from ghost.uunet.ca ([142.77.1.100]) by ghost.uunet.ca with SMTP id <52805-24166>; Tue, 23 Apr 1996 15:26:22 -0400 Date: Tue, 23 Apr 1996 15:26:19 -0400 From: Andrew Herdman <andrew at ghost.uunet.ca> To: Office Support <office at ghost.uunet.ca> Subject: CyberDoctor Message-ID: <Pine.SUN.3.91.960423152458.12136F-100000 at ghost.uunet.ca> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Return-Path: <@cicerone.uunet.ca:andrew at ghost.uunet.ca> X-Mozilla-Status: 0001 This really should have been for funny, but I suspect others might get a chuckle out of it as well. Andrew -------------------------------------------------------------- From: Tatsuhiro Ikeda <ti08+ at andrew.cmu.edu> Newsgroups: news.admin.misc,pgh.opinion,news.admin.censorship,pgh.config Subject: CyberDoctor: READ THIS! Date: Sat, 20 Apr 1996 23:20:16 -0400 Organization: Senior, IM - Graphic Communications, Carnegie Mellon, Pittsburgh, PA CyberDoctor, This is from a pirated account at Carnegie Mellon. This was posted without ANYONE's permission or knowledge. I have been watching you activities with keen interest. I am a firm supporter of overthrowing the cabal of UUnet, and admire your bravery in defeating this evil organization. There's something you should know. In 1967, the organization that became known as UUnet was founded by a secret military cabal headed by David Lawrence, formally of the DIA and NSA. I was Lawrence's right-hand man, because of my experiences as the leader of a black operations group in charge of Psychological Warfare in Vietnam. One of our experiments was to, of course, manipulate communications to our advantage. We overthrew anyone who got in our way. In 1968, it was decided by UUnet to start genetic engineering on humans, in an attempt to create the ultimate double agent in censorship activities. We succeeded, and our agents have been surrepticiously implanted in key points all over the Internet. But some of the experiments went awry. I was one of those experiments. Because Lawrence is a meglomaniac who feared being found out by Senate probes, he turned on me. On October 17th, 1971, I was kidnapped against my will by Lawrence's goons. They attempted to brainwash me and injected genes in me that would cause me to censor anything against my will. I escaped before it was too late, and have been posing as a college student among other things for the last 25 years. After deep regression hypnosis, I recalled that one of the genetically engineered human experiments was a person by the name of John Grubor. He failed to fall under our control, and so he was left to die. A competing secret arm of the military revived him and gave him a new identity, as well as erased all his memories. Cyberdoctor, you are that John Grubor, and even worse, you are David Lawrence's bastard son by genetic engineering. This sick twist of fate was partly inspired by the movie, "The Empire Strikes Back", Lawrence's favorite movie of all time. Lawrence knows that you are still alive, no doubt, but he is not concerned. Why? Because in 14 days, 3 hours and 14 minutes, there is a 99.9% probability that your genes will mutate and you will become David Lawrence's identical genetic twin. You will censor and join the UUnet cabal against your free will, and there's nothing you can do. But I can save you. First, why am I breaking the silence? Because Lawrence tried to kill me, and my identity as a Pittsburgher is being blown. I will dissapear after I send this post from this pirated account. I can offer you salvation before I leave, as I have done to other innocent victims of "Operation Genetic Censorship". Go to the corner of Wood and Liberty and wait at the Bus Station at midnight. First be sure to close ALL your email accounts and logoff for good. That will let my agents know you are ready. Wait there, and my men will come and get you. They take you to a lab where they will execute you, but cryogenically freeze your brain until the technology exists to make a new body and replace your genes. I promise it will be painless. We already have 10 people (brains) in stasis cambers. It may sound desparate, but what's worse? Becoming a censor or indefinite stasis? Furthermore, the board has already decided that this must be carried out. No more censors must be born. I am powerless to stop them. I am only making it easy for you to accept. So close your accounts now, and prepare to meet us. It is the only option left. You have no one you can trust, not even yourself. REMEMBER TO CLOSE YOUR EMAIL ACCOUNTS FIRST. In solidarity, Deep Throat --------------6DF66DED67CB-- From stewarts at ix.netcom.com Tue Apr 23 19:20:37 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 24 Apr 1996 10:20:37 +0800 Subject: ApacheSSL Message-ID: <199604232059.NAA24322@toad.com> At 01:50 PM 4/20/96 +0000, umwalber at cc.UManitoba.CA wrote: >An ISP that I have ties with is looking to set up a secure server. >Currently, they are running Apache. I told them that for ~$500 they >can put on Apache SSL and be all ready. However, they want to buy >Netscape (for the name, I've already given them the 40bit gospel), >put it on a separate, firewalled machine, allow no access to it, etc, >etc. Is all this paranoia necessary? If they're handling money, then, yes, the paranoia is probably necessary. Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL and similar systems is that the server they run on is typically sitting right out there on the Internet waiting for somebody to crack it, and keeping credit card information on the same rather than handing the encrypted information across some secure interface (whether a firewall or dedicated RS232 or whatever.) A bulletproof 128-bit interface doesn't help if it's running on a cracked machine. Putting it on a separate firewalled machine is a Good Thing. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From richieb at teleport.com Tue Apr 23 19:25:51 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 24 Apr 1996 10:25:51 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <01I3VX95Q4IO8Y4ZTJ@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.92.960423140913.5193B-100000@kelly.teleport.com> On Tue, 23 Apr 1996, E. ALLEN SMITH wrote: [snip] > However, one reference in this report to Weaver's calling for a meeting > to oppose the "Zionist Occupation Government" does provide an argument for > calling him a racist of the anti-Semitic variety. On the other hand, the only > person claiming this is the FBI's informant; the truth of his statements has > been called into doubt. I'm sure it has been. That doesn't mean his report is untrue. Is the standard of proof the same for both of these issues? We need proof to establish that Weaver is a racist, but not to establish that the FBI informant is lying? > So far as I can tell, it's uncertain. Separatist/supremacist... I don't see much difference between them, and I believe the former is largely just a cover story for the latter. Weaver is no hero, IMHO, though I believe the govt. fucked up big at Ruby Ridge. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From jleonard at divcom.umop-ap.com Tue Apr 23 19:34:14 1996 From: jleonard at divcom.umop-ap.com (Jon Leonard) Date: Wed, 24 Apr 1996 10:34:14 +0800 Subject: Betting and reputations Was: Re: Jim Bell, Apology to list. Was: [Yadda Yadda Yadda] In-Reply-To: <Pine.SUN.3.91.960421192206.9131E-100000@polaris.mindport.net> Message-ID: <9604232037.AA21133@divcom.umop-ap.com> It's an interesting vindication of the nym reputation model that no one has questioned the meaning of Black Unicorn offering to bet $50,000, even though (to the best of my knowlege) this is only backed by his writings, not any sort of ecash account or reference to a True Name. I noticed this in my reaction to seeing the $50,000 figure, and wondering first about financial resources, and only then about the fact that there really isn't any way to force payment by a nym. Black Unicorn's writings are convincing evidence that he'd pay a gambling debt. (Not that I think he'd lose this bet, but that's a separate issue.) The other thing I noticed is that reputation capital isn't a simple economic quantity: Black Unicorn wrote: [snip] > All this said, I find Mr. May's and Mr. Sandfort's criticism stinging. Mr. > Bell, and my response to him, manages to sap a great deal of time and effort > from myself and others for no gain aside draining his (and to some extent my) reputation > capital. These disputes serve little purpose otherwise. It's clear to > me, if not everyone else, that Mr. Bell simply fabricates his positions, > evidence, and persuasion out of the mist. I have to disagree about the effect on Black Unicorn's reputation capital. My opinion of his legal skills and probable economic behavior are not diminished by his argument with Jim Bell. I have decided that he is more likely to rant than I had previously thought, though. The underlying model for reputation capital seems to be economics, but some amount of psychology or economic anthropology is probably more appropriate. We develop mental models of the behavior of others based on their actions. Often more detail is required than the monetary amount required to make someone untrustworthy. The relevant question seems to be "Is this worth reading", judged on the basis of prior writing. My answer of "Yes, but if it's about Jim Bell, then only maybe" can't be modeled as a single number. Jon Leonard From richieb at teleport.com Tue Apr 23 19:39:39 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 24 Apr 1996 10:39:39 +0800 Subject: CO$ In-Reply-To: <65D1983A01502C79@-SMF-> Message-ID: <Pine.SUN.3.92.960423140034.5193A-100000@kelly.teleport.com> On 23 Apr 1996, Scott Binkley wrote: > Hi, lately we have had numerous threads on the CO$, and its threats to > remailers, and the such, I am quite interested > in the discussions regarding the cult, and want to know if anyone out > there knows of a mailing list that deals with it that I can join. No mailing lists that I know of. There may be sekret ones, though. The Scientologists have a member's only list called TNX, but you have to be very Theta to get on. Alt.religion.scientology on Usenet is the big source for info. You might also check out #scientology on IRC. Ron Newman's excellent web site is at http://www.cybercom.net/~rnewman/scientology/home.html You can now do an Excite search of his entire site. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From byrd at ACM.ORG Tue Apr 23 19:40:28 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Wed, 24 Apr 1996 10:40:28 +0800 Subject: CO$ Message-ID: <2.2.32.19960423205236.006ce8a4@tiac.net> At 03:21 PM 4/23/96 -0400, Scott Binkley wrote: >Hi, lately we have had numerous threads on the CO$, and its threats to >remailers, and the such, I am quite interested >in the discussions regarding the cult, and want to know if anyone out >there knows of a mailing list that deals with it that I can join. There's no particular mailing list, but there is a very active discussion group at alt.religion.scientology. There are numerous web pages, a good place to start is http://www.cybercom.net/~rnewman/scientology/home.html. It has pointers to many other pages. Also, many of the critics (including several who have been raided, sued, or threatened) show up on IRC channel #scientology. Be careful of what you post in alt.religion.scientology, or the cult could start emailing threats to you too. From markm at voicenet.com Tue Apr 23 20:18:03 1996 From: markm at voicenet.com (Mark M.) Date: Wed, 24 Apr 1996 11:18:03 +0800 Subject: Internet Watchdog Message-ID: <Pine.LNX.3.92.960423172151.384A-100000@gak> I found this on the Fringeware mailing list and thought it would be of interest. ---------- Forwarded message ---------- Date: Sat, 16 Mar 1996 17:58:26 -0600 From: FringeWare Daily <email at fringeware.com> Reply-To: Jim Thompson <jim at SmallWorks.COM> Subject: 1984 - I'll be watching you Sent from: jim at SmallWorks.COM (Jim Thompson) Algorithm Inc. -- WatchDog tracks where Internet users go, what they look at [The Boston Globe, 22-Feb-96, p. 54, by Hiawatha Bray] Ever get the feeling that your computer is watching you? Mine has been keeping an eye on me and I don't much like it. I've been trying out a clever, creepy piece of software called WatchDog that tracks every move I make on my office or home computer. Despite its name, Internet Watchdog doesn't track just on-line activity; it keeps a log of every program running. The program was created by Algorithm Inc. in Atlanta, and is being marketed by Charles River Media in Rockland. I've run Internet WatchDog on my home machine for about a week now, and I have only one problem with the product -- it works. It's a superb piece of software that makes my skin crawl. Blame it one experience. Years ago, I worked at the US Postal Service on an electronic mail sorting machine. In those days, Postal Service managers assumed that all workers were lazy and dishonest. We were constantly watched through video cameras and two-way mirrors to make sure we weren't stealing anything. And computers monitored us at the sorting consoles to make sure we put forth our maximum effort. Programs like Internet WatchDog could bring some of that flavor of paranoia to business offices all over America. But David Pallai, president of Charles River Media, says that's not what he has in mind. Pallai's goal was a less intrusive, more efficient way to monitor the Internet. "We did not believe in censorship or blocking, " Pallai said. Internet blockers like SurfWatch or Cyber Patrol rely on lists of naughty 'Net sites drawn up by a sort of Legion of Decency. It's a job Pallai didn't want. Besides, so many new sites open every day that these blocking programs must be constantly updated, and customers must pay for the privilege. "We decided that what we need is something that monitors, as a telephone bill monitors calls, instead of blocking a program," Pallai said. Internet WatchDog is available in Windows or Macintosh formats. It starts whenever you turn on the computer. You can switch it off, but the program will tell your boss if you do. The boss gets a password that lets him or her read the information that Internet WatchDog has filed away. Internet WatchDog stores a log of every important computer event. It remembers when you turned the machine on, the name of every piece of software you've used and when you used it. Start up your Internet dialer or a copy of Doom, and it's there. Do you occasionally download photos from the Internet? Don't save them on your hard drive. Internet WatchDog searches the drive and lists every file in the GIF and JPEG formats, the most popular way to distribute pictures on the net. So keeping files with names like NEKKID.GIF isn't a smart idea. The slickest, spookiest part of Internet WatchDog is its automatic screen capture. The software keeps count of the changes in pixels - the thousands of tiny glowing dots on your computer screen. If enough of the pixels change, the program knows that some new image has flashed up on your screen. When that happens, it takes a screen snapshot, marks it with the date and time, and files it away. Even if you don't change screens, a snapshot will be taken every 15 minutes. Then the boss can see the same images you've been looking at all day. The program will save up to 10 megabytes of data - more if the boss asks for it. You can go back in time and see exactly what an employer (sic - TT] was doing on his computer on 2:15 last Wednesday. Internet WatchDog has only been on sale for a few weeks, but already, Pallai has gotten lots of feedback. "When I hear from the CEOs, they love it," he said. "When I hear from employees, they hate it." I'll bet. Of course, employers aren't the only ones who can use Internet WatchDog. Pallai is also selling his products to parents and school systems who want to monitor children's use of computers. Indeed, Pallai estimates that about 60 percent of his customers so far have been parents and school systems. Snooping on the kids is fine with me. Children were made to be monitored. It's using this stuff on grown-ups that I don't care for. Even Pallai isn't entirely thrilled. To make Internet WatchDog a little less intrusive, he tweaked some features. For instance, the program doesn't spy on you in secret. It announces its presence when it starts up. Pallai decided not to include a feature that would identify every Internet site you visit. And there's no versions for networks yet - Pallai's not sure he wants a network administrator to look in on every worker's computer anytime he likes. "We were trying not to make it too Big Brotherish," he said. But other firms are selling snoop software designed for network use. Much of it was developed to ensure that workers aren't using pirated programs on the job, but it can also be used to analyze every move you make on your computer. And the rise of the Internet has given companies a big new reason to track corporate computer use. After all, it's the company's machine and the company's time. Your boss has every right to keep an eye on you. Still, it adds an unwelcome hint of paranoia in a world that already has enough to go around. Soon, we may all be staring at our computers, wondering whether they're staring back. From eck at panix.com Tue Apr 23 20:31:15 1996 From: eck at panix.com (Mark Eckenwiler) Date: Wed, 24 Apr 1996 11:31:15 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <199604231714.KAA14970@netcom9.netcom.com> Message-ID: <199604231749.NAA09020@panix.com> Bill Frantz sez: + + If lawmakers are to come up with a rational law, a big if, they will have + to differentiate between a bug in a "tame" worm which lets it get loose as + a virus, and a virus which was meant to be destructive from the get go. + And then they will have to decide what to do about the virus that was + designed to write, "Hi Mom!" on as many screens as possible with no + malicious damage, and bugs in it. 18 USC 1030(a)(5) makes such a distinction, treating intentional harm more severely than releasing a virus "with reckless disregard of a substantial and unjustifiable risk" of harm. The latter is only a misdemeanor; the former, a felony. The statute didn't always make this distinction. In fact, it was the RTM case -- brought under the former felony-only version of the statute -- that inspired the 1994 amendment dividing the offense into two separate offenses. -- Wovon man nicht sprechen kann, darueber muss man schreiben. Mark Eckenwiler eck at panix.com From dwa at corsair.com Tue Apr 23 20:34:28 1996 From: dwa at corsair.com (Dana W. Albrecht) Date: Wed, 24 Apr 1996 11:34:28 +0800 Subject: CO$ Message-ID: <199604232201.PAA08509@vishnu.corsair.com> > Hi, lately we have had numerous threads on the CO$, and its threats to > remailers, and the such, I am quite interested > in the discussions regarding the cult, and want to know if anyone out > there knows of a mailing list that deals with it that I can join. This isn't really cypherpunks material, but since we *have* had so many threads on the Co$ (for better or for worse), here are some recommended sources of information: (1) Ron Newman's Web Page. http://www.cybercom.net/~rnewman/scientology/home.html (2) Marina Chong's a.r.s. Web Page summary. http://www.cybercom.net/~rnewman/scientology/marina.html (3) The Usenet group alt.religion.scientology. (High volume). I'd recommend visiting (1) first, as it provides excellent background information. (2) provides a good master index to Scientology information (both pro and con) on the net, and provides a good starting point for exhaustive surfing. (3) is the standard discussion group. Hope this helps! And now back to our regularly scheduled crypto discussion... Dana W. Albrecht dwa at corsair.com From pcw at access.digex.net Tue Apr 23 20:37:52 1996 From: pcw at access.digex.net (CyberiaLON_5) Date: Wed, 24 Apr 1996 11:37:52 +0800 Subject: Text-based Steganography... Message-ID: <199604231854.TAA18197@easynet.co.uk> I'll be giving a talk on text-based Steganography this Friday at the Newton Institute in Cambridge, England. 10 am. The talk will discuss how to disguise data as innocuous looking text for all of the usual reason one wants to hide something. -Peter Wayner From sameer at c2.org Tue Apr 23 20:47:10 1996 From: sameer at c2.org (sameer at c2.org) Date: Wed, 24 Apr 1996 11:47:10 +0800 Subject: ApacheSSL In-Reply-To: <199604232059.NAA24322@toad.com> Message-ID: <199604232150.OAA01944@atropos.c2.org> > If they're handling money, then, yes, the paranoia is probably necessary. > Aside from the 40-bit vs. 128-bit issue, one of the big security risks of SSL > and similar systems is that the server they run on is typically sitting right > out there on the Internet waiting for somebody to crack it, and keeping > credit card information on the same rather than handing the encrypted > information > across some secure interface (whether a firewall or dedicated RS232 or > whatever.) > A bulletproof 128-bit interface doesn't help if it's running on a cracked > machine. > Putting it on a separate firewalled machine is a Good Thing. Yes, and being able to review the source code of the server for security holes is also Important, if you are dealing with real money. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From vznuri at netcom.com Tue Apr 23 20:54:52 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 24 Apr 1996 11:54:52 +0800 Subject: Java, distributed OO revision control Message-ID: <199604232022.NAA10094@netcom12.netcom.com> in some earlier essays posted here I have been exploring some of the ramifications of Java and the distributed computing model it gives rise to, suggesting that many new standards are on their way to deal with the unique associated programming complexities. here are some more thoughts along this line. Java clearly was designed to allow the integration of objects located anywhere in cyberspace, although this is not yet realized in widespread practice. even as part of the basic standard it proposes a naming hierarchy (i.e. object namespace) that includes internet domain names. the problem of distributed objects is somewhat interesting and I believe will lead to many new advancements but also require many sophisticated new practices on the internet. however, these are the "same problems" that have been repeatedly encountered in the past, just re-rearing their heads in a way that begs for systematic treatment. consider the problem of software that uses a lot of different components built by other people. I create a Widget X that uses Gadget A,B,C, all of these being different pieces of code maintained by other people somewhere on the net. each of these pieces of code may go through revisions that make earlier conventions obsolete, or worse yet, introduce unexpected bugs. this is a very basic problem of software development whether you are within a company or within cyberspace, but it is going to become far more prevalent once distributed objects are in place. how can we deal with this complexity? == one idea that occurs to me that would be very powerful in tackling these problems would be a "distributed object oriented revision control system", DOORCS. many here are familiar with revision control systems that work on program files. what I imagine is a RCS that allows individual objects to be checked in and checked out, and keeps track of earlier versions of objects. let's say then that I write my Widget X. I could "freeze" the versions of the objects A,B,C that I want to use if each of these designers was using the DOORCS-- they commit to keeping earlier versions of their code in place so that my own code is stable. this is *not* the same as me copying their code into my own directories, which is highly undesirable from the point of view of development, because it forks off the lines of geneology. hence when my code runs, it names the version of the objects that it is using over the network. so when people create new versions of objects, my code is guaranteed stable. all kinds of interesting embellishments on this system can be put in place that might allow automation of software jobs and chores that take a very long time in our current system, some of which I will describe. imagine the problem of some code being revised, and the designer must spend time integrating the new changes into his system. what I propose would be that when people create objects, they also include an "intention" field that indicates things like: 1. how long this version is likely to stick around, if new versions are in the pipeline 2. how long this version will be kept around after new versions of the object are created, i.e. "expiration date" 3. whether new versions is/are going to be backward compatible this kind of information could be in fact applied on a method-per-method basis. now imagine that I run a program associated with my Widget X called "update". this program goes out into the object hierarchy and notifies me of new versions of my objects that are in existence. it might automatically adjust versions to new versions of the objects if they are supposed to be "backward compatible". it could tell me things like "so-and-so object that you are using is going to be replaced in [x] days", or "so-and-so version was replaced with a newer version". with this kind of information, combined in ingenious ways, I can actually measure the overall "stability" of my program based on the "stability" of all the parts. I can actually make design decisions about using different objects "out there" that are likely to be more stable, if that is my preference, or more "state-of-the-art" but buggy (the basic tradeoff going on here). now, here is where the fun can really begin. when all of these systems are formalized and standardized, you can write software that automates some of the very difficult tasks that many programmers face. I would wager the majority of time spent in large programming tasks is dedicated to some basic problems: 1. regression testing. adding new components and making sure the "whole" still works when you add new parts (objects). 2. locating bad modules when a regression test fails. imagine that these time consuming processes that take days of the lives of programmers could be *automated*! that is precisely what I am proposing would be possible with a very good DOORCS. here's how it would work: a person that creates an object also creates "assertions" or regression tests built into the object. these tests are run to make sure they pass for some version of all the objects that this object comprises. these assertions should be code that can be run with an exit status of "code passed" or "code failed". now, when new versions of the other objects are created, an automated "packager" could test the new versions of code automatically, and also isolate bad versions of the new objects that aren't backward compatible or introduce new bugs (i.e. "regress"). the automated "tester" would be similar to a binary search algorithm: it would start by adding all new modules, and then running the regression tests. if it passes, the new modules are considered trustworthy. if it fails, it can switch back and forth between previous and new versions of the modules, rerunning the regression tests, and automatically find the bad modules possibly very rapidly!! I claim that this is exactly what programmers often spend many of the hours in their day doing, and an automated means of doing this could possibly be quite revolutionary. furthermore, adding the "distributed" aspects of associated with cyberspace, and you have a sort of "holographic programming environment" in which everyone on the Net effectively becomes a cooperative programmer in the same company!! == now, consider some other interesting problems. often people have different ideas about where they want code to "go" in the future. a DOORCS system might actually track the geneology of a piece of code, and allow anyone, not merely the original creator, to create a new "branch" of development of any object on the net. viewed in this way, we have a sort of "object commune" in which everyone contributes what they want to the development of software, and it simply moves in the directions that are decided by mass consensus. you might have "breakings" and "mergings" as people diversify and unify different algorithms. anyone can decide to use any version of the object in the existing tree, or modify it accordingly. in fact this creates a sort of "software breeding ground" in which different objects are crossed, intermixed, and combined by programmers, the trees or geneology of which are tracked by the DOORCS. one concept to bring out in all this: what I am proposing is also a hierarchical method of revision control in which the granularity of control is very narrow, i.e. that of individual objects. it is this granularity or resolution that allows all the neat tricks and very streamlined version management. (today, most companies do RCS on the level of entire programs or files in those programs, which would not fully support all of these capabilities I've delineated.) in the view I am proposing, every piece of software is an "object" composed of other "objects". these objects all have their own versions, and some fixed combination of these versions, plus additional modifications can be named a unique version of the encompassing object. also, I like the idea of every object having a "maintainer" or an email address of where to send bug reports to. it seems that I am eternally finding bugs in other people's software when I try to write my own software, and in some ways this is an impossible fate to avoid (users invariably become bug finders). at least this way I would have somewhere to complain to. an object might actually store all of the bug reports or enhancements that have been sent to it from the net, and when the maintainer goes to modify that object, he can automatically call up all the associated comments! the maintainer may even find that various enhancements have already been added to his objects by others "out there" and he might take the task of "authorizing" (i.e. integrating into his "official" version) all the ones he finds most relevant and useful to his software. note that some of the things I am proposing can be handled by inheritance properties in language, and there is some similarity, but I don't consider current concepts of inheritance in general the proper mechanism for dealing with revision control, although it may be that new concepts of "inheritance" that combine it with the above revision control ideas find their way into languages. note also that I am very explicitly abandoning the idea that some programmers have, "if someone's new software doesn't work, then they should fix it, and not distribute buggy software". the whole concept and premise here is that BUGGY SOFTWARE EXISTS and cannot necessarily be detected by the PRODUCER of that software, and that a system ought to be devised in which the CONSUMER can have total freedom over what versions of the software he uses based on his own perceptions of its value or bugginess. the more that bugs and program development are seen as an inherent part of the process, the more beneficial the overall system in my view. == (there will be many people who object to all this as fantasy based on MONEY. "who will pay for it??" ask the unimaginative. I don't want to get into the economics of all this in this paper, only to say that I did explore this in an earlier paper, where I said that microcurrency combined with per-use-charges on objects could lead to a very interesting "vending machine software environment".) while all of these ideas may sound "pretty but unnecessary" at this moment, I think they will be seen as increasingly critical when distributed objects begin to catch hold on the Internet with the Java paradigm. many programs such as Makefiles were invented for the sole purpose of dealing with the associated complexity of programming, not the programming itself, and I think this trend will be continuing. increasingly, programming environments are not merely going to be programming languages, which is a very minor part of program development, but entire systems for the development of code. many programmers tend to oppose these new systems, insisting that "I could do all that by hand in the old days". but they really will save tremendous labor if done properly, and not create new limitations and burdens but instead give new freedoms and options to the programmer, From jya at pipeline.com Tue Apr 23 21:33:03 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Apr 1996 12:33:03 +0800 Subject: EYE_suk Message-ID: <199604232323.TAA16732@pipe3.nyc.pipeline.com> Responding to msg by adam at lighthouse.homeport.org (Adam Shostack) on Tue, 23 Apr 2:26 PM >Isn't the CIA forbidden from doing anything on US soil? Probably the CIA officers are linguists or analysts, maybe even cryptographers, who will be doing that they do at Langley and other US stations: processing foreign (non-US-citizen) intelligence coming into the country from a variety of sources. These roles would fit this paragraph of the article: To keep tabs on such potential foreign threats, around 25 CIA officers will be stationed alongside officers from the Defense Intelligence Agency the National Security Agency, and the FBI at an "all-source" intelligence command post to be established at an undisclosed location in the Atlanta area. Any CIA officers or agents or contractors here want to comment, top secretly? We're all compartmentalized, yes? From sjb at universe.digex.net Tue Apr 23 21:37:57 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 24 Apr 1996 12:37:57 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <Pine.BSI.3.91.960422151102.19963B-100000@wichita.fn.net> Message-ID: <199604231954.PAA22836@universe.digex.net> Bruce Marshall writes: >On Mon, 22 Apr 1996, Mark Aldrich wrote: >> The term "virus" connotes a pathogenic quality in the mind of >> many. Unfortunately, this tendency continues in the use of the word >> 'virus' within our community. > > Personally, I can see many useful functions for viruses. But I find the >viruses that simply destroy data--which tends to be the majority--to be >quite boring and childish. A non-destructive and innovative virus is >very interesting and comparable to any good software hack in my eyes. > >> While I understand that "intent" is something with which lawyers have to >> contend when they defend or prosecute a case, I don't think that the >> notion of intent to commit harm extrapolates correctly into the field of >> virus writing. O.W. Holmes suggested out in "The Common Law" that the law delineates a certain minimum level of competence in forseeing the outcomes of our actions which all members of society are expected to attain. We'll hold you responsible for actions a "reasonable person" should have avoided because of their danger. As such, persons with limited training in manipulating biological viruses are expected to avoid doing so. Individuals *with* training are expected to take adequate precautions to avoid their spread. I see no reason why electronic viruses shouldn't be treated similarly. If you're going to write them, you *better* take steps to prevent their release, or you are liable for the damages. From unicorn at schloss.li Tue Apr 23 21:42:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 12:42:45 +0800 Subject: EYE_suk In-Reply-To: <199604231926.OAA26127@homeport.org> Message-ID: <Pine.SUN.3.93.960423181900.10274B-100000@polaris.mindport.net> On Tue, 23 Apr 1996, Adam Shostack wrote: > | security operation. At its heart will be an estmated > | 3,000 Army troops, 6,300 National Guardsmen, and at > | least 10,000 other police and private security guards at > | peak strength, with an additional force of agents from > | the FBI, ATF, DIA, CIA, NSA and FEMA. > > Isn't the CIA forbidden from doing anything on US soil? Were that true they would have to move out of Virginia. What you are refering to is the provision in their charter (basically) forbidding intelligence activities in the United States. The National Security Act of 1947 defines the duties of the CIA. It does so primarily in terms of "intelligence" or "intelligence relating to the national security." Legislative history indicates that the intent of Congress was to grant a mandate for Foreign intelligence. Consider also the provision: "the Agency shall have no police, subpoena, law enforcement powers, or internal-security functions," 50 U.S.C. section 403(d)(3). It was contemplated that the CIA would be limited to foreign intelligence operations and conduct very few of its operations in the United States. The Agency was specifically permitted to be headquartered in the United States and conduct what acts may be necessary to administer that facility. "In public and private it was generally agreed among legislators and representatives of the Executive that the CIA would be 'confined out of the continental limits of the United States and in foreign fields,' that it should have no 'police power or anything else within the confines of this country,' and that it was 'supposed to operate only abroad.'" Select Committee to Study Governmental Operations with Respect to Intelligence Activities, Foreign an Military Intelligence, S. Rep. No. 755, Book I, 94th Cong., 2d Sess. 136-139 (1976); See Also, Stephen Dychus et. al., National Security Law (1990). The CIA has relied in past on section 102(d)(3) to authorize its limited activities in the United States. (Generally charging the Director with the protection of sources and methods). > > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 21:52:29 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 12:52:29 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <01I3W57WCR2C8Y500P@mbcl.rutgers.edu> From: IN%"richieb at teleport.com" "Rich Burroughs" 23-APR-1996 17:19:45.60 >On Tue, 23 Apr 1996, E. ALLEN SMITH wrote: >[snip] >> However, one reference in this report to Weaver's calling for a meeting >> to oppose the "Zionist Occupation Government" does provide an argument for >> calling him a racist of the anti-Semitic variety. On the other hand, the >> only person claiming this is the FBI's informant; the truth of his >> statements has been called into doubt. >I'm sure it has been. That doesn't mean his report is untrue. Is the >standard of proof the same for both of these issues? We need proof to >establish that Weaver is a racist, but not to establish that the FBI >informant is lying? I require a higher standard of proof for worse accusations. I consider calling someone a racist a worse insult than calling them a liar. Furthermore, that this is an FBI _informant_ is a strike against the person to begin with in terms of trustworthiness. >Separatist/supremacist... I don't see much difference between them, and I >believe the former is largely just a cover story for the latter. Weaver >is no hero, IMHO, though I believe the govt. fucked up big at Ruby Ridge. I don't approve of either separatists or supremacists; I just see the former as not quite as evil as the latter. Calling Weaver a supremacist is most common among the organizations that seem to believe that such actions as at Ruby Ridge are just fine, so long as they are against their enemies; it appears to be a public relations ploy (although the evidence is admittedly uncertain). I don't call Weaver a hero, either, but the most evil ones at Ruby Ridge were the governmental types. -Allen From unicorn at schloss.li Tue Apr 23 21:54:43 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 12:54:43 +0800 Subject: Bernstein ruling meets the virus law In-Reply-To: <199604231954.PAA22836@universe.digex.net> Message-ID: <Pine.SUN.3.93.960423183933.10274D-100000@polaris.mindport.net> On Tue, 23 Apr 1996, Scott Brickner wrote: > Bruce Marshall writes: > >On Mon, 22 Apr 1996, Mark Aldrich wrote: > >> The term "virus" connotes a pathogenic quality in the mind of > >> many. Unfortunately, this tendency continues in the use of the word > >> 'virus' within our community. > > > > Personally, I can see many useful functions for viruses. But I find the > >viruses that simply destroy data--which tends to be the majority--to be > >quite boring and childish. A non-destructive and innovative virus is > >very interesting and comparable to any good software hack in my eyes. > > > >> While I understand that "intent" is something with which lawyers have to > >> contend when they defend or prosecute a case, I don't think that the > >> notion of intent to commit harm extrapolates correctly into the field of > >> virus writing. > > O.W. Holmes suggested out in "The Common Law" that the law delineates a > certain minimum level of competence in forseeing the outcomes of our > actions which all members of society are expected to attain. We'll > hold you responsible for actions a "reasonable person" should have > avoided because of their danger. With you so far. (Though Holmes is by no means the litmus by which today's legal world tests its process). > As such, persons with limited > training in manipulating biological viruses are expected to avoid doing > so. Individuals *with* training are expected to take adequate > precautions to avoid their spread. I see no reason why electronic > viruses shouldn't be treated similarly. If you're going to write them, > you *better* take steps to prevent their release, or you are liable for > the damages. Now you jumped the argument a bit. There is a difference in holding someone to a reasonable standard generally, and defining several standards based on the experience of the person to which the standard is being applied. This latter approach is often called (jokingly by some) the Objective Subjective Standard. (Objective standard being without consideration of the view of the individual being judged, subjective including that view, and object subjective being the consideration of what the general class of individual would do without consideration of the individual's specific view). (What would a reasonable virus writer do is distinct from what a reasonable Bob Dwyer, Ph.D. Computer science might do is distinct from what a reasonable person might do). Many courts reject higher (or lower- there are arguments for this too) standards of care for experts than for lay persons or other non-experts in tort cases, prefering to impose the "reasonable person" (Reasonable man for those of you who went to law school before 1985) standard universially. If there is interest, I will post exerpts of the arguments on both sides of this issue with the header [Noise]. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 22:01:08 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 13:01:08 +0800 Subject: Nazis on the Net Message-ID: <01I3W5EWYFRC8Y500P@mbcl.rutgers.edu> From: IN%"nobody at REPLAY.COM" 23-APR-1996 18:33:53.11 [Neo-nazi holocaust revisionist bullshit deleted] My grandfather was among the people collecting the documents used at Nurenburg, and among those organizing the documents in question that were used in the trials. Look in the records for the Paris Documents Center, and you'll see his name - William H. Smith. (He would have been a major or a lieutenant colonel at the time, I believe). Anyone who tries to deny that the Holocaust happened - by which I mean that the Nazi government, probably with the complicity of the German people, comitted mass genocide, rape, and torture - is a fanatic, a moron, an ignoramus, or some combination of the above. It would have been better if the atomic bomb had been ready in time to use against Germany and Stalinist Russia. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Tue Apr 23 22:06:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 13:06:37 +0800 Subject: Rabbi Hier Testimony Message-ID: <01I3VYLGPR4W8Y4ZTJ@mbcl.rutgers.edu> People might want to take a look at Rabbi Hier (the founder of the Weisental Center)'s statements on "hate groups" and the Internet. While he (unlike Biden) does recognize that outlawing bomb-making information would be unconstitutional, he doesn't appear to approve of anonymnity on the Internet (nor, depending on how one interprets his statements, of encrypted communications without GAK). The first is to his (and the Weisenthal Center's) credit; the second is not. The URL is: http://www.wiesenthal.com/itn/hiertest.htm I came across it while looking for information re: militias and racism. As my previous information had caused me to believe, some militias are racist (or anti-Semitic), some are racial separatist, and some are neither. -Allen From llurch at networking.stanford.edu Tue Apr 23 22:12:07 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 13:12:07 +0800 Subject: Rabbi Hier Testimony In-Reply-To: <01I3VYLGPR4W8Y4ZTJ@mbcl.rutgers.edu> Message-ID: <Pine.GUL.3.93.960423140624.10574P-100000@Networking.Stanford.EDU> On Tue, 23 Apr 1996, E. ALLEN SMITH wrote: > People might want to take a look at Rabbi Hier (the founder of the > Weisental Center)'s statements on "hate groups" and the Internet. Why should they? They've already made up their minds. > While he (unlike Biden) does recognize that outlawing bomb-making > information would be unconstitutional, he doesn't appear to approve of > anonymnity on the Internet Where? He says: "We need to keep in mind that the obscene or threatening phone caller has neither his privacy nor his speech protected when he threatens a member of the community via phone - why are those protections afforded if he launches the same attack via the Internet?" I think Rabbi Heir is aware of the legal definitions of "obscene" and "threatening." Assuming we agree on those definitions, I agree with the above language. For example, I've received quite a lot of anonymous email and phone calls that are threatening by the colloquial definition, but which do not meet the legal definition of threatening or obscene attacks. I am personally interested in tracking these folks down, but I know better than to try to make it a legal issue, and if I do succeed in tracking them down, all that will be used against them is speech. On the other hand, if someone makes a clear and specific bomb threat through an anonymous remailer, then I would hope that attempts would be made to track him down. I would also hope that tracking him down would be extremely difficult and resource-intensive, and that the remailer operators would not actively help the trackers, because I strongly support the anonymity option when it is used nonviolently -- even and especially by people with whom I disagree. I feel I can have a much better conversation with an enemy if he knows that his talking to me doesn't make it easier for me to put a gun to his head. Openness is good. > (nor, depending on how one interprets his statements, of encrypted > communications without GAK). In such cases, I usually find it helpful to ask. Bcc'd to a couple of affiliates in the hopes that they'll clarify. I seriously doubt that they have any clue what Government Access to Keys means, though. > The first is to his (and the Weisenthal Center's) credit; the second is > not. The URL is: > > http://www.wiesenthal.com/itn/hiertest.htm My take is that Rabbie Hier is around the center of the SWC leadership. Rabbi Cooper is more likely to support censorship; Eaton is much less; Mark Weitzman is also in the center (of the SWC, not of the mainstream Jewish/anti-"revisionist" community, which is very supportive of free speech). On January 29th, the SF Chronicle (and probably other papers) carried this piece from Weitzman: http://www.wiesenthal.com/itn/oped10.htm In light of the fact that Michael Loomis's Zundelmirror continues to make the charge that the Simon Wiesenthal Center was in favor of censoring Zundel, a charge that not even Zundel has made, it's worth highlighting this: "The recent decision made by the German government to block certain providers was made without any participation by the Center. We have never requested either the German government or Deutsche Telekom to take such drastic steps. To assume that we have the power to control the German government is to renew the myth of International Jewry pulling the strings of various governments. The reality is that the German government, as a legally constituted government of a recognized democracy, has every right to create its own laws. As long as those laws, and their method of adoption, fall into the generally accepted range associated with democracies, then any attempt by foreigners to alter those laws is an intrusion and smacks of cultural imperialism.... To disagree with the German government (as the Center does on the arbitrary nature of the actions by Deutsche Telekom and Compuserve - we believe that laws should be applied only to those breaking the law, not to entire systems) and to inform the German government of such disagreement, as we have done, is quite different from attempts to break the law by aiding Nazi propagandists under the banner of free speech." Of course, I disagree. I think it's vitally important to help Nazi propagandists under the banner of free speech. As long as that's what you're doing. -rich From stevenw at best.com Tue Apr 23 22:48:07 1996 From: stevenw at best.com (Steven Weller) Date: Wed, 24 Apr 1996 13:48:07 +0800 Subject: RISKS: Java security/privacy bug Message-ID: <v01540b00ada322012ce5@[206.86.1.35]> >From RISKS: ---------------------------------------------------------------------- Date: Mon, 22 Apr 96 17:37:54 +0200 From: goldstei at iamexwi.unibe.ch (TERMINATOR) Subject: Java security/privacy bug We have found a privacy/security bug in the Java implementation of the Netscape Navigator. It is very easily possible for an applet to find out the pathname of the directory in which the Netscape Navigator was started. This information could then be sent back to a CGI program for logging. Clearly this information should not be available to an applet, as is indicated by the fact that applets are prevented from reading the "user.home" and "user.dir" system properties. When the Netscape Navigator is run under the Windows 95 OS, the pathname usually does not contain any critical information. However, when the Navigator is run under a multi-user network OS, such as UNIX, the pathname often contains the e-mail and/or login name of the user. In addition, the pathname might reveal details about the topology of the user's network, which an experienced hacker might be able to exploit. There are two ways to protect yourself from this problem: Either start up the Netscape Navigator in a directory whose pathname does not reveal any critical information, or disable Java altogether (Options | Security Preferences | General). A system administrator can protect his network by configuring the HTTP proxy server not to retrieve Java ".class" files. This bug is present in at least the following versions of the Navigator: 2.0 2.01 3.0b2 2.0GoldB1 2.01Gold and in the implementations for at least the following platforms: SunOS 4.1.2, 4.1.3, 4.1.4 SunOS 5.3, 5.4, 5.5 Windows 95, Windows NT IRIX 5.2, 5.3 HP-UX A.0903, A.0905 Linux 1.2.10, 1.2.13 FreeBSD 2.1.0-RELEASE OSF1 V3.2 We have not tested whether this bug also exists in Sun's HotJava browser. We will release full details of the bug as soon as Sun and Netscape have issued patches which fix the problem. Full details have been sent to Sun and Netscape. This announcements has also been posted to the "comp.lang.java" newsgroup and has been sent to CERT. Daniel Abplanalp and Stephan Goldstein (goldstei at iamexwi.unibe.ch) Berne, Switzerland ------------------------------ ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From rah at shipwright.com Tue Apr 23 23:15:06 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 24 Apr 1996 14:15:06 +0800 Subject: PEP Announcement (fwd) Message-ID: <v03006600ada332adbb79@[199.0.65.105]> Hey, Amos! Talk to me about using your spiffy chain-remailing script button with the new Eudora... It asks me for a directory in an open box now, and urps... Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From asgaard at sos.sll.se Wed Apr 24 14:17:18 1996 From: asgaard at sos.sll.se (Asgaard) Date: Wed, 24 Apr 1996 14:17:18 -0700 (PDT) Subject: "Separate but equal" as a racist doctrine In-Reply-To: <199604240441.AAA07568@pipe5.nyc.pipeline.com> Message-ID: <Pine.HPP.3.91.960424175845.18742A-100000@cor.sos.sll.se> On Wed, 24 Apr 1996, tallpaul wrote: > People who wish to organize for racist ideology behind this doctrine while > proclaiming they are not racists merely place themselves in the old racist > camp. Their organizing for (and their denials of) racist ideology does not > make them less racist, just less honest. I agree that separatism smells of true racism. Perhaps it's no use trying to adhere to the original interpretation of the term racism, since it has broadened with time to include everyone who is not a strong supporter of affirmative action and such. But debatings would gain from a strict definition of racism: Believing that races are significantly genetically different visavi intelligence or moral standards. I regard myself as not the slightest racist (if a Bantu is adopted into Swedish culture as an infant he becomes a Swede, regardless of skin colour) but a bit of a _culturist_: Believing that all cultures are _not_ equal in terms of collective intellectual inheritage and moral standards. Currently, the politically correct refuse to distinguish between racism and culturism, thus confusing a lot of issues. Asgaard PS The supreme culture is the Nordic, pre-Christian anarchy, of course. :-) From weidai at eskimo.com Wed Apr 24 14:23:16 1996 From: weidai at eskimo.com (Wei Dai) Date: Wed, 24 Apr 1996 14:23:16 -0700 (PDT) Subject: Golden Key Campaign In-Reply-To: <199604241415.HAA02557@jobe.shell.portal.com> Message-ID: <Pine.SUN.3.93.960424141313.12174A-100000@eskimo.com> On Wed, 24 Apr 1996, Hal wrote: > Rabin encryption would have the advantage that it could be used with > existing RSA keys as long as the modulus is a Blum modulus. PGP at least > has always used Blum moduli, perhaps for this eventuality. So an > alternative encryption program could use Rabin encryption and work with > the existing infrastructure of PGP keys. It would not of course be > compatible with PGP for encryption and decryption. > > This doesn't solve the signature problem; I'm not sure if there is a > signature algorithm which could use RSA public keys but which is not > covered by the RSA patent. In any case since PGP key certificates use > RSA signatures it would not appear to be possible to validate key > signatures without infringing on the RSA patents, so that cancels out a > lot of the advantages of using existing PGP keys. You can do signatures with Rabin too. I have a version of it in Crypto++ 2.0. It's been out for a while and RSA hasn't bothered me about it. Does anyone want to explain why, given the alternatives, people continue to use RSA and pay for it? Wei Dai From nobody at REPLAY.COM Wed Apr 24 14:25:22 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 24 Apr 1996 14:25:22 -0700 (PDT) Subject: Cashless Society and the Coming Collapse Message-ID: <199604242124.XAA14247@utopia.hacktic.nl> http://www.jcave.com/~whedonr/news2.htm The Cashless Society The October 31 issue of Information Week featured an article on the October 13 acquisition of Intuit Inc. by Microsoft Corporation for 1.5 billion dollars. Their vision is to create a world where all financial transaction are performed electronically. "Microsoft's vision of the future is clearly a world in which the majority of consumer and business transactions will take place online". Other companies are also rushing to enter the electronic transaction market place. Soon, there will simply be no need for cash, everything will be done on line. Automatic debits and credits from your bank and credit accounts will be performed in a few milliseconds. You will be able to purchase nearly anything in the world from your home via the electronic transaction. (Since the original writing of this article, Microsoft did not receive approval to make this merger with Intuit. However, the vision of Microsoft stays the same). America is already now seeing a widespread use of the "intelligent" smart cards. These cards are being used for telecommunications, medical information purchases, identification, and more. Western Union now offers a smartcard that you can purchase to make long distance telephone calls. The military has been issuing smartcards for some time now to all of it's personnel. California is issuing smartcards to all recipients of state benefits, including Social Security and welfare benefits. The federal government is considering plans to implement a smartcard for it's 3.1 million members for payroll purposes. This proliferation of smartcards has not been without it's perceived benefits. However, this new technology has created another problem, namely security. The security offered by the smartcard is not sufficient. Fraud, theft and abuse of smartcard technology has prompted for many officials to call for a more secure and personal means of transactions. A single card, useable anywhere in the world is being considered. But even this presents problems with the issue of security and privacy. An improvement on smartcard technology is now being formulated. For several years, microchips have been tested in animals to learn their effects, efficiencies and drawbacks. This technology is now perfected for use in humans. Instead of carrying several different types of smartcards, credit cards and identification, we are soon to be offered a single implanted chip that can contain information about us that anybody ever needs to know. Not until the last few years, has technology advance to the point where implantation of a microchip was possible within human flesh. This is a fulfillment of prophecy, for the Bible says "And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their forehead" (Rev. 13:16). Only very recently has technology made it possible to make such a mark in human flesh. With the widespread usage of computers and databases, tracking individuals and every financial transaction has now become a reality. These tiny chips are already being produced by the millions and millions today for a variety of electronic devices, including smartcards. We are on the verge of having these chips implanted in every human being. Are you prepared to take your mark? The Coming Collapse Another deceptive lie being propagated by the government and the media is our economy. The rate of unemployed workers in this country is being reported to us at only 3%. However, many private sources of information have this number much higher, closer to 9-10%. Some goes so far as to say unemployement is really 20%! Our government cannot afford the bad publicity of a recession. Statistics prove that nearly every major corporation has been downsizing staff by the thousands and thousands. Nearly 1 million positions have been abolished since the first of the year. Yet in the face of all this, our government continues to tell us that our economy is booming. Our federal deficit is also much higher then is being commonly reported. Deficit spending under President Clinton is at an all time high. Simply put, our nation cannot afford to continue on it's present course of overspending. In a report presented to President Reagan, a commission of 31 Congressmen stated that the United States would experience a financial collapse by the year 2012. Some forecasted that this coming collapse would happen by the year 2005. Consumer debt in America is the highest consumer debt in the history of the world, bar none. Many Americans live off of credit cards, always getting deeper and deeper into debt. The media portrays a fictitious world where we can "afford" anything. And if we don't want to "buy, buy, buy", then we are somehow dysfunctional or inadequate. The average American family has to work two jobs just to make ends meet. While our purchasing power continues to decline for every dollar we earn, there's always something new to buy. We are beset by self centeredness, self grandizement and narcissistic "needs". In a never ending downward spiral, we chase the holy grail of material wealth, urged on by the prophets of the press. Financial ruin, broken families, despair, hopelessness and stress related disease are often the end results. Thousands turn to alternate realities, including drugs, alcohol, adulterous relationships and other means of "release" from these financial pressures. America has been teetering on the brink of a financial disaster, unparalleled in human history. Efforts to avoid this collapse include the establishment of a new monetary system, including the issuing of new money. Currently, entire caravans of this newly minted money are being distributed around the country. A national and international recall of $100 dollar bills was proposed by Senators Patrick Leahy and John Kerry. This recall may quite possibly trigger the greatest financial collapse the world has ever seen. This financial collapse could be triggered overnight when mass panic, fear and distrust in the new monetary system becomes widespread. From unicorn at schloss.li Wed Apr 24 14:34:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 14:34:19 -0700 (PDT) Subject: [NOISE- Legal Theory] Reasonable people In-Reply-To: <199604241648.MAA05361@universe.digex.net> Message-ID: <Pine.SUN.3.93.960424150105.25996G-100000@polaris.mindport.net> On Wed, 24 Apr 1996, Scott Brickner wrote: > Black Unicorn writes: > >On Tue, 23 Apr 1996, Scott Brickner wrote: > >> As such, persons with limited > >> training in manipulating biological viruses are expected to avoid doing > >> so. Individuals *with* training are expected to take adequate > >> precautions to avoid their spread. I see no reason why electronic > >> viruses shouldn't be treated similarly. If you're going to write them, > >> you *better* take steps to prevent their release, or you are liable for > >> the damages. > > > >Now you jumped the argument a bit. There is a difference in holding > >someone to a reasonable standard generally, and defining several standards > >based on the experience of the person to which the standard is being > >applied. > > I'd argue that I'm holding everyone to the same standard: either know > the safe ways of handling viruses and follow them, or don't handle them > at all. Now you have to get into the question of who is a trained virus handler. This is a subjective analysis. The court is going to have to do this case by case. And below in your message its clear you do not hold everyone to the same standard. The virus/CPR expert is held to a different standard in your example. It is the same standard in that you punish everyone if they "Do something stupid." But "stupid" is different for each person. > You seem to imply that I'd hold the untrained virus writer > harmless. No way. He's reckless and *should* be liable. I indicated only that the standards you had for trained and untrained virus writers were different. > When one has > training, it's no longer reckless to simply handle (or write) the > virus, but disregarding safe procedures is negligent. See my above position. Three standards. One for those with training, one for those without and some kind of standard for determining what is 'enough' training. Given the traditional institutional costs of courts, particularly their 'catch up' chase with technology, I don't think I'd want courts doing these calculations. > >This latter approach is often called (jokingly by some) the Objective > >Subjective Standard. (Objective standard being without consideration of > >the view of the individual being judged, subjective including that view, > >and object subjective being the consideration of what the general class of > >individual would do without consideration of the individual's specific > >view). > > > >(What would a reasonable virus writer do is distinct from what a > >reasonable Bob Dwyer, Ph.D. Computer science might do is distinct from > >what a reasonable person might do). > > > >Many courts reject higher (or lower- there are arguments for this > >too) standards of care for experts than for lay persons or other > >non-experts in tort cases, prefering to impose the "reasonable person" > >(Reasonable man for those of you who went to law school before 1985) > >standard universially. > > I assume that a canonical example of the lower-standard case is the > "Good Samaritan" laws which reduce the liability of a trained person > performing rescue activities (e.g., administering CPR). Yes. > It seems to me that the "reasonable person" isn't the real issue > there. Someone with training ought to be expected to do the "right" > thing. If you're trained to administer CPR, and you do it *wrong*, you > shouldn't be absolved of liability -- you're negligent. But the other argument goes that we have to give the people who know what they are doing more leeway because they will be judged by people who don't know about the subject and because if we want to encourage good samaritans the way to do it is not by increasing their liability. (You effectively do increase their liability above by implying that you would like to impose a stricter negligence standard for trained CPR types). Keep in mind that doing the "wrong" thing isn't always negligence either. Doing the wrong thing because you were careless, that's negligence. Also note that you can be negligent without harming anyone. It could be argued that it's folly to impose a lower standard on the CPR 'idiot' and thus encourage him to run out and do CPR. One can imagine a scene where the CPR trained fellow pulls an idiot out of the crowd and gives instructions for the idiot to preform the CPR so as to take advantage of both his increased knowledge and the idiot's limited liability (reasonable person standard, not reasonable CPR expert standard). > If you don't > know anything about CPR (except what you've seen on "Baywatch"), then > we're back to what a "reasonable person" should do. That probably includes not trying to preform CPR... no? > If you're trained > and you do it right, but the person is still injured by your actions, > limiting your liability is society's way of encouraging you to use > your training for the common good. This begins to look like the partial abortion debate, where the argument goes something like this: Yes, it's criminal to preform the procedure, but you can absolve yourself after the fact by showing us (medical morons) that the mother's life was in danger. That's not encouraging in the least to doctors. (Which in the abortion example, is precisely the point). The trick is in your concept of "and you do it right." That's a subjective analysis. > In my mind, the difference between the objective standard and the > subjective one marks the difference between recklessness and > negligence. If an objective "reasonable person" wouldn't do it, it's > reckless. If a subjective "reasonable person" wouldn't, it's > negligent. This makes it REALLY tough. Reckless usually means extensive punative damages are on the way. Simple negligence doesn't always trigger them. By using these terms on the same facts the idiot gets simple negligence, the expert gets expanded liability and potential punative damages. Because the expert will be at significant disadvantage at trial (if he's an expert, if he knew what he was doing, why did the victim get hurt) what you've done is moved closer to the realm of strict liability for all experts. (Strict liability simply eliminates the negligence calculation. If you were doing the activity, (CPR) and someone got hurt, you're liable. Period. No calculation of fault). What this system does is create something like a rebuttable presumption of negligence on the expert. That starts to look like strict liability. > Perhaps these aren't the "legalese" usages of the terms, but it seems > reasonable to me. It creates systemic problems though. (Like the burden of overcoming the assumption that the expert must have erred). > >If there is interest, I will post exerpts of the arguments on both sides > >of this issue with the header [Noise]. > > I'd be interested. In an economic sense you want a negligence rule that balances a few interests. First, you want to either encourage or discourage the activity. (Virus work or CPR by the side of the road have different calculations). Second, you want to give injured persons the chance to recover damages. Third, you want to decrease the total number of accidents or injuries as much as possible. A lot of the decision whether to apply strict liability or negligence is going to be based on where you believe the costs should be shifted. Strict liability shifts the costs onto the person engaging the activity. The actor will increase his own costs to the extent he can still conduct the activity and still reduce the number of times he is called into court and damages are awarded against him. He will, of course, take no more care than his damages might be. If the largest ever award for a CPR related injury is $500,000, no one is going to spend more than that in increased care. The same calculation will be made with negligence, but the costs will more often be shifted to the victim. "The defendant will just take those precautions that minimize the sum of accidents and the costs of their prevention, whether negligence or strict liability is in place." Epstein, Torts 5d., 166 (1990). What you really want to do, economically, is shift the cost onto the party most able to bear the cost. ("Least Cost Avoider"). This will allow the return of damages with the least economic impact after the fact, and increase the amount of care exerted by the next Least Cost Avoider ex ante. It's interesting to note the argument that in the age of insurance, it really makes no difference who you put the costs on as society as a whole ends up footing the bill anyway. While holding experts to a higher standard makes some sense where experts are holding themselves out to be experts for marketing and reputation, when they are preforming acts like CPR and such you have to consider the possibility that a careless expert is better than a competent layman. For full treatments, See e.g., Shavell, Economic Analysis of Accident Law (1987); Rosenbaum, The Degree of Skill and Care Legally Required of a Medical or Surgial Specialist, 49 Medico-Legal J. 85 (1932); Eddy, Professional Negligence (1955); D. Parlett, Professional Negligence (1985); Comment: Professional Negligence, 121 U.Pa.L.Rev. 627 (1973). --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From stewarts at ix.netcom.com Wed Apr 24 14:37:31 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 24 Apr 1996 14:37:31 -0700 (PDT) Subject: RISKS: Compuserve "secure" login Message-ID: <199604242010.NAA02828@cygnus.com> >Date: Thu, 04 Apr 1996 19:34:12 +0200 >From: Heinz-Bernd Eggenstein <eggenste at noether.informatik.uni-dortmund.de> >Subject: CompuServe's "secure login protocol": two steps forward, one back >Summary: a new CompuServe Information Service (CIS) logon protocol was >designed to prevent passive and active attacks (where the attacker >impersonates a CompuServe node) but a flawed implementation in the >WinCIM 2.0(.1) client software still allows active attacks. ... > .... HR=UR=MD5(S|Z|RA|RB|S) .... >I notified CIS about these weaknesses and I was informed that they are >"fixed" now, no details were given about the fix (source: Britta Herbst, >German customer support (11111.754 at compuserve.com)). ... >I think this a good example how to half-ruin a good protocol by embedding it >into carelessly written code. In addition to the posted weaknesses (which were mainly implementation issues), there's another major problem with this - it means that the user's passwords have to be stored on the Host machine (or an authentication server) in _plaintext_, rather than storing a hash (e.g. like Unix passwords.) This means that if the host's password file is cracked, the entire system loses. You can do a little better than this by having the password file encrypted with a key which the login process / authentication server has, requiring theft/cracking of that key (difficult) as well as theft of the password file; the encryption could either be a symmetric-key system or public-key if you're willing to spend the decryption time, which CompuServe probably isn't. A couple years ago I found an obvious application of Diffie-Hellman which avoids this problem; unfortunately it turned out to be patented by someone from Siemens (first as a German patent and then a US patent, so it's definitely too much trouble to try to overturn the patent...) The basic approach is to use a commutative hash function, which lets both sides calculate HA(B) == HB(A) ; modular exponentiation worked fine. Of course, if you're allowing active attacks, there's always session hijacking... # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From wb8foz at nrk.com Wed Apr 24 14:37:48 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 24 Apr 1996 14:37:48 -0700 (PDT) Subject: EYE_suk In-Reply-To: <pKnfx8m9LANQ085yn@netcom.com> Message-ID: <199604241938.PAA07049@nrk.com> > > (BTW, it's worth wondering what restrictions there'd be if it were > > not for an ENORMOUS turf battle between them & Jill Edgar Hoover.) > > Or, if Hoover had won that battle and acquired control of foreign > intelligence, just how much more like Lavrenti Berya he would have > become. Hoover did win, AFAICAT. He got domestic contelpro. James Jesus was shut out.... FI? I doubt anyone outside of JEH ever thought he'd get that. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From abostick at netcom.com Wed Apr 24 14:37:52 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 24 Apr 1996 14:37:52 -0700 (PDT) Subject: EYE_suk In-Reply-To: <199604240503.BAA04064@nrk.com> Message-ID: <pKnfx8m9LANQ085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604240503.BAA04064 at nrk.com>, David Lesher <wb8foz at nrk.com> wrote: > (BTW, it's worth wondering what restrictions there'd be if it were > not for an ENORMOUS turf battle between them & Jill Edgar Hoover.) Or, if Hoover had won that battle and acquired control of foreign intelligence, just how much more like Lavrenti Berya he would have become. - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX5zjuVevBgtmhnpAQE13wL+Lsh+r1qZut8Ohb9q5nO2KfK9/S2+zcih vZeztr17+zKpvAyde8IV7gKvqxNWHS661bVmRqgXn7dhOdFFRnxFVeqZkJIEPx/H xjDTFz6gCIqM+l5HDJ2uZwr8m1eEhvU+ =rdPr -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Wed Apr 24 14:37:54 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 14:37:54 -0700 (PDT) Subject: Militias, reputation capital, unfounded rumor-mongering, and the DNS Message-ID: <Pine.GUL.3.93.960424121254.19618H-100000@Networking.Stanford.EDU> Anatomy of a paranoid troll: http://fight-censorship.dementia.org/fight-censorship/dl?thread=FBI+monitoring+Freemen+FTP+sites,+snooping+on+%22patriot%22+email?&after=2275&type=short Someone sent a message to Declan alleging that the FBI, with the cooperation of ISPs, was reading/disrupting/censoring the email of people interested in "patriot" movements. Declan said hmm, I can see the FBI doing that, and forwarded the message to fight-censorship. I pointed out that the story was complete bullshit, which is easily verified (yvv.com's incompetence in managing their DNS affects all users, including postmaster at yvv.com, not just the paranoid), but evidently my reputation capital on the moderated fight-censorship list is so low that instead of my objections, subscribers to the fight-censorship list got to read another, more paranoid rant. I do not expect this story to die, even though it's completely false -- it's too good. The meme in the subject line is awfully strong, lots of people won't take the time to read more than the title, and who really listens to a FUCKING STATIST anyway. Truth is indeed stranger than fiction, but seldom in the way you think. -rich From abostick at netcom.com Wed Apr 24 14:37:57 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 24 Apr 1996 14:37:57 -0700 (PDT) Subject: "You have been deleted" In-Reply-To: <ada2fe6f030210045e74@[205.199.118.202]> Message-ID: <Gvnfx8m9LAUU085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <ada2fe6f030210045e74@[205.199.118.202]>, tcmay at got.net (Timothy C. May) wrote: > Theory 1: > > While working through the examples for Day Eight of "Teach Yourself Java > for Macintosh in 21 Days," I accidentally created a rogue applet which > enabled a virus developed in Bulgaria to enter my system. From there, it > infected several other computer systems, including a Sony PlayStation, a > Foonley, and several Exidy Sorcerers. Service to Northern California is > only now being restored. > > Theory 2: > > The Men in Black finally had enough, especially of my theft of their domain > name (Blacknet). At 9:09 a.m., PDT, Clinton's black helicopter detoured on > its route and landed on my hill, abducting me for medical experiments I am > too embarrassed to describe (except that Chelsea was also involved). I am > back now, albeit subtly changed (for the better). > > Theory 3: > > My ISP, got.net, had a router failure on its "ZNEt" link to the outside world. > > > > Take your pick. Or maybe we should vote? The social construction of > reality, and all. > > Alas, sometimes the truth is too banal. It's a clever piece of misdirection, "Tim", but it just won't work. You know as well as I that that was no router failure at all, but an unavoidable side-effect of putting the man-in-the-middle connection that directs all electronic communications to or from the real Tim May through the Blue Cube at Onizuka Air Force Base. Poor Tim - getting a sanitized, innocuous Internet feed. Possibly none the wiser for it. I bet you're having fun, whoever you are, with the chance to make a monkey out of Tim. But we're on to you, and it's only a matter of time before Tim is, too. - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX5/neVevBgtmhnpAQE8cAMAutAs59yLLJDj7Z7FDc4j2kZzky5GgmdV 0A2m+FTyhSgdj5ZydHqh4Dp2JteMBOibjIT5LJbOKRF4QAGneHJcLPKp84CNST5m ucVuHpa5Wq22jGul4rUYoAIoeLqhu0LN =HWUG -----END PGP SIGNATURE----- From sjb at universe.digex.net Wed Apr 24 14:38:07 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 24 Apr 1996 14:38:07 -0700 (PDT) Subject: arbiter/escrow agent for hire In-Reply-To: <199604241149.NAA27753@digicash.com> Message-ID: <199604241913.PAA12632@universe.digex.net> bryce at digicash.com writes: >3. My fee per bet is USD5.00 or FIM50.00, or cyb7000.00. >This is for "simple", winner-take-all bets. For other >arrangements, make me an offer. Wouldn't it be more reasonable for the fee to be something like 2%? It seems odd that to have a $2 bet settled you'd need to pay $5. And since the ante is required before the bet is formalized, why not just take your cut out of the winnings? From attila at primenet.com Wed Apr 24 14:38:13 1996 From: attila at primenet.com (attila) Date: Wed, 24 Apr 1996 14:38:13 -0700 (PDT) Subject: You have been deleted Message-ID: <199604241904.MAA20012@primenet.com> To: Black Unicorn <unicorn at schloss.li> From: attila <attila at primenet.com> Reply-To: attila <attila at primenet.com> Subject: Re: "You have been deleted" Addressed to: Black Unicorn <unicorn at schloss.li> Tim May <tcmay at got.net> ** Reply to note from Black Unicorn <unicorn at schloss.li> 04/24/96 03:01am -0400 = On Tue, 23 Apr 1996, Timothy C. May wrote: = = > its route and landed on my hill, abducting me for medical experiments I am = > too embarrassed to describe (except that Chelsea was also involved). I am = > back now, albeit subtly changed (for the better). = = That a medical experiment including Chelsea could improve a man is beyond = the bounds of reason. = = Mr. May, are you making this up? = attila sez: Not necessarily. it may be speculation or wishful thinking on the part of Chelsea, or even Bubba and Hillary. -- Obscenity is a crutch for inarticulate motherfuckers. Fuck the CDA! cc: Tim May <tcmay at got.net> Cypherpunks <cypherpunks at toad.com> From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 14:38:16 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 14:38:16 -0700 (PDT) Subject: Anonymous banking Message-ID: <01I3X9YJ35NE8Y50LP@mbcl.rutgers.edu> Speaking of the below information, what is anonymous banking like in Austria, Colombia, Venezuela, and Thailand? -Allen >Copyright 1996 Nando.net >Copyright 1996 Reuter Information Service >VIENNA (Apr 24, 1996 11:18 a.m. EDT) - The United Nations, fighting a >rearguard action against illegal drugs and money laundering, on Wednesday >turned its fire on sloppy banking laws and called on all states to ban a>nonymous accounts. [...] >Experts say anonymous bank accounts are a safe haven for drugs money and >are an ideal vehicle for laundering cash. >They say the drugs trade must be attacked at its roots by cracking down on >transfers of narcotics-based "dirty money." [...] >Drug barons use a number of ruses including anonymous bank accounts and >specially set up front businesses, such as restaurants, to channel large >sums of money and obscure its origins. The money comes out "clean," or >laundered. >Helmut Butke, who chaired the meeting of the 53-member Commission of >Narcotic Drugs, said the United States was the main sponsor of the >resolution which seeks to streamline and increase international cooperation >against money laundering. >The draft resolution, which was shown to Reuters, "urges states to prohibit >banks and other financial institutions from offering accounts identified >only by a number, anonymous accounts or accounts in obviously false names." >It also urges states "to take all reasonable measures to ensure that such >institutions are informed of the identities of beneficial customers in all >transactions." [...] >Austria, the only country in the EU which allows anonymous bank accounts, >was adamant its current legislation did not run counter to the resolution. [...] >The Vienna government is clinging on to its banking system, saying the >accounts were useless for money laundering as they do not extend to >deposits over 200,000 schillings ($19,000). >But Washington last year ranked Austria alongside Colombia, Venezuela and >Thailand in a league table of nations that tolerate money laundering. From cypherpunks at count04.mry.scruznet.com Wed Apr 24 14:38:16 1996 From: cypherpunks at count04.mry.scruznet.com (cypherpunks at count04.mry.scruznet.com) Date: Wed, 24 Apr 1996 14:38:16 -0700 (PDT) Subject: EYE_suk In-Reply-To: <199604241225.IAA05345@nrk.com> Message-ID: <199604251859.LAA28220@count04.mry.scruznet.com> >Subject: Re: EYE_suk >To: ses at tipper.oit.unc.edu (Simon Spero) >Date: Wed, 24 Apr 1996 08:25:23 -0400 (EDT) >Cc: cypherpunks at toad.com (Cypherpunks) >In-Reply-To: <Pine.SOL.3.91.960423221718.19976A-100000 at chivalry> from "Simon Spero" at Apr 23, 96 10:18:37 pm >Reply-To: wb8foz at nrk.com >Content-Type: text >Sender: owner-cypherpunks at toad.com >Precedence: bulk > >> >> >> > Isn't the CIA forbidden from doing anything on US soil? >> >> That'd make cointel a little tricky :-) >> Simon > >Errr, >That is the Feeb's department, & they guard it like the family >jewels..... > BZZT!!! wrong answer since 1981 on december 4 when president reagan signed it into Executive Order #12333 TLA's(those intelligence agencies having strictly offshore charters CIA,NSA others) have been permitted to operate domestically in cases of National Security(or involvement with persons suspected of being agents for foreign entities) and Drug War issues. Formerly it was simply illegal but since the intel community had taken such a hard hit during the church subcommittee hearings of the 1970's the new tactic was to acquire legitimacy for black ops on domestic fronts thus the above EO was shoved under reagans nose quickly... The reference to the above EO may be found in the "CIA off Campus" booklet by the Bill of Rights Foundation on page 134-135 ISBN 0-89608-404-3 (c) 1991 by Amy Chen Mills and the Bill of Rights foundation. Get it its a fascinating read!!.. cheers From jsw at netscape.com Wed Apr 24 14:38:32 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 24 Apr 1996 14:38:32 -0700 (PDT) Subject: Golden Key Campaign In-Reply-To: <199604241540.IAA03214@atropos.c2.org> Message-ID: <317E73AD.2362@netscape.com> sameer at c2.org wrote: > > > The key at the bottom of the Netscape window is not the RSA logo, and > > doesn't even look much like it. Our key is meant to convey the > > absence or presence of encryption via a metaphor that is understandable > > to the average home user, not as an advertisement for RSA. > > The RSA key *does* appear on the flash screen though, > remember. Yes, this screen does appear on startup on the unix version, but on Mac and Windows (90% of installations) it only appears when you select "About Netscape" from the "Help" menu. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 14:38:34 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 14:38:34 -0700 (PDT) Subject: arbiter/escrow agent for hire Message-ID: <01I3X9N6RA1W8Y50LP@mbcl.rutgers.edu> From: IN%"bryce at digicash.com" 24-APR-1996 10:05:20.14 >1. Acceptable digital signature upon the "bet statement" >from each bettor. (Note that PGP signatures from PGP key >pairs which are not connected to me via the Web of Trust, or >which are not verifiable by me via an out-of-band >connection, are not acceptable digital signatures. This is >because of the MITM attack problem, not because I need True >Names to be connected to the signatures.) IIRC, currently Black Unicorn doesn't have any signatures on his public key of others. Therefore, this requirement, while understandable, could cause a bit of a difficulty in the current situation. >3. Amount of the bet from each bettor. This chunk of money >will be known as the "ante". Note that depending upon the >details of the "bet statement", each bettor may submit a >different ante. (Yes, up front. Yes, I get antes from both >bettors. Yes, I keep them while the bet is being settled. >Why do you think my fee is so low?) Chuckle. -Allen From declan+ at CMU.EDU Wed Apr 24 14:39:41 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 24 Apr 1996 14:39:41 -0700 (PDT) Subject: Rabbi Hier Testimony In-Reply-To: <01I3VYLGPR4W8Y4ZTJ@mbcl.rutgers.edu> Message-ID: <AlTadgO00YUvERbGhW@andrew.cmu.edu> Excerpts from internet.cypherpunks: 23-Apr-96 Re: Rabbi Hier Testimony by Declan McCullagh at CMU.EDU > The EF Canada web pages also detail how the SWC has been trying to get > the Canadian equivalent of the FCC to regulate the Internet. The ACLU > reports at the URL above how the SWC has tried the same trick here in > the U.S. While I'm at it, I should offer my prediction that the Southern Poverty Law Center likely will become active in attempts to regulate and control the Net. To the SPLC, bomb-building and other, um, incendiary information should be restricted. In today's Washinton Post, Morris Dees, the Center's co-founder, indicates that a book Timothy McVeigh read influenced him to bomb the Oklahoma City building. -Declan From llurch at networking.stanford.edu Wed Apr 24 14:41:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 14:41:45 -0700 (PDT) Subject: GIV_way In-Reply-To: <199604241316.JAA09448@pipe4.nyc.pipeline.com> Message-ID: <Pine.GUL.3.93.960424095109.19618B-100000@Networking.Stanford.EDU> On Wed, 24 Apr 1996, John Young wrote: > 4-24-96: "US prosecutor attacks bank secrecy laws." > > A US federal prosecutor yesterday told banks that they > are no better than prostitutes if they transmit money > without knowing their customers or the purpose of the > transaction. I agree with this completely. I'm sure that I disagree with said US prosecutor on the criminalization of sexual entrepreneurship (tm), though, so our agreement is meaningless. -rich From tcmay at got.net Wed Apr 24 14:41:50 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 14:41:50 -0700 (PDT) Subject: Kill Files Message-ID: <ada3a7bf02021004232e@[205.199.118.202]> At 2:04 PM 4/24/96, s1113645 at tesla.cc.uottawa.ca wrote: >One must note that capital punishment is an excellent means of >unsuvscription. > > >(Ps. Just joking, Jason or whoever you are.) On a serious note, I hereby predict that the term "kill file" will soon be picked up by the clueless media and/or Congress as a sign that the Internet is dangerous. (I'm sure it already has been used as a negative, but I'm predicting a more visible focus on this term, however briefly. To the average American, it conjures up images closely related to Jim Bell's ideas!) I had one of our "unsubscrive" newbies asking me what I meant by "putting him in my kill file," and saying he was planning to let his site manager know about "your threat." --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 14:41:50 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 14:41:50 -0700 (PDT) Subject: Nazis on the Net Message-ID: <01I3X4VRLZJ08Y50EU@mbcl.rutgers.edu> From: IN%"tallpaul at pipeline.com" 24-APR-1996 00:24:46.89 >> It would >>have been better if the atomic bomb had been ready in time to use against >>Germany and Stalinist Russia. >It was ready "in time" to use against "Stalinist Russia" (which, BTW, was >Stalinist "Soviet Union,"). It was not ready to use against the USSR/Russia (as should probably be evident from current nationalist movements in the non-Russian portions of the USSR, Russia tended to dominate that union) before the USSR was an ally of the United States. (I refer you to the Molotov-Ribbentrop pact between the USSR and Nazi Germany.) After the war, they were still tied by various agreements; by the time that it became obvious that Russia had broken those agreements, it had nuclear weapons and an attack would have been suicidal. -Allen From tcmay at got.net Wed Apr 24 14:41:54 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 14:41:54 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <ada3a446010210045243@[205.199.118.202]> At 2:07 PM 4/24/96, jamesd at echeque.com wrote: >At 11:45 PM 4/23/96 -0700, Timothy C. May wrote: >> And so the back-and-forth continues...taking up even more list space >> arguing, waffling, finessing, rebutting, disputing, and on an on. >> >> Exactly as several of us have predicted. > >True, but one should note that it is Jim Bell that is weaseling, >and that Unicorn is not weaseling. It doesn't matter too much who's mainly to blame--the result is the same. And game-theory-wise, there is little incentive to quickly push the wager to a well-defined final state. These "bets" are largely tail-feather displays, anyway, so the posturing and weaseling serves the purpose of one or more of the parties. Which is precisely why these bets take up so much list bandwidth. On the Extropians list, during the last few months I was on it, a huge fraction of the list traffic was devoted to such arguments (along with "pending court cases" involving one party filing charges against another, searches for mediators, countersuits, judgments, arguments about punishments, and on and on). Frankly, I thought that Black Unicorn claimed to have seen the error of his ways (in terms of debating with Bell) and was going to stop? --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From sjb at universe.digex.net Wed Apr 24 14:41:57 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 24 Apr 1996 14:41:57 -0700 (PDT) Subject: [NOISE] Reasonable people In-Reply-To: <Pine.SUN.3.93.960423183933.10274D-100000@polaris.mindport.net> Message-ID: <199604241648.MAA05361@universe.digex.net> Black Unicorn writes: >On Tue, 23 Apr 1996, Scott Brickner wrote: >> O.W. Holmes suggested out in "The Common Law" that the law delineates a >> certain minimum level of competence in forseeing the outcomes of our >> actions which all members of society are expected to attain. We'll >> hold you responsible for actions a "reasonable person" should have >> avoided because of their danger. > >With you so far. (Though Holmes is by no means the litmus by which >today's legal world tests its process). I know. I've no formal legal training, and picked up "The Common Law" to try to get an understaning of "lawyer-think", not to learn the law. You use what you know, though. >> As such, persons with limited >> training in manipulating biological viruses are expected to avoid doing >> so. Individuals *with* training are expected to take adequate >> precautions to avoid their spread. I see no reason why electronic >> viruses shouldn't be treated similarly. If you're going to write them, >> you *better* take steps to prevent their release, or you are liable for >> the damages. > >Now you jumped the argument a bit. There is a difference in holding >someone to a reasonable standard generally, and defining several standards >based on the experience of the person to which the standard is being >applied. I'd argue that I'm holding everyone to the same standard: either know the safe ways of handling viruses and follow them, or don't handle them at all. You seem to imply that I'd hold the untrained virus writer harmless. No way. He's reckless and *should* be liable. When one has training, it's no longer reckless to simply handle (or write) the virus, but disregarding safe procedures is negligent. >This latter approach is often called (jokingly by some) the Objective >Subjective Standard. (Objective standard being without consideration of >the view of the individual being judged, subjective including that view, >and object subjective being the consideration of what the general class of >individual would do without consideration of the individual's specific >view). > >(What would a reasonable virus writer do is distinct from what a >reasonable Bob Dwyer, Ph.D. Computer science might do is distinct from >what a reasonable person might do). > >Many courts reject higher (or lower- there are arguments for this >too) standards of care for experts than for lay persons or other >non-experts in tort cases, prefering to impose the "reasonable person" >(Reasonable man for those of you who went to law school before 1985) >standard universially. I assume that a canonical example of the lower-standard case is the "Good Samaritan" laws which reduce the liability of a trained person performing rescue activities (e.g., administering CPR). It seems to me that the "reasonable person" isn't the real issue there. Someone with training ought to be expected to do the "right" thing. If you're trained to administer CPR, and you do it *wrong*, you shouldn't be absolved of liability -- you're negligent. If you don't know anything about CPR (except what you've seen on "Baywatch"), then we're back to what a "reasonable person" should do. If you're trained and you do it right, but the person is still injured by your actions, limiting your liability is society's way of encouraging you to use your training for the common good. In my mind, the difference between the objective standard and the subjective one marks the difference between recklessness and negligence. If an objective "reasonable person" wouldn't do it, it's reckless. If a subjective "reasonable person" wouldn't, it's negligent. Perhaps these aren't the "legalese" usages of the terms, but it seems reasonable to me. >If there is interest, I will post exerpts of the arguments on both sides >of this issue with the header [Noise]. I'd be interested. From EALLENSMITH at ocelot.Rutgers.EDU Wed Apr 24 14:42:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 24 Apr 1996 14:42:07 -0700 (PDT) Subject: [NOISE] Re: Nazis on the Net Message-ID: <01I3X4HW9GTI8Y50EU@mbcl.rutgers.edu> From: IN%"bryce at digicash.com" 24-APR-1996 06:43:13.96 >For what it's worth, Webster's defines: >rac.ism \'ra--.siz-*m\ \-s*st\ n 1: a belief that race is > the primary determinant of human traits and capacities and > that racial differences produce an inherent superiority of > a particular race 2: RACIALISM - rac.ist n [...] >Thus no two of "racists", "separatists" and "race-haters" >would be identical sets of people. ? >But with a high degree of overlap, I'd warrant. Fully agreed. I don't dispute that most people calling themselves separatists are racists; it's just that I'd prefer not to call someone a racist who isn't one.... just as I'd prefer not to call a liberal a Communist unless they are one. (Communist referring to the whole dictatorship of the proletariat business, not just state socialism - the former, which is not classical Marxism, is where the abuses of rights other than private property come in). >This means that Abraham Lincoln was a racist, by the way. Abraham Lincoln is one reason I _don't_ use the above definition; by mine, he'd be a separatist (wanted to move Blacks to Liberia, if I recall correctly). I trust that everyone involved in this discussion (with the exception of the neo-Nazi) would agree that Abraham Lincoln was better than those in the South who wanted to keep blacks enslaved? >(That definition isn't too good, though. "_The_ primary >determinant"? I would have to classify as racist those who >believe that race is _a_ primary determinant of those >qualities.) The definition is bad enough that I checked a concise OED for comparison; see the results and my commentary below. >Sorry to be off-topic, but if a thing is going to be >discussed I might as well try to add signal. (The "[NOISE]" >tag that I left in the subject line doesn't indicate noise, >but off-topicness.) Perhaps we could just drop the >"Cc: cypherpunks" part and continue this discussion? Thank you. The dropping of the cc:cypherpunks part would be rather inconvenient. This phenomenon is one reason that I'd like to see a list server capable of setting up mini-lists on demand, easily. >Concise Oxford Dictionary, 8th Ed., Copyright 1991 Oxford Univ. Press >/racism/ <<"reIsIz(@)m>> n. >1. > a. a belief in the superiority of a particular race; prejudice based on > this. > b. antagonism towards other races, esp. as a result of this. >2. the theory that human abilities etc. are determined by race. This has some differences from the Webster definition, specifically the inclusion of prejudice as a definer. The latter definition is silly. It is scientifically well-proven that different races have different physical attributes - blacks tend to have higher blood pressures, for instance. Is this definition saying that believing what is known is racism? Of course, with this definition I can see why Herrnstein and Murray keep being called racists. (Incidentally, I don't believe they are correct regarding the genetic component of intelligence as having a racial correlation - the existing (and unfortunate) environmental differences are a perfectly adequate explanation. Unfortunately, we can't tell the existence or non-existence of such differences until the genes affecting intelligence are significantly better understood; until then, the most pragmatic assumption is the lack of any such difference, given the lack of any obvious evolutionary cause for it. In other words, I call _The Bell Curve_ mistaken in its conclusions on race - not racist. Incindentally, I also believe that such differences are environmental for the emotional reason that I would be very uncomfortable believing otherwise. I don't think this is biasing my evaluation of the science, however.) Both of these definitions involve "superior" and "superiority"; I thus also looked this up. >/superior/ <<su:"pI at rI@(r)>>, <<sju:->>, <<sU->> adj. & n. >adj. >1. in a higher position; of higher rank ("a superior officer"; "a superior > court"). >2. > a. above the average in quality etc. ("made of superior leather"). > b. having or showing a high opinion of oneself; supercilious ("had a > superior air"). >3. (often foll. by "to") > a. better or greater in some respect ("superior to its rivals in speed"). > b. above yielding, making concessions, paying attention, etc. ("is > superior to bribery"; "superior to temptation"). I don't think anyone would disagree that blacks are currently (and unfortunately) in a lower position in US society overall. Moreover, the 2nd and 3rd part of the definition make "racism" as defined above a rather over-inclusive term. For instance, it would call any scientist who does a study and finds lower IQs among members of some race a racist. Such differences are well-known to exist, and (as I state above) are probably environmental in origin. In other words, unless one makes the "prejudice" and/or "antagonism" parts mandatory (in which case it would be narrower than my definition of racist, which essentially hinges on definite prejudice existing), the Webster definition of racism is over-inclusive by any reasonable standard. -Allen From jonl at well.com Wed Apr 24 14:56:05 1996 From: jonl at well.com (Jon Lebkowsky) Date: Wed, 24 Apr 1996 14:56:05 -0700 (PDT) Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <m0uBttS-000918C@pacifier.com> Message-ID: <199604242150.OAA17194@well.com> > The government spent about $1.5 million to get a minor, first-time (alleged) > criminal. There is no obvious or logical basis for such extreme interest, > even in hindsight based on what we now know. An objective person analyzing > this would have to conclude that the government's interest in Weaver was > entirely different than what it was claimed to be, and if it was that > important it is logical to conclude that fraud was not beyond their > capability and motivation. Given the fact that the > government actually faked evidence in the trial (photographs of shell > casings), a fact that was brought out during trial, anything they say is not > believable. Could it be that the operatives at Ruby Ridge were simply incompetent? -- Jon Lebkowsky <jonl at wired.com> http://www.well.com/~jonl Electronic Frontiers Forum, 7PM PST Thursdays <http://www.hotwired.com/eff> From travis at EvTech.com Wed Apr 24 15:04:24 1996 From: travis at EvTech.com (Travis Hassloch x231) Date: Wed, 24 Apr 1996 15:04:24 -0700 (PDT) Subject: Crypto Software Review Wanted Message-ID: <199604242204.RAA03889@tahiti.evtech.com> There's a ton of only semi-organized stuff out there. I would like structured info... more that just a filename, without having to install it myself, etc... Review of the packages would be real nice. PS: I heard CFS requires having NFS installed (ick!) and someone mentioned this opens you up to "portmapper assisted attacks"... I've avoided NFS and RPC until now so I don't know... does this have any credibility? Will I have to install a firewall to protect NFS just so I can use CFS to encrypt on disk? :) CC me in the replies please, since I'm not on the list... although I might get on coderpunks if the volume is small. Hmm, I just noticed the cypherpunks-ratings list, I wonder if this is what I'm looking for... too bad it doesn't have a description or an info file. -- travis at evtech.com | Virtual Reality Bites | P=NP if (P=0 or N=1) There's a thin line between an email message and its signature. From declan+ at CMU.EDU Wed Apr 24 00:06:44 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 24 Apr 1996 15:06:44 +0800 Subject: Rabbi Hier Testimony In-Reply-To: <01I3VYLGPR4W8Y4ZTJ@mbcl.rutgers.edu> Message-ID: <ElTIvnG00YUxMjiZxC@andrew.cmu.edu> Excerpts from internet.cypherpunks: 23-Apr-96 Rabbi Hier Testimony by "E. ALLEN SMITH"@ocelot. > People might want to take a look at Rabbi Hier (the founder of the > Weisental Center)'s statements on "hate groups" and the Internet. While he > (unlike Biden) does recognize that outlawing bomb-making information would be > unconstitutional, he doesn't appear to approve of anonymnity on the Internet > (nor, depending on how one interprets his statements, of encrypted > communications without GAK). The first is to his (and the Weisenthal Center's) The Simon Wiesenthal Center and the ADL would love to outlaw anonymity on the Net. Here's some info on their attempts to restrict online speech: CDT report on Hier's testimony at Senate hearing last May: http://www.cdt.org/publications/pp130512.html ACLU's *detailed* reporting on SWC's longtime net-censorship attempts: http://fight-censorship.dementia.org/dl?num=618 ADL decries "web of hate": http://fight-censorship.dementia.org/dl?num=1509 ADL research analyst's personal position on Internet hate speech: http://fight-censorship.dementia.org/dl?num=1600 ADL claims information is seductive, needs to be censored: http://fight-censorship.dementia.org/dl?num=1727 IHR (biased) reporting on SWC/ADL net-censorship attempts: http://fight-censorship.dementia.org/dl?num=628 How ADL tries to recruit hackers to sabotage enemies' computers: http://fight-censorship.dementia.org/dl?num=856 SWC tries to muzzle critics in Argentina, Canada: http://fight-censorship.dementia.org/dl?num=618 SWC exaggerates "hate speech" threat for funding and self-perpetuation: http://fight-censorship.dementia.org/dl?num=1311 http://fight-censorship.dementia.org/dl?num=582 The EF Canada web pages also detail how the SWC has been trying to get the Canadian equivalent of the FCC to regulate the Internet. The ACLU reports at the URL above how the SWC has tried the same trick here in the U.S. -Declan From unicorn at schloss.li Wed Apr 24 00:12:52 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 15:12:52 +0800 Subject: [Wager: Seeming Resolution] In-Reply-To: <m0uBu6w-000951C@pacifier.com> Message-ID: <Pine.SUN.3.93.960423230132.343B-100000@polaris.mindport.net> On Tue, 23 Apr 1996, jim bell wrote: > Black Unicorn wote: > > JamesD wrote: > >> Now if Unicorn had proposed a bet for one hundred dollars, then > >> I would sit up and take notice. A hundred dollars is real money. > > > >US$ 100.00 it is. Mr. Bell? > > As I recall from a message a day ago, you claimed that you saw no way that > we could come to any kind of agreement as to the terms and conditions. I'm > willing to accept your word on this prediction. I note for the record that I never predicted that the terms and conditions would be complex or unresolved, but that you would alter the claim and the logistics of the wager to the point where you might evade the consequences of loss. I note for the record that it was your post that originally supported its accuracy with a call for wagering. I note for the record that your claim, as you originally put it, was quite clear. There is no dispute of terms or conditions. This is an uncomplicated issue. If your claim, as written, is correct, I shall pay to you or your appointed agent US$ 100. If it is false, you shall pay to me or my appointed agent US$ 100. The only issue is how you wish to modify that claim for the purposes of the wager so as to bring it within a semblence of accuracy. Absent further interest on your part, I consider the matter closed and your claim retracted. > > Jim Bell > jimbell at pacifier.com > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From nobody at REPLAY.COM Wed Apr 24 15:14:01 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 24 Apr 1996 15:14:01 -0700 (PDT) Subject: The Iron Mountain Report Message-ID: <199604242213.AAA18326@utopia.hacktic.nl> Some years ago the federal government set up a special [inaudible] group. For two-and-a-half years they met in secret at Iron Mountain, New York. Their findings were called "Report from Iron Mountain on the Possibility and Desirability of Peace." Their document, by some of the leading thinkers, was suppressed. Later, it was printed in a limited edition, with the *names* removed. Some were shocked by what they read. Throughout history, permanent peace was dangerous to established governments. War, and the threat of war, are the principal organizing force for most societies. They divert attention from *other* economic and political problems. War keeps the factories going, wasting government manpower and material that would otherwise be of surplus. Peace brings unemployment, the collapse of prices of goods and property, and knocks down the government. In simple terms, war prevents [economic] depression. (By the way, sooner or later, whatever nation loses a war is overthrown. So it has been all the centuries. The American ruling circles lost the Vietnam War. The aftermath is bound to scatter the rulers to the winds.) As the report says, in Europe, over the years, the typical standing army consisted of troops unfit for employment in commerce, industry or agriculture, led by officers unfit to practice any legitimate profession or to conduct a business enterprise. A large standing army is a form of social welfare program; a form of control of the population. War, and the threat of war, keep all levels of society busy. The newspapers are kept rich reporting it. Pundits are employed to mouth off. Wars speed up so-called scientific development. War goods do not have to show a profit or be the lowest price. In permanent peace there are vast cutbacks in research and development. And yes, wars kill off surplus population; young men with no good job waiting for them. The [Iron Mountain] report points out that the war system makes stable government of society possible. The end of war means the end of national sovereignty. Without an identified enemy, why would the CIA have a large secret budget to assassinate political leaders and overthrow other governments the White House does not like? To promote their secret agenda, the CIA has taken over a part of the savings and loan system to funnel men and money for "dirty tricks" here and overseas. The CIA likewise manipulates the federal bankruptcy courts to grab up companies for use as covert action fronts. In Chicago, this is done with the help of foreign intelligence agencies, such as Mossad. Chicago bankruptcy trustee William A. Brand (sp?) jr. is a top honcho of the CIA and other spy shops. In the name of national security, the mass media have been *ordered* to "soft pedal" or "stay shut" about spy agencies doing such things. The CIA involvement in bankruptcy court should have made headlines as the number one item on the evening TV news. Yet not one word is said by the liars and whores of the press. Play it again: Fermilab and weather modification. (312) 731-1505. New message Monday; we change it several times a week. Donations appreciated. Citizens' Committee to Clean Up the Courts, 9800 S. Oglesby (sp?), Chicago, 60617. For the latest on courts, banks, espionage agencies, political assassinations and the news media. On 24 hours. From rah at shipwright.com Wed Apr 24 00:37:08 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 24 Apr 1996 15:37:08 +0800 Subject: PEP Announcement (fwd) In-Reply-To: <v03006600ada332adbb79@[199.0.65.105]> Message-ID: <v03006608ada34ee61f5f@[199.0.65.105]> > Hey, Amos! ...and the rest of the planet. Sorry, folks. Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From sjb at universe.digex.net Wed Apr 24 15:43:40 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 24 Apr 1996 15:43:40 -0700 (PDT) Subject: [NOISE- Legal Theory] Reasonable people In-Reply-To: <Pine.SUN.3.93.960424150105.25996G-100000@polaris.mindport.net> Message-ID: <199604242243.SAA22982@universe.digex.net> Black Unicorn writes: >On Wed, 24 Apr 1996, Scott Brickner wrote: >> I'd argue that I'm holding everyone to the same standard: either know >> the safe ways of handling viruses and follow them, or don't handle them >> at all. > >Now you have to get into the question of who is a trained virus handler. >This is a subjective analysis. The court is going to have to do this case >by case. And below in your message its clear you do not hold everyone to >the same standard. The virus/CPR expert is held to a different standard >in your example. It is the same standard in that you punish everyone if >they "Do something stupid." But "stupid" is different for each person. I don't agree with this. I expect everyone who handles viruses to know what they're doing and take precautions. By handling the virus at all you are effectively claiming such expertise, as I see it. The court needn't consider formal training at all. A "reasonable person" ought to know if his training is adequate, after all. The court may choose to examine this claim, and find it to be in error, thus making the handling of the virus reckless. If the court accepts the claim, then it should examine the actual procedures. If the procedures are found wanting, there is negligence (though I suspect my "non-legalese" usage of these terms has them reversed --- negligence is a worse fault, in my estimation: you had the knowledge but failed to act in accordance with it; recklessness means you acted without fully appreciating the consequences, and thus didn't know better.) >> You seem to imply that I'd hold the untrained virus writer >> harmless. No way. He's reckless and *should* be liable. > >I indicated only that the standards you had for trained and untrained >virus writers were different. I guess "trained" may have been inappropriate. How about "knowledgable"? >> When one has >> training, it's no longer reckless to simply handle (or write) the >> virus, but disregarding safe procedures is negligent. > >See my above position. Three standards. One for those with training, >one for those without and some kind of standard for determining what is >'enough' training. Given the traditional institutional costs of courts, >particularly their 'catch up' chase with technology, I don't think I'd >want courts doing these calculations. Formal training implies that one is knowledgable, but such knowledge may be acquired without formal training (or new fields would never come about). Certain actions are clearly acceptable for knowledgable people but are dangerous for those without the knowledge --- handling a biological virus is one of them. The court need to nothing more than determine whether the precautions were adequate. >> It seems to me that the "reasonable person" isn't the real issue >> there. Someone with training ought to be expected to do the "right" >> thing. If you're trained to administer CPR, and you do it *wrong*, you >> shouldn't be absolved of liability -- you're negligent. > >But the other argument goes that we have to give the people who know what >they are doing more leeway because they will be judged by people who don't >know about the subject and because if we want to encourage good samaritans >the way to do it is not by increasing their liability. (You effectively >do increase their liability above by implying that you would like to >impose a stricter negligence standard for trained CPR types). I'm not sure I'm imposing stricter negligence on trained CPR types, see my comments below. What I *am* doing is imposing a stricter recklessness standard on untrained types. >Keep in mind that doing the "wrong" thing isn't always negligence either. >Doing the wrong thing because you were careless, that's negligence. Doing the wrong thing willfully is reckless or even malicious. >Also note that you can be negligent without harming anyone. But is it actionable? Doesn't the law have a sort of "no harm, no foul" interpretation? According to Holmes, if I believe that an enemy is trying to kill me, and I arrange things so that when he thinks he's shooting me, he's really shooting a mannekin, he has *not* committed attempted murder. Similarly, if a pickpocket puts his hand in my pocket, but there's nothing there, he hasn't committed a crime. >It could be argued that it's folly to impose a lower standard on the CPR >'idiot' and thus encourage him to run out and do CPR. One can imagine a >scene where the CPR trained fellow pulls an idiot out of the crowd and >gives instructions for the idiot to preform the CPR so as to take >advantage of both his increased knowledge and the idiot's limited >liability (reasonable person standard, not reasonable CPR expert >standard). The expert shouldn't get reduced liability for this. The 'idiot' is effectively a tool in the expert's hands. Too, the 'idiot' has no way of assuring himself that the supposed expert is, in fact, qualified. It's no more appropriate for him to administer CPR under the guidance of a stranger than to do it on his own judgement. >> If you don't >> know anything about CPR (except what you've seen on "Baywatch"), then >> we're back to what a "reasonable person" should do. > >That probably includes not trying to preform CPR... no? Dunno. Is it "reasonable" for an untrained person to attempt CPR? That's for a court to decide. >> If you're trained >> and you do it right, but the person is still injured by your actions, >> limiting your liability is society's way of encouraging you to use >> your training for the common good. > >This begins to look like the partial abortion debate, where the argument >goes something like this: > >Yes, it's criminal to preform the procedure, but you can absolve yourself >after the fact by showing us (medical morons) that the mother's life was >in danger. > >That's not encouraging in the least to doctors. (Which in the abortion >example, is precisely the point). > >The trick is in your concept of "and you do it right." That's a >subjective analysis. Actually, I'd say the error in this abortion argument is that there's a presumption of guilt, which runs counter to a basic tenet of common law. In the virus case, I'd expect the plaintiff/prosecutor to prove that the precautions were inadequate. Not merely that they were ineffective in the specific case, but that a "reasonable person" would have known the activity to be dangerous without adequate precautions, and that a "resonable expert" would have considered the precautions taken inadequate. Without such proof, the defendant need only indicate what precautions were taken, and claim that they are adequate. >> In my mind, the difference between the objective standard and the >> subjective one marks the difference between recklessness and >> negligence. If an objective "reasonable person" wouldn't do it, it's >> reckless. If a subjective "reasonable person" wouldn't, it's >> negligent. > >This makes it REALLY tough. Reckless usually means extensive punative >damages are on the way. Simple negligence doesn't always trigger them. >By using these terms on the same facts the idiot gets simple negligence, >the expert gets expanded liability and potential punative damages. I see it the other way around. The "objective" reasonable standard says "don't handle the virus unless you're and expert". Handling the virus and being found incompetent to do so (the idiot case) means you're reckless and subject to those punitive damages. Being found competent to handle them and found not to have taken adequate steps leaves you at least negligent, but reckless if it wasn't accidental. Competent with adequate precautions means you weren't even negligent. >Because the expert will be at significant disadvantage at trial (if he's >an expert, if he knew what he was doing, why did the victim get hurt) what >you've done is moved closer to the realm of strict liability for all >experts. (Strict liability simply eliminates the negligence calculation. >If you were doing the activity, (CPR) and someone got hurt, you're liable. >Period. No calculation of fault). What this system does is create >something like a rebuttable presumption of negligence on the expert. That >starts to look like strict liability. Precautions don't necessarily eliminate danger, they simply reduce it to acceptable levels. Licensed drivers are, in some sense, driving experts. Why do they get in accidents? Often because of liability, but often there are merely unpredictable circumstances --- junk in the road, sudden ice storms, etc. The burden of proving negligence must remain with the one claiming injury. >> Perhaps these aren't the "legalese" usages of the terms, but it seems >> reasonable to me. > >It creates systemic problems though. (Like the burden of overcoming the >assumption that the expert must have erred). It's a faulty assumption, and a common law court ought to stick to its philosophical origins --- innocent until proven guilty. From llurch at networking.stanford.edu Wed Apr 24 16:03:51 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 16:03:51 -0700 (PDT) Subject: Rabbi Hier Testimony In-Reply-To: <AlTadgO00YUvERbGhW@andrew.cmu.edu> Message-ID: <Pine.GUL.3.93.960424160212.19618N-100000@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- On Wed, 24 Apr 1996, Declan B. McCullagh wrote: > Excerpts from internet.cypherpunks: 23-Apr-96 Re: Rabbi Hier Testimony > by Declan McCullagh at CMU.EDU > > The EF Canada web pages also detail how the SWC has been trying to get > > the Canadian equivalent of the FCC to regulate the Internet. The ACLU > > reports at the URL above how the SWC has tried the same trick here in > > the U.S. The majority of what you said in that message was misleading at best, but I haven't said anything because that's off topic, and who listens to a FUCKING STATIST anyway. I know you don't have time to correct any acknowledged errors on you web pages, so why should I waste my time pointing them out? Since we all agree that the SWC is in the wrong, we need something to talk about. Let's just agree up front that the size of your dick is proportional to the fervor of your denunciation of the Simon Wiesenthal Center, facts notwithstanding. So far, I believe Tim wins because he called them "Jew Nazis," but keep working at it. Maybe if you're lucky, you'll earn the George Orwell Free Speech Award: http://www.almanac.bc.ca/cgi-bin/ftp.pl?people/b/botting.gary > While I'm at it, I should offer my prediction that the Southern Poverty > Law Center likely will become active in attempts to regulate and control > the Net. Sure, why not. It's probably true that they'll try. Being a bunch of idealogues, I don't imagine that they'll realize, as Sameer points out, that *they* are considered an anti-government group. > In today's Washinton Post, Morris Dees, the Center's co-founder, > indicates that a book Timothy McVeigh read influenced him to bomb the > Oklahoma City building. Morris Dees is certainly not the only person to speak of this influence. Try Terry Nichols and McVeigh's sister. Said book being The Turner Diaries, which, like the Goebbels book that your web page says is "banned," is being published without censorship. It tells the story of The Order, a white supremacist group that overthrows the US government through random acts of terror and violence against political, cultural, and economic targets. There happens to have been a real terrorist organization that called itself The Order, led by a bunch of National Alliance members. You may have heard of Bob Mathews. Now The Order has resurfaced in Spokane Valley; some bombings and bank robberies went down in early April, to some applause on the Neo-Nazi lists. The Turner Diaries has always been available through the National Alliance Neo-Nazi criminal organization, whose leader wrote it. If you want to read this book, I will personally send you a copy of the National Alliance edition. The Turner Diaries is now going to be published by the more mainstream Barricade Books as well. Good for them. I really don't like the idea of sending the National Alliance any more money. There was a flurry of controversy about the new edition, to which the publisher, Lyle Stewart, responded in, of all places, Liz Smith's widely syndicated "Grapevine" column, thusly: "I couldn't help recall a similar controversy that raged when a major American publishing house issued Adolf Hitler's 'Mein Kampf.' Should such a book be published? To me the answer was self-evident. Of course, it should have been. People should be able to read and understand what Hitler was about. "By the same reasoning, I believe most people think militias and related groups like the Freemen are fun-loving, beer-drinking gun fanatics who like to shoot rabbits and deer. Not so. They hate democracy. They hate our government and all officials who represent it. They practice racism and terrorism. Is this something that only the Drug Enforcement Agency and the FBI and CIA should know, or do you have a right to know and understand it, too?" So yes, Morris Dees is a fool, and so are you. - -rich http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMX6y0I3DXUbM57SdAQFtdgP/WtwaNLaStTpVazuNLNUBbswGcvrRf8s2 ybwLMyMYxZamLwvjv45Zz+tT8AiSaZj3R1ACPDppR7s4UDC9/JrecIUeufVOGara fVK8q8j1qwiyvLNqT+nffa2SqCPHIZMIvagv+yFu8I9zBrNwu2h9aKNYRr8OXS88 ifiTEzJDmNA= =UAMc -----END PGP SIGNATURE----- From unicorn at schloss.li Wed Apr 24 16:23:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 16:23:09 -0700 (PDT) Subject: [NOISE- Legal Theory] Reasonable people In-Reply-To: <199604242243.SAA22982@universe.digex.net> Message-ID: <Pine.SUN.3.93.960424184735.3252D-100000@polaris.mindport.net> On Wed, 24 Apr 1996, Scott Brickner wrote: > Black Unicorn writes: > >On Wed, 24 Apr 1996, Scott Brickner wrote: > >> I'd argue that I'm holding everyone to the same standard: either know > >> the safe ways of handling viruses and follow them, or don't handle them > >> at all. > > > >Now you have to get into the question of who is a trained virus handler. > >This is a subjective analysis. The court is going to have to do this case > >by case. And below in your message its clear you do not hold everyone to > >the same standard. The virus/CPR expert is held to a different standard > >in your example. It is the same standard in that you punish everyone if > >they "Do something stupid." But "stupid" is different for each person. > > I don't agree with this. I expect everyone who handles viruses to know > what they're doing and take precautions. By handling the virus at all > you are effectively claiming such expertise, as I see it. The court > needn't consider formal training at all. A "reasonable person" ought > to know if his training is adequate, after all. The court may choose > to examine this claim, and find it to be in error, thus making the > handling of the virus reckless. If the court accepts the claim, then > it should examine the actual procedures. As I understand it, your test goes like this: Is handler an "expert"? Yes? : Examine procedures to determine liability. No? : Handler is liable. That's two standards. One standard of strict liability (for the non-expert) and one of negligence (for the expert). > If the procedures are found > wanting, there is negligence (though I suspect my "non-legalese" usage > of these terms has them reversed --- negligence is a worse fault, in my > estimation: you had the knowledge but failed to act in accordance with > it; recklessness means you acted without fully appreciating the > consequences, and thus didn't know better.) Other way around. Negligence is milder. Negligence is merely the absence of due care. Recklessness: The state of mind accompanying an act, which either pays no regard to its probably or possibly injurious consequences, or which, though forseeing such consequences, persists in spite of such knowledge. Recklessness is a stronger term than mere or ordinary negligence... Black's Law Dictionary 6d., (1990). > >> You seem to imply that I'd hold the untrained virus writer > >> harmless. No way. He's reckless and *should* be liable. > > > >I indicated only that the standards you had for trained and untrained > >virus writers were different. > > I guess "trained" may have been inappropriate. How about "knowledgable"? Ok. The standards you have created for knowledgeable and unknowledgeable people are different. My key objection to your position was your view that it was 1> an objective determination and 2> a single standard. It is neither. > >See my above position. Three standards. One for those with training, > >one for those without and some kind of standard for determining what is > >'enough' training. Given the traditional institutional costs of courts, > >particularly their 'catch up' chase with technology, I don't think I'd > >want courts doing these calculations. > > Formal training implies that one is knowledgable, but such knowledge > may be acquired without formal training (or new fields would never come > about). Certain actions are clearly acceptable for knowledgable people > but are dangerous for those without the knowledge --- handling a > biological virus is one of them. > > The court need to nothing more than determine whether the precautions > were adequate. Adequate for who? You've already said that the court has to determine if someone is knowledgeable first. (And thus in your test bypass the automatic finding of liability). This is a very complicated test you're designing. > I'm not sure I'm imposing stricter negligence on trained CPR types, see > my comments below. What I *am* doing is imposing a stricter > recklessness standard on untrained types. Above you say "Someone with training ought to be expected to do the 'right' thing." That sounds like a stricter standard on CPR types. i.e., someone without training ought not to be expected to do the right thing. In this good faith helper at the side of the road example, do you want to punish the CPR type for doing his best despite his ignorance? (You might, I'm just trying to clarify your position, which seems internally inconsistant to me). > >Keep in mind that doing the "wrong" thing isn't always negligence either. > >Doing the wrong thing because you were careless, that's negligence. > > Doing the wrong thing willfully is reckless or even malicious. I didn't know you ment willfully. I don't see that anywhere. > >Also note that you can be negligent without harming anyone. > > But is it actionable? Doesn't the law have a sort of "no harm, no > foul" interpretation? No. Not exactly. It's more of a "wrong without a remedy" deal. > According to Holmes, if I believe that an enemy > is trying to kill me, and I arrange things so that when he thinks he's > shooting me, he's really shooting a mannekin, he has *not* committed > attempted murder. Similarly, if a pickpocket puts his hand in my > pocket, but there's nothing there, he hasn't committed a crime. Both of those are crimes today. > >It could be argued that it's folly to impose a lower standard on the CPR > >'idiot' and thus encourage him to run out and do CPR. One can imagine a > >scene where the CPR trained fellow pulls an idiot out of the crowd and > >gives instructions for the idiot to preform the CPR so as to take > >advantage of both his increased knowledge and the idiot's limited > >liability (reasonable person standard, not reasonable CPR expert > >standard). > > The expert shouldn't get reduced liability for this. The 'idiot' is > effectively a tool in the expert's hands. Too, the 'idiot' has no > way of assuring himself that the supposed expert is, in fact, qualified. > It's no more appropriate for him to administer CPR under the guidance > of a stranger than to do it on his own judgement. The point is that allowing that disparity seems silly. > >> If you don't > >> know anything about CPR (except what you've seen on "Baywatch"), then > >> we're back to what a "reasonable person" should do. > > > >That probably includes not trying to preform CPR... no? > > Dunno. Is it "reasonable" for an untrained person to attempt CPR? That's > for a court to decide. But under your test it doesn't matter. He didn't know how to attempt CPR, he's liable. > >> If you're trained > >> and you do it right, but the person is still injured by your actions, > >> limiting your liability is society's way of encouraging you to use > >> your training for the common good. > > > >This begins to look like the partial abortion debate, where the argument > >goes something like this: > > > >Yes, it's criminal to preform the procedure, but you can absolve yourself > >after the fact by showing us (medical morons) that the mother's life was > >in danger. > > > >That's not encouraging in the least to doctors. (Which in the abortion > >example, is precisely the point). > > > >The trick is in your concept of "and you do it right." That's a > >subjective analysis. > > Actually, I'd say the error in this abortion argument is that there's > a presumption of guilt, which runs counter to a basic tenet of common > law. And in your test there is a presumption of fault on the non-expert. If he did everything right purely by accident or from what he saw on "baywatch" and the victim dies anyway, under your test he's cooked. > In the virus case, I'd expect the plaintiff/prosecutor to prove that > the precautions were inadequate. Not merely that they were ineffective > in the specific case, but that a "reasonable person" would have known > the activity to be dangerous without adequate precautions, and that a > "resonable expert" would have considered the precautions taken > inadequate. Without such proof, the defendant need only indicate > what precautions were taken, and claim that they are adequate. Woah. Ok. So you want a reasonable person determination of the activity and if the activity falls within a dangerous defintion. (This is called ultrahazardous activity in tort law). Then you want strict liability on a non-expert who engages in that activity, and a "reasonable expert" standard on the expert who engages in that activity? Putting aside for a moment my already voiced concerns, doesn't the idea of having a "reasonable person" standard on the classification of an ultrahazardous activity seem silly? Does nuclear physics seem dangerous to Joe Sixpack? What about Cold Fusion experimentation? Microwave repair? Seems there's a tremendous opportunity for error in that kind of standard. It also has the effect of making the scope of the definition of "ultrahazardous" very large. The larger it is, the more interference and common law regulation you're going to have on the economy. _Particularly_ so where you are imposing a strict liability standard. > >This makes it REALLY tough. Reckless usually means extensive punative > >damages are on the way. Simple negligence doesn't always trigger them. > >By using these terms on the same facts the idiot gets simple negligence, > >the expert gets expanded liability and potential punative damages. > > I see it the other way around. The "objective" reasonable standard > says "don't handle the virus unless you're and expert". Handling the > virus and being found incompetent to do so (the idiot case) means > you're reckless and subject to those punitive damages. Being found > competent to handle them and found not to have taken adequate steps > leaves you at least negligent, but reckless if it wasn't accidental. > Competent with adequate precautions means you weren't even negligent. Just legally, an objective standard is when you hold everyone to a reasonable person standard. Everyone is Joe Blow. Would Joe Blow have done this that or the other thing. As soon as you start talking "experts" you're out of the objective field. > >Because the expert will be at significant disadvantage at trial (if he's > >an expert, if he knew what he was doing, why did the victim get hurt) what > >you've done is moved closer to the realm of strict liability for all > >experts. (Strict liability simply eliminates the negligence calculation. > >If you were doing the activity, (CPR) and someone got hurt, you're liable. > >Period. No calculation of fault). What this system does is create > >something like a rebuttable presumption of negligence on the expert. That > >starts to look like strict liability. > > Precautions don't necessarily eliminate danger, they simply reduce it > to acceptable levels. Licensed drivers are, in some sense, driving > experts. Why do they get in accidents? Often because of liability, > but often there are merely unpredictable circumstances --- junk in the > road, sudden ice storms, etc. The burden of proving negligence must > remain with the one claiming injury. Then why impose it without an examination into fault on non-experts? In your test the non-expert bears the burden of showing he's an expert if he wishes to prevail. The victim need only say "He was doing CPR, I got hurt, he's a non-expert." Wham, liability under your test. That's not a burden at all. It's certainly not a burden of showing negligence. > >> Perhaps these aren't the "legalese" usages of the terms, but it seems > >> reasonable to me. > > > >It creates systemic problems though. (Like the burden of overcoming the > >assumption that the expert must have erred). > > It's a faulty assumption, and a common law court ought to stick to its > philosophical origins --- innocent until proven guilty. Or under your test, liable until proven expert. As for faulty assumptions, go to court someday. They are common. In designing systems one _must_ assume them. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From tallpaul at pipeline.com Wed Apr 24 01:23:40 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 24 Apr 1996 16:23:40 +0800 Subject: Nazis on the Net Message-ID: <199604240425.AAA06395@pipe5.nyc.pipeline.com> On Apr 23, 1996 19:44:00, '"E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU>' wrote: [misc. material against holocaust revisionism snipped] > > It would >have been better if the atomic bomb had been ready in time to use against >Germany and Stalinist Russia. > -Allen > It was ready "in time" to use against "Stalinist Russia" (which, BTW, was Stalinist "Soviet Union,"). Both your sense of history and geography continue to be deficient. --tallpaul PS: Since T.C. May and others wrote of the atomic bomb being used in the Pacific theater I see no reason however why E.A. Smith can't discuss the bomb in Europe. And, when I asked about the cypherpunk relevance to the Bell/May concern over atomic weapons I was told it was relevant because the Japanese Purple Code was involved. I infer that the new discussion on Europe is equally relevant to cypherpunks because of Enigma and VERONA. From philip at cs.brandeis.edu Wed Apr 24 01:39:21 1996 From: philip at cs.brandeis.edu (Philip Trauring) Date: Wed, 24 Apr 1996 16:39:21 +0800 Subject: What's the best Mac crypto program? In-Reply-To: <199604232059.NAA24322@toad.com> Message-ID: <v03006601ada3670bb3a8@[129.64.2.182]> What is the best free/shareware program for protecting(and I mean government-strength encryption) a Mac folder or creating a protected Mac volume? Additionally, are any of the commercial products available safer than these free/shareware ones? Thanks, Philip --=--=====--=--=====--=--=====--=--=====--=--=====--=-- Philip Trauring philip at cs.brandeis.edu 617-736-6702 "knowledge is my addiction, information is my drug" http://www.cs.brandeis.edu/~philip/ --=--=====--=--=====--=--=====--=--=====--=--=====--=-- From hfinney at shell.portal.com Wed Apr 24 01:40:03 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 24 Apr 1996 16:40:03 +0800 Subject: Golden Key Campaign Message-ID: <199604232353.QAA13608@jobe.shell.portal.com> From: "Dave Banisar" <banisar at epic.org> > WASHINGTON, DC -- A new coalition today urged support for strong technologies > to protect privacy and security on the rapidly growing Internet. The Internet > Privacy Coalition said that new technologies were critical to protect private > communications and on-line commerce, and recommended relaxation of export > controls that limit the ability of US firms to incorporate encryption in > commercial products. > > Phil Zimmermann, author of the popular encryption program Pretty Good Privacy, > expressed support for the effort of the new coalition. "It is time to change > crypto policy in the United States. I urge those who favor good tools for > privacy to back the efforts of the Internet Privacy Coalition." I see that a lot of good people are involved in this, and it sounds like a worthwhile cause. But I have one thing I want to get off my chest. (Long time list readers will know that this is one area where I have trouble being completely rational.) The thing that worries me when I put crypto software up at my site is not the export restrictions. I can make people click a button promising that they are USA citizens or otherwise legal. A lot of other people do it and while it might get me into trouble eventually I think it demonstrates good faith. (There has also been some discussion on the cyberia list with regard to the communications decency amendment that "I am not a minor" buttons would be adequate defenses for that law, and this seems like a similar situation.) No, the thing that worries me most is patent infringement. And the main company I worry about is RSA, one of the sponsors of this golden key effort. Note that RSA's logo is a key, and we see the RSA key at the bottom of our Netscape screens all the time. I don't remember if it's golden. It seems ironic for RSA to be casting itself as a friend of the principle of availability of privacy tools when its own lawyers patrol the net to make sure there are no unauthorized encryption programs out there. They fought against PGP for years until Phil trumped them by going over their heads to MIT. Look what happened when Wei Dai announced his fine crypto library. It wasn't the NSA which come down on him. It was RSA lawyers who demanded that he pull his library off the net until he had it clean enough for them. I have not actually seen the new logo because I don't have a graphical browser here, but I hope it is not too similar to RSA's key. I hate to see that company rewarded when it is acting counter to the interests of people who need access to privacy tools. Hal From tallpaul at pipeline.com Wed Apr 24 01:41:06 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 24 Apr 1996 16:41:06 +0800 Subject: "Separate but equal" as a racist doctrine Message-ID: <199604240441.AAA07568@pipe5.nyc.pipeline.com> For some considerable period of time the doctrine of "separate but equal" was one of the major racist theories in the U.S. People who wish to organize for racist ideology behind this doctrine while proclaiming they are not racists merely place themselves in the old racist camp. Their organizing for (and their denials of) racist ideology does not make them less racist, just less honest. --tallpaul PS: Oh yes, for all the other rightwingers on the net who remain silent when rightwing views are presented but tell those who challenge the rightwing material to stop posting because it isn't "cypher" relevant: perhaps we could call the thread something like "Racist Code Talkers" or "Why Don't 'Americans' Learn History." Both of those seem to have resembled past on-topic threads. From sandfort at crl.com Wed Apr 24 16:45:15 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 24 Apr 1996 16:45:15 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <2.2.32.19960424234500.006b43ec@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, Tim May wrote: >Frankly, I thought that Black Unicorn claimed to have seen >the error of his ways (in terms of debating with Bell) and >was going to stop? Since declaring victory, Unicorn has said far less about the wager than has Tim. When it comes to wasting bandwidth, Tim might consider removing the boulder in his own eye before going after the mote in someone else's. As far as I can see, the wager had its intended effect. I only hope that future undocumented pronouncements are dealt with as effectively. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From declan+ at CMU.EDU Wed Apr 24 01:48:53 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 24 Apr 1996 16:48:53 +0800 Subject: [NOISE] [Wager: Seeming Resolution] In-Reply-To: <Pine.SUN.3.93.960423230132.343B-100000@polaris.mindport.net> Message-ID: <glTPGm200YUu5iTVd2@andrew.cmu.edu> Excerpts from internet.cypherpunks: 23-Apr-96 [Wager: Seeming Resolution] by Black Unicorn at schloss.li > The only issue is how you wish to modify that claim for the purposes of > the wager so as to bring it within a semblence of accuracy. > > Absent further interest on your part, I consider the matter closed and > your claim retracted. I confess I had a good laugh at Jim Bell's expense. His attempt at weaseling was sadly uninspired, and Black Unicorn was quite right to move in for the kill. But to be fair to Jim Bell, perhaps $100 is still too high? I mean this in complete seriousness: I have to come up with nearly $2,000 cash by this weekend, and I wouldn't be able to make such a wager at this time, no matter how right I felt I was. -Declan From declan at eff.org Wed Apr 24 16:49:18 1996 From: declan at eff.org (Declan McCullagh) Date: Wed, 24 Apr 1996 16:49:18 -0700 (PDT) Subject: Electronic Freedom March postponed to Fall 1996 Message-ID: <Pine.SUN.3.91.960424164757.1379C-100000@eff.org> I'm glad to see that Keith Glass has taken the helm of the Electronic Freedom March. Moving the date back to late September is a good idea: * We can hold the March before Congress adjourns in early October. * The date is close to the November elections. * The Supreme Court will return on October 7 and will, I hope, decide to hear our lawsuit challenging the CDA soon after. Now we have time to organize... -Declan // declan at eff.org // I do not represent the EFF // declan at well.com // ---------- Forwarded message ---------- News Release 24 April 1996 6 PM Contact: Keith A. Glass 703-354-1737 Changes to the Electronic Freedom March The Electronic Freedom March on Washington, currently scheduled for June 30th, 1996, has been re-scheduled to the fall, tentatively the weekend of 28-29 September. With the current state of the case against the CDA, ACLU vs. Reno, and several organizational factors, it's been concluded that it would be far more effective to focus the political power of the citizens of the Net closer to the November elections. We are currently looking for people to assist us in organizing and sustaining the Electronic Freedom March on Washington. Specifically, we need assistance in fundraising and publicity, assistance in obtaining corporate and non-profit sponsorships, people familiar with stage and sound systems, crowd logistics, first aid, and security. Please refer all inquiries to Keith A. Glass, 703-354-1737, salgak at dcez.com -- * Keith A. Glass, Annandale, Virginia, USA, Filker/punster at large * * Washington Coordinator, Electronic Freedom March * * 30 June 1996, Washington DC URL: http://www.efm.org * * Note: the following line is an intentional act of Civil Disobedience: * * FUCK THE TELECOMMUNICATIONS DECENCY ACT--DEFEND THE FIRST AMENDMENT ! * From wb8foz at nrk.com Wed Apr 24 01:50:22 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 24 Apr 1996 16:50:22 +0800 Subject: EYE_suk In-Reply-To: <Pine.SUN.3.93.960423181900.10274B-100000@polaris.mindport.net> Message-ID: <199604240503.BAA04064@nrk.com> > It was contemplated that the CIA would be limited to foreign intelligence > operations and conduct very few of its operations in the United States. > The Agency was specifically permitted to be headquartered in the United > States and conduct what acts may be necessary to administer that facility. [Overseas Headquarters brings to mind the French Foreign Legion.] The Agency does lots of things domestically to support their 'overseas' charter. They pay the Skunk Works to design U-2's & Blackbirds. They run (or did...) a rather large training operation at Camp Perry. They keep safehouses for defectors; sometimes expensive ones. [There was a great story in the WSJ a few years back about a white elephant of one they wanted to sell...] They have a rather unique warehouse of James Bond-ish gadgets. I once met the logistics guy who had to account for it all, even when he had no idea what much of it was! They have domestic field offices. (BTW, it's worth wondering what restrictions there'd be if it were not for an ENORMOUS turf battle between them & Jill Edgar Hoover.) But they don't even keep their own domestic guard force; that is all FPS, same as NSA. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From tcmay at got.net Wed Apr 24 01:54:34 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 16:54:34 +0800 Subject: "You have been deleted" Message-ID: <ada2fe6f030210045e74@[205.199.118.202]> Moroni worried: ... >Date: Tue, 23 Apr 1996 15:24:36 -0400 >From: Mail Delivery Subsystem <MAILER-DAEMON at locrian.scranton.com> >To: moroni at locrian.scranton.com >Subject: Returned mail: User unknown ... > ----- The following addresses had delivery problems ----- >tcmay at got.net (transient failure) > > ----- Transcript of session follows ----- >tcmay at got.net... Deferred: Connection refused by mail.got.net. >Warning: message still undelivered after 4 hours Theory 1: While working through the examples for Day Eight of "Teach Yourself Java for Macintosh in 21 Days," I accidentally created a rogue applet which enabled a virus developed in Bulgaria to enter my system. From there, it infected several other computer systems, including a Sony PlayStation, a Foonley, and several Exidy Sorcerers. Service to Northern California is only now being restored. Theory 2: The Men in Black finally had enough, especially of my theft of their domain name (Blacknet). At 9:09 a.m., PDT, Clinton's black helicopter detoured on its route and landed on my hill, abducting me for medical experiments I am too embarrassed to describe (except that Chelsea was also involved). I am back now, albeit subtly changed (for the better). Theory 3: My ISP, got.net, had a router failure on its "ZNEt" link to the outside world. Take your pick. Or maybe we should vote? The social construction of reality, and all. Alas, sometimes the truth is too banal. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Wed Apr 24 02:00:25 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 24 Apr 1996 17:00:25 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <199604240516.WAA10983@dns1.noc.best.net> At 02:20 PM 4/23/96 -0700, Rich Burroughs wrote: >I'm sure it has been. That doesn't mean his report is untrue. Is the >standard of proof the same for both of these issues? We need proof to >establish that Weaver is a racist, but not to establish that the FBI >informant is lying? I have read that we already have proof that the FBI informant lied on numerous matters. I am not familiar with this proof, but it is consistent with the other facts surrounding this incident. Let us put this in its proper context: The FBI murdered Weaver's dog, his wife, and his son, and did their damndest to murder Weaver. They shot his wife while she was holding a fully loaded assault baby in her arms. They lied about this extensively on oath. The judge and the jury rejected their story during the prosecution of Randy Weaver. Later, when inconvenient facts came out, they pleaded the fifth amendment. Give a dog a bad name and hang him. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From rah at shipwright.com Wed Apr 24 17:02:41 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 24 Apr 1996 17:02:41 -0700 (PDT) Subject: (fwd) Statement on Merchants - Mark Twain Banks Message-ID: <v0300660cada46eba2372@[199.0.65.105]> I knew it! There *is* an echo in here... ;-). Cheers, Bob Hettinga --- begin forwarded text X-Sender: merchant at 172.16.1.10 Mime-Version: 1.0 Date: Wed, 24 Apr 1996 14:16:17 -0500 To: ecash at digicash.com From: Ecash Merchants <merchants at marktwain.com> Subject: Statement on Merchants - Mark Twain Banks Sender: owner-ecash at digicash.com Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Ecash - Its Your Money! Mark Twain Bank both supports and promotes free speech. Our adoption of the Ecash secure payment system written by DigiCash is one of the most important statements we think we can make about our belief in privacy. We believe that all sites should have the ability to publish or promote as they choose, and to do business with whom they choose. Mark Twain is a public company regulated by multiple governmental entities. In the ordinary course of business, the company chooses with whom it does business every day. The company has no obligation to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ conduct business with anyone it deems to be inappropriate. The ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;-). company will decline to accept any web site that sells graphics or items that would, in the sole and conservative judgement of the Bank, be offensive to the primary constituents of the Bank and other online vendors. Defining what is acceptable is an ongoing process of the Bank's Oversight Review Committee. Anyone with questions about specific acceptability should contact the committee by email. At this time the regulatory framework for Ecash and other online payment mechanisms is not established. We expect that we will be required to present the case for this new payment mechanism before legislative and regulatory bodies. This means that the ultimate success of Ecash will depend, in part, on our ability to provide regulatory bodies with a rational argument why current restrictive regulations should be broadened. If opposing parties are able to divert the discussion away from these essential elements into an argument about controversial products that may be available, then the goal of universal acceptance may not be met. As banks from around the world adopt Ecash, customers will be able to use their Mark Twain issued Ecash to make purchases globally without restriction. Mark Twain believes that all Ecash issuing banks should be inter-operable, and that such purchase transactions are private matters of the individuals utilizing Ecash. One could certainly imagine that merchants not acceptable to Mark Twain could be acceptable elsewhere. Thank you for your patience, and your comments. Mark Twain Bank merchants at marktwain.com www.marktwain.com "Ecash" is a trademark of DigiCash bv "Mark Twain Banks" is a trademark of Mark Twain Bancshares, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMX59ttsWVQQCavb7AQGnwQP+PedLsJjUsdiZ+XW8qoyTmWjBtFGVBnqE sOkVm9ZFPK/Sgny13iYJdjyjpNe/XgFaQO8hSfV1aZyBln4U3pFhH9aIqJzAyFmU Fo9iyLXf3CowWRYieI0OXzG5xYk+nQPKLJLeCdwebxit1bS7m/5iYuASyF3DQs3x fs7X94LQHeg= =0vvc -----END PGP SIGNATURE----- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From unicorn at schloss.li Wed Apr 24 02:02:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 17:02:51 +0800 Subject: EYE_suk In-Reply-To: <199604240503.BAA04064@nrk.com> Message-ID: <Pine.SUN.3.93.960424010701.343D-100000@polaris.mindport.net> On Wed, 24 Apr 1996, David Lesher wrote: [On CIA] > > But they don't even keep their own domestic guard force; that is all > FPS, same as NSA. Guard force begins to look like "police powers." > > -- > A host is a host from coast to coast.................wb8foz at nrk.com > & no one will talk to a host that's close........[v].(301) 56-LINUX > Unless the host (that isn't close).........................pob 1433 > is busy, hung or dead....................................20915-1433 > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From llurch at networking.stanford.edu Wed Apr 24 02:06:24 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 17:06:24 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <01I3W57WCR2C8Y500P@mbcl.rutgers.edu> Message-ID: <Pine.GUL.3.93.960423180035.15353B-100000@Networking.Stanford.EDU> On Tue, 23 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"richieb at teleport.com" "Rich Burroughs" 23-APR-1996 17:19:45.60 > > >I'm sure it has been. That doesn't mean his report is untrue. Is the > >standard of proof the same for both of these issues? We need proof to > >establish that Weaver is a racist, but not to establish that the FBI > >informant is lying? > > I require a higher standard of proof for worse accusations. I > consider calling someone a racist a worse insult than calling them a > liar. Furthermore, that this is an FBI _informant_ is a strike against > the person to begin with in terms of trustworthiness. Interesting. Thanks for explaining your terms. I disagree with everything you're saying. :-) I consider "racist" to be an ideological label, not an insult at all (though personally, I find them sick and wrong). There's a lot of people out there who proudly call themselves racists, at least in private. Many of them I can have a civilized discussion with. For me, liar is a stronger word. I think it's good to keep the FBI informed, in general terms only. Keeps the FBI from wigging out, you know. Self-conscious "infiltrators" and especially "provocateurs" I would consider to be liars, but someone who merely keeps the lines of communication open is a friend of mine. > >Separatist/supremacist... I don't see much difference between them, and I > >believe the former is largely just a cover story for the latter. Weaver > >is no hero, IMHO, though I believe the govt. fucked up big at Ruby Ridge. > > I don't approve of either separatists or supremacists; I just see the > former as not quite as evil as the latter. Calling Weaver a supremacist is > most common among the organizations that seem to believe that such actions as > at Ruby Ridge are just fine, so long as they are against their enemies; it > appears to be a public relations ploy (although the evidence is admittedly > uncertain). Who has defended the government's lies and shoot-at-sight rules of engagement at Ruby Ridge? Please be specific. I think you're talking about some straw man you read about in an NRA or militia pamplet. -rich From ses at tipper.oit.unc.edu Wed Apr 24 02:09:55 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 24 Apr 1996 17:09:55 +0800 Subject: EYE_suk In-Reply-To: <199604231926.OAA26127@homeport.org> Message-ID: <Pine.SOL.3.91.960423221718.19976A-100000@chivalry> On Tue, 23 Apr 1996, Adam Shostack wrote: > Isn't the CIA forbidden from doing anything on US soil? That'd make cointel a little tricky :-) Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jya at pipeline.com Wed Apr 24 17:15:58 1996 From: jya at pipeline.com (John Young) Date: Wed, 24 Apr 1996 17:15:58 -0700 (PDT) Subject: Rabbi Hier Testimony Message-ID: <199604250015.UAA15015@pipe2.nyc.pipeline.com> To see today's WaPo about "The Turner Diaries" publishing controversy that Declan cites: TUM_ult For William Pierce, "Diaries" author, by NYT, June, 1995: TUR_ner From jimbell at pacifier.com Wed Apr 24 17:35:23 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 17:35:23 -0700 (PDT) Subject: [NOISE] [Wager: Seeming Resolution] Message-ID: <m0uC7oO-00092NC@pacifier.com> At 12:57 AM 4/24/96 -0400, Declan B. McCullagh wrote: >Excerpts from internet.cypherpunks: 23-Apr-96 [Wager: Seeming >Resolution] by Black Unicorn at schloss.li >> The only issue is how you wish to modify that claim for the purposes of >> the wager so as to bring it within a semblence of accuracy. >> >> Absent further interest on your part, I consider the matter closed and >> your claim retracted. > >I confess I had a good laugh at Jim Bell's expense. His attempt at >weaseling was sadly uninspired, and Black Unicorn was quite right to >move in for the kill. > What "kill"? Unicorn claimed a few days ago that he THOUGHT that his challenge would never be accepted, ostensibly because of haggling by me. I interpret this as unwillingness to bargain in good faith (sandbagging), which is reasonable given Unicorn's track record. Given this thinly-veiled warning of dishonesty, it is only realistic that I would not want to accept his challenge. Notice that he hasn't presented what he would claim to be the scope of the conditions, which suggests that he's going to try to spring them on me later. I, for one, am not going to accept the legal equivalent of a witch-doctor's example, and I don't think anyone else here would find that to be acceptable either. Further, all this is merely an attempt to distract from the issue that I raised, one that Unicorn hasn't dared to talk about yet: I claimed that of the examples quoted in that SC decision, which were cited as exceptions to 5th amendment protections in the US, all of them represent examples which were only considered technologically useful in the last 100 years, the oldest being fingerprinting. Given this, it is easy to conclude that there is no realistic basis for an interpretation that they are genuinely exceptions to 5th amendment protections, and were allowed simply because they were useful. Isn't it interesting how Unicorn always seems to dodge the analysis and replace it with precedent? Jim Bell jimbell at pacifier.com From unicorn at schloss.li Wed Apr 24 17:37:50 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 17:37:50 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues In-Reply-To: <ada3a446010210045243@[205.199.118.202]> Message-ID: <Pine.SUN.3.93.960424203650.3252I-100000@polaris.mindport.net> On Wed, 24 Apr 1996, Timothy C. May wrote: > > Frankly, I thought that Black Unicorn claimed to have seen the error of his > ways (in terms of debating with Bell) and was going to stop? I closed what I thought was the only outstanding issue I had with him. No more. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From tcmay at got.net Wed Apr 24 02:38:10 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 17:38:10 +0800 Subject: Golden Key Campaign Message-ID: <ada30736040210046e87@[205.199.118.202]> At 11:53 PM 4/23/96, Hal wrote: >effort. Note that RSA's logo is a key, and we see the RSA key at the >bottom of our Netscape screens all the time. I don't remember if it's >golden. ... >I have not actually seen the new logo because I don't have a graphical >browser here, but I hope it is not too similar to RSA's key. I hate to ... The "Golden Key" appears to be a photograph of an old-style "skeleton key" (hope this is not symbolic of what happens to users...). The key sits on top of an envelope in the image I saw. The "RSA Key(s)" is/are modern keys, a la Schlage or similar lock keys. They normally are shown in a kind of gold/yellow/bronze, from memory of RSA literature and a Web page I just looked at to double-check. I don't know if the use of a key is to endorse RSADSI directly, or subliminally. But there are not a lot of symbols which are evocative. The "Cypherpunks rose" hasn't exactly become the new symbol of whatever it is we believe in, and other symbols are no better. I note that that the NSA also uses a key in its logo. (On the larger issue of the campaign itself....I'm not much of a joiner, and PR campaigns fatigue me. I'm with Whoopi Goldberg on the Blue Ribbons, the Red Ribbons, the Yellow Ribbons, the Green Ribbons, the Gold Key, the Silver Key, the Chartreuse Diskette, and the Maltese Falcon.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Apr 24 02:47:57 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 17:47:57 +0800 Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <ada312fb050210043275@[205.199.118.202]> At 3:14 AM 4/24/96, jim bell wrote: >As I recall from a message a day ago, you claimed that you saw no way that >we could come to any kind of agreement as to the terms and conditions. I'm >willing to accept your word on this prediction. And in another message, Black Unicorn wrote: >I note for the record that I never predicted that the terms and >conditions would be complex or unresolved, but that you would alter >the claim and the logistics of the wager to the point where you might >evade the consequences of loss. > >I note for the record that it was your post that originally supported its >accuracy with a call for wagering. > >I note for the record...... And so the back-and-forth continues...taking up even more list space arguing, waffling, finessing, rebutting, disputing, and on an on. Exactly as several of us have predicted. Give it a rest. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From minow at apple.com Wed Apr 24 17:48:07 1996 From: minow at apple.com (Martin Minow) Date: Wed, 24 Apr 1996 17:48:07 -0700 (PDT) Subject: The Iron Mountain Report Message-ID: <v02140b00ada47b37a48c@[17.202.12.102]> >Some years ago the federal government set up a special >[inaudible] group. For two-and-a-half years they met in secret at >Iron Mountain, New York. Their findings were called "Report from >Iron Mountain on the Possibility and Desirability of Peace." >Their document, by some of the leading thinkers, was suppressed. >Later, it was printed in a limited edition, with the *names* >removed. Some were shocked by what they read. > I've read the Report from Iron Mountain (I bought it about 20 years ago, and I believe that it's currently available in paperback). While it *could* be legitimate, I think it may be more approprately filed next to Johnathan Swift's Irish cookbook. Martin Minow minow at apple.com From tcmay at got.net Wed Apr 24 17:52:08 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 17:52:08 -0700 (PDT) Subject: Crypto Software Review Wanted Message-ID: <ada419df11021004f390@[205.199.118.202]> At 10:04 PM 4/24/96, Travis Hassloch x231 wrote: >There's a ton of only semi-organized stuff out there. >I would like structured info... more that just a filename, without having >to install it myself, etc... >Review of the packages would be real nice. Let's see. You'd like structured info, and reviews. How much are you offering? >CC me in the replies please, since I'm not on the list... Well, I make it a point _not_ to do this. Those wanting people on the CP list to generate stuff for them should at least be reading and contributing to the list. "Hey, like I'm not on the list, but, like, send me kewl stuff." > although I might get on coderpunks if the volume is small. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From wombat at mcfeely.bsfs.org Wed Apr 24 02:57:41 1996 From: wombat at mcfeely.bsfs.org (Rabid Wombat) Date: Wed, 24 Apr 1996 17:57:41 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <01I3VQJGR4JK8Y4Y01@mbcl.rutgers.edu> Message-ID: <Pine.BSF.3.91.960423215115.11936D-100000@mcfeely.bsfs.org> > I assume that you are thinking I'm incorrect? Incidentally, I classify > a racist as someone who says "this race is evil and should be > killed/enslaved/tortured/whatever." Someone who says that different races > shouldn't live together is a separatist; it's only when they start having > seperate but equal being anything but equal (e.g., apartheid) that it crosses > the line into racism. Thus, I don't regard Charles Murray or Richard > Herrnstein as racist, for instance. I'm typing green letters on a black background. All you people with black characters on a white background should go talk on another 'net. Think about it. - r.w. From unicorn at schloss.li Wed Apr 24 18:07:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 18:07:58 -0700 (PDT) Subject: Anonymous banking In-Reply-To: <01I3X9YJ35NE8Y50LP@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.93.960424205627.3252L-100000@polaris.mindport.net> On Wed, 24 Apr 1996, E. ALLEN SMITH wrote: > Speaking of the below information, what is anonymous banking like in > Austria, Not too bad, but there are crackdowns on anonymous and pseudonym accounts. MLAT's exist with the United States. Austria has been the focus of careful investigations and a lot of diplomatic pressure. EC membership will require compliance with standards for client identification. The article is somewhat in error. Anonymous accounts are no longer easy to open and generally require the voucher of a local attorney. Colombia, Do not travel to or use Colombian banks for your financial needs. Columbia is essentially lawless outside of the tourist areas and the concentration on drug investigations combined with the presence of the military for the purposes of law enforcement makes banking secrecy a near impossibility. Given a moderate budget I could have the banking information of any depositor in Columbia in short order. So could you. Venezuela, Banking secrecy is dependent on connections with local officials or 'corrupt' bankers. I don't find that Venezuela properly protects banking secrecy from a statuatory prespective. and Thailand? Better, but still subject to some criminal investigations and limited statuatory protection. In general adding a country to the money laundering offender list is a political decision and NOT demonstrative of a country's actual money laundering use. (Note that Vanuatu is not included, nor is Isle of Man). Mostly its a question of countries with corrupt officials who will look the other way, not of countries which strict banking privacy. > >Austria, the only country in the EU which allows anonymous bank accounts, > >was adamant its current legislation did not run counter to the resolution. This is nearly irresponsible reporting. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Wed Apr 24 18:18:41 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 18:18:41 -0700 (PDT) Subject: EYE_suk In-Reply-To: <199604251859.LAA28220@count04.mry.scruznet.com> Message-ID: <Pine.SUN.3.93.960424210747.3252M-100000@polaris.mindport.net> On Thu, 25 Apr 1996 cypherpunks at count04.mry.scruznet.com wrote: > >>Isn't the CIA forbidden from doing anything on US soil? > >Errr, > >That is the Feeb's department, & they guard it like the family > >jewels..... > > > BZZT!!! wrong answer since 1981 on december 4 when president reagan > signed it into Executive Order #12333 TLA's(those intelligence > agencies having strictly offshore charters CIA,NSA others) have been permitted > to operate domestically in cases of National Security(or involvement with > persons suspected of being agents for foreign entities) and Drug War issues. Only if the agents involved are attached to the FBI and report directly to the FBI during the investigation. Note that they were permitted about this same amount of autonomy under 50 U.S.C. 102(d)(3). > Formerly it was simply illegal but since the intel community had taken > such a hard hit during the church subcommittee hearings of the 1970's > the new tactic was to acquire legitimacy for black ops on domestic fronts > thus the above EO was shoved under reagans nose quickly... The above paragraph is a bit light on facts. Actually, today to do domestic black ops you just let E-Systems handle it. No need to use agency personal when 7/8 of E-System's employees are former agency. The CIA doesn't bother to do local black ops anymore. Look to other organizations. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Wed Apr 24 03:33:21 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 18:33:21 +0800 Subject: 5th protect password? Message-ID: <m0uBu6w-000951C@pacifier.com> At 01:59 PM 4/23/96 -0400, Black Unicorn wrote: >On Tue, 23 Apr 1996 jamesd at echeque.com wrote: > >> At 06:19 AM 4/23/96 -0700, Sandy Sandfort wrote: > >> > didn't Unicorn offer Mr. Bell a >> > wager on this issue? Isn't the ball in Mr. Bell's court to put >> > his money where his mouth is? >> >> Yeah: fifty thousand dollars. > >[...] > >> Now if Unicorn had proposed a bet for one hundred dollars, then >> I would sit up and take notice. A hundred dollars is real money. > >US$ 100.00 it is. Mr. Bell? As I recall from a message a day ago, you claimed that you saw no way that we could come to any kind of agreement as to the terms and conditions. I'm willing to accept your word on this prediction. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Wed Apr 24 03:35:18 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 18:35:18 +0800 Subject: [NOISE] Re: Nazis on the Net Message-ID: <m0uBttS-000918C@pacifier.com> At 02:20 PM 4/23/96 -0700, Rich Burroughs wrote: >On Tue, 23 Apr 1996, E. ALLEN SMITH wrote: >[snip] >> However, one reference in this report to Weaver's calling for a meeting >> to oppose the "Zionist Occupation Government" does provide an argument for >> calling him a racist of the anti-Semitic variety. On the other hand, the only >> person claiming this is the FBI's informant; the truth of his statements has >> been called into doubt. > >I'm sure it has been. That doesn't mean his report is untrue. Is the >standard of proof the same for both of these issues? We need proof to >establish that Weaver is a racist, but not to establish that the FBI >informant is lying? I see no contradiction, here. Weaver's credibility, at least to his telling the truth, is apparently unchallenged. The FBI, however, has been caught in numerous lies about Ruby Ridge, and the believability of its informants (at least, to the extent that the FBI itself can be trusted to relay their reports accurately) is highly in doubt. The government spent about $1.5 million to get a minor, first-time (alleged) criminal. There is no obvious or logical basis for such extreme interest, even in hindsight based on what we now know. An objective person analyzing this would have to conclude that the government's interest in Weaver was entirely different than what it was claimed to be, and if it was that important it is logical to conclude that fraud was not beyond their capability and motivation. Given the fact that the government actually faked evidence in the trial (photographs of shell casings), a fact that was brought out during trial, anything they say is not believable. Jim Bell jimbell at pacifier.com From declan+ at CMU.EDU Wed Apr 24 18:37:11 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 24 Apr 1996 18:37:11 -0700 (PDT) Subject: Rabbi Hier Testimony In-Reply-To: <Pine.GUL.3.93.960424160212.19618N-100000@Networking.Stanford.EDU> Message-ID: <olThP1C00YUv9WTGAs@andrew.cmu.edu> I was waiting for Rich to whine about my message criticizing the Simon Wiesenthal Center. He was good enough to oblige, being the FUCKING STATIST that he is: > The majority of what you said in that message was misleading at best, but > I haven't said anything because that's off topic, and who listens to a > FUCKING STATIST anyway. I know you don't have time to correct any > acknowledged errors on you web pages, so why should I waste my time > pointing them out? Funny, that. The links I provided were primarily to reports from the ACLU, CDT, wire dispatches, and firsthand reports by respected journalists. They must be part of the FUCKING STATIST conspiracy to oppress the poor, beleaguered -- and sadly misunderstood -- free speech advocates at the Simon Wiesenthal Center! > So yes, Morris Dees is a fool, and so are you. A stinging blow! I can hardly wait for the next. -Declan From declan+ at CMU.EDU Wed Apr 24 18:38:11 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 24 Apr 1996 18:38:11 -0700 (PDT) Subject: Militias, reputation capital, unfounded rumor-mongering, and the DNS In-Reply-To: <Pine.GUL.3.93.960424121254.19618H-100000@Networking.Stanford.EDU> Message-ID: <AlThRTa00YUvFWTHUE@andrew.cmu.edu> Excerpts from internet.cypherpunks: 24-Apr-96 Militias, reputation capita.. by Rich Graves at networking.s > I do not expect this story to die, even though it's completely false -- > it's too good. The meme in the subject line is awfully strong, lots of > people won't take the time to read more than the title, and who really > listens to a FUCKING STATIST anyway. Wow. Rich has surprised me by demonstrating that even he can be insightful -- for a FUCKING STATIST! -Declan From unicorn at schloss.li Wed Apr 24 03:38:24 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 18:38:24 +0800 Subject: What's the best Mac crypto program? In-Reply-To: <v03006601ada3670bb3a8@[129.64.2.182]> Message-ID: <Pine.SUN.3.93.960424031759.343F-100000@polaris.mindport.net> On Wed, 24 Apr 1996, Philip Trauring wrote: > What is the best free/shareware program for protecting(and I mean > government-strength encryption) a Mac folder or creating a protected Mac > volume? CryptDisk looks pretty secure. Shareware as I recall. > > Additionally, are any of the commercial products available safer than these > free/shareware ones? As far as I know, most commercial encryption for the mac is trash. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From cp at proust.suba.com Wed Apr 24 03:52:33 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 24 Apr 1996 18:52:33 +0800 Subject: Golden Key Campaign In-Reply-To: <199604232353.QAA13608@jobe.shell.portal.com> Message-ID: <199604240707.CAA06398@proust.suba.com> I know you feel strongly about this, and I don't expect to change your mind. But sometimes in politics you have to play the angles. I don't think most people care about their civil liberties as much as they should. If it were just a question of censorship and wiretapping, I think we'd probably lose the political fight. Sure we're right. But that's not enough. We don't have any clout. But fortunatly big business has come to the conclusion that it's going to have to kill the crypto parts of ITAR in order to do business overseas. And that means the export restrictions are as good as dead. The other side of the debate has been raising the spectres of the four horsemen, and that argument has to be addressed, at least nominally. RSA can't say, "We know that law enforcement is concerned about terrorism, drugs, and child pornography. But we need the rules changed anyway so we can make buckets of money." So they say stand on civil liberties. Yes, it's disingenuous. But if they win, we'll all come out ahead. In order to make the money, they're going to secure our civil liberties. The patents won't last forever. They're going to expire, and when they do, the war will be over, because ITAR's crypto restrictions will be dead. And it will be due, in large part, to the cypherpunks who made corporate customers afraid to use 40 bit keys. Security isn't the only thing that's economics. So's politics. From unicorn at schloss.li Wed Apr 24 03:52:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 18:52:33 +0800 Subject: "You have been deleted" In-Reply-To: <ada2fe6f030210045e74@[205.199.118.202]> Message-ID: <Pine.SUN.3.93.960424030022.343E-100000@polaris.mindport.net> On Tue, 23 Apr 1996, Timothy C. May wrote: > its route and landed on my hill, abducting me for medical experiments I am > too embarrassed to describe (except that Chelsea was also involved). I am > back now, albeit subtly changed (for the better). That a medical experiment including Chelsea could improve a man is beyond the bounds of reason. Mr. May, are you making this up? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From Buck213 at aol.com Wed Apr 24 03:56:07 1996 From: Buck213 at aol.com (Buck213 at aol.com) Date: Wed, 24 Apr 1996 18:56:07 +0800 Subject: ? Message-ID: <960424032712_381601600@emout19.mail.aol.com> ? From llurch at networking.stanford.edu Wed Apr 24 04:04:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 19:04:15 +0800 Subject: ? In-Reply-To: <960424032712_381601600@emout19.mail.aol.com> Message-ID: <Pine.GUL.3.93.960424004054.17306A-100000@Networking.Stanford.EDU> On Wed, 24 Apr 1996 Buck213 at aol.com wrote: > ? No! I won't! From unicorn at schloss.li Wed Apr 24 04:20:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 24 Apr 1996 19:20:45 +0800 Subject: EYE_suk In-Reply-To: <Pine.SOL.3.91.960423221718.19976A-100000@chivalry> Message-ID: <Pine.SUN.3.93.960424033150.343G-100000@polaris.mindport.net> On Tue, 23 Apr 1996, Simon Spero wrote: > On Tue, 23 Apr 1996, Adam Shostack wrote: > > > Isn't the CIA forbidden from doing anything on US soil? > > That'd make cointel a little tricky :-) The FBI is exclusively responsible for CoIntel within the United States. The CIA is permitted no CoIntel activities at all in the U.S. excepting internal investigations which must be turned over to the FBI after organic review. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From J.Roissetter at plymouth.ac.uk Wed Apr 24 04:44:54 1996 From: J.Roissetter at plymouth.ac.uk (Jason Roissetter) Date: Wed, 24 Apr 1996 19:44:54 +0800 Subject: No Subject Message-ID: <1002C5F271A@cs_fs15.csd.plym.ac.uk> UNSUBSCRIVE From abostick at netcom.com Wed Apr 24 19:52:28 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 24 Apr 1996 19:52:28 -0700 (PDT) Subject: EYE_suk In-Reply-To: <199604241938.PAA07049@nrk.com> Message-ID: <o2tfx8m9LwLL085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604241938.PAA07049 at nrk.com>, David Lesher <wb8foz at nrk.com> wrote: > > > (BTW, it's worth wondering what restrictions there'd be if it were > > > not for an ENORMOUS turf battle between them & Jill Edgar Hoover.) > > > > Or, if Hoover had won that battle and acquired control of foreign > > intelligence, just how much more like Lavrenti Berya he would have > > become. > > Hoover did win, AFAICAT. He got domestic contelpro. > James Jesus was shut out.... > > FI? I doubt anyone outside of JEH ever thought he'd get that. He *had* some FI, in Central and South America, during the war. During the war he worked assiduously to undermine Wild Bill Donovan and the OSS and succeeded in having that organization eliminated in September 1945. Upon doing so he immediately presented a plan to Attorney General Tom Clark for expanding the FBI's South American intelligence network worldwide. The spook community counterattacked and persuaded Harry Truman to reign the FBI back, eliminating its foreign activities entirely and clearing the path for the creation of the CIG (later CIA) in 1946. Hoover's only victory in this debacle was his preventing his arch-rival Donovan from heading the new agency. (See Curt Gentry's J. EDGAR HOOVER: THE MAN AND THE SECRETS, Norton, 1991, pp. 326-27) - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX7h/OVevBgtmhnpAQE5YgL/SJqk2Lp8cQOr3ajrF8tMbLq0b2be1pCj eY9qWagdZSpfQIzPrfkSIOU/KIJuokfTJpIpftWS71wt8OYDXXPIG4lvXoghbhQU Gm0T/z7k+nV/oLhkeOiH87xG95NMUvCP =jrEw -----END PGP SIGNATURE----- From jimbell at pacifier.com Wed Apr 24 19:56:03 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 19:56:03 -0700 (PDT) Subject: crypto in .ja (fwd) Message-ID: <m0uCGuD-0009OsC@pacifier.com> At 12:07 PM 4/24/96 -0400, David Lesher wrote: >Forwarded message: > >X-URL: http://www.us.net/~steptoe/276915.htm > >> Emerging Japanese Encryption Policy >> >> By Stewart A. Baker >{} >> Summary: The emerging Japanese consensus on cryptography > quoted from article: >In the United States and Europe, encryption policy is formed by a mix of >interests. Advocates of business, national security agencies, and more >recently the police -- all play a large role in the policy debate. Notice that Stewart Baker didn't include as one of those groups, "The public." In a typical Freudian slip, he reveals that the interests of the public don't seem to count for much, according to government-types like he used to be. >And Japanese police face severe political and constitutional constraints on >wiretapping, so the prospect of losing this criminal investigative tool >seems not to be as troubling to the Japanese government as to the United >States and many European nations. Why is it that I suspect that there are no greater "constitutional restraints" on wiretapping in Japan; just more concern to maintaining constitutional behavior? >Others suggested that the solution was to have two levels of encryption -- >reserving the most powerful >for government and national security while encouraging commercial encryption >standards that are less strong. This approach, however, has proven to be a >dead end in the United States, where any cryptographic strength deemed >exportable has immediately been condemned as insufficient by business and >cryptography experts. More distortions. Baker tries to imply that the decision on what is exportable bears no relationship to what is considered sufficient, whereas in fact we know that export approval practically requires an insecure system. >All in all, the emerging Japanese consensus on cryptography could pose a >major challenge to U.S. (and perhaps European) government hopes of striking >a compromise between commercial and governmental interests with respect to >cryptographic policy. He continues to ignore public interest... And lest he try to imply that government represents that "public interest," I should hasten to add "individual interest." >If Japan puts the weight of its government and industry behind strong, >unescrowed encryption, competitive pressure will quickly doom any attempt to >influence this technology through export controls and standard-making. >Governments will be forced to choose between overt regulation in the Russian >and French manner or laissez-faire policies of the sort that now prevail in >the domestic markets of countries like the United States, Great Britain, and >Germany. I would hardly characterize the US's policy towards encryption as "laissez faire." The moment the patents on public-key encryption were granted, that presented a substantial impediment towards the use of that system by the public. That ain't "laissez faire"! The act of proposing Clipper was intended to deter competing systems of unescrowed encryption. That ain't "laissez fair." >Whether Japanese policy will in fact coalesce around a purely commercial >approach to cryptography remains to be seen. In response to the analysis >above, one senior MPT official stated that the U.S. and European concerns >had not been well understood in Japan until the OECD meeting and that the >MPT's study group would be giving special importance to the issue in its >review of electronic payment systems. Thus, it is apparently still >possible that Japan will join with the U.S. and European governments in >seeking to shape a more accessible encryption standard. A "more accessible encryption standard"? War is peace. Freedom is slavery. Plaintext is encrypted. >Because the same key pair may be used for encryption as for signature, >escrowing signature keys would also allow access to encrypted communications >that use the same key pair. The problem with this approach is that it would >also add a layer of insecurity to the entire digital signature structure, >allowing those with access to the escrow system not just to decrypt but also >to forge messages from registered users. Since there is little >law-enforcement reason for being able to conduct such forgeries, adding this >layer of insecurity has been rejected in U.S. policy circles. "Little law enforcement reason"??? Uh, pardon me, but could you mention what that little reason is? >While MITI formally supports discussions of cryptography policy on an >international basis, the Clipper Chip was highly unpopular in Japan for a >variety of reasons. There's a strong antipathy to wiretaps among the >Japanese people. Wiretaps are lawful with a warrant, but remain >controversial. Therefore, the Clipper Chip's law >enforcement rationale did not resonate in Japan. What Baker forgot to say is that there may be an equally strong antipathy to wiretaps among Americans, according to polls I've heard of. The difference is, the people aren't getting their way WRT wiretaps. And the Clipper proposal was DOA here, as well. Jim Bell jimbell at pacifier.com From jim at smallworks.com Wed Apr 24 20:21:24 1996 From: jim at smallworks.com (Jim Thompson) Date: Wed, 24 Apr 1996 20:21:24 -0700 (PDT) Subject: RISKS: Compuserve "secure" login In-Reply-To: <199604242010.NAA02828@cygnus.com> Message-ID: <9604250317.AA20026@butthead.SmallWorks.COM> > A couple years ago I found an obvious application of Diffie-Hellman which > avoids this problem; unfortunately it turned out to be patented by someone > from Siemens (first as a German patent and then a US patent, so it's > definitely too much trouble to try to overturn the patent...) > The basic approach is to use a commutative hash function, which lets > both sides calculate HA(B) == HB(A) ; modular exponentiation worked fine. Any chance that you're willing to discuss this further? -- Jim Thompson / Smallworks, Inc. / jim at smallworks.com 512 338 0619 phone / 512 338 0625 fax The Internet is Microsoft's Vietnam... From steve at edmweb.com Wed Apr 24 05:40:13 1996 From: steve at edmweb.com (Steve Reid) Date: Wed, 24 Apr 1996 20:40:13 +0800 Subject: Golden Key Campaign In-Reply-To: <199604232353.QAA13608@jobe.shell.portal.com> Message-ID: <Pine.BSF.3.91.960424014017.535A-100000@kirk.edmweb.com> > No, the thing that worries me most is patent infringement. And the main > company I worry about is RSA, one of the sponsors of this golden key > effort. Note that RSA's logo is a key, and we see the RSA key at the > bottom of our Netscape screens all the time. I don't remember if it's > golden. The logo they have at www.rsa.com is two modern-style keys (like we all have on our keychains) fit together at the teeth. The key on the "Golden Key Campaign" and on Netscape looks more like an old-style thing, a circle on the end of a long bar with two teeth at the end. I'd say the RSA logo (the one at their web site) looks nothing like the one on the envelope. > They fought against PGP for years until Phil trumped them by going > over their heads to MIT. Yes, but from the previous post, it sounds like PRZ supports this. > I hate to see that company rewarded when it is acting counter to the > interests of people who need access to privacy tools. Financially, RSA *does* have a hell of a lot to gain from relaxed export controls. OTOH, I would think that other companies would be able to sell RSA-patented encryption, just not to inside the USA (IANAL). Of course, that inside-the-USA factor is a very big one. IMNSHO, relaxed export controls would be much better than the status quo, even if R$A does have exclusive milking rights to that global cow. One company selling crypto, even with a monopoly, is better than no companies selling crypto. Besides, the patent on public-key crypto won't last forever. I think I'll put the golden key on my web pages, right alongside the blue ribbon. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From grafolog at netcom.com Wed Apr 24 21:16:18 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Wed, 24 Apr 1996 21:16:18 -0700 (PDT) Subject: [NOISE] [Wager: Seeming Resolution] In-Reply-To: <m0uC7oO-00092NC@pacifier.com> Message-ID: <Pine.3.89.9604250415.A19922-0100000@netcom17> Jim: On Wed, 24 Apr 1996, jim bell wrote: > Notice that he hasn't presented what he would claim to be the scope of the > conditions, which suggests that he's going to try to spring them on me I haven't seen a list of your conditions yet. How about placing your minimally acceptable requirements for accepting Black Unicorn's Wager. > the examples quoted in that SC decision, which were cited as exceptions to > 5th amendment protections in the US, all of them represent examples which > were only considered technologically useful in the last 100 years, the > oldest being fingerprinting. Given this, it is easy to conclude that there Which makes it interesting that he provides an Ecclesiastical Court Decision from the Seventeenth Century. It isn't the US, but you haven't made an limitations as to which legal system is acceptable. > Isn't it interesting how Unicorn always seems to dodge the analysis and > replace it with precedent? Almost as interesting as your not admitting your errors when they are pointed out to you. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From llurch at networking.stanford.edu Wed Apr 24 21:33:28 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 21:33:28 -0700 (PDT) Subject: The Iron Mountain Report In-Reply-To: <v02140b00ada47b37a48c@[17.202.12.102]> Message-ID: <Pine.GUL.3.93.960424212754.22644A-100000@Networking.Stanford.EDU> The author of the Iron Mountain Report was interviewed on PBS a few weeks ago. It was a really over-the-top parody published in 1967. A quick AltaVista search turns up several references to the Iron Mountain thing being a hoax, and at least two militia-type conspiracy wacko pages insisting that it's true. Every once in a while, I get mail asking whether I really have contacts in Sendero Luminoso, since a bit of satire I wrote was quoted in the Web Review (which made no attempt to contact me before printing the satire as my position). Truth is far more fragile than fiction. -rich On Wed, 24 Apr 1996, Martin Minow wrote: > >Some years ago the federal government set up a special > >[inaudible] group. For two-and-a-half years they met in secret at > >Iron Mountain, New York. Their findings were called "Report from > >Iron Mountain on the Possibility and Desirability of Peace." > >Their document, by some of the leading thinkers, was suppressed. > >Later, it was printed in a limited edition, with the *names* > >removed. Some were shocked by what they read. > > > > I've read the Report from Iron Mountain (I bought it about 20 > years ago, and I believe that it's currently available in > paperback). While it *could* be legitimate, I think it may be > more approprately filed next to Johnathan Swift's Irish cookbook. > > Martin Minow > minow at apple.com From llurch at networking.stanford.edu Wed Apr 24 21:42:06 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 21:42:06 -0700 (PDT) Subject: [Yadda Yadda :-)] Re: Rabbi Hier Testimony In-Reply-To: <olThP1C00YUv9WTGAs@andrew.cmu.edu> Message-ID: <Pine.GUL.3.93.960424213332.22644B-100000@Networking.Stanford.EDU> On Wed, 24 Apr 1996, Declan B. McCullagh wrote: > I was waiting for Rich to whine about my message criticizing the Simon > Wiesenthal Center. He was good enough to oblige, being the FUCKING > STATIST that he is: No, I refused to reply to your obvious troll the first time, or to the various Nazi tracts that have been posted anonymously recently. You had to repeat the off-topic smears twice before I decided to humor you. > Funny, that. The links I provided were primarily to reports from the > ACLU, CDT, wire dispatches, and firsthand reports by respected > journalists. All presenting one point of view, stated less strongly than your link text. There have been all sorts of opposing points of view, letters to the editor, clarifications, and retractions since then. If you want to know what I think, look it up in DejaNews. This was all covered in early February. As I told you on February 9th, I am win-announce at metrics.com. -rich From jsw at netscape.com Wed Apr 24 06:47:16 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 24 Apr 1996 21:47:16 +0800 Subject: Golden Key Campaign In-Reply-To: <199604232353.QAA13608@jobe.shell.portal.com> Message-ID: <317DD5D2.6284@netscape.com> Hal wrote: > No, the thing that worries me most is patent infringement. And the main > company I worry about is RSA, one of the sponsors of this golden key > effort. Note that RSA's logo is a key, and we see the RSA key at the > bottom of our Netscape screens all the time. I don't remember if it's > golden. The key at the bottom of the Netscape window is not the RSA logo, and doesn't even look much like it. Our key is meant to convey the absence or presence of encryption via a metaphor that is understandable to the average home user, not as an advertisement for RSA. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From frissell at panix.com Wed Apr 24 06:48:32 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 24 Apr 1996 21:48:32 +0800 Subject: Internet Watchdog Message-ID: <2.2.32.19960424103903.00d1f244@panix.com> >But other firms are selling snoop software designed for network use. >Much of it was developed to ensure that workers aren't using pirated >programs on the job, but it can also be used to analyze every move you >make on your computer. And the rise of the Internet has given >companies a big new reason to track corporate computer use. Which is why I boot a clean session without network drivers before I do anything interesting. DCF From jimbell at pacifier.com Wed Apr 24 21:54:39 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 21:54:39 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <m0uCIti-00094cC@pacifier.com> At 07:07 AM 4/24/96 -0700, jamesd at echeque.com wrote: >At 11:45 PM 4/23/96 -0700, Timothy C. May wrote: >> And so the back-and-forth continues...taking up even more list space >> arguing, waffling, finessing, rebutting, disputing, and on an on. >> >> Exactly as several of us have predicted. > >True, but one should note that it is Jim Bell that is weaseling, >and that Unicorn is not weaseling. Who says? Unicorn started by making an unbelievable challenge (especially given the fact that he, unlike I, is anonymous) and THEN he claimed that he didn't believe we'd ever agree to terms, etc. This sounds like weaseling to me. Let Unicorn FIRST identify himself. Then we'll see who's "weaseling." From llurch at networking.stanford.edu Wed Apr 24 21:56:12 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 21:56:12 -0700 (PDT) Subject: [Yadda Yadda :-)] Re: Militias, reputation capital, unfounded , rumor-mongering, and the DNS In-Reply-To: <AlThRTa00YUvFWTHUE@andrew.cmu.edu> Message-ID: <Pine.GUL.3.93.960424214240.22644C-100000@Networking.Stanford.EDU> On Wed, 24 Apr 1996, Declan B. McCullagh wrote: > Excerpts from internet.cypherpunks: 24-Apr-96 Militias, reputation > capita.. by Rich Graves at networking.s > > I do not expect this story to die, even though it's completely false -- > > it's too good. The meme in the subject line is awfully strong, lots of > > people won't take the time to read more than the title, and who really > > listens to a FUCKING STATIST anyway. > > Wow. Rich has surprised me by demonstrating that even he can be > insightful -- for a FUCKING STATIST! I could read your answer three ways. Which is it? 1. I'm right, and you're making light of our public disagreement. Cool. As I keep telling you, I'm 95% behind 95% of what you're doing, and I hate to disagree publicly. 2. I'm right, but you don't care, because the propaganda advantage of leaving the idea of the FBI's snooping private email is good for the cause. Not cool -- you really don't strike me as a propagandist. 3. You're trying to say that I'm wrong, or you're saying, "I know you are, but what am I?" Inconclusive. -rich From tcmay at got.net Wed Apr 24 22:00:06 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 24 Apr 1996 22:00:06 -0700 (PDT) Subject: Mindshare and Java Message-ID: <ada43daa150210045c4d@[205.199.118.202]> "Krakatoa--East of Java" I gather that those interested in software and programming have migrated, a la "Blood Music," to the so-called coderpunks mailing list, leaving we the preterite to discuss the Turner Diaries, Zundelsites, the wisdom of nuking the Japs, racism, banking privacy laws, bets about the meaning of the 5th Amendment, and so on. Well, I was not invited to join the elite and secret coderpunks list, but I still have some thoughts on coding and, especially, on the opportunities offered by Java. Sorry if this interferes with discussions of Rabbi Heir and Morris Dees. Others still on the Cypherpunks list are more expert at Java than I, but they seem to be saying little (maybe all of their words are on the coderpunks list?), so I'll say what's on my mind here. [It is my firm opinion that the creation of a separate mailing list to discuss only coding or software issues is a mistake. For several reasons, which I can discuss at lenght in a separate message. Basically, it is easier to filter-reduce a large group, such as with "[CODE]" prefixes or by reputations, than it is to filter-expand a moribund group! :-} I've seen many sub-critical mass list become moribund. And there is another important point, that the Cypherpunks/Coderpunks split is producing the expected result: the Cypherpunks are rapidly losing any remaining anchors to technical/programming issues and are thus becoming almost wholly politics-driven. While I am of course highly motivated by political issues, they must be grounded in technical issues (else we are just another anti-CDA, anti-censorship, anarcho-capitalist, libertarian ranting group). I can't say what's happening on the coderpunks list, but my suspicion is that many of the coderpunks-only readers are analogously disconnected from ideological/political issues and think, perhaps, that the main purpose of the list (and of Cypherpunks) is to discuss compiler optimizations for PGP source code. It is sad to see the Cypherpunks lose its grounding. Maybe in a few months, the coderpunks will simply declare victory, dissolve the Cypherpunks list, and rename themselves, a la coderpunks = cypherpunks++.) But I come not to bury Cypherpunks, I come to praise Java. Some points: 1. Java is of course not a perfect language, nor even the best for specific applications. Other languages will continue to thrive. Critics of the language and related items (applet model, JDK, JITs, etc.) may point to various problems (e.g. security). 2. However, the "big picture" is compelling. Java arrives at a time when a Babel of languages and platforms threatens interoperability. C++ is despised by many (though, to be fair, liked by many, too), and developers are adopting Visual Basic (and the vbx widgets, etc.), PowerBuilder, Delphi, flavors of Smalltalk (no pun intended), and scripting languages (Perl, TCL, Python, etc.). 3. The Java/Virtual Machine/applet model is not altogether new (remember P-Code?), but this implementation arrives at the right time. Sun's support, the support by Netscape, Microsoft, Novell, etc., further buttresses the building momentum. The "mindshare" race is essentially over. Platform-independence is compelling for many apps. Speed is often not critical, especially when many Pentium- or PowerPC-class machines are basically idling most of the time. (Peak performance, when a user is actually _doing_ something at the machine, is still an issue...nobody wants to wait 10 minutes for a bytecode version of a Java program to run while its C brother completes in 15 seconds! For these more time-critical apps, either native code (in C or C++) is likely, or normally compiled Java (losing some platform-independence), or just-in-time (JIT) compilation of dowloaded applets will be needed. 4. What is so compelling, to me, is that Java programs have an excellent chance of running on various flavors of Unix, on Windows-95 and NT systems, on Macs, and on other systems without changes, and without any special compilers bought by the users! (Netscape browsers, and even Microsoft browsers, are able to view applets, or soon will be. And cheap or free applet viewers are available.) 5. Again, the speed may or may not be up to what C or C++ offers. But, as I noted, speed is in most cases less important than other factors. (At least in the very important domain of new apps, or low-volume apps. While "Excel" has to run at a rapid clip, "NoiseSphere" clearly does not. Nor, I contend, do most text-oriented crypto programs. The proliferation of 133-MHz Pentia, for example, means that even a 5x slowdown is probably acceptable (maybe even 10x?). [Before people note that some Java programs are running at 3-5% of their C brethren, think of where things will be in a year, not just today. JIT compilers should narrow the gap, and even full-blown compilers are likely.] 6. One can imagine several applets of interest to Cypherpunks. The ability to fairly transparently run them on multiple platforms, effectively bypassing the platform dependencies, is very important. Check out Hal Finney's site for some "crytographic primitive" applets he's written. 7. The Web-centric orientation also fits in closely with Cypherpunk-type plans. Who will do the first remailer in Java? Remailers operating on Web sites? (For example, where a browser connects to a site, picks up messages marked as being for him, or perhaps picks up (copies) all messages, and then runs an applet to PGP-decrypt, then deposits the outgoing messages at another Web site....just a possible approach.) 8. Personal note. I've had a version of Smalltalk called "Smalltalk Agents," running on my PowerMac. Lots of problems, with support and with the limited number of other users...essentially, no other users to talk to, no books, little documentation, sub-critical mass. And, worst of all, I know that anything I write will not be usable by others, unless they have Smalltalk and can successfully port over to their version of Smalltalk my program. Not likely, of course. (Where some of these big packages fit nicely is in large apps, such as air traffic control systems, reengineering of legacy code, etc.) So, I was faced with a heart-rending choice: get an Intel box, put Linux on it, and try to "get in the mainstream" by writing something in Perl, or TCL, etc. (Though I note that the early success with writing remailers in Perl has not been followed by any other stunning applications of a similarly revolutionary nature...and I don't know of anybody doing anything Cypherpunkly-interesting in TCL, for example.) However, it now appears that the definition of "in the mainstream" is changing, so that Cypherpunkly-interesting applications need not be confined to C or Perl programs running on Unix or Linux boxes! Rather, it looks like Java applets running on various platforms will be able to lever most of the same advantages. (Modulo some other issues; I'm not, for example, claiming that my opportunistically-connected PowerMac, connecting at 28.8, will be the equivalent of a SPARCstation running the usual complement of tools.) 9. I won't comment here on the various other claims about Java, about safety and security features. Improvements will be made, either in forthcoming fixes and releases, or in extensions such as "E" (Electric Communities, having several Cypherpunks as members, including Doug Barnes, Jim McCoy, others.). I don't know if these "extensions" will hurt the language, as it sort of depends on how the extensions are handled, how widespread the extensions become, etc. (Not being versed in "E," I can't see why the extensions aren't handled as a another class library, or automatically downloaded with any applet that needs the extensions....if E must be a separate package, then of course it must be in the various users' systems, and getting this kind of "buy-in" by the browser makers may be problematic.). 10. "Mindshare" is the real story. Java arrives at the right time. Cypherpunks needs--those needs that go beyond just the "sealed envelopes and signatures" level which PGP provides so well--are likely to fit in with this Net-centric communications model. (I'm already thinking in terms of Java applets for building blocks for Cypherpunk sorts of things.) 11. I was in the Homebrew Computer Club, the _legendary_ Homebrew Computer Club, in the mid-70s. (I several times handed out free samples of Intel 8080s, which I was working with at the time...) Not since then have I seen the same level of opportunity. I've seen a lot of hyped fads come and go. This one may be hyped, but it looks very real to me. The Web was obviously of incredible importance as a self-publishing medium, and its importance can scarcely be overstated. But in terms of Cypherpunks sorts of goals, which require more than just self-publishing and expanded channels of communication, the Web was lacking in terms of active objects, programs, etc. that could be deployed by programmers. Java and the things related to it appear to be the tools necessary to really spice things up on the Web. (And by "spiced up" I don't mean dancing logos on Web pages!) 12. So, there you have it. I see great opportunities for us. A set of class libraries for Java, and a set of Java applets, could be important. (Wei Dei's crypto library is extremely well-regarded here, but the pieces are not being integrated into new, higher-level building blocks....lots of issues here.) 13. In any case, I have no real interest in the Zundelsite vs. Southern Poverty Legal Whatever, nor the other such rants, so I am immersing myself in this area. (The archives should reveal my articles about "the ontology of money," a topic Bob Hettinga and others have also talked about, and this is one of the places I would like to go with this Java business.) 14. There are a _lot_ of resources on Java. Many Web sites, many papers, many FAQs, many, many things. Search engines will reveal vast numbers of hits. This is the first major introduction of a language since the explosion of the Web, so it may be that many or most people rely on the Web almost exclusively for documentation. There are also several implementations of Java. The JDK (Java Development Kit) is bundled with several available books on Java. Consult your bookstore. I'm using a slightly-crippled version of "Roaster," a Mac development package from Natural Inteligence. (The development tools will differ from platform to platform, naturally enough.) Other Mac versions, from both Metrowerks and Symantec, are coming (or are imminent). I'll say what my experiences are with the more-final versions. I believe usable development packages for Windows are cheap or free, and even Symantec's "Cafe Lite" is in the $100 range. Thus, it's easy to get started. My wager is that more students and others will learn Java over the next few years than have learned C++ in the past ten years. 15. Your mileage may vary. Enough for now. I now return control of your monitor to your regularly scheduled political debate. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Wed Apr 24 22:13:18 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 24 Apr 1996 22:13:18 -0700 (PDT) Subject: [NOISE] [Wager: Seeming Resolution] Message-ID: <m0uCJ4L-000916C@pacifier.com> At 04:16 AM 4/25/96 +0000, Jonathon Blake wrote: > > Jim: > >On Wed, 24 Apr 1996, jim bell wrote: > >> Notice that he hasn't presented what he would claim to be the scope of the >> conditions, which suggests that he's going to try to spring them on me > > I haven't seen a list of your conditions yet. > > How about placing your minimally acceptable requirements > for accepting Black Unicorn's Wager. At the very least, he'd have to IDENTIFY himself at least to the extent that I have done so. Name, address, telephone number, etc. >> the examples quoted in that SC decision, which were cited as exceptions to >> 5th amendment protections in the US, all of them represent examples which >> were only considered technologically useful in the last 100 years, the >> oldest being fingerprinting. Given this, it is easy to conclude that there > > Which makes it interesting that he provides an Ecclesiastical > Court Decision from the Seventeenth Century. > > It isn't the US, but you haven't made an limitations > as to which legal system is acceptable. As you quoted me above, you are aware that my point was that the SC-listed exceptions to the 5th amendment were recent and didn't have older US precedent. I claimed that there was no logical reason to believe that such claimed exceptions were anything other than comparatively recent excuses given to allow violations of the 5th amendment. While I am not totally disinterested in foreign examples, that was NOT the area under discussion. A foreign example is irrelevant because it does not challenge my claim. Notice that Unicorn has studiously avoided my original observation. From richieb at teleport.com Wed Apr 24 22:31:56 1996 From: richieb at teleport.com (Rich Burroughs) Date: Wed, 24 Apr 1996 22:31:56 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues Message-ID: <2.2.32.19960425053227.006a09e4@mail.teleport.com> At 09:42 PM 4/24/96 -0800, Jim Bell wrote: [snip] >Let Unicorn FIRST identify himself. Then we'll see who's "weaseling." ROTFL. This is getting too predictable... Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon New EF zine "cause for alarm" - http://www.teleport.com/~richieb/cause From llurch at networking.stanford.edu Wed Apr 24 22:49:05 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 24 Apr 1996 22:49:05 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <ada43daa150210045c4d@[205.199.118.202]> Message-ID: <Pine.GUL.3.93.960424222517.22644F-100000@Networking.Stanford.EDU> [Tim, didn't you once tell me that long opera were bad?] I agree that the major innovation, and cypherpunk opportunity, of Java is in its cross-platform nature, not its vaunted ability to run untrusted code safely. I'm sorry, I'm just not interested in running untrusted code. Give me digitally signed code that I can trust, or for which the author can at least be held accountable, and I'll be happy. As cool as many of the people on the Java team are, though, I am dubious that Java is going to live up to the hype. It is still not clear to me that Microsoft is going to support it seriously in their browser, which by mid-1997 will be so tightly integrated with the lowest-common-denominator operating system that there will be no room for Netscape. NT scares me, too. Even major universities with huge investments in UNIX, kerberos, and AFS are flirting with NT. I believe they're fucking nuts, but they're doing it. I think it's prudent to hold your nose and accept that Visual Basic is here to stay. Microsoft isn't going to let Java fulfill its promises. If you're talking *mind*share, it's all Java. All the best minds are working on it. But if you're talking *market* share, like what people spend money on, and get money for, it's VB. I'm not saying that Microsoft is going to take over the world. We're going to have a balkanized computing world for some time. But Microsoft can and will prevent Java from subverting their share of the world. Has Microsoft even licensed Java, or are they still at the vague December 7th "letter of intent" stage? You know that the early press reports that Microsoft had licensed Java were wrong, didn't you? You know that the Internet Explorer 3.0 beta supports VB and not Java, don't you? [Gee, was that *Tim* complaining about a proponderance of off-topic posts? I wholly agree, so I've been *trying* to ignore all the trolls. I invite people to alt.revisionism and other appropriate forums for the Nazi stuff. Unfortunately, alt.censorship is a Grubor cesspool, and the fight-censorship list is subject to content-based moderation. But I digress...] -rich http://www.c2.org/~rich/ From abostick at netcom.com Wed Apr 24 23:27:38 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 24 Apr 1996 23:27:38 -0700 (PDT) Subject: The Iron Mountain Report In-Reply-To: <199604242213.AAA18326@utopia.hacktic.nl> Message-ID: <5bvfx8m9Loje085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604242213.AAA18326 at utopia.hacktic.nl>, nobody at REPLAY.COM (Anonymous) wrote: > Some years ago the federal government set up a special > [inaudible] group. For two-and-a-half years they met in secret at > Iron Mountain, New York. Their findings were called "Report from > Iron Mountain on the Possibility and Desirability of Peace." > Their document, by some of the leading thinkers, was suppressed. > Later, it was printed in a limited edition, with the *names* > removed. Some were shocked by what they read. Some "limited edition"! The first edition of Leonard C. Lewin's delightful and insightful satire was a trade hardcover widely distributed by The Dial Press in 1967 that has remained in print ever since. That elements of the lunatic fringe of the American right take this book on face value, as the suppressed report of a secret think-tank, would make veteran trollers like James "Kibo" Parry gulp with envy. Why stop here? There is a document ("Protocols") that PROVE that the world is secretly run by a conspiracy of Jewish elders. (The rumors that this document was a fabrication by the Czarist Russian secret police are obviously the handiwork of that same conspiracy.) YHBT. HAND.(*) Alan "Remember Carcosa!" Bostick - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick (*)You Have Been Trolled. Have A Nice Day. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX8JpuVevBgtmhnpAQEYfQMAopQ55+UeNn6egqoukfioOmbQLFyHmWbH FEDZjHDMcqyPpZPgedEKlYOF7PS8ArkIlh9Q843+hO5GSyCpC8InWK4yK8dOQLlN P5oo2LdnDnh2fly7z0AmIAfv1Izyj/Bw =UKZz -----END PGP SIGNATURE----- From abostick at netcom.com Wed Apr 24 23:27:40 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 24 Apr 1996 23:27:40 -0700 (PDT) Subject: [Yadda Yadda] Poker (was Re: [NOISE] [Wager: Seeming Resolution]) In-Reply-To: <m0uC7oO-00092NC@pacifier.com> Message-ID: <Hrwfx8m9LgyH085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <m0uC7oO-00092NC at pacifier.com>, jim bell <jimbell at pacifier.com> wrote: > What "kill"? Unicorn claimed a few days ago that he THOUGHT that his > challenge would never be accepted, ostensibly because of haggling by me. I > interpret this as unwillingness to bargain in good faith (sandbagging), > which is reasonable given Unicorn's track record. Given this thinly-veiled > warning of dishonesty, it is only realistic that I would not want to accept > his challenge. Jim Bell's ignorance apparently knows no boundaries. That's not what "sandbagging" means. In poker, to sandbag is to raise a bet after having opened that betting round by checking. It's frowned upon in some poker games, but completely acceptable in others - check the house rules before trying it. Try as I might, I can't see how Black Unicorn's statements qualify as sandbagging. He certainly didn't open the betting by checking! - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX8PwuVevBgtmhnpAQHf3wL/VWAPk8uF8p9hsUKp9q6OLd8TpRKN4N0Y aE3t2ECHB1unfjtSAeQxF1PeGhJdv53XWvcRyS44dgHNaylovpbJSXN3IEUg0GeT 9JyaieZ02EHBlHeNrUjCWTNfJAtSLVdX =AGof -----END PGP SIGNATURE----- From alano at teleport.com Wed Apr 24 23:40:20 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 24 Apr 1996 23:40:20 -0700 (PDT) Subject: No Subject Message-ID: <2.2.32.19960425063922.00b3ba08@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- Here is a reminder on the Cyperpunks meeting in Portland, OR on the 27th of April, 1996. The meeting will be held at Powell's Technical Books at 33 SW Park (Right off of Burnside) in Portland, Or at 5:23pm. We will have people speaking on a couple of topics, a key signing if we can get enough interested individuals, and general conversation on cryptography and other things on and off topic. For more information, send me e-mail at alano at teleport.com. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMX8dVOQCP3v30CeZAQHY4gf+PtKUM4HRuAZV0Myy4y22jw5t/PXLaLlk DXCSjE5qAI/F/zO1JXwiHsjfOd5O8dWkZ8EYbJc8gdMo5/cFs0ItLKGbRyPI8oqv zdTGNix9cjkhKF+a5wHoaJVVU5trcba0HIkrCgUfkEtLfmEg/8KyLqfCyI8dIPMK ub9Xgmzkj3yglF75jDycfKEDAxcugQAEgI10ju+VSKDhm+l11ECQsEhN5dv20p0A JRjP+1DKzCsrEbgky6bzZNKGUltgL5OrFBEQi2Udq+6AOUjgAC9UEvt+CAOVM5Bl wORavRYp7hy5sP2uI++s6+MYzx55CUSOZfTMHRFE4IKq4zEDijFTUw== =eLbH -----END PGP SIGNATURE----- --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From frantz at netcom.com Wed Apr 24 23:41:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 24 Apr 1996 23:41:46 -0700 (PDT) Subject: [NOISE- Pratical Application] Reasonable people Message-ID: <199604250641.XAA17824@netcom9.netcom.com> I have stopped to offer first aid after two traffic accidents, one in Nevada and one in California. Both states have a "Good Samaritan" law which protects people who offer first aid from legal liability. While I have an extensive background in first aid, none of my credentials are current. The practical result is that in neither case did anyone ask me my name. I believe that the police enforce the Good Samaritan laws by making no records which would identify people who might be sued. This applies to rank amateurs or Professors of Emergency Medicine. In the final analysis, I would rather take the chance of being hurt by someone who didn't know what he was doing than take chance that someone would be deterred from stopping by threat of liability. It appears to me that the law also takes this view. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ml3e+ at andrew.cmu.edu Wed Apr 24 23:42:07 1996 From: ml3e+ at andrew.cmu.edu (Michael Loomis) Date: Wed, 24 Apr 1996 23:42:07 -0700 (PDT) Subject: No Subject Message-ID: <glTlu=W00iWUIK4JcS@andrew.cmu.edu> unsubscrive From grafolog at netcom.com Wed Apr 24 23:46:30 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Wed, 24 Apr 1996 23:46:30 -0700 (PDT) Subject: [NOISE] [Wager: Seeming Resolution] In-Reply-To: <m0uCJ4L-000916C@pacifier.com> Message-ID: <Pine.3.89.9604250600.A21477-0100000@netcom8> Jim: On Wed, 24 Apr 1996, jim bell wrote: > > for accepting Black Unicorn's Wager. > At the very least, he'd have to IDENTIFY himself at least to the extent that > I have done so. Name, address, telephone number, etc. One way to weasel out of it. > >> the examples quoted in that SC decision, which were cited as exceptions to > >> 5th amendment protections in the US, all of them represent examples which > >> were only considered technologically useful in the last 100 years, the > >> oldest being fingerprinting. Given this, it is easy to conclude that there > > > > Which makes it interesting that he provides an Ecclesiastical > > Court Decision from the Seventeenth Century. > > > > It isn't the US, but you haven't made an limitations > > as to which legal system is acceptable. > > As you quoted me above, you are aware that my point was that the SC-listed > exceptions to the 5th amendment were recent and didn't have older US > precedent. I claimed that there was no logical reason to believe that such So your conditions are US Supreme Court rulings, that handwriting exemplars are not fifth amendment violations. Those only occured in the middle of the Twentieth Century. I don't think anybody is going to come up with an earlier citation than that. However, there are citations in US Court Cases, from C18 & C19, which made such a ruling. It was only in C20 that somebody fought it to the Supreme Court, and the court decided to hear it. > claimed exceptions were anything other than comparatively recent excuses 200 years is recent, in comparison to China's 7 000 years of civilization, or the 2 000 years of Roman Law. << Mental note --- see whether the Roman Courts could demand handwriting exemplars, or not --- they did use Questioned Document Examiners. >> > given to allow violations of the 5th amendment. While I am not totally > disinterested in foreign examples, that was NOT the area under discussion. A I guess British Cases pre-1700 don't count. Pity. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From unicorn at schloss.li Thu Apr 25 00:02:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 25 Apr 1996 00:02:33 -0700 (PDT) Subject: arbiter/escrow agent for hire In-Reply-To: <01I3X9N6RA1W8Y50LP@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.93.960425030044.3252P-100000@polaris.mindport.net> On Wed, 24 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"bryce at digicash.com" 24-APR-1996 10:05:20.14 > > >1. Acceptable digital signature upon the "bet statement" > >from each bettor. (Note that PGP signatures from PGP key > >pairs which are not connected to me via the Web of Trust, or > >which are not verifiable by me via an out-of-band > >connection, are not acceptable digital signatures. This is > >because of the MITM attack problem, not because I need True > >Names to be connected to the signatures.) > > IIRC, currently Black Unicorn doesn't have any signatures on > his public key of others. Therefore, this requirement, while understandable, > could cause a bit of a difficulty in the current situation. Please obtain a copy of my current key by finger. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From tomw at netscape.com Thu Apr 25 00:16:39 1996 From: tomw at netscape.com (Tom Weinstein) Date: Thu, 25 Apr 1996 00:16:39 -0700 (PDT) Subject: Netscape Export + 128bits SSL (?) In-Reply-To: <01BB2F9B.1F300E20@JPKroepsli.S-IP.EUnet.fr> Message-ID: <317F26AD.4487@netscape.com> Jean-Paul Kroepfli wrote: > > Do you know if it's possible to use Netscape client (export = 40bits > RC4) on an external SSL layer (i.e., with full encryption, RC4 long > keys or IDEA)? > Use extra-US implantation (SSL-Leavy or AppacheSSL, etc.) the IDEA > option? Nope. > It seems that IDEA is no longer supported by SSL 3 (in the cipher > suite we see IDEA with RSA but not with D-H). IDEA is in no way deprecated in SSL 3.0. We were just trying to prune the list of cipher suites to what we thought was useful. The cipher suites specified in the SSL 3.0 protocol document are only a beginning. All cipher suites beginning with 0xFF are reserved for experimental use. As part of the IETF standards process, I'd like to see an IANA registry set up for registering new cipher suites. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From loki at obscura.com Thu Apr 25 00:17:49 1996 From: loki at obscura.com (Lance Cottrell) Date: Thu, 25 Apr 1996 00:17:49 -0700 (PDT) Subject: Mixmaster to DOS Yet? Message-ID: <ada4d57d0a021004fafd@[206.170.115.3]> Yes, it works. I am trying to get my cross compiler to compile the code before I certify that it is good, and attach my signature. I am recompiling gcc as I write, hopefully that will solve the problem. -Lance At 8:12 PM 4/20/96, John Erland wrote: >[Please respond netmail - I do not see this list regularly...thanks!] > >Time to ask again: Has anyone ported Mixmaster to DOS yet? > >Thanks for any info. > > JE >-- >: Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. >: Internet: kdf at gigo.com ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From llurch at networking.stanford.edu Thu Apr 25 00:17:50 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 00:17:50 -0700 (PDT) Subject: [DETWEILING?] Re: The Iron Mountain Report In-Reply-To: <5bvfx8m9Loje085yn@netcom.com> Message-ID: <Pine.GUL.3.93.960425000631.22644H-100000@Networking.Stanford.EDU> On second thought, this is so *obviously* a troll that it *must* be intended to be obvious. Of course there are a lot of really stooooopid Nazis out there, but this last round is too much. Did you see the one about Smart Cards being the Mark of the Beast? Follow the URL that message gave -- it's even loonier than it looks. Only nobody at replay.com knows... Possibilities: 1. Some anti-Nazi (such as Tallpaul -- note this is *not* an accusation!) trying to make the Nazis look bad. 2. Some really, really stupid Nazi who doesn't realize that he looks bad (if you don't believe sich people exist, look up just about any Usenet post from Les Griswold or A HUBER). 3. Some Detweiler tentacle/clone trolling just for kicks. 4. Declan, trying to troll me. 5. Me, trying to troll Declan, or myself. <pot-kettle-black=on> In any case, the person doing it is an asshole, and there is little call for substantive replies. Don't feed the animals. </pot-kettle-black> -rich From llurch at networking.stanford.edu Thu Apr 25 00:24:03 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 00:24:03 -0700 (PDT) Subject: arbiter/escrow agent for hire In-Reply-To: <Pine.SUN.3.93.960425030044.3252P-100000@polaris.mindport.net> Message-ID: <Pine.GUL.3.93.960425001832.22644I-100000@Networking.Stanford.EDU> So are there any arbiters out there who would deal in non-digital cash? Or someone who would launder US$ to Ecash for a smalle fee? I'd like to arbitrate a few minor disagreements with my 95% friend Declan. Clearly, neither private email nor restrained public flames have worked for three months. (I don't have TIME for this shit...) -rich http://www.c2.org/~rich/ From stewarts at ix.netcom.com Thu Apr 25 01:14:26 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 25 Apr 1996 01:14:26 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604250814.BAA07715@toad.com> At 02:22 PM 4/24/96 -0700, Wei Dai <weidai at eskimo.com> wrote: >On Wed, 24 Apr 1996, Hal wrote: >You can do signatures with Rabin too. I have a version of it in >Crypto++ 2.0. It's been out for a while and RSA hasn't bothered me about >it. >Does anyone want to explain why, given the alternatives, people continue >to use RSA and pay for it? Sure. Because 1) it's a good algorithm for the job, 2) we've learned it, and have a PGP base behind our inertia, 3) The legalities of RSA are well-defined, 4) the Stanford patents mostly run out in 1997, unless Roger's suit succeeds first, 5) the price of RSA is fairly low, once free RSAREF came out 6) the price of licensing Cylink patents is high and/or unpredictable # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From holovacs at styx.ios.com Thu Apr 25 03:31:06 1996 From: holovacs at styx.ios.com (Jay Holovacs) Date: Thu, 25 Apr 1996 03:31:06 -0700 (PDT) Subject: The Iron Mountain Report In-Reply-To: <199604242213.AAA18326@utopia.hacktic.nl> Message-ID: <Pine.3.89.9604250640.A7838-0100000@styx.ios.com> [The Iron Mountain report] was along ago admitted to be a parody by its real authors. ----------------------------------------------------------------------- Jay Holovacs <holovacs at ios.com> ----------------------------------------------------------------------- PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 From ddt at lsd.com Thu Apr 25 04:31:01 1996 From: ddt at lsd.com (Dave Del Torto) Date: Thu, 25 Apr 1996 04:31:01 -0700 (PDT) Subject: [PASSWD] good MCI password..."1234"? Message-ID: <v03006600ada4eb0338ee@[192.187.167.52]> [from RISKS 18.06] ................................. cut here ................................. Date: 19 Apr 1996 21:07:06 GMT From: chadm at unhinged.engr.sgi.com (Chad Ray McDaniel) Subject: MCI recommending bad security practices Taking advantage of yet another incentive offer, I recently switched my long distance carrier to MCI. They sent me the standard yet-another-piece-of-plastic-to-stick-in-my-wallet calling cards. The way these cards work is that you call an 1-800 number and type in your code consisting of your phone number followed by your PIN (Personal Identification Number) which happens to be printed on the card. Enclosed with the cards was a piece of paper in which MCI wisely suggests that you change your PIN to something other than what they assigned to you and printed on the card: Customizing your PIN Choosing your own four-digit number is the best way to assure you'll never forget your PIN. Make it the month and year of a loved one's birthday or use the same password you have for your voice mail or computer. We'll quickly replace the PIN we assigned you with any four digits you choose - just call 1-800-476-7306 For some strange reason MCI is recommending you to do exactly the opposite of what good security practices would proscribe! Not only do they suggest that you use an easily-breakable password such as an important date, but they recommend a practice that would weaken the security of potentially more sensitive information in a voice-mail or computer system. Of course, what probably prompted note from MCI was a desire to prevent MCI's customer service department from being inundated with calls from people who forgot their PINs. This alludes to the associated risk of requiring people to remember Yet Another Password (YAP). -chad From jya at pipeline.com Thu Apr 25 04:36:30 1996 From: jya at pipeline.com (John Young) Date: Thu, 25 Apr 1996 04:36:30 -0700 (PDT) Subject: NYT on MS Java, Net Radio Message-ID: <199604251136.HAA06962@pipe4.nyc.pipeline.com> April 25, 1996 "Edge for Sun as Microsoft Embraces Java." By John Markoff http://www.nytimes.com/library/cyber/week/0425license.html ---------- "FCC Backs Cheap Link to Internet by Radio." By Edmund L. Andrews http://www.nytimes.com/library/cyber/week/0425radio.html From nobody at REPLAY.COM Thu Apr 25 06:08:06 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 25 Apr 1996 06:08:06 -0700 (PDT) Subject: [NOISE] Re: Nazis on the Net Message-ID: <199604251236.OAA09404@utopia.hacktic.nl> EALLENSMITH at ocelot.Rutgers.EDU writes: | Abraham Lincoln is one reason I _don't_ use the above definition; by mine, | he'd be a separatist (wanted to move Blacks to Liberia, if I recall correctly). | I trust that everyone involved in this discussion (with the exception of the | neo-Nazi) would agree that Abraham Lincoln was better than those in the South | who wanted to keep blacks enslaved? Do we have a neo-Nazi in this discussion?? Are you implying that any sceptic of a few Holocaust `facts' is a neo-Nazi?? Do you infer that all pro-lifers are Republicans?? It is because of such baseless inferences, I have to remain anonymous. I would dearly love to debate under my real name, but am prevented from doing so by the neo-Nazi name-calling. Yes you are correct, I disagree that Abraham Lincoln was better than those in the South, not for racial reasons (remember, the Civil War was *not* about slavery, because the slavery issue only arised *after* the war started), but because I believe that a diverse set of countries is `better' than one. I believe that countries that want independence (such as Chechnya) should have it. (Yes, I am likening Abe Lincoln to Boris Yeltsin). [ You may also like to consider that blacks as well as whites fought for the South. ] --- ``The believer is happy. The doubter is wise''. - Hungarian proverb From hieronym at desk.nl Thu Apr 25 06:39:25 1996 From: hieronym at desk.nl (t byfield) Date: Thu, 25 Apr 1996 06:39:25 -0700 (PDT) Subject: The Iron Mountain Report In-Reply-To: <v02140b00ada47b37a48c@[17.202.12.102]> Message-ID: <v03006602ada52da5e85a@[193.0.0.2]> 6:33 AM +0200 4/25/96, Rich Graves: > The author of the Iron Mountain Report was interviewed on PBS a few weeks > ago. It was a really over-the-top parody published in 1967. Leonard Lewin wrote it, evidently with some inspiration and help from Victor Navasky, how head ed of _The Nation_. Any credulous right-wing kooks looking for a "deeper understanding" of the _Iron Mountain Report_ might want to check out a session on it being held by the Learning Alliance: Lewin, Navasky, and a couple of others'll be yakking about it (in New York, I assume). Ted From perry at piermont.com Thu Apr 25 07:02:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 25 Apr 1996 07:02:49 -0700 (PDT) Subject: Cypherpunks: Cesspit? (was Re: Mindshare and Java) In-Reply-To: <ada43daa150210045c4d@[205.199.118.202]> Message-ID: <199604251402.KAA27368@jekyll.piermont.com> Timothy C. May writes: > Well, I was not invited to join the elite and secret coderpunks > list, It is neither elite nor secret. It is fairly high signal to noise. I think only about one in every fifty or so cypherpunks messages has any content at all worth mentioning. > but I still have some thoughts on coding and, especially, on the > opportunities offered by Java. Sorry if this interferes with > discussions of Rabbi Heir and Morris Dees. You have no right to grumble about the situation here. It is exactly what you wanted. Here you were, a person of some personal gravitas and moral authority, and you put your stamp on the "post whatever you like; don't let the grumbling censors stop you". Well, as you sow, so shall you reap. Its your fault, more than anyone else's. > [It is my firm opinion that the creation of a separate mailing list to > discuss only coding or software issues is a mistake. Unfortunately, most of the smart coders had been driven out of this cesspit by the noise levels, so it was the only choice left. > Basically, it is easier to filter-reduce a large group, such as with > "[CODE]" prefixes or by reputations, Actually, it isn't easier. I've tried filtering cypherpunks and its damn hard. Doing it right would require much more AI than we have access to. > And there is another important point, that the > Cypherpunks/Coderpunks split is producing the expected result: the > Cypherpunks are rapidly losing any remaining anchors to > technical/programming issues and are thus becoming almost wholly > politics-driven. While I am of course highly motivated by political > issues, they must be grounded in technical issues As I recall, Mr. May, you were arguing against my continued attempts to keep some semblance of technical discussion continuing on Cypherpunks. The occassional attempt by me to turn things in a technical direction was met by posts from you to the effect of "this isn't coderpunks, get that technical stuff out of here". In jest or no, I got sick of dealing with it. I didn't want to see the split, but at least now there is a place I can have discussions with smart crypto software coders. None of them could tolerate Cypherpunks any longer. If Cypherpunks has become a cesspit, well, its YOUR cesspit, Tim. Its the list you always strove to create, but it appears that you now don't like the smell of your own wallow. Well, sorry. Deal with it. > I can't say what's happening on the coderpunks list, but my suspicion is > that many of the coderpunks-only readers are analogously disconnected from > ideological/political issues and think, perhaps, that the main purpose of > the list (and of Cypherpunks) is to discuss compiler optimizations for PGP > source code. No, most of them are highly political. They just don't see any reason to blather on about the same stuff over and over and over and over when there is work to be done. Those that never do work may not understand this principle, of course. Perry From sandfort at crl.com Thu Apr 25 07:14:43 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 25 Apr 1996 07:14:43 -0700 (PDT) Subject: Meta: The Arguing about the Terms of the Wager Continues In-Reply-To: <m0uCIti-00094cC@pacifier.com> Message-ID: <Pine.SUN.3.91.960425070028.7156A-100000@crl10.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Wed, 24 Apr 1996, jim bell wrote: > ... Let Unicorn FIRST identify himself. Then > we'll see who's "weaseling." What has identity got to do with it? If Jim is so worried about it (as opposed to just trying to cover up his own weaseling), then I will cover Black Unicorn's wager. I have a persistant identity on this list. Hell, Eric Hughes has keys to my house. I stand ready to hand Eric a postal money order made out to "Jim Bell or Sandy Sandfort" and let him or Tim May or any of a dozen other Cypherpunks decide this issue once and for all. Is Bell willing to do the same? Jim, take the damned bet or shut the fuck up. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From hfinney at shell.portal.com Thu Apr 25 07:28:02 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 25 Apr 1996 07:28:02 -0700 (PDT) Subject: NYT on MS Java, Net Radio Message-ID: <199604251426.HAA05778@jobe.shell.portal.com> From: John Young <jya at pipeline.com> > "Edge for Sun as Microsoft Embraces Java." > > By John Markoff > > http://www.nytimes.com/library/cyber/week/0425license.html >From the article: > SAN FRANCISCO -- Sun Microsystems Inc., already a stock-market favorite > on the strength of its Internet products, has secured a significant > endorsement from Microsoft Corp., which plans to announce next week > that it will incorporate Sun's Java software programming language into > the Microsoft Windows 95 personal computer operating system. > The companies would not comment, but industry executives said > Microsoft, whose Windows operating system is used on some 80 percent of > the world's PCs, will join IBM and Novell, among other companies, in > announcing plans to embed Java into their software operating systems. > Those moves, and the possibility of a similar endorsement by Apple > Computer Inc., should go a long way toward making Java an industry > software standard in the rapidly expanding Internet market. In other Java news, the report from the Princeton scientists who have found many security weaknesses in Java is now available at <URL: http://www.cs.princeton.edu/sip/pub/secure96.html >. It is very critical of the language design and implementation. I don't fully agree with the thrust of their criticisms, because I don't think provability is a practical matter with programs complex enough to be useful. But they have certainly identified an alarming number of problems. I will post later today a list of the issues they have identified. Hal From frissell at panix.com Thu Apr 25 07:36:32 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 25 Apr 1996 07:36:32 -0700 (PDT) Subject: International Capital Flows Called Criminal Message-ID: <2.2.32.19960425143051.0071b1bc@popserver.panix.com> Financial Times, April 24, 1996, p. 8. US prosecutor attacks bank secrecy laws By Clay Harris Mr John Moscow, assistant district attorney for Manhattan: "Bank secrecy statutes in international finance are used by crooks, tax evaders, securities fraudsters, and capital flight fellows; they are used by narcotics dealers. But they are not needed by honest folks engaged in honest transactions." Now the last time I looked, 'Capital Flight' was as legal as church on a Sunday. Or is this a proposal for exchange controls. Is this guy a state or federal prosecutor? He was also unable to come up with legitimate reasons for $3 Billion to go from Egypt to the Bahamas. I can think of any one of a number of legal reasons, one being "International Tax Planning." DCF From blake at bcdev.com Thu Apr 25 08:08:47 1996 From: blake at bcdev.com (Blake Coverett) Date: Thu, 25 Apr 1996 08:08:47 -0700 (PDT) Subject: Mindshare and Java Message-ID: <01BB3297.78880050@bcdev.com> > I agree that the major innovation, and cypherpunk opportunity, of Java is > in its cross-platform nature, not its vaunted ability to run untrusted > code safely. I'm sorry, I'm just not interested in running untrusted code. > Give me digitally signed code that I can trust, or for which the author > can at least be held accountable, and I'll be happy. Absolutely! > As cool as many of the people on the Java team are, though, I am dubious > that Java is going to live up to the hype. It is still not clear to me > that Microsoft is going to support it seriously in their browser, which by > mid-1997 will be so tightly integrated with the lowest-common-denominator > operating system that there will be no room for Netscape. There was an official announcement at their Professional Developers Conference a few weeks back. In short, full support in the browsers (and apparently MS is now the keeper of the reference implementation on Win32) and also a full blown Java development environment code-named 'Jakarta'. -Blake From shamrock at netcom.com Thu Apr 25 09:00:00 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 25 Apr 1996 09:00:00 -0700 (PDT) Subject: arbiter/escrow agent for hire Message-ID: <v02120d00ada551bbae9b@[192.0.2.1]> At 0:23 4/25/96, Rich Graves wrote [paraphrased] >So are there any arbiters out there who would deal in non-digital cash? Or >someone who would convert US$ to Ecash for a smalle fee? I will be happy to do USD to Ecash conversions for a nominal fee. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From abostick at netcom.com Thu Apr 25 09:41:35 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 25 Apr 1996 09:41:35 -0700 (PDT) Subject: An idea for refining penet-style anonymous servers Message-ID: <Uc5fx8m9LojB085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- Does the world need to have the anon.penet.fi model of anonymous email and news posting refined, given the existence of Cypherpunks remailers and Mixmaster digital mixes, not to mention nymservers? I will listen respectfully to the arguments of the people who say "no", and they're very likely right. But penet *is* the most widely used means of anonymous communication on the Internet - largely because of its ease of use compared to genuinely secure remailers and mixes. The other night, while sick and feverish with the flu, a scheme popped into my head that would seem to make penet-style anonymous servers less vulnerable to compromise through seizure of the remailer equipment or of the address database. In the cold light of day and normal temperature, it still seems like a sound idea to me, and I wondered what other people would think of it. My scheme is the design of the address database. It consists of two hash tables, one for sending messages (which maps anonymous IDs onto sender's addresses), and one for receiving them (mapping recipient's addresses onto anonymous IDs). A cryptographically secure hash (say, MD5) is used for the index of both tables. The index of the sending message table is the MD5 hash of the sender's address. The table entry the index points to is the sender's anonymous ID, encrypted by a symmetric algorithm (maybe IDEA). The encryption key would be a different hash, by another algorithm (let's suppose it's SHA), of that same address. In forwarding a message, the server MD5-hashes the sender's address and looks at the table. If it doesn't find a corresponding entry, it creates one. If it *does* find an entry, it SHA-hashes the sender's address and uses this key to decrypt the anonymous ID. In the unlikely event of collision the decrypted ID will be gibberish and the server does something sensible (like appending padding to the address and trying again). The header information is filtered and the anonymous ID inserted in the From: line. The receiving message hash table is designed similarly, in reverse. The index of the hash table is the MD5 hash of the anonymous ID; the entry in the table is the recipient's email address, encrypted with the SHA hash of the anonymous ID. When a message comes in, the anon ID is hashed and looked up in the table. If nothing is found, the message is bounced. If an entry is found, the anon ID is SHA hashed and the table entry decrypted. If it is gibberish, a collision has taken place and handled appropriately. The message is then forwarded to its intended recipient. What all this accomplishes is to obscure more information from attackers and from honest operators. In the event of abuse it is a simple matter to find out who the abusers are and block them out. If the operator is subject to subpoena, anyone named in the subpoena can be easily identified . . . *but nobody else can!* Authorities cannot use a search for one identity as an excuse for a fishing expedition in the address database. (Obscuring information from honest operators can protect the operator when questions of liability or even conspiracy come up.) There is a way that attackers who have seized or copied the database can search it - by trying it out on anonymous IDs, or user addresses, until they hit paydirt. And of course such an anonymous server can be no more trustworthy than its operator; and the fundamental security limitations of the penet-style anonymous server are well-understood. So what do people think of this scheme of mine? Are there drawbacks or weaknesses that I'm not seeing? Is it a good idea? I'd really like it if *something* good came out of being laid up with the flu. - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMX+n0OVevBgtmhnpAQFkrwL+N+CklsLNsqHXNPnCOs1mogNydNnCtvGs cUqK9rG3xpTYFsPMH6lhWq8wfPfKtQ88xs3RC/JE8ypcDZBugifNDf7hTuGeLZ8n Q8RDvnAq0qNz9rxqHiMuyOQ3kf6YEVys =g5SU -----END PGP SIGNATURE----- From rkmoore at iol.ie Thu Apr 25 09:58:44 1996 From: rkmoore at iol.ie (Richard K. Moore) Date: Thu, 25 Apr 1996 09:58:44 -0700 (PDT) Subject: Anonymous banking Message-ID: <v0211010eada565770ee0@[194.125.43.36]> 4/24/96, E. ALLEN SMITH wrote: >>But Washington last year ranked Austria alongside Colombia, Venezuela and >>Thailand in a league table of nations that tolerate money laundering. Ha ha! The U.S. and Panama probably exceed all of the above in laundering, but of course the USA/CIA doesn't notice those, since they're "in the family". -rkm From us028272 at interramp.com Thu Apr 25 10:54:34 1996 From: us028272 at interramp.com (Jeffrey C. Flynn) Date: Thu, 25 Apr 1996 10:54:34 -0700 (PDT) Subject: trusting the processor chip Message-ID: <v01530502630b72c54a12@[38.12.221.41]> On Fri, 29 Mar 1996, JEFF C FLYNN wrote: > Does anyone know of articles regarding the possibility of subverting > processor chips? Is this a realistic threat? Is it possible to hack vhdl > compilers to embed intentional security flaws in silicon? Known cases? > Attempts? > TIA, > Jeff I received several responses to this question. My favorite was as follows... >This is probably science fiction, particularly at the VHDL level. >Maybe someone could make a crime of opportunity out of a microcode >flaw, but there's a risk of it being found out during testing. > >To do it right would require collusion of the design and test teams. >They need to ensure the back door stays closed, isn't tickled by >"normal" testing and only opens when really requested. So a lot of >people are in on the secret even before it gets exploited for >nefarious purposes. > >And what nefarious purposes would pay for the risks and costs of this? >If the secret got out, the design team, product line, and company >would be dead in the marketplace and probably spend the rest of their >lives responding to lawsuits. What could you use this for that is >worth the risk? > >Trying to do it to the compiler (like Thompson inserting a back door >in login using the Unix C compiler) is, again, theoretically possible. >But the only reason to hack the compiler would be to do the deed >without involving the processor development team. Risky in terms of >building a reliable back door and the risk of detection. It might not >work and the changes might be detected. To do it right would probably >involve as many technical people as the processor development itself. >Even "high grade threats" have finite resources -- there aren't that >many processor design gurus in the world to start with. > >At best, this might make a good plot element for Tom Clancy.> > >Rick. >smith at sctc.com secure computing corporation Still, I'm left feeling a little uneasy. My reasons for this are 1) Trusting the processor means trusting something I don't fully understand. 2) Processors these days are extremely complex. 3) On April 3rd, at Interop, Peter Neumann (in his keynote presentation) disclosed that a random number generator chip used in slot machines had been compromised. This lead to a huge bogus jackpot, and an investigation that revealed the scheme. It looks like I may have no other option than to give some processor some degree of trust. Which processor I should choose, and why that one? TIA, Jeff _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Specializing in the Design and Implementation of SECURE NETWORKS JEFF FLYNN & ASSOCIATES NETWORK SECURITY CONSULTING 19 PERRYVILLE IRVINE, CALIF. 92720 JEFF FLYNN TELEPHONE (714)551-6398 PRINCIPAL _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From frantz at netcom.com Thu Apr 25 11:10:22 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 25 Apr 1996 11:10:22 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604251810.LAA17469@netcom9.netcom.com> At 1:11 AM 4/25/96 -0700, Bill Stewart wrote: >At 02:22 PM 4/24/96 -0700, Wei Dai <weidai at eskimo.com> wrote: >>On Wed, 24 Apr 1996, Hal wrote: >>You can do signatures with Rabin too. I have a version of it in >>Crypto++ 2.0. It's been out for a while and RSA hasn't bothered me about >>it. >>Does anyone want to explain why, given the alternatives, people continue >>to use RSA and pay for it? > >Sure. Because 1) it's a good algorithm for the job, >2) we've learned it, and have a PGP base behind our inertia, >3) The legalities of RSA are well-defined, >4) the Stanford patents mostly run out in 1997, unless Roger's suit > succeeds first, >5) the price of RSA is fairly low, once free RSAREF came out >6) the price of licensing Cylink patents is high and/or unpredictable I will add to Bill's list: 7) RSA is the best known and vetted of the Public Key algorithms. Some people say that the millennium comes on Jan 1, 2000. Others say it comes on January 1, 2001. I say it comes on September 20, 2000 when the RSA patent expires. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From hfinney at shell.portal.com Thu Apr 25 11:10:46 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 25 Apr 1996 11:10:46 -0700 (PDT) Subject: coderpunks not elite Message-ID: <199604251714.KAA22305@jobe.shell.portal.com> From: tcmay at got.net (Timothy C. May) > Well, I was not invited to join the elite and secret coderpunks list, but I > still have some thoughts on coding and, especially, on the opportunities > offered by Java. As far as I know, the coderpunks list is neither secret nor elite. I joined it about a month ago, andd there wasn't any problem. Just send mail to majordomo at toad.com saying "subscribe coderpunks". It's just as easy as cypherpunks. According to majordomo, coderpunks has 355 subscribers, compared to 1284 for cypherpunks. These numbers are hardly representative of an elite list. The biggest difference between the lists is volume. Some days coderpunks gets a dozen or more messages, but for the last two or three days for example there haven't been any at all. The other difference of course is that coderpunks is for technical discussions. Where philosophy comes up it is more in terms of issues of security and reliability than politics. I do share Tim's concern about the political views of coderpunks subscribers. Despite the "punks" in the name it seems to be somewhat more of a mainstream group. Nevertheless I am determined to act as though the group favors unlimited access to privacy tools by individuals and to post under that assumption. If it comes to the point that someone complains there may have to be some air clearing but I don't think it's likely to come up. If the archives at hks.net ever come back people could take a look and see if they would be interested in subscribing. Mostly the discussions are pretty dry. A lot of them are on specific issues that are of interest probably to only a few people. It remains to be seen really whether the list can sustain itself. This has been the problem in the past with offspring lists. Cypherpunks continues to have a lot of vitality. What I object to most is the back and forth arguments people get into. I don't mind reading one message off-topic, but to have the thread drag on for days, with dozens of messages, is wasteful. People should just make their points and let them stand. They shouldn't feel they have to keep coming back and refuting the other guy. Hal From hfinney at shell.portal.com Thu Apr 25 11:44:38 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 25 Apr 1996 11:44:38 -0700 (PDT) Subject: Java security weaknesses Message-ID: <199604251842.LAA27897@jobe.shell.portal.com> This is a quick summary of the attacks listed in "Java Security: From HotJava to Netscape and Beyond", by Drew Dean, Edward W. Felten, and Dan S. Wallach, Department of Computer Science, Princeton University. <URL: http://www.cs.princeton.edu/sip/pub/secure96.html >. Only attacks on Netscape will be listed here. Several more were found in HotJava, but that product is moribund at present. The version of Netscape used is 2.0. Denial of service attacks Busy-wait to consume CPU cycles Allocate memory until no more is available Lock crucial system classes, e.g. java.net.INetAddress. Blocks all hostname lookups. Several other classes are suitable for this attack. Denial of service attacks can be moderated to degradation of service, possibly after a time delay, to make someone else's product look bad. Covert Channels Can send mail via an SMTP port on server Lookup fictitious DNS name to send out info Tell browser to access fictitious URL (can be redirected back) Information available to applets Can benchmark machine by reading system clock Java hashcode() defaults to address of object, might leak some info Implementation errors DNS hack allowing connections to any machine (has been patched) Java disassembler (javap) has buffer overflows (not normally run by users) Inter-Applet security Applets running from previous pages can learn of new applets by getting a handle to the top-level ThreadGroup and enumerating every thread running in the system. Can then call stop() and setPriority() on threads belonging to other applets, making them appear slow and unreliable. Bytecode problem The big one: Java bytecode safety checker doesn't detect illegality of constructor() { try { super() } catch (Exception e) {} } This is not legal in the language - super() must not be called in a try clause. But the bytecode checker erroneously allows it. This allows subclasses of privileged system classes to be created. Normally those classes throw an exception in their constructor so they can't be instantiated. But this trick allows it. This way users can create their own ClassLoaders, SecurityManagers, etc. By creating a hacked ClassLoader the Java class type system can be defeated by resolving different classes against each other. Any non static variable can be set, any public method can be called, including native methods. The security is gone. Package name problem If the first character of a package name is / the system will attempt to load code from an absolute path, which would be trusted since it comes from the local disk. Any Java class which the attacker can get onto the user's disk can then be loaded in trusted mode. Classes can be gotten onto disk simply by fetching URL's in Netscape, which puts them into its cache. If you can figure out Netscape's class naming scheme you can then run any class, trusted. (I think this one has been patched.) From vznuri at netcom.com Thu Apr 25 11:49:47 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 25 Apr 1996 11:49:47 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <ada43daa150210045c4d@[205.199.118.202]> Message-ID: <199604251849.LAA16561@netcom11.netcom.com> TCM: > >Well, I was not invited to join the elite and secret coderpunks list, but I >still have some thoughts on coding and, especially, on the opportunities >offered by Java. Sorry if this interferes with discussions of Rabbi Heir >and Morris Dees. hey, that's horrible. well, consider this an invitation. "we" would love to see you post there. but you've written disparagely about people that like to code in the past here, so "we're" not sure how much you will like the list. >[It is my firm opinion that the creation of a separate mailing list to >discuss only coding or software issues is a mistake. For several reasons, >which I can discuss at lenght in a separate message. Basically, it is >easier to filter-reduce a large group, such as with "[CODE]" prefixes or by >reputations, than it is to filter-expand a moribund group! :-} that's pretty amusing. I thought I saw a long msg from you about how these prefixes were mostly a waste of time based on your experience on the Extroprian list. I've seen >many sub-critical mass list become moribund. And there is another important >point, that the Cypherpunks/Coderpunks split is producing the expected >result: the Cypherpunks are rapidly losing any remaining anchors to >technical/programming issues and are thus becoming almost wholly >politics-driven. whoa, you don't know that. a little bit of a leap of faith there. the cpunk list has always been awash in froth almost from its beginning. people are always whining about its loss of S/N but it has always been an awful lot of flotsam and jetsam. While I am of course highly motivated by political issues, >they must be grounded in technical issues (else we are just another >anti-CDA, anti-censorship, anarcho-capitalist, libertarian ranting group). hee, hee. the pendulum swings back. first message I have seen in which you get out of the defensive, "anti-CDA, anti-censorship, anarcho-capitalist, libertarian rants are right on target here on the cpunk list and don't let boneheads like PM argue with you about it." >I can't say what's happening on the coderpunks list, but my suspicion is >that many of the coderpunks-only readers are analogously disconnected from >ideological/political issues and think, perhaps, that the main purpose of >the list (and of Cypherpunks) is to discuss compiler optimizations for PGP >source code. suspicion is a funny thing. people who are paranoid can be manipulated to channel their fears into useful effects. in a place where a lot of people are paranoid, you can even get a sort of chain reaction of paranoia. (as in the recent message, "YAAAAH!! we're being DETWEILED!!!") It is sad to see the Cypherpunks lose its grounding. Maybe in >a few months, the coderpunks will simply declare victory, dissolve the >Cypherpunks list, and rename themselves, a la coderpunks = cypherpunks++.) cypherpunks, a barely "grounded" thing to begin with, "lose its grounding"? what about you, the premiere advocate of free choice and letting a thousand mailing lists bloom? oh, when one becomes SUCCESSFUL, then its a problem. I see. I thought there was "no such thing as the cypherpunks"? there is no "group" to begin with? I never thought I would see you cheerleeding for "cypherpunk unity." >But I come not to bury Cypherpunks, I come to praise Java. the rest of your post was not interesting to me so I'll refrain from commenting. <g> From hfinney at shell.portal.com Thu Apr 25 12:09:53 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 25 Apr 1996 12:09:53 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604251908.MAA29335@jobe.shell.portal.com> From: frantz at netcom.com (Bill Frantz) > Some people say that the millennium comes on Jan 1, 2000. Others say it > comes on January 1, 2001. I say it comes on September 20, 2000 when the > RSA patent expires. It is traditional to commemorate big events with annual observances. I say there's no reason the observances can't predate the event when it is known in advance. So I propose that September 20 be known as Crypto Freedom Day, and an annual celebration be held on that day. With each year closer to 2000 the party gets bigger, culminating on the day that the patent actually expires. We can all run our RSA in three lines of Java that Adam Back will have prepared, and taste for the first time the freedom which the rest of the world will have known for the past 17 years. Hal From inetannc at microsoft.com Thu Apr 25 12:13:04 1996 From: inetannc at microsoft.com (Microsoft Internet Announcements) Date: Thu, 25 Apr 1996 12:13:04 -0700 (PDT) Subject: ANNOUNCE: new Microsoft Code Signing mailing list Message-ID: <c=US%a=_%p=msft%l=RED-89-MSG-960425191031Z-15313@tide21.microsoft.com> CodeSign on ListAdmin at lists.msn.com CodeSign is a mailing list (discussion list) for discussions on Microsoft's Windows Trust Verification Services, a set of API's which determine whether a software component contains digital certificates that identify it as being authentic software released by a publisher trusted on the local user's system. For more information about Code Signing, see <http://www.microsoft.com/intdev/>. You can subscribe to the regular mailing list or a digest version. To subscribe, send e-mail to ListAdmin at lists.msn.com with the following text in the message body (not subject line): subscribe CodeSign your at email.address or digest CodeSign your at email.address where your at mail.address is your actual e-mail address (don't just use "your at mail.address"). To unsubscribe, send e-mail to ListAdmin at lists.msn.com with the following text in the message body (not subject line): unsubscribe CodeSign your at email.address To send a message to the subscribers of the list, send e-mail to CodeSign at lists.msn.com. From perry at piermont.com Thu Apr 25 12:27:48 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 25 Apr 1996 12:27:48 -0700 (PDT) Subject: Golden Key Campaign In-Reply-To: <199604251810.LAA17469@netcom9.netcom.com> Message-ID: <199604251927.PAA27960@jekyll.piermont.com> Bill Frantz writes: > I will add to Bill's list: > > 7) RSA is the best known and vetted of the Public Key algorithms. Nota at all, Mr. Frantz. There are no proofs of security associated with RSA. Rabin has excellent proofs that breaking a message is strictly equivalent to factoring. .pm From jlasser at rwd.goucher.edu Thu Apr 25 12:53:34 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Thu, 25 Apr 1996 12:53:34 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <ada43daa150210045c4d@[205.199.118.202]> Message-ID: <Pine.SUN.3.91.960425153148.12377C-100000@rwd.goucher.edu> On Wed, 24 Apr 1996, Timothy C. May wrote: > So, I was faced with a heart-rending choice: get an Intel box, put Linux on > it, and try to "get in the mainstream" by writing something in Perl, or > TCL, etc. (Though I note that the early success with writing remailers in > Perl has not been followed by any other stunning applications of a > similarly revolutionary nature...and I don't know of anybody doing anything > Cypherpunkly-interesting in TCL, for example.) Actually, I'm just starting such a project in TCL... The first phase is as a shell for Matt Blaze's Crypto File System, so it can be run, and changes made, without opening up a shell or dealing with command-line options. The next phase will be to write (what I beleive to be) the first graphical PGP shell for X. While this isn't a seriously cypherpunks-relevant app, as most people running X are capable of dealing with the command line (I am, too, but I don't want to open up a shell every time I load up my encrypted partition), but I'm using it as a jumping-off point. I don't think TCL is suited to heavy-duty crypto applications, except as an interface. Mostly because it is interpreted, though I'm not sure how "everything is a string" would affect bignums. (And I wouldn't want to write a TCL bignum library...) It might be possible to write a remailer front-end in TCL, and that might be a near-future project, if the frontend project proves successful. (Which it has, in a sense, because the first phase (though it isn't where I'd want to distribute it far and wide) is done to the point where I can load my CFS partition and disconnect it without opening a shell... (early Alpha code is available upon request, and suggestions/help/co-writing is most certainly welcome...) Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From llurch at networking.stanford.edu Thu Apr 25 12:54:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 12:54:15 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <01BB3297.78880050@bcdev.com> Message-ID: <Pine.GUL.3.93.960425125045.27532C-100000@Networking.Stanford.EDU> On Thu, 25 Apr 1996, Blake Coverett wrote: > There was an official announcement at their Professional Developers > Conference a few weeks back. In short, full support in the browsers > (and apparently MS is now the keeper of the reference implementation on > Win32) and also a full blown Java development environment code-named > 'Jakarta'. Yes, I had the misfortune to post that skeptical bit at precisely the same moment that the public press releases were proving me wrong :-( My source at the PDC indicated that Microsoft was still pushing Visual Basic, but I'll accept that there's been a change... Still, integrating Java and Internet browsing into the OS does not bode well for Netscape. -rich From frantz at netcom.com Thu Apr 25 13:23:18 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 25 Apr 1996 13:23:18 -0700 (PDT) Subject: Mindshare and Java Message-ID: <199604252023.NAA00294@netcom9.netcom.com> At 10:47 PM 4/24/96 -0700, Rich Graves wrote: >I agree that the major innovation, and cypherpunk opportunity, of Java is >in its cross-platform nature, not its vaunted ability to run untrusted >code safely. I'm sorry, I'm just not interested in running untrusted code. >Give me digitally signed code that I can trust, or for which the author >can at least be held accountable, and I'll be happy. I, for one, am interested in running untrusted code. If I can run untrusted code, I can greatly reduce my exposure to Trojan horses and bugs. It bothers me that if I run Microsoft Word, it can trash my MacWrite files. Even if I get these programs from reputable dealers, in original shrink-wrap boxes, so I have good reason to believe I know who the author is, I am still exposed to these problems. I should note that Java's one-straitjacket-fits-all approach to running untrusted programs is not adequate to satisfy my desires. However, it is a start, and it does run in todays complex Input Output Control Systems that have been misnamed "Operating Systems". (If it can't enforce a security policy, it isn't an Operating System.) I would rather use technological means to prevent damage than legal means. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From declan+ at CMU.EDU Thu Apr 25 13:48:18 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 25 Apr 1996 13:48:18 -0700 (PDT) Subject: Anti-porn activists' old memo on alt.sex.*, anonymous remailers Message-ID: <4lTy_wq00YUvMge4Am@andrew.cmu.edu> This is a note I came across in my archives hinting at how anti-porn groups used the content of the alt.sex.* groups to pass the CDA, and how they may not exactly be a fan of anonymous remailers. Attached is a memo from Deen Kaplan, previously a vice president at the then-named National Coalition Against Pornography, to other anti-porn activists. Note that John McMickle soon afterwards became a member of Sen. Chuck Grassley's staff and helped recruit witnesses for the July 1995 cyberporn hearings. (You may recall that Grassley was pushing for a law even worse than the CDA.) Some of the names on the To: line are easy to identify, like Rice-Hughes and Jepsen from Enough is Enough! And Cathy Cleaver from the Family Research Council, whom I'm debating in a few weeks. The others I haven't figured out yet. (The FRC is run by Gary Bauer, a former policy assistant to Reagan and a former undersecretary at the Department of Education. Now Bauer heads the FRC, the DC-based lobbying extension of James Dobson's Focus on the Family." Dobson's history includes serving on the Attorney General's Commission on Pornography, aka the Meese Commission. Bauer also embraced Marty Rimm's cyberporn study as gospel, calling the ACLU and EFF "porn industry apologists" who are "taking cheap shots at this comprehensive study.") I'm passing this along as an FYI. -Declan My Rimm web site: http://www.cs.cmu.edu/~declan/rimm/ The attached article and followup: http://www.cs.cmu.edu/~declan/rimm/asst/anti_porn_group_11_22_94.letter Cleaver's op-ed on CDA: "Kids Need Protection in Cyberspace, Too" http://fight-censorship.dementia.org/dl?num=1153 ---------------------------------------------------------------------- Note for Donna Rice-Hughes From: Deen Kaplan Date: Tue, Nov 22, 1994 1:43 PM Subject: Alt.sex.pedophilia To: Cathy Cleaver; Dee Jepson; Dianna Denney; Dixie Sanner; Donna Rice-Hughes; Jan LaRue/Lillian; John McMickle; Lori Fender; Maryam Kubasek; Monique/Ginny/Stacy; Paul Maurer; Rick Schatz Here's an anonymous message posted last night on the Usenet Board Alt.sex.pedophilia. REALLY sick and a good example (even if the person is kidding, which is unlikely in this area.). I'll do a demo of how the USENET boards work in the office for D.C. people after Thanksgiving. ---------------------------- Receiving information ... 1. Help I'm here with you and must know more about this group 2. Now what? 3. Now what? --> 4. fun at the hospital Message-ID:<090418Z21111994 at anon.penet.fi> Path:msuinfo!uwm.edu!math.ohio-state.edu!howland.reston.ans.net!pipex!demon!kaa rna.cc.jyu.fi!news.funet.fi!news.eunet.fi!anon.penet.fi Newsgroups: alt.sex.pedophile.mike-labbe From: an141380 at anon.penet.fi X-Anonymously-To: alt.sex.pedophile.mike-labbe Organization: Anonymous contact service Reply-To: an141380 at anon.penet.fi Date: Mon,21 Nov 1994 09:02:17 UTC Subject: fun at the hospital Lines: 10 Those orphan kids in the terminally ill section of the hospital are so fun at night when they are drugged out. I love sucking on their tiny finger-sized cocks and probing their tight holes. Their slender little bodies are completely smooth. They're going to die pretty soon so they won't come back to me several years from now as hairy grown up men blaming me for why they are all mentally messed up. And since they are orphans with no one to look over them except for overworked staff, I could get away with just about anything. ------------------------------ To find out more about the anon service, send mail to help at anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin at anon.penet.fi From stewarts at ix.netcom.com Thu Apr 25 13:49:13 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 25 Apr 1996 13:49:13 -0700 (PDT) Subject: [NOISE] The Iron Mountain Report Message-ID: <199604252049.NAA22863@toad.com> At 09:33 PM 4/24/96 -0700, Rich Graves wrote: >The author of the Iron Mountain Report was interviewed on PBS a few weeks >ago. It was a really over-the-top parody published in 1967. That's _Nationalized_ Public Radio; any conspiracy that couldn't get somebody on their denying that they were the secret power behind the government is obviously not competent to be the _real_ secret power behind the government. The interview just shows how pervasive they are. :-) Meanwhile, Robert Ludlum's got a new book out, doing another "hidden Nazis-will-rise-again" conspiracy. It's ok, though not as good as his best work. Among other events, the disinformation leaked out by the Neo-Nazis frames many prominent people as Nazis, a critical few of whom really are. And there's a bad parody of a fat talk-show host somewhat to the right of Attila the Hun (Caller: "Double whippo, Arnie!") who gets framed on the air... >Every once in a while, I get mail asking whether I really have contacts in >Sendero Luminoso, since a bit of satire I wrote was quoted in the Web >Review (which made no attempt to contact me before printing the satire as >my position). Foo - even I've had contacts in the Sendero Luminoso, though they all would have strictly denied it - they were just "good Socialist college students" and "immigrant refugees" from Peru, which _does_ have a fairly brutal and sleazy elected dictator. Not everybody in the anti-war business is pro-peace. >Truth is far more fragile than fiction. Sure, cause fiction's supposed to make sense. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From frantz at netcom.com Thu Apr 25 13:54:36 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 25 Apr 1996 13:54:36 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604252054.NAA03146@netcom9.netcom.com> At 3:27 PM 4/25/96 -0400, Perry E. Metzger wrote: >Bill Frantz writes: >> I will add to Bill's list: >> >> 7) RSA is the best known and vetted of the Public Key algorithms. > >Nota at all, Mr. Frantz. There are no proofs of security associated >with RSA. Rabin has excellent proofs that breaking a message is >strictly equivalent to factoring. I do not equate good vetting with proofs of security. Given the Verona intercepts, I don't think there are any valid proofs of the security of complete crypto-systems. While anyone who can factor RSA keys can break RSA, factoring has been intensively studied since RSA was published. The public information says that in spite of improvements, factoring is still a hard problem. If people in Maryland can factor big RSA keys, they're Not Saying Anything. So far, I'll stand by my two contentions: 7a) RSA is the best known public key algorithm. 7b) RSA is the best vetted public key algorithm. Do you have any counter examples to help me change my mind? ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Thu Apr 25 13:55:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 25 Apr 1996 13:55:02 -0700 (PDT) Subject: US law - World Law - Secret Banking In-Reply-To: <199604251135.NAA07136@utopia.hacktic.nl> Message-ID: <Pine.SUN.3.93.960425165304.2700D-100000@polaris.mindport.net> -----BEGIN PGP SIGNED MESSAGE----- On Thu, 25 Apr 1996, Anonymous wrote: > Financial Times, April 23, 1996, p. 8. > Long arm of US law threatens business > By Clay Harris > > The extra-territorial reach of US law poses a growing > threat to non-US companies doing business, even indirectly, > with that country, an expert on money laundering said > yesterday. It amazes me that this is new news. I've been watching this since the mid 80s. > Mr Rowan Bosworth-Davies, senior consultant at London > solicitors Titmuss Sainer Dechert, told a conference in > Lisbon that US courts had been "consistent in concluding > that US law enforcement interests outweigh a foreign > nation's interests in preserving the confidentiality of its > banking or its business records". The earliest of these decisions dates back to the 60s. Good morning reporters. Have a nice nap? [...] > The due diligence required was "truly awesome," Mr > Bosworth-Davies said. "Any new proposed business client who > is a US citizen, who proposes to do business on US > exchanges, buy US property, transfer money from a US > institution, pass money through a US institution or return > money to a US institution must become subject to a level of > investigation not hitherto contemplated." What has consistently alarmed me is the United States trend of extending her own moral and ethical standards world wide. Granted the United States is the foremost world economic power, but the power to control markets and the political power to invade the sovereignty of other states are two distinct issues. The United States is, in one form or another, attempting to homogonize the legal systems of the world to comply with her own concept of what is "right" or "fair." This is disturbing. I will not go so far as to propose that this is some grand conspiracy or some "one world government" plot. I will comment, however, that what started with concepts of anti-trust, and progressed into the field of securities regulation, has (publically) become an issue of banking secrecy and cryptography. By no means are the states of the world united on the meaning of anti-trust, the appropriate levels of regulation therein, or the manner in which to enforce these segments of the law. That the United States should seek to impose her own will and concepts on foreign states strikes me as the antithesis of this once noble power's call, indeed the central focus of her foreign policy, for the self determination of all nation states. One sees a larger trend. The dream of European unification, many times attempted attempted militarily (France, Napoleon, Germany), then politico-economically (The European Union) has become a global legal financial reform effort led by the United States. While from the prespective of the United States, the position seems rational, what is constantly ignored is the imposition on foreign states, particularly those with a long culture of independent and unintrusive legal regimes. (Switzerland, Austria, Sweden have all felt the pressure from the United States of late). Perhaps unwittingly, under the guise of protecting her shores from 'Money Laundering,' 'Narco-Terrorism,' Terrorism and any number of international criminal problems, the United States appears to be a united front for worldwide financial legal reform. It is my prediction that this policy, which ignores the international comity between nations, will severely disadvantage the country in the years and decades to come. Mr. May (I believe) on this list predicted the inevitable clash between strong cryptography and the technologies and capacities it creates and statist trends. I join in his assesment. Private banking in cyberspace is in its infancy. At the moment institutions are identified, have a geographical base, and depend on the graces of a single host state to exist. Many or most institutions hold significant assets within the borders of the United States, and still others derive a large portion of their income from U.S. branches. These days will not last forever. The introduction of a geographically diverse, multi-jurisdiction, crypto and secret sharing institution with completely blinded assets assured and accountable merely through blind digital signatures is around the corner. Such an institution will be impervious to the whims of the United States or any other power. She may even hold stock secretly in U.S. institutions, offer mutual funds investing in U.S. stocks, and yet remain beyond the reach of the legal systems and intelligence apperatus of the western world. It is my vision to create such a system. > A former legal adviser to the UK intelligence agencies MI5 > and MI6, meanwhile, told the conference that organised > criminals should be declared "illegal international > organisations" (IIOs) and made subject to administrative > sanctions similar to those applying to "rogue states". Any individual understanding the jargon of intelligence will appreciate the meaning of this statement. What is being called for here is the application of the full brunt of intelligence assets and even covert actions to enforce that which cannot be enforced by law alone. > Mr David Bickford, deputy chairman of Strategy > International UK, said organised criminals planned their > crimes to take advantage of different national legal > systems and mutual legal assistance treaties. As do tax attornies, multi-national corporations, wealthy individuals, and import-export traders. The United States has become expert in the process of criminalizing the act of being a criminal. > A solution, he said, was to treat them as organisations, > not individuals. Once they were identified as IIOs, assets > would be subject to seizure and forfeiture. > > The system would require strict oversight and a forum to > determine complaints and claims. Revenue provided by > forfeited assets could be applied to the cost of > investigation and to the parties which lost revenue as a > result. A dangerous, frightening concept. Akin to worldwide application of the RICO act. > Financial Times, April 24, 1996, p. 8. > US prosecutor attacks bank secrecy laws > By Clay Harris > Mr Moscow, who since 1989 has been assigned to prosecute > cases related to Bank of Credit and Commerce International > said: "In the BCCI case, we had $3bn going from Egypt, > through New York, to Nassau in the Bahamas and back. I > don't suppose that there has been $3bn in trade between > Egypt and the Bahamas in all recorded history. A prudent > banker would have asked what business his customers were > in." And that prudent banker might have been told by the CIA to shut up or take a walk. BCCIs problem was that the prosecutors in Miami and the Federal system never bothered to do any work until the Iran Contra scandal. This despite constant allegations and indications of major frauds. BCCI is a poor example because it involved corrupt bankers who formed the bank with the intent of defrauding depositors and investors, not a bank which was merely annoying to the tax authorities of the United States. > In a strong attack on bank secrecy laws, he said: "The > ancient concept that bank secrecy must be preserved to keep > a gentleman's financial affairs confidential -- dating back > to the days when only gentlemen had cheque accounts, and > their servants did not -- must give way to the current > reality. Which reality? That the United States wants access to the financial records of anyone and everyone on the planet? > "Bank secrecy statutes in international finance are used by > crooks, tax evaders, securities fraudsters, and capital > flight fellows; they are used by narcotics dealers. But > they are not needed by honest folks engaged in honest > transactions." Neither are walls, envelopes, whispers or any other manner of secret keeping. Correct? Haven't we seen this before? If prosecutors would do their job and concentrate on the crimes themselves as opposed to reforming the entire international financial system to make their work a bit easier, noone would be concerned. Financial investigations are a crutch for poor prosecutors. > He added: "There is no reason why the people in Vanuatu > cannot have rigid bank secrecy laws. I do not care what > they do among themselves, so long as they are consenting > adults. I do care, however, if they try to merchant their > sovereign status and impose their sovereignty on New York > (along with rest of the civilised world), to protect the > narco dollars from detection... As we see it, if the money > goes through Manhattan, we may well have jurisdiction." Jurisdiction over the Manhattan bank, fine. What are you going to do? Invade Vanatu? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMX/lzy1onm9OaF05AQHYfAgAj99lS+cdF8Nn4oTSu6IukBzTgdQf97em GtAWp2N47RwA5GEtRl/b/zGBMPOHdsUh6OLklpy4MIeurPYlMAWH49nJlT2viV0e MBU9q9/9q5w+7wGMHci76hRzb1gYYqBEvT9fGRhQx+fkL4Be8ZxuyYnhanapisZL zFdqMhRJa1o6lKXA9MQjmJ42A2SR74HnjzuTkpjzc3Wq3V1jdByhs57xZj+gJWB1 fP1w4ii43zI54ZlWR6P88zYyYc5UYeYoaGVqe1hYGUEJ+2J+K/px2/AgH5p8LQAa 9zVTXMqLPwBxb8JDfV7ThcQilVTKTQKSfj2I8RRwHF4lI5cvIG4W/A== =SZov -----END PGP SIGNATURE----- --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From leefi at microsoft.com Thu Apr 25 13:55:46 1996 From: leefi at microsoft.com (Lee Fisher) Date: Thu, 25 Apr 1996 13:55:46 -0700 (PDT) Subject: Hack MSN anyone? Message-ID: <c=US%a=_%p=msft%l=RED-09-MSG-960425205348Z-73431@tide19.microsoft.com> I was curious about the below message, and checked... MSN uses CHAP (PPP's challenge-response handshake) for network layer authetication, and NTLM (Windows NT's challenge-response handshake) for application-layer authentication. The password is never sent in across the network. Challenge-responses encrypted with the password are sent. Lee Fisher | The names have been changed to protect the innocent... | I need say no more I'm sure. | || Yes, windows95 dialup networking uses compression to send the password || when connecting. Thanks for using the Microsoft Network || ||| Problem Description: Microsoft being security conscious and all, I ||| would hope that when I connect to MSN over the Internet, that my MSN ||| client has the decency to ENCRYPT my password when it sends it over the ||| net, yes? This is the first time I couldn't get through to a dial-up ||| connection and had to access MSN using my ISP. Having done so, I find ||| it extrememly convenient, and would like to continue to do so. Thanks. From declan+ at CMU.EDU Thu Apr 25 13:58:11 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 25 Apr 1996 13:58:11 -0700 (PDT) Subject: Brock Meeks: "The Encryption Clock" Message-ID: <ElTyQ0W00YUvIjvUwF@andrew.cmu.edu> [Near end, Mike Nelson is quoted insisting that White House wants voluntary key escrow, etc. --Declan] http://www.hotwired.com/muckraker/ The Encryption Clock When US Attorney General Janet Reno held a high-profile news conference crowing about the first successful use of an "Internet wiretap," she set the "Encryption Clock" in motion. The Encryption Clock (my own invention) is shamelessly stolen from the "Doomsday Clock" ginned up by nuclear scientists during the Cold War. Since 1947 the Bulletin of Atomic Scientists has moved the minute hand on the Doomsday Clock forward or backward; the placement was a guess by the planet's top minds as to how close the world was to full-scale nuclear holocaust. Midnight signaled the end of humanity. At the height of Reagan's "Evil Empire" rhetoric, the clock was 3 minutes from striking 12. It was only after the USSR self-destructed that the clock was rolled back from the brink, and it now sits at 14 minutes from 12. If the Encryption Clock strikes midnight, we will see the FBI's crypto wet dream realized: A ban on encryption schemes that were not developed or endorsed by the government. The ban will be swift and brutal and will come without public debate. It will cover the FBI's encryption "hat trick," outlawing private encryption during all phone calls, modem communications, and even of files stored on your hard disk. [...] From perry at piermont.com Thu Apr 25 14:19:33 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 25 Apr 1996 14:19:33 -0700 (PDT) Subject: Golden Key Campaign In-Reply-To: <199604252054.NAA03146@netcom9.netcom.com> Message-ID: <199604252118.RAA28185@jekyll.piermont.com> Bill Frantz writes: > At 3:27 PM 4/25/96 -0400, Perry E. Metzger wrote: > >Bill Frantz writes: > >> I will add to Bill's list: > >> > >> 7) RSA is the best known and vetted of the Public Key algorithms. > > > >Not at all, Mr. Frantz. There are no proofs of security associated > >with RSA. Rabin has excellent proofs that breaking a message is > >strictly equivalent to factoring. > > I do not equate good vetting with proofs of security. Given the Verona > intercepts, I don't think there are any valid proofs of the security of > complete crypto-systems. In that case, why do you think that an RSA system would be better implemented as a matter of necessity than a Rabin system? > While anyone who can factor RSA keys can break > RSA, factoring has been intensively studied since RSA was published. The > public information says that in spite of improvements, factoring is still a > hard problem. If people in Maryland can factor big RSA keys, they're Not > Saying Anything. You didn't hear what I said. There is no proof that RSA is equivalent to factoring -- only a strong belief. There may exist ways to break RSA that do not involve factoring. Rabin, however, is provably equivalent to factoring. > So far, I'll stand by my two contentions: > > 7a) RSA is the best known public key algorithm. Meaningless and unimportant. > 7b) RSA is the best vetted public key algorithm. Again, false. RSA has no proofs of security, and other systems have far better proofs. RSA also leaks small bits of information like parity that other systems do not leak. This is not to say that RSA is bad, but its choice over, say, Rabin, at least for encryption, is fairly abitrary. Perry From llurch at networking.stanford.edu Thu Apr 25 14:45:26 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 14:45:26 -0700 (PDT) Subject: [NOISE] The Iron Mountain Report In-Reply-To: <199604252049.NAA22863@toad.com> Message-ID: <Pine.GUL.3.93.960425143326.27532H-100000@Networking.Stanford.EDU> On Thu, 25 Apr 1996, Bill Stewart wrote: > Meanwhile, Robert Ludlum's got a new book out, doing another > "hidden Nazis-will-rise-again" conspiracy. It's ok, though not > as good as his best work. Among other events, the disinformation > leaked out by the Neo-Nazis frames many prominent people as Nazis, > a critical few of whom really are. And there's a bad parody of a > fat talk-show host somewhat to the right of Attila the Hun > (Caller: "Double whippo, Arnie!") who gets framed on the air... That's funny; maybe I'll check it out in my spare time. Yeah, right. The scary thing is, there are people who actually BELIEVE that shit. Or, from the "other side," Clancy's rants, or The Turner Diaries, or Marx's poor algebra in Das Kapital. You shouldn't base your life on fiction. I'd guess that there are no more than 5,000 serious Nazis left in the whole world who actually favor totalitarianism and genocide. It's quite obvious who they are. They're not a threat, but it's probably good to harry them, because otherwise, they might become a threat. (The 5K estimate does *not* include other totalitarian/genocidal movements, and I'm not interested in debating parallels. When I say "Nazi," which is pretty rare, I mean "Nazi," someone who has read and agrees with the "Nation and Race" chapter of Mein Kampf.) Disinformation is stronger than a lot of people think. Or maybe I'm just saying that :-) > Foo - even I've had contacts in the Sendero Luminoso, though they > all would have strictly denied it - they were just "good Socialist > college students" and "immigrant refugees" from Peru, which _does_ have > a fairly brutal and sleazy elected dictator. Not everybody in the > anti-war business is pro-peace. My academic work involved Latin American revolutionary movements. I have some idea. > >Truth is far more fragile than fiction. > Sure, cause fiction's supposed to make sense. Never thought of it that way, but I believe that's the crux of the problem... -rich http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html From llurch at networking.stanford.edu Thu Apr 25 14:56:11 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 14:56:11 -0700 (PDT) Subject: Hack MSN anyone? In-Reply-To: <c=US%a=_%p=msft%l=RED-09-MSG-960425205348Z-73431@tide19.microsoft.com> Message-ID: <Pine.GUL.3.93.960425145006.27532I-100000@Networking.Stanford.EDU> On Thu, 25 Apr 1996, Lee Fisher wrote: > I was curious about the below message, and checked... > > MSN uses CHAP (PPP's challenge-response handshake) for network layer > authetication, and NTLM (Windows NT's challenge-response handshake) for > application-layer authentication. The password is never sent in across > the network. Challenge-responses encrypted with the password are sent. Thanks; that's what I thought. Never believe anything you're told by tech support. It was pretty clear to me that the poor undereducated sod had the words "compression" and "encryption" confused. NTLM isn't perfect, but it's difficult enough to be secure enough for MSN. You're not doing anything IMPORTANT on MSN, are you? Due to Win95's open memory model, there's probably some system call that a virus/trojan can use to ask politely for the username and password; in fact, isn't it the same API that has already been demonstrated? But if you let such a beast on your machine, all bets are off anyway. -rich From frantz at netcom.com Thu Apr 25 15:46:11 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 25 Apr 1996 15:46:11 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <199604252245.PAA14156@netcom9.netcom.com> At 5:18 PM 4/25/96 -0400, Perry E. Metzger wrote: >Bill Frantz writes: >> I do not equate good vetting with proofs of security. Given the Verona >> intercepts, I don't think there are any valid proofs of the security of >> complete crypto-systems. > >In that case, why do you think that an RSA system would be better >implemented as a matter of necessity than a Rabin system? I don't imply that. I do think that the use of proof is of limited applicability in demonstrating security. Complex proofs can be as much in doubt as complex computer programs. Used within its limitations, proof is very valuable, but too often its value is asserted beyond those limitations. The Varona case applies because of the common statement that one time pads are the only provably secure crypto-system. >> 7a) RSA is the best known public key algorithm. > >Meaningless and unimportant. Not in terms of why people use RSA rather than some other algorithm. >> 7b) RSA is the best vetted public key algorithm. > >Again, false. RSA has no proofs of security, and other systems have >far better proofs. RSA also leaks small bits of information like >parity that other systems do not leak. This is not to say that RSA is >bad, but its choice over, say, Rabin, at least for encryption, is >fairly abitrary. Thanks for the information. Schneier (V2) says that while Rabin and Williams are provably as secure as factoring. They, like RSA, are completely insecure against a chosen cyphertext attack. Correcting this problem by using a one-way hashing function makes them no longer provably as secure as factoring, although adding a random string does not have this defect. Rabin also has the problem, which Williams corrects, that each message has four possible decypherments, and the user must select the correct one. While these systems have a small theoretical advantage over RSA (their provability), how much effort has been expended in examining them compared with RSA? Level of effort is important in determining "best vetted". (I realize that some efforts, such as research into factoring, apply to both systems.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Thu Apr 25 16:12:50 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 25 Apr 1996 16:12:50 -0700 (PDT) Subject: trusting the processor chip Message-ID: <m0uCa4r-00094aC@pacifier.com> At 01:53 PM 4/25/96 -0400, Jeffrey C. Flynn wrote: >I received several responses to this question. My favorite was as follows... > >>This is probably science fiction, particularly at the VHDL level. >>Maybe someone could make a crime of opportunity out of a microcode >>flaw, but there's a risk of it being found out during testing. >> >>To do it right would require collusion of the design and test teams. >>They need to ensure the back door stays closed, isn't tickled by >>"normal" testing and only opens when really requested. So a lot of >>people are in on the secret even before it gets exploited for >>nefarious purposes. >> >>And what nefarious purposes would pay for the risks and costs of this? >>If the secret got out, the design team, product line, and company >>would be dead in the marketplace and probably spend the rest of their >>lives responding to lawsuits. What could you use this for that is >>worth the risk? This analysis seems to assume that the entire production run of a standard product is subverted. More likely,I think, an organization like the NSA might build a pin-compatible version of an existing, commonly-used product like a keyboard encoder chip that is designed to transmit (by RFI signals) the contents of what is typed at the keyboard. It's simple, it's hard to detect, and it gets what they want. Jim Bell jimbell at pacifier.com From hfinney at shell.portal.com Thu Apr 25 16:23:29 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 25 Apr 1996 16:23:29 -0700 (PDT) Subject: US law - World Law - Secret Banking Message-ID: <199604252321.QAA17568@jobe.shell.portal.com> From: Black Unicorn <unicorn at schloss.li> > What has consistently alarmed me is the United States trend of extending > her own moral and ethical standards world wide. Granted the United States > is the foremost world economic power, but the power to control markets and > the political power to invade the sovereignty of other states are two > distinct issues. The United States is, in one form or another, attempting > to homogonize the legal systems of the world to comply with her own > concept of what is "right" or "fair." This is disturbing. I was encouraged to read the description by former NSA lawyer Stewart Baker of Japan's attitudes towards crypto policy (from the URL posted here by wb8foz at nrk.com, http://www.us.net/~steptoe/276915.htm). We can all take heart in what Baker finds alarming: In the United States and Europe, encryption policy is formed by a mix of interests. Advocates of business, national security agencies, and more recently the police -- all play a large role in the policy debate. This policy triumvirate is difficult to see in Japan. For a variety of reasons, commercial interests are predominant in Japanese government thinking about encryption. Time after time during my interviews, I was reminded that Japan was an island nation that has not had to defend itself for fifty years and so has not had to confront the national security concerns associated with encryption. And Japanese police face severe political and constitutional constraints on wiretapping, so the prospect of losing this criminal investigative tool seems not to be as troubling to the Japanese government as to the United States and many European nations. [...] All in all, the emerging Japanese consensus on cryptography could pose a major challenge to U.S. (and perhaps European) government hopes of striking a compromise between commercial and governmental interests with respect to cryptographic policy. If Japan puts the weight of its government and industry behind strong, unescrowed encryption, competitive pressure will quickly doom any attempt to influence this technology through export controls and standard-making. Governments will be forced to choose between overt regulation in the Russian and French manner or laissez-faire policies of the sort that now prevail in the domestic markets of countries like the United States, Great Britain, and Germany. I love the description of the choice facing the government, between laissez-faire policies versus the kind of system prevailing in Russia. This is a remarkably clear and frank description of the policy directions which are available. Hal From ses at tipper.oit.unc.edu Thu Apr 25 16:35:29 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 25 Apr 1996 16:35:29 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <199604252023.NAA00294@netcom9.netcom.com> Message-ID: <Pine.SOL.3.91.960425162433.22627B-100000@chivalry> On Thu, 25 Apr 1996, Bill Frantz wrote: > At 10:47 PM 4/24/96 -0700, Rich Graves wrote: > >code safely. I'm sorry, I'm just not interested in running untrusted code. > >Give me digitally signed code that I can trust, or for which the author > >can at least be held accountable, and I'll be happy. > > I, for one, am interested in running untrusted code. If I can run > untrusted code, I can greatly reduce my exposure to Trojan horses and bugs. > It bothers me that if I run Microsoft Word, it can trash my MacWrite Both policies make sense in different circumstances; however, refusing to run unsigned code, even though it reeks of FUCKING STATISM is easier verify, and harder to circumvent; We're experimenting with both approaches in Solid Oak (one classloader that rejects unsigned classes, another that works with the security manager to use the signed IDs to make policy decisions where necessary. That approach is the more flexible, but it remains vulnerable to flaws in the policy manager if it is somehow possible to do naughty things without going through the security manager. If you require even untrusted code to be signed you at least have a target-id to send to blacknet for attitude adjustment. One thing that could be retroactively added to the vm pretty easily would be the ability to add capability requirements to methods, and have the class loader automatically generate code to check for those requirements before executing the body of the method Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From mccoy at communities.com Thu Apr 25 16:50:02 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 25 Apr 1996 16:50:02 -0700 (PDT) Subject: Golden Key Campaign Message-ID: <v02140b00ada5c85554fb@[205.162.51.35]> Bill Frantz writes: > At 1:11 AM 4/25/96 -0700, Bill Stewart wrote: [...why do people continue to promote the RSA method?...] > > > >Sure. Because 1) it's a good algorithm for the job, And there are other equally good algorithms which can also do the job. > >2) we've learned it, and have a PGP base behind our inertia, A pretty insignificant base actually (at least compared to the internet as a whole) and supposedly PGP 3.0 will support multiple encryption methods so maybe the RSA reliance can die the ignoble death it deserves. One point left out from the original posting is that a Rabin exchange can use a RSA public key provided that the p and q in the public key are Blum integers (which also lets you use the public key for probabalistic PKE, as well as a few other neat tricks), so changing PGP to support Rabin would not be much of an inconvenience... > >3) The legalities of RSA are well-defined, Yes, and the most well-defined point is that until September in the year 2000 you will pay an arm and both legs to use RSA. > >4) the Stanford patents mostly run out in 1997, unless Roger's suit > > succeeds first, A point in favor of non-RSA public-key methods. > >5) the price of RSA is fairly low, once free RSAREF came out You must be joking. Have you ever tried to deal with RSA lawyers? > >6) the price of licensing Cylink patents is high and/or unpredictable True, but Cylink needs to milk their patents for all they are worth for the remaining 481 days they have left. In a little more than one year they will not be left with much more than a footnote in the crypto history books. > > I will add to Bill's list: > > 7) RSA is the best known and vetted of the Public Key algorithms. Best known perhaps, but ElGamal and Rabin have also been studied in depth (in fact, Rabin is provably as secure as factoring, RSA has not been proven this secure, it is only assumed that it is.) Most public key methods fall back to only a handful of real trap-doors, so there is only a limited amount of vetting to be done (esp. when compared to symmetric encryption methods.) > Some people say that the millennium comes on Jan 1, 2000. Others say it > comes on January 1, 2001. I say it comes on September 20, 2000 when the > RSA patent expires. Nope, it starts on August 19, 1997. After that point it becomes possible to deploy systems using secure public-key crypto worldwide without needing to pay someone royalties... :) jim From llurch at networking.stanford.edu Thu Apr 25 17:00:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 17:00:40 -0700 (PDT) Subject: Mindshare and Java In-Reply-To: <Pine.SOL.3.91.960425162433.22627B-100000@chivalry> Message-ID: <Pine.GUL.3.93.960425164813.27532L-100000@Networking.Stanford.EDU> On Thu, 25 Apr 1996, Simon Spero wrote: > On Thu, 25 Apr 1996, Bill Frantz wrote: > > > At 10:47 PM 4/24/96 -0700, Rich Graves wrote: > > >code safely. I'm sorry, I'm just not interested in running untrusted > > >code. Give me digitally signed code that I can trust, or for which > > >the author can at least be held accountable, and I'll be happy. > > > > I, for one, am interested in running untrusted code. If I can run > > untrusted code, I can greatly reduce my exposure to Trojan horses and bugs. > > It bothers me that if I run Microsoft Word, it can trash my MacWrite > > Both policies make sense in different circumstances; however, > refusing to run unsigned code, even though it reeks of FUCKING STATISM is It doesn't have to, reek I mean. By "held accountable" I mean by me, the user, not the coercive power of the FUCKING STATE. For me, the digital signatures would not be the imprimatur of "good, safe code." The digital signature would mean, "Rich Graves <rich at c2.org> accepts blame for this code." Or "This code is an official (or whatever the unofficial official unofficial word would be) part of the GNU project." Or "The Black Unicorn nym says 'Two Thumbs Up.'" Or "This is an accurate copy of the code discussed on comp.windows.emulators.wine." In my fantasy world, signatures would be verified by the web of trust, not the FUCKING STATE or FUCKING MICROSOFT. I guess "trusted" isn't the right word, thanks. I don't "trust" anything that comes from Microsoft to be bug-free. I do expect it to be free from exogenous viruses and trojans, though, so that the bugs would be reproducible, and have a chance of being fixed. In my fantasy world, I'm not asking you to verify signatures every time you run something. Maybe you can tune how often you want stuff checked, so you have a tradeoff between security and performance. Sort of like COPS or Tripwire, but transparent to the user. -rich From JC6452 at FS2HOST.CCCCD.EDU Thu Apr 25 17:05:50 1996 From: JC6452 at FS2HOST.CCCCD.EDU (James Childers) Date: Thu, 25 Apr 1996 17:05:50 -0700 (PDT) Subject: Mindshare and Java Message-ID: <96Apr25.190047cdt.9739@cricket.ccccd.edu> > > As cool as many of the people on the Java team are, though, I am dubious > > that Java is going to live up to the hype. Same here. If someone writes a secure electronic-wallet type system with Java, then I'll be impressed. Until then, all I've seen implemented is kEWL text graphics. > There was an official announcement at their Professional Developers Conference > a few weeks back. In short, full support in the browsers (and apparently MS > is now the keeper of the reference implementation on Win32) and also > a full blown Java development environment code-named 'Jakarta'. Didn't MS ditch their proprietary Java-like language? Interesting, if so... From llurch at networking.stanford.edu Thu Apr 25 17:09:50 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 25 Apr 1996 17:09:50 -0700 (PDT) Subject: US law - World Law - Secret Banking In-Reply-To: <199604252321.QAA17568@jobe.shell.portal.com> Message-ID: <Pine.GUL.3.93.960425170147.27532M-100000@Networking.Stanford.EDU> On Thu, 25 Apr 1996, Hal wrote: > I was encouraged to read the description by former NSA lawyer Stewart > Baker of Japan's attitudes towards crypto policy (from the URL posted > here by wb8foz at nrk.com, http://www.us.net/~steptoe/276915.htm). We can > all take heart in what Baker finds alarming: Yeah, that's sweet. I'm concerned that it might paint too glowing a picture of Japanese civil liberties, though. NOTE: -LOlsen (I'm speaking beyond my experience) It was my impression that the Japanese response to the Aum Shinrikyo terrorist gassing was more draconian and one-sided than the US response to the Oklahoma City bombing. For all the doomsday talk, you must acknowledge that the "anti-terrorism" bill was stalled for a full year by an odd coalition of right-wing and civil-liberties groups. I have not heard about such political discussions in Japan. The police seemed to have carte blanche to ban the cult, seize its assets, and investigate and/or arrest anyone associated with it. If I'm misinformed, please enlighten me. It's certainly true that internationalization usually means openness, which usually means privacy and freedom. -rich From markm at voicenet.com Thu Apr 25 17:22:40 1996 From: markm at voicenet.com (Mark M.) Date: Thu, 25 Apr 1996 17:22:40 -0700 (PDT) Subject: Mixmaster message formats Message-ID: <Pine.LNX.3.92.960425200950.1060A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- I was thinking about how Mixmaster needs a separate message format so it can make messages a fixed size and add a packet ID. However, couldn't all this be done with PGP? With PGP, the length of the file being encrypted is encrypted itself, so it would be possible to append random data to the end of the file to make the message a fixed length like Mixmaster. Also, the packet-ID could be implemented by putting a line such as the following in the message: :: Packet-ID: foobar The only other thing that would have to be taken care of is chaining. The way I could see this working is to have a header in the encrypted message that tells the remailer whether it should de-armor the message at the next layer, append random data, then re-armor, and pass it to the next remailer. Am I missing something? - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMYAXxLZc+sv5siulAQG5CwP/Qbgune3sjNyB7Y8xNxNW6hCahtgBNJDk oT+hZHdlmcB6CZXjgDUSczIfAnygS71PBBysB4DJnugluMTMTGfqmgeikXdvL1zt vnwx5xlG0HQeTbVE2+c1uW4uamkdb0MZmNLR06S9M+2i0ROaWzGwNO6WEHqoEL3W qwXZ7zPtId0= =MaO4 -----END PGP SIGNATURE----- From jya at pipeline.com Thu Apr 25 17:24:17 1996 From: jya at pipeline.com (John Young) Date: Thu, 25 Apr 1996 17:24:17 -0700 (PDT) Subject: ROC_poc Message-ID: <199604260022.UAA05445@pipe1.nyc.pipeline.com> 4-25-96. WaPo: "Israelis Eye U.S. Laser As Anti-Rocket Defense. Nautilus High-Energy Laser Beam Burns Surface of Weapon." Two months ago, in a test at the White Sands Missile Range in New Mexico, the U.S. Army used the laser to shoot down two Katyusha rockets that earlier had been seized by Israel. The test caught the attention of the aerospace community because it offered evidence of Nautilus's efficacy, especially its new tracking system upgraded with more sophisticated computer software. The laser, beamed at a rocket for only a second or two, disables it by melting its surface, causing it to explode and crash to Earth. "Spy Chief's Grasp Reaches Other Pockets." The Senate intelligence committee yesterday approved a major expansion in power for the director of central intelligence (DCI) by giving the director authority not only over the CIA budget but also over all intelligence spending, most of which currently is controlled by the Pentagon. Such a radical change is likely to run into strong opposition not only from the military services themselves, but also from other congressional committees with Pentagon oversight. ROC_poc From frantz at netcom.com Thu Apr 25 17:56:34 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 25 Apr 1996 17:56:34 -0700 (PDT) Subject: Capability Security in Java Message-ID: <199604260056.RAA00833@netcom9.netcom.com> At 4:38 PM 4/25/96 -0700, Simon Spero wrote: >One thing that could be retroactively added to the vm pretty easily would >be the ability to add capability requirements to methods, and have the >class loader automatically generate code to check for those requirements >before executing the body of the method Now there is a statement that makes me sit up and take notice. I certainly havn't thought this subject thru carefully, but to start, I think I would like capabilities to be held by a specific object, so if I give a Java object permission to read a file, that permission is not automatically inherited by other objects, or instances of the same object which use the common method. There would also have to be a technique where capabilities could be passed from object to object to allow subcontracting. Having the capabilities held by objects means that access the objects needs to be controled as well. I notice some items on Hal's list of Java security problems which indicate weaknesses in this area, but it is not clear if they are bugs (which will be fixed) or "features". Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From Majordomo at toad.com Thu Apr 25 18:25:40 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Fri, 26 Apr 1996 09:25:40 +0800 Subject: Welcome to cypherpunks Message-ID: <199604260125.SAA29798@toad.com> -- Welcome to the cypherpunks mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at toad.com" with the following command in the body of your email message: unsubscribe cypherpunks Cypherpunks Mailing List <cypher at infinity.nus.sg> Here's the general information for the list you've subscribed to, in case you don't already have it: About cypherpunks ----------------- I. Administrivia (please read, boring though it may be) The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. If you don't know how to do something, like unsubscribe, send mail to majordomo at toad.com and the software robot which answers that address will send you back instructions on how to do what you want. If you don't know the majordomo syntax, an empty message to this address will get you a help file, as will a command 'help' in the body. Even with all this automated help, you may still encounter problems. If you get really stuck, please feel free to contact me directly at the address I use for mailing list management: cypherpunks-owner at toad.com Please use this address for all mailing list management issues. Hint: if you try to unsubscribe yourself from a different account than you signed up for, it likely won't work. Log back into your old account and try again. If you no longer have access to that account, mail me at the list management address above. Also, please realize that there will be some cypherpunks messages "in transit" to you at the time you unsubscribe. If you get a response that says you are unsubscribed, but the messages keep coming, wait a day and they should stop. For other questions, my list management address is not the best place, since I don't read it every day. To reach me otherwise, send mail to eric at remailer.net This address is appropriate for emergencies (and wanting to get off the list is never an emergency), such as the list continuously spewing articles. Please don't send me mail to my regular mailbox asking to be removed; I'll just send you back a form letter. Do not mail to the whole list asking to be removed. It's rude. The -request address is made exactly for this purpose. To post to the whole list, send mail to cypherpunks at toad.com If your mail bounces repeatedly, you will be removed from the list. Nothing personal, but I have to look at all the bounce messages. There is no digest version available. There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. Mail to cypherpunks-announce-request at toad.com if you want to be added or removed to the announce list. All announcements also go out to the full cypherpunks list, so there is no need to subscribe to both. II. About cypherpunks The cypherpunks list is not designed for beginners, although they are welcome. If you are totally new to crypto, please get and read the crypto FAQ referenced below. This document is a good introduction, although not short. Crypto is a subtle field and a good understanding will not come without some study. Please, as a courtesy to all, do some reading to make sure that your question is not already frequently asked. There are other forums to use on the subject of cryptography. The Usenet group sci.crypt deals with technical cryptography; cypherpunks deals with technical details but slants the discussion toward their social implications. The Usenet group talk.politics.crypto, as is says, is for political theorizing, and cypherpunks gets its share of that, but cypherpunks is all pro-crypto; the debates on this list are about how to best get crypto out there. The Usenet group alt.security.pgp is a pgp-specific group, and questions about pgp as such are likely better asked there than here. Ditto for alt.security.ripem. The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as "medusa", "pseudospoofing", "treachery", "poison", or "black lies", it's probably him, no matter what the From: line says. The policy is to ignore these postings. Replies have never, ever, not even once resulted in anything constructive and usually create huge flamewars on the list. Please, please, don't feed the animals. III. Resources. A. The sci.crypt FAQ anonymous ftp to rtfm.mit.edu:pub/usenet-by-group/sci.crypt The cryptography FAQ is good online intro to crypto. Very much worth reading. Last I looked, it was in ten parts. B. cypherpunks ftp site anonymous ftp to ftp.csua.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany. There is a glossary there that all new members should download and read. Also recommended for all users are Hal Finney's instructions on how to use the anonymous remailer system; the remailer sources are there for the perl-literate. C. Bruce Schneier's _Applied Cryptography_, published by Wiley This is required reading for any serious technical cypherpunk. An excellent overview of the field, it describes many of the basic algorithms and protocols with their mathematical descriptions. Some of the stuff at the edges of the scope of the book is a little incomplete, so short descriptions in here should lead to library research for the latest papers, or to the list for the current thinking. All in all, a solid and valuable book. It's even got the cypherpunks-request address. IV. Famous last words My preferred email address for list maintenance topics only is hughes at toad.com. All other mail, including emergency mail, should go to hughes at ah.com, where I read mail much more regularly. Enjoy and deploy. Eric ----------------------------------------------------------------------------- Cypherpunks assume privacy is a good thing and wish there were more of it. Cypherpunks acknowledge that those who want privacy must create it for themselves and not expect governments, corporations, or other large, faceless organizations to grant them privacy out of beneficence. Cypherpunks know that people have been creating their own privacy for centuries with whispers, envelopes, closed doors, and couriers. Cypherpunks do not seek to prevent other people from speaking about their experiences or their opinions. The most important means to the defense of privacy is encryption. To encrypt is to indicate the desire for privacy. But to encrypt with weak cryptography is to indicate not too much desire for privacy. Cypherpunks hope that all people desiring privacy will learn how best to defend it. Cypherpunks are therefore devoted to cryptography. Cypherpunks wish to learn about it, to teach it, to implement it, and to make more of it. Cypherpunks know that cryptographic protocols make social structures. Cypherpunks know how to attack a system and how to defend it. Cypherpunks know just how hard it is to make good cryptosystems. Cypherpunks love to practice. They love to play with public key cryptography. They love to play with anonymous and pseudonymous mail forwarding and delivery. They love to play with DC-nets. They love to play with secure communications of all kinds. Cypherpunks write code. They know that someone has to write code to defend privacy, and since it's their privacy, they're going to write it. Cypherpunks publish their code so that their fellow cypherpunks may practice and play with it. Cypherpunks realize that security is not built in a day and are patient with incremental progress. Cypherpunks don't care if you don't like the software they write. Cypherpunks know that software can't be destroyed. Cypherpunks know that a widely dispersed system can't be shut down. Cypherpunks will make the networks safe for privacy. [Last updated Mon Feb 21 13:18:25 1994] From Majordomo at toad.com Thu Apr 25 18:38:05 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Fri, 26 Apr 1996 09:38:05 +0800 Subject: Your Majordomo request results Message-ID: <199604260125.SAA29797@toad.com> -- Your request of Majordomo was: >>>> subscribe cypherpunks Succeeded. Your request of Majordomo was: >>>> end END OF COMMANDS From blake at bcdev.com Fri Apr 26 01:07:19 1996 From: blake at bcdev.com (Blake Coverett) Date: Fri, 26 Apr 1996 16:07:19 +0800 Subject: Mindshare and Java Message-ID: <01BB32F0.873B2240@bcdev.com> > Yes, I had the misfortune to post that skeptical bit at precisely the same > moment that the public press releases were proving me wrong :-( [shrug] Happens to all of us. Sometimes just keeping up on press releases seems to be a full time job. > My source at the PDC indicated that Microsoft was still pushing Visual > Basic, but I'll accept that there's been a change... They are, but not exclusively. They are supporting both JavaScript and VBScript in IE3. For that sort of work I think Basic might be more appropriate anyway. (Added to the fact that they have committed to making the reference source for VBScript available online with a free for whatever you want type of license.) The spin at TechEd last week seemed to be a complete spectrum running C++ -- Java -- VB depending on the desired speed/control vs. easy of development. > Still, integrating Java and Internet browsing into the OS does not bode > well for Netscape. <CRYSTALBALL> My bet is that five years from now Netscape will be remembered as the company that forced MS to give it away for free. </CRYSTALBALL> -Blake (who's keeping all his irons in the fire anyway :-) From jya at pipeline.com Fri Apr 26 01:19:42 1996 From: jya at pipeline.com (John Young) Date: Fri, 26 Apr 1996 16:19:42 +0800 Subject: VENONA followup Message-ID: <199604260215.WAA14321@pipe1.nyc.pipeline.com> Last year DCI Deutch said that as part of the new "openness" for intelligence archives and as followup to the release of VENONA documents, a conference was planned on Soviet intelligence attempts to penetrate the USG in the 1940s and 1950s. (See excerpt below.) Has anyone heard more on this conference? ---------- http://www.odci.gov/cia/public_affairs/speeches/dci_speech_71195. html DCI Speech 7/11/95 DCI John M. Deutch at VENONA Press Conference [Snip] Next year we will sponsor a conference on Soviet Intelligence attempts to penetrate the United States government during the 1940s and 1950s and our efforts to counter those efforts. We hope that all scholars will attend, including Russian scholars. From tcmay at got.net Fri Apr 26 01:51:22 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 16:51:22 +0800 Subject: coderpunks not elite Message-ID: <ada588071e021004fa40@[205.199.118.202]> At 5:14 PM 4/25/96, Hal wrote: >From: tcmay at got.net (Timothy C. May) >> Well, I was not invited to join the elite and secret coderpunks list, but I >> still have some thoughts on coding and, especially, on the opportunities >> offered by Java. > >As far as I know, the coderpunks list is neither secret nor elite. I >joined it about a month ago, andd there wasn't any problem. Just send >mail to majordomo at toad.com saying "subscribe coderpunks". It's just as >easy as cypherpunks. My reference was maybe a tad unfair. It was based on a reading of the hks archives of the coderpunks archives covering the December 1995 foudning. The hks archives no longer being available to me, I can't quote the specific messages, but the secretive and elite nature was discussed in the first dozen or so messages. Widespread knowledge of this list did not become available until February. My conclusion: keeping such a list secret and invitation-only for a couple of months, until L. Todd Masco let the cat out of the bag by announcing that hks was archiving it, is not a "cypherpunkish" thing to do. Having a list oriented toward code is fine, but keeping it elite and secret is a "cabal"-like thing to do. In my opinion, of course. >I do share Tim's concern about the political views of coderpunks >subscribers. Despite the "punks" in the name it seems to be somewhat >more of a mainstream group. Nevertheless I am determined to act as >though the group favors unlimited access to privacy tools by individuals >and to post under that assumption. If it comes to the point that someone >complains there may have to be some air clearing but I don't think it's >likely to come up. I don't disagree _necessarily_ about separate lists. But I think some discussion beforehand would have been nice....were any of you reading this involved in such discussions? I know I wasn't, nor was there any public list discussion that I saw. There are lots of issues we could consider about future directions for our main group, or for sublists, etc. The "by invitation only" nature of the Coderpunks list, at least before the L. Todd Masco announcement of its existence, seems like rather a harsh way of avoiding off-topic posts. It does distress me that the main list is now so bogged down in back-and-forth flames, ad nauseum. And contrary to Perry straw man assertions, I have never argued for this as a desirable thing. My main objection to Perry's objections is that he rarely posts essays or work results, preferring instead to send "perrygrams" stating his unhappiness with some topic. My preference, and I think my posts generally show it, is to avoid "timgrams" saying a topic if off-charter and simply lead by example, as it were, by writing articles and essays I think are germane. Those who don't like my choice of topics are free to delete them. But this is a different thing than saying the current banality of the list discussion is _caused_ by me, as both Perry and Detweiler seem to think is the case. Basic errors of logic covered in Logic 101. >Cypherpunks continues to have a lot of vitality. What I object to most >is the back and forth arguments people get into. I don't mind reading >one message off-topic, but to have the thread drag on for days, with >dozens of messages, is wasteful. People should just make their points >and let them stand. They shouldn't feel they have to keep coming back >and refuting the other guy. I of course agree with Hal on this. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From lzirko at isdn.net Fri Apr 26 01:58:23 1996 From: lzirko at isdn.net (Lou Zirko) Date: Fri, 26 Apr 1996 16:58:23 +0800 Subject: Golden Key Campaign Message-ID: <199604260335.WAA10521@rex.isdn.net> Ok! OK! I expect to get hit for this, but maybe we could set up a graphic on our pages with the "broken Key" from the lower left corner of Netscape to commersate the RSA date. > Date: Thu, 25 Apr 1996 12:08:08 -0700 > From: Hal <hfinney at shell.portal.com> > To: cypherpunks at toad.com > Subject: Re: Golden Key Campaign > From: frantz at netcom.com (Bill Frantz) > > Some people say that the millennium comes on Jan 1, 2000. Others say it > > comes on January 1, 2001. I say it comes on September 20, 2000 when the > > RSA patent expires. > > It is traditional to commemorate big events with annual observances. I > say there's no reason the observances can't predate the event when it is > known in advance. > > So I propose that September 20 be known as Crypto Freedom Day, and an > annual celebration be held on that day. With each year closer to 2000 > the party gets bigger, culminating on the day that the patent actually > expires. We can all run our RSA in three lines of Java that Adam Back > will have prepared, and taste for the first time the freedom which the > rest of the world will have known for the past 17 years. > > Hal > > Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzFseHQAAAEH/2gtDJSlsDvTo7m+Caj5zKuLO4dVl6L9e4xxFOAqKMtkHDIh 2z6NqqGnAKDai3eDXInBuOTGoyb82pkV7wD7naQDx7bppfwmJNguOPvlrErOZHcA NbAkyXCoKHgDxeXLq0MMcyC8+kBxYNKhMPm17g7tny4DKD+fzat4k3UiSAves6Y7 jLgQwwQ7TLYIGg7iPAsbMTnOF5iP51Ib47Ozjb3suJvJjUOTSUdl4V3e9EHWiniH G6kI1cfOdUmLXIgNZ34utTwwb2H/LhEDYrydmXJG6FfUolAThCwCbTG++Hq7/Ywr BOawFj3BhySTvpp/bSCJt1Mz/eELEq9xwQCaVD0ABRG0G0xvdSBaaXJrbyA8bHpp cmtvQGlzZG4ubmV0PokBFQMFEDFsfBcSr3HBAJpUPQEBRHoH/R+rkuMa9Vw+Civd 5QQM0tBMEPDUa7G2qNLKO0FBmVHoqq+VGeD9X2X+EBld0AwuWvshQfsViG2uBNxk Cr44y+Q0tXByCZqR8snTZG12BtFaCZv51XVieo2ygWQdmNp5DyMEyIOXUByORT2m 2Jx2VngcFt5rpzZLRALqwBDkV00Xcm8MPQzqGq8ZQA3nmExQkdpnSJIJX0irWjDM OueDrn9mBz2NwIZmddShYGUdhRXgpLYPHLMpo2fxE0dXiWkaDlyx47k4MIWaDoF4 nnTXxmEcS98AkT2PfqU4dT3UfZpZnHqkWQ7d4JqvXs9RmmH9K/NyBB+LykOvA1/t W6deAaWJAJUDBRAxbHtD30Eh39zrXZUBAYPsA/0dIEjlSuc8wrX5KJzAhXqUKBbg e3toQJk8RZwm4f80SC2DopEXYdmwAVrhOou7vezeu29mYVunKaDKg5xjnUfVR1WS ZXy54ZfYEG4Zrdi4vJgydb96AwoF3VAYyAbV45XBTfy3ujZjZRxpZS96X7iKk+6l quslrTmMFLhju4vWKw== =wksf -----END PGP PUBLIC KEY BLOCK----- From hfinney at shell.portal.com Fri Apr 26 02:16:11 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 26 Apr 1996 17:16:11 +0800 Subject: US law - World Law - Secret Banking Message-ID: <199604260406.VAA07851@jobe.shell.portal.com> Another thing Baker said in that report about Japanese crypto policy was interesting. He was talking about key escrow and how he thought the Japanese discussions about it were on the wrong track. Apparently the Japanese idea of key escrow combines it with a government Certification Authority (CA) infrastructure. You get certified keys which you will use in commerce, and these keys are escrowed. (Japan is not showing much enthusiasm for the escrow idea, to Baker's displeasure, but they are discussing it.) Baker's problem was that the keys would be used for signing as well as for encryption. He said that in the U.S. they had been careful to separate these functions in their plans. That's why we have DSS for signatures and Clipper (Capstone, Skipjack, etc.) for encryption. Only the Clipper keys get escrowed. The DSS keys are kept private. The problem with using one set of keys for both functions (as for example when RSA keys are used for both encryption and signing a la PGP) is that the escrow people can not only defeat encryption, they can forge signatures. If escrowed keys were stolen, not only would privacy be lost but also the reliability of signatures. Now at first this seems strange. Why would it be more of a problem that a broken escrow could forge signatures than break privacy? Well, from the corporate point of view it could be a lot worse. When you get a signature on a business document you want to be able to trust it. If a company can hope to get out of a commitment by saying that hackers must have broken in and stolen the keys, the value of digial signatures is much reduced. Privacy, on the other hand, at least from the point of view of someone like Baker, is not as important. His people eavesdropped all the time, and it wasn't that bad. So from his perspective it is reasonable that a possibly insecure escrow system is acceptable for encryption, but not for signatures. And that is apparently a principle behind the US crypto policies as they have unfolded over the last few years. This may shed light on the battle a few years back over whether RSA signatures would be adopted as the digital signature standard rather than the discrete log system which was finally chosen. It also suggests that the government has long realized the difficulties of keeping the escrowed key database secure. Hal From tcmay at got.net Fri Apr 26 02:27:17 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 17:27:17 +0800 Subject: Mindshare and Java Message-ID: <ada599332402100402fc@[205.199.118.202]> At 1:45 AM 4/26/96, Blake Coverett wrote: >> Still, integrating Java and Internet browsing into the OS does not bode >> well for Netscape. > ><CRYSTALBALL> >My bet is that five years from now Netscape will be remembered as the >company that forced MS to give it away for free. ></CRYSTALBALL> > >-Blake (who's keeping all his irons in the fire anyway :-) I tend to agree with Blake on this, as one might expect. Speaking as a longterm Mac user, I certainly feel no compulsion to drop my Mac/Netscape package and switch to Microsoft. Bundling Java in with Windows (which actually was reported as long ago as last Friday, on C/NET's page, http://www.cnet.com/) may be a near-necessity for Microsoft, and for other OS vendors. Apple is also reported to be planning to make its next OS major release, "Copeland," an "Internet-savvy" release. Its "CyberDog" (dumb name) will be bundled with Java as part of Copeland. Metrowerks (the Code Warrior people) is said to be a partner in this. Symantec's "Cafe" JIT compiler for Java is reported to have a 13x speedup over JDK code, and is only slightly slower than compiled C code. Borland is also working on JIT stuff, reportedly for Sun itself. How it all shakes out remains unclear, but I stand by my "mindshare" point of view, that Java is fast-becoming a lingua franca for Web-centric use. (C certainly was, in a different sense, not for cross-platform easy use.) I'll bet, however, that Microsoft will not be "winner-take-all" in this. They're doing some impressively nimble rearrangements of plans, but there is little indication they'll be able to dominate things. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Fri Apr 26 02:40:35 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 26 Apr 1996 17:40:35 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <199604260403.VAA23917@netcom9.netcom.com> > The Washington Post, April 25, 1996, p. A12. > > > Israelis Eye U.S. Laser As Anti-Rocket Defense > > 'Nautilus' Beam Burns Surface of Weapon > > By John Mintz > >... > Moreover, a laser shot costs $3,000, compared to several > million dollars for a missile. Army officials envision the > Nautilus would be beamed from a truck capable of firing 50 > shots before requiring more laser material. Does anyone have any idea what "more laser material" means? ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ses at tipper.oit.unc.edu Fri Apr 26 02:52:30 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Apr 1996 17:52:30 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.GUL.3.93.960425164813.27532L-100000@Networking.Stanford.EDU> Message-ID: <Pine.SOL.3.91.960425210631.23458A-100000@chivalry> On Thu, 25 Apr 1996, Rich Graves wrote: > In my fantasy world, I'm not asking you to verify signatures every time > you run something. Maybe you can tune how often you want stuff checked, so > you have a tradeoff between security and performance. In SolidOak, the verification is more or less free of charge, as it runs the signature code in a separate low priority thread, which often gets to complete during network induced latencies when fetching sub-classes, which can be initiated on class download before the code is instantiated.It also allows multiple classes to verified with just one PKOP, so the cpu cost is amortised over a lot of stuff Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Fri Apr 26 03:48:46 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 18:48:46 +0800 Subject: Capability Security in Java Message-ID: <ada5a45428021004a064@[205.199.118.202]> At 12:58 AM 4/26/96, Bill Frantz wrote: >At 4:38 PM 4/25/96 -0700, Simon Spero wrote: >>One thing that could be retroactively added to the vm pretty easily would >>be the ability to add capability requirements to methods, and have the >>class loader automatically generate code to check for those requirements >>before executing the body of the method > >Now there is a statement that makes me sit up and take notice. I certainly >havn't thought this subject thru carefully, but to start, I think I would >like capabilities to be held by a specific object, so if I give a Java >object permission to read a file, that permission is not automatically >inherited by other objects, or instances of the same object which use the >common method. > >There would also have to be a technique where capabilities could be passed >from object to object to allow subcontracting. ... There are two major security enhancements of a "fundamental nature" that are being discussd, that I know of: 1. Sun and JavaSoft are talking about "signed classes," using full-blown digital signatures, in a future release. Some of the Java developers talked at a Cypherpunks meeting last June or so about this (before Java became so hot and they would only speak at Moscone Center before crowds of 1000 and up). 2. Electric Communities has developed a superset of Java called E, available for downloading and whatnot at http://www.communities.com/. It offers a set of capability-based security features which are quite interesting. (Several Cypherpunks work at EC, of course.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Fri Apr 26 03:58:27 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 18:58:27 +0800 Subject: US law - World Law - Secret Banking Message-ID: <ada59fc1270210048d39@[205.199.118.202]> On the issue of "money leaving the country illegally" (the general notion that people taking money out of the country in suitcases or in charged-up smartcards are doing something Evil and Unclean). Just as we (and Phil Zimmermann, who widely made this point) were able to convince a lot of people about strong crypto by talking about "sealed letters" vs. "postcards," so, too, do we need to make the same points about "untraceable cash flows" and even about "taking money out of the country." I imagine this conversation with my father: Dad: "But if the government needs to trace the spending of illegal money, then these anonymous transfers you've been telling me about need to be outlawed." Me: "Can the government track that $100 you spent last week? Should it?" Dad: "Well, no, that's my money and it's none of the government's damned business what I spend it on." Me: "So, we agree." Dad: "Well, but the drug dealers have to be tracked." Me: "First, the drug dealers are likely dealing in such mega-quantities that they'll simply find compliant banks and other ways to hide the transfers. It's unlikely that any of the proposed tracking schemes will be effective. Second, how can the government possibly know which funds are drug-related and which are not? Their scheme involves sacrificing fundamental liberties for the dubious possibility that _some_ drug dealers will be caught. Random raids on houses would probably work better, but of course would be just as unconstitutional." Dad: "But then what do we do about the drug dealers?" Me: "You and me don't do drugs. So what's the problem?" Dad: "But..." Me: "Name a drug that kills more people per year than alcohol. Or nicotine." Dad: "Well...." [My father, at age 72, has come around to the "legalize all drugs" position, a view also supported by noted thinkers and former politicians, including former Secretary of State George Schulz (or Shultz, or some variant).] I 'm convinced that a similar argument applies to those transferring funds. Many funds transfers are not even tax evasion; I am one of many people who are researching ways to expatriate some or all of my funds to jurisdictions friendlier than the U.S. So long as I fill out the proper boxes on my 1040, and pay appropriate taxes, I am committing no crime by moving my wealth to some other country. Those on the list about a year or so ago may recall that there are proposals to in fact impose a "capital flight tax." This would make the U.S. a country very much like the former Soviet Union, which forbade such transfers of wealth without payment of heavy taxes. The recent FinCEN-friendly conference in San Francisco raised the alarm about digital cash and smartcards being used to make money transfers easier. Horrors! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Fri Apr 26 04:07:00 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Fri, 26 Apr 1996 19:07:00 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <199604260554.WAA05440@dns1.noc.best.net> >> The Washington Post, April 25, 1996, p. A12. >> >> Army officials envision the >> Nautilus would be beamed from a truck capable of firing 50 >> shots before requiring more laser material. At 09:05 PM 4/25/96 -0700, Bill Frantz wrote: > Does anyone have any idea what "more laser material" means? It is a chemically pumped laser. The lasing material is driven to population inversion by a shock wave passing through explosive material. There is a loud bang, and all the optics go to hell for a while. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From furballs at netcom.com Fri Apr 26 04:33:50 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Fri, 26 Apr 1996 19:33:50 +0800 Subject: trusting the processor chip In-Reply-To: <m0uCa4r-00094aC@pacifier.com> Message-ID: <Pine.3.89.9604252347.A18926-0100000@netcom13> On Thu, 25 Apr 1996, jim bell wrote: > At 01:53 PM 4/25/96 -0400, Jeffrey C. Flynn wrote: > > >I received several responses to this question. My favorite was as follows... > > > >>This is probably science fiction, particularly at the VHDL level. > >>Maybe someone could make a crime of opportunity out of a microcode > >>flaw, but there's a risk of it being found out during testing. > >> > >>To do it right would require collusion of the design and test teams. > >>They need to ensure the back door stays closed, isn't tickled by > >>"normal" testing and only opens when really requested. So a lot of > >>people are in on the secret even before it gets exploited for > >>nefarious purposes. > >> > >>And what nefarious purposes would pay for the risks and costs of this? > >>If the secret got out, the design team, product line, and company > >>would be dead in the marketplace and probably spend the rest of their > >>lives responding to lawsuits. What could you use this for that is > >>worth the risk? > > This analysis seems to assume that the entire production run of a standard > product is subverted. More likely,I think, an organization like the NSA > might build a pin-compatible version of an existing, commonly-used product > like a keyboard encoder chip that is designed to transmit (by RFI signals) > the contents of what is typed at the keyboard. It's simple, it's hard to > detect, and it gets what they want. > > Jim Bell > jimbell at pacifier.com > > This is getting more rediculous by the minute. If NSA wanted to find out what you were typing, they dont need to subvert microcode or chips on the board. Unless you have a tempest device - all they have to do is pull RF from your vicinty and they can *see* just exactly what your typing. >From the powerline, from the air - choose your poison. ...Paul ------------------------------------------------------------------------- "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everybody gets busy on the proof" -- John Kenneth Galbraith "Success is attending a funeral as a spectator" -- E. BonAnno ------------------------------------------------------------------------- From mpd at netcom.com Fri Apr 26 04:33:55 1996 From: mpd at netcom.com (Mike Duvos) Date: Fri, 26 Apr 1996 19:33:55 +0800 Subject: The Joy of Java Message-ID: <199604260527.WAA02314@netcom8.netcom.com> > "Krakatoa--East of Java" An excellent Rant in which our Titular Leader, Tim May, sings the praises of Java and denounces an evil sect of Crypto Separatists, the self-described "Coderpunks." > Well, I was not invited to join the elite and secret > coderpunks list, but I still have some thoughts on coding > and, especially, on the opportunities offered by Java. Sorry > if this interferes with discussions of Rabbi Heir and Morris > Dees. Given the various parameters which determine the life and death of mailing lists, I fully expect Coderpunks to become moribund within six months, and its members to reunify with this list. Very few of these "I'm going to start my own list with less noise" adventures ever make it long term, absent the personalities and critical mass of interesting information which drove the list they spun off from. > 1. Java is of course not a perfect language, nor even the > best for specific applications. Other languages will > continue to thrive. Critics of the language and related > items (applet model, JDK, JITs, etc.) may point to various > problems (e.g. security). > 2. However, the "big picture" is compelling. Java arrives > at a time when a Babel of languages and platforms threatens > interoperability. C++ is despised by many (though, to be > fair, liked by many, too), and developers are adopting > Visual Basic (and the vbx widgets, etc.), PowerBuilder, > Delphi, flavors of Smalltalk (no pun intended), and > scripting languages (Perl, TCL, Python, etc.). I completely agree with this. Java incorporates the type of automatic corruption-proof memory management found in languages like APL, the basic notions of object oriented programming, fast dynamic linking, and a C-like program structure. This is powerful combination of features and gives Java the potential to do all the platform-independent things that were advertised for C before the rude reality of thousand line makefiles reared its ugly head. . The complete specification of the Java Virtual Machine means that the behavior of Java programs is perfectly well-defined, and one does not have to tweek anything which is processor or operating system dependent. In the future, I expect Java bytecode to become a significant channel for the distribution of popular applications, with compilation to fast native code on numerous platforms. Java is clean, and its concepts are easily understandable even by persons whose eyes glaze over after the first 30 pages of the C++ manual. > 4. What is so compelling, to me, is that Java programs have > an excellent chance of running on various flavors of Unix, > on Windows-95 and NT systems, on Macs, and on other systems > without changes, and without any special compilers bought by > the users! (Netscape browsers, and even Microsoft browsers, > are able to view applets, or soon will be. And cheap or free > applet viewers are available.) Expect NT to be a Unix-killer in the future. It can be ported to any machine, and its microkernel client-server design with pluggable third-party APIs permits it to manifest simultaneously the personalities of numerous different operating systems. Contrast this with the many different binary incompatible Unix flavors and its marketing advantage becomes clear. NT sales just broke one billion per year and are climbing steadily. NT and Java will be the big players in the future. If Netscape becomes its own OS, requiring no Microsoft software, it will probably capture the low-end "Web TV" market. > 6. One can imagine several applets of interest to > Cypherpunks. The ability to fairly transparently run them on > multiple platforms, effectively bypassing the platform > dependencies, is very important. Check out Hal Finney's site > for some "crytographic primitive" applets he's written. Indeed. One can imagine a nice set of Java classes and methods which interoperates with PGP, and has none of the fixed buffer allocation, limits, and awkward memory management present in PGP. Java tends to do the kinds of things PGP does very cleanly, and implementors can worry about the algorithms without being distracted by housekeeping. Any code produced can instantly be used by others in their applications. This is a powerful paradigm, encourages others to expand on existing work, and renders kludges like "PGPTools" unnecessary. > 10. "Mindshare" is the real story. Java arrives at the > right time. Cypherpunks needs--those needs that go beyond > just the "sealed envelopes and signatures" level which PGP > provides so well--are likely to fit in with this Net-centric > communications model. (I'm already thinking in terms of Java > applets for building blocks for Cypherpunk sorts of things.) Java Applets, mobile crypto agents, and the new Web-centric view of cyberspace will go a long way towards encouraging the planet-wide use of strong crypto, as well as effectively swatting annoying mosquitos like ITAR. Indeed, with Java, I can put up a Web page which teaches someone about a cryptographic algorithm, allows him to try it out and run sample data through it, and provides him with a platform-independent implementation of it to use as he wishes. All in one fell swoop. That's a pretty powerful concept. Java has come at the right time, and it will produce chaotic change in the existing order. Should be interesting. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ses at tipper.oit.unc.edu Fri Apr 26 04:49:16 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 26 Apr 1996 19:49:16 +0800 Subject: [NOISE] What is "laser material"? In-Reply-To: <199604260403.VAA23917@netcom9.netcom.com> Message-ID: <Pine.SOL.3.91.960425224319.23458D-100000@chivalry> �On Thu, 25 Apr 1996, Bill Frantz wrote: > >... > > Nautilus would be beamed from a truck capable of firing 50 > > shots before requiring more laser material. > > Does anyone have any idea what "more laser material" means? I think it's something nasty like a flouride of some kind (I seem to remember reading that the biggest problem with anti-missile lasers has been stopping them frm disolving the pongos firing it. Definitely sounds nice if it works. I've had scuds fired at me and I didn't enjoy it :) --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Fri Apr 26 05:04:34 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 20:04:34 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <ada5ab6d290210044b66@[205.199.118.202]> At 4:05 AM 4/26/96, Bill Frantz wrote: >> Moreover, a laser shot costs $3,000, compared to several >> million dollars for a missile. Army officials envision the >> Nautilus would be beamed from a truck capable of firing 50 >> shots before requiring more laser material. > >Does anyone have any idea what "more laser material" means? > Sure, most high-power lasers like this are chemical lasers, consuming reactive materials. (This is not the same as "gas lasers," a la the early CO2 lasers. And of course ruby and Nd-YAG lasers are not what is meant here, either.) P.S. I don't place much faith in laser weaponry. Some obvious countermeasures are: spin the projectile to minimize heating of any one spot, determine the wavelength of the planned laser and coat the projectile with a suitably reflective coating, apply ablative layers that can burn off without harm, etc. Such countermeasures are of course well-known to the laser builders, but they still make the game much tougher. All a matter of attack and counter-attack, and the costs of each. Like castles and siege engines. Or like crypto. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From declan+ at CMU.EDU Fri Apr 26 05:53:26 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 26 Apr 1996 20:53:26 +0800 Subject: Guardian angels, anonymity, and the decency brigade Message-ID: <UlU6CG_00YUuEDpc4t@andrew.cmu.edu> Attached is a message from the CyberAngels asking for rating volunteers. Jim Thomas published a fascinating and illuminating article documenting the seamier side of these self-appointed net.vigilantes in the Computer underground Digest earlier this year. (I vaguely remember some legal threats soon afterwards.) Their authoritarian and anti-privacy leanings are clear in their FAQ, at <http://www.safesurf.com/cyberangels/>: 9) What kinds of changes would the Guardian Angels / CyberAngels like to see? a) We would like to see an improvement in User identification. User ID is impossible to verify or trace back. The very anonymity of Users is itself causing an increase in rudeness, sexual abuse, flaming, and crimes like pedophile activity. We the Net Users must take responsibility for the problem ourselves. One of our demands is for more accountable User IDs on the Net. When people are anonymous they are also free to be criminals. In a riot you see rioters wearing masks to disguise their true identity. So much for anonymous remailers! But the CyberAngels, in a fit of almost painful hypocrisy, use anonymous remailers themselves, as Charles Platt recounts in his book _Anarchy Online_ (their web page also says how these virtues remain anonymous online): How would this decency crusade actually work in practice? Well, later in 1995, one net user received the following not-very-friendly, not-very-literate warning, sent via an anonymous remailer: The Net is out of control, sex crimes, hate crimes and felonies. Just as on the streets, CyberCrime is committed by a minority of criminals who destroy the quality of life for an innocent majority. And just like on the streets the Guardian Angels will combat it. We have good reason to believe that you are involved in unlawful, harmful, hateful, threatening and/or harassment, particularly relating to minors. We will be watching you. The netizen who found this in her mailbox was baffled and irritated. She had no idea what she'd done to provoke the warning, and since the message was anonymous, there was no way to _find out_ what she was supposed to have done. By November, the Angels claimed they had 200 volunteers working for them, busily searching for bad guys on the net. "We have reported a number of Child Pornographers (50) to Sysadmins [system administrators] this month," Colin Hatcher noted, although he was no longer signing his real name to his progress reports, perhaps in fear of reprisals from angry pedophiles. "Letters we have received back all share our concern and promise stern action. Remember, each electronic image represents a real life destroyed." [...] Some net users wondered, though, if Hatcher was qualified to draw a dividing line between good and bad, let alone ugly. They also worried that decency vigilantes might have a chilling effect on freedom of speech. A student at Rutgers University complained that some of the Angels' public statements "are threats to violate the civil liberties of users of the Internet." In addition, he said, "the record of the Guardian Angels suggests that they will step over even the bounds that they publicly set for themselves." And, as Steven Levy wrote in Newsweek last October: "After the issue of child safety in cyberspace came up on his radio talk show, [Curtis] Sliwa decided to pursue in his usual high-profile fashion... Though the CyberAngels cannot document a single case where one of their numerous reports led directly to an arrest, they have compiled a fat file of press clippings." In the attached piece, the Angels hold themselves up as the arbiter of what is appropriate for kids or not under the Safesurf system. So far so good -- but what criteria do they use when checking to see if a site is "genuinely kidsafe?" Where is it documented and published? What training do their self-selected vigilantes have? Will the cypherpunks list be blocked when we have messages like this one on it: http://www.cs.cmu.edu/~declan/rimm/asst/anti_porn_group_11_22_94.letter -------------------------------------------------------------------------- Those orphan kids in the terminally ill section of the hospital are so fun at night when they are drugged out. I love sucking on their tiny finger-sized cocks and probing their tight holes. Their slender little bodies are completely smooth. They're going to die pretty soon so they won't come back to me several years from now as hairy grown up men blaming me for why they are all mentally messed up. And since they are orphans with no one to look over them except for overworked staff, I could get away with just about anything. Since blocking software like Safesurf and SurfWatch is central to our case challenging the CDA, I believe we should support that software and PICS-like third paty rating systems. Fortunately, that doesn't mean we have to accept or support the efforts of their unfortunate and intemperate net-vigilante allies. But I still want to help rate some web pages, so ---- "Gabriel," I want to be a CyberAngel. Sign me up! -Declan (now a CyberSeraphim) ---------- Forwarded message ---------- Date: Thu, 25 Apr 1996 19:11:16 -0700 From: angels at wavenet.com Subject: ALERT FOR 20 VOLUNTEERS! APPEAL FOR VOLUNTEERS Hi again everyone. I have a project that requires 20 volunteers. Read on! Most of you I hope are familiar with Safesurf - if not go visit them at http://www.safesurf.com Safesurf are not a commercial software company but are a kidsafe organization who are very involved in the ratings issue for kids and adult material on the Net. Safesurf are also our allies, and it is thanks to them that we have our website at all as it was a donation from Ray and Wendy at Safesurf. Safesurf have a very positive approach to the screening debate - they have developed a rating system whereby instead of spending time rating adult sites you focus instead on rating the kids sites. Then your screening software only allows you to visit sites with the Safesurf rating on it. This is an excellent concept, not least because it doesn't then matter if new sites come onto the web that are not rated yet, because nothing can be included in your screened browser unless it registers itself as kidsafe by marking its site with a safesurf rating mark. Don't worry about my ramblings - just go to their site and read up on it. It's a really positive concept and has been adopted by a lot of sites already. Adopting the Safesurf mark is voluntary and means that you are identifying your site as suitable for e.g. kids. Now here comes the appeal. Several thousand sites have already marked themselves as Safesurf rated - and more are registering every day. The question is - what is to stop a site registering as a kidsafe site, but in reality being an adult site? The Safesurf rating method is that sites can obtain the rating from the Safesurf site and then write in and register themselves. Isn't it possible that a site could claim to be kidsafe but in reality was adult? The answer is yes. So how can Safesurf be sure that sites registered with them are indeed genuinely kidsafe? Simple - someone has to go and check out all the sites who register with Safesurf. Ray had a proposal for me. How about if we could say that all these sites were "Rated by Safesurf, and patrolled by CyberAngels"? I thought that was a great idea - for we CyberAngels to help Safesurf in this way, by checking their sites for them. Ray is proposing to send me 200 sites a week to check out and we will share them out to a CyberAngels team of 20 volunteers - that means that each one of us would volunteer to check out 10 sites per week. Easy right? I want to make something very clear - Safesurf are not a rich commercial company making money from rating sites. They are not selling software and their rating code is free to anyone who wants it. So it's not like they can hire 20 people and pay them to patrol the Safesurf Intranet - it's a volunteer job. So there you are - I am looking for 20 CyberAngel volunteers to make up a regular Safesurf "Intranet" Patrol, with the mission to visit 10 URLs a week and make sure that they are what they say they are. Who's ready? Once I have the team established I will then brief you all on how we do this. Write to me as soon as possible if this interests you. Let's show Safesurf how much we support their positive stand for our InterNet kids! I will take the first 20 volunteers who contact me (yes you will be suitably honored - publicly if you so choose!) Gabriel From jimbell at pacifier.com Fri Apr 26 06:32:06 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 26 Apr 1996 21:32:06 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <m0uCiBY-00094cC@pacifier.com> At 09:05 PM 4/25/96 -0700, Bill Frantz wrote: >> The Washington Post, April 25, 1996, p. A12. >> >> >> Israelis Eye U.S. Laser As Anti-Rocket Defense >> >> 'Nautilus' Beam Burns Surface of Weapon >> >> By John Mintz >> >>... >> Moreover, a laser shot costs $3,000, compared to several >> million dollars for a missile. Army officials envision the >> Nautilus would be beamed from a truck capable of firing 50 >> shots before requiring more laser material. > >Does anyone have any idea what "more laser material" means? Hydrogen and fluorine, possibly. Some of the more energetic lasers use this combination. Jim "He only talks about one thing" Bell jimbell at pacifier.com From cp at proust.suba.com Fri Apr 26 07:13:24 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Fri, 26 Apr 1996 22:13:24 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <199604252321.QAA17568@jobe.shell.portal.com> Message-ID: <199604260650.BAA11550@proust.suba.com> > In the United States and Europe, encryption policy is formed by a mix > of interests. Advocates of business, national security agencies, and > more recently the police -- all play a large role in the policy > debate. Someone's conspicuously absent here: us. The interests of citizens aren't taken into account, and the notion that civil liberties are relevant to the crypto debate is alien to NSA thinking. This is why the "golden key" campaign is important. Right now, in the short term, the interests of big business and our interests as citizens coincide. They have an acknowledged seat at the table, while we do not. This is not to say that we aren't playing a role -- a big role -- in the policy debate, despite what the NSA lawyer said. We (well, actually some of you) are demonstrating to corporate customers that they need strong crypto. Business is listening to us, and the government is listening to business. Nobody is paying any attention at all to the blue ribbons, though. As long as companies like Netscape continue to support open standards, we'll come out ahead if they pursue their own narrow interests. From ml3e+ at andrew.cmu.edu Fri Apr 26 07:49:06 1996 From: ml3e+ at andrew.cmu.edu (Michael Loomis) Date: Fri, 26 Apr 1996 22:49:06 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <ada59fc1270210048d39@[205.199.118.202]> Message-ID: <UlU8SES00iWV80j2lz@andrew.cmu.edu> Excerpts from internet.cypherpunks: 25-Apr-96 Re: US law - World Law - Se.. by Timothy C. May at got.net > I 'm convinced that a similar argument applies to those transferring funds. > Many funds transfers are not even tax evasion; I am one of many people who > are researching ways to expatriate some or all of my funds to jurisdictions > friendlier than the U.S. So long as I fill out the proper boxes on my 1040, > and pay appropriate taxes, I am committing no crime by moving my wealth to > some other country. > > Those on the list about a year or so ago may recall that there are > proposals to in fact impose a "capital flight tax." This would make the > U.S. a country very much like the former Soviet Union, which forbade such > transfers of wealth without payment of heavy taxes. I have been reading this list to get an idea where Declan gets some of his lunatic ideas and what Rich Graves says when he is not up to Holocaust fetishism. Despite Timothy's claim to the contrary, it seems that the basic point of this list is some libertarian notion that tax evasion is a good thing. While I am not clear how serious of threat, if one at all, to a system of fair taxiation, since much of the talk could be simply bluff, I have been made glad for the first time for the War on Drugs. This silly war--tragic in terms of its economic cost and its assault on liberty--at least has forces some government agencies to take you seriously enough to figure out how to derail your plans of tax evasion. Michael Loomis From pmonta at qualcomm.com Fri Apr 26 08:01:32 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Fri, 26 Apr 1996 23:01:32 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <199604260734.AAA05221@mage.qualcomm.com> > Does anyone have any idea what "more laser material" means? Well, you see, the lasing species is set in an argon matrix (yes, it's an excimer!); once the argon has evaporated, you need another rod. :-) Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From angels at wavenet.com Fri Apr 26 08:05:10 1996 From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) Date: Fri, 26 Apr 1996 23:05:10 +0800 Subject: Guardian angels, the decency brigade, and cyberseraphim Message-ID: <v01510104a9e0b3478ea3@[198.147.118.152]> Thanks Declan for forwarding your letter to me. I'll answer some of the points you refer to: >So much for anonymous remailers! But the CyberAngels, in a fit of almost > painful hypocrisy, use anonymous remailers themselves, as Charles Platt >recounts in his book _Anarchy Online_: Some of our members use anon remailers (although strictly speaking they are pseudo anon remailers and therefore the user can be traced). These are members who are also supporters of privacy and anonymity online. I do myself use an anon remailer. There is nothing hypocritical about it at all. We are not proposing to ban anon remailers, we are simply concerned about the abuse of them. > > How would this decency crusade actually work in > practice? Well, later in 1995, one net user received the > following not-very-friendly, not-very-literate warning, sent > via an anonymous remailer: > > The Net is out of control, sex crimes, hate crimes > and felonies. > Just as on the streets, CyberCrime is committed by > a minority of criminals who destroy the quality of life > for an innocent majority. And just like on the streets > the Guardian Angels will combat it. > We have good reason to believe that you are > involved in unlawful, harmful, hateful, threatening > and/or harassment, particularly relating to minors. We > will be watching you. This message was not from our organization at all. Surely you have heard of impersonation? The oldest trick in thebook. > > The netizen who found this in her mailbox was baffled > and irritated. She had no idea what she'd done to provoke the > warning, and since the message was anonymous, there was no > way to _find out_ what she was supposed to have done. Just goes to show what happens when people abuse anon remailers, right? But it was not me. > By November, the Angels claimed they had 200 volunteers > working for them, busily searching for bad guys on the net. > "We have reported a number of Child Pornographers (50) to > Sysadmins [system administrators] this month," Colin Hatcher > noted, although he was no longer signing his real name to his > progress reports, perhaps in fear of reprisals from angry > pedophiles. LOL, Gabriel is my nickname! I think the writer is thinking too hard about conspiracies... >And, as Steven Levy wrote in Newsweek last October: "After the issue of >child safety in cyberspace came up on his radio talk show, [Curtis] >Sliwa decided to pursue in his usual high-profile fashion... Though the >CyberAngels cannot document a single case where one of their numerous >reports led directly to an arrest, they have compiled a fat file of >press clippings." People also wish to evaluate the work of the Guardian Angels by asking how many arrests we have made. But this misses the point of the work entirely. We do not patrol to make arrests. We patrol to help others. And a good patrol means that nothing happens. As for press, we didnt even send a press release until 4 months after we started, and then only to announce our website. And we've only sent one more press release out since then. We do believe however that we have helped to bring the issue of children and the Internet to the forefront and that is a good thing too. > >In the attached piece, the Angels hold themselves up as the arbiter of >what is appropriate for kids or not under the Safesurf system. >So far so >good -- but what criteria do they use when checking to see if a site is >"genuinely kidsafe?" Where is it documented and published? What training >do their self-selected vigilantes have? The Safesurf system is a voluntary rating system that URLs undertake themselves. If you want to know more about the criteria you should check out Safesurf themselves at http://www.safesurf.com >Will the fight-censorship list >be blocked when we have messages like this one on it: > > http://www.cs.cmu.edu/~declan/rimm/asst/anti_porn_group_11_22_94.letter > -------------------------------------------------------------------------- > Those orphan kids in the terminally ill section of the hospital are so fun > at night when they are drugged out. I love sucking on their tiny > finger-sized cocks and probing their tight holes. Their slender little > bodies are completely smooth. They're going to die pretty soon so they > won't come back to me several years from now as hairy grown up men blaming > me for why they are all mentally messed up. And since they are orphans > with no one to look over them except for overworked staff, I could get > away with just about anything. Why ask? Clearly a site with a message like this would not be suitable for children to read. That would be an adult site rating. > >Since blocking software like Safesurf and SurfWatch is central to our >case challenging the CDA... Safesurf does not make software. It's not a software manufacturer at all. >Fortunately, that doesn't mean we >have to accept or support the efforts of their unfortunate and >intemperate net-vigilante allies. >But I still want to help rate some web pages, so ---- "Gabriel," I want >to be a CyberAngel. Sign me up! > >-Declan (now a CyberSeraphim) Declan I'm sorry to be the bearer of bad news but since you clearly are hostile to our mission I see no reason why we should invite you to help us. Of course you could always sign up as an anonymous volunteer from an anon remailer , or from another account, and pretend to believe in what we are doing ;) CyberAngels is about self-regulation. Let us not confuse the fight against internet crime with the criminalization of free speech. We propose the former not the latter. Gabriel ************************************************************************* "All that is required for the triumph of evil is that good men and women remain silent and do nothing" (Edmund Burke) "Congress shall make no law respecting an establishment of religion or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble and to petition the Government for a redress of grievances." (US First Amendment to the Constitution) "Those who sacrifice security for freedom, will have neither" ************************************************************************** From tcmay at got.net Fri Apr 26 08:16:18 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 23:16:18 +0800 Subject: The Joy of Java Message-ID: <ada5c3312c021004e096@[205.199.118.202]> At 5:27 AM 4/26/96, Mike Duvos wrote: >I completely agree with this. Java incorporates the type of >automatic corruption-proof memory management found in languages >like APL, the basic notions of object oriented programming, fast >dynamic linking, and a C-like program structure. > >This is powerful combination of features and gives Java the >potential to do all the platform-independent things that were >advertised for C before the rude reality of thousand line >makefiles reared its ugly head. . The complete specification of >the Java Virtual Machine means that the behavior of Java programs >is perfectly well-defined, and one does not have to tweek >anything which is processor or operating system dependent. Let's hope that this is really true. Your point about C is an excellent one, as certainly the "lingua franca" of C pretty much failed, except when enough work was done to properly port an application. (However, the bytecode/JVM approach exacts some performance penalty, albeit partially ameliorated with JIT compilers that are likely to be widely available. Some apps will just have to be tuned for speed. But when I look at most crypto apps such as we are ultimately interested in--digital money, mixes, crypto protocol building blocks, etc.--I see that first and foremost they aren't getting done and distributed. The applet model looks pretty good here.) >In the future, I expect Java bytecode to become a significant >channel for the distribution of popular applications, with >compilation to fast native code on numerous platforms. One interesting remark I read from someone was that the Java distribution model returns us to an era of easier distribution of small programs. The "application bloat" of very large programs may be at least partly fixed. We'll see. >Java is clean, and its concepts are easily understandable even by >persons whose eyes glaze over after the first 30 pages of the C++ >manual. My background in programming was in Lisp when I was with Intel (I started Intel's AI lab and was the first person to look at neural nets for them), and then Smalltalk for "fun." But, like I said recently, I knew that Smalltalk had about zero chance of becoming widely used, despite fairly impressive year-to-year growth rates. (I also got Lightspeed C in '86, but barely played with it over the years...good intentions, though.) Anyway, Mike is right that Java is a lot of fun. Enough good OO stuff to keep Smalltalk folks happy, but with familiar C syntax. And going to garbage collection/eliminating pointers is a major plus for reducing errors and headaches. A huge number of books are hitting the shelves. Besides the "Teach Yourself Java in 21 Days" book, I really like "Core Java," a hefty tome with lots of asides about how Java compares to C, C++, Lisp, and Smalltalk, and with more of the "rationale" than most of the other books. The "Java in a Nutshell" book is also well-regarded. And Peter van der Linden's "Just Java" is good. (These are the four I have, and my eyes haven't been glazing over yet.) Gosling's book arrives soon. I looked at an advanced draft and it looks excellent, too. >Java Applets, mobile crypto agents, and the new Web-centric view >of cyberspace will go a long way towards encouraging the >planet-wide use of strong crypto, as well as effectively swatting >annoying mosquitos like ITAR. > >Indeed, with Java, I can put up a Web page which teaches someone >about a cryptographic algorithm, allows him to try it out and run >sample data through it, and provides him with a >platform-independent implementation of it to use as he wishes. >All in one fell swoop. That's a pretty powerful concept. > >Java has come at the right time, and it will produce chaotic >change in the existing order. > >Should be interesting. I agree with all of Mike's points. Interestingly, I've been having an e-mail dialog with a friend who avers that Java is just another temporary fad, just another ho-hum interpreted language. He claims that Perl and TCL were similar fads, and didn't change the world. I disagree with him, of course. I think the flood of books, compilers, incorporations into browsers and operating systems, etc. is strong evidence that Java is a bit more than just this year's version of TCL. But, the great thing about a market anarchy is that people get to vote. By deciding what to buy, what to work on, what to build applications with, and so forth. The first "killer applet" (tm) will be what? (There's a fair chance it could be a digital commerce applet, something to exploit correctly the pent-up demand for online purchases....I can imagine folks on this very list becoming the Scott Cook's of this market....) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Fri Apr 26 08:23:04 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 26 Apr 1996 23:23:04 +0800 Subject: trusting the processor chip Message-ID: <m0uCiBa-00094jC@pacifier.com> At 11:14 PM 4/25/96 -0700, Paul S. Penrod wrote: > > >On Thu, 25 Apr 1996, jim bell wrote: >? >> >> This analysis seems to assume that the entire production run of a standard >> product is subverted. More likely,I think, an organization like the NSA >> might build a pin-compatible version of an existing, commonly-used product >> like a keyboard encoder chip that is designed to transmit (by RFI signals) >> the contents of what is typed at the keyboard. It's simple, it's hard to >> detect, and it gets what they want. >> >> Jim Bell >> jimbell at pacifier.com >> >> > >This is getting more rediculous by the minute. If NSA wanted to find out >what you were typing, they dont need to subvert microcode or chips on the >board. Unless you have a tempest device - all they have to do is pull RF >from your vicinty and they can *see* just exactly what your typing. You don't understand the subject, do you? While it is possible to determine a great deal of information from RF, there is an enormous difference in effort between analyzing the output of an uncooperative, inadvertent transmitter and a "cooperative" one. The most commonly understood source of RF signals come from CRT's, called Van Eck radiation. But passwords don't generally appear on CRT displays, so that is of limited value. I don't doubt that standard keyboards produce RF that might be analyzed, their output is probably not particularly easy to detect against a background of processor RFI. (It's short and low-amplitude) Far easier to analyze would be a chip that loudly and longly transmitted the current typed keyboard character, perhaps in some sort of serial binary code, possibly by driving the keyboard scanning lines according to a pre-arranged pattern designed to emit RF at a particular rate based on the clock oscillator. This transmission would be just about undetectable to anyone who didn't have a whole raft of sophisticated detection equipment. However, to those who know what to look for, it would probably be relatively easy to see. One particularly important reason for using such a chip, which you entirely overlooked, is that many computers are at sites with more than one, and in some cases many more than one computer. Their signals will mix, obviously, and will be very hard to separate. If it is possible to replace a keyboard chip with a Trojan Horse, the one desired target will be far more identifiable. Jim "He only talks about one thing" Bell jimbell at pacifier.com From tcmay at got.net Fri Apr 26 08:37:26 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 26 Apr 1996 23:37:26 +0800 Subject: Is the public involved in the crypto policy debate? Message-ID: <ada5d55c30021004254b@[205.199.118.202]> At 6:50 AM 4/26/96, Alex Strasheim wrote: >> In the United States and Europe, encryption policy is formed by a mix >> of interests. Advocates of business, national security agencies, and >> more recently the police -- all play a large role in the policy >> debate. > >Someone's conspicuously absent here: us. To be fair to Jim Bell, he made the same point a day or so ago. I don't necessarily sift Stewart Baker's words for hermeneutical signs of what the government is planning. He might just as well have included "public opinion" in his list, and nothing would change. And I'm quite sure that Baker, Denning, Nelson, et. al. are acutely aware of the role of the "public" in these matters. The "public" as made manifest in newspaper articles critical of Clipper, in "Wired" features against key escrow and in favor of Cypherpunks-type themes, and so on. While the "vocal minority" that rails against Administration policy in sci.crypt, talk.politics.crypto, comp.org.eff.talk, this list, etc., are not the public at large, we are certainly a part of the public. I think the rejection of Clipper by "the public" is proof of this. (If we were leftist theoreticians, we could debate for years or even decades whether our movement is truly a mass movement, or just a vanguard movement, etc.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From sameer at c2.org Fri Apr 26 09:12:08 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 27 Apr 1996 00:12:08 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <UlU8SES00iWV80j2lz@andrew.cmu.edu> Message-ID: <199604260933.CAA28293@clotho.c2.org> > one at all, to a system of fair taxiation, since much of the talk could fair taxation. What a concept. Now why did this person appear in my "cypherpunks-people-to-read-file?" I should go figure this out and fix it. > be simply bluff, I have been made glad for the first time for the War on > Drugs. This silly war--tragic in terms of its economic cost and its > assault on liberty--at least has forces some government agencies to take > you seriously enough to figure out how to derail your plans of tax > evasion. > > Michael Loomis > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From llurch at networking.stanford.edu Fri Apr 26 09:17:25 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Apr 1996 00:17:25 +0800 Subject: [fight-censorship] Guardian Angels v. anonymous remailers Message-ID: <Pine.GUL.3.93.960425234353.940C-100000@Networking.Stanford.EDU> Interesting and well-written piece. Followups, if any, will be at http://fight-censorship.dementia.org/fight-censorship/top/ I assume that Declan is just observing how Safesurf operates. My view is that these private "decency" registries are a healthy part of the free market. Of course the "Angels" are a bunch of hypocrites, but the part about rating sites I support. Let the prudes censor themselves; it's a free net. If anyone tries to sabotage Safesurf by rating things the "wrong" way, then they're an asshole. (I am *not* accusing Declan of advocating this, because he isn't -- it's just something that crossed my mind. Tempting, but highly counterproductive.) -rich ---------- Forwarded message ---------- Date: Fri, 26 Apr 1996 01:43:25 -0400 (EDT) From: "Declan B. McCullagh" <declan+ at CMU.EDU> To: Fight Censorship Mailing List <fight-censorship+ at andrew.cmu.edu> Cc: angels at wavenet.com, mnemonic at well.com, cp at panix.com Subject: Guardian angels, the decency brigade, and cyberseraphim Attached is a message from the CyberAngels asking for rating volunteers. Jim Thomas published a fascinating and illuminating article documenting the seamier side of these self-appointed net.vigilantes in the Computer underground Digest earlier this year. (I vaguely remember some legal threats soon afterwards.) Their authoritarian and anti-privacy leanings are clear in their FAQ, at <http://www.safesurf.com/cyberangels/>: 9) What kinds of changes would the Guardian Angels / CyberAngels like to see? a) We would like to see an improvement in User identification. User ID is impossible to verify or trace back. The very anonymity of Users is itself causing an increase in rudeness, sexual abuse, flaming, and crimes like pedophile activity. We the Net Users must take responsibility for the problem ourselves. One of our demands is for more accountable User IDs on the Net. When people are anonymous they are also free to be criminals. In a riot you see rioters wearing masks to disguise their true identity. So much for anonymous remailers! But the CyberAngels, in a fit of almost painful hypocrisy, use anonymous remailers themselves, as Charles Platt recounts in his book _Anarchy Online_: How would this decency crusade actually work in practice? Well, later in 1995, one net user received the following not-very-friendly, not-very-literate warning, sent via an anonymous remailer: The Net is out of control, sex crimes, hate crimes and felonies. Just as on the streets, CyberCrime is committed by a minority of criminals who destroy the quality of life for an innocent majority. And just like on the streets the Guardian Angels will combat it. We have good reason to believe that you are involved in unlawful, harmful, hateful, threatening and/or harassment, particularly relating to minors. We will be watching you. The netizen who found this in her mailbox was baffled and irritated. She had no idea what she'd done to provoke the warning, and since the message was anonymous, there was no way to _find out_ what she was supposed to have done. By November, the Angels claimed they had 200 volunteers working for them, busily searching for bad guys on the net. "We have reported a number of Child Pornographers (50) to Sysadmins [system administrators] this month," Colin Hatcher noted, although he was no longer signing his real name to his progress reports, perhaps in fear of reprisals from angry pedophiles. "Letters we have received back all share our concern and promise stern action. Remember, each electronic image represents a real life destroyed." [...] Some net users wondered, though, if Hatcher was qualified to draw a dividing line between good and bad, let alone ugly. They also worried that decency vigilantes might have a chilling effect on freedom of speech. A student at Rutgers University complained that some of the Angels' public statements "are threats to violate the civil liberties of users of the Internet." In addition, he said, "the record of the Guardian Angels suggests that they will step over even the bounds that they publicly set for themselves." And, as Steven Levy wrote in Newsweek last October: "After the issue of child safety in cyberspace came up on his radio talk show, [Curtis] Sliwa decided to pursue in his usual high-profile fashion... Though the CyberAngels cannot document a single case where one of their numerous reports led directly to an arrest, they have compiled a fat file of press clippings." In the attached piece, the Angels hold themselves up as the arbiter of what is appropriate for kids or not under the Safesurf system. So far so good -- but what criteria do they use when checking to see if a site is "genuinely kidsafe?" Where is it documented and published? What training do their self-selected vigilantes have? Will the fight-censorship list be blocked when we have messages like this one on it: http://www.cs.cmu.edu/~declan/rimm/asst/anti_porn_group_11_22_94.letter -------------------------------------------------------------------------- Those orphan kids in the terminally ill section of the hospital are so fun at night when they are drugged out. I love sucking on their tiny finger-sized cocks and probing their tight holes. Their slender little bodies are completely smooth. They're going to die pretty soon so they won't come back to me several years from now as hairy grown up men blaming me for why they are all mentally messed up. And since they are orphans with no one to look over them except for overworked staff, I could get away with just about anything. Since blocking software like Safesurf and SurfWatch is central to our case challenging the CDA, I believe we should support that software and PICS-like third paty rating systems. Fortunately, that doesn't mean we have to accept or support the efforts of their unfortunate and intemperate net-vigilante allies. But I still want to help rate some web pages, so ---- "Gabriel," I want to be a CyberAngel. Sign me up! -Declan (now a CyberSeraphim) ---------- Forwarded message ---------- Date: Thu, 25 Apr 1996 19:11:16 -0700 From: angels at wavenet.com Subject: ALERT FOR 20 VOLUNTEERS! APPEAL FOR VOLUNTEERS Hi again everyone. I have a project that requires 20 volunteers. Read on! Most of you I hope are familiar with Safesurf - if not go visit them at http://www.safesurf.com Safesurf are not a commercial software company but are a kidsafe organization who are very involved in the ratings issue for kids and adult material on the Net. Safesurf are also our allies, and it is thanks to them that we have our website at all as it was a donation from Ray and Wendy at Safesurf. Safesurf have a very positive approach to the screening debate - they have developed a rating system whereby instead of spending time rating adult sites you focus instead on rating the kids sites. Then your screening software only allows you to visit sites with the Safesurf rating on it. This is an excellent concept, not least because it doesn't then matter if new sites come onto the web that are not rated yet, because nothing can be included in your screened browser unless it registers itself as kidsafe by marking its site with a safesurf rating mark. Don't worry about my ramblings - just go to their site and read up on it. It's a really positive concept and has been adopted by a lot of sites already. Adopting the Safesurf mark is voluntary and means that you are identifying your site as suitable for e.g. kids. Now here comes the appeal. Several thousand sites have already marked themselves as Safesurf rated - and more are registering every day. The question is - what is to stop a site registering as a kidsafe site, but in reality being an adult site? The Safesurf rating method is that sites can obtain the rating from the Safesurf site and then write in and register themselves. Isn't it possible that a site could claim to be kidsafe but in reality was adult? The answer is yes. So how can Safesurf be sure that sites registered with them are indeed genuinely kidsafe? Simple - someone has to go and check out all the sites who register with Safesurf. Ray had a proposal for me. How about if we could say that all these sites were "Rated by Safesurf, and patrolled by CyberAngels"? I thought that was a great idea - for we CyberAngels to help Safesurf in this way, by checking their sites for them. Ray is proposing to send me 200 sites a week to check out and we will share them out to a CyberAngels team of 20 volunteers - that means that each one of us would volunteer to check out 10 sites per week. Easy right? I want to make something very clear - Safesurf are not a rich commercial company making money from rating sites. They are not selling software and their rating code is free to anyone who wants it. So it's not like they can hire 20 people and pay them to patrol the Safesurf Intranet - it's a volunteer job. So there you are - I am looking for 20 CyberAngel volunteers to make up a regular Safesurf "Intranet" Patrol, with the mission to visit 10 URLs a week and make sure that they are what they say they are. Who's ready? Once I have the team established I will then brief you all on how we do this. Write to me as soon as possible if this interests you. Let's show Safesurf how much we support their positive stand for our InterNet kids! I will take the first 20 volunteers who contact me (yes you will be suitably honored - publicly if you so choose!) Gabriel From cwe at it.kth.se Fri Apr 26 09:24:05 1996 From: cwe at it.kth.se (Christian Wettergren) Date: Sat, 27 Apr 1996 00:24:05 +0800 Subject: trusting the processor chip In-Reply-To: <Pine.3.89.9604252347.A18926-0100000@netcom13> Message-ID: <199604260901.LAA22411@piraya.electrum.kth.se> Take a look at the IEEE Symp on Security and Privacy Proceedings from 1995, I believe it was. There was a paper there about security bugs in the Intel processors, enumerating a number of them in 80386 for example. There where at least one or two byte sequences that plainly stopped the processor. [I'll find the reference, I have it back home.] The authors concluded that the number of released bugs reports had dimished over time for each processor model, and for the Pentium not a single one had been released. They speculated whether it was considered company confidential perhaps? They "promised" to build their own "processor tester" to try to find the most obvious ones at least. But it will be very hard to find all of these bugs, judging from the released bugs. Some of them are only appearing sporadically under a pretty complicated set of circumstances, like what is in the pipeline, the cache etc... The processor is ever important, if it is illdefined or flakey, it is almost impossible to build security on top of it. /Christian From llurch at networking.stanford.edu Fri Apr 26 09:43:52 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Apr 1996 00:43:52 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <UlU8SES00iWV80j2lz@andrew.cmu.edu> Message-ID: <Pine.GUL.3.93.960426013529.940H-100000@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- On Fri, 26 Apr 1996, Michael Loomis wrote: > I have been reading this list to get an idea where Declan gets some > of his lunatic ideas and what Rich Graves says when he is not up to > Holocaust fetishism. Despite Timothy's claim to the contrary, it seems > that the basic point of this list is some libertarian notion that tax > evasion is a good thing. That might be one view, but not mine. I think people who evade income taxes are bad -- they're stealing from the rest of society. But I believe that the growth of cryptoanarchy means that people who make far more money than we do can evade taxes with ever greater ease. The current system puts honest people at a disadvantage, which is never a good thing. The technical and economic analyses presented here are neither good or bad -- they're true or false. I tend to believe that they are more true than false. My semi-conclusion is that in a knowledge and services society like ours, a fair share of income tax cannot be collected from the very rich without imposing totalitarian controls; therefore, government needs to be more entrepreneurial, cut costs, divide labor, and raise revenue through somewhate harder-to-evade sales, real estate, and inheritance taxes. Such a system would probably be more regressive in theory, but not too different in practice -- and it would be honest. Globalization and network-based freedom further weaken the sovereign, geographically defined, vertically integrated nation-state. I don't necessarily see this as a bad thing. I agree with the crypto-anarchist analysis that the status quo is untenable, but I haven't made up my mind where we should go. My academic background is in Latin America. I've known a lot of governments that really suck, and a lot of revolutions that are even worse. > While I am not clear how serious of threat, if > one at all, to a system of fair taxiation, since much of the talk could > be simply bluff, I have been made glad for the first time for the War on > Drugs. This silly war--tragic in terms of its economic cost and its > assault on liberty--at least has forces some government agencies to take > you seriously enough to figure out how to derail your plans of tax > evasion. In what way has the War on Drugs derailed tax evasion? Please elaborate. On the contrary, I think it has demonstrated the ineffectiveness of attempts to control tax evasion and smuggling. Thank you for providing this rare insight into how you think. I haven't heard from you in three months; I was starting to wonder. Please drop by and have a beer some time. - -rich FUCKING STATIST and HOLOCAUST FETISHIST http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYCTRI3DXUbM57SdAQHLDQQAjg/jsvqt+xAfmXAysAQ/E8519SC57/Tk x46GoHv3ExVQcJNFu2MrePa8OygMzQZ5Iw0OFUhv9XRLJ05ClVUbyff6X5Y2oVyl ZlLb84NrGgl23Ksfi8QkRdlvGgEEEwfB0VFei9mte82HBQvULELM6KmNiBQIgW/R XG7xbWrneKI= =teBf -----END PGP SIGNATURE----- From m5 at vail.tivoli.com Fri Apr 26 13:40:36 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Sat, 27 Apr 1996 04:40:36 +0800 Subject: [NOISE] What is "laser material"? In-Reply-To: <199604260403.VAA23917@netcom9.netcom.com> Message-ID: <3180C174.4DC4@vail.tivoli.com> Bill Frantz wrote: > > Moreover, a laser shot costs $3,000, compared to several > > million dollars for a missile. Army officials envision the > > Nautilus would be beamed from a truck capable of firing 50 > > shots before requiring more laser material. > > Does anyone have any idea what "more laser material" means? It's this fluorescent goopy stuff, very sticky and tough to handle; I hear it smells *awful* too. They have to use big compressors to pack it into the laser tubes. That's one of the reason lasers require so much power. Curiously, the popular novelty product "Silly String" is in fact a scaled-down "domestic" version of real laser technology. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From gerhard at [192.96.77.1] Fri Apr 26 14:11:56 1996 From: gerhard at [192.96.77.1] (G Ackerman) Date: Sat, 27 Apr 1996 05:11:56 +0800 Subject: PGP + Pegasus Mail Message-ID: <m0uCmvi-0006wbC@pyrod.ovsod.co.za> Hi, I want to know if it is possible - and how to use PGP from within Pmail. (I want to use the Encrypt option in PMail with a method PGP - is it possible and what must I do to get it to work) (including Digital Signature, etc) Thanks |\/\/\/| | | | | | (o)(o) G Ackerman C _) Free State Education Department | ,____| gerhard at pyrod.ovsod.co.za | / +27 +(0)51 4074127 /__\ / \ DISCLAIMER: EXPRESSED OPINIONS ARE MY OWN AND MIGHT NOT BE SHARED BY MY EMPLOYER OR ANYONE ELSE. From byrd at ACM.ORG Fri Apr 26 16:16:53 1996 From: byrd at ACM.ORG (Jim Byrd) Date: Sat, 27 Apr 1996 07:16:53 +0800 Subject: PGP + Pegasus Mail Message-ID: <2.2.32.19960426134001.006b6c3c@tiac.net> At 02:50 PM 4/26/96 +0000, G Ackerman wrote: >Hi, > >I want to know if it is possible - and how to use PGP from within >Pmail. (I want to use the Encrypt option in PMail with a method PGP >- is it possible and what must I do to get it to work) (including Digital >Signature, etc) I don't know the answer to this question, but there is a pgp-users mailing list where someone might know. Here's how to subscribe: "To subscribe to the list, simply e-mail "pgp-users-request @rivertown.net" with the word "subscribe" in the subject **NOT THE BODY** of the e-mail and you will be automatically subscribed to the list. To subscribe to the digest, sent your request to "pgp-users-d- request at rivertown.net" and your subscription will be likewise processed. Depending on list volume, digests will go out from once a day to several times a day." From jya at pipeline.com Fri Apr 26 16:20:43 1996 From: jya at pipeline.com (John Young) Date: Sat, 27 Apr 1996 07:20:43 +0800 Subject: Bytes Message-ID: <199604261341.JAA01486@pipe4.nyc.pipeline.com> May BYTE reports on topics seen here: Peter Wayner's deft assay of "Entrust," Nortel's E-mail encryption program. "An easy tool for securing E-mail unlocks the door to managing public and private keys." Michael Shoffner on "Java's Busting Out All Over." Andrew Davis on "A Digital Signal Processor Sampler." Rex Baldazo on the Be Operating System -- multiprocessing, multi-threaded and object-oriented -- "buzzword-compliant." Doug Anderson on the high-speed Fibre Channel network system. Among several other fine pieces. From fletch at ain.bls.com Fri Apr 26 16:45:15 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Sat, 27 Apr 1996 07:45:15 +0800 Subject: Tcl Crypto [Was Re: Mindshare and Java] In-Reply-To: <Pine.SUN.3.91.960425153148.12377C-100000@rwd.goucher.edu> Message-ID: <9604261417.AA20312@outland.ain_dev> > The next phase will be to write (what I beleive to be) the first graphical > PGP shell for X. Depends on what you mean by graphical PGP shell, but no. Exmh (Tk front end for the MH mail reader) has had PGP support for ages. > I don't think TCL is suited to heavy-duty crypto applications, except as > an interface. Mostly because it is interpreted, though I'm not sure how > "everything is a string" would affect bignums. (And I wouldn't want to > write a TCL bignum library...) IF you really wanted to do such a thing, the best aproach would be to do it as a C extension (so it could be dynamically loaded with the new dl support) or if you're a real massochist do it in [incr tcl] so that the bignums are objects (of a sort). --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From tallpaul at pipeline.com Fri Apr 26 17:10:49 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sat, 27 Apr 1996 08:10:49 +0800 Subject: Is the public involved in the crypto policy debate? Message-ID: <199604261433.KAA13991@pipe8.nyc.pipeline.com> On Apr 26, 1996 02:05:40, 'tcmay at got.net (Timothy C. May)' wrote: > >(If we were leftist theoreticians, we could debate for years or even >decades whether our movement is truly a mass movement, or just a vanguard >movement, etc.) > >--Tim May > I do not mind being trolled from time to time. Based on my anthropological, political, and journalistic researches, I look at cypherpunks as a heterogeneous, not homogenous, movement. By this, I mean that it can be examined in a variety of ways based on significantly different points. 1) Development (more accurately spread) of public key crypto: definitely vanguard. 2) Development and spread of anon remailers: definitely vanguard. 3) Opposition to CDA, etc.: Part of a smallish mass movement. Participation in the movement definitely limited to a small number of issues involved. E.G. good contributions to publicity; no contribution to issues of mass sexual hysteria around "kiddie porn," etc. 4) Other issues, like future role of e-cash, etc. Not vanguard, not mass movement, a "bunch of loons." --tallpaul From shamrock at netcom.com Fri Apr 26 17:56:52 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 27 Apr 1996 08:56:52 +0800 Subject: Mindshare and Java Message-ID: <v02120d0bada61e532f13@[192.0.2.1]> At 20:06 4/25/96, James Childers wrote: >> > As cool as many of the people on the Java team are, though, I am dubious >> > that Java is going to live up to the hype. > >Same here. If someone writes a secure electronic-wallet type system >with Java, then I'll be impressed. Until then, all I've seen >implemented is kEWL text graphics. Well, Sun just did unveil their Java Wallet. Specs are hazy at this time, but the slides I saw at the FSTC conference last week looked promising. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From froomkin at law.miami.edu Fri Apr 26 18:26:10 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sat, 27 Apr 1996 09:26:10 +0800 Subject: Mondex Message-ID: <Pine.SUN.3.91.960426114940.17586A-100000@viper.law.miami.edu> Seth Godin, Presenting Digital Cash (1995) reports on p. 94: Mondex "spent four years developing state-of-the-art protection against reverse engineering by finding the world's best reverse engineers and give them [sic] a shot a cracking the chip in their smart cards." ==details anyone? Elsewhere, in the interview in the Appendix, Tim Jones admits they are currently vulnerable to a MITM attack, but promises a fix real soon. <> In other Mondex news, the American Banker newspaper reports they are going to field test a card in a British university; it will do meals, copies, etc... Any other Mondex news around? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From stevenw at best.com Fri Apr 26 18:39:54 1996 From: stevenw at best.com (Steven Weller) Date: Sat, 27 Apr 1996 09:39:54 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <v01540b00ada697d870e0@[206.86.1.35]> >At 4:05 AM 4/26/96, Bill Frantz wrote: > >>> Moreover, a laser shot costs $3,000, compared to several >>> million dollars for a missile. Army officials envision the >>> Nautilus would be beamed from a truck capable of firing 50 >>> shots before requiring more laser material. >> >>Does anyone have any idea what "more laser material" means? >> > >Sure, most high-power lasers like this are chemical lasers, consuming >reactive materials. > >(This is not the same as "gas lasers," a la the early CO2 lasers. And of >course ruby and Nd-YAG lasers are not what is meant here, either.) > >P.S. I don't place much faith in laser weaponry. Some obvious >countermeasures are: spin the projectile to minimize heating of any one >spot, determine the wavelength of the planned laser and coat the projectile >with a suitably reflective coating, apply ablative layers that can burn off >without harm, etc. Such countermeasures are of course well-known to the >laser builders, but they still make the game much tougher. All a matter of >attack and counter-attack, and the costs of each. Like castles and siege >engines. Or like crypto. > >--Tim May Other problems include tracking the missile accurately for the one or two seconds (that's likely to be a mile or so if it's anything like a Scud) and handling the dispersive effect of the air temperature gradient caused by the laser itself. ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From bwern at jaxnet.com Fri Apr 26 18:47:07 1996 From: bwern at jaxnet.com (Ben Wern) Date: Sat, 27 Apr 1996 09:47:07 +0800 Subject: Private Idaho and MS Exchange Message-ID: <Pine.3.89.9604261241.A21602-0100000@jax.jaxnet.com> Has anyone has any experience with / tried to use Private Idaho with MS Exchange? I select the settings for Exchange, but it doesn't seem to transfer the message over properly. Ben Wern From s1113645 at tesla.cc.uottawa.ca Fri Apr 26 18:55:07 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Sat, 27 Apr 1996 09:55:07 +0800 Subject: The need for coderpunks In-Reply-To: <199604260527.WAA02314@netcom8.netcom.com> Message-ID: <Pine.3.89.9604261105.A17571-0100000@tesla.cc.uottawa.ca> On Thu, 25 Apr 1996, Mike Duvos wrote: > Given the various parameters which determine the life and death > of mailing lists, I fully expect Coderpunks to become moribund > within six months, and its members to reunify with this list. > > Very few of these "I'm going to start my own list with less > noise" adventures ever make it long term, absent the > personalities and critical mass of interesting information which > drove the list they spun off from. In this case, I hope not. There are people (not myself) who only want the coding-related material arriving in their mailboxes. Coderpunks serves that need. I think that particular list is more of a filter than a separate list. If you look at the archives (if they come back up) you'll see a few crypto bigwigs on coderpunks that haven't seen fit to post to cypherpunks in a very long time, if ever. It'd be nice to keep receiving their input without forcing them into tedious killfiling measures. Conversely, I don't see why the activists should have to deal with code. The main list, imho, has mostly become something of a watering hole for the primary crypto user community. Something quite different from the usenet crypto groups. And since the list is very active regardless of signal, it will still be a place to send out some signal on those occasions where the important thngs occur. They don't (and can't) every day. And usenet just doesn't perform this function properly. I really do think having archives alongside a cypherpunks archive is crucial for the survival of an offshoot list. Institutional memory is very useful, especially for time-insensitive things like technical discussions. If hks decides not to bring back the archives, I hope they tell us promptly and temporarily put the whole thing up for ftp so someone else can provide this valuable service. (Kudos to hks and Todd for having given to us up till now.) It's safe for you to unsubscribe now, Perry. From ptrei at ACM.ORG Fri Apr 26 18:59:39 1996 From: ptrei at ACM.ORG (Peter Trei) Date: Sat, 27 Apr 1996 09:59:39 +0800 Subject: [NOISE] Re: Guardian angels, the decency brigade, and cyberserap Message-ID: <199604261605.JAA20253@toad.com> [Moderately innocuous, self-justifying letter mostly deleted] > > CyberAngels is about self-regulation. Let us not confuse the fight against > internet crime with the criminalization of free speech. We propose the > former not the latter. > > Gabriel > > ************************************************************************* > "All that is required for the triumph of evil is that good men > and women remain silent and do nothing" (Edmund Burke) > > "Congress shall make no law respecting an establishment > of religion or prohibiting the free exercise thereof; or > abridging the freedom of speech, or of the press; or the > right of the people peaceably to assemble and to petition > the Government for a redress of grievances." > (US First Amendment to the Constitution) > > "Those who sacrifice security for freedom, will have neither" >*********************************************************************** It's this last sig-quote that bothers me. It's worth noting that, unlike the other two, it has no attribution. It looks like an inversion of Benjamin Franklin's: " They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Historical Review of Pennsylvania People usually put in their .sigs quotes they feel sum up their personal philiosophy. I guess soon we'll see 'Gabriel' give us some more words to live by; these may be right up his alley: "War is Peace" "Ignorance is Strength" "Freedom is Slavery" - Orwell, "1984" Gabriel's also misquoting Burke - the actual text is: "The only thing necessary for the triumph of evil is for good people to do nothing. " Peter Trei ptrei at acm.org From smith at sctc.com Fri Apr 26 19:35:15 1996 From: smith at sctc.com (Rick Smith) Date: Sat, 27 Apr 1996 10:35:15 +0800 Subject: trusting the processor chip Message-ID: <199604261557.KAA20525@shade.sctc.com> cwe at it.kth.se (Christian Wettergren) writes: >Take a look at the IEEE Symp on Security and Privacy Proceedings from >1995, I believe it was. There was a paper there about security bugs in >the Intel processors, enumerating a number of them in 80386 for example. >There where at least one or two byte sequences that plainly stopped >the processor. Yes, and this is where the real risks are. The original question was entirely about explicit subversion. The larger risk is accidental flaws. Same with software in most cases. Rick. smith at sctc.com secure computing corporation From s1113645 at tesla.cc.uottawa.ca Fri Apr 26 19:35:35 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Sat, 27 Apr 1996 10:35:35 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <UlU8SES00iWV80j2lz@andrew.cmu.edu> Message-ID: <Pine.3.89.9604261141.B17571-0100000@tesla.cc.uottawa.ca> On Fri, 26 Apr 1996, Michael Loomis wrote: > I have been reading this list to get an idea where Declan gets some > of his lunatic ideas and what Rich Graves says when he is not up to > Holocaust fetishism. Despite Timothy's claim to the contrary, it seems > that the basic point of this list is some libertarian notion that tax > evasion is a good thing. While I am not clear how serious of threat, if If Tim is claiming anything to the contrary it is the importance of defending tax evasion on this list. There isn't any. Its acceptance is a foregone conclusion around here. The place for debating the ethics of such things is on usenet political groups. The focus here is using crypto to build the institutions to escape the constraints of physical commerce and monitoring. Obviously, for the practical purposes of most people we aren't there yet. It's quite promising, though. It's not the "why" but the "how". It might be useful for you to browse the early portions of the archives when they come back or read Tim's and Eric's original manifestos (somewhere in the bowels of ftp.csua.berkeley.edu/pub/cypherpunks/rants) and Black Unicorn's essay on his love of cash from Detweiler's page (can't remeber the url, I'll dig it up if you're interested, it's got some nice outtakes from past discussions, though Det himself is rather out of it). The cyphernomicon is also instructive (it'll show up on search engines). There are tons of other good sources, too. Ps. I know there are other list archives, but none of the urls I dig up seem to work. Help! From jimbell at pacifier.com Fri Apr 26 20:05:56 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Apr 1996 11:05:56 +0800 Subject: trusting the processor chip Message-ID: <m0uCrFs-0008y2C@pacifier.com> At 10:50 AM 4/26/96 -0500, Rick Smith wrote: >Having penned the response to Jeffrey Flinn on the unlikelihood of >processor back doors, I'll comment on jim bell's response: >> More likely,I think, an organization like the NSA >>might build a pin-compatible version of an existing, commonly-used product >>like a keyboard encoder chip that is designed to transmit (by RFI signals) >>the contents of what is typed at the keyboard. It's simple, it's hard to >>detect, and it gets what they want. > >Simple, no. By NSA standards, it is simple. NSA has probably had its own semiconductor fabs for 30+ years. Even if we assume that their capabilities lag commercial production in terms of density or quality, keyboard encoder chips were trivial 20+ years ago and could presumably be easily duplicated/modified today by even the oldest operating fabs. They probably had far less than 10,000 transistors. Even modern keyboard controllers probably "waste" a microcontroller with far more capability than you'd need for the task, and microcontrollers usually have substantially more code area than would be necessary to add some sort of surreptitious function. >Hard to detect, somewhat. You'd have to know what to look for. >Gets what they want, unclear. If there was one single data stream you'd like to get, it's the keyboard. This doesn't get you everything, but close. From schneier at winternet.com Fri Apr 26 20:13:32 1996 From: schneier at winternet.com (Bruce Schneier) Date: Sat, 27 Apr 1996 11:13:32 +0800 Subject: APPLIED CRYPTOGRAPHY 2nd EDITION Errata version 1.3 Message-ID: <199604261718.MAA20147@parka> I just mailed a copy of the new errata to everyone on my mailing list. If you didn't get one, it means that you are not on my mailing list. Send me e-mail to correct that oversight immediately. Wiley has not yet committed to making an updated version of the book. If you want to complain to my editor, he is psutherl at jwiley.com. Bruce ************************************************************************** * Bruce Schneier APPLIED CRYPTOGRAPHY, 2nd EDITION is * Counterpane Systems available. For info on a 15% * schneier at counterpane.com discount offer, send me e-mail. * * For Blowfish C code, see ftp.ox.ac.uk:/pub/crypto/misc/blowfish.c.gz ************************************************************************** From tcmay at got.net Fri Apr 26 20:33:27 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Apr 1996 11:33:27 +0800 Subject: trusting the processor chip Message-ID: <ada655e33202100457c6@[205.199.118.202]> At 9:01 AM 4/26/96, Christian Wettergren wrote: ... >They "promised" to build their own "processor tester" to try to find >the most obvious ones at least. But it will be very hard to find all of >these bugs, judging from the released bugs. Some of them are only >appearing sporadically under a pretty complicated set of circumstances, >like what is in the pipeline, the cache etc... > >The processor is ever important, if it is illdefined or flakey, it is >almost impossible to build security on top of it. Maybe true in theory, under special circumstances, but not something of immediate importance. Finding bugs is important, but no modern processor chip set (including the peripheral chips) is likely to be "100% secure," whatever that means. (The NSA and its minions put out the "Rainbow Books" to define this, and few machines come close to the top rating...) There was a British plan some years back to develop a "provably secure" microprocessor for life-critical applications, e.g. train controllers. It was called "Viper." Last I heard, the project was not progressing. It seems that most people would rather use the hundreds of MIPS of processing power of a modern, high-density processor that the sub-MIPS power of a Viper-type chip. (I'm not of course saying that processing power and security are inverses of each other, only noting that they haven't gone together so far.) The most famed chip flaw of all time had no security implications, nor would it ever have affected a single life. (Except stock market lives.) I'm glad Intel offered a recall and fixed the bug, but the plain fact is that the bug truly was obscure and could only be demonstrated under contrived conditions. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vince at offshore.com.ai Fri Apr 26 20:57:31 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Sat, 27 Apr 1996 11:57:31 +0800 Subject: Click here to become an International Arms Trafficker Message-ID: <Pine.LNX.3.91.960426140208.31791A-100000@offshore.com.ai> "Click here to become an International Arms Trafficker" Offshore Information Services Ltd. has set up a web page to make it really easy for people to become International Arms Traffickers. All they have to do is fill in their name and email address and then click. Check out: http://online.offshore.com.ai/arms-trafficker/ If you think this is half as funny as I do, please make a link from one of your pages to this one. -- Vince From jimbell at pacifier.com Fri Apr 26 21:01:21 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 27 Apr 1996 12:01:21 +0800 Subject: US law - World Law - Secret Banking Message-ID: <m0uCsKG-000989C@pacifier.com> At 02:13 AM 4/26/96 -0700, Rich Graves wrote: >On Fri, 26 Apr 1996, Michael Loomis wrote: > >> I have been reading this list to get an idea where Declan gets some >> of his lunatic ideas and what Rich Graves says when he is not up to >> Holocaust fetishism. Despite Timothy's claim to the contrary, it seems >> that the basic point of this list is some libertarian notion that tax >> evasion is a good thing. > >That might be one view, but not mine. I think people who evade income >taxes are bad -- they're stealing from the rest of society. If a criminal mugs you for $10 each morning for a month, and on the 32nd day you decide you've had enough and pull a gun and defend yourself, does that mean that you're stealing from him?!? From raph at cs.berkeley.edu Fri Apr 26 21:06:58 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Sat, 27 Apr 1996 12:06:58 +0800 Subject: Mixmaster message formats In-Reply-To: <Pine.LNX.3.92.960425200950.1060A-100000@gak> Message-ID: <318104E5.2779929F@cs.berkeley.edu> Mark M. wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > I was thinking about how Mixmaster needs a separate message format so it > can make messages a fixed size and add a packet ID. However, couldn't all > this be done with PGP? With PGP, the length of the file being encrypted is > encrypted itself, so it would be possible to append random data to the end > of the file to make the message a fixed length like Mixmaster. Also, the > packet-ID could be implemented by putting a line such as the following in the > message: > > :: > Packet-ID: foobar > > The only other thing that would have to be taken care of is chaining. The > way I could see this working is to have a header in the encrypted message that > tells the remailer whether it should de-armor the message at the next layer, > append random data, then re-armor, and pass it to the next remailer. Am I > missing something? Yes. When an intermediate message is decrypted, the real message becomes readable, but the random bytes stay random. Thus, your proposal is secure against attacks on the link, but fails to attacks on the nodes (i.e. reveals just as information as if padding had not been used). I was suffering from the same confusion myself until fairly recently. I even made a proposal for text-based type-3 remailer formats, which contained this flaw. Raph From llurch at networking.stanford.edu Fri Apr 26 21:30:16 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Apr 1996 12:30:16 +0800 Subject: Fair Taxiation, credentials, guvmint interference In-Reply-To: <199604260933.CAA28293@clotho.c2.org> Message-ID: <Pine.SUN.3.93.960426123310.6710A-100000@elaine47.Stanford.EDU> On Fri, 26 Apr 1996 sameer at c2.org wrote: > > one at all, to a system of fair taxiation, since much of the talk could > > fair taxation. What a concept. Now why did this person appear > in my "cypherpunks-people-to-read-file?" I should go figure this out > and fix it. That's not what he wrote. He meant fair TAXIation. Michael is criticizing arbitrary government regulations on transportation systems. See part four of Hernando de Soto's _The Other Path_ and other publications from Instituto Libertad y Democracia (Lima, Peru). The original Spanish version is more complete, with a statistical appendix, but the US paperback edition, ISBN 0-06-091640-0, hits all the main points. The issue of taxis that lack government license has also been raised in New York City and San Franciso in recent years. Might also be in Gabriel Zaid's La Economia presidencial, but it's been a while since I read that, and I don't own a copy. Cypherpunk relevance? In theory at least, the "medallions" that identify legal taxis are a form of Chaum's credentials without identity. Loomis is in your "cypherpunks-people-to-read-file" because of the ZundeLooMirror. He's a good guy, if a bit abrasive. Unfortunately, I found out too late that the best way to get him to do something stupid and wrong is to tell him that it's stupid and wrong. That makes you an enemy, and not worth listening to. http://www.c2.org/~rich/Not_By_Me_Not_My_Views/rebuttal.html By the way, I think I know what you mean, but someone unfamiliar with cypherpunks or you might read this indication that you have a "people to read" file, and don't care to read people you disagree with, the wrong way. You're liable to be called a FUCKING CLOSED-MINDED CENSOR NAZI. -rich From smith at sctc.com Fri Apr 26 21:31:41 1996 From: smith at sctc.com (Rick Smith) Date: Sat, 27 Apr 1996 12:31:41 +0800 Subject: trusting the processor chip Message-ID: <199604261550.KAA20217@shade.sctc.com> Having penned the response to Jeffrey Flinn on the unlikelihood of processor back doors, I'll comment on jim bell's response: >This analysis seems to assume that the entire production run of a standard >product is subverted. Actually, I perceived two models: either all processors are subverted or a subset of them are. Both require a reasonably complete design team to reliably achieve the objective of a well hidden and reliable back door. The cost effective thing to do is use the original design team since they have the knowledge you need to pull it off. A different and/or much smaller team has a lower likelihood of success. > More likely,I think, an organization like the NSA >might build a pin-compatible version of an existing, commonly-used product >like a keyboard encoder chip that is designed to transmit (by RFI signals) >the contents of what is typed at the keyboard. It's simple, it's hard to >detect, and it gets what they want. Simple, no. Hard to detect, somewhat. Gets what they want, unclear. My experience with processor design and development is rather ancient and my knowledge of IC work is third hand, so I'll gladly defer to someone with closer knowledge of the process (Tim?). However, I've never heard anything to imply that a processor architecture can be cleverly and reliably dinked with in this manner without lots of expensive engineering. Where does the chip real estate come from? Is there room in the microcode for this? Will it destabilize other behaviors? Will the victim detect it through RFI testing? No, it's not impossible. The risk vs reward tradeoff is shaky. Rick. smith at sctc.com secure computing corporation From tcmay at got.net Fri Apr 26 21:34:17 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Apr 1996 12:34:17 +0800 Subject: trusting the processor chip Message-ID: <ada66cd5000210045f20@[205.199.118.202]> My 9th grade classmate Rick Smith wrote: >Having penned the response to Jeffrey Flinn on the unlikelihood of >processor back doors, I'll comment on jim bell's response: >> More likely,I think, an organization like the NSA >>might build a pin-compatible version of an existing, commonly-used product >>like a keyboard encoder chip that is designed to transmit (by RFI signals) >>the contents of what is typed at the keyboard. It's simple, it's hard to >>detect, and it gets what they want. > >Simple, no. Hard to detect, somewhat. Gets what they want, unclear. I haven't been commenting on this part of the thread, but since I am asked to (below), I'll say that I agree with Rick on these points. Though there have been fictional accounts--e.g. the French novel "Softwar"--about replacement of chips with TLA versions, this tack is very hard to pull off. (The Infoworld "April Fool's Day" 1991 report that the NSA had arranged for printers entering Iraq to be modified so as to send intelligence info was gullibly picked up by several outfits that should've known better and reported as fact.) >My experience with processor design and development is rather ancient >and my knowledge of IC work is third hand, so I'll gladly defer to >someone with closer knowledge of the process (Tim?). However, I've >never heard anything to imply that a processor architecture can be >cleverly and reliably dinked with in this manner without lots of >expensive engineering. Where does the chip real estate come from? Is >there room in the microcode for this? Will it destabilize other >behaviors? Will the victim detect it through RFI testing? For high-volume parts, such as the chips in the usual PCs we all use, such a replacement would almost certainly need the cooperation of the chip makers. Not impossible to obtain, but not easy. A new "stepping" of the chip would probably be needed, though I suppose a chip with downloadable microcode could be used. Much more like, in my opinion, would be subversion of the software, a la Thompson's point about subverting compilers. And the work already done on "subliminal channels" that leak information (deliberately in this case) is apropos. I know that such channels were a major concern during the discussions of nuclear arms treaties. Speculatively, if such a hardware replacement is likely, this is where I would look first; but of course the parties to nuclear arms agreements know this as well. Anyway, there are all sorts of "maybes" and "possibles" here. Certainly there is no _technical_ reason why a "Pentium--NSA-enabled" variant of the Pentium could not be made...all things are possible. But how likely? And where in the spectrum of real concerns does it lie? And would Intel dare to cooperate with such a plan? And so on. This'll have to be my last word on this topic. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From declan+ at CMU.EDU Fri Apr 26 21:56:54 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 27 Apr 1996 12:56:54 +0800 Subject: Guardian angels, anonymity, and the decency brigade Message-ID: <IlUDaSS00YUvIGtoNf@andrew.cmu.edu> Thanks, Colin, for replying. I'm glad to learn that you made no legal threats against Jim's CuD. I understand that SafeSurf does not make sofware; I meant that a PICS/SafeSurf-compliant browser is necessary to read and act on such ratings. A few months ago, I went through the back archives of the fight-censorship list and looked for possibly "indecent" material. I found relatively few examples of this language, and all of them had clearly socially redeeming value, like the American Reporter's rather heated essay. The alt.sex.pedophilia story I cited was circulated among the anti-porn groups who fought for the CDA; in context, it was perfectly appropriate for us to discuss here. Further, I believe quite strongly that minors should be allowed and encouraged to participate in discussions on this list -- overbroad net-censorship affects them as well as adults. Yet you write: "Clearly a site with a message like this would not be suitable for children to read." What if I rate <http://fight-censorship.dementia.org/top/> as suitable for children, and a CyberAngel volunteer visits and stumbles onto that alt.sex.pedophilia story. Will my rating be yanked? This is what bothers me -- the undocumented, arbitrary, and capricious nature of ratings by the CyberAngels volunteer decency brigade. I support your right to censor my web site, but I don't have to like it. -Declan (who still wants to be a CyberSeraphim) ---------------------------------------------------------------------- [Another reply attached] ---------------------------------------------------------------------- Date: Fri, 26 Apr 1996 11:20:12 -0400 From: Tom Betz <tbetz at pobox.com> Subject: Re: Guardian angels, the decency brigade, and cyberseraphim Colin Gabriel Hatcher wrote: > As for press, we didnt even send a press release until 4 months after we > started, and then only to announce our website. And we've only sent one > more press release out since then. We do believe however that we have > helped to bring the issue of children and the Internet to the forefront and > that is a good thing too. This claim is totally disingenuous. They have the biggest PR whore on the face of the Earth flacking their efforts almost daily on NYC talk radio, and they dare to pretend to have only sent out one press release? What kind of training do these people receive? I heard an NPR story on this organization where every telecommunications term of art a CyberAngel used was used incorrectly, always with a sick misinterpretation. I'll dig up citations if anyone is interested. Despite what they 'believe', CyberAngels have helped to do nothing but inflame the passions of the ignoranti against the Internet, and to make a nearly non-existent threat into a major political football. Oh, and to give Curtis Sliwa one more dead horse to flog on the air. The whole thing disgusts me. -- ---- Tom Betz --------- <http://www.pobox.com/~tbetz> ------ (914) 375-1510 -- tbetz at pobox.com | We have tried ignorance for a very long | tbetz at panix.com ------------------+ time, and it's time we tried education. +----------------- -- Computers help us to solve problems we never had before they came along. -- From cp at proust.suba.com Fri Apr 26 22:04:46 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 27 Apr 1996 13:04:46 +0800 Subject: The Joy of Java In-Reply-To: <ada5c3312c021004e096@[205.199.118.202]> Message-ID: <199604262004.PAA00293@proust.suba.com> > The first "killer applet" (tm) will be what? > > (There's a fair chance it could be a digital commerce applet, something to > exploit correctly the pent-up demand for online purchases....I can imagine > folks on this very list becoming the Scott Cook's of this market....) I'll bet the first one will be a mailer that communicates with a central mail server. There's a need for people who don't know how to telnet to have handy access to their mail from both home and work. Some of the work that's being done with pgp compatible java applets is very exciting -- I expect that the general public will get its first taste of secure email from java applets doled up by ssl servers. It would be really great if a gui and and some crypto guts could be reused for both a java pop client and an applet that could talk to a central mail server. From smith at sctc.com Fri Apr 26 22:19:21 1996 From: smith at sctc.com (Rick Smith) Date: Sat, 27 Apr 1996 13:19:21 +0800 Subject: trusting the processor chip Message-ID: <v01540b04ada6ca77a483@[172.17.1.61]> At 10:23 AM 4/26/96, jim bell wrote: > By NSA standards, it is simple. NSA has probably had its own > semiconductor fabs for 30+ years. Yep. Regardless of whether the fabs are government property or not, it's a sure thing that some contractors have appropriately SCIFfed fabs and appropriately cleared staffs. > Even if we assume that > their capabilities lag commercial production in terms of > density or quality, keyboard encoder chips were trivial 20+ > years ago and could presumably be easily > duplicated/modified today by even the oldest operating fabs. > They probably had far less than 10,000 transistors. Even > modern keyboard controllers probably "waste" a > microcontroller with far more capability than you'd need > for the task, and microcontrollers usually have > substantially more code area than would be necessary to add > some sort of surreptitious function. Agree. Keyboard controllers (and other peripheral components of a system) are a much more tractable target than the CPU and may be within the capbailities of such organizations. I'm more inclined towards disk controller subversion myself. Of course, there's also the apocryphal story of the so called "Iraqi printer virus" that disabled the Iraqi air defense system. Subverting the CPU is not simple even by NSA standards. Rick. smith at sctc.com secure computing corporation From alano at teleport.com Fri Apr 26 22:21:05 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 27 Apr 1996 13:21:05 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <2.2.32.19960426175657.00ae9254@mail.teleport.com> At 09:05 PM 4/25/96 -0700, Bill Frantz wrote: >> Moreover, a laser shot costs $3,000, compared to several >> million dollars for a missile. Army officials envision the >> Nautilus would be beamed from a truck capable of firing 50 >> shots before requiring more laser material. > >Does anyone have any idea what "more laser material" means? It means that the laser burns itself up when fired. Either they are pumping gas into the laser and eventually run out or they are using something that is solid or semi-solid (yes, you can make a laser out of Jello!) that becomes non-functional after a certain number of uses. The plans I have for a somewhat high powered laser (10 watts) requires nitrogen pumped through the tube. Run out of nitrogen and you run out of laser... The problem with laser based weapons is they are weather dependant. Try using a laser in the rain and see how coherent a beam you get. What this has to do with crypto, I have no idea... (Maybe they are going to try and etch RSA in four lines of Perl into the side of the whitehouse.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From frantz at netcom.com Fri Apr 26 22:21:17 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Apr 1996 13:21:17 +0800 Subject: An idea for refining penet-style anonymous servers Message-ID: <199604261849.LAA03012@netcom9.netcom.com> At 8:15 AM 4/25/96 -0700, Alan Bostick wrote: >The other night, while sick and feverish with the flu, a scheme popped >into my head that would seem to make penet-style anonymous servers less >vulnerable to compromise through seizure of the remailer equipment or of >the address database... > >My scheme is the design of the address database. It consists of two >hash tables, one for sending messages (which maps anonymous IDs onto >sender's addresses), and one for receiving them (mapping recipient's >addresses onto anonymous IDs). A cryptographically secure hash (say, >MD5) is used for the index of both tables. > >The index of the sending message table is the MD5 hash of the sender's >address. The table entry the index points to is the sender's anonymous >ID, encrypted by a symmetric algorithm (maybe IDEA). The encryption key >would be a different hash, by another algorithm (let's suppose it's >SHA), of that same address. > >... > >The receiving message hash table is designed similarly, in reverse. The >index of the hash table is the MD5 hash of the anonymous ID; the entry >in the table is the recipient's email address, encrypted with the SHA >hash of the anonymous ID... Assuming you have obtained the address database, it seems to me that this scheme is subject to known address attacks: (1) If you want to find out what newbie at slowresponse.com's anon ID is, you just look it up. (2) If you want to find out the real email addresses of all the users, you test all the anon-ids with the reverse lookup table. This attack could be defeated by using sufficiently long random anon-ids. If we assume 5 bits of information/character, a 96 bit anon-id (sufficient to preclude exhaustive search attacks) would require 19 character anon-ids. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Fri Apr 26 22:31:26 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Apr 1996 13:31:26 +0800 Subject: The Joy of Java Message-ID: <199604261849.LAA02981@netcom9.netcom.com> Tim May and Mike Duvos have expresses an enthusiasm for Java which I share. There are a few practical issues which should be addresses. Mike says: >Indeed, with Java, I can put up a Web page which teaches someone >about a cryptographic algorithm, allows him to try it out and run >sample data through it, and provides him with a >platform-independent implementation of it to use as he wishes. >All in one fell swoop. That's a pretty powerful concept. But with the #$%^& ITAR you have to do it outside the USA/Canada, or limit it to USA/Canadians. The patent situation with RSA doesn't help making applications inter-operate with the existing PGP based infrastructure. Perhaps all these applications will appear first on the outside, where these problems do not exist for the developers. (The patent problem would still exist for US/Canadian users. I will be interested to see the patent holder's response.) Tim says: >One interesting remark I read from someone was that the Java distribution >model returns us to an era of easier distribution of small programs. The >"application bloat" of very large programs may be at least partly fixed. >We'll see. I have my doubts about this one. I think application bloat comes from market forces and from the kind of bundling you see in XYZCorpOffice products where you get 4 applications packaged together. This marketing approach maximizes revenue by selling you products you don't need as a matter of convenience. But, we shall see. There are some features of Java which make it less than ideal for crypto applications. These features can be overcome, but they will affect implementors and users. (1) There are not many sources of high-quality entropy available to Java applets. Keystroke timings and scribble windows are probably the best sources, but may represent an inconvenience for users. (2) Java doesn't allow you to define operators as methods of classes. This feature has the advantage that you don't have strange uses of the operators, the classic example being the left shift operator being used to do output. However, if you need to do arithmetic on numbers larger than 64 bits, you can't use common, infix notation. This feature only affects developers, and at worst, qualifies as a pain in the rear and not a show stopper. I too hope to soon see high-quality crypto applications on my desktop in Java. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Fri Apr 26 22:36:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 27 Apr 1996 13:36:55 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <Pine.3.89.9604261141.B17571-0100000@tesla.cc.uottawa.ca> Message-ID: <Pine.SUN.3.93.960426170924.6595D-100000@polaris.mindport.net> On Fri, 26 Apr 1996 s1113645 at tesla.cc.uottawa.ca wrote: > > On Fri, 26 Apr 1996, Michael Loomis wrote: > > > Holocaust fetishism. Despite Timothy's claim to the contrary, it seems > > that the basic point of this list is some libertarian notion that tax > > evasion is a good thing. While I am not clear how serious of threat, if > It might be useful for you to browse the early portions of the archives > when they come back or read Tim's and Eric's original manifestos > (somewhere in the bowels of ftp.csua.berkeley.edu/pub/cypherpunks/rants) > and Black Unicorn's essay on his love of cash from Detweiler's page > (can't remeber the url, I'll dig it up if you're interested, it's got > some nice outtakes from past discussions, though Det himself is > rather out of it). LD put my work on his page? How cute. I'll repost the work here if there is enough interest. No telling what LD might have done to the original. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From adam at lighthouse.homeport.org Fri Apr 26 22:39:09 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 27 Apr 1996 13:39:09 +0800 Subject: trusting the processor chip In-Reply-To: <199604261557.KAA20525@shade.sctc.com> Message-ID: <199604262137.QAA09079@homeport.org> Ross Anderson's "Programing Satans Computer" springs to mind. www.cl.cam.ac.uk/users/rja14/ Ross' papers are up there on my list of very worthwhile reading. Adam Rick Smith wrote: | | | cwe at it.kth.se (Christian Wettergren) writes: | | >Take a look at the IEEE Symp on Security and Privacy Proceedings from | >1995, I believe it was. There was a paper there about security bugs in | >the Intel processors, enumerating a number of them in 80386 for example. | >There where at least one or two byte sequences that plainly stopped | >the processor. | | Yes, and this is where the real risks are. The original question was | entirely about explicit subversion. The larger risk is accidental | flaws. Same with software in most cases. | | Rick. | smith at sctc.com secure computing corporation | -- "It is seldom that liberty of any kind is lost all at once." -Hume From merriman at arn.net Fri Apr 26 22:44:10 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 27 Apr 1996 13:44:10 +0800 Subject: [NOISE] What is "laser material"? Message-ID: <2.2.32.19960426061421.00688cec@gateway> -----BEGIN PGP SIGNED MESSAGE----- At 10:56 AM 04/26/96 -0700, Alan Olsen <alano at teleport.com> wrote: >>Does anyone have any idea what "more laser material" means? > >It means that the laser burns itself up when fired. Either they are pumping >gas into the laser and eventually run out or they are using something that >is solid or semi-solid (yes, you can make a laser out of Jello!) that >becomes non-functional after a certain number of uses. > >The plans I have for a somewhat high powered laser (10 watts) requires >nitrogen pumped through the tube. Run out of nitrogen and you run out of >laser... > >The problem with laser based weapons is they are weather dependant. Try >using a laser in the rain and see how coherent a beam you get. To _some_ extent, that's a function of the laser's frequency. An X-ray laser, for example..... :-) Dave "Do not look into laser with remaining eyeball" Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYBbiMVrTvyYOzAZAQEYogQAsmRIer5N2emPQ5t37WzzmMisHNbgduWS q80aA15xJLkZY62q2IGpvTqUDaY7D2ETfi1rUDs2CC1vYRRmjz5RathGAiLfzfmQ XWIXi1xHxwNxnsa5oPcm7xpQd8LWnZgsbRvvB4NIoU/1ScMZ+qhXQMaUanuU+kbZ KlvmTfom81A= =GYM8 -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From unicorn at schloss.li Fri Apr 26 22:48:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 27 Apr 1996 13:48:33 +0800 Subject: US law - World Law - Secret Banking In-Reply-To: <UlU8SES00iWV80j2lz@andrew.cmu.edu> Message-ID: <Pine.SUN.3.93.960426164357.6595A-100000@polaris.mindport.net> On Fri, 26 Apr 1996, Michael Loomis wrote: > Excerpts from internet.cypherpunks: 25-Apr-96 Re: US law - World Law - > Se.. by Timothy C. May at got.net > > Those on the list about a year or so ago may recall that there are > > proposals to in fact impose a "capital flight tax." This would make the > > U.S. a country very much like the former Soviet Union, which forbade such > > transfers of wealth without payment of heavy taxes. > > I have been reading this list to get an idea where Declan gets some > of his lunatic ideas and what Rich Graves says when he is not up to > Holocaust fetishism. Despite Timothy's claim to the contrary, it seems > that the basic point of this list is some libertarian notion that tax > evasion is a good thing. Your observation about the primary point of the list is incorrect in my view and even if it were correct, you overlook several aspects of the U.S. taxation system when you class all efforts to reduce or otherwise mitigate taxation as "tax evasion." First of all, and as one of the only western powers to do so, the United States taxes its citizens on _worldwide income_. While this in itself, with a proper foreign tax credit system, is not offensive, when the Unites States adds to this a very wide scope of extraterratorial jurisdiction and compelled process, it becomes more than tax. Further, the United States implements policy it cannot directly legislate constiutionally through taxation. Now, all of the above might not be unusual, but when it is combined with proposals like the expatraition tax (leave the country and pay a tax for doing so- and by the way, there is a form of this on the books and applicable today in the US) and strict money laundering regulations you approach something like currency controls. It is also worth noting that your notion of tax evasion is by no means universal. Switzerland, Liechtenstein, the Cayman Islands, France, the United Kingdom, all define tax evasion differently. Who are you, or anyone else, to say what tax evasion is, especially when it regards income derrived outside of the geographical and economic boundries of the taxing state? The United States has asked for this problem by imposing a regime of worldwide taxation on income. I, for one, am not particularly sympathetic. > While I am not clear how serious of threat, if > one at all, to a system of fair taxiation, since much of the talk could > be simply bluff, I have been made glad for the first time for the War on > Drugs. This silly war--tragic in terms of its economic cost and its > assault on liberty--at least has forces some government agencies to take > you seriously enough to figure out how to derail your plans of tax > evasion. Unfortunately, and if you stick with the list long enough and absorb the ramifications of some of the technology, I think the government has a losing battle. At the moment it is estimated that 10% of tax evaders in the United States are ever caught. It is partly the arrogance of many U.S. citizens, and the view that their government knows the one single way to conduct economic and foreign affairs, that empowers the United States to impose her tax and economic policy on unconnected sovereigns thousands of miles away. I think you have a rather narrow view of the list in any event. Cypherpunks are about much more than the ramifications of new technologies on the tax systems of the world. But, if it's sexy to demonize the list by calling us all tax evaders, feel free. > Michael Loomis --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From roger at coelacanth.com Fri Apr 26 22:56:39 1996 From: roger at coelacanth.com (Roger Williams) Date: Sat, 27 Apr 1996 13:56:39 +0800 Subject: PGP + Pegasus Mail In-Reply-To: <m0uCmvi-0006wbC@pyrod.ovsod.co.za> Message-ID: <9604262202.AA6443@sturgeon.coelacanth.com> >>>>> "Bart" == "G Ackerman" <gerhard@[192.96.77.1]> writes: > Hi, I want to know if it is possible - and how to use PGP from > within Pmail. Yes, for WinPmail 2.23 and above. Check out the Pegasus Mail home page: http://www.cuslm.ca/pegasus/ John Navas' PGP Open Encryptor Interface home page: http://web.aimnet.com/~jnavas/ and the PMail mailing list (warning -- high volume): mail "subscribe pmail My Name" To: listserv at ua1vm.ua.edu -- Roger Williams finger me for my PGP public key Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From rah at shipwright.com Fri Apr 26 23:03:21 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 27 Apr 1996 14:03:21 +0800 Subject: What Wired proposes, NetlyNews Disposes ;-). Message-ID: <v03006602ada6f998c81a@[199.0.65.105]> I just sent a third (from scratch) iteration of the OpEd article Wired wanted this afternoon. Meanwhile, I sold the first (from scratch) iteration to NetlyNews, viz, http://www.netlynews.com/ I believe I'm having fun now... No. I'm *not* an economist. I don't even play one on the net... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From dm at amsterdam.lcs.mit.edu Fri Apr 26 23:03:35 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Sat, 27 Apr 1996 14:03:35 +0800 Subject: Golden Key Campaign In-Reply-To: <199604251810.LAA17469@netcom9.netcom.com> Message-ID: <199604262210.SAA27467@amsterdam.lcs.mit.edu> In article <199604251927.PAA27960 at jekyll.piermont.com> "Perry E. Metzger" <perry at piermont.com> writes: > From: "Perry E. Metzger" <perry at piermont.com> > cc: Bill Stewart <stewarts at ix.netcom.com>, cypherpunks at toad.com > Date: Thu, 25 Apr 1996 15:27:04 -0400 > Reply-To: perry at piermont.com > X-From-Line: cypherpunks-errors at toad.com Thu Apr 25 20:07:52 1996 > X-Authentication-Warning: jekyll.piermont.com: Host perry at localhost didn't use HELO protocol > X-Reposting-Policy: redistribute only with permission > Sender: owner-cypherpunks at toad.com > Precedence: bulk > Lines: 11 > Xref: amsterdam.lcs.mit.edu cypherpunks:8797 > > > Bill Frantz writes: > > I will add to Bill's list: > > > > 7) RSA is the best known and vetted of the Public Key algorithms. > > Nota at all, Mr. Frantz. There are no proofs of security associated > with RSA. Rabin has excellent proofs that breaking a message is > strictly equivalent to factoring. Isn't Rabin's algorithm patented, too? Perhaps the licensing terms are better. Does anyone know for sure? Thanks, David From dm at amsterdam.lcs.mit.edu Fri Apr 26 23:04:20 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Sat, 27 Apr 1996 14:04:20 +0800 Subject: RSAREF dos not give you access to RSA In-Reply-To: <199604250814.BAA07715@toad.com> Message-ID: <199604262148.RAA27065@amsterdam.lcs.mit.edu> > From: Bill Stewart <stewarts at ix.netcom.com> > Date: Thu, 25 Apr 1996 01:11:13 -0700 > > 5) the price of RSA is fairly low, once free RSAREF came out RSAREF does not give you RSA. Do not think that you can write and distribute free software that uses RSA encryption in the US just because of the existence of RSAREF. If you don't believe me, let me tell you a little story. The RSAREF license strictly requires that you only use the documented RSAREF interface, which does not include direct access to the RSA functions. The relevant portion of the RSAREF license is section 2d: Prior permission from RSA in writing is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. (See the "What is it? RSAREF Supports the Following Algorithms" and "What You Can (and Cannot) Do With RSAREF," paragraph 4, all incorporated herein by reference, for details.) RSA will grant all reasonable requests for permission to make such modifications. PGP got a such "prior permission" to call functions outside of the RSAREF interface. However, that is only because PGP was such a high-profile case with a lot of MIT people behind it. On July 10, 1995, Tatu Ylonen sent mail to RSA attempting to get permission for US users to use RSAREF with ssh. Since ssh requires double encryption, something impossible to achieve through the published RSAREF interface, it called two of the functions PGP also uses, namely RSAPublicEncrypt and RSAPrivateDecrypt. It took RSA until September to respond to the original request, at which point they told Tatu they could only consider such a request coming from a US citizen. On Monday, September 11, 1995, I therefore sent in my own request to be able to use ssh with RSAREF. After many many messages, I got bounced around from RSA to Consensys Corp. and back to RSA. I was never able to get permission to use ssh with RSAREF. For a while I was a bit optimistic about the situation. For example on February 16, 1996, I was told the permission letter "should be sent out next week." However, it's been a couple of months since then and still no letter. Even if I get the letter tomorrow, however, it still will have been 9 months since the first request to RSA went in. The RSA folks seemed particularly concerned that the permission letter might be used for more than one particular program, or even more than one particular version of a ssh if major changes occured. In one letter, for instance, someone from RSA said: We'd like to avoid granting open-ended permission like: SSH provides for all of your security needs and the RSA calls are used to provide any kind of security service deemed useful now and in the future. Not that we wouldn't grant permission to new function/feature requests, rather we'd like to incentivize you to keep us posted as ssh grows. That means if I got a permission letter tomorrow, but in several months ssh was modified to use a better MAC, I might have to wait another 9 months to use the latest version ssh (which might no longer be the latest version by that point). Even if you think 9 months is an acceptible amount of time to wait to release an application you have written, consider this: First of all, I don't have the permission letter yet. I might get it tomorrow, I might get it in a year, or I might not get it before the RSA patent expires. Second of all, the only reason I have gotten as far as I did with this permission letter is because someone from MIT helped get me in touch with someone at RSAREF who would actually read my mail. Before that, I was told by RSA that I could only deal with Consensys Corp., and Consensys Corp. told me they could not grant me the kind of permission letter I was requesting, so that I was basically stuck (well, in theory Jonathan Zamick from Consensys Corp. could still be working on getting permission from RSA, but I haven't heard back from him since Nov 9, [except when he wanted to license IDEA to me, which ssh fortunately already has permission to use]). Conclusion: You can't use the RSA algorithm in free software. The RSAREF interface is too restrictive, and when RSA says in the license that "RSA will grant all reasonable requests for permission to make such modifications" to the interface, it is either an outright lie, or something that only happens after so much delay that they might as well not give you such permission. David P.S. You can help fight software patents! Join the league for programming freedom (http://www.lpf.org). From olmur at dwarf.bb.bawue.de Fri Apr 26 23:07:45 1996 From: olmur at dwarf.bb.bawue.de (Olmur) Date: Sat, 27 Apr 1996 14:07:45 +0800 Subject: An idea for refining penet-style anonymous servers In-Reply-To: <Uc5fx8m9LojB085yn@netcom.com> Message-ID: <199604262029.WAA00905@dwarf.bb.bawue.de> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Alan" == Alan Bostick <abostick at netcom.com> writes: [.....] Alan> There is a way that attackers who have seized or copied the Alan> database can search it - by trying it out on anonymous IDs, or Alan> user addresses, until they hit paydirt. I think that's exactly where the problem lies. The advantage of your proposal is, that for an honest SysOp your system makes it easier not to look on the database, but I assume that Julf isn't interested in the contents of the database anyways.. But for a real attacker it's just a small inconvinience, nothing more. Alan> So what do people think of this scheme of mine? Are there Alan> drawbacks or weaknesses that I'm not seeing? I think it's similar to a postmaster running a script to automatically removing the actual message from a bounced mail, before she looks at it. But I don't think it's really making penet-style servers more secure. Have a nice day, and hope your flu cured now! Olmur - -- "If privacy is outlawed, only outlaws will have privacy" --- P. Zimmermann Please encipher your mail! Contact me, if you need assistance. finger -l mdeindl at eisbaer.bb.bawue.de for PGP-key Key-fingerprint: 51 EC A5 D2 13 93 8F 91 CB F7 6C C4 F8 B5 B6 7C -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: latin1 Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBMYEyKA9NARnYm1I1AQFZaQP/Q6jt+o1oDLysFTcxkitZF5aaQbwNa0Z6 Ud/oJqeTZvVtbltbJ7CIAIQCHydYLnBcxbeAw3EJDPpMYXaVz0Lsd00cdggD8Uh4 nY6dc4MaWvU0Kv1QUsdBlsIzpPwqvB9+WnXFQxcu/DONQT5pNkkzJWRGoHNj6+f4 kr31q2gniis= =M/jY -----END PGP SIGNATURE----- From carolann at censored.org Fri Apr 26 23:08:33 1996 From: carolann at censored.org (Censored Girls Anonymous) Date: Sat, 27 Apr 1996 14:08:33 +0800 Subject: You are now an International Arms Trafficker Message-ID: <199604262153.OAA01214@primenet.com> OK, I'm guilty.... :) http://online.offshore.com.ai/cgi-bin/munitions.pl?itar > You are now an International Arms Trafficker > > Thanks for the munitions package. > > You are trafficker number: 4 > > Offshore Information Services Ltd. -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS&<LS%3(Q&#W1"<]2%`H^;,]^1C$'HBN8PX$4SYAU^ MPGD<Q0ZLA0D+,`MCT!LA**4M[-JPAK9F?40!AJ,CW"'%DR#:'9?Q)3[%<DQ` ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From thecrow at iconn.net Fri Apr 26 23:12:59 1996 From: thecrow at iconn.net (Jack Mott) Date: Sat, 27 Apr 1996 14:12:59 +0800 Subject: [Fwd: SafE Mail Encryption] got this today, anyone heard of it? Message-ID: <31813D94.6A4A@iconn.net> anyone heard of this? it was just sent to me. -- thecrow at iconn.net "It can't rain all the time" RSA ENCRYPTION IN 3 LINES OF PERL --------------------------------------------------------- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) To: thecrow at iconn.net Subject: SafE Mail Encryption From: safemail at ntrnet.net (Mike Wagoner (1)) Date: Fri, 26 Apr 1996 16:45:29 -0400 HI! Please look at our web address; http://www.sfmc.com We are information security technoligy through encyption, compresion, error correction and we are compatible with any open network or electronic mailing system. We use a public/private key approach. We work on Windows/DOS platform. The gentleman, DR. Vladyslave Oleynik, who created this software moved to The Research Triangle Park from St. Petersburg, Russia. His unique mathematical approach gives this software the longest encryption key length on the market today. This software also offers compression of up to 85% of all computer generated files as well as correct statistical errors up to 30% in a file.Because of its encryption strength, the highest compression on the market today, its error correction capability that no one else offers, and it is one of the easiest to use, this Russian technoligy will prove to change the standard of software security as we know it. Our E-mail address is safemail at nternet.net 1-800-252-9938-office 1-919-676-3810-fax Thanks, we awaite your response! Randy Estridge/ Mike Wagoner From merriman at arn.net Fri Apr 26 23:24:27 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 27 Apr 1996 14:24:27 +0800 Subject: Click here to become an International Arms Trafficker Message-ID: <2.2.32.19960426091033.00688010@gateway> At 02:46 PM 04/26/96 -0400, Vince Cate wrote: > > "Click here to become an International Arms Trafficker" > >Offshore Information Services Ltd. has set up a web page to make it really >easy for people to become International Arms Traffickers. All they have to >do is fill in their name and email address and then click. Check out: > > http://online.offshore.com.ai/arms-trafficker/ > >If you think this is half as funny as I do, please make a link from >one of your pages to this one. > Well, I'm ITAR violator # 6 :-) Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From tcmay at got.net Fri Apr 26 23:28:08 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Apr 1996 14:28:08 +0800 Subject: The Joy of Java Message-ID: <ada697c601021004c3a0@[205.199.118.202]> At 6:51 PM 4/26/96, Bill Frantz wrote: >Tim May and Mike Duvos have expresses an enthusiasm for Java which I share. > There are a few practical issues which should be addresses. And bear in mind that "enthusiasm" does not mean certitude. We've all gotten enthusiastic at times about some Next Big Thing. I count this enthusiasm as part of the larger Web picture, which is unlikely to fizzle out. >Tim says: >>One interesting remark I read from someone was that the Java distribution >>model returns us to an era of easier distribution of small programs. The >>"application bloat" of very large programs may be at least partly fixed. >>We'll see. > >I have my doubts about this one. I think application bloat comes from >market forces and from the kind of bundling you see in XYZCorpOffice >products where you get 4 applications packaged together. This marketing >approach maximizes revenue by selling you products you don't need as a >matter of convenience. But, we shall see. If you mean "Microsoft Office," I wasn't really thinking of this. The point this person I cited (I don't remember who it was) was that this makes it easier for a application to get "shelf space," because the shelf is the Web. Payment is problematic, but distribution should be easy. Obviously, Mosaic (and then Netscape) was a good example of this. A small team, or even a single person, with a Good Idea, gets distribution. The Net and Unix have long had this (with Unix tools and languages), but the Web and applets may well extend this to a broader base. We'll see. >There are some features of Java which make it less than ideal for crypto >applications. These features can be overcome, but they will affect >implementors and users. I think the interesting target date to plan for is a year from now. >(1) There are not many sources of high-quality entropy available to Java >applets. Keystroke timings and scribble windows are probably the best >sources, but may represent an inconvenience for users. Shouldn't be any worse or any better than with the status quo, right? I'm not sure I see the Java issue. (I've been looking at SoundClip and AudioClip, but only cursorily.) By the way, Hal Finney is working on a bignum package. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From loki at obscura.com Fri Apr 26 23:34:27 1996 From: loki at obscura.com (Lance Cottrell) Date: Sat, 27 Apr 1996 14:34:27 +0800 Subject: Mixmaster message formats Message-ID: <ada6f5a301021004defb@[206.170.115.3]> -----BEGIN PGP SIGNED MESSAGE----- I know Raph already answered this, but I want to toss my few cents in. It is important to understand the threat model of Mixmaster. I assumed that all links and some remailers would be compromised. My goal was to ensure that no information about the message was revealed except to the first and last remailers in the chain. To borrow from physics (black hole) terminology, the message must have no hair. Any active padding by the remailer implies that it knows an upper limit on the size of the actual message. If each remailer removes some information, which must be replaced, then conspiring remailers can obtain information about the where messages are going, by comparing size, and knowing that the "kernel" of the message can only shrink. This last statement is true unless remailers add extra hops, which they encrypt. The reason this is not effective has been thoroughly discussed on this list. Take a look at the essay on my home page. It explains most of the design decisions. -Lance Cottrell At 5:25 PM 4/25/96, Mark M. wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >I was thinking about how Mixmaster needs a separate message format so it >can make messages a fixed size and add a packet ID. However, couldn't all >this be done with PGP? With PGP, the length of the file being encrypted is >encrypted itself, so it would be possible to append random data to the end >of the file to make the message a fixed length like Mixmaster. Also, the >packet-ID could be implemented by putting a line such as the following in the >message: > >:: >Packet-ID: foobar > >The only other thing that would have to be taken care of is chaining. The >way I could see this working is to have a header in the encrypted message that >tells the remailer whether it should de-armor the message at the next layer, >append random data, then re-armor, and pass it to the next remailer. Am I >missing something? > >- -- Mark > >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 >http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 >"The concept of normalcy is just a conspiracy of the majority" -me > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.3 >Charset: noconv > >iQCVAwUBMYAXxLZc+sv5siulAQG5CwP/Qbgune3sjNyB7Y8xNxNW6hCahtgBNJDk >oT+hZHdlmcB6CZXjgDUSczIfAnygS71PBBysB4DJnugluMTMTGfqmgeikXdvL1zt >vnwx5xlG0HQeTbVE2+c1uW4uamkdb0MZmNLR06S9M+2i0ROaWzGwNO6WEHqoEL3W >qwXZ7zPtId0= >=MaO4 >-----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMYFHQfPzr81BVjMVAQH0qgf8DbhHB2rHxYAAMBKoOAiDRW7zy+UViknf 2BmIv6NDW2MYtTHNSLykDVx3XQCeGG4QuuFcmdveD3livQizC9Tb5Rj8cMNI/Qb6 R7RYEAsaraluxBYNxHxFPejZUy/r9jjJm+LzSVaYVfEdzgt5jjNrm2YV53nOinD8 4sfgBtWNKWAyiyl7lTFWKAhLdfYsp3klTecnEBuPetZlv1V3b4RR2xZi4ggIK4VR lFkASSQUp/c+JhkJWRcNw6z+Df2XJ59ORUGC+MuJp/W56YoTGicca3mI64qGwg7J 745XF8oAOuD3OCvreWiOYU/LScG3lKKMYfhCyWnGXpt32BJyM5hm1w== =WD5g -----END PGP SIGNATURE----- ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From iang at cs.berkeley.edu Fri Apr 26 23:37:29 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Sat, 27 Apr 1996 14:37:29 +0800 Subject: An idea for refining penet-style anonymous servers In-Reply-To: <Uc5fx8m9LojB085yn@netcom.com> Message-ID: <4lrkjn$abo@abraham.cs.berkeley.edu> In article <Uc5fx8m9LojB085yn at netcom.com>, Alan Bostick <abostick at netcom.com> wrote: >My scheme is the design of the address database. It consists of two >hash tables, one for sending messages (which maps anonymous IDs onto >sender's addresses), and one for receiving them (mapping recipient's >addresses onto anonymous IDs). A cryptographically secure hash (say, >MD5) is used for the index of both tables. > >The index of the sending message table is the MD5 hash of the sender's >address. The table entry the index points to is the sender's anonymous >ID, encrypted by a symmetric algorithm (maybe IDEA). The encryption key >would be a different hash, by another algorithm (let's suppose it's >SHA), of that same address. > >In forwarding a message, the server MD5-hashes the sender's address and >looks at the table. If it doesn't find a corresponding entry, it >creates one. If it *does* find an entry, it SHA-hashes the sender's >address and uses this key to decrypt the anonymous ID. In the unlikely >event of collision the decrypted ID will be gibberish and the server >does something sensible (like appending padding to the address and >trying again). The header information is filtered and the anonymous ID >inserted in the From: line. > >The receiving message hash table is designed similarly, in reverse. The >index of the hash table is the MD5 hash of the anonymous ID; the entry >in the table is the recipient's email address, encrypted with the SHA >hash of the anonymous ID. When a message comes in, the anon ID is >hashed and looked up in the table. If nothing is found, the message is >bounced. If an entry is found, the anon ID is SHA hashed and the table >entry decrypted. If it is gibberish, a collision has taken place and >handled appropriately. The message is then forwarded to its intended >recipient. > >What all this accomplishes is to obscure more information from attackers >and from honest operators. In the event of abuse it is a simple matter >to find out who the abusers are and block them out. If the operator is >subject to subpoena, anyone named in the subpoena can be easily >identified . . . *but nobody else can!* Authorities cannot use a search >for one identity as an excuse for a fishing expedition in the address >database. > >(Obscuring information from honest operators can protect the operator >when questions of liability or even conspiracy come up.) > >There is a way that attackers who have seized or copied the database can >search it - by trying it out on anonymous IDs, or user addresses, until >they hit paydirt. And of course such an anonymous server can be no more >trustworthy than its operator; and the fundamental security limitations of >the penet-style anonymous server are well-understood. > >So what do people think of this scheme of mine? Are there drawbacks or >weaknesses that I'm not seeing? Is it a good idea? I'd really like it >if *something* good came out of being laid up with the flu. This sounds a bit like the scheme mentioned in AC2, pp73-74. Check it out (and its reference, if you have time...). - Ian From sjb at universe.digex.net Fri Apr 26 23:44:09 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 27 Apr 1996 14:44:09 +0800 Subject: The Joy of Java In-Reply-To: <199604260527.WAA02314@netcom8.netcom.com> Message-ID: <199604262131.RAA13066@universe.digex.net> Mike Duvos writes: > > 1. Java is of course not a perfect language, nor even the > > best for specific applications. Other languages will > > continue to thrive. Critics of the language and related > > items (applet model, JDK, JITs, etc.) may point to various > > problems (e.g. security). > > > 2. However, the "big picture" is compelling. Java arrives > > at a time when a Babel of languages and platforms threatens > > interoperability. C++ is despised by many (though, to be > > fair, liked by many, too), and developers are adopting > > Visual Basic (and the vbx widgets, etc.), PowerBuilder, > > Delphi, flavors of Smalltalk (no pun intended), and > > scripting languages (Perl, TCL, Python, etc.). > >I completely agree with this. Java incorporates the type of >automatic corruption-proof memory management found in languages >like APL, the basic notions of object oriented programming, fast >dynamic linking, and a C-like program structure. > >This is powerful combination of features and gives Java the >potential to do all the platform-independent things that were >advertised for C before the rude reality of thousand line >makefiles reared its ugly head. . The complete specification of >the Java Virtual Machine means that the behavior of Java programs >is perfectly well-defined, and one does not have to tweek >anything which is processor or operating system dependent. Unfortunately, this last statement isn't really true. To quote from the "Java Security" paper from some Princeton researchers: The Java language has neighter a formal semantics nor a formal description of its type system. We do not know what a Java program means, in any formal sense, so we cannot reason formally about Java and the security properties of the Java libraries written in Java. Java lacks a formal description of its type system, yet the security of Java relies on the soundness of its type system. And later: The Java bytecode is where the security properties must ultimately be verified . . . . Unfortunately, it is rather difficult to verify the bytecode. . . . The present type verifier cannot be proven correct, because there is not a formal description of the type system. Object-oriented type systems are a current research topic; it seems unwise for the system's security to rely on such a mechanism without a strong theoretical foundation. It is not certain that an informally specified system as large and complicated as Java bytecode is consistent. And in the conclusions: We conclude that the Java system in its current form cannot easily be made secure. Significant redesign of the language, the bytecode format, and the runtime system appear to be necessary steps toward building a higher-assurance system. . . . Execution of remotely- loaded code is a relatively new phenomenon, and more work is required to make it safe. I do think that the ideas embodied in Java are very important, and will significantly shape the future of computing, but Java itself may be just a stepping stone on the way. From unicorn at schloss.li Fri Apr 26 23:51:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 27 Apr 1996 14:51:51 +0800 Subject: RSA129 Message-ID: <Pine.SUN.3.93.960426200445.12146G-100000@polaris.mindport.net> At one point someone asked about how the breaking of RSA129 might impact on the calculation of MIPSyears to crack a 512 bit RSA key (i.e. a PGP 512 bit key). Was there ever an answer to this question? Are there current guesses for 1024 and 512 bit keys out there? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From perry at piermont.com Fri Apr 26 23:53:33 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 14:53:33 +0800 Subject: The Joy of Java In-Reply-To: <199604262131.RAA13066@universe.digex.net> Message-ID: <199604270025.UAA01602@jekyll.piermont.com> Scott Brickner writes: > Unfortunately, this last statement isn't really true. To quote from the > "Java Security" paper from some Princeton researchers: > > The Java language has neighter a formal semantics nor a formal > description of its type system. We do not know what a Java program > means, in any formal sense, so we cannot reason formally about Java > and the security properties of the Java libraries written in Java. > Java lacks a formal description of its type system, yet the security > of Java relies on the soundness of its type system. I will point out that complete formal semantics exist for other, perfectly practical to use languages, like Scheme. > We conclude that the Java system in its current form cannot easily > be made secure. Significant redesign of the language, the bytecode > format, and the runtime system appear to be necessary steps toward > building a higher-assurance system. . . . Execution of remotely- > loaded code is a relatively new phenomenon, and more work is > required to make it safe. > > I do think that the ideas embodied in Java are very important, and will > significantly shape the future of computing, but Java itself may be just > a stepping stone on the way. I go further. Java, as envisioned, cannot be made secure. It is too powerful a language. Furthermore, it is unnecessary for the tasks that it is used for, which are basically adding fancy wacky graphics and simple applications and such to web pages. Perry From unicorn at schloss.li Fri Apr 26 23:54:05 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 27 Apr 1996 14:54:05 +0800 Subject: WWW proxies? Message-ID: <Pine.SUN.3.93.960426191223.12146D-100000@polaris.mindport.net> Has anyone developed such a beast yet? Will we have as extensive a WWW proxy network as remailer network? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From sjb at universe.digex.net Fri Apr 26 23:55:22 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 27 Apr 1996 14:55:22 +0800 Subject: The Joy of Java In-Reply-To: <199604270040.RAA09526@atropos.c2.org> Message-ID: <199604270053.UAA22329@universe.digex.net> sameer at c2.org writes: >> I go further. Java, as envisioned, cannot be made secure. It is too >> powerful a language. Furthermore, it is unnecessary for the tasks that >> it is used for, which are basically adding fancy wacky graphics and >> simple applications and such to web pages. >> > > Even though that is all it is used for now, I think it was >*intended* to be used for more. True. It's still lacking a couple of (non-language) features. The most important (and most cpunks relevant) is a mechanism to pay people to run programs for you. This sort of thing is dangerous without a safe environment. If it was safe to do so, I can see about two hundred PowerPC systems from where I sit that are idle 90% or more. As more users become permanently connected to the net (cable modems and such), there will be *millions* of computers with a little processing power each that are available for distributed tasks. The next generation of "Toy Story" just might be done in near real- time. From tcmay at got.net Sat Apr 27 00:00:01 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 27 Apr 1996 15:00:01 +0800 Subject: Is the public involved in the crypto policy debate? Message-ID: <ada69f4d020210048855@[205.199.118.202]> Alex Strasheim sent me a private message, which I did not realize was not also addressed to the list as a whole. I'll remove any of his quoted comments so I can post my comments here. (This is an important issue. I think most people who write thoughtful essays, as Alex did in his private message to me, should post their thoughts publically. "Saving bandwidth" is hardly a good thing to do when the issues are so central to why we exist as a group.) About whether we and people like us have had an influence, or are seen by Washington, Bonn, Moscow, etc. as a bunch of meddlers and spoiled children: The "vocal public sector" consists of: - the attendess at CFP and similar conferences - many of the readers of "Wired" and similar mags - nearly all members of the Cypherpunks and similar lists - a huge fraction of the readers of Usenet - various "public interest" lobbying groups, including the ACLU, EFF, EPIC, etc. - many members of the press who write articles critical of crypto policy - nearly all libertarians (and Libertarians) - professors and policy analysts who write articles critical of crypto policy - many leftists who fear government snooping, COINTELPRO, etc. - many rightists who fear government snooping, anti-militia laws, Waco, etc. This is a powerful "axis." Do Americans support our position? Some say yes. I'm not so sure we should rest easy. If the issue is rephrased as: "Should nuclear terrorists be free to plot the destruction of New York City with unbreakable cryptography the FBI is powerless to do anything about?," the answer will be "Of course not." (Well, maybe not if New York City is the exemplar....) This is why I am so skeptical of public opinion polls on crypto. Those who live by the sword shall die by the sword. And if this round of crypto regulation is "lost" by the Administration, or if a major new terrorist incident occurs, or if PGP is involved in a heinous incident, or if a more statist Administration comes to power, I fully expect a campaign invoking the Four Horsemen of the Infocalypse. Then we will likely find that "most Americans" support "reasonable restrictions" on communications privacy, including limits on crypto strength, mandatory escrow, major limits on anonymous digital cash, etc. This is why we must get to the "point of no return," the point of the phase transition, before "they" do. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sat Apr 27 00:00:36 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 27 Apr 1996 15:00:36 +0800 Subject: alias servers (al la alias.c2.org) Message-ID: <Pine.SUN.3.93.960426203004.12146H-100000@polaris.mindport.net> Is anyone besides c2.org running an alias server? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From cp at proust.suba.com Sat Apr 27 00:01:55 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 27 Apr 1996 15:01:55 +0800 Subject: Is the public involved in the crypto policy debate? In-Reply-To: <ada5d55c30021004254b@[205.199.118.202]> Message-ID: <199604262232.RAA00634@proust.suba.com> > = Tim > To be fair to Jim Bell, he made the same point a day or so ago. Then I agree with him on this. I'm not making any claims of orginality or of depth here -- it's a simple point, probably too obvious for most people here to concern themsevles with. But at the same time, it's a central point. Big business has a lot of clout in America. People who stand on soapboxes in the park (or on the net) and make impassioned speeches on behalf of liberty don't. I expect the "golden key" group will get the export restrictions on crypto killed. That's one head of the monster, although there will be other heads left. > I don't necessarily sift Stewart Baker's words for hermeneutical signs of > what the government is planning. He might just as well have included > "public opinion" in his list, and nothing would change. But he didn't. You're right, it wouldn't have altered his argument in any significant way if he had. But the public *was* left of his "policy triumverate". I don't want to read too much into it either, but he was talking about the differences between who is participating in the crypto discussions in America and in Japan -- who's included and who's excluded was central to what he was saying, not an afterthought he hadn't thought through. > And I'm quite sure that Baker, Denning, Nelson, et. al. are acutely aware > of the role of the "public" in these matters. The "public" as made manifest > in newspaper articles critical of Clipper, in "Wired" features against key > escrow and in favor of Cypherpunks-type themes, and so on. My impression is that they look at the vast majority of people who rail against clipper as spoiled children who don't know what's good for them, and who must be protected from their own folly. Of course I'm not including people like Tim in that "vast majority". Tim ought to be flattered by how seriously they take his ideas on crypto anarchy. But people like me? I don't think we figure into the equation. > While the "vocal minority" that rails against Administration policy in > sci.crypt, talk.politics.crypto, comp.org.eff.talk, this list, etc., are > not the public at large, we are certainly a part of the public. The only problem I have with this statement is that it's not strong enough. Public sentiment is overwhelmingly lopsided in support of our point of view. But does that have an effect on policy? > I think the rejection of Clipper by "the public" is proof of this. What killed Clipper? It's hard to say. There was certainly very strong public opposition, but I'm not sure it was worth as much in the end as Blaze's attack. If Clipper had worked, it would probably be alive today. Blaze's attack demonstrated that even those who aren't worried about the government's intentions ought to worry about its competence. And although opposistion to Clipper from business was less visible than the current opposition to export restrictions, it was there. AT&T was roundly criticized for agreeing to work with Clipper should it have come to pass, but they did speak out against it (and paid Matt's salary). I'm inclined to give more credit to Blaze and the companies who spoke against it than to public sentiment, although I can't think of an objective way to confirm my suspicions. > (If we were leftist theoreticians, we could debate for years or even > decades whether our movement is truly a mass movement, or just a vanguard > movement, etc.) I'm not sure those distinctions are useful, but for whatever it's worth, I don't think debates about crypto anarchy, or fights over key management are ever going to be joined by the public at large. It takes a lot of work to understand the issues, and most people have their hands full with the things that are going on in their own lives and careers. Clipper was easy to grab ahold of -- big brother wants to put a wiretapping chip in your phone, what do you think of that? I don't know that the rest of the points we'll fight over will be as accessible. The devil's in the details, and the details are hard to slog through. (I wasn't able to get any of my friends excited when Netscape let users choose which CAs to trust in 2.0b3, for example.) All I'm really saying is that having business on our side of the export issue is a good thing, and it could very well be the difference between victory and defeat, despite the fact that some of the companies in question might have questionable credentials as civil libertarians. The text Hal quoted gave some small reinforcement of that point of view, in my opinion. I wouldn't argue that it's enough to prove that big businesses have a disproportionate amount of political clout -- that's probably another job best left to the leftist theoreticians. From perry at piermont.com Sat Apr 27 00:10:26 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 15:10:26 +0800 Subject: WWW proxies? In-Reply-To: <Pine.SUN.3.93.960426191223.12146D-100000@polaris.mindport.net> Message-ID: <199604270050.UAA01645@jekyll.piermont.com> Black Unicorn writes: > Has anyone developed such a beast yet? The CERN HTTP server is a proxy out of the box. > Will we have as extensive a WWW proxy network as remailer network? Unclear. .pm From perry at piermont.com Sat Apr 27 00:17:45 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 15:17:45 +0800 Subject: The Joy of Java In-Reply-To: <199604270053.UAA22329@universe.digex.net> Message-ID: <199604270123.VAA01708@jekyll.piermont.com> Scott Brickner writes: > True. It's still lacking a couple of (non-language) features. The > most important (and most cpunks relevant) is a mechanism to pay people > to run programs for you. This sort of thing is dangerous without a > safe environment. You can do that safely without making it dangerous for your machine. I know how I would build a restricted execution environment for such markets. However, Java is 1) too slow, since if you are selling rendering cycles or such you don't want to be running an interpreter, 2) insufficently safe, and 3) paradoxically, insufficiently powerful for the sort of code you would want to run in such an environment. Perry From perry at piermont.com Sat Apr 27 00:21:12 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 15:21:12 +0800 Subject: Golden Key Campaign In-Reply-To: <199604262210.SAA27467@amsterdam.lcs.mit.edu> Message-ID: <199604270019.UAA01587@jekyll.piermont.com> David Mazieres writes: > Isn't Rabin's algorithm patented, too? There is no patent on Rabin per se. .pm From daw at cs.berkeley.edu Sat Apr 27 00:33:02 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Sat, 27 Apr 1996 15:33:02 +0800 Subject: An idea for refining penet-style anonymous servers In-Reply-To: <Uc5fx8m9LojB085yn@netcom.com> Message-ID: <4lrtrv$dq@joseph.cs.berkeley.edu> In article <Uc5fx8m9LojB085yn at netcom.com>, Alan Bostick <abostick at netcom.com> wrote: > Authorities cannot use a search > for one identity as an excuse for a fishing expedition in the address > database. [...] > There is a way that attackers who have seized or copied the database can > search it - by trying it out on anonymous IDs, or user addresses, until > they hit paydirt. So maybe this is an incremental improvement over the penet model, but I'm not yet convinced that it's really a gigantic advance. The threat model I'm most worried about is this: I post a Co$ document about clams & volcanos, under a nym. The Co$ has enough lawyers to subvert any justice system; they might be pissed off enough to target me. I don't want them to recover my name. As you point out, your improvement can't protect against this scenario. Maybe it can help protect others, so that when the Co$ scum steal the database, they can't compromise everyone who's ever used penet. But I'm not convinced-- what if the Co$ do a DejaNews search for 'anon*@penet.fi' and use each hit to query the database? I think they'll be able to break the anonymity of nearly everyone in the database. So I'll make another proposal, to try to be constructive. Write a program to translate between penet-style remailers and mixmaster/alpha style remailers. Set up a service which automatically creates a chain of nyms for you, with encryption at all the mixmaster/alpha - to - mixmaster/alpha links. People seem to (like / be familiar with / be willing to use) the penet style interface-- so use the penet syntax as the interface to the user, so the user doesn't have to know anything about what the remailers are doing behind his back. (Or use some *simple* Java/html-forms/... interface.) Advantages: to figure out the link between a nym and the real person, you have to compromise a whole chain of remailers (except for the following drawback). the nym<->person database is distributed, so is less susceptible to attack. Drawbacks: this doesn't encrypt the link between the user and the first remailer, so if Co$ can sniff on the link between you and your first remailer, you're screwed. This is still an improvement over vanilla penet.fi-- the Co$ has better lawyers than wiretappers, I suspect-- and you can also make sure your first link is just a couple of hops away. One might also contemplate using Hal's java applet to automatically pgp encrypt the first link (so you only have to assume that the web server you got the applet from is trustworthy, and that the Co$ isn't doing active attacks on you). This is still a compromise between security & usability, unfortunately. Comments? From zachb at netcom.com Sat Apr 27 00:40:00 1996 From: zachb at netcom.com (Zach Babayco) Date: Sat, 27 Apr 1996 15:40:00 +0800 Subject: trusting the processor chip In-Reply-To: <ada66cd5000210045f20@[205.199.118.202]> Message-ID: <Pine.3.89.9604261948.A21433-0100000@netcom9> On Fri, 26 Apr 1996, Timothy C. May wrote: [snip] > > Though there have been fictional accounts--e.g. the French novel > "Softwar"--about replacement of chips with TLA versions, this tack is very > hard to pull off. (The Infoworld "April Fool's Day" 1991 report that the > NSA had arranged for printers entering Iraq to be modified so as to send > intelligence info was gullibly picked up by several outfits that should've > known better and reported as fact.) > Actually, the report said that the NSA had made chips with a virus on them, and that it supposedly knocked out some of their computers. I think it was U.S. World & News that ran the story as fact, and stood by it even when it was proven to be false. Makes you wonder if the media bothers to do any fact-checking when reporting, especially when reporting on computer topics these days. zachb at netcom.com <----------- finger for public key (new key as of 4/23) zachb at odyline.com > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Licensed Ontologist | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." > > > > > From perry at piermont.com Sat Apr 27 00:46:51 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 15:46:51 +0800 Subject: The Joy of Java In-Reply-To: <199604270040.RAA09526@atropos.c2.org> Message-ID: <199604270111.VAA01682@jekyll.piermont.com> sameer at c2.org writes: > > I go further. Java, as envisioned, cannot be made secure. It is too > > powerful a language. Furthermore, it is unnecessary for the tasks that > > it is used for, which are basically adding fancy wacky graphics and > > simple applications and such to web pages. > > Even though that is all it is used for now, I think it was > *intended* to be used for more. So much the worse. I don't think its a good idea to download random programs and run them without even realizing it, especially when they run in an execution environment which is not particularly emasculated. I don't think this can be made particularly secure in the general case. It is a bad paradigm. I've said it before, and everything we've seen thus far about Java supports my contention. Perry From mpd at netcom.com Sat Apr 27 00:47:46 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 27 Apr 1996 15:47:46 +0800 Subject: The Joy of Java In-Reply-To: <ada697c601021004c3a0@[205.199.118.202]> Message-ID: <199604270221.TAA17097@netcom7.netcom.com> I wrote: > The complete specification of the Java Virtual Machine means > that the behavior of Java programs is perfectly > well-defined, and one does not have to tweek anything which > is processor or operating system dependent. Scott Brickner <sjb at universe.digex.net> writes: > Unfortunately, this last statement isn't really true. To > quote from the "Java Security" paper from some Princeton > researchers: > The Java language has neighter a formal semantics nor > a formal description of its type system. We do not > know what a Java program means, in any formal sense, so > we cannot reason formally about Java and the security > properties of the Java libraries written in Java. Java > lacks a formal description of its type system, yet the > security of Java relies on the soundness of its type > system. This is overly pessimistic. Java primitive data types are fully specified and Java operators are well-defined in the sense that their results are unambiguous with specified input. One certainly does not have situations as one has in C, where things like "int" or what happens to the sign bit on certain shifts is left up to the implementor's discretion. Even the typical "side effects" tricks with passed parameters should be impossible with Java programs. While it is true that formal meta-language descriptions of Java semantics and the universe of Java types are not currently provided for the language, and the traditional kinds of formal correctness proofs haven't been published, the language is sufficiently simple and restricted to make it unlikely that major loopholes will be discovered in this area. I would be truly surprised, for instance, if instruction sequences which unbalanced the stack, wrote out of bounds, or accessed memory locations as inconsistant types, were discovered to slip past a bytecode verifier correctly implemented according to Sun's recommendations. Saying that the current specification does not support formal proofs of correctness is far different than saying that the language itself is broken. > The Java bytecode is where the security properties > must ultimately be verified . . . . Unfortunately, it > is rather difficult to verify the bytecode. . . . The > present type verifier cannot be proven correct, because > there is not a formal description of the type system. Again, he is not saying that the type verifier isn't correct, merely that the materials with which to construct a proof have not yet been dumped on top of his desk. > Object-oriented type systems are a current research > topic; it seems unwise for the system's security to > rely on such a mechanism without a strong theoretical > foundation. It is not certain that an informally > specified system as large and complicated as Java > bytecode is consistent. Not certain, but very very likely. Due to the restricted nature of Java and the bytecode, the checks that need to be done are fairly simple transitive closures of relations involving local program structure. While the general theory of object-oriented runtime structures can get hairy, Java's elimination of things like multiple inheritance makes its own corner of this universe considerably more tractable. > We conclude that the Java system in its current form > cannot easily be made secure. Significant redesign of > the language, the bytecode format, and the runtime > system appear to be necessary steps toward building a > higher-assurance system. . . . Execution of remotely- > loaded code is a relatively new phenomenon, and more > work is required to make it safe. This summary might be a bit more impressive if the author had included a bytecode fragment or two as a concrete example of where such changes were necessitated. > I do think that the ideas embodied in Java are very > important, and will significantly shape the future of > computing, but Java itself may be just a stepping stone on > the way. I think Java, as currently specified, is going to be around for quite a while. I further think that the concerns expressed above will be addressed by augmentation of the existing specifications and by construction of the necessary proofs of correctness, and not by drastic surgery on the language and virtual machine as they currently exist. In any case, the anarchy of the free market rarely takes notice of the theoretical musings of academicians. Until Java experiences a catastrophic and public train wreck, people will continue to use it and its reputation will continue to grow. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From sameer at c2.org Sat Apr 27 00:53:48 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 27 Apr 1996 15:53:48 +0800 Subject: WWW proxies? In-Reply-To: <199604270050.UAA01645@jekyll.piermont.com> Message-ID: <199604270128.SAA12508@atropos.c2.org> > > The CERN HTTP server is a proxy out of the box. CERN HTTP has a few problems: A) It is slow B) It requires client-software cooperation C) Doesn't allow chaining D) Doesn't do crypto. C2 will be soon announcing an anon proxy which eliminates both problems B and C. Eliminating problem D will be done in the near term, and eliminating problem A will be done in the long term. (BTW: We are in search of a gfx designer for this project. Please contact me if you know someone) > > > Will we have as extensive a WWW proxy network as remailer network? > > Unclear. > > .pm > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From weidai at eskimo.com Sat Apr 27 01:01:44 1996 From: weidai at eskimo.com (Wei Dai) Date: Sat, 27 Apr 1996 16:01:44 +0800 Subject: factoring estimates In-Reply-To: <Pine.SUN.3.93.960426200445.12146G-100000@polaris.mindport.net> Message-ID: <Pine.SUN.3.93.960426202534.22851A-100000@eskimo.com> On Fri, 26 Apr 1996, Black Unicorn wrote: > Are there current guesses for 1024 and 512 bit keys out there? The best estimates from before the break of RSA130 is (see The Future of Integer Factorization by Andrew M. Odlyzko): bits MY required log base 2 of total instructions 428 1000 55 512 3*10^4 60 1024 3*10^11 83 2048 3*10^20 113 The factoring of RSA130 proved that a 432 bit number takes only 500 MIPS-years. Therefore the above estimates should be divided by 2: 432 500 54 512 1.5*10^4 59 1024 1.5*10^11 82 2048 1.5*10^20 112 Wei Dai From snow at crash.suba.com Sat Apr 27 01:24:10 1996 From: snow at crash.suba.com (Snow) Date: Sat, 27 Apr 1996 16:24:10 +0800 Subject: Nazis on the Net In-Reply-To: <199604231853.UAA04047@utopia.hacktic.nl> Message-ID: <Pine.LNX.3.91.960426222544.371C-100000@crash.suba.com> Sorry about spewing this to the List, but nobody at replay.com wouldnot get it back to him. On Tue, 23 Apr 1996, Anonymous wrote: > E. ALLEN SMITH writes: > | (one reason for Hiroshima and Nagasaki being right > | was the Japanese alliance with Germany) > Was Dresden also right? (more died than at Hiroshima) The firebombing Yes. War, especially in the modern era requires a large industrial base to maintain (well, non-guerilla operations anyway) > of Tokyo? (10% died in one raid). Stalins execution of his own people? Yes, as above. To accomplish his goals, yes. IMO, no. > Look at facts, not propoganda, before coming to such conclusions. > The conventions of war (namely the aim of keeping civilians out of it, > along with good treatment of prisoners) evolved over many centuries, Centuries? Maybe 3 of them, the 1600's, 1700's and 1800's, more like never. > but then come the Brits and the Yanks to destroy it all with their > indiscriminate bombing of civilians, using the "they can stop the > torture simply by surrendering," and "those bombs saved countless There has been a long history of taking the war to the civilians. Salting crop land, poisoning wells, burning cities--long before Sherman marched on Atlanta civilians were targets. The Aristocracy didn't approve publically, but what does a blockade accomplish if not to deprive civilians of certain things? Yes, it also keeps it out of the hands of the Military, but it also affects non-military. > [American/British] lives!" excuses, and directing attention away from > their own attrocities by spreading propoganda such as soap made from > Jews. Then to direct attention away from themselves even further, the > victors judge the defeated at Nuremburg for "war crimes," when the > accusors themselves were guilty of terror bombing, the worst war crime > of them all. War is a most nasty thing, and often fought by people who are at very impressionable age (young men). Watching your friends and buddies die is a tough thing for most, as is killing other people. For most people killing is not something to be done lightly, and it is necessary to work them into a state were killing is possible. This state also tends to make certain actions seem like a good idea. As to the Strategic decesions like the bombing of Dresden and the Nuking of Japan, well, when is the last time a Political leader (and High Ranking Generals ARE Political Leaders) actually stopped to consider the lives or feelings of people that aren't going to vote for hir? > | and the Holocaust (people who claim > | it didn't happen are calling my paternal grandfather a liar). > > Does anybody really claim it did not happen? I doubt it. > I assert that those who express doubt over details of the current > story (such as the numbers that died in the camps, the existence of > gas chambers, or whether Hitler gave an order to systematically kill > Jews) are referred to by the media as saying that the Holocaust didn't I doubt Hitler explicitly said "Kill all the jews for me would you Gobby?" but hey, the guy was the ABSOLUTE RULER, he made his desires known, and things happened. > happen, but that is *not* what they are saying. With regard to your > hundreds of thousands of people died, then who would disagree with him? > If on the other hand he asserts that he saw gassed Jews at Dachau, > then he is mistaken (although not necessarally a liar.) I don't know enough WWII history to know how the Nazis were attempting to solve the "Jewish Problem" at Dachau, but I hear that Belson was a Gas <sorry> > The Nuremberg Trials...had been popular throughout the world and > particularly in the United States. Equally popular was the sentence > already announced by the high tribunal: death. But what kind of trial was > this? ...The Constitution was not a collection of loosely given political > promises subject to broad interpretation. It was not a list of pleasing > platitudes to be set lightly aside when expediency required it. It was > the foundation of the American system of law and justice and [Robert Taft] ^^^^^^^^^^^^^^^^^^^^^^ > was repelled by the picture of his country discarding those Constitutional > precepts in order to punish a vanquished enemy. I wasn't aware that the US Constitution could be applied outside the US. While I understand why you use a remailer, I wish you'd post some address that I could send mail to rather than cluttering up the list. Petro, Christopher C. petro at suba.com (prefered) snow at crash.suba.com From perry at piermont.com Sat Apr 27 01:27:10 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 27 Apr 1996 16:27:10 +0800 Subject: Golden Key Campaign In-Reply-To: <199604270039.RAA09438@atropos.c2.org> Message-ID: <199604270101.VAA01670@jekyll.piermont.com> sameer at c2.org writes: > > David Mazieres writes: > > > Isn't Rabin's algorithm patented, too? > > > > There is no patent on Rabin per se. > What do you mean by "per se"? Rabin is covered by the patents on public key itself. It is the contention of RSA DSI that the patent on RSA claims all public key methods that use exponentiation. I do not believe this to be the case, but I am not the god of patents. There is no direct patent on Rabin, however. Perry From snow at crash.suba.com Sat Apr 27 01:28:22 1996 From: snow at crash.suba.com (Snow) Date: Sat, 27 Apr 1996 16:28:22 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <199604251236.OAA09404@utopia.hacktic.nl> Message-ID: <Pine.LNX.3.91.960426235849.371H-100000@crash.suba.com> On Thu, 25 Apr 1996, Anonymous wrote: > It is because of such baseless inferences, I have to remain anonymous. I would > dearly love to debate under my real name, but am prevented from doing so by the > neo-Nazi name-calling. No, you aren't. Get a fscking freenet account so we can take this to email. > Yes you are correct, I disagree that Abraham Lincoln was better than those in > the South, not for racial reasons (remember, the Civil War was *not* about > slavery, because the slavery issue only arised *after* the war started), but No, the war was over states rights and economics. Slavery was one of the issues involved in the states rights debates. From sameer at c2.org Sat Apr 27 01:32:02 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 27 Apr 1996 16:32:02 +0800 Subject: Golden Key Campaign In-Reply-To: <199604270019.UAA01587@jekyll.piermont.com> Message-ID: <199604270039.RAA09438@atropos.c2.org> What do you mean by "per se"? That it might be covered by the Stanford patents? (Those are the ones that allegedly cover all public-key, right?) > > David Mazieres writes: > > Isn't Rabin's algorithm patented, too? > > There is no patent on Rabin per se. > > .pm > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From snow at crash.suba.com Sat Apr 27 01:41:25 1996 From: snow at crash.suba.com (Snow) Date: Sat, 27 Apr 1996 16:41:25 +0800 Subject: Golden Key Campaign In-Reply-To: <Pine.SUN.3.93.960424141313.12174A-100000@eskimo.com> Message-ID: <Pine.LNX.3.91.960426232131.371F-100000@crash.suba.com> In for a dime, in for a dollar. On Wed, 24 Apr 1996, Wei Dai wrote: > You can do signatures with Rabin too. I have a version of it in > Crypto++ 2.0. It's been out for a while and RSA hasn't bothered me about > it. > Does anyone want to explain why, given the alternatives, people continue > to use RSA and pay for it? Reputation Capital? Petro, Christopher C. petro at suba.com <prefered> snow at crash.suba.com From llurch at networking.stanford.edu Sat Apr 27 01:42:01 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Apr 1996 16:42:01 +0800 Subject: Nazis on the Net In-Reply-To: <Pine.LNX.3.91.960426222544.371C-100000@crash.suba.com> Message-ID: <Pine.GUL.3.93.960426211955.6711B-100000@Networking.Stanford.EDU> On Fri, 26 Apr 1996, Snow wrote: > Sorry about spewing this to the List, but nobody at replay.com would not get > it back to him. I'm glad *somebody* realized that. I believe there have been at least a half dozen messages Cc'd to nobody in the last couple days. [everything of "substance" deleted] > While I understand why you use a remailer, I wish you'd post some > address that I could send mail to rather than cluttering up the list. Based on other discussions we've had, I believe I've sent Nobody the FAQ for the alpha.c2.org remailer. Another, minimum alternative would be to post anonymous messages with a PGP signature. This would at least answer the questions of whether the Mr. Nobody that posted the Iron Mountain hoax is the same Mr. Nobody who spews about Dresden. If Nobody needs help getting an alpha.c2.org account to work, and he doesn't trust anybody here, then I recommend whitewolf at alpha.c2.org, an avowed National Socialist who 1) will not betray Nobody's trust and 2) is not subject to surveilance, because all messages to him will arrive PGP-encrypted, to be read offline. Another Nazi who seems to know a lot about how alpha.c2.org works, because he traced my friend Erin's nym back with a traffic-analysis spam, is ralphj at eskimo.com. I would recommend "Dave Harmon," but he had his netcom account yanked because he kept forging cancels for my and others' Usenet posts, among other things I can't talk about. I believe the same person can be reached through the penet.fi pseudonym "Skipper's Hammer," though. Hope this helps. At least with a stable nym, we'd be able to flame you for off-topic posts. -rich From sandfort at crl.com Sat Apr 27 01:45:36 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 27 Apr 1996 16:45:36 +0800 Subject: Click here to become an International Arms Trafficker In-Reply-To: <2.2.32.19960426091033.00688010@gateway> Message-ID: <Pine.SUN.3.91.960426194348.11804A-100000@crl4.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Fri, 26 Apr 1996, David K. Merriman wrote: > Well, I'm ITAR violator # 6 :-) I am #3. Who is #1? Gee, that sounds sorta familiar. I hope we don't end up as Prisoners. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From snow at crash.suba.com Sat Apr 27 01:47:17 1996 From: snow at crash.suba.com (Snow) Date: Sat, 27 Apr 1996 16:47:17 +0800 Subject: trusting the processor chip In-Reply-To: <m0uCa4r-00094aC@pacifier.com> Message-ID: <Pine.LNX.3.91.960427002329.371K-100000@crash.suba.com> On Thu, 25 Apr 1996, jim bell wrote: > > This analysis seems to assume that the entire production run of a standard > product is subverted. More likely,I think, an organization like the NSA > might build a pin-compatible version of an existing, commonly-used product > like a keyboard encoder chip that is designed to transmit (by RFI signals) > the contents of what is typed at the keyboard. It's simple, it's hard to > detect, and it gets what they want. I thought that most (all?) chips already radiated on the electromagnetic spectrum? Isn't that what tempest is about? From frantz at netcom.com Sat Apr 27 01:55:15 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 27 Apr 1996 16:55:15 +0800 Subject: The Joy of Java Message-ID: <199604270100.SAA11735@netcom9.netcom.com> At 3:57 PM 4/26/96 -0700, Timothy C. May wrote: >I think the interesting target date to plan for is a year from now. I said a few months ago that I thought Java would be ready for prime time in a couple of years. I think we are in complete agreement here. >>(1) There are not many sources of high-quality entropy available to Java >>applets. Keystroke timings and scribble windows are probably the best >>sources, but may represent an inconvenience for users. > >Shouldn't be any worse or any better than with the status quo, right? I'm >not sure I see the Java issue. (I've been looking at SoundClip and >AudioClip, but only cursorily.) I think it is a bit worse since an applet doesn't get access to a lot of stuff a C program, or even better an OS gets. A C program has a lot of environmental queries that might produce some entropy, although they would also be available to an attacker on the same system. The OS has access to interrupt times, mouse movements, and keyboard timings for ALL the applications that have run since boot. >By the way, Hal Finney is working on a bignum package. I know. I have an (old) version on my disk. AFAIK, Hal is the most active person developing crypto and crypto related Java code. He deserves thanks from all of us. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sameer at c2.org Sat Apr 27 02:07:15 1996 From: sameer at c2.org (sameer at c2.org) Date: Sat, 27 Apr 1996 17:07:15 +0800 Subject: The Joy of Java In-Reply-To: <199604270025.UAA01602@jekyll.piermont.com> Message-ID: <199604270040.RAA09526@atropos.c2.org> > > I go further. Java, as envisioned, cannot be made secure. It is too > powerful a language. Furthermore, it is unnecessary for the tasks that > it is used for, which are basically adding fancy wacky graphics and > simple applications and such to web pages. > Even though that is all it is used for now, I think it was *intended* to be used for more. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From hochiminh at alpha.c2.org Sat Apr 27 02:14:01 1996 From: hochiminh at alpha.c2.org (hochiminh at alpha.c2.org) Date: Sat, 27 Apr 1996 17:14:01 +0800 Subject: code vs cypher Message-ID: <199604270331.UAA23746@infinity.c2.org> Perry E. Metzger" <perry at piermont.com> writes: pm> tm> Timothy C. May writes: pm> tm> Well, I was not invited to join the elite and secret pm> tm> coderpunks list, pm> It is neither elite nor secret. It is fairly high signal to noise. pm> I think only about one in every fifty or so cypherpunks pm> messages has any content at all worth mentioning. Agreed! I wasn't "invited". I simply requested access and was quickly welcomed to the list. pm> tm> but I still have some thoughts on coding and, pm> tm> especially, on the opportunities offered by Java. pm> tm> Sorry if this interferes with discussions of Rabbi pm> tm> Heir and Morris Dees. pm> You have no right to grumble about the situation here. pm> It is exactly what you wanted. Here you were, a person pm> of some personal gravitas and moral authority, and you pm> put your stamp on the "post whatever you like; don't let pm> the grumbling censors stop you". Well, as you sow, so pm> shall you reap. Its your fault, more than anyone else's. TC May was not the first person to substantialy digress from chartered topics but he certainly "ran with the ball" when he got his chance to expose his ignorance and intolerance of other races and religions ( the cypher-relevance or "charter topicality of which always escaped me). I was discouraged by the encouragement given to the murder advocating moron, Jim Bell to post his insance littany. pm> If Cypherpunks has become a cesspit, well, its YOUR cesspit, pm> Tim. Its the list you always strove to create, but it appears pm> that you now don't like the smell of your own wallow. Well, pm> sorry. Deal with it. Well put, Perry! From alano at teleport.com Sat Apr 27 02:18:47 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 27 Apr 1996 17:18:47 +0800 Subject: Reminder: PDX Physical Cypherpunks Meeting Saturday Message-ID: <2.2.32.19960427023120.00a27cf8@mail.teleport.com> A reminder for those who are intending to show up.... If you are intending on being involved with the key signing, please send me your public key(s) so that they can be included. -----BEGIN PGP SIGNED MESSAGE----- There will be another physical meeting on the Cypherpunks in Portland, OR. The particulars: Location: Powell's Technical Bookstore 33 NW Park Portland, OR 97209 (Just north of Burnside off of the Park blocks.) Date: April 27th, 1996 Time: 5:23pm Discussions will cover: ** A Portland Remailer ** Various Coding Projects ** Events in the News ** Other Projects related to Crypto (Web sites and Documentation) ** Possible PGP Keysigning (Depends on the response) ** General Discussion Devolving into Chaos If you have any other topics for discussion, bring them up at the meeting or you can e-mail me in advance. Powell's Technical Book has a good selection of crypto books, so you might want to be prepared. (Do not bring money you cannot afford to spend. Powell's has an evil force that seduces people into buying books.) A PGP keysigning will be held if there are enough interested people. If you are interested in participating, please send me your public key via e-mail. Any comments, suggestions, ideas, and/or complains can be sent to me at alano at teleport.com. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMXMZZeQCP3v30CeZAQG0/Af/To2q0fuLk8Q6KquP+6LX1/1EOqGGoxBZ jWfCJoz40Wk1EHMJMis+XpiPgcXg2nAZNeQXubS4Q9se8uGG57UbzpX8rv5GnzdV HWimufNeL/bfxSn+OYswTEQExSwG2V/TSWZNwfFf5Xl/6V0zy1Xa5qY8CEtXn1fr 3/vXicYexd3NwSvToN5udYYtUe2kH14O3RIoXAnaJwMZLvS+oiDzw8LWXI7UMdsf akUbhisfgf/lu3wiMVQkN2hdP15rioIlAhryA0skvl1fxh3OkFC8/GDJpRBRWD+K RjO5VgRRXYrQUG4PKAK8Y1/PSINzandOkaMc2duaSshslZYyI3YRmg== =zD1a -----END PGP SIGNATURE----- --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From dp at world.std.com Sat Apr 27 02:19:11 1996 From: dp at world.std.com (Jeff DelPapa) Date: Sat, 27 Apr 1996 17:19:11 +0800 Subject: Joy of Java Message-ID: <199604270335.AA06305@world.std.com> Scott Brickner <sjb at universe.digex.net> wrote: > >And later: > > The Java bytecode is where the security properties must ultimately > be verified . . . . Unfortunately, it is rather difficult to verify > the bytecode. . . . The present type verifier cannot be proven > correct, because there is not a formal description of the type > system. Object-oriented type systems are a current research topic; > it seems unwise for the system's security to rely on such a > mechanism without a strong theoretical foundation. It is not > certain that an informally specified system as large and complicated > as Java bytecode is consistent. > >And in the conclusions: > > We conclude that the Java system in its current form cannot easily > be made secure. Significant redesign of the language, the bytecode > format, and the runtime system appear to be necessary steps toward > building a higher-assurance system. . . . Execution of remotely- > loaded code is a relatively new phenomenon, and more work is > required to make it safe. > >I do think that the ideas embodied in Java are very important, and will >significantly shape the future of computing, but Java itself may be just >a stepping stone on the way. Given the crowd here, this is likely stating the obvious, but it has never failed to provoke spluttering from the Sun employees I have tried it on. The thing not mentioned in this excerpt is that at best, the verification will have been done for the Sun implementation of the byte code engine. There have been announcements of competing implementations of the the engine, and any assumptions of safety are out the window in that case. Sun doesn't have any control over Java the byte code engine, anyone who wants can build one. (and at 40kb total size, it is a tractable thing for an undergrad that didn't manage to find a summer job). Sun does control Java the logo, and can deny a license to use it. That is likely to become a meaningless distinction -- If somone will install a disk recieved unsolicited in the mail, or handed to them at a trade show (how hard can it be to re-seal AOL packaging, such that a casual recipient won't notice), they aren't bright enough to insist on genuine Sun brand Java. If it becomes an expected thing, that all browsers/os's/toaster-ovens have a java byte code engine in them, there will be a sizable number sold without "benifit" of trademark (at the low end if nothing else, Sun does expect to be paid to use the steaming cup). Not all of them will have sufficient rigor applied to their development. Once common, then things get interesting. The press will (for lack of anything else to do, as all the engines are supposed to act identically) start to benchmark the competing implementations. At that point, under pressure to "get good numbers", some of the more "expensive" operations will be "tuned". Other restrictions might be sacrificed in order to have something ready for Comdex... Can't happen you say? I still remember when some of the PC video makers got caught special casing the strings in one of the big magazines benchmarks. Unfortunately, Sun has designed a fine example of a "Square Peg". As OAK, it was a moderately good fit for the intended use. With zillions of set top boxes, and a limited number of sources of product (national/regional controlled entry broadcaster model), you had to have remote execution, nobody could build a big enough set of servers. Since it was coming from a broadcaster, you could get away with trusting signed code -- not just any bozo can get video broadcast nationally (unless it is violent, and even then they time base correct it), the same would be true of set top code. Since it meant selling hardware (engine in rom), there would be a limited number of sources of system code -- the above mentioned undergrad would find it difficult to find enough capital to get a mass market hardware product to market. And when you get down to it, with only a few meg of ram, and no disk, there really wasn't a huge amount of data to compromise. Now lets examine what they are trying to do with it. It is a software only item currently, thus it has very low entry barriers. Code can be put up by any bozo with $10/month to pay a local web provider -- even if the code is signed, you may not be able to get at the author of an applet, either because of national boundries, or anonymity. And you get to run the stuff on a machine with a lot of state (all the dells and gateways sold today had at least a gig of state spinning there to browse), and a live net connection (back to the source if nothing else) to transmit interesting things back with. Looks like a bad fit to me. But the PR department does have a big hammer, and they are beating on it, and the hole is starting to give a bit -- they have it forced about halfway now... To get a round peg, they have to build a system at the A2 trust level. That means a verified design, and an implementation checked against that design. Sun hasn't done the design side of the game, if the comments made about the design by the Princeton group are accurate. Lacking a verifiable design, even Sun's implementation must be doubted. But it doesn't end there, the browser that surrounds the byte code engine can compromise even a good implementation (as netscape has demonstrated), and last, Sun has no way to ensure that everything that executes the byte codes is a "good" implementation. We don't even have to assume malicious intent on the engine builder, accidents have already supplied us with enough examples of how it can go wrong. (tho it is easier if you put the hole there -- you don't have to be skilled enough to find a hole to exploit, just good enough to add a hole to an existing implementation) <dp> From frissell at panix.com Sat Apr 27 02:39:53 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 27 Apr 1996 17:39:53 +0800 Subject: US law - World Law - Secret Banking Message-ID: <2.2.32.19960427033035.00d183b0@panix.com> At 04:55 PM 4/26/96 -0400, Black Unicorn wrote: >First of all, and as one of the only western powers to do so, the United >States taxes its citizens on _worldwide income_. While this in itself, >with a proper foreign tax credit system, is not offensive, when the Unites >States adds to this a very wide scope of extraterratorial jurisdiction and >compelled process, it becomes more than tax. Further, the United States >implements policy it cannot directly legislate constiutionally through >taxation. Just to make it perfectly clear... The US (and the Philippines) are the only countries in the *civilized world* that tax non-resident citizens. This means, par example, that if you are born in the US and leave at the age of 2 days, never return, never get any services from any US government, you are subject to full US federal taxation. If you happen to reside in a country with no tax treaty with the US, you will owe local country taxes *plus* US federal taxes simply because of citizenship. In any of the European countries, you can eliminate your tax liability for foreign (out-of-country) source income simply by moving overseas. They tax all residents but only non-resident citizens who have domestic source income. The US grabs everything even if you've had virtually no US contacts. This is why some rich Americans have renounced their citizenship to avoid taxes on their non-US income, rich Brits don't have to renounce they can keep their citizenship and just move. >It is partly the arrogance of many U.S. citizens, and the view that their >government knows the one single way to conduct economic and foreign >affairs, that empowers the United States to impose her tax and >economic policy on unconnected sovereigns thousands of miles away. Note the other areas this has applied as well. Roosevelt's outlawry of private posession of gold by Americans made it a crime for Americans to own gold anywhere on earth. And the proposed regs on licensing of space launches prohibited Americans from committing unlicensed space launches anywhere on earth. DCF "Note that no woman has ever conquered Europe but several men have. No point, I just thought it was interesting." From daw at cs.berkeley.edu Sat Apr 27 02:46:33 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Sat, 27 Apr 1996 17:46:33 +0800 Subject: WWW proxies? Message-ID: <199604270555.WAA00661@joseph.cs.berkeley.edu> In article <Pine.SUN.3.93.960426191223.12146D-100000 at polaris.mindport.net> you write: > > Has anyone developed such a beast yet? > > Will we have as extensive a WWW proxy network as remailer network? > Here's what I know of. You could get an anonymous www.c2.org account and websurf from it. You can also publish web pages anonymously from c2. See http://www.c2.org/anon.phtml It looks like there's an experimental anonymizing proxy up in France (if you can tolerate the link delay): http://hplyot.obspm.fr:6661/ http://hplyot.obspm.fr:80/~dl/anonproxy.txt I haven't tested it myself, though. CMU has a web anonymizer at http://anonymizer.cs.cmu.edu:8080/ Unfortunately, it's not useable by the public yet. (They promise to release it in early 1996.) Decense is a early prototype of a double-blind penet-style "re-webserver": http://www.clark.net/pub/rjc/decense.html Wei Dai has talked about PipeNet, a network of "re-routers" for general Internet traffic. Unfortunately, at this point, it's only a pipe dream on the whiteboard (as far as I know-- correct me if I'm wrong!). If I left any out, let me know. I hope to get a chance to play with these things (and possibly install one on my machine) during the summer, when I'll have some more free time. Whee! From llurch at networking.stanford.edu Sat Apr 27 03:00:42 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 27 Apr 1996 18:00:42 +0800 Subject: [NOISE] Re: Nazis on the Net In-Reply-To: <Pine.LNX.3.91.960426235849.371H-100000@crash.suba.com> Message-ID: <Pine.GUL.3.93.960426231143.6711C-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Snow wrote: > On Thu, 25 Apr 1996, The Troll wrote: > > It is because of such baseless inferences, I have to remain anonymous. I would > > dearly love to debate under my real name, but am prevented from doing so by the > > neo-Nazi name-calling. > > No, you aren't. Get a fscking freenet account so we can take this > to email. Who says he doesn't have one? This is the most un-PC place you can get. He's just trolling. For all you wonderful open-minded folks who have made up your mind about me, please see http://www-leland.stanford.edu/~ajg/ for an ACCURATE perspective on my character and views that should surprise just about everybody who has trolled here. Please note that ajg has already received dozens of comments, has already turned in the paper, and is very busy on another. She knows about a few typos and technical errors, and she knows that she misquoted me once. -rich From stewarts at ix.netcom.com Sat Apr 27 03:13:25 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Apr 1996 18:13:25 +0800 Subject: RSAREF dos not give you access to RSA Message-ID: <199604270629.XAA05305@toad.com> At 05:48 PM 4/26/96 -0400, David Mazieres <dm at amsterdam.lcs.mit.edu> wrote: >> 5) the price of RSA is fairly low, once free RSAREF came out >RSAREF does not give you RSA. Do not think that you can write and >distribute free software that uses RSA encryption in the US just >because of the existence of RSAREF. If you don't believe me, let me >tell you a little story. [ really atrocious story of RSA's non-responsiveness, deleted] >The RSAREF license strictly requires that you only use the documented >RSAREF interface, which does not include direct access to the RSA functions. Yeah, that's a good point, and it'd slipped my mind since the PGP permission was eventually granted. For some applications of RSA, you can use RSAREF to do them; you may have to not mind an extra DES layer thrown in where you really don't need it, and the resulting ugliness. (But at least encrypting a random session key with a random DES key doesn't provide much hook for a DES-cracker.) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From des at juno.com Sat Apr 27 03:31:46 1996 From: des at juno.com (David E Smith) Date: Sat, 27 Apr 1996 18:31:46 +0800 Subject: alias servers (al la alias.c2.org) In-Reply-To: <Pine.SUN.3.93.960426203004.12146H-100000@polaris.mindport.net> Message-ID: <19960427.020607.14462.3.des@juno.com> On Fri, 26 Apr 1996 20:30:38 -0400 (EDT) Black Unicorn <unicorn at schloss.li> writes: > >Is anyone besides c2.org running an alias server? > There's a few of them - nym.gondolin.org, nym.alias.net, and alias.alias.net are the others that leap to mind just now. Of course, having just previewed the Juno "free-email" service, I might count it also. dave (really dsmith at midwest.net - pay no attention to the nym behind the curtain!) From dan at dpcsys.com Sat Apr 27 04:47:00 1996 From: dan at dpcsys.com (Dan Busarow) Date: Sat, 27 Apr 1996 19:47:00 +0800 Subject: The Joy of Java In-Reply-To: <199604270040.RAA09526@atropos.c2.org> Message-ID: <Pine.SV4.3.91.960427003947.6962C-100000@cedb> On Fri, 26 Apr 1996 sameer at c2.org wrote: > > > > I go further. Java, as envisioned, cannot be made secure. It is too > > powerful a language. Furthermore, it is unnecessary for the tasks that > > Even though that is all it is used for now, I think it was > *intended* to be used for more. At Usenix 96 in San Diego it was pointed out that applets are an abberation. This is a complete language designed to displace C++, Visual Basic and other OO languages. Thinking of Java as simpy a Web enhancement tool is short sighted. Personally it is more attractive than C++ for product development and we are trying to get it on FreeBSD, SCO UnixWare and SCO OSR5. Using Java for applets _only_ is like fucking your mother... Most of us are not into it. Dan -- Dan Busarow DPC Systems Dana Point, California From rich at c2.org Sat Apr 27 05:46:49 1996 From: rich at c2.org (Rich Graves) Date: Sat, 27 Apr 1996 20:46:49 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file Message-ID: <199604270912.CAA07530@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- If you are involved with the affairs of a large organization, I urge you to check www.whoswhere.com to see if they have a bunch of user email addresses that they shouldn't. Of course there is little that one can do about this kind of invasion of privacy. But they don't have to be so fucking blatant and stupid about it. They have the email addresses of DAEMONS from our password files in their database. There is no need for mailbombing, or anything like that. Our lawyers are simply going to nuke them from orbit. Please check them out before they go offline, so that you will have a shot at whatever is left. - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYHku43DXUbM57SdAQGQpwP/U9TzWE2vEjHYZo4eniVctFe3pVe0KIQe FvdNOWTykqfgEyhagKuifmRwUgjjIcIZONzRDw1Hi7UrJbOghH3j9sW5wxsphbxU 3U0hHuKumAczUHn03IVkkF4JpobawEgHqqP1Y++PhNopAvqnVSu+hnf5aIS1R390 MlUiwpoo0OE= =+Mm2 -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Sat Apr 27 05:48:46 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Apr 1996 20:48:46 +0800 Subject: The Joy of Java Message-ID: <199604270944.CAA07981@toad.com> >From my perspective, the biggest win of Java isn't the security, though that's certainly important. It's that it's a reasonably powerful virtual machine that doesn't need to run on Microsoft operating systems, though it can (except Win3.1, of course.) That means that decent small application software can be written that doesn't have to be locked into the far less secure/reliable DOS/Windows/95 architectures, and can run on Macs and Linux and Unix, a bit slowly, but with a lot less baggage. (Maybe 16-bit code is gone from NT 4.0, but it's not going to run on 386s!?!) Yes, you may want to be careful with code that autoloads from web pages, but you don't have to be quite as paranoid with Java from ftp sites as you did with MS binaries, and you can be more comfortable with applets like word processors and data-crunchers knowing they won't be doing all the "helpful" things MSOffice likes to help you with. # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stewarts at ix.netcom.com Sat Apr 27 05:50:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Apr 1996 20:50:53 +0800 Subject: trusting the processor chip Message-ID: <199604270939.CAA07905@toad.com> >> By NSA standards, it is simple. NSA has probably had its own >> semiconductor fabs for 30+ years. >Yep. Regardless of whether the fabs are government property or not, >it's a sure thing that some contractors have appropriately SCIFfed >fabs and appropriately cleared staffs. There's an interesting Moore's Law wrinkle to this. Not only does processor speed double every 18 months, but the cost of the chip fab plant for each generation of technology also doubles. Intel's building some $2B plants now, and who knows what the x886 CPU and 256MB memory fab plants will cost. While the costs are somewhat lower for a low-volume plant than a high-volume one, at some point it will be much harder (as a percentage of their total budget) for the NSA to stay ahead of the power curve, and they'll have to switch over to designs like highly-custom applications on commercial FPGAs and such. And "appropriately cleared staffs" are also harder to find as the chip business internationalizes. Back when I was a tool of the military-industrial complex, I was working on an RFP that had a heavy-duty "buy American" policy, not only for economic protectionism but to make sure that UnAmerican Foreigners didn't subvert the designs for critical components to add security leaks. For instance, the controller chips for disk drives, and raw EPROM. We eventually got them to let us use imported commercial products as long as any design and construction that was actually specific to the customer was done in the US, on the assumption that the Singaporean Espionage Service wasn't going to put back-doors in all the disk drives their city exported, and the Korean CIA wasn't going to put extra pins in their EPROMS that would replace the contents with hacked versions designed to steal US Secrets :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stewarts at ix.netcom.com Sat Apr 27 06:01:41 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Apr 1996 21:01:41 +0800 Subject: WWW proxies? Message-ID: <199604270939.CAA07910@toad.com> At 07:13 PM 4/26/96 -0400, Black Unicorn <unicorn at schloss.li> wrote: >Has anyone developed such a beast yet? Good timing for the question! As Perry pointed out, the CERN httpd provides basic proxy functions, but it doesn't do the anonymizing job of deleting/replacing information your browser may output to a CGI script, so it's only a partial solution. The pre-beta-test anonymizer proxy Sameer mentioned does the main protocols, though doesn't anonymize https: yet; doing the job right is difficult or impossible without support in the browser for features such as double-encrypted SSL sessions (one layer of encryption between the browser and proxy, and an end-to-end connection between the browser and the destination server.) [Jeff - any chance of this unlikely feature being supported?] I tried doing an https: connection to the proxy, but something wasn't in the directory it expected; that's what betas are for :-) Alternatively, maybe an SSH connection could work? >Will we have as extensive a WWW proxy network as remailer network? That's partly a technical question, and partly a social/economic one. The technical parts are whether it's easy to install an anonymizer on your web server (at least for Unix and maybe NT users), and whether there's a big drawback if you do, like performance hit or extra charges from your ISP. There's also a technical issue of whether anon-proxies will be quiet underground things, or whether there'll be some convenient coordination mechanism, such as random.anonymizer.com being a DNS hack that picks a random anonymous server that can be temporarily registered by just starting an anonymizer application. The social parts of the question are how we get people to _want_ to install it, and how we get them to keep running it once it gets annoying. A good PR job can help, especially if installation+registration is a one-or-two-button thing; using one anonymizer nags you to install your own. Perhaps somebody will find a convenient way to add only-mildly-annoying advertising to the anonymizers, or to collect digicash without discouraging users, giving some tradeoff between social responsibiity and crass profit motives, and allowing a spectrum of anonymizers to operate. Of course, especially with some profit-making services (e.g. the Anonymous Porn Proxy or the Hemp Buyers' Privacy Connection) the server may have trouble convincing customers that the anonymity is really being preserved, whether from government subpoenas, junkmail and credit card fraud, or future resale to Blacknet. The other side of the propagation problem is keeping proxy providers willing to run their services after they have problems because of how their service is used. One problem is spammers and other abusers. Suppose somebody uses your anonymizer to connect to a web-posting page or mailto: and spams a big mailing list or newsgroup with objectionable material, like the <perjorative deleted> spammer who sent hate mail from my remailer to the various gay newsgroups signed with some innocent bystander's name. At best you get flamed; at worst your ISP drops your service. Or the spammer signs the guestbook at whitehouse.gov in an interesting manner. Another problem is users whose behaviour attracts attention. Maybe it's the highly legitimate user who checks out the tax forms on irs.gov for taxable activities the IRS didn't know were involved in, like overseas banking and stocks when _your_ tax returns all said "broke college student" (just _try_ explaining anonymizers to the compuer-illiterate IRS clerk.) Maybe it's the user who wants to avoid junk email when she checks out the Make.Money.Fast.multilevel.religious.technology stockbroker service. Guess who's now on Their lists. Maybe they used the anonymizer to view child pornography from kidporn.sting.postalinspector.memphis.usps.gov, and the Post Office Police come kick your door down. Or maybe they were checking out the schedule at the Cannabis Buyer's Club using your anonymizer just in case the FBI wiretappers wanted to enforce laws that the S.F. Police don't bother people about. Some of these problems can be helped by things like transient proxy servers, if we build a convenient way for them to hook in for a while and drop back out. On the other hand, if you're waiting for me to write all this code I'm suggesting we need, you'd be better off hacking some more easy partial solutions that can be deployed, tested, and replaced with the next edition :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From stewarts at ix.netcom.com Sat Apr 27 06:38:03 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 27 Apr 1996 21:38:03 +0800 Subject: Click here to become an International Arms Trafficker Message-ID: <199604271013.DAA08223@toad.com> At 07:46 PM 4/26/96 -0700, Sandy wrote: >> Well, I'm ITAR violator # 6 :-) >I am #3. Who is #1? Gee, that sounds sorta familiar. I hope >we don't end up as Prisoners. You are in the Village. A low crawl leads off to the north.... I was #21 and #22, though the first one didn't actually export crypto, and the second one exported code for rot13 instead of perl. So there's now some rot13 hanging out in the Caribbean, waiting for Hostile Foreigners and NarcoTerrorist Tax Evaders to protect their privacy with it. (This is _illegal_??) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From wb8foz at nrk.com Sat Apr 27 07:33:00 1996 From: wb8foz at nrk.com (David Lesher) Date: Sat, 27 Apr 1996 22:33:00 +0800 Subject: trusting the processor chip In-Reply-To: <Pine.LNX.3.91.960427002329.371K-100000@crash.suba.com> Message-ID: <199604271104.HAA01654@nrk.com> > > More likely,I think, an organization like the NSA > > might build a pin-compatible version of an existing, commonly-used product > > like a keyboard encoder chip that is designed to transmit (by RFI signals) > > the contents of what is typed at the keyboard. It's simple, it's hard to > > detect, and it gets what they want. > > I thought that most (all?) chips already radiated on the > electromagnetic spectrum? Isn't that what tempest is about? A) Yes, all circuitry radiates to some extent. The variable is the "some" factor. And is the noise compromising or just revealing? [Does it allow the Opposition to know you are typing, or WHAT you are typing...?] And the one everyone here seems to ignore -- can you hear it from where you need to? [I know of one National Lab with a blanket Tempest exemption -- it's a MILE to the uncontrolled border area.] B) Sure the Fort has Fab facilities. But Acme Gas & Grocery fixes cars, yet they do NOT have the diagnostic computer for my [in my dreams..] new BMW. Preventium & leading edge chips requires MASSIVE amounts of money for the infrastructure, and yesterday's versions do not cut it. [Tim, got any real $$ here?] I suspect it's like monitors: 14" SVGA's cost $200; 16" $650; 19" $1200 & 21", don't ask. Sure, tomorrow the 16" is $500, but you need it TODAY. The Fort is too busy trying to justify its FTE numbers to blow a couple zillion on keeping current with fab stuff. Plus, in a business with only a few customers, how does they keep the stepper-supplier from wising up? And when Mr. Bill introduces the 686, do you start all over? C) Would the Fort *really* ask for & get the needed cooperation while the industry fights CrippleChip/GAK? D) There are far cheaper ways to attack, as others point it. Neuter the power-supply controller chip, and it stays the same for generations. Or go for the video RAMDAC. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From jya at pipeline.com Sat Apr 27 07:43:41 1996 From: jya at pipeline.com (John Young) Date: Sat, 27 Apr 1996 22:43:41 +0800 Subject: Cell Kill 2 Message-ID: <199604271127.HAA17044@pipe4.nyc.pipeline.com> 4-27-96 NYT op-ed claims: On April 21, two Russian laser-guided missiles reportedly zeroed in on the cellular phone of Dzhokhar M. Dudayev, leader of the Chechen rebels, and killed him. According to the Russian newspaper Izvestia, Mr. Dudayev died while phoning an aide to King Hassan II of Morocco, who had been asked by President Yeltsin to help mediate an end to the war. Will any leader ever again be so gullible? From allyn at allyn.com Sat Apr 27 12:16:02 1996 From: allyn at allyn.com (Mark Allyn 206-860-9454) Date: Sun, 28 Apr 1996 03:16:02 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <199604270912.CAA07530@Networking.Stanford.EDU> Message-ID: <199604271430.HAA03553@mark.allyn.com> They are gone now. mark.allyn.com% lynx http://www.WhosWhere.com lynx: Can't access start file http://www.WhosWhere.com mark.allyn.com% telnet www.whoswhere.com www.whoswhere.com: unknown host They are still registered with Internic: mark.allyn.com% dig whoswhere.com any ; <<>> DiG 2.0 <<>> whoswhere.com any ;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 6 ;; flags: qr rd ra ; Ques: 1, Ans: 2, Auth: 2, Addit: 2 ;; QUESTIONS: ;; whoswhere.com, type = ANY, class = IN ;; ANSWERS: whoswhere.com. 172787 NS CHARON.PSC.EDU. whoswhere.com. 172787 NS ATTICA.MAGICALFOX.com. ;; AUTHORITY RECORDS: WHOSWHERE.com. 172787 NS CHARON.PSC.EDU. WHOSWHERE.com. 172787 NS ATTICA.MAGICALFOX.com. ;; ADDITIONAL RECORDS: CHARON.PSC.EDU. 172787 A 128.182.65.6 ATTICA.MAGICALFOX.com. 172787 A 204.170.102.34 From allyn at allyn.com Sat Apr 27 12:16:21 1996 From: allyn at allyn.com (Mark Allyn 206-860-9454) Date: Sun, 28 Apr 1996 03:16:21 +0800 Subject: [NOISE] What is "laser material"? In-Reply-To: <2.2.32.19960426175657.00ae9254@mail.teleport.com> Message-ID: <199604271436.HAA03567@mark.allyn.com> -> The problem with laser based weapons is they are weather dependant. Try -> using a laser in the rain and see how coherent a beam you get. -> What this has to do with crypto, I have no idea... (Maybe they are going to -> try and etch RSA in four lines of Perl into the side of the whitehouse.) Of course they should etch it in both text and bar code so that a foreign spy satalite with a bar code reader can read it. From ddt at lsd.com Sat Apr 27 13:22:27 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 28 Apr 1996 04:22:27 +0800 Subject: [;)] Message-ID: <v03006609ada7c6731b3b@[192.187.167.52]> <http://www.well.com/user/ddt/info/jet-reply.html> From merriman at arn.net Sat Apr 27 14:12:36 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 28 Apr 1996 05:12:36 +0800 Subject: Cell Kill 2 Message-ID: <2.2.32.19960427014653.0069df44@gateway> At 07:27 AM 04/27/96 -0400, John Young <jya at pipeline.com> wrote: > 4-27-96 NYT op-ed claims: > > On April 21, two Russian laser-guided missiles > reportedly zeroed in on the cellular phone of Dzhokhar > M. Dudayev, leader of the Chechen rebels, and killed Okay, I'll play: are we supposed to believe that a laser(optically)-guided missile homed in on a cellular(RF) phone? C'mon now. Who was driving the *real* targeting laser? Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From alano at teleport.com Sat Apr 27 14:52:24 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 28 Apr 1996 05:52:24 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file Message-ID: <2.2.32.19960427162826.00ab5bc4@mail.teleport.com> At 07:30 AM 4/27/96 -0700, Mark Allyn 206-860-9454 wrote: >They are gone now. > >mark.allyn.com% lynx http://www.WhosWhere.com Try http://www.whowhere.com/ . (Rich Graves mistyped the address.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From alano at teleport.com Sat Apr 27 14:53:18 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 28 Apr 1996 05:53:18 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file Message-ID: <2.2.32.19960427162824.00ab39d4@mail.teleport.com> At 02:12 AM 4/27/96 -0700, Rich Graves wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >If you are involved with the affairs of a large organization, I urge you >to check www.whoswhere.com to see if they have a bunch of user email >addresses that they shouldn't. They also have some information that is seriously outdated. They have two e-mail addresses for me that are about 2-3 years out of date. (I wonder how some of this information was collected. One was from my Fidonet point address of years back. Not something accesable from finger.) >Of course there is little that one can do about this kind of invasion of >privacy. But they don't have to be so fucking blatant and stupid about it. >They have the email addresses of DAEMONS from our password files in their >database. I wonder if those addresses are from a "finger @sitename.org" hack. It becomes worrysome when the methods of hackers intersect with those of database compilers. >There is no need for mailbombing, or anything like that. Our lawyers are >simply going to nuke them from orbit. Please check them out before they go >offline, so that you will have a shot at whatever is left. Keep us informed as to the fireworks. it will be fun to watch. --- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From norm at netcom.com Sat Apr 27 15:23:45 1996 From: norm at netcom.com (Norman Hardy) Date: Sun, 28 Apr 1996 06:23:45 +0800 Subject: trusting the processor chip Message-ID: <ada8110401021004e1c4@DialupEudora> At 9:53 AM 4/25/96, Jeffrey C. Flynn wrote: .... > >It looks like I may have no other option than to give some processor some >degree of trust. Which processor I should choose, and why that one? .... In the days of microcode this was my best (worst?) scenario. Setting up for fast divide has been an art long before Pentium divide fame. In microcode you don't spend time testing for cases that you can prove won't happen. Some obscure cases can arise only with a rare combinations of two 48 bit operands. The microcode flaw would be to put the processor into privileged mode even while getting the right answer. There would plausible deniability even if the flaw were discovered. (Gosh, I didn't test for this fall thru case because here is the proof that it can't happen.) Of course there is a bug in the proof but no one reads proofs. This can now be exploited by anyone that knows what division leaves the machine in privileged state. This is an attack on those systems that are rated to run untrusted machine code, using privileged mode code to limit the operation of the untrusted code. Only one person is necessary to pull this off. He must be trusted to produce microcode and the implementer of the divide algorithm. Test code will not find the transition to privileged code just because you can't test the whole machine state after every tested instruction. Normally the bogus privileged state of the machine will quickly expire (on the next interrupt) and will cause no permanent state change even in those few cases where a magic division occurs naturally. From lzirko at isdn.net Sat Apr 27 15:38:09 1996 From: lzirko at isdn.net (Lou Zirko) Date: Sun, 28 Apr 1996 06:38:09 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd fi Message-ID: <199604271650.LAA03361@rex.isdn.net> DNS lookups fail currently for www.whoswhere.com and whoswhere.com. Gee, this is quick work. Who are those masked men, opps lawyers? > Date: Sat, 27 Apr 1996 02:12:20 -0700 > From: rich at c2.org (Rich Graves) > To: cypherpunks at toad.com > Subject: www.WhosWhere.com selling access to my employer's passwd file > Organization: Uncensored Internet, http://www.c2.org/uncensored/ > -----BEGIN PGP SIGNED MESSAGE----- > > If you are involved with the affairs of a large organization, I urge you > to check www.whoswhere.com to see if they have a bunch of user email > addresses that they shouldn't. > > Of course there is little that one can do about this kind of invasion of > privacy. But they don't have to be so fucking blatant and stupid about it. > They have the email addresses of DAEMONS from our password files in their > database. > > There is no need for mailbombing, or anything like that. Our lawyers are > simply going to nuke them from orbit. Please check them out before they go > offline, so that you will have a shot at whatever is left. > > - -rich > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMYHku43DXUbM57SdAQGQpwP/U9TzWE2vEjHYZo4eniVctFe3pVe0KIQe > FvdNOWTykqfgEyhagKuifmRwUgjjIcIZONzRDw1Hi7UrJbOghH3j9sW5wxsphbxU > 3U0hHuKumAczUHn03IVkkF4JpobawEgHqqP1Y++PhNopAvqnVSu+hnf5aIS1R390 > MlUiwpoo0OE= > =+Mm2 > -----END PGP SIGNATURE----- > > Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzFseHQAAAEH/2gtDJSlsDvTo7m+Caj5zKuLO4dVl6L9e4xxFOAqKMtkHDIh 2z6NqqGnAKDai3eDXInBuOTGoyb82pkV7wD7naQDx7bppfwmJNguOPvlrErOZHcA NbAkyXCoKHgDxeXLq0MMcyC8+kBxYNKhMPm17g7tny4DKD+fzat4k3UiSAves6Y7 jLgQwwQ7TLYIGg7iPAsbMTnOF5iP51Ib47Ozjb3suJvJjUOTSUdl4V3e9EHWiniH G6kI1cfOdUmLXIgNZ34utTwwb2H/LhEDYrydmXJG6FfUolAThCwCbTG++Hq7/Ywr BOawFj3BhySTvpp/bSCJt1Mz/eELEq9xwQCaVD0ABRG0G0xvdSBaaXJrbyA8bHpp cmtvQGlzZG4ubmV0PokBFQMFEDFsfBcSr3HBAJpUPQEBRHoH/R+rkuMa9Vw+Civd 5QQM0tBMEPDUa7G2qNLKO0FBmVHoqq+VGeD9X2X+EBld0AwuWvshQfsViG2uBNxk Cr44y+Q0tXByCZqR8snTZG12BtFaCZv51XVieo2ygWQdmNp5DyMEyIOXUByORT2m 2Jx2VngcFt5rpzZLRALqwBDkV00Xcm8MPQzqGq8ZQA3nmExQkdpnSJIJX0irWjDM OueDrn9mBz2NwIZmddShYGUdhRXgpLYPHLMpo2fxE0dXiWkaDlyx47k4MIWaDoF4 nnTXxmEcS98AkT2PfqU4dT3UfZpZnHqkWQ7d4JqvXs9RmmH9K/NyBB+LykOvA1/t W6deAaWJAJUDBRAxbHtD30Eh39zrXZUBAYPsA/0dIEjlSuc8wrX5KJzAhXqUKBbg e3toQJk8RZwm4f80SC2DopEXYdmwAVrhOou7vezeu29mYVunKaDKg5xjnUfVR1WS ZXy54ZfYEG4Zrdi4vJgydb96AwoF3VAYyAbV45XBTfy3ujZjZRxpZS96X7iKk+6l quslrTmMFLhju4vWKw== =wksf -----END PGP PUBLIC KEY BLOCK----- From tcmay at got.net Sat Apr 27 15:43:50 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Apr 1996 06:43:50 +0800 Subject: The Joy of Java Message-ID: <ada79e9200021004908e@[205.199.118.202]> At 7:51 AM 4/27/96, Dan Busarow wrote: >At Usenix 96 in San Diego it was pointed out that applets are an abberation. >This is a complete language designed to displace C++, Visual Basic and >other OO languages. Thinking of Java as simpy a Web enhancement tool >is short sighted. > >Personally it is more attractive than C++ for product development and >we are trying to get it on FreeBSD, SCO UnixWare and SCO OSR5. Using >Java for applets _only_ is like fucking your mother... Most of us are >not into it. Ignoring the gross violation of the CDA, I agree. I think of it (and so do a lot of others) as: - a cleaned-up C++, with features of Smalltalk, Objective-C, and Lisp - a tool with built-in hooks for Net-centric computing - some safety features that distinguish it from C++ and the like - a bytecode/virtual machine approach that means the same code can be run on any platform for which a VM exists (the key to applets, but also the key to portability...what the world might have looked like for the past 15 years has the UCSD p-system succeeded instead of MS-DOS) Is it safe to run untrusted applets on your machine? Probably not. Running strange programs probably is never safe. I don't view this as something any new language is likely to solve, unless it's a language with such limited expressability as to be "safe and boring." As Perry has noted, financial institutions can ill afford to have applets being dropped into their main computers unless they are safe and secure. Not too surprising. But, then, they also have other security issues they constantly have to deal with that others don't. I suspect the safety issues will continue to crop up, but will be dealt with in other ways. The signed classes approach, the approaches used in E, etc. Netscape's limits on what applets can do, for example, may be extended in other ways (a kind of firewall approach?). To borrow a viewpoint, I don't expect the Java-based gargoyles in "True Names" to be "trustworthy"...TANSTAAFL. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Apr 27 16:06:40 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 28 Apr 1996 07:06:40 +0800 Subject: trusting the processor chip Message-ID: <ada7a2f20102100497bb@[205.199.118.202]> First, there ain't no way that electromagnetic radiation is going to be detected coming from the surface of a ULSI chip. Radiated power levels are going to be in nanowatt or picowatt level from any one metal or poly line, and of course will be undetectable at any distance. Not to mention the size of the radiator implies inefficient launch of pulses (the lines are likely to be rarely longer than a millimeter). At 11:04 AM 4/27/96, David Lesher wrote: (quoting someone else) >> > More likely,I think, an organization like the NSA >> I thought that most (all?) chips already radiated on the >> electromagnetic spectrum? Isn't that what tempest is about? TEMPEST is not about emissions from the surface of a ULSI chip, for example, but about the emissions (and controlling them, shielding them, detecting them) from equipment in general. Most of the "van Eck" radiation (so-called because he wrote the first major public papers on this mode) comes from the deflection circuitry for CRTs, where the radiated power levels (and lengths of radiating elements) are considerably larger than what I mentioned above. It is the CRTs that mostly cause problems. The PCBs inside modern computers also emit wideband pulses, and this may be detectable and usable to an adversary. Good shielding practice helps (those little FCC stickers....). TEMPEST deals with suppressing the emission even more. >B) Sure the Fort has Fab facilities. But Acme Gas & Grocery fixes >cars, yet they do NOT have the diagnostic computer for my [in my >dreams..] new BMW. > >Preventium & leading edge chips requires MASSIVE amounts of >money for the infrastructure, and yesterday's versions do not cut >it. [Tim, got any real $$ here?] I suspect it's like monitors: 14" >SVGA's cost $200; 16" $650; 19" $1200 & 21", don't ask. Sure, >tomorrow the 16" is $500, but you need it TODAY. I hate to say it, but all this stuff has been covered extensively in the past, in the archives. Yes, the NSA has its own wafer fab. Or, more precisely, the most recent example I know of is that National Semiconductor accepted a contract to build a fab at Fort Meade. This is not surprising, as the NSA is responsible for supplying coding and ciphering materials to U.S. forces worldwide, and so must generate ROMs, PLAs, and other special chips to cipher machines around the world. Having the fab at the Fort helps security. (Sandia Labs also makes such gizmos for them, and has pretty good security, I suspect.) These wafer fabs are probably 1.25 micron fabs, far from the .35 micron fabs now being used to make the 166 MHz Pentiums you can buy at Price Club. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From lzirko at isdn.net Sat Apr 27 16:07:40 1996 From: lzirko at isdn.net (Lou Zirko) Date: Sun, 28 Apr 1996 07:07:40 +0800 Subject: Click here to become an International Arms Trafficker Message-ID: <199604271643.LAA03312@rex.isdn.net> # 37 > At 02:46 PM 04/26/96 -0400, Vince Cate wrote: > > > > "Click here to become an International Arms Trafficker" > > > > Well, I'm ITAR violator # 6 :-) > > Dave Merriman > ------------------------------------------------------------- > "Giving money and power to government is like giving > whiskey and car keys to teenage boys." > P. J. O'Rourke (b. 1947), U.S. journalist. > <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> > http://www.shellback.com/personal/merriman/index.htm > > > Lou Zirko (615)851-1057 Zystems lzirko at isdn.net "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzFseHQAAAEH/2gtDJSlsDvTo7m+Caj5zKuLO4dVl6L9e4xxFOAqKMtkHDIh 2z6NqqGnAKDai3eDXInBuOTGoyb82pkV7wD7naQDx7bppfwmJNguOPvlrErOZHcA NbAkyXCoKHgDxeXLq0MMcyC8+kBxYNKhMPm17g7tny4DKD+fzat4k3UiSAves6Y7 jLgQwwQ7TLYIGg7iPAsbMTnOF5iP51Ib47Ozjb3suJvJjUOTSUdl4V3e9EHWiniH G6kI1cfOdUmLXIgNZ34utTwwb2H/LhEDYrydmXJG6FfUolAThCwCbTG++Hq7/Ywr BOawFj3BhySTvpp/bSCJt1Mz/eELEq9xwQCaVD0ABRG0G0xvdSBaaXJrbyA8bHpp cmtvQGlzZG4ubmV0PokBFQMFEDFsfBcSr3HBAJpUPQEBRHoH/R+rkuMa9Vw+Civd 5QQM0tBMEPDUa7G2qNLKO0FBmVHoqq+VGeD9X2X+EBld0AwuWvshQfsViG2uBNxk Cr44y+Q0tXByCZqR8snTZG12BtFaCZv51XVieo2ygWQdmNp5DyMEyIOXUByORT2m 2Jx2VngcFt5rpzZLRALqwBDkV00Xcm8MPQzqGq8ZQA3nmExQkdpnSJIJX0irWjDM OueDrn9mBz2NwIZmddShYGUdhRXgpLYPHLMpo2fxE0dXiWkaDlyx47k4MIWaDoF4 nnTXxmEcS98AkT2PfqU4dT3UfZpZnHqkWQ7d4JqvXs9RmmH9K/NyBB+LykOvA1/t W6deAaWJAJUDBRAxbHtD30Eh39zrXZUBAYPsA/0dIEjlSuc8wrX5KJzAhXqUKBbg e3toQJk8RZwm4f80SC2DopEXYdmwAVrhOou7vezeu29mYVunKaDKg5xjnUfVR1WS ZXy54ZfYEG4Zrdi4vJgydb96AwoF3VAYyAbV45XBTfy3ujZjZRxpZS96X7iKk+6l quslrTmMFLhju4vWKw== =wksf -----END PGP PUBLIC KEY BLOCK----- From seth at hygnet.com Sat Apr 27 16:12:14 1996 From: seth at hygnet.com (Seth I. Rich) Date: Sun, 28 Apr 1996 07:12:14 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <199604271430.HAA03553@mark.allyn.com> Message-ID: <199604271642.MAA04605@arkady.hygnet.com> > They are gone now. > > mark.allyn.com% lynx http://www.WhosWhere.com % lynx -dump http://www.whowhere.com/ [WhoWhere? Banner] [Toolbar: Use hyperlinks at the bottom] TELL US WHAT YOU THINK: The WhoWhere? Internet Survey Welcome to WhoWhere?, the largest Internet directory of email addresses from around the world. This free service is rapidly growing because so many of you Add Your Listing! [...] Seth --------------------------------------------------------------------------- Seth I. Rich - seth at hygnet.com "Info-Puritan elitist crapola!!" Systems Administrator / Webmaster, HYGNet (pbeilard at direct.ca) Rabbits on walls, no problem. From ChristopherA at consensus.com Sat Apr 27 16:28:24 1996 From: ChristopherA at consensus.com (Christopher Allen) Date: Sun, 28 Apr 1996 07:28:24 +0800 Subject: Fwd: RSAREF dos not give you access to RSA In-Reply-To: <960427060855_76703.407_CHN32-1@CompuServe.COM> Message-ID: <v03006601ada81036cb69@[157.22.240.191]> At 1:48 PM on 4/26/96 , David Mazieres <dm at amsterdam.lcs.mit.edu> wrote: >After many many messages, I got bounced around from RSA to Consensys >Corp. and back to RSA. Just an FYI, Consensus Development (not Consensys) can only offer a commercial licenses to RSAREF. Some such licenses we can grant waivers to user lower-level routines -- to date we've granted waivers for SSL and PGP compatible software. >Conclusion: You can't use the RSA algorithm in free software. The >RSAREF interface is too restrictive, and when RSA says in the license >that "RSA will grant all reasonable requests for permission to make >such modifications" to the interface, it is either an outright lie, or >something that only happens after so much delay that they might as >well not give you such permission. The problem is that only RSA Labs (not RSA Data Security) can offer this permission (as they have all the non-commercial rights) and they are not set up to handle such requests. I'll see what I can do as the commercial licensee to influence making this happen. RSAREF was released "to support standards" and SSH is a beginning of a standard, so I think it should be possible. ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. ..<ChristopherA at consensus.com> 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. ..<http://www.consensus.com/> o510/559-1500 f510/559-1505.. From jimbell at pacifier.com Sat Apr 27 19:15:26 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 28 Apr 1996 10:15:26 +0800 Subject: trusting the processor chip Message-ID: <m0uDEIm-00093vC@pacifier.com> At 12:25 AM 4/27/96 -0500, Snow wrote: >On Thu, 25 Apr 1996, jim bell wrote: >> >> This analysis seems to assume that the entire production run of a standard >> product is subverted. More likely,I think, an organization like the NSA >> might build a pin-compatible version of an existing, commonly-used product >> like a keyboard encoder chip that is designed to transmit (by RFI signals) >> the contents of what is typed at the keyboard. It's simple, it's hard to >> detect, and it gets what they want. > > I thought that most (all?) chips already radiated on the >electromagnetic spectrum? Isn't that what tempest is about? There's a difference between trying to find a needle in a haystack, and finding a day-glo, red-hot needle that plays music at 110 decibels in that same haystack. Digital logic chips do radiate EMI, but some radiate very little (because their are few logic transitions or they occur relatively infrequently) or are buried within other circuitry and they don't have a particularly good antenna. The Trojan horse chip I'm hypothesizing would be specifically designed to radiate a fairly loud, continuous signal, on wires that are long enough to make a good antenna. Ideally, the chip would have a crystal to produce a very constant frequency, so that other noise not on that frequency could be ignored. The best place to put such a chip would be a location outside the computer's case, or at least it would have access to the outside. I think that a keyboard controller would be optimum, because I suspect that there are a relatively small number of different designs. Jim Bell jimbell at pacifier.com From Javaone at sbexpos.com Sat Apr 27 19:42:41 1996 From: Javaone at sbexpos.com (JavaOne) Date: Sun, 28 Apr 1996 10:42:41 +0800 Subject: You're Invited Message-ID: <199604271833.LAA06983@well.com> From unicorn at schloss.li Sat Apr 27 19:52:42 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 10:52:42 +0800 Subject: Cell Kill 2 In-Reply-To: <199604271127.HAA17044@pipe4.nyc.pipeline.com> Message-ID: <Pine.SUN.3.93.960427160915.21860A-100000@polaris.mindport.net> On Sat, 27 Apr 1996, John Young wrote: > 4-27-96 NYT op-ed claims: > > On April 21, two Russian laser-guided missiles People really need to understand their technology before they write stuff like this. > reportedly zeroed in on the cellular phone of Dzhokhar > M. Dudayev, leader of the Chechen rebels, and killed > him. > > According to the Russian newspaper Izvestia, Mr. Dudayev > died while phoning an aide to King Hassan II of Morocco, > who had been asked by President Yeltsin to help mediate > an end to the war. Will any leader ever again be so > gullible? > > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From markm at voicenet.com Sat Apr 27 19:55:42 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 28 Apr 1996 10:55:42 +0800 Subject: An idea for refining penet-style anonymous servers In-Reply-To: <Uc5fx8m9LojB085yn@netcom.com> Message-ID: <Pine.LNX.3.92.960425181712.779A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On Thu, 25 Apr 1996, Alan Bostick wrote: > My scheme is the design of the address database. It consists of two > hash tables, one for sending messages (which maps anonymous IDs onto > sender's addresses), and one for receiving them (mapping recipient's > addresses onto anonymous IDs). A cryptographically secure hash (say, > MD5) is used for the index of both tables. Funny. I had the *exact* same idea a couple of months ago. However, I did find several flaws in it. > > The index of the sending message table is the MD5 hash of the sender's > address. The table entry the index points to is the sender's anonymous > ID, encrypted by a symmetric algorithm (maybe IDEA). The encryption key > would be a different hash, by another algorithm (let's suppose it's > SHA), of that same address. Perhaps the address could be hashed several times for the table look-up and then the address could be hashed a less number of times for decryption with the IDEA key. This reduces the amount of code needed and also eliminates any problems with only using 128 bits of SHA output. > > In forwarding a message, the server MD5-hashes the sender's address and > looks at the table. If it doesn't find a corresponding entry, it > creates one. If it *does* find an entry, it SHA-hashes the sender's > address and uses this key to decrypt the anonymous ID. In the unlikely > event of collision the decrypted ID will be gibberish and the server > does something sensible (like appending padding to the address and > trying again). The header information is filtered and the anonymous ID > inserted in the From: line. In the scheme I thought of, a password would be sent with the message, which would be hashed, appended to the hash of the address, and then hashed again to get the decryption key. > There is a way that attackers who have seized or copied the database can > search it - by trying it out on anonymous IDs, or user addresses, until > they hit paydirt. And of course such an anonymous server can be no more > trustworthy than its operator; and the fundamental security limitations of > the penet-style anonymous server are well-understood. Searching for the real address behind a pseudonym is not hard at all. Just hash the anonymous address, look it up in the table, then decrypt the cooresponding encrypted address. This was the major flaw that I spotted with this scheme. > > So what do people think of this scheme of mine? Are there drawbacks or > weaknesses that I'm not seeing? Is it a good idea? I'd really like it > if *something* good came out of being laid up with the flu. The only other problem I found is a pretty minor one: the address database would be twice as large as it would be if it was stored in plaintext. I don't think that much security is gained by using this scheme. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMX/727Zc+sv5siulAQGbwgP/XfQ2qw4HrzRX/DtFq542EnwnDuE+ACYk OG3/dlCzqn4mmXNBB1QAh3K7tzNS0Gah46fODI/5lTHRqwyFehFIC96X3L45mEPO QJWcvu2mqf6KhR5QnanB6jNw+okp1NAvTRJA2QhIZtPBBS3Xm3NfhrtHF8BKdxdu WqjXM4HMjxs= =gpZ8 -----END PGP SIGNATURE----- From erehwon at c2.org Sat Apr 27 20:12:50 1996 From: erehwon at c2.org (William Knowles) Date: Sun, 28 Apr 1996 11:12:50 +0800 Subject: You are now an International Arms Trafficker (#1) ??? Message-ID: <Pine.SUN.3.91.960427130413.15899A-100000@infinity.c2.org> Yikes, Tell me that conspiracy to break ITAR isn't grounds for becoming arms trafficker #1 I don't even have the latest version of the shortened Perl-RSA code back from the screenprinters. Coming Soon! New fashionable Perl-RSA shirts! You are now an International Arms Trafficker Thanks for the munitions package. You are trafficker number: 1 Offshore Information Services Ltd. -William Knowles erehwon at c2.org -- From dlv at bwalk.dm.com Sat Apr 27 20:30:23 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 28 Apr 1996 11:30:23 +0800 Subject: Cell Kill 2 In-Reply-To: <Pine.SUN.3.93.960427160915.21860A-100000@polaris.mindport.net> Message-ID: <9Bc3mD213w165w@bwalk.dm.com> Black Unicorn <unicorn at schloss.li> writes: > > According to the Russian newspaper Izvestia, Mr. Dudayev > > died while phoning an aide to King Hassan II of Morocco, > > who had been asked by President Yeltsin to help mediate > > an end to the war. Will any leader ever again be so > > gullible? According to some Usenet articles I saw, Dudaev died while talking on the phone with the Russian Duma deputy Konstantin Borovoy. I think I used to exchange a few e-mails with Konstantin before he became filthy rich. It's a small world. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From sentiono at cycor.ca Sat Apr 27 21:24:13 1996 From: sentiono at cycor.ca (Sentiono Leowinata) Date: Sun, 28 Apr 1996 12:24:13 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <2.2.32.19960427162826.00ab5bc4@mail.teleport.com> Message-ID: <Pine.OSF.3.91.960427180844.11803B-100000@bud.peinet.pe.ca> On Sat, 27 Apr 1996, Alan Olsen wrote: > At 07:30 AM 4/27/96 -0700, Mark Allyn 206-860-9454 wrote: > >They are gone now. > >mark.allyn.com% lynx http://www.WhosWhere.com > Try http://www.whowhere.com/ . (Rich Graves mistyped the address.) I wonder how they can get the e-mail address? Our finger daemon are blocked. Many un-broadcast e-mail addresses (the account never send any e-mails to anyone) are in the database. How? Furthermore, isn't it also privacy invasion? Would any hackers or expert people kindly to tell me how to block further threat like this? Or tell me the way they do it, and I'll try to think the way to prevent it in the future. Sincerely, Sent. --------------------------------------------------------------- Sentiono Leowinata, Charlottetown, Prince Edward Island, Canada Systems Engineer/Programmer Analyst - Cycor Communications Inc. sentiono at cycor.ca, 902-629-2488, http://www.cycor.ca/ From mkj at october.segno.com Sat Apr 27 21:24:26 1996 From: mkj at october.segno.com (mkj at october.segno.com) Date: Sun, 28 Apr 1996 12:24:26 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <199604271611.AA05770@october.segno.com> Please forgive what may be a stupid question, but I've been wondering about this for a long time, and today I'm tired of wondering. A consistent theme here is "crypto-anarchy", which appears to be essentially the idea that widespread cryptography will make tax collection impossible, bringing down governments. I don't see how this will work. The logical flaw in this argument seems so obvious (and at least some of the people who buy into it seem so obviously intelligent), that I can't help but think I must be missing something. Certainly the widespread use of cryptography will frustrate modern systems of taxation, such as income taxes, sales taxes, etc., which are based on the monitoring of financial transactions. But these systems are a mere flash in the pan; taxes existed, and governments sustained themselves perfectly well, long before these systems arose. Why then shouldn't we expect that modern governments, in the face of widespread cryptography, will simply revert to more traditional (and brutal) systems such as head taxes, land taxes, travel tolls, etc.? --- mkj From mrm at netcom.com Sat Apr 27 21:32:17 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 28 Apr 1996 12:32:17 +0800 Subject: The Joy of Java In-Reply-To: <ada5c3312c021004e096@[205.199.118.202]> Message-ID: <199604272244.PAA01728@netcom20.netcom.com> Why is everybody so into declaring who the winner is and who the loser is, instead of just implementing some useful program on the internet using "your favorite langues?" Maybe it's a gender thang. You boys are into talk, huh. :-) Marianne From mrm at netcom.com Sat Apr 27 21:39:29 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 28 Apr 1996 12:39:29 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.GUL.3.93.960424222517.22644F-100000@Networking.Stanford.EDU> Message-ID: <199604272256.PAA02672@netcom20.netcom.com> One thing I don't understand, why do you trust signed code? So you know the code is signed by Jack the Ripper. so what? How do decide what you want the code to be allowed to do? I think there's nothing for it but a kind of limited capabilities model built on top of the authentication mechanism. Marianne From mccoy at communities.com Sat Apr 27 21:41:48 1996 From: mccoy at communities.com (Jim McCoy) Date: Sun, 28 Apr 1996 12:41:48 +0800 Subject: The Joy of Java Message-ID: <v02140b01ada85707e260@[205.162.51.35]> Perry writes: > Scott Brickner writes: > > True. It's still lacking a couple of (non-language) features. The > > most important (and most cpunks relevant) is a mechanism to pay people > > to run programs for you. This sort of thing is dangerous without a > > safe environment. This is not as far away as you might think. Trust me... :) > You can do that safely without making it dangerous for your machine. I > know how I would build a restricted execution environment for such > markets. However, Java is 1) too slow, since if you are selling > rendering cycles or such you don't want to be running an interpreter, > 2) insufficently safe, and 3) paradoxically, insufficiently powerful > for the sort of code you would want to run in such an environment. Wow, three incorrect assumption in a single sentence, another hat-trick for Perry. Speed of execution is not a major problem given JIT compiler and interpreter improvements; this has been broadcast far and wide on the net so your presumed ignorance of this is a bit hard to believe. Additionally, if you are buying cycles off the net you can set things up to run in parallel and accomplish more than you ever could without the ability. To farm out code. This is absolutely trivial when it comes to tasks which are inherently easy to break into chunks which can be run in this fashion (like rendering and ray-tracing, etc.) As far as safety goes there are a lot of people working on this problem and for tasks of this type it is not as difficult as you assume. As far as it being insufficiently powerful for running distributed computation and cycle serving I know know for a fact that this is not the case. Rather than trying (and often failing) to prove that unsolvable problems exist in Java why don't you present the net with an alternative that does not suffer from these limitations. jim From jimbell at pacifier.com Sat Apr 27 21:47:47 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 28 Apr 1996 12:47:47 +0800 Subject: "A Closer Look" Message-ID: <m0uDIAr-000900C@pacifier.com> April 22, 1996 Electronic Buyers News, Page 2. A Closer Look column, by Jack Robertson "bigbrother.com" Orwell would have loved it. National tyrants are helpless to control the free flow of information within their borders. And if they do succeed in closing down ramps to the global data superhighway, their economies crumble. Not that some folks aren't trying to rein in the Internet. Strong-arm governments--including China, Vietnam, Singapore, and some African military dictatorships--want to control domestic access to the Net. Even democracies such as Germany want to censor the Web, and the European Union is debating regulation of it. The United States itself could end up trying to control the Net in well-intentioned but dubious efforts to censor content deemed obscene. The censor's club could be provided unwittingly by the movie industry and by consumer-electronics manufacturers. Their rigid copyright protection plan for DVD would require that every computer I/O interface be designed to block out the copying of any copyrighted motion picture. Once in place, others could sieze the I/O block to bar access to any content thought to be objectionable. Uncle Sam could also end up giving ammunition to Internet censors in a yet-to-be-released proposal to the G-7 economic powers pertaining to copyright protection on the Internet. The Clinton administration will submit the plan to the next G-7 conference in Lyon, France, in late June. The administration's earlier copyright plan for the U.S. National Information Infrastructure has stirred plenty of controversy in th is country over its potential shackling of the free flow of information. So far, the unruly and ubiquitous Internet has defied almost all restraints. Governments, businesses, politically correct factions can't get their arms around this amorphous giant. Stalin could jam out the BBC and the Voice of America. Iran can bar newspapers and periodicals. Singapore can threaten judicial to try to keep the press in line. But how do you cordon off the Web? Some regimes envision their own national gateways to control Net traffic acrosss their borders. Fat chance. Even if police states could build an Internet firewall, it would take the resources of a National Security Agency to monitor the traffic and ferret out noxious communications. In a first thrust to control electronic data, China is regulating all foreign news services through its Xinhua News Agency. That way, Big Brother can lower the boom wherever a central node can be hit. But the anarchical Internet has no central control points--In fact, very little control at all. A grassroots paradigm, the Net is a totally free democratic voice. Like it or not, we need to keep it that way. [end of article.] From kinney at bogart.Colorado.EDU Sat Apr 27 21:48:52 1996 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Sun, 28 Apr 1996 12:48:52 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.OSF.3.91.960427180844.11803B-100000@bud.peinet.pe.ca> Message-ID: <199604272318.RAA08172@bogart.Colorado.EDU> I looked up Stephen Hawking in their "database". The appalling result: > Name: Stephen Hawking > E-mail: retard at dribble.net > Last Updated: Mar '96 > Address: 1, Crip Street > Cambridge > Disabled > UK > Phone: > URL: http://www.damtp.cam.ac.uk/DAMTP/user/hawking/ > > Message: Ngghhh ngghy mmmfffgffff ngggnnhghh Sign me up for the IPO... -- Will From perry at piermont.com Sat Apr 27 22:08:07 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 28 Apr 1996 13:08:07 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604271611.AA05770@october.segno.com> Message-ID: <199604272308.TAA04540@jekyll.piermont.com> mkj at october.segno.com writes: > Why then shouldn't we expect that modern governments, in the face of > widespread cryptography, will simply revert to more traditional (and > brutal) systems such as head taxes, land taxes, travel tolls, etc.? I don't believe those "brutal" forms of taxes ever disappeared in the first place. Tolls, real estate taxes and indeed virtually every tax that has ever been thought of are all in place today. Personally, I feel that being force to "revert" to something like sales taxes would be of dramatic benefit because savings would no longer be penalized in our economy, but thats another story. I think that the cryptoanarchy types are arguing not so much that government is impossible as much as that cryptography and the changes that massive loss of central authority will bring are impossible to stop. Forms of government control based on things like stopping the free flow of information or preventing people from engaging in many forms of peaceful association cannot continue in a world such as we are almost inevitably facing. The question is really one of how much damage and chaos governments create while trying to fight the inevitable. Perry From unicorn at schloss.li Sat Apr 27 22:09:47 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 13:09:47 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.OSF.3.91.960427180844.11803B-100000@bud.peinet.pe.ca> Message-ID: <Pine.SUN.3.93.960427191953.24829F-100000@polaris.mindport.net> On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > I wonder how they can get the e-mail address? Our finger daemon are > blocked. Many un-broadcast e-mail addresses (the account never send any > e-mails to anyone) are in the database. How? > Furthermore, isn't it also privacy invasion? > Would any hackers or expert people kindly to tell me how to block > further threat like this? Use a nym. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From perry at piermont.com Sat Apr 27 22:37:25 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 28 Apr 1996 13:37:25 +0800 Subject: The Joy of Java In-Reply-To: <v02140b01ada85707e260@[205.162.51.35]> Message-ID: <199604272331.TAA04613@jekyll.piermont.com> Jim McCoy writes: > Rather than trying (and often failing) to prove that unsolvable problems > exist in Java why don't you present the net with an alternative that does > not suffer from these limitations. I'm not sure that an alternative per se is needed. Java is overgeneral for the task that it is being used for. This overgenerality leads to danger. I agree that in and of itself its a nice programming language. .pm From sandfort at crl.com Sat Apr 27 22:42:09 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 28 Apr 1996 13:42:09 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604271611.AA05770@october.segno.com> Message-ID: <Pine.SUN.3.91.960427153644.3252A-100000@crl12.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sat, 27 Apr 1996 mkj at october.segno.com wrote: > ... > Certainly the widespread use of cryptography will frustrate modern > systems of taxation, such as **income taxes**, sales taxes, etc., [emphasis added] Income tax is the Godzilla of taxes. It is THE TAX when it comes to the US. (Perhaps VAT has a similar status elsewhere, but both, as pointed out, are subject to crypto-anarchistic subversion.) > ...taxes existed, and governments sustained themselves perfectly > well, long before these systems arose. But at nowhere near the voracious levels of modern states. > Why then shouldn't we expect that modern governments, in the face of > widespread cryptography, will simply revert to more traditional (and > brutal) systems such as head taxes, land taxes, travel tolls, etc.? For the same reasons they were dropped in the past. They have only a limited ability to extract tribute from a defenseless populace. Today's citizens have far more power vis-a-vis the state, and far less deference for authority. HEAD TAX--This "regressive" tax would really piss off those on the lower end of the economic ladder if the price-per-head were anywhere near what is needed maintain a government. The amount of social control needed to make sure most people had complied would be beyond anything a modern state could field. LAND TAX--Might be better than a head tax, but the unintended affects would still piss off the poor. It would give the relatively few land owners enormous motivation to buy off assessors and, ultimately, higher government officials. To the extent land taxes could be collected, they would be enormously economically destructive. The net effect would be similar to Soviet collectivisation. The land, the productive base of a nation's economic health would be constantly eroded until everyone was impoverished. TRAVEL TOLLS--Yeah, right. The Soviets required VISAS, to travel between cities, yet they couldn't even stop students from taking unauthorized jaunts. The MODERN state is doomed and, thanks to technology, the people have too much power to permit more "traditional" governments to control them. States may not go quietly into that gentle night, their death throes may be very bloody, but go they will. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From llurch at networking.stanford.edu Sat Apr 27 22:47:08 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 13:47:08 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.SUN.3.93.960427191953.24829F-100000@polaris.mindport.net> Message-ID: <Pine.GUL.3.93.960427163753.9454D-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Black Unicorn wrote: > On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > > > > I wonder how they can get the e-mail address? Our finger daemon are > > blocked. Many un-broadcast e-mail addresses (the account never send any > > e-mails to anyone) are in the database. How? > > Furthermore, isn't it also privacy invasion? > > Would any hackers or expert people kindly to tell me how to block > > further threat like this? > > Use a nym. This doesn't necessarily help if you work or study at a large institution (stanford.edu, for example). It depends on what you want to keep private. If I want to moonlight or carry on a political discussion, I can use untraceable nyms, but if someone wants to know where Rich Graves works, then there is no way for me to stop them from finding out. That's not a problem for me, obviously, but I've got 30,000 other people to worry about. What whowhere.com did (whoswhere was a typo, yes -- it was late, and I was rather pissed off) was grab the password file some time ago. We know that they grabbed the password file because they have misspellings, odd capitalizations, and daemon/group IDs that appear *only* in the password file. We know exactly when they did it, because the password file is built sequentially. They have everything up to line 26,667, and nothing after that line. We know exactly when account 26,668 was opened. Search for "SITN Account" at organization "stanford.edu". These are kerberos IDs that have never had email addresses. They have never existed outside the password file. They also have password files from a few other large educational and commercial organizations. It is not clear that they broke the law getting our password file, but in at least two other cases, it is. The threat profile is this. We've got grad students and visiting lecturers from repressive countries, or good-guy countries threatened by terrorists. We've got some really famous people who don't want to be stalked. These people have unlisted phone numbers, unlisted email addresses, unlisted physical addresses, and if you call the registrar for a transcript, the registrar will neither confirm nor deny that Stanford has ever heard of such a person. If you finger @stanford.edu, these people will never show up, no matter how you formulate the query. They're simply not in any directory database. If you grep one of the files that whowhere.com OBVIOUSLY used to build its database, some of these people do show up. If you then finger that address specifically, you might get the last login time and location, which might tell you exactly where they live and work on campus. You can then send a package with excessive postage, or something like that. Never mind women (or men) being stalked by sticky-fingered psychopaths. One person's paranoia is another person's reality. In a way, I suppose we're "asking for it," because anyone with a reasonable level of technical knowledge would know that the password file the whowhere.com guys took is vulnerable, but the users who are now in a public directory without their knowledge or consent were NOT asking for it. Since the fact that they're at Stanford is one of the things some of them might want to keep secret, there is no satisfactory compromise short of removing all names and addresses collected in such unethical ways. whowhere.com is in Mountain View; its principals live in Palo Alto, a ten-minute bike ride from campus. If some (former) Stanford affiliate helped them out, they're in trouble. If some (former) Stanford affiliate didn't help them out, then they're in a lot more trouble. They also have an entry for me as "Dick Graves - CDA Investigator." I believe I used this in the From: line of two posts to su.* newsgroups that do not propagate beyond nntp.stanford.edu. The presence of this address means that they were building their database on Stanford computers, which is a big, big no-no. -rich From EALLENSMITH at ocelot.Rutgers.EDU Sat Apr 27 22:59:00 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 13:59:00 +0800 Subject: Anonymous banking Message-ID: <01I41RMZUD188Y52ZX@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 24-APR-1996 21:06:33.48 Thank you for the information. >Not too bad, but there are crackdowns on anonymous and pseudonym accounts. >MLAT's exist with the United States. Austria has been the focus of >careful investigations and a lot of diplomatic pressure. EC membership >will require compliance with standards for client identification. The >article is somewhat in error. Anonymous accounts are no longer easy to >open and generally require the voucher of a local attorney. Speaking of attorneys, is there any way that an attorney can serve as an anonymous mail forwarder? The user would give the attorney permission to look at anything suspicious (e.g., mail from a credit card company) to make sure no fraud, theft, et al were being committed. Would this be covered under lawyer-client confidentiality in the US? >In general adding a country to the money laundering offender list is a >political decision and NOT demonstrative of a country's actual money >laundering use. (Note that Vanuatu is not included, nor is Isle of Man). >Mostly its a question of countries with corrupt officials who will look >the other way, not of countries which strict banking privacy. Fascinating. >This is nearly irresponsible reporting. Reporters nowdays are getting so overloaded that they're taking information from whoever will talk to them. Look at what happened with the chips-in-Iraqui printer story. -Allen From llurch at networking.stanford.edu Sat Apr 27 23:09:07 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 14:09:07 +0800 Subject: Mindshare and Java In-Reply-To: <199604272256.PAA02672@netcom20.netcom.com> Message-ID: <Pine.GUL.3.93.960427162243.9454C-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Marianne Mueller wrote: > One thing I don't understand, why do you trust signed code? > > So you know the code is signed by Jack the Ripper. so what? How do > decide what you want the code to be allowed to do? I think there's > nothing for it but a kind of limited capabilities model built on top > of the authentication mechanism. I explained/retracted/fudged this in a later message. Some of the things a valid signature from Jack the Ripper means: 1. If it breaks something, I can send Jack the Ripper a bug report, or a flame, as appropriate. 2. If I like it, I can send Jack the Ripper money or other form of good vibes. 3. If I am Jack the Ripper, I have a way of proving that the code is my intellectual property. 4. If I'm not Jack the Ripper, I can say "That wasn't me." 5. If I am GNU, I can advertise and "enforce" my copyleft policy. 6. I have a way of knowing if Alice or Bob stuck a virus or trojan into Jack's code. "Trust" really isn't the right word for what I'm getting at. Microsoft's digital signature initiative is basically FUD with the spin "Only stuff signed or endorsed by Microsoft is going to work," but I don't think that this spin is inherent in signed code initiatives generally. I think it would be a waste of time to build a multitiered security model where applets with certain classes of signatures would be allowed to do more. But signatures are still useful in a flat security model. I think this is already all being done for Java, though, so never mind, probably. I was just responding in a generally applicable way. -rich From jimbell at pacifier.com Sat Apr 27 23:09:33 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 28 Apr 1996 14:09:33 +0800 Subject: You are now an International Arms Trafficker (#1) ??? Message-ID: <m0uDJCd-0008xTC@pacifier.com> At 01:10 PM 4/27/96 -0700, William Knowles wrote: >Yikes, > >Tell me that conspiracy to break ITAR isn't grounds for becoming >arms trafficker #1 > >I don't even have the latest version of the shortened Perl-RSA >code back from the screenprinters. I thought of a method of exporting encryption code that doesn't require an export license, but better yet makes some _deserving_ soul a criminal. (In hindsight, it seems obvious, although I don't recall seeing it discussed.) Basically, you take advantage of the fact that on the Internet, incorrectly-addressed email is often/usually returned to what appears to be the sender. For example, send PGP source, split into appropriately-sized chumks, to somebody like bigshot at nsa.com. Mis-spell his name, of course, and forge the note so that it appears to be coming from some out-of-country address. His ISP's system's email software sees the bad address, "returns" it, and it's sent to that out-of-US location. Keep the messages as evidence; forward them to the appropriate prosecutor, who is stuck between a rock and a hard place: Either he prosecutes a "good guy," or he fails to prosecute an unauthorized encryption exporter and thus sets up a bad precedent. Jim Bell jimbell at pacifier.com From rccarpenter at hol.gr Sat Apr 27 23:15:44 1996 From: rccarpenter at hol.gr (Richard C. Carpenter) Date: Sun, 28 Apr 1996 14:15:44 +0800 Subject: Click here to become an International Arms Trafficker Message-ID: <01BB34AA.0E2DFC40@dmbbs6.hol.gr> -----BEGIN PGP SIGNED MESSAGE----- "Declared Munitions Exporter & Trafficker, Nos. 27 _&_ 28" (Not being a glutton, the first try didn't export crypto.) -RCC ================================================================ Key Fingerprint 7A 10 04 1C 81 60 96 FB A1 5A 57 E7 CB 67 4B 06 PGP KeyID A5D1C931 ** public key available on keyservers ** ================================================================ "Government is actually the worst failure of civilized man. There has never been a really good one, and even those that are most tolerable are arbitrary, cruel, grasping and unintelligent." -- H.L. Mencken ================================================================ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAgUBMYLyCdjIfSil0ckxAQGTJgQAyBHD7ZGTi/KTDeXaIfxW07c6xxsR2sLI MjJ4jLx608/2bKtRkOw+PIzXZvj9NtTKdZ2elBDasszlgoK6l2Kb+NZS3jU1lYAS ZT7E2LiYE5ShBIWlI04D6nnwIuFWnPMgLPcBgdtIQ7MWrKxnb2qEtuFL9lAxj2kI UxNYSd0zQWw= =PjTz -----END PGP SIGNATURE----- From markm at voicenet.com Sat Apr 27 23:18:22 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 28 Apr 1996 14:18:22 +0800 Subject: pgpcrack v0.6b Message-ID: <Pine.LNX.3.93.960427195145.14933A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- PGPCrack v0.6b is now available from http://www.voicenet.com/~markm/pgpcrack6b.tar.gz . It is now more portable and it is less likely to find an invalid passphrase valid. I have also included a passphrase list in the distribution. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMYK0ULZc+sv5siulAQHJlAQAozGi0IW0GqB3cs/QsHaoeeVLY8YXqbKe 7la4Ybe7MYxSMgRXt7AXG8/5nd3ECNOBlopzEBN91TEotHHe7X4Idqx93cJC94+M jln5HbmnLlExr9JIKFgeyHiwm5wruxbk3UHMIOEn82Hp04OdzazjQxDzfjzst6r0 S38TgBHtoC4= =6ct2 -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Sat Apr 27 23:20:54 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 14:20:54 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <2.2.32.19960427162824.00ab39d4@mail.teleport.com> Message-ID: <Pine.GUL.3.93.960427172022.9454F-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Alan Olsen wrote: > >Of course there is little that one can do about this kind of invasion of > >privacy. But they don't have to be so fucking blatant and stupid about it. > >They have the email addresses of DAEMONS from our password files in their > >database. > > I wonder if those addresses are from a "finger @sitename.org" hack. It > becomes worrysome when the methods of hackers intersect with those of > database compilers. They did that too. They got recursive whois and finger sweeps dated mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once in a while), a Usenet-wide sweep dated early 1994, a sweep of local, firewalled su.* newsgroups last December/January 95/96, and an outright theft of the master shadow password file for most stanford.edu accounts (address, real name, and UID only, no group ID or encrypted password) in January 1996. I'm sure they bought the first two from some other source. As much as I'm tempted to call these jokers at home early tomorrow morning, I know that a slow roasting by lawyers and the newsmedia is likely to be more effective. -rich From Ryan.Russell at sybase.com Sat Apr 27 23:43:13 1996 From: Ryan.Russell at sybase.com (Ryan Russell/SYBASE) Date: Sun, 28 Apr 1996 14:43:13 +0800 Subject: WWW proxies? Message-ID: <9604280105.AA18824@notesgw2.sybase.com> We use CERN proxies, as well as general purpose proxies, which effectivly narrows it down to someone within my company. But, that only masks the IP address. My impression was that most browsers hand out enough info about you at the application layer that it does little good to mask the IP address. At least for privacy purposes...address translation is a great firewall model, IMHO. Ryan ---------- Previous Message ---------- To: cypherpunks cc: From: unicorn @ schloss.li (Black Unicorn) @ smtp Date: 04/26/96 07:13:06 PM Subject: WWW proxies? Has anyone developed such a beast yet? Will we have as extensive a WWW proxy network as remailer network? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From frissell at panix.com Sat Apr 27 23:45:39 1996 From: frissell at panix.com (Duncan Frissell) Date: Sun, 28 Apr 1996 14:45:39 +0800 Subject: US law - World Law - Secret Banking Message-ID: <2.2.32.19960428005703.00d22650@panix.com> At 02:43 PM 4/27/96 -0400, Michael Froomkin wrote: >I disagree with the assertion that a hypothetical 2 yr old with a US >passport who never set foot in the US again gets nothing for her >citizenship. The evidence is that she didn't rennounce it: if was >worthless to her she could easily do so. > She need not ever have even gotten a US passport. Additionally, she probably can't renounce her citizenship until she reaches majority. Also, if she is born with a fortune and the Clinton Exit Tax (which declares that renunciation of citizenship is a taxable event) is in place, she is out vast quantities of cash for nothing. The problem is the US tax system which tries to maintain an extra-territorial reach and encourages renunciation of citizenship. DCF From mrm at netcom.com Sat Apr 27 23:47:04 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 28 Apr 1996 14:47:04 +0800 Subject: The Joy of Java In-Reply-To: <199604270123.VAA01708@jekyll.piermont.com> Message-ID: <199604272232.PAA00806@netcom20.netcom.com> Perry writes: You can do that safely without making it dangerous for your machine. I know how I would build a restricted execution environment for such markets. However, Java is 1) too slow, since if you are selling rendering cycles or such you don't want to be running an interpreter, 2) insufficently safe, and 3) paradoxically, insufficiently powerful for the sort of code you would want to run in such an environment. What solution is fast enough and safe enough and powerful enough? Does such a solution exist? I say, No, it doesn't. So let's quit pretending that the Holy Grail exists, and get back to engineering. But let's not have a food fight. Although entertaining in the short term, food fights are actually deathly boring and incredibly unfruitful in the long term. I'm interested in helping people do interesting things in a reasonably secure way, on the internet, using Java. We're working on a response to the Felten el al. paper, which will be posted to the net shortly. I think some of their points are perfectly valid, some of their points are irrelevant, and a lot of the presentation is melodramatic. Melodrama is good for sound bites, I guess. Marianne working on Java security stuff at Sun From adam at rosa.com Sat Apr 27 23:52:44 1996 From: adam at rosa.com (Adam philipp) Date: Sun, 28 Apr 1996 14:52:44 +0800 Subject: Internet Police Law (fwd) Message-ID: <2.2.16.19960427165636.403fce62@sirius.infonex.com> This seems to be an interesting developement in GA... With CP relevance. >It is being dubbed the Internet Police Law. Georgia's state government is >beginning to catch a little net-heat because of a new law signed by the >Governor last week which, according to some, CRIMINALIZES the use of e-mail >addresses which don't properly identify a person, as well as the practice of >linking to another web page by name without first obtaining permission to >link. > >If anyone cares to see information and commentary on this new law, feel free >to browse over to www.kuesterlaw.com. I would love to know what everyone >thinks about the constitutionality of this bill, as well as any other comments. > >Thanks. >jk >Jeffrey R. Kuester, Esq. Patent, Copyright, & Trademark Law >6445 Powers Ferry Road, Suite 230, Atlanta, Georgia 30339 >Ph (770) 951-2623 Fax (770) 612-9713 >E-mail: kuester at kuesterlaw.com >WWW: http://www.KUESTERLAW.com (The Technology Law Resource) -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | My PGP key is available on my |Unauthorized interception violates | | home page: http://www.rosa.com |federal law (18 USC Section 2700 et| |=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.). In any case, PGP encrypted | |SUB ROSA...see home page... |communications are preferred for | | -=[ FUCK THE CDA]=- |sensitive materials. | \=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/ If A is a success in life, then A = x + y + z. Work is x; y is play; and z is keeping your mouth shut. Albert Einstein (1879-1955) From perry at piermont.com Sat Apr 27 23:58:04 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 28 Apr 1996 14:58:04 +0800 Subject: The Joy of Java In-Reply-To: <199604272232.PAA00806@netcom20.netcom.com> Message-ID: <199604272322.TAA04559@jekyll.piermont.com> Marianne Mueller writes: > Perry writes: > > You can do that safely without making it dangerous for your machine. I > know how I would build a restricted execution environment for such > markets. However, Java is 1) too slow, since if you are selling rendering > cycles or such you don't want to be running an interpreter, 2) > insufficently safe, and 3) paradoxically, insufficiently powerful for the > sort of code you would want to run in such an environment. > > What solution is fast enough and safe enough and powerful enough? Does > such a solution exist? I say, No, it doesn't. I say yes, it does. If what you want to do is run a distributed ray tracer, and sell the cycles for it, you can run an ordinary executable on a machine with an unusual kernel. If, for example, you could completely revoke access to the bulk of system calls and only permit I/O to a small number of inherited file descriptors, you could probably manage to get a reasonable engineering solution in place that would be suitable solely for things like markets in CPU cycles. I could probably design such an execution environment in a few weeks. Such an execution environment radically differs from Java in so far as it has a "what is not expressly permitted is forbidden" strategy all the way down to the kernel interface. It might still be dangerous in the presence of things like kernel bugs that permit you to write arbitrary memory addresses, however. My suspicion is that something thats okay from an engineering standpoint should be possible. > But let's not have a food fight. Although entertaining in the short term, > food fights are actually deathly boring and incredibly unfruitful in the > long term. I'm interested in helping people do interesting things in a > reasonably secure way, on the internet, using Java. What you are saying, Marianne, is that you work for the Java group at Sun, Java has become very important to Sun's strategy, and that thus Java isn't going to be abandoned regardless of techincal problems. > We're working on a response to the Felten el al. paper, which will > be posted to the net shortly. I think some of their points are > perfectly valid, some of their points are irrelevant, and a lot of > the presentation is melodramatic. Melodrama is good for sound > bites, I guess. Look, not to be insulting, but your job pretty much dictates that you have no choice but to declare their work to be incorrect. I mean, your customers would be very mad for you to say otherwise, and your management would fire you if you didn't say otherwise. This must certainly color your commentary. Understand, I'm not accusing you of being a bad person, but I am noting that you aren't in a position to be objective. Perry From unicorn at schloss.li Sun Apr 28 00:00:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 15:00:51 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604271611.AA05770@october.segno.com> Message-ID: <Pine.SUN.3.93.960427184419.24829D-100000@polaris.mindport.net> On Sat, 27 Apr 1996 mkj at october.segno.com wrote: > Please forgive what may be a stupid question, but I've been wondering > about this for a long time, and today I'm tired of wondering. > > A consistent theme here is "crypto-anarchy", which appears to be > essentially the idea that widespread cryptography will make tax > collection impossible, bringing down governments. Well, this is merely one aspect of what I consider "crypto-anarchy" to mean. > I don't see how > this will work. The logical flaw in this argument seems so obvious > (and at least some of the people who buy into it seem so obviously > intelligent), that I can't help but think I must be missing something. > > Certainly the widespread use of cryptography will frustrate modern > systems of taxation, such as income taxes, sales taxes, etc., which > are based on the monitoring of financial transactions. But these > systems are a mere flash in the pan; taxes existed, and governments > sustained themselves perfectly well, long before these systems arose. > > Why then shouldn't we expect that modern governments, in the face of > widespread cryptography, will simply revert to more traditional (and > brutal) systems such as head taxes, land taxes, travel tolls, etc.? Now, how are you going to impose taxes on heads if it becomes impossible to track down a person? You have to find them to tax them. With secure, anonymous communications, people can exist without giving away their location, business interests, property holdings, etc...etc... Travel taxes? Well, that's equally difficult to enforce. Particularly in large states. Consider the difficulty of charging $1 for crossing the Mexican-U.S. border. Any guesses as to compliance rates there? The only option for government becomes forcible seizure of land and or persons to enforce taxation. Note that even today property in the United States owned by tax evaders is difficult to seize if one cannot prove tax evasion. (Taxation is merely one example of regulations that become difficult to enforce with proper cryptography in place by the way). This being so I think it obvious that a manner of market economy among political systems will emerge. Some nation states will participate in what liberal-economists call a "race to the bottom" where they will continue to reduce regulations and so forth to attract businesses and thus income. Those on the far left somehow count this a _bad_ thing, citing typically environmental issues. It never ceases to amaze me that they don't get the message when 20% of the corporate population departs and they still don't realize that just raising taxes won't solve the problem. Essentially this is what the expatriation tax is. Money is fleeing because taxes in the United States are offensively high in the view of the citizens. I know! Let's impose regulation forbidding these traitorous deserters and increasing taxes on them! Uh huh. Sure. I invite those considering expatriation to consult with me. While I won't encourage tax evasion, I can show you, for academic purposes, how impractical the expatriation tax is to enforce. Short of closing the economic and physical borders, I'm not quite sure what you can do. (Closing the borders is hardly a viable option either). Much as secret banking emerged, I think it fairly obvious that some nation states will recognize that they have an interest in deregulating and charging nearly no tax. Many already have. It should come as no surprise to you that the United States considers these jurisdictions a threat. (Note that compliance in low tax jurisdictions approaches 100%). They will also recognize that they can attract several wealthy citizens to their shores who will invigorate their local economies if they pass laws with strict assurances of property rights. Force is only the answer so long as the population has no other option. I think it's fairly clear that nation-states who insist on using draconian means to enforce taxation in some last ditch effort to bail out their sinking boats will find their borders are leaking wealth to capital flight like screen doors. The only populations left to oppress and collect from will be those who cannot afford to flee. Not much left to collect, in other words. Not much to collect, a poor and disgruntled population probably nearing homicidal tendencies (especially in the U.S. example where a culture of freedom of spirit is less likely to foster much subserviance to a military type crackdown). More and more problems at home, less and less money to deal with it. Sound like disaster to me. Now, I don't think its going to happen quite that way. I think your assumption that draconian measures are going to be employed so easily is a incorrect one. Still, let's assume your correct for a moment. Are YOU going to stick around? > --- mkj > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From mrm at netcom.com Sun Apr 28 00:06:32 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sun, 28 Apr 1996 15:06:32 +0800 Subject: The Joy of Java In-Reply-To: <199604272322.TAA04559@jekyll.piermont.com> Message-ID: <199604280147.SAA20653@netcom20.netcom.com> I guess you're opting for food fight? I'll let people who know me judge if they think I'm mouthing party line or what not .. :-) Marianne From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 00:14:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 15:14:35 +0800 Subject: Nazis on the Net Message-ID: <01I41UO92ZME8Y5319@mbcl.rutgers.edu> From: IN%"llurch at networking.stanford.edu" "Rich Graves" 27-APR-1996 02:38:42.42 >On Fri, 26 Apr 1996, Snow wrote: >> Sorry about spewing this to the List, but nobody at replay.com would not get >> it back to him. >I'm glad *somebody* realized that. I believe there have been at least a >half dozen messages Cc'd to nobody in the last couple days. In some cases (such as my lone message, which was Cc'd to cypherpunks), they may be simply using a mail reader that doesn't allow retention of the threading reply header without sending it to the address of the original message. (Since these same mail readers, such as mine, also usually don't use the threading information, this is an act of charity.) >Hope this helps. At least with a stable nym, we'd be able to flame you for >off-topic posts. I'm going to be mailing some replies on this topic to some people, off the list; if anyone is curious and wishes to receive them also, let me know (off-list). -Allen From angels at wavenet.com Sun Apr 28 00:22:29 1996 From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) Date: Sun, 28 Apr 1996 15:22:29 +0800 Subject: [NOISE] Re: Guardian angels, the decency brigade, and cyberserap Message-ID: <v01510106a9e30a91595f@[198.147.118.221]> Peter Trei wrote about my signature: > >It's this last sig-quote that bothers me. It's worth noting that, unlike >the other two, it has no attribution. It looks like an inversion of >Benjamin Franklin's: > >" They that can give up essential liberty to obtain a little temporary safety > deserve neither liberty nor safety." > - Historical Review of Pennsylvania It is an inversion of that quotation and it does indeed sum up our focus. It has no name on it because I switched it around to make a motto for our work. Not that I disagree with Franklin though. The comment is true both ways around. > >People usually put in their .sigs quotes they feel sum up their personal >philiosophy. I guess soon we'll see 'Gabriel' give us some more words >to live by; these may be right up his alley: > >"War is Peace" >"Ignorance is Strength" >"Freedom is Slavery" > - Orwell, "1984" :) As a former teacher at the University of London department of adult studies, teaching history, politics and International Relations I can assure you I am very familiar with the history and belief of totalitarianism - and have opposed them all my life. > >Gabriel's also misquoting Burke - the actual text is: >"The only thing necessary for the triumph of evil is for good people to do >nothing. " > That's not how I have it but hey! Obviously we are dealing here with a man who knows his quotes. Gabriel ********************************************************* "Two people may disagree, but that does not mean that one of them is evil" ********************************************************* From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 00:31:48 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 15:31:48 +0800 Subject: You have been deleted Message-ID: <01I41UH0QEF48Y5319@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" ** Reply to note from Black Unicorn <unicorn at schloss.li> 04/24/96 03:01am -0400 >That a medical experiment including Chelsea could improve a man is >beyond the bounds of reason. Be nice to the poor kid... she didn't chose her parents. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 00:36:06 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 15:36:06 +0800 Subject: International Capital Flows Called Criminal Message-ID: <01I41VP9IK728Y5319@mbcl.rutgers.edu> From: IN%"frissell at panix.com" "Duncan Frissell" 25-APR-1996 14:36:03.76 >Now the last time I looked, 'Capital Flight' was as legal as church on a >Sunday. Or is this a proposal for exchange controls. Is this guy a state >or federal prosecutor? He was also unable to come up with legitimate >reasons for $3 Billion to go from Egypt to the Bahamas. I can think of any >one of a number of legal reasons, one being "International Tax Planning." As well as the taxes on those transferring their citizenship (which rather give the lie to those who say to libertarians that we ought to just move someplace else), there's also various limits on capital flow in other countries. Perhaps he's wanting the US to back these? Preventing people from taking their cash out of a country without economic development does reduce the costs to the World Bank et al for development funding. Of course, it also means that those people (generally the brightest ones in those countries) are more likely to leave, and will bear the brunt of development failures. -Allen From steve at miranova.com Sun Apr 28 00:50:22 1996 From: steve at miranova.com (Steven L Baur) Date: Sun, 28 Apr 1996 15:50:22 +0800 Subject: [WebRobotPunks] OKRA net.citizen Directory Service In-Reply-To: <199604270912.CAA07530@Networking.Stanford.EDU> Message-ID: <m2wx31w1io.fsf@deanna.miranova.com> These guys are worse offenders than whowhere, and they do abusive fingering (the only webrobot that has shown up so far in my finger logs): http://okra.ucr.edu/okra/ They have an e-mail address for me I used once in a Usenet test post 5 years ago. Since that address was entered into their database on the 9th of March, 1996 the only place they could have gotten it from is one of Tim May's old Usenet backup tapes. Coming soon ``Expanded database size''? I can hardly wait ... OKRA net.citizen Directory Service Brought to you by the Department of Computer Science _________________________________________________________________ new New Database Engine Now Active! Faster! - Increased Precision! - Exciting New Output Format! coming soon Expanded database size on the way... _________________________________________________________________ Current Statistics Database entries: 3,525,243 Queries performed today: 2,084 -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November. From declan+ at CMU.EDU Sun Apr 28 00:59:31 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 28 Apr 1996 15:59:31 +0800 Subject: Internet Police Law (fwd) In-Reply-To: <2.2.16.19960427165636.403fce62@sirius.infonex.com> Message-ID: <IlUhh4_00YUvF_sswV@andrew.cmu.edu> Excerpts from internet.cypherpunks: 27-Apr-96 Internet Police Law (fwd) by Adam philipp at rosa.com > This seems to be an interesting developement in GA... With CP relevance. I have quite a bit of info on this, including the text of the law, at: http://fight-censorship.dementia.org/fight-censorship/dl?thread =The+Day+the+Sites+Went+Out+in+Georgia?&after=2233 -Declan From unicorn at schloss.li Sun Apr 28 01:04:31 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 16:04:31 +0800 Subject: Cell Kill 2 In-Reply-To: <9Bc3mD213w165w@bwalk.dm.com> Message-ID: <Pine.SUN.3.93.960427224620.24829I-100000@polaris.mindport.net> On Sat, 27 Apr 1996, Dr. Dimitri Vulis wrote: > Black Unicorn <unicorn at schloss.li> writes: > > > According to the Russian newspaper Izvestia, Mr. Dudayev > > > died while phoning an aide to King Hassan II of Morocco, > > > who had been asked by President Yeltsin to help mediate > > > an end to the war. Will any leader ever again be so > > > gullible? Watch your attributation. I didn't write this. > --- > > Dr. Dimitri Vulis > Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 01:09:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 16:09:36 +0800 Subject: US law - World Law - Secret Banking Message-ID: <01I41WVH0QN28Y5319@mbcl.rutgers.edu> From: IN%"ml3e+ at andrew.cmu.edu" "Michael Loomis" 26-APR-1996 07:40:10.88 > I have been reading this list to get an idea where Declan gets some >of his lunatic ideas and what Rich Graves says when he is not up to >Holocaust fetishism. Despite Timothy's claim to the contrary, it seems >that the basic point of this list is some libertarian notion that tax >evasion is a good thing. Well, actually it's on a lot of other things also, including ones that those against censorship (I assume you're on the fight-censorship list, and thus encountered both Declan and Rich?) should favor. Examples include anonymous remailers and web pages (the deceanse (sp) project). Moreover, anonymous digital cash has applications to fighting censorship. Applications include paying someone to remail information or to put it on the web. c2.org, for instance, accepts even the present semi-anonymous digital cash and offers anonymous web page hosting. >While I am not clear how serious of threat, if one at all, to a system of >fair taxiation, That depends on how one defines "fair." >since much of the talk could be simply bluff, I have been made glad for the >first time for the War on Drugs. This silly war--tragic in terms of its >economic cost and its assault on liberty--at least has forces some >government agencies to take you seriously enough to figure out how to derail >your plans of tax evasion. Most of the tracking and other mechanisms discussed are even more of a threat to liberty - most significantly privacy, although there are other ones involved as well - and, indeed, to economic efficiency. A lot of the proposed and/or instituted regulations can also be used to discourage various politically unpopular but economically efficient operations; an example is "capital flight." In other words, unless you really want to live under a set of laws as restrictive as those in Communist China, support the cypherpunks. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 01:09:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 16:09:52 +0800 Subject: US law - World Law - Secret Banking Message-ID: <01I41W3KEPEC8Y5319@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 26-APR-1996 01:19:03.47 >What has consistently alarmed me is the United States trend of extending >her own moral and ethical standards world wide. Granted the United States >is the foremost world economic power, but the power to control markets and >the political power to invade the sovereignty of other states are two >distinct issues. The United States is, in one form or another, attempting >to homogonize the legal systems of the world to comply with her own >concept of what is "right" or "fair." This is disturbing. I have no problems with extending US sovereignty where it will improve civil liberties. However, about the only place where it appears to do so is going against child labor. Otherwise, every action of the US government in this regard appears to have been to decrease civil liberties in other countries (and, indirectly, in the United States). >By no means are the states of the world united on the meaning of >anti-trust, the appropriate levels of regulation therein, or the manner in >which to enforce these segments of the law. That the United States should >seek to impose her own will and concepts on foreign states strikes me as >the antithesis of this once noble power's call, indeed the central focus >of her foreign policy, for the self determination of all nation states. Well, I wouldn't say that the self-determination of nation states is the important part. Indeed, most of the cases in which "national sovereignty" is used as an excuse are ones in which the other country is in the wrong. German censorship and Tianenmin (sp?) Square are excellent examples. If patriotism is the last refuge of a scoundrel, national sovereignty is the last refuge of a scoundrel nation. I've deleted the rest of your statements because I essentially agree with them. -Allen From unicorn at schloss.li Sun Apr 28 01:11:16 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 16:11:16 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.GUL.3.93.960427163753.9454D-100000@Networking.Stanford.EDU> Message-ID: <Pine.SUN.3.93.960427225005.24829J-100000@polaris.mindport.net> On Sat, 27 Apr 1996, Rich Graves wrote: > On Sat, 27 Apr 1996, Black Unicorn wrote: > > > On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > > > > > > > I wonder how they can get the e-mail address? Our finger daemon are > > > blocked. Many un-broadcast e-mail addresses (the account never send any > > > e-mails to anyone) are in the database. How? > > > Furthermore, isn't it also privacy invasion? > > > Would any hackers or expert people kindly to tell me how to block > > > further threat like this? > > > > Use a nym. > > This doesn't necessarily help if you work or study at a large institution > (stanford.edu, for example). I think you took my comment in a smaller scope than it was intended. Use a nym. If you want absolute privacy, work and study under a nym. It's hardly difficult, you just have to start early. The bottom line is if you want privacy you have to work for it. You are screwed the moment you give your information to anyone. The first transfer you have puts information into the system regardless of the legal 'protections' that say otherwise. Treat your personal information as you would a trade secret. Once it's out, it's out. Depending on someone else (university, employer, government, phonecompany etc.) to protect data for you is, in my view, foolish. Do it yourself. It may seem extreme, but it is the only way to be certain. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From snow at crash.suba.com Sun Apr 28 01:13:50 1996 From: snow at crash.suba.com (Snow) Date: Sun, 28 Apr 1996 16:13:50 +0800 Subject: trusting the processor chip In-Reply-To: <m0uCiBa-00094jC@pacifier.com> Message-ID: <Pine.LNX.3.91.960427220258.1445B-100000@crash.suba.com> On Fri, 26 Apr 1996, jim bell wrote: [...] > and will be very hard to separate. If it is possible to replace a keyboard > chip with a Trojan Horse, the one desired target will be far more identifiable. Why go thru all the hassle when software would be easier? Or a very small camera placed in the ceiling watching the keyboard? It would seem to me that building a hacked chip that did _everything_ that the original did plus would be a lot more difficult (think Fab Plants, tool up costs, engineering) than just faking an alien abduction... Petro, Christopher C. petro at suba.com <prefered> snow at crash.suba.com From unicorn at schloss.li Sun Apr 28 01:23:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 28 Apr 1996 16:23:45 +0800 Subject: Anonymous banking In-Reply-To: <01I41RMZUD188Y52ZX@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.93.960427225726.24829K-100000@polaris.mindport.net> On Sat, 27 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 24-APR-1996 21:06:33.48 > > Thank you for the information. Sure. > Speaking of attorneys, is there any way that an attorney can serve as > an anonymous mail forwarder? The user would give the attorney permission to > look at anything suspicious (e.g., mail from a credit card company) to make > sure no fraud, theft, et al were being committed. Would this be covered under > lawyer-client confidentiality in the US? Well, using attorney client confidentality to shield things otherwise discoverable just doesn't work. There are many mail forwarding services that don't use attornies. An attorney is going to charge you by the hour for this service. I don't think you really want to pay for it. > >In general adding a country to the money laundering offender list is a > >political decision and NOT demonstrative of a country's actual money > >laundering use. (Note that Vanuatu is not included, nor is Isle of Man). > >Mostly its a question of countries with corrupt officials who will look > >the other way, not of countries which strict banking privacy. > > Fascinating. Common sense really. This is a fact of life when dealing with the political arms of the United States. > >This is nearly irresponsible reporting. > > Reporters nowdays are getting so overloaded that they're taking > information from whoever will talk to them. Look at what happened with the > chips-in-Iraqui printer story. Yep. > -Allen > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From anonymous-remailer at shell.portal.com Sun Apr 28 01:54:58 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 28 Apr 1996 16:54:58 +0800 Subject: Anybody know anything about this? Message-ID: <199604280326.UAA07174@jobe.shell.portal.com> ---------- Forwarded message ---------- Resolved by the Senate (the House of Representatives concurring), That the Secretary of the Senate, in the enrollment of the bill (S. 735) shall make the following corrections: (Enrolled Bill (Sent to President)) --S.Con.Res.55-- S.Con.Res.55 Agreed to April 24, 1996 One Hundred Fourth Congress of the United States of America AT THE SECOND SESSION Begun and held at the City of Washington on Wednesday, the third day of January, one thousand nine hundred and ninety-six Concurrent Resolution Resolved by the Senate (the House of Representatives concurring), That the Secretary of the Senate, in the enrollment of the bill (S. 735) shall make the following corrections: ... `(g) LIMITATION ON DISCOVERY- `(1) IN GENERAL- (A) Subject to paragraph (2), if an action is filed that would otherwise be barred by section 1604, but for subsection (a)(7), the court, upon request of the Attorney General, shall stay any request, demand, or order for discovery on the United States that the Attorney General certifies would significantly interfere with a criminal investigation or prosecution, or a national security operation, related to the incident that gave rise to the cause of action, until such time as the Attorney General advises the court that such request, demand, or order will no longer so interfere. `(B) A stay under this paragraph shall be in effect during the 12-month period beginning on the date on which the court issues the order to stay discovery. The court shall renew the order to stay discovery for additional 12-month periods upon motion by the United States if the Attorney General certifies that discovery would significantly interfere with a criminal investigation or prosecution, or a national security operation, related to the incident that gave rise to the cause of action. `(2) SUNSET- (A) Subject to subparagraph (B), no stay shall be granted or continued in effect under paragraph (1) after the date that is 10 years after the date on which the incident that gave rise to the cause of action occurred. `(B) After the period referred to in subparagraph (A), the court, upon request of the Attorney General, may stay any request, demand, or order for discovery on the United States that the court finds a substantial likelihood would-- `(i) create a serious threat of death or serious bodily injury to any person; `(ii) adversely affect the ability of the United States to work in cooperation with foreign and international law enforcement agencies in investigating violations of United States law; or `(iii) obstruct the criminal case related to the incident that gave rise to the cause of action or undermine the potential for a conviction in such case. From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 01:56:39 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 28 Apr 1996 16:56:39 +0800 Subject: OS/2 encryption utilities Message-ID: <01I41XUCBC4W8Y5319@mbcl.rutgers.edu> I thought the following from CuDigest should serve to illustrate some of the discussion recently on this subject. -Allen >>>>>>>>>>>>>>>>>>>>>>>> Computer underground Digest Sun Apr 21, 1996 Volume 8 : Issue 32 [...] Date: Mon, 8 Apr 1996 10:50:41 -0700 (PDT) From: Doc_Holliday at AWWWSOME.COM(M. Steven McClanahan) Subject: File 3--Canadian "criminalization of technology" [...] Speaking as one who had a Power Macintosh with a 2 gigabyte hard disk drive and all my backups subpeonaed in a civil case, I can tell you that the other side is not likely to want or accept your help in determining what is on your mass storage devices and/or in learning how your systems work. I had to stand by while the attorney corrupted all the data on my hard drive trying to beat my PGP encryption. Then he did the same thing to my back ups. Despite my protests I would have GIVEN them the key to decrypt the data - he didn't trust me. This is in a CIVIL case, imagine how they would feel in a CRIMINAL matter. They spent days trying to get past PGP and could not. Even if they had, all they would have gotten was copies of email between my wife and I. The downside was it took me two weeks to reconstruct my hard drive, time which the courts refused to order the attorney that started all this to pay me for. (They did sanction him after he threatened to punch me during a deposition for refusing to reveal my sources - which were protected by attorney-client privilege - which I thought was interesting; apparently he could waste all my time, but he couldn't hit me.) The court decided my data had no value and that having to rebuild my hard drive was a "minor inconveneince" compared to the "interests of justice." Since it is a no win situation, extending cooperation is problematic. It probably won't do any good. My experience told me most people in law enforcement have not advanced, technologically, past the level of an Atari 2600 and are completely baffled by complex systems. Based on what they did with a Mac system, I doubt they would even be able to access anything now that I use a SPARCstation 4. An attitude seems to have developed in the prosecution of computer crime that "the ends justifies the means." As the voters have gone along like sheep and surrendered many civil rights in the prosecution of drug related crimes, they are similarly doing in the prosecution of computer crimes having to do with the Internet and claims of "child porn." This is extremely dangerous as. If you look long and hard enough on any system,and systems accessible to it, you can, eventually, find something that will offend someone. Therefore, applying the rule that "the ends justifies the means," everyone who connects to a computer network is thereby "criminalized." The frigthening part is that, whether or not the innocent victim is doing anything illegal, the reams of good press such actions bring for prosecutors and police just encourages them. After it is all through and nothing illegal is found, law enforcement still looks good in the press, (because the public has been whipped up into such a frenzy they preceive any action as "good"). The victims of such harassment are always "guilty" in the eyes of the public, simply because the government took any action. From llurch at networking.stanford.edu Sun Apr 28 01:58:59 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 16:58:59 +0800 Subject: Cell Kill 2 In-Reply-To: <Pine.SUN.3.93.960427224620.24829I-100000@polaris.mindport.net> Message-ID: <Pine.GUL.3.93.960427203014.9901C-100000@Networking.Stanford.EDU> "Dr. Denning? Is that you? Always a pleasure to take your call. Yes, I think location-based authentication is a grand idea." -rich From jrichard at slonet.org Sun Apr 28 01:59:39 1996 From: jrichard at slonet.org (Josh Richards) Date: Sun, 28 Apr 1996 16:59:39 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <199604271430.HAA03553@mark.allyn.com> Message-ID: <Pine.SOL.3.93.960427200735.3454A-100000@spork.callamer.com> On Sat, 27 Apr 1996, Mark Allyn 206-860-9454 wrote: > They are gone now. Don't bet on it. (see below) > > mark.allyn.com% lynx http://www.WhosWhere.com > > lynx: Can't access start file http://www.WhosWhere.com > > mark.allyn.com% telnet www.whoswhere.com > www.whoswhere.com: unknown host [..dig output snipped] They're still around. Drop the `s'....."www.whowhere.com" (Both domains are registered with InterNIC, but they seem to be different organizations.....) Interesting, they've got some of my *really* old addresses (and the newer ones too). Josh Richards (jrichard at slonet.org) SLONET Regional Information Access, Inc., Development Team SLO Street Tech Development (Computer Services) <URL:http://www.slonet.org/~jrichard/> From creal at nando.net Sun Apr 28 02:03:18 1996 From: creal at nando.net (creal) Date: Sun, 28 Apr 1996 17:03:18 +0800 Subject: Clyink Encryption Units Message-ID: <Pine.SUN.3.91.960424095738.5217B-100000@bessel.nando.net> Cylink STX-2400X Voice/Data Encryption Units - Easy hook-up to phone (4-pin modular plug) - 198 bit key - Clear/Secure voice/data - keyed lock - SEEK key exchange or manual key loading - User's manual - ac power supplys These are the same as the STX 9600X currently sold by Cylink at $3000/unit except the data transfer rate is 2400 bps instead of 9600 bps. Good voice recovery. Like new condition. Asking $450. From reagle at MIT.EDU Sun Apr 28 02:03:27 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Sun, 28 Apr 1996 17:03:27 +0800 Subject: (FYI) Fraud On The Internet Message-ID: <9604280324.AA22485@rpcp.mit.edu> >X-Sender: reagle at rpcp.mit.edu >Date: Sat, 27 Apr 1996 23:03:22 -0400 >To: coredohrs at RPCP.MIT.EDU >From: "Joseph M. Reagle Jr." <reagle at mit.edu> >Subject: Fraud On The Internet > > >Fraud On The Internet > >The National Fraud Information Center has begun collecting information >about fraud on the Internet. As part of the effort to gather >information and announce the project to Internet users, the NFIC has >created its own Web site and is accepting information via e-mail. The >Web site has links to state, federal and international law enforcement >sites plus details of the Internet fraud program and how suspicious >activity can be reported. >World Wide Web: http://www.fraud.org/ >E-mail: nfic at internetmci.com >_______________________ >Regards, I, man, am regal; a German am I >Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html >reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E > > > _______________________ Regards, I, man, am regal; a German am I Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From jya at pipeline.com Sun Apr 28 02:12:18 1996 From: jya at pipeline.com (John Young) Date: Sun, 28 Apr 1996 17:12:18 +0800 Subject: Cell Kill 2 Message-ID: <199604280339.XAA07392@pipe2.nyc.pipeline.com> Responding to msg by unicorn at schloss.li (Black Unicorn) on Sat, 27 Apr 10:46 PM >Watch your attributation. I didn't write this. True. The NYT op-ed author's credit: Robert A. Pape teaches government at Dartmouth College and is the author of "Bombing to Win: Air Power and Coercion in War." ---------- ET cites: http://www.yahoo.com/headlines/960427/news/stories/chechnya_10.ht ml Tension rose even higher after the Chechens announced that Dudayev, a former Soviet air force general, had been killed in a rocket attack as he spoke to a Russian parliamentarian on a satellite phone. ---------- Which leaves open who is spoofing who. Dimitri, are you laser-celling killfile disinfo? From ses at tipper.oit.unc.edu Sun Apr 28 02:33:08 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 28 Apr 1996 17:33:08 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.GUL.3.93.960427162243.9454C-100000@Networking.Stanford.EDU> Message-ID: <Pine.SOL.3.91.960427210353.25084B-100000@chivalry> On Sat, 27 Apr 1996, Rich Graves wrote: > I think it would be a waste of time to build a multitiered security model > where applets with certain classes of signatures would be allowed to do > more. But signatures are still useful in a flat security model. Can you explain a bit more about why you think a multitiered model is not useful? I thought the general rule of thumb was to execute code with the minimum privileges necessary- are you advocating a single all-or-nothing approach? Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From llurch at networking.stanford.edu Sun Apr 28 02:43:27 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 17:43:27 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.SOL.3.91.960427210353.25084B-100000@chivalry> Message-ID: <Pine.GUL.3.93.960427212210.9901E-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Simon Spero wrote: > On Sat, 27 Apr 1996, Rich Graves wrote: > > > I think it would be a waste of time to build a multitiered security model > > where applets with certain classes of signatures would be allowed to do > > more. But signatures are still useful in a flat security model. > > Can you explain a bit more about why you think a multitiered model is not > useful? I thought the general rule of thumb was to execute code with the > minimum privileges necessary- are you advocating a single all-or-nothing > approach? Er, yes, I see I misspoke again. (Speaking well outside my areas of technical expertise tends towards the manifestation of such gaffes, so I'd be perfectly happy just to shut up if y'all would stop asking me direct questions.) To the extent I have any clue what I mean myself, my position is that the privileges accorded to a particular bit of untrusted code should not be derived automatically from the signature on said code. -rich From roger at coelacanth.com Sun Apr 28 03:06:28 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 28 Apr 1996 18:06:28 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.GUL.3.93.960427163753.9454D-100000@Networking.Stanford.EDU> Message-ID: <9604280504.AA0285@sturgeon.coelacanth.com> >>>>> Rich Graves <llurch at networking.stanford.edu> writes: > What whowhere.com did (whoswhere was a typo, yes -- it was late, > and I was rather pissed off) was grab the password file... Pretty apparent, when you discover that they have 167 matches for "daemon", >>500 matches for "admin", etc., which don't return any valid user email addresses... -- Roger Williams finger me for my PGP public key Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From steve at edmweb.com Sun Apr 28 03:07:41 1996 From: steve at edmweb.com (Steve Reid) Date: Sun, 28 Apr 1996 18:07:41 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604271611.AA05770@october.segno.com> Message-ID: <Pine.BSF.3.91.960427213515.9348A-100000@kirk.edmweb.com> > Why then shouldn't we expect that modern governments, in the face of > widespread cryptography, will simply revert to more traditional (and > brutal) systems such as head taxes, land taxes, travel tolls, etc.? That's easy to get around- move to another country with another government. I've read here that the US government would try to tax you anyway, but it would be very difficult to collect... You could still anonymously work in the US or some other strong economy, by telecommuting. Also, you can get around head taxes by not letting the government know where you are (easy with the anonymity thing). Travel tolls can be avoided by not traveling (telecommute instead). Land taxes are more difficult, since you kinda need a place to live, so maybe best to move to another country. I'm not advocating tax evasion, I'm just saying it could become possible. There's no guarantee that crypto-anarchy will come to be... I think the crypto genie is permanently out of the bottle (or at least will be soon), but if anonymous digital cash doesn't catch on, crypto anarchy won't be the same. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From llurch at networking.stanford.edu Sun Apr 28 03:19:04 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 18:19:04 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.SUN.3.93.960427225005.24829J-100000@polaris.mindport.net> Message-ID: <Pine.GUL.3.93.960427214213.9901G-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996, Black Unicorn wrote: > > > [Unicorn of Color:] > > > Use a nym. > >[Me:] > > This doesn't necessarily help if you work or study at a large institution > > (stanford.edu, for example). > [Unicorn of Color:] > I think you took my comment in a smaller scope than it was intended. > > Use a nym. If you want absolute privacy, work and study under a nym. > It's hardly difficult, you just have to start early. I disagree that it's "hardly difficult" for most normal people. There are bits and pieces of helpful information around, but they tend to be in tax-protester-type rags that also contain a lot of loony stuff guaranteed to land you in jail. And many of them are just snake oil scams themselves. You know the difference, but I'm only starting to learn to, and Joe Schmo hasn't a chance. Anyway, I can't work for an organization like Stanford University without a real name and Social Security number. In theory, I suppose, that real name and Social Security number don't need to be the only ones I have. > Depending on someone else (university, employer, government, > phonecompany etc.) to protect data for you is, in my view, foolish. In this case, I am the "someone else." How do I behave responsibly when I have thousands of people coming in every Fall with no clue about privacy issues? I have to go after the leaks. Of course I know that none of my clients has any real security or privacy, but stopping such information from being trivially available on public web servers at least helps stave off the random nutcase. Restricting the field to more specific nutcases, with or without official titles, helps with the threat profile. It was an uphill battle just to delink identity, location, and DNS registration. It used to be that you could pinpoint a student's name, address, and telephone number by their personal computer's static IP address. They weren't even told that this was possible. On yesterday's lovey-dovey research/educational Internet where everybody trusted everybody else, it was just more efficient for troubleshooters and system administrators to know where everybody was. Now, it's a scarier world, and we all know that, but it's tough convincing people to change a system that works. My personal choice has been (near-) complete openness, because I ironically feel more secure if it is trivial for certain very specific nutcases to verify that I pose no threat to them. I do not wish my enemies to be paranoid. Paranoid people break things. I've chosen the security of the high ground rather than the secuurity of the cave. Of course, I'm learning to keep my personal life personal, and one day, I might find it useful to disappear. -rich From blake at bcdev.com Sun Apr 28 03:28:49 1996 From: blake at bcdev.com (Blake Coverett) Date: Sun, 28 Apr 1996 18:28:49 +0800 Subject: Mindshare and Java Message-ID: <01BB34A1.56D52990@bcdev.com> > "Trust" really isn't the right word for what I'm getting at. Microsoft's > digital signature initiative is basically FUD with the spin "Only stuff > signed or endorsed by Microsoft is going to work," but I don't think that > this spin is inherent in signed code initiatives generally. At the risk of being rude... I you had actually looked at the system in question you'd realize that your statements above are sheer nonsense. -Blake (who posted a summary of the WinTrust stuff some weeks back) From ethridge at Onramp.NET Sun Apr 28 03:53:53 1996 From: ethridge at Onramp.NET (Allen B. Ethridge) Date: Sun, 28 Apr 1996 18:53:53 +0800 Subject: [NOISE] Re: Guardian angels, the decency brigade, andcyberserap In-Reply-To: <v01510106a9e30a91595f@[198.147.118.221]> Message-ID: <v03006600ada8c4679a53@[199.1.11.202]> angels at wavenet.com wrote: >Peter Trei wrote about my signature: >> >>It's this last sig-quote that bothers me. It's worth noting that, unlike >>the other two, it has no attribution. It looks like an inversion of >>Benjamin Franklin's: >> >>" They that can give up essential liberty to obtain a little temporary safety >> deserve neither liberty nor safety." >> - Historical Review of Pennsylvania > >It is an inversion of that quotation and it does indeed sum up our focus. >It has no name on it because I switched it around to make a motto for our >work. Not that I disagree with Franklin though. The comment is true both >ways around. No. "Those who sacrifice security for freedom, will have neither" is not consistent with Franklin's statement, nor is it true. Security and freedom are antithetical, and worse than that, security is always an illusion. But you can have your illusion, as long as you keep it out of my life. Censor yourself if you wish, but don't censor anything I might want to look up. >>People usually put in their .sigs quotes they feel sum up their personal >>philiosophy. I guess soon we'll see 'Gabriel' give us some more words >>to live by; these may be right up his alley: >> >>"War is Peace" >>"Ignorance is Strength" >>"Freedom is Slavery" >> - Orwell, "1984" > >:) As a former teacher at the University of London department of adult >studies, teaching history, politics and International Relations I can >assure you I am very familiar with the history and belief of >totalitarianism - and have opposed them all my life. Yeah, right. Although you don't seem to have mastered propaganda quite yet. allen ethridge at onramp.net From llurch at networking.stanford.edu Sun Apr 28 03:54:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 18:54:40 +0800 Subject: Mindshare and Java In-Reply-To: <01BB34A1.56D52990@bcdev.com> Message-ID: <Pine.GUL.3.93.960427230932.9901J-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, Blake Coverett wrote: > > "Trust" really isn't the right word for what I'm getting at. Microsoft's > > digital signature initiative is basically FUD with the spin "Only stuff > > signed or endorsed by Microsoft is going to work," but I don't think that > > this spin is inherent in signed code initiatives generally. > > At the risk of being rude... I you had actually looked at the system in > question you'd realize that your statements above are sheer nonsense. This is cypherpunks, and you think you need to apologize for being rude? You're right, of course. I was basing the above on a marketing paper on the December TechNet CD. Since then, the people who do the real work appear to have developed a reasonable system. Who, me, biased against Microsoft? Absolutely. Just keep that in mind. -rich From llurch at networking.stanford.edu Sun Apr 28 04:06:13 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 19:06:13 +0800 Subject: Anybody know anything about this? In-Reply-To: <199604280326.UAA07174@jobe.shell.portal.com> Message-ID: <Pine.GUL.3.93.960427212949.9901F-100000@Networking.Stanford.EDU> On Sat, 27 Apr 1996 anonymous-remailer at shell.portal.com wrote: > ---------- Forwarded message ---------- > > Resolved by the Senate (the House of Representatives concurring), That > the Secretary of the Senate, in the enrollment of the bill (S. 735) > shall make the following corrections: (Enrolled Bill (Sent to > President)) Looks like lawyerese from the conference report reconciling the house and senate versions of the bill to me. I only speak english, Spanish, HTML, and perl, but given more information, I might try. Please give a better citation of the source next time so that we ("we") have a chance in hell of investigating further. It appears to be an elucidation of legal ways for the guvmint to refuse to release information on pending investigations of enumerated terrorist and organized crime groups, of course. What parts of it are more or less injurious to civil liberties than current law, I don't know. Get the full text, the references, and a lawyer. All you're likely to get here is speculation. I usually trust and agree with EPIC, CDT, EFF, and the ACLU -- if they have stated a position. I know they generally opposed the whole enchilada of S.735 (which was "The Anti-Terrorism Bill"), but I don't know about these provisions. The Congressional Record is at http://thomas.loc.gov/ The US Code is at http://www.law.cornell.edu/ I don't know where to get the CFR online; anybody? -rich From perry at piermont.com Sun Apr 28 04:12:23 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 28 Apr 1996 19:12:23 +0800 Subject: The Joy of Java In-Reply-To: <199604280147.SAA20653@netcom20.netcom.com> Message-ID: <199604280704.DAA06780@jekyll.piermont.com> Marianne Mueller writes: > I guess you're opting for food fight? > > I'll let people who know me judge if they think I'm mouthing party line > or what not .. As I said, I don't think you are a bad person. I merely think that no one could expect the Java security person to say anything other than what you have said. .pm From jimbell at pacifier.com Sun Apr 28 04:37:50 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 28 Apr 1996 19:37:50 +0800 Subject: [NOISE] Re: Guardian angels, the decency brigade, and cyberserap Message-ID: <m0uDOuV-000924C@pacifier.com> At 06:31 PM 4/27/96 -0700, CyberAngels Director : Colin Gabriel Hatcher wrote: >Peter Trei wrote about my signature: >> >>It's this last sig-quote that bothers me. It's worth noting that, unlike >>the other two, it has no attribution. It looks like an inversion of >>Benjamin Franklin's: >> >>" They that can give up essential liberty to obtain a little temporary safety >> deserve neither liberty nor safety." >> - Historical Review of Pennsylvania > >It is an inversion of that quotation and it does indeed sum up our focus. >It has no name on it because I switched it around to make a motto for our >work. Not that I disagree with Franklin though. The comment is true both >ways around. I find that to be a disgusting opinion. Quite to the contrary, I think that whenever it _appears_ that giving up "a little liberty" would provide more security, there are other ways of providing that same security that don't require any loss of liberty. For just one example, it is well known that the "war on drugs" actually causes a great deal of street crime. But a person who doesn't see this, or doesn't want to admit this might see that crime and conclude that some loss of liberty (like, for instance, giving the police the authority to stop and frisk all passers-by whenever they want) would improve safety. What he doesn't admit is that by legalizing drugs nearly all of that crime would disappear, vastly improving safety. So it's a false trade-off, in both directions. Authoritarians may disagree. Jim Bell jimbell at pacifier.com From attila at primenet.com Sun Apr 28 04:40:09 1996 From: attila at primenet.com (attila) Date: Sun, 28 Apr 1996 19:40:09 +0800 Subject: code vs cypher Message-ID: <199604280552.WAA20878@primenet.com> ** Reply to note from hochiminh at alpha.c2.org 04/26/96 8:31pm -0700 = Perry E. Metzger" <perry at piermont.com> writes: = = pm> tm> Timothy C. May writes: = pm> tm> Well, I was not invited to join the elite and secret = pm> tm> coderpunks list, = well, apparently that was not a problem. = pm> It is neither elite nor secret. It is fairly high signal to = pm> noise. = pm> I think only about one in every fifty or so cypherpunks = pm> messages has any content at all worth mentioning. = = Agreed! I wasn't "invited". I simply requested access and = was quickly welcomed to the list. = yes, and that was the intent. I do not think the intent of those of us who formed Coderpunks "conspired to form an elitest group." The basic problem was simple --even code topics were politicized in cypherpunks which resulted in scores and days of "re: " messages until someone finally prefaced it with [NOISE], or changed the subject. = pm> tm> but I still have some thoughts on coding and, = pm> tm> especially, on the opportunities offered by Java. = pm> tm> Sorry if this interferes with discussions of Rabbi = pm> tm> Heir and Morris Dees. = = pm> You have no right to grumble about the situation here. = pm> It is exactly what you wanted. Here you were, a person = pm> of some personal gravitas and moral authority, and you = pm> put your stamp on the "post whatever you like; don't let = pm> the grumbling censors stop you". Well, as you sow, so = pm> shall you reap. Its your fault, more than anyone else's. = = TC May was not the first person to substantialy digress from = chartered topics but he certainly "ran with the ball" when he = got his chance to expose his ignorance and intolerance of = other races and religions (the cypher-relevance or "charter = topicality of which always escaped me). I was discouraged = by the encouragement given to the murder advocating moron, = Jim Bell to post his insance littany. = as to jim bell, does this imply you believe in censorship? I think you are mistaken with your implication that tcmay is a racist. Bigotry, etc. is usually created in the mind of a reader who jumps to conclusions. I am somewhat older than tim, and I find the politically correct revisionism even more humourous (and very intellectually cheap): vertically challenged, horizontally challenged, mobility challenged, mentally challenged, or whatever the current fads are. and, to top it off, I am disgusted with the high and mighty moralism of the revisionists. I fully agree with EEO, but I thoroughly disagree with quotas and preferences. I have more than an even tendency to call a spade a spade, and I may live where guns tend to outnumber our many children, but the only way a stranger can be bounced from my table is to interfer with grace --and there are some, as they are attending for the extra plate which is always set, who would protest that my prayer offends them. does anybody still have manners? tim finds humour in many things --and, he has the courage to challenge the politically correct revisonism which is being shoved down our throats by a bigger and bigger, but certainly not better, creeping vine of vipers we call our government, which is nothing more than a ship of fools. = pm> If Cypherpunks has become a cesspit, well, its YOUR cesspit, = pm> Tim. Its the list you always strove to create, but it appears = pm> that you now don't like the smell of your own wallow. Well, = pm> sorry. Deal with it. = = Well put, Perry! well, the premise may be correct on what cypherpunks drifts into with the endless political back and forth --the open forum; however, the creation of the cesspit is not one party's fault --we _all_ have contributed to the problem --which is compounded by direct, on-line connections. so, how about a little moderation in all things? -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. cc: Cypherpunks <cypherpunks at toad.com> From llurch at networking.stanford.edu Sun Apr 28 06:19:25 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 21:19:25 +0800 Subject: code vs cypher In-Reply-To: <199604280552.WAA20878@primenet.com> Message-ID: <Pine.GUL.3.93.960428005017.9901K-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, attila wrote: > ** Reply to note from hochiminh at alpha.c2.org 04/26/96 8:31pm -0700 > > = TC May was not the first person to substantialy digress from > = chartered topics but he certainly "ran with the ball" when he > = got his chance to expose his ignorance and intolerance of > = other races and religions (the cypher-relevance or "charter > = topicality of which always escaped me). I was discouraged > = by the encouragement given to the murder advocating moron, > = Jim Bell to post his insance littany. > = > as to jim bell, does this imply you believe in censorship? No, it simply means he thinks that Bell is a loon. I thought that for a while, too, but now I think he's simply politically immature, and into novelty acts. I am also pleased to see Bell seem to learn and mature over the last few months, as I know I have. Nobody is irredeemable. I have never killfiled anyone, though I've ignored people from time to time as a way of controllin gmy blood pressure. Detweiler was right when he talked about the thin skins and huge egos here. Why cry "censor" when somebody simply tells you to shut up? It's called social pressure, and it's a good thing. You may respond to social pressure however you wish. > I think you are mistaken with your implication that tcmay is a > racist. Bigotry, etc. is usually created in the mind of a reader who > jumps to conclusions. Likewise "PC." He may correct me if I'm wrong, but I think you are mistaken in your implication that hochiminh means to imply that TC May is a racist. "Ignorance and intolerance" are different animals entirely, and speaking on a purely analytical rather than moral level, I believe these terms are accurately applied to Tim's statements, especially about non-English speakers and nuking the Japs. But I recognize Tim's good humor (in all three meanings), and think he's a great guy, as are most of the inmates in this particular asylum. My parents and a couple of friends at work are right-wing fundamentalist loons, and a couple of friends from school are left-wing multiculturalist loons. From this vantage point, I learn a lot. It's really funny comparing the presentation of left-wingers in right-wing propaganda to the presentation of right-wingers in left-wing propaganda. It seems that cypherpunks gets the worst extremes of both. Sometimes I play along (too often, probably, so I'm learning how to resist being trolled -- Michael Loomis's laughable "Rich Graves, Holocaust fetishist" was a good test), sometimes I just sit back and watch. > I am somewhat older than tim, and I find the > politically correct revisionism even more humourous (and very > intellectually cheap): vertically challenged, horizontally > challenged, mobility challenged, mentally challenged, or whatever > the current fads are. You will see none of these terms anywhere but in failed trial balloons and parodies of the supposedly politically correct, of course. It's really amazing how a myth can take on a life of its own. The left has the same kind of ludicrous misconceptions about the religious right. I'll tell my parents some of the things my leftist friends have been told about some of the organizations my parents belong to, and they say, huh? Tell a feminist what Pat Robertson says about feminists, and she says, huh? > thoroughly disagree with quotas and preferences. I have more than > an even tendency to call a spade a spade, and I may live where guns > tend to outnumber our many children, but the only way a stranger can > be bounced from my table is to interfer with grace --and there are > some, as they are attending for the extra plate which is always set, > who would protest that my prayer offends them. does anybody still > have manners? I once met a guy in Hollister who did. I still resent being packed off to church, and I certainly oppose state- sponsored school prayer; but anyone who goes out of their way to ridicule someone else's beliefs, or who intentionally disrupts someone else's worship, is an asshole, IMHO. > tim finds humour in many things --and, he has the courage to > challenge the politically correct revisonism which is being shoved > down our throats by a bigger and bigger, but certainly not better, > creeping vine of vipers we call our government, which is nothing > more than a ship of fools. I would agree with this wholeheartedly if you turned down the volume about 80%. I hardly think it takes that much courage to disagree with PC excesses, especially the ones that don't exist, like this "vertically challenged" bullshit. It certainly doesn't take much courage on the cypherpunks list. Admitting that you pray -- now, that takes courage, well, in polite circles in California it does. > well, the premise may be correct on what cypherpunks drifts > into with the endless political back and forth --the open forum; > however, the creation of the cesspit is not one party's fault --we > _all_ have contributed to the problem --which is compounded by > direct, on-line connections. > > so, how about a little moderation in all things? I'm all for that. Anyone for a little croquet? -rich From bob at bridgew.demon.co.uk Sun Apr 28 06:42:27 1996 From: bob at bridgew.demon.co.uk (Bob Bridgewater) Date: Sun, 28 Apr 1996 21:42:27 +0800 Subject: Windows remailer source code Message-ID: <3183259e.1339015@post.demon.co.uk> Hi, Please could you tell me if you know of any remailer source code that will run under Windows NT3.51 to enable me to set-up a remailer myself. Somebody told me that one has been announced recently and you may know where to find this. Any suggestions would be welcome. Bob Bridgewater bob at bridgew.demon.co.uk From llurch at networking.stanford.edu Sun Apr 28 08:09:29 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 28 Apr 1996 23:09:29 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.GUL.3.93.960427214213.9901G-100000@Networking.Stanford.EDU> Message-ID: <Pine.GUL.3.93.960428032656.9901M-100000@Networking.Stanford.EDU> I should have done some more research first before going off and whining. It seems that at least two Stanford graduate students, one in business and one in engineering, are involved with the project. I guess they thought, "Look, the Yahoo guys just got millions of bucks. Let's do the same thing." They will be receiving an excellent education in "knowing your target audience" and "good design." Also "intellectual property," "public relations," and a few other subjects. -rich From ddt at lsd.com Sun Apr 28 08:43:59 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 28 Apr 1996 23:43:59 +0800 Subject: [;)] v2.0 Message-ID: <v0300661eada902e273e5@[192.187.167.52]> <http://www.well.com/user/ddt/info/jet-reply.html> (v2.0) From llurch at networking.stanford.edu Sun Apr 28 09:26:43 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 00:26:43 +0800 Subject: [WhoWhere?] In-Reply-To: <Mailstrom.1.06.34473.-26472.morgan@networking.stanford.edu> Message-ID: <Pine.GUL.3.93.960428042051.12519A-100000@Networking.Stanford.EDU> You wrote: > We would like to bring to your attention the WhoWhere? search engine at > URL: http://www.whowhere.com If you feel it is appropriate for the > Stanford community, we would appreciate a link from your "campus > directory"... > > WhoWhere? is an effort by a team from Stanford GSB and engineering school > and we would appreciate your support of our efforts. > > Please feel free to give us any feedback to enhance our service > to build the largest white pages community. Please unplug your server from the Internet immediately, and do not plug it back in until all database entries based on other than publicly available information have been scrubbed. Please refer any Stanford affiliates involved with your project to the thread concerning your activities in the su.computers newsgroup. Thank you. Have a nice day. -rich From mkj at october.segno.com Sun Apr 28 10:20:05 1996 From: mkj at october.segno.com (mkj at october.segno.com) Date: Mon, 29 Apr 1996 01:20:05 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <199604281221.AA01603@october.segno.com> Sandy Sandfort wrote: > Income tax is the Godzilla of taxes. It is THE TAX when it comes > to the US. (Perhaps VAT has a similar status elsewhere, but both, > as pointed out, are subject to crypto-anarchistic subversion.) > > > ...taxes existed, and governments sustained themselves perfectly > > well, long before these systems arose. > > But at nowhere near the voracious levels of modern states. This is a point I hadn't considered. If the govt doesn't know where most of the money is, they can't "harvest" it nearly as efficiently. Although they will almost certainly try to extract as much as possible from the poor, you can't get blood from a stone. Hence the size of current governments will undoubtedly have to shrink. Most other arguments put forth so far in this thread, about how people "won't stand for" certain government behaviors and so forth, I don't find convincing. Modern military technologies, especially in the U.S., make the prospects of a sucessful popular uprising dubious. When you cut off someone's air supply, even the nicest, gentlest person will go into an unrestrained, murderous frenzy. I expect something similar will happen to even the most "civilized" governments within the next few years, as popular crypto begins to cut off their money supply. As I see it, only those relatively few citizens who can afford to flee will dare to resist. Which brings us to the "flight of capital" issue. Will nations be able to compete freely for the loyalty of the rich? Or will the most powerful nations form effective coalitions, and perhaps simply bomb "rogue" nations into the stone age? The more I contemplate my "simple" question of yesterday, the more I find myself getting into deep waters which I feel ill-equipped to navigate. I rapidly run up against such imponderable questions as, "What is government?" and "What is wealth, really?" Only one thing is certain: We live in interesting times! At any rate, I thank everyone for their thoughtful responses. --- mkj From declan+ at CMU.EDU Sun Apr 28 11:23:34 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 29 Apr 1996 02:23:34 +0800 Subject: [NOISE] Re: Guardian angels, the decency brigade, and In-Reply-To: <9604270337.AA22787@frumious-bandersnatch.MIT.EDU> Message-ID: <ElUqZXC00YUvE1vu1P@andrew.cmu.edu> ---------- Forwarded message begins here ---------- From: sethf at MIT.EDU Date: Fri, 26 Apr 1996 23:37:48 -0400 Message-Id: <9604270337.AA22787 at frumious-bandersnatch.MIT.EDU> To: angels at wavenet.com Subject: Re: Guardian angels, the decency brigade, and cyberseraphim Cc: fight-censorship+ at andrew.cmu.edu, mnemonic at well.com, cp at panix.com I have been researching the issue of ratings for some time, and thinking of getting a SafeSurf rating for a few pages as an experiment, so this "patrolling" is pretty interesting: "Gabriel" writes: > The answer is yes. So how can Safesurf be sure that sites registered with > them are indeed genuinely kidsafe? Simple - someone has to go and check > out all the sites who register with Safesurf. Now, would you be kind enough to tell me what happens next? Suppose you check out a site and find it is in your opinion not "kidsafe". What do you do in that case? This is not clear from your message. If the essence of the the SafeSurf system is "voluntary" ratings, are you not substituting your own standard? After all, in reference to Declan McCullagh's point about the fight-censorship archives, you say: "Why ask? Clearly a site with a message like this would not be suitable for children to read. That would be an adult site rating." Clearly then, you have some standard you are applying, which seems in this case be roughly "any archive which contains any message with any sexual content, no matter what the context or proportion, does not qualify as "kidsafe" in the CyberAngels view." So, in reality do we not have two standards here, the site's "voluntary" one, and the one the CyberAngels apply to the site? Only if the two coincide will all be well. Thus, is it not reasonable to ask that the CyberAngels at least make clear their criteria? I collect items such as this (ratings systems), I would be very interested in what the CyberAngels have come up with. ================ Seth Finkelstein sethf at mit.edu P.S. I don't know if you're a recent recruit or not, but Curtis Sliwa has a checkered history at best. Given the fabrications in the Angel's past, what can we expect in their future? References: AUTHOR: Goodstein, Laurie TITLE: Guardian Angels' Chief Clouds His Reputation SOURCE: Washington Post SEC,PG:COL: A, 3:1 DATE: Nov 29, 1992 ABSTRACT: Curtis Sliwa, founder of the Guardian Angels, has admitted that some of his 1980s exploits were fabricated to get publicity. AUTHOR: Gonzalez, David TITLE: Police Union to Sue Sliwa over Hoaxes SOURCE: New York Times SEC,PG:COL: B, 6:6 DATE: Nov 26, 1992 ABSTRACT: Ron Reale, the president of the New York City transit police union, said Nov 25, 1992 that his group would file a lawsuit against Curtis Sliwa, the founder of the Guardian Angels, on the grounds that he had injured the union's reputation by faking crime-fighting exploits in order to garner publicity for the Guardian Angels. AUTHOR: Gonzalez, David TITLE: Sliwa Admits Faking Crimes for Publicity SOURCE: New York Times SEC,PG:COL: B, 1:4 DATE: Nov 25, 1992 ABSTRACT: The Guardian Angels' founder and leader, Curtis Sliwa, admitted in a New York Post article on Nov 24, 1992 that he faked six of the group's early crime-fighting exploits to gain publicity. Some former and present associates contend that even more of the group's activities were publicity stunts. TITLE: Curtis Sliwa's Confession SOURCE: New York Times SEC,PG:COL: A, 32:1 DATE: Nov 27, 1992 ABSTRACT: An editorial wonders why so many New Yorkers got taken in by Curtis Sliwa, the Guardian Angels' leader who recently confessed that he and his Angels fabricated several exploits in order to gain public support. From gunjan at parsecweb.com Sun Apr 28 11:28:01 1996 From: gunjan at parsecweb.com (Gunjan Sinha) Date: Mon, 29 Apr 1996 02:28:01 +0800 Subject: [WhoWhere?] Message-ID: <199604281351.GAA16852@parsecweb.com> I am sorry if you misunderstood my previous email. We are ex-Stanford grad, not current students! The WhoWhere? database is collected through a combination of technolofy, partnerships, and self-registrations by end-users. Our content is from publicly available sources. We run crawlers for Newsgroups and WWW to collect our content. Several Thousand individuals come to WhoWhere? to add theor listing every day. Hope I have been able to clarify your confusion. Gunjan WhoWhere? Inc. > From llurch at networking.stanford.edu Sun Apr 28 04:54:21 1996 > Date: Sun, 28 Apr 1996 04:43:36 -0700 (PDT) > From: Rich Graves <llurch at networking.stanford.edu> > To: Gunjan Sinha <gunjan at parsecweb.com> > cc: cypherpunks at toad.com > Subject: Re: [WhoWhere?] > > You wrote: > > > We would like to bring to your attention the WhoWhere? search engine at > > URL: http://www.whowhere.com If you feel it is appropriate for the > > Stanford community, we would appreciate a link from your "campus > > directory"... > > > > WhoWhere? is an effort by a team from Stanford GSB and engineering school > > and we would appreciate your support of our efforts. > > > > Please feel free to give us any feedback to enhance our service > > to build the largest white pages community. > > Please unplug your server from the Internet immediately, and do not plug > it back in until all database entries based on other than publicly > available information have been scrubbed. Please refer any Stanford > affiliates involved with your project to the thread concerning your > activities in the su.computers newsgroup. > > Thank you. Have a nice day. > > -rich > > From perry at jpunix.com Sun Apr 28 11:36:12 1996 From: perry at jpunix.com (John A. Perry) Date: Mon, 29 Apr 1996 02:36:12 +0800 Subject: Keyserver at jpunix.com on WWW Message-ID: <Pine.NEB.3.93.960428082815.6527A-100000@alpha.jpunix.com> -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone, I just got through implementing and testing Brian LaMacchia's code for WWW access to the PGP keyserver at jpunix.com. This means that the Web page for jpunix.com can now perform interactive, realtime searches and adds against the keyserver database. If you would like to try it, the URL is: http://www.jpunix.com/pks-toplev.html John Perry - KG5RG - perry at alpha.jpunix.com - PGP-encrypted e-mail welcome! WWW - http://www.jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by mkpgp2.0, a Pine/PGP interface. iQCVAwUBMYN2llOTpEThrthvAQEyqwP5AT14+2NbvdXdEnr8nxaSUVcLUmA2M0+z PDdOXidleU4P5BesHe0cIO0FdrpLC7EHi7mhg3XgwEeooCv2wGsOf59oGGikaqSl 4WLEvoQQOftVQNeE5vv7mbiYo4M5CZBm/QSu1QK3SD37ohT/pRy+RFu0ldRuxrAl aPSro/koBN8= =pFGr -----END PGP SIGNATURE----- From ichudov at algebra.com Sun Apr 28 12:19:55 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Mon, 29 Apr 1996 03:19:55 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.GUL.3.93.960427172022.9454F-100000@Networking.Stanford.EDU> Message-ID: <199604281414.JAA14452@manifold.algebra.com> Rich Graves wrote: > They did that too. They got recursive whois and finger sweeps dated > mid-1993 (we catch people doing whois aaaa*, aaab*, and so on every once > in a while), a Usenet-wide sweep dated early 1994, a sweep of local, > firewalled su.* newsgroups last December/January 95/96, and an outright > theft of the master shadow password file for most stanford.edu accounts > (address, real name, and UID only, no group ID or encrypted password) in > January 1996. Why people tolerate running "old" finger server on their machines? Old finger server giving anyone names of all users logged on, dynamic information such as from where they are logging in, etc etc is just as bad invasion of privacy as whowhere.com. It does not take a genius to write a safer replacement for in.fingerd that reports only what users wish to report about themselves. There are many good replacements for finger daemon floating around, too. I wrote one in perl, it is about 50 lines long and is free for asking. - Igor. From bryce at digicash.com Sun Apr 28 13:08:10 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Mon, 29 Apr 1996 04:08:10 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <199604241913.PAA12632@universe.digex.net> Message-ID: <199604281528.RAA10421@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Scott Brickner <sjb at universe.digex.net> writes: bryce at digicash.com writes: > >3. My fee per bet is USD5.00 or FIM50.00, or cyb7000.00. > >This is for "simple", winner-take-all bets. For other > >arrangements, make me an offer. > > Wouldn't it be more reasonable for the fee to be something like 2%? It > seems odd that to have a $2 bet settled you'd need to pay $5. And > since the ante is required before the bet is formalized, why not just > take your cut out of the winnings? You're right. I wasn't thinking. I hereby change my fee to 0. Bryce, Escrow and Arbitration Agent Serving The cypherpunks List Since 1996 -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYOOnUjbHy8sKZitAQGdJAL+LR1RWSD4k3b5YjqG2ekzKAULeiA2bUI4 MkV74a6JzOW/iKX3tS0Y40K5j4Xnp7uOYXbJOsOtHtb0U/J4IrFj1ALbp8B4C4Pr 9EqVuKs1nQZCvoAxbW8/O4Xn38uM5DHR =+7PU -----END PGP SIGNATURE----- From bryce at digicash.com Sun Apr 28 13:18:44 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Mon, 29 Apr 1996 04:18:44 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <01I3X9N6RA1W8Y50LP@mbcl.rutgers.edu> Message-ID: <199604281539.RAA10757@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- E. Allen Smith <eallensmith at ocelot.rutgers.edu> wrote: (> Bryce wrote:) > >1. Acceptable digital signature upon the "bet statement" > >from each bettor. (Note that PGP signatures from PGP key > >pairs which are not connected to me via the Web of Trust, or > >which are not verifiable by me via an out-of-band > >connection, are not acceptable digital signatures. This is > >because of the MITM attack problem, not because I need True > >Names to be connected to the signatures.) > > IIRC, currently Black Unicorn doesn't have any signatures on > his public key of others. Therefore, this requirement, while understandable, > could cause a bit of a difficulty in the current situation. Hm. This is a toughie. For one it would help if Black Unicorn had a "pseudonym keysignature" from someone who had a Web O Trust link to me. This would make me more certain that a hypothetical man in the middle between me and the rest of you wasn't able to impersonate Black Unicorn. Of course, such a MITM could still impersonate Black Unicorn by being between Uni and the rest of us. It would help if Uni made a habit of publishing his true public key via various difficult-to-intercept channels, but of course we can't _know_ whether Uni is doing that or not in any case. Yeah, it's hard to gain trust in the absence of a Mitch (a.k.a. MITM) between Uni and us. It is feasible, for my purposes, though. We could tie Uni's ostensible pubkey to the Web of Trust. We could assume that Uni is resourceful enough to publish his own pubkey via difficult-to-intercept channels, to check his own pubkey, and to broadcast a warning if any active attack is detected. Then as time passed we could gain trust in the lack of an active attack on that pubkey. Currently neither the first (add key to WoT) nor the second (believe that Uni is actively trying to propagate/check his key) step is working... Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYORSEjbHy8sKZitAQGXkAMAvU13aY2pzagOtSoYSomvO2tYzZBNZzUw 4Ke8a4tprEOP7r+nkXLH0EJgDEG4OSBzj3FmpxJ6OrMnsb/qDo0vXfI/GlIal0/j J2z+LxOQvoSOMRKvydZUA/8Wc64+gKYH =x3Nm -----END PGP SIGNATURE----- From hoz at univel.telescan.com Sun Apr 28 13:55:06 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Mon, 29 Apr 1996 04:55:06 +0800 Subject: Book: The President's Eyes Only Message-ID: <199604281408.HAA09274@toad.com> I just finished reading "For the President's Eyes Only", a book by Christopher Andrew. It describes the uses that US presidents have made of intelligence and intelligence organizations, from George Washington to George Bush. What caught my eye first was a quotation by David Kahn that says: "This is the most important book ever written about American intelligence." The cypherpunks relevance (Besides the David Kahn quote) is the frequent mention of NSA decrypts and SIGINT. The frequency that nations and individuals have used (and apparently continue to use) breakable encryption is incredible. The intelligence that has been derived by breaking them is worth a great deal, in dollars and maybe lives. This book has made me understand a bit, why a government might try to limit strong cryptography. I suppose I tended to look upon ITAR restrictions on cryptography as a sign of a power-hungry, self-agrandizing, government that has lost track of the fact that its legitimacy depends on protecting the blessings of liberty for its citizens. That's partly true, but there's more to it than that. After reading "For the President's Eyes Only", I can understand that many in government believe that they are protecting the public by outlawing cryptography. After careful reconsideration, I still believe in strong free crypto, but it made me think very hard. I think that some on this list and in sci.crypt should be ashamed of their ad hominem attacks in an area where reasonable people disagree. The crypto-game is being played "for keeps". Someday, all crypto may be too strong to break, but for right now, many "bad guys" (and whatever your philosophy, I bet you can find some) use weak crypto, and this allows the US Govt. to know more about what goes on in the world. As long as Uncle Sam keeps his finger on a nuclear trigger, I can see a strong case that knowing what he's doing and not getting too surprised are (mostly) good things. There will be a price to pay when everyone uses strong crypto. There will be great benefits derived, as well. It will be very expensive, but worth it. If we want to make it happen sooner, we should understand (and respect) our opponents in this debate. Rick F. Hoselton (who doesn't claim to present opinions for others) From markm at voicenet.com Sun Apr 28 14:05:41 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 29 Apr 1996 05:05:41 +0800 Subject: WWW Proxies? Message-ID: <Pine.LNX.3.93.960428123832.212A-100000@gak> -----BEGIN PGP SIGNED MESSAGE----- On 27 Apr 1996, Ryan Russell/SYBASE wrote: > We use CERN proxies, as well as general purpose proxies, > which effectivly narrows it down to someone within my company. > > But, that only masks the IP address. My impression was that > most browsers hand out enough info about you at the application > layer that it does little good to mask the IP address. At least for > privacy purposes...address translation is a great firewall > model, IMHO. There are anonymous web proxies that remove the headers sent with the HTTP request. This way, it is impossible to track down the user without doing some sort of active monitoring of connections to the proxy. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMYLrg7Zc+sv5siulAQH2OQP9EeKgA0L8ApKBd6D0EsgrsisgldIim7nY GFAPDZqde7wXI09Am5mSTcUOlGYojXiV6lxxB/UZ/Dq/7Q2ZaahhF+gPefnRKLtb VmHMK2mkkJB76OhUvMDC69FYg5IoZTe2yBhnYpaglu1oqK1DVSNMJTKKt27KPsWj lGCoDjdIKg8= =zk1P -----END PGP SIGNATURE----- From bryce at digicash.com Sun Apr 28 14:09:50 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Mon, 29 Apr 1996 05:09:50 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <Pine.SUN.3.93.960425030044.3252P-100000@polaris.mindport.net> Message-ID: <199604281543.RAA11268@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Black Unicorn <unicorn at schloss.li> wrote: (> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) > > IIRC, currently Black Unicorn doesn't have any signatures on > > his public key of others. Therefore, this requirement, while understandable, > > could cause a bit of a difficulty in the current situation. > > Please obtain a copy of my current key by finger. Oh please. My respect for Uni's acumen just decremented a couple of notches. A 2048-bit key, and no signatures? Rather like a front door with welded plate armor and an open window, no? Let's talk more off-list... Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYOSHkjbHy8sKZitAQGCdgL+J7TWOfx0izYITDa3UlXFP68k5DfAFrlb FWR3NP10/eqDDr/6guzse4Slp0SoCT49uVsy4kiZvwOT6uUIOv1DhobrUjHJMF1T LmNlAAPnAYK/NfwmZNQAX6NRbLPxd66o =EUxl -----END PGP SIGNATURE----- From bryce at digicash.com Sun Apr 28 14:26:58 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Mon, 29 Apr 1996 05:26:58 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <Pine.SUN.3.93.960425030044.3252P-100000@polaris.mindport.net> Message-ID: <199604281556.RAA11900@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Ya gotta get yourself connected, as the Stereo MC's said. Unfortunately I can't see anyway to gain trust in this pseudonym since I don't believe that the ostensible owner, name of "Black Unicorn", understands about how to establish a strong pseudonym in the Web O Trust. I mean, I could explain it to him, but not even counting the difficulties of communicating such complex concepts among humans, there is the fact that if Mitch is here, he can prevent the real Uni from seeing the explanation, and he can act in Black Uni's place as if he understands. Then he can go through the necessary steps to increase our trust in his pubkey, as if Uni were going through them. There would be only one problem for Mitch: there would be some knowledge shared by the facade Uni and the rest of us that was not shared by the real Uni and the rest of us. Forever into the future whenever this knowledge came up in conversation Mitch would have to break automated-active-attack mode and go into acting mode to prevent us from realizing that we remembered history differently. Wouldn't be cool if we could somehow make much of our conversation depend on that shared memory in some non-automatible way? Then we could just recurse, making more and more of the conversation depend on previous conversation in a non-automatible way. Eventually all of our conversation would have to be acted by a human MITM instead of just falsely digitally authenticated by an automated MITM... more later, Bryce P.S. - -----BEGIN PGP MESSAGE----- Version: 2.6.2i hQEMAy1onm9OaF05AQf8D+nK6n4pobVlbL04r/un3dwxbOlCW/C5Iu8a//Wiu49B +ExkmlqK04cJbyF17N5F+j628RncYTyohUXvYPC0UtQPWWV3bj2euxFyzr8d40Cn W0mKGI4/6W29RYXwEn/3g+g+2sJt/HCIG1/RnhbcOCubJIQRYIY/7srmuiahLVob a1bKxd5Zp1JRHHmEPvFrpzz/TuiUKf4JGczcrhMYlt3q1fFsB4cW2inA9ymHdHZS OPiO+9au67fsv0YlF8qGoqEgeKuyX/pZUs1knntH7IFkjCziD0EeaTg+wvs5veJY fpJdTcCES0tuqFD+4WM1CV0Ad8mPLOGDsxF2vBMOuaYAAADVYpDriBhb5KIQJsTG M9957b/XTA7T2mq+sPsYd8ivoVgQqgiVYcJzpd0K5oqJTlsNpKzN23R2cfS4EGqV Xg3KNZqMSpA+u7Lx5OgZaeG0qaSpAtPxX7z6IZQL71YGjaoqNBaZHpuPdRIiic2g jfaX3DBBndue1801fQsahyqUqw2H/AeEVC7aJVlN9L/h7f85EIeIrLFPkl09uM9s XqalftyF90SAvynSVv+zVoAhvSETtTwecryM9sbpqQiDnYYw3zDsCK/cTOAcjtYo c68y2eyNPG8p =5LFk - -----END PGP MESSAGE----- EALLENSMITH could have been included in the encryption but I couldn't find a PGP key for him. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYOVIEjbHy8sKZitAQGl0wMAoLEe5xqPMs9J2vclqbmN2QNCyXk4l3qH g4TUVepq1gMlXXJ4w2Xae/XxsX7Ytu5aeNlkcUsLUgjtkAm63WAaJszgQGtLwqTI poZ4wfv7DMZC0n9lXsfacrBtIaJCKLTj =2e1i -----END PGP SIGNATURE----- Replied: Sun, 28 Apr 1996 17:43:29 +0200 Replied: Black Unicorn <unicorn at schloss.li> Replied: "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> Replied: cypherpunks at toad.com Return-Path: unicorn at schloss.li Received: from polaris.mindport.net (polaris.mindport.net [205.219.167.2]) by digicash.com (8.6.11/8.6.10) with ESMTP id JAA11303 for <bryce at digicash.com>; Thu, 25 Apr 1996 09:02:23 +0200 Received: from localhost (unicorn at localhost) by polaris.mindport.net (8.6.12/8.6.12) with SMTP id DAA03059; Thu, 25 Apr 1996 03:01:57 -0400 Posted-Date: Thu, 25 Apr 1996 03:01:57 -0400 Date: Thu, 25 Apr 1996 03:01:56 -0400 (EDT) From: Black Unicorn <unicorn at schloss.li> X-Sender: unicorn at polaris.mindport.net To: "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> cc: bryce at digicash.com, cypherpunks at toad.com Subject: Re: arbiter/escrow agent for hire In-Reply-To: <01I3X9N6RA1W8Y50LP at mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.93.960425030044.3252P-100000 at polaris.mindport.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Wed, 24 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"bryce at digicash.com" 24-APR-1996 10:05:20.14 > > >1. Acceptable digital signature upon the "bet statement" > >from each bettor. (Note that PGP signatures from PGP key > >pairs which are not connected to me via the Web of Trust, or > >which are not verifiable by me via an out-of-band > >connection, are not acceptable digital signatures. This is > >because of the MITM attack problem, not because I need True > >Names to be connected to the signatures.) > > IIRC, currently Black Unicorn doesn't have any signatures on > his public key of others. Therefore, this requirement, while understandable, > could cause a bit of a difficulty in the current situation. Please obtain a copy of my current key by finger. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jlasser at rwd.goucher.edu Sun Apr 28 14:44:44 1996 From: jlasser at rwd.goucher.edu (Moltar Ramone) Date: Mon, 29 Apr 1996 05:44:44 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.GUL.3.93.960427162243.9454C-100000@Networking.Stanford.EDU> Message-ID: <Pine.SUN.3.91.960428123816.8031A-100000@rwd.goucher.edu> On Sat, 27 Apr 1996, Rich Graves wrote: > Some of the things a valid signature from Jack the Ripper means: [ ... ] > 4. If I'm not Jack the Ripper, I can say "That wasn't me." Aaaah... you can say it, but there's no way to prove it... anyone can still be anyone without persistent ID of some sort. some people would want this to be your True Name. (I'm not agreeing with this... but you can't prove you're _not_ a Nym. Jim Bell has claimed (well, implied that he believes, although he hasn't outright claimed) that I'm L.D. and/or Black Unicorn. There's no way I can prove I'm not one of them without demonstrating who they are. Which I can't do just by signing Java code... Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From roy at sendai.cybrspc.mn.org Sun Apr 28 15:50:31 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Mon, 29 Apr 1996 06:50:31 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <199604281556.RAA11900@digicash.com> Message-ID: <960428.121408.2z7.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, bryce at digicash.com writes: > Unfortunately I can't see anyway to gain trust in this > pseudonym since I don't believe that the ostensible owner, > name of "Black Unicorn", understands about how to establish > a strong pseudonym in the Web O Trust. [12:09] 1 [c:\grab]:sendai# pgp -kvv unicorn at schloss.li Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses. (c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software. 11 Oct 94 Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Distributed by the Massachusetts Institute of Technology. Export of this software may be restricted by the U.S. government. Current time: 1996/04/28 17:10 GMT Key ring: 'c:\glyph\pubring.pgp', looking for user ID "unicorn at schloss.li". Type bits/keyID Date User ID pub 2048/4E685D39 1995/03/26 Black Unicorn <unicorn at schloss.li> sig 5AC7B865 (Unknown signator, can't be checked) sig DCB75233 Sandy Sandfort <SSANDFORT at ATTMAIL.COM> sig 4E685D39 Black Unicorn <unicorn at schloss.li> 1 matching key found. Looks like a good start to me. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYOnwBvikii9febJAQHafQP9HY9bjBIBqlPg9NT+/K6kpcYwvJkJGhrF NYqwwYPSJqHwCVs+BPnPrdvjPR/rkSqyBeKx2QNOF84HpZmAXn/URQ064DRI0Gug w7VlotuuGfa8HMS/MQwOMDEu42jQJuDpQsibwkWeCvy8IZrgpjsyl86w2lKd1Gjf GymvDoJ7j7U= =DYms -----END PGP SIGNATURE----- From jimbell at pacifier.com Sun Apr 28 16:24:21 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Apr 1996 07:24:21 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <m0uDagf-00093GC@pacifier.com> At 08:21 AM 4/28/96 -0400, mkj at october.segno.com wrote: >Sandy Sandfort wrote: >> Income tax is the Godzilla of taxes. It is THE TAX when it comes >> to the US. (Perhaps VAT has a similar status elsewhere, but both, >> as pointed out, are subject to crypto-anarchistic subversion.) >> >> > ...taxes existed, and governments sustained themselves perfectly >> > well, long before these systems arose. >> >> But at nowhere near the voracious levels of modern states. > >This is a point I hadn't considered. If the govt doesn't know where >most of the money is, they can't "harvest" it nearly as efficiently. >Although they will almost certainly try to extract as much as possible >from the poor, you can't get blood from a stone. Hence the size of >current governments will undoubtedly have to shrink. >Most other arguments put forth so far in this thread, about how people >"won't stand for" certain government behaviors and so forth, I don't >find convincing. Modern military technologies, especially in the >U.S., make the prospects of a sucessful popular uprising dubious. Then you obviously haven't read the essay (AP) I sent you yesterday. "Military technologies" only work effectively against a military target. Kill civilians and you just make other civilians angry. At that point they'll be look for a weapon that "military technologies" cannot effectively oppose. That weapon is already known to be possible. Quite the contrary, I think that a "successful popular uprising" will require only a very small investment in time and money, in which some of they key players in government are targeted and the prospect exists for easily and cheaply getting the rest. At that point they will resign in droves. > >When you cut off someone's air supply, even the nicest, gentlest >person will go into an unrestrained, murderous frenzy. I expect >something similar will happen to even the most "civilized" governments >within the next few years, as popular crypto begins to cut off their >money supply. As I see it, only those relatively few citizens who can >afford to flee will dare to resist. Please read the essay. I think it may enlighten you. Even with "conventional" analysis, there is no reason to believe that governement will be able to avoid shrinking. Aside from making it easier to avoid taxation, the vast increase in information communicated by the Internet is taking a huge amount of power away from the traditional media, and the media is (despite the illusion they want you to believe!) the main backer of the government in most cases. In addition, this information flow is making it ever more difficult to pass abusive laws; if the government does something stupid in the morning, by noon they are being flooded with faxes and emails. And the whole concept of having a "governement" tends to be based on the assumption that people are incapable of making decisions for themselves. That's an increasingly unrealistic position. Government feeds on its own size; once government is dramatically reduced below its current size, it will become even less able to resist further contraction. Probably few government employees realize this. Jim Bell jimbell at pacifier.com From brucem at wichita.fn.net Sun Apr 28 16:57:52 1996 From: brucem at wichita.fn.net (Bruce Marshall) Date: Mon, 29 Apr 1996 07:57:52 +0800 Subject: trusting the processor chip In-Reply-To: <Pine.3.89.9604261948.A21433-0100000@netcom9> Message-ID: <Pine.BSI.3.91.960428141110.9821A-100000@wichita.fn.net> On Fri, 26 Apr 1996, Zach Babayco wrote: > Actually, the report said that the NSA had made chips with a virus on > them, and that it supposedly knocked out some of their computers. I > think it was U.S. World & News that ran the story as fact, and stood by > it even when it was proven to be false. Makes you wonder if the media > bothers to do any fact-checking when reporting, especially when reporting > on computer topics these days. Fact-checking often takes second priority to releasing "ground breaking" news. BTW, I stil have the original article that appeared about the NSA's alleged chip swap operation. Bruce Marshall From llurch at networking.stanford.edu Sun Apr 28 17:45:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 08:45:45 +0800 Subject: Proving that you're not a nym [was Re: Mindshare and Java] In-Reply-To: <Pine.SUN.3.91.960428123816.8031A-100000@rwd.goucher.edu> Message-ID: <Pine.GUL.3.93.960428114931.13032D-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, Moltar Ramone wrote: > > 4. If I'm not Jack the Ripper, I can say "That wasn't me." > > Aaaah... you can say it, but there's no way to prove it... > > anyone can still be anyone without persistent ID of some sort. > > some people would want this to be your True Name. > > (I'm not agreeing with this... but you can't prove you're _not_ a Nym. > Jim Bell has claimed (well, implied that he believes, although he hasn't > outright claimed) that I'm L.D. and/or Black Unicorn. > > There's no way I can prove I'm not one of them without demonstrating who > they are. Which I can't do just by signing Java code... Yes, of course there's the caveat "without demonstrating who they are." I am stupid, but not THAT stupid. Though on second thought... you can, through the web of trust. If a mutually trusted signator who has signed keys for both A and B solemnly swears that they are different people, then that should be sufficent proof for me. I am under no illusion that PGP signatures are exclusive as to identity, but if a mutually trusted signator made such a statement in addition to signing the keys, I would accept it. In this specific case, no, there is nothing you can do to prove that you're not the Unicorn of Color, because there are no signatures on his or her key. In addition, in some sense, the different nyms of one person ARE different people. They can certainly have different reputations. A signature from 0xCCE7B49D, rich at c2.org, means something different than a signature from 0x189D1595, win-request at metrics.com, the moderator of comp.os.ms-windows.announce, which at the moment is me. If I get code signed by "Bill Gates, speaking for Microsoft," I may treat it differently than code signed by "Bill Gates, not speaking for his employer." -rich From cp at proust.suba.com Sun Apr 28 18:22:23 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 29 Apr 1996 09:22:23 +0800 Subject: The Joy of Java In-Reply-To: <199604280704.DAA06780@jekyll.piermont.com> Message-ID: <199604281940.OAA01010@proust.suba.com> >From the begining of the Java discussion on this list, Perry has been predicting that a continuous series of security holes would be discovered in Java implementations. So far he's been proven right. I like Java -- I'm not a professional programmer, and Java is a lot easier for me to work with than C++. And I can buy the argument that for many people the benefits of applets will outweigh the security risks. I'm willing to run sendmail, and I'm willing to run Java as well. I'm not working in a finance house, and there's not anything that sensitive on my machine. It also seems likely to me that Java secure mail applets and remailer clients will do a lot of good from a cypherpunk point of view. Java looks like it's going to put easy to use gui crypto tools within reach of everyone with a web browser. So I'd like to see Java catch on, as long as users are allowed to make informed decisions about the risks and the benefits of running applets. But Perry has a track record on this issue (and on many other issues as well). I don't think many people here are going dismiss what he's saying because someone called him a food fighter. From unicorn at schloss.li Sun Apr 28 18:30:09 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 09:30:09 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <199604281556.RAA11900@digicash.com> Message-ID: <Pine.SUN.3.93.960428162347.12806D-100000@polaris.mindport.net> On Sun, 28 Apr 1996 bryce at digicash.com wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Ya gotta get yourself connected, as the Stereo MC's said. > > > Unfortunately I can't see anyway to gain trust in this > pseudonym since I don't believe that the ostensible owner, > name of "Black Unicorn", understands about how to establish > a strong pseudonym in the Web O Trust. (Sigh). I'll say it yet a third time. Get a current copy of my key which is signed by at least three people on the web of trust. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun Apr 28 18:41:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 09:41:20 +0800 Subject: www.WhoWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.GUL.3.93.960427214213.9901G-100000@Networking.Stanford.EDU> Message-ID: <Pine.SUN.3.93.960428161156.12806A-100000@polaris.mindport.net> On Sat, 27 Apr 1996, Rich Graves wrote: > On Sat, 27 Apr 1996, Black Unicorn wrote: > > [Unicorn of Color:] > > I think you took my comment in a smaller scope than it was intended. > > > > Use a nym. If you want absolute privacy, work and study under a nym. > > It's hardly difficult, you just have to start early. > > I disagree that it's "hardly difficult" for most normal people. There are > bits and pieces of helpful information around, but they tend to be in > tax-protester-type rags that also contain a lot of loony stuff guaranteed > to land you in jail. And many of them are just snake oil scams themselves. > You know the difference, but I'm only starting to learn to, and Joe Schmo > hasn't a chance. It's an informational issue, not a logistical problem. This much is true. But think of it this way. Joe Blow's house burns down, taking with it all his documentation. Even Joe Blow has to be able to replace it all even with no credentials. So what makes you and Joe Blow distinct when you're standing in line to get those credentials? That should give you some idea of the (lack of) difficulty. > > Anyway, I can't work for an organization like Stanford University without > a real name and Social Security number. I challenge this assumption. > In theory, I suppose, that real > name and Social Security number don't need to be the only ones I have. Precisely. > > Depending on someone else (university, employer, government, > > phonecompany etc.) to protect data for you is, in my view, foolish. > > In this case, I am the "someone else." How do I behave responsibly when I > have thousands of people coming in every Fall with no clue about privacy > issues? [...] > It was an uphill battle just to delink identity, location, and DNS > registration. It used to be that you could pinpoint a student's name, > address, and telephone number by their personal computer's static IP > address. They weren't even told that this was possible. On yesterday's > lovey-dovey research/educational Internet where everybody trusted > everybody else, it was just more efficient for troubleshooters and system > administrators to know where everybody was. Now, it's a scarier world, and > we all know that, but it's tough convincing people to change a system that > works. I applaud your efforts, but the 'one good administrator' can only do so much. In the end if people want privacy they have to work for it themselves. The goal in my view is to promote an atmosphere where that kind of self-insurance is possible, not one that puts the responsibility in the hands of government, or the system administrator. > My personal choice has been (near-) complete openness, because I > ironically feel more secure if it is trivial for certain very specific > nutcases to verify that I pose no threat to them. I do not wish my enemies > to be paranoid. Paranoid people break things. The nice thing about paranoids, and other privacy invaders, is that when they have an answer to a question they usually stop looking. Provide them with an answer. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From snow at crash.suba.com Sun Apr 28 18:49:31 1996 From: snow at crash.suba.com (Snow) Date: Mon, 29 Apr 1996 09:49:31 +0800 Subject: trusting the processor chip In-Reply-To: <m0uDEIm-00093vC@pacifier.com> Message-ID: <Pine.LNX.3.91.960428150426.2054A-100000@crash.suba.com> I realize that when one argues with a fool, no one can tell the difference, but as the dumbest person on the list, I figure I can learn from just about anyone here. Not that I am calling Mr. Bell a fool. On Sat, 27 Apr 1996, jim bell wrote: > At 12:25 AM 4/27/96 -0500, Snow wrote: > >On Thu, 25 Apr 1996, jim bell wrote: > >> product is subverted. More likely,I think, an organization like the NSA > > I thought that most (all?) chips already radiated on the > >electromagnetic spectrum? Isn't that what tempest is about? > There's a difference between trying to find a needle in a haystack, and > finding a day-glo, red-hot needle that plays music at 110 decibels in that <snip> > The best place to put such a chip would be a location outside the computer's > relatively small number of different designs. I still maintain that this would be less feasible than either: a) Tempest. Why bother resubverting each new processor (think about it, Which processor? Intel (all variants) Motorola (all variants), Digital (Alpha) etc. When it would be easier (It seems to me at least) to develop a system that _can_ find that needle in a hay stack, and simply develop translators for each kind of chip (which could be done in software I'd think) to show what the chip is doing. b) physcailly compromising the work enviroment so that you see what the person is typing as well as what is on the screen. As well as get Voice etc. c) This I just thought of, and is kind of a hybrid of Mr. Bells idea and a tempest style attack, it isn't thought through real well, but I _think_ it would work. Each processor would emit on a certain band, so you build a "repeater" that takes that band, encodes it, steps it to a different band and retrans it. This device probably could be made small enough to fit _easily_ inside a case, and draw very little power (the transmitting distance would not need to very far) and since most people never open their cases, it would be fairly safe from detection. It could even be designed to piggyback on common device interface cards (parallel/serial cards, Video cards) so that even if one _did_ open ones case you probably wouldn't notice. All that this would entail _after_ development would be a simple B&E. This wouldn't solve the problem of decoding, but it heats the needle, and makes it sound off at many times less cost than subverting the chip. Petro, Christopher C. petro at suba.com <prefered> snow at crash.suba.com From unicorn at schloss.li Sun Apr 28 19:20:44 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 10:20:44 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604281221.AA01603@october.segno.com> Message-ID: <Pine.SUN.3.93.960428163305.12806E-100000@polaris.mindport.net> On Sun, 28 Apr 1996 mkj at october.segno.com wrote: [...] > Most other arguments put forth so far in this thread, about how people > "won't stand for" certain government behaviors and so forth, I don't > find convincing. Modern military technologies, especially in the > U.S., make the prospects of a sucessful popular uprising dubious. C.f., Chechnya, Afghanistan, Vietnam, Columbia. See Also Generally, various and numerous publications on the successes of low and medium intensity conflict campaigns against modern armies. (Note that I don't think it will come to this in the United States, but your assumption is a faulty one). --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Sun Apr 28 19:33:56 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 10:33:56 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <199604281543.RAA11268@digicash.com> Message-ID: <Pine.SUN.3.93.960428162112.12806C-100000@polaris.mindport.net> On Sun, 28 Apr 1996 bryce at digicash.com wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Black Unicorn <unicorn at schloss.li> wrote: > (> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) > > > IIRC, currently Black Unicorn doesn't have any signatures on > > > his public key of others. Therefore, this requirement, while understandable, > > > could cause a bit of a difficulty in the current situation. > > > > Please obtain a copy of my current key by finger. > > > Oh please. My respect for Uni's acumen just decremented a > couple of notches. A 2048-bit key, and no signatures? > Rather like a front door with welded plate armor and an open > window, no? My key is hardly signatureless. Please obtain a current copy. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From s1113645 at tesla.cc.uottawa.ca Sun Apr 28 19:41:41 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 29 Apr 1996 10:41:41 +0800 Subject: Book: The President's Eyes Only In-Reply-To: <199604281408.HAA09274@toad.com> Message-ID: <Pine.3.89.9604281636.A30261-0100000@tesla.cc.uottawa.ca> On Sun, 28 Apr 1996, rick hoselton wrote: > The crypto-game is being played "for keeps". Someday, all crypto > may be too strong to break, but for right now, many "bad guys" > (and whatever your philosophy, I bet you can find some) use weak > crypto, and this allows the US Govt. to know more about what goes But then, most of these tend to be either governments far more vulnerable to citizen crypto than USG or organized crime groups (the results of black markets, and guess who makes them black?). And terrorists a la Hezb'Allah or the IRA are just mafias that do high-impact marketing. [Sorry to give the standard doctrinaire canned response, but then it's the standard unconvincing threat.] > on in the world. As long as Uncle Sam keeps his finger on a nuclear > trigger, I can see a strong case that knowing what he's doing and > not getting too surprised are (mostly) good things. Do you mean him knowing what he's doing or us knowing? ;-) Thanks for the book reference. I'll go grab it. From jamesd at echeque.com Sun Apr 28 19:46:55 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 29 Apr 1996 10:46:55 +0800 Subject: code vs cypher Message-ID: <199604282111.OAA25863@dns1.noc.best.net> At 01:41 AM 4/28/96 -0700, Rich Graves wrote: > I'm learning how to resist being trolled -- Michael > Loomis's laughable "Rich Graves, Holocaust fetishist" was a good test), I believe Rich Loomis was referring to the fact that this is cypherpunks not holocaust punks. You continually bring up this irrelevant topic whenever someone complains about your egregious statism on other issues: We are sick to the back teeth with hearing what a good guy you have been on Nazism and the holocaust. We do not give a shit. We gave a shit the first time, but we are up to about the hundredth time and counting. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Sun Apr 28 19:49:59 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 29 Apr 1996 10:49:59 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <199604282111.OAA25859@dns1.noc.best.net> At 08:21 AM 4/28/96 -0400, mkj at october.segno.com wrote: > Modern military technologies, especially in the > U.S., make the prospects of a sucessful popular uprising dubious. By this argument the Soviet Empire could never fall. Governments are rarely overthrown. Rather, they collapse. Governments continually struggle to maintain cohesion. Sometimes they fail. They do not naturally have cohesion. A government is not naturally a single thing, not an entity by nature, the way a person is an entity by nature. > When you cut off someone's air supply, even the nicest, gentlest > person will go into an unrestrained, murderous frenzy. I expect > something similar will happen to even the most "civilized" governments > within the next few years, as popular crypto begins to cut off their > money supply. False on two counts: First "frenzy" is exactly the opposite of what the government needs to stay in one piece, to continue to be a government. Secondly, when you cut of someones air supply, they do not necessarily defend themselves. I think I may have reported in cypherpunks my little experiment in Cuba when I cut off a cop's air supply, to test my hypothesis that even the cuban cops have a slave mentality. People frequently fail to defend themselves, when suitably intimidated, and this is basically what governments rely upon. If governments have to start pulling guns all the time, they will fall. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From s1113645 at tesla.cc.uottawa.ca Sun Apr 28 19:58:02 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 29 Apr 1996 10:58:02 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <199604281221.AA01603@october.segno.com> Message-ID: <Pine.3.89.9604281554.A30287-0100000@tesla.cc.uottawa.ca> One of these days I'm going to learn the art of succint writing. On Sun, 28 Apr 1996 mkj at october.segno.com wrote: > Which brings us to the "flight of capital" issue. Will nations be > able to compete freely for the loyalty of the rich? Or will the most > powerful nations form effective coalitions, and perhaps simply bomb > "rogue" nations into the stone age? I don't think the rich are really the issue. From what Sandy, Black Unicorn and others write, it looks like those of the rich who are self-employed already play these shell games to a certain extent and a certain amount competition and thumb-screwing already happens. What is interesting is how it applies to the middle-class, where most of the tax-base is. Imagine a world where for cost reasons most offices are VR constructs (a la Snow Crash and all the others) run over the net. Assume that for privacy reasons, nobody in their right minds goes without crypto since any cracker could literally be recording their whole lives. (And assume that this gets built into all the software or the users scream murder as hard as we did when Netscape's CEO looked like he was waffling on GAK.) Assume that some enterprising jurisdictions find some *reliable* means of automating entity creation and use of all the offshore services (creation of companies, trusts, doing financial transactions...) and offer a standard API to these services, making the whole game a commodity and as easy to access as downloading Netscape. Assume that somehow secure pseudonymous financial markets can be created. (Big if, but also big profits) Also assume very low transaction fees as a result. The result of this might be that the netshore economy might actually have lower overhead and an easier interface to its users than the physical world version. If people's easiest intro to economics and the job market is such a simple anarchy and the place where they get most of their entertainment, education and generally spend most of their lives is such an impossible to regulate environment, what do you think this bodes for state control? Or people's desire for it? There is no teacher like experience. Many of us have found it safer to use a pseudonym, sometimes even to save ourselves from occasional embarassment when saying stupid things (nevermind privacy from altavista and whowhere). I think it is natural for people to want such things, especially in a VR environment when anyone can watch you. I assume that in this the cypherpunks, roleplayers, MUD players, political writers and BBSers are not radical but merely slightly ahead of the curve. It is also not a coincidence that pseudonymity keeps getting reinvented in new environments. Basic human need. These games have all been possible for quite some time in the offshore market and seem far more developped. I've read that there are as many registered corporations in the Cayman Islands as there are inhabitants. It might actually be less of a hassle to conduct your business as a corporation than as a individual. Even here in high-tax Canada there are nifty tax benefits (I'm told). Foreign jurisdictions might also be easier to deal with as a corporation (do you *really* want the Chinese government to know that you're doing business with their people? Do you want to get on Saudi Arabia's blacklist?) How do you think most people will act when they learn that just by putting on their glasses they could enter a tax-free jurisdiction with perfect privacy? THIS meme does travel. Now many here think that unless we get chaumian ecash Real Soon Now, none of this will happen. I submit that there will be far more demand for it in the years to come than right now. Anonymous ecash is still several years ahead of its mass-market time. I don't see how in the absence of GAK or any other mandated ID scheme that it will be any easier to stop it (maybe you do). And market share? How can VISA and Microsoft compete against something that lets you save on taxes (why compete *against* it when you can be part of it?). Marketing this is a no-brainer. The only extra expense I can see is that if you're large enough, you might need more accountants to help with your double-booking. (Though maybe you could fire them all if the system is done right) Finally, how will you regulate disputes? Last week we had just this problem. Now imagine how these things will be resolved when real money is involved and force cannot be applied. Arbitration is already "in" in the real world... It's much faster than the average court. What do you think will happen when enough people get exposed to that? Arbitration negotiators (lawyers) might be quite cheaper than real lawyers, after all there's less rules to learn (probably standardized and commoditized) and a global market of them (competition!). Markets can also be set up for transferable lawsuits with greater ease... In sum we're talking about the age of the global small business. As long as you're in the service industry, and you don't deal with physical goods, even if a only few of these things happen, life will be interesting. Ps. Micheal Froomkin disagrees with this. How for example will you escape having your house seized, how will you convince a large institution like his university to pay you as a longterm contractor...? I may be unrealistic, but judging from what is happening to university funding in this country, the increased number of for-credit university courses done by video or TV (Carleton U does 'em), the increased demand for knowledge workers and the increase in small specialty colleges, I'd say he might dean of the www.law.anguila.edu online law school sooner than he thinks. And as for his house, getting "payment" from your "employer" (trust fund/company) only for your expenses is already quite possible and (so it's been said around here) seemingly legal (IANAL!) He might even rent it from some odd offshore real estate company (himself). The only difference compared to now is that it might eventually become alot easier. Thinking of setting up your own universities, folks? From mpd at netcom.com Sun Apr 28 20:22:50 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 29 Apr 1996 11:22:50 +0800 Subject: The Joy of Java In-Reply-To: <199604281940.OAA01010@proust.suba.com> Message-ID: <199604282116.OAA28028@netcom15.netcom.com> Alex Strasheim <cp at proust.suba.com> writes: > I like Java -- I'm not a professional programmer, and Java > is a lot easier for me to work with than C++. And I can buy > the argument that for many people the benefits of applets > will outweigh the security risks. I hope everyone here realizes that Java is not just about Applets. Applets are simply one of many abstract classes in Java, suitable for further refinement into things that get plugged into Web pages. Java itself is a full-blown programming language, like C or C++, with command line processing conventions, runtime libraries, and all the other amenities of procedure-oriented programming languages. You can write anything you want in Java, and execute the program at a shell prompt by simply typing its name followed by some arguments. (Perhaps you might have to alias "name" to "java name", but you get the general idea) While the security issues being discussed are indeed important for Applets, where untrusted code from God-knows-where comes into intimate contact with the program visible decor of ones platform, they are less important when Java is used as an ordinary programming language, in order to take advantage of its platform-independence and incorruptable run-time structure. Again, this is not directed at Alex or anyone else specifically, but some of the messages I have read here recently have given the distinct impression that people are thinking of Java as a language solely for writing Applets, as opposed to something more general and a bullet-proof replacement for C++ and C. I think we'll be seeing a lot of things written in Java in the future. A good first start would be a set of Daemons for Unix which run on any platform and are totally immune to the buffer-overrun type holes which permit people to easily break into systems. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From grafolog at netcom.com Sun Apr 28 20:25:30 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 29 Apr 1996 11:25:30 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <m0uDagf-00093GC@pacifier.com> Message-ID: <Pine.3.89.9604282013.A25461-0100000@netcom4> Jim: On Sun, 28 Apr 1996, jim bell wrote: > Government feeds on its own size; once government is dramatically reduced > below its current size, it will become even less able to resist further The only true part of this paragraph is that government feeds on its own size. > contraction. Probably few government employees realize this. What was the name of that government department that was created to obtain and store Helium for the US dirigible fleet? And just how recently was it abolished. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From asgaard at sos.sll.se Sun Apr 28 20:35:34 1996 From: asgaard at sos.sll.se (Asgaard) Date: Mon, 29 Apr 1996 11:35:34 +0800 Subject: Cell Kill 2 In-Reply-To: <199604280339.XAA07392@pipe2.nyc.pipeline.com> Message-ID: <Pine.HPP.3.91.960428210130.10419A-100000@cor.sos.sll.se> >On April 21, two Russian laser-guided missiles >reportedly zeroed in on the cellular phone of Dzhokhar ******** -------------- >he spoke to a Russian parliamentarian on a satellite phone. ********* Now, more interesting than whom he was talking to (who could be a completely unknowing party to the events) is the issue of what kind of phone Dudayev was using. I somehow doubt that the area he was operating from has a widely spread out cellular net. And cellular targeting might not be accurate enough for this application of force. It makes more sense if he was using a direct (mobile) phone-satellite device, assuming such devices are emitting a stronger signal that could easily be targeted by AWAC type technology, or even satellites (that they are communicating with in the first place). Coming so soon after it was reported that the US had decided (still) that the war down there is an internal Russian affair, all but giving them a go for a total solution, the possibility of US involvement has to be contemplated. But I guess the Russians might have enough capabilities by themselves to orchestrate a stunt like this. That the involved weaponry was laser guided might be misinformation. Why not microwave signal guided? (I don't know what I'm talking about here, of course. Perhaps satellite phones even implement GPS and just tell where they are??). Asgaard From unicorn at schloss.li Sun Apr 28 20:38:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 11:38:08 +0800 Subject: Proving that you're not a nym [was Re: Mindshare and Java] In-Reply-To: <Pine.GUL.3.93.960428114931.13032D-100000@Networking.Stanford.EDU> Message-ID: <Pine.SUN.3.93.960428175310.19393A-100000@polaris.mindport.net> On Sun, 28 Apr 1996, Rich Graves wrote: > In this specific case, no, there is nothing you can do to prove that > you're not the Unicorn of Color, because there are no signatures on his or > her key. > Would you PLEASE, get your facts straight? Try checking it yourself maybe, instead of assuming this to be true because someone else said so? --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Sun Apr 28 20:45:21 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Apr 1996 11:45:21 +0800 Subject: Mindshare and Java Message-ID: <m0uDdSn-000943C@pacifier.com> At 12:41 PM 4/28/96 -0400, Moltar Ramone wrote: >(I'm not agreeing with this... but you can't prove you're _not_ a Nym. >Jim Bell has claimed (well, implied that he believes, although he hasn't >outright claimed) that I'm L.D. and/or Black Unicorn. I don't recall ever implying this... Could you be more specific? I've noticed a bit of coordination, but is there any more than this? Jim Bell jimbell at pacifier.com From tomw at netscape.com Sun Apr 28 20:51:37 1996 From: tomw at netscape.com (Tom Weinstein) Date: Mon, 29 Apr 1996 11:51:37 +0800 Subject: Mindshare and Java In-Reply-To: <199604272256.PAA02672@netcom20.netcom.com> Message-ID: <3183E853.41C6@netscape.com> Rich Graves wrote: > > Some of the things a valid signature from Jack the Ripper means: > > 1. If it breaks something, I can send Jack the Ripper a bug report, or > a flame, as appropriate. > 2. If I like it, I can send Jack the Ripper money or other form of > good vibes. > 6. I have a way of knowing if Alice or Bob stuck a virus or trojan > into Jack's code. Yep, these are true. > 3. If I am Jack the Ripper, I have a way of proving that the code is > my intellectual property. How do you prove that? If I strip off your signature and sign it myself, how do you know it's yours? > 4. If I'm not Jack the Ripper, I can say "That wasn't me." No you can't. How do I know that Jack isn't a nym of yours? > 5. If I am GNU, I can advertise and "enforce" my copyleft policy. How? -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From steve at edmweb.com Sun Apr 28 21:00:24 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 29 Apr 1996 12:00:24 +0800 Subject: PGP and pseudonyms Message-ID: <Pine.BSF.3.91.960428145038.10410A-100000@kirk.edmweb.com> Suppose someone were using a pseudonym, and had a seperate PGP key for this pseudonym. If this person's secret keyring were stolen, could person=pseudonym be revealed, based on the key ID? Or would it require knowing the passphrase? ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From jimbell at pacifier.com Sun Apr 28 21:02:50 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Apr 1996 12:02:50 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <m0uDeWY-000900C@pacifier.com> At 08:50 PM 4/28/96 +0000, Jonathon Blake wrote: > Jim: > >On Sun, 28 Apr 1996, jim bell wrote: > >> Government feeds on its own size; once government is dramatically reduced >> below its current size, it will become even less able to resist further > > The only true part of this paragraph is that government feeds > on its own size. > >> contraction. Probably few government employees realize this. > > What was the name of that government department that was > created to obtain and store Helium for the US dirigible > fleet? And just how recently was it abolished. I don't see that what you said challenged what I said. For most of this century, government (and in particular, the Federal government) has been on a fast-track to expansion. Only quite recently has this expansion begun to slow. I was referring to contractions to come; not to contractions (if any?) that have occurred in the past. Jim Bell jimbell at pacifier.com From steve at edmweb.com Sun Apr 28 21:08:33 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 29 Apr 1996 12:08:33 +0800 Subject: code vs cypher In-Reply-To: <199604270331.UAA23746@infinity.c2.org> Message-ID: <Pine.BSF.3.91.960428150833.10410B-100000@kirk.edmweb.com> > pm> It is neither elite nor secret. It is fairly high signal to noise. > pm> I think only about one in every fifty or so cypherpunks > pm> messages has any content at all worth mentioning. > > Agreed! I wasn't "invited". I simply requested access and > was quickly welcomed to the list. Hmm... I sent out a "subscribe coderpunks" to majordomo at toad.com three days ago, and I recieved the "your message has been forwarded to the list owner" message, but nothing else. It wouldn't suprise me to find I'm just not 'elite' enough, but I'll wait and see what coderpunks-approval at toad.com has to say. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 21:09:03 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 12:09:03 +0800 Subject: The Joy of Java Message-ID: <01I432H2ATAI8Y53B6@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 27-APR-1996 02:59:17.07 >At 3:57 PM 4/26/96 -0700, Timothy C. May wrote: >>I think the interesting target date to plan for is a year from now. >I said a few months ago that I thought Java would be ready for prime time >in a couple of years. I think we are in complete agreement here. If Java can indeed be reworked to provide proper security (e.g., if Perry's incorrect in this case - everyone's falliable), then how much modifications are likely to be necessary? I'm currently looking at the possibility of learning a modern high-level computer language, and Java looks like one of the more promising options. (I currently know a bit of Applesoft Basic, Quattro Pro Macro language, VAX/VMS .COM file language, and MS-DOS batch file language.) In other words, I'm wondering if it's worth my while to learn Java now, or if I should wait (and possibly learn another language) until the bugs are worked out? Will removing the flaws make it such a different language that learning it now won't be of much use for someone like me? Thanks, -Allen From grafolog at netcom.com Sun Apr 28 21:16:58 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Mon, 29 Apr 1996 12:16:58 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <m0uDeWY-000900C@pacifier.com> Message-ID: <Pine.3.89.9604282226.A2147-0100000@netcom4> Jim: On Sun, 28 Apr 1996, jim bell wrote: > For most of this century, government (and in particular, > the Federal government) has been on a fast-track to expansion. I'm glad you read some history books. > Only quite recently has this expansion begun to slow. I was And even read some current newspapers. > referring to contractions to come; not to contractions (if any?) > that have occurred in the past. But had you learned anything from history, you would have discovered that governments to do not contract in size. The Strategic Helium Reserve was just one contemporary example of how government departments hang around, totally unneeded. xan jonathon grafolog at netcom.com ********************************************************************** * * * Opinions expressed don't necessarily reflect my own views. * * * * There is no way that they can be construed to represent * * any organization's views. * * * ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ftp://ftp.netcom.com/pub/gr/graphology/home.html * * * * OR * * * * http://members.tripod.com/~graphology/index.html * * * *********************************************************************** From sandfort at crl.com Sun Apr 28 21:38:07 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 29 Apr 1996 12:38:07 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <Pine.3.89.9604281554.A30287-0100000@tesla.cc.uottawa.ca> Message-ID: <Pine.SUN.3.91.960428143454.11667B-100000@crl9.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 28 Apr 1996 s1113645 at tesla.cc.uottawa.ca wrote: > I don't think the rich are really the issue. From what Sandy, Black > Unicorn and others write, it looks like those of the rich who are > self-employed already play these shell games to a certain extent and a > certain amount competition and thumb-screwing already happens. > > What is interesting is how it applies to the middle-class, where most of > the tax-base is. [He/She then goes on to write a very well thought out analysis of the ramifications of crypto-anarchy.] It used to be that only the rich owned cars, went on cruises or flew in airplanes. Now almost every person of moderate or even modest means can do all three. The same tread can also be seen in the use of offshore techniques. A couple of generations ago, only multinationals and the super rich could avail themselves of offshore banks, asset protection trust, foreign incorporation, etc. Fifteen years ago, I was helping members of the upper middle class do the same think. Today, virtually anyone on this list can afford these techniques. Non-US people have been using them for years. The reason middle class Americans aren't savvy that yet are ignorance and inertia. Everyday, Americans are becoming less parochial (due in part, ironically, to government hysteria about money laundering) about such possibilities. As the Clintons and Doles turn up the tax and regulatory heat, they will also overcome their inertia. Another irony in America is that the lower class seems to be way ahead of the middle class in keeping more of what they earn. Do you think ANY waiter/waitress in the U.S. reports all his/her tips? Do you really think the neighbor who helped you tune up your car last week will pay taxes on what you paid him? Watch where the money goes when you pay for an item in a mom and pop grocery. Sometimes it goes in the till, other times, in the owner's pocket. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 21:45:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 12:45:35 +0800 Subject: Mindshare and Java Message-ID: <01I4326V6O0W8Y53B6@mbcl.rutgers.edu> From: IN%"ses at tipper.oit.unc.edu" "Simon Spero" 26-APR-1996 02:36:25.74 >In SolidOak, the verification is more or less free of charge, as it runs >the signature code in a separate low priority thread, which often gets to >complete during network induced latencies when fetching sub-classes, which >can be initiated on class download before the code is instantiated.It also >allows multiple classes to verified with just one PKOP, so the cpu cost >is amortised over a lot of stuff Umm... doesn't that allow code with a faked signature to be temporarily trusted, long enough to possibly do some damage? For instance, in fetching sub-classes, what is the code allowed to "know" in fetching them? Such information could be sent out, including by what the code was requesting. Sorry if the above is not applicable; please explain why not, if so. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 22:01:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 13:01:17 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <01I4336FFBS68Y53B6@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 27-APR-1996 23:39:58.42 >Now, how are you going to impose taxes on heads if it becomes impossible >to track down a person? You have to find them to tax them. With secure, >anonymous communications, people can exist without giving away their >location, business interests, property holdings, etc...etc... Travel However, one can ask at various points for identification, possibly cryptographically protected. If that ID hasn't had its head tax paid recently, then you sieze the person. (See below for why I'd call this a probably growing tendency). The ID in question can be biometric, and thus can't be passed (easily) from one person to another once the head tax has been paid on it. Now, what sorts of points one can ask for identification is one place where it gets interesting. If you are doing property taxes, then you can require that the "registered owner" present the cash. But that doesn't prevent someone from hiring someone else to be the registered owner. However, except for schemes such as Assasination Politics et al, enforcing that supposed owner from becoming the de facto as well as de jure owner can be difficult. (In other words, if he says you don't own the property, and the state backs him up because he's paid his head tax and you haven't, then you've got a problem.) Other such interactions are whenever you get caught doing something physical, such as through various police stings. If you don't have your head tax paid on some ID with biometric links to you, then you get put in jail longer. >The only option for government becomes forcible seizure of land and or >persons to enforce taxation. Note that even today property in >the United States owned by tax evaders is difficult to seize if >one cannot prove tax evasion. (Taxation is merely one example of >regulations that become difficult to enforce with proper cryptography in >place by the way). As the state becomes more and more desperate, it seems likely that seizures (or even destruction) of property and persons on such grounds will become more and more frequent and easy. Unconstitutional in most cases? Probably... but they may stop caring. >This being so I think it obvious that a manner of market economy among >political systems will emerge. Some nation states will participate in >what liberal-economists call a "race to the bottom" where they will >continue to reduce regulations and so forth to attract businesses and thus >income. Those on the far left somehow count this a _bad_ thing, citing >typically environmental issues. It never ceases to amaze me that they >don't get the message when 20% of the corporate population departs and >they still don't realize that just raising taxes won't solve the problem. Agreed. I just don't think the "bottom" is zero. In most areas, some government is likely to remain. (Indeed, for my purpose of maximizing individual choices (with the most important of such choices being those known as civil liberties), I currently believe that this is for the best.) -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sun Apr 28 22:03:31 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 13:03:31 +0800 Subject: Anonymous banking Message-ID: <01I432OG4L8G8Y53B6@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 27-APR-1996 23:07:10.42 >Well, using attorney client confidentality to shield things otherwise >discoverable just doesn't work. Given discussions as to attorneys holding passphrases, et al, perhaps a tutorial from the lawyers on the list (yourself and others, since disagreements among J.D.'s have been known to happen) on what attorney-client confidentiality does cover? >There are many mail forwarding services that don't use attornies. An >attorney is going to charge you by the hour for this service. I don't >think you really want to pay for it. Most of them aren't anonymous, either... although that does give me the thought of going to one outside the US and its reporting requirements. They'd know who I was (or at least the address it was going to), but at least nobody else would know. Any suggestions, since you've been writing of the joys of nymdom recently? -Allen From jamesd at echeque.com Sun Apr 28 23:42:35 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 29 Apr 1996 14:42:35 +0800 Subject: code vs cypher Message-ID: <199604290203.TAA03998@dns1.noc.best.net> jamesd at echeque.com" 28-APR-1996 19:31:33.43 > > [Rich Graves] continually brings up this irrelevant > > topic whenever someone complains about [his] egregious > > statism on other issues: At 07:39 PM 4/28/96 EDT, E. ALLEN SMITH wrote: > And what's wrong with being a statist on _some_ issues? > A strict party line will do nobody any good. I believe my complaint was primarily that he kept beating on Nazi issues, which are now entirely off topic since the German attempt to politically censor the internet was defeated. Now if the next time somebody calls him a statist, Rich would tell us what he is doing about the CDA, instead of lecturing us about the Simon Weisenthal center, that would be fine, provided he tells us ONCE, or maybe twice. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From llurch at networking.stanford.edu Sun Apr 28 23:59:12 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 14:59:12 +0800 Subject: Mindshare and Java In-Reply-To: <3183E853.41C6@netscape.com> Message-ID: <Pine.GUL.3.93.960428165347.13032N-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, Tom Weinstein wrote: > Rich Graves wrote: > > > > Some of the things a valid signature from Jack the Ripper means: [True statements deleted] > > 3. If I am Jack the Ripper, I have a way of proving that the code is > > my intellectual property. > > How do you prove that? If I strip off your signature and sign it > myself, how do you know it's yours? Hmm. Very interesting point. You would need to make the signature technology at least tamper-evident by embedding it "somehow," and recursing infinitely. Yup, sounds pretty impossible, so I'm sure somebody's going to come up with an answer. Maybe the one-time signature, or signatures authenticated by location. > > 4. If I'm not Jack the Ripper, I can say "That wasn't me." > > No you can't. How do I know that Jack isn't a nym of yours? Answered elsewhere. Trusted third party swears you're different. Also, signatures from different nyms are useful even if the identity relationship among nyms are known. Compare the nym "Tom Weinstein, Cypherpunk" with "Tom Weinstein, speaking for Netscape" and "Tom Weinstein, can't talk during the IPO." > > 5. If I am GNU, I can advertise and "enforce" my copyleft policy. > > How? OK, you probably can't. This is a special case of #3. -rich From llurch at networking.stanford.edu Mon Apr 29 00:00:12 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 15:00:12 +0800 Subject: Proving that you're not a nym [was Re: Mindshare and Java] In-Reply-To: <Pine.SUN.3.93.960428175310.19393A-100000@polaris.mindport.net> Message-ID: <Pine.GUL.3.93.960428164938.13032M-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, Black Unicorn wrote: > On Sun, 28 Apr 1996, Rich Graves wrote: > > > In this specific case, no, there is nothing you can do to prove that > > you're not the Unicorn of Color, because there are no signatures on his > > or her key. > > Would you PLEASE, get your facts straight? > > Try checking it yourself maybe, instead of assuming this to be true > because someone else said so? All right, all right. We surrender! Call this a problem with the web of reputation capital, I guess. You can be led to believe all sorts of silly things when someone you trust makes a mistake. -rich From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 00:04:00 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 15:04:00 +0800 Subject: Book: The President's Eyes Only Message-ID: <01I434LP0CLS8Y53B6@mbcl.rutgers.edu> From: IN%"hoz at univel.telescan.com" 28-APR-1996 13:57:13.98 >The cypherpunks relevance (Besides the David Kahn quote) is >the frequent mention of NSA decrypts and SIGINT. The frequency >that nations and individuals have used (and apparently continue >to use) breakable encryption is incredible. The intelligence >that has been derived by breaking them is worth a great deal, >in dollars and maybe lives. This book has made me understand a >bit, why a government might try to limit strong cryptography. But do keep in mind that it's not just the US government that can decrypt weak cryptography. So can a lot of other governments... including ones like France and Japan that engage in a lot of commercial espionage. And ITAR restrictions have hindered the use of cryptography in the US by limiting the market for products. As has been said on here in the past, there are probably several groups within the NSA. Some think that getting the info is more important than protecting US citizens from having _their_ info stolen. Some think the reverse. And the ones in the NSA (and the rest of the US government) with darker motives (power et al) are going to be in the first group - they're not concerned with effects on US citizens. -Allen From steve at edmweb.com Mon Apr 29 00:06:24 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 29 Apr 1996 15:06:24 +0800 Subject: PGP and pseudonyms In-Reply-To: <2.2.32.19960428231217.00ac5b6c@mail.teleport.com> Message-ID: <Pine.BSF.3.91.960428165931.10757A-100000@kirk.edmweb.com> > >this pseudonym. If this person's secret keyring were stolen, could > >person=pseudonym be revealed, based on the key ID? Or would it require > >knowing the passphrase? > > Yes, the person=personna would be revealed. No, a passphrase would not be > needed. > To demonstrate try "pgp -kv secring.pgp" and see what you get. I kinda figured that... I was just wondering if maybe the info could be altered, so that the real info can't be figured without getting the passphrase. > I hope this gets fixed in PGP 3.0. I guess pseudonymity(sp?) wasn't the main concern when PGP was created. I suppose a temporary fix would be to not use an ordinary PGP passphrase, but rather encrypt the whole secring.pgp file. Decrypt it when you need it, and be very careful to properly clean up when you're done. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 00:07:28 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 15:07:28 +0800 Subject: code vs cypher Message-ID: <01I434P7PXFQ8Y53B6@mbcl.rutgers.edu> From: IN%"jamesd at echeque.com" 28-APR-1996 19:31:33.43 >You continually bring up this irrelevant topic whenever someone complains >about your egregious statism on other issues: And what's wrong with being a statist on _some_ issues? A strict party line will do nobody any good. In other words, politics makes strange bedfellows, such as libertarians with (non-PC) liberals on many free-speech issues, libertarians with militia types (including the neo-Nazis) on freedom of association, etcetera. -Allen From unicorn at schloss.li Mon Apr 29 00:16:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 15:16:08 +0800 Subject: My nym: Statement Message-ID: <Pine.SUN.3.93.960428215100.25014G-100000@polaris.mindport.net> -----BEGIN PGP SIGNED MESSAGE----- I thought I would take a moment to discuss my nym, given the Web of Trust issues floating about right now. When I developed this nym I hoped to merely avoid connecting my political views with my real life persona. Generally speaking many of my associates, my family and what clients I still serve would find my political views somewhat distasteful. It was with a view to prevent this connection that I originally created the nym on cypherpunks. As time went by I found it useful for other reasons involving my previous employer which I won't go into in detail. Some on the list have met me, either at the cypherpunks meeting in D.C. when the clipper issue was emerging, or relating to ongoing and emerging projects. Others have spoken to me on the phone extensively or briefly. Really I preserve the nym for reputation capital more than anything else. I serve the list best with my input (whether you agree with it or not) when there is some reputation context attached. Hopefully the majority of it relates to the perception that I post 'good' material or that I 'have a clue.' With any luck some of you are not so quick to delete messages that bear my address as you would be to delete something from "nobody at whereever.com." By the same token, certainly some of you are burning up the "D" key when I post a lot. If nothing else a consistant address helps in filtering. Those generally interested in my subjects of expertise and interest will have an extra bit of filtering information (1=is a black unicorn post) as will those who find my posts annoying. When I communicate securely it's generally with people who I have some business or personal dealings with. This tends to eliminate the need for me to be extensively interwraped in the web of trust. Those who don't know me would be as unwise to send me sensitive mailings as they would be to cc: fbi.gov. (At least until "is not a fed" signatures start to become popular). Because most of my encrypted traffic is of a financial and business nature I like the overkill of a 2048 bit key. I also want a published 2048 bit key in the event it becomes difficult to publically distribute keys in the future. The man in the middle problem with my nym is not really an issue as far as I can tell. I suppose someone might argue that they wouldn't want to mail me anything asking for legal advice for fear it might be intercepted and returned to them with disinformation attached. As these are people I generally don't know, it's equally likely to them that I am simply an agent provocateur who has no man in the middle problems. - From my end, man in the middle attacks are difficult to use against me because those with whom I have extensive business and personal communications know me well enough to permit end to end verification through seperate secure channels. (I use secure telephones regularly, and this permits voice recognition). "But you could be more than one person..." So? Do you like this group's legal and political views? Then who cares how many people I am? I suppose if it makes people happy I will get 10 signatures binding me strongly to the larger web of trust. It's never seemed worth the effort before. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMYQf/S1onm9OaF05AQHBFQf/cHK9XAeFsWSGb02skl+2Tbr71fBb5EB9 B9ySM9+z6pbaXlTrpE5b4U2951Q3qidpppm09f05KHKYhfdVjck3I2vvoF1tFa9q gVZnjW8CmiYQFc7F65wvvdvjeet7sB4+ki/PbojXz9cYt7x5mDegdPWEOAx82yh1 eLs3WyMqUAL2NUqNaL48Dr7Y8xSvO24qdyARC4FHEvDQFomhYme6kZ33RKtKaoFx K2qCGYEJkyaIMtNkBYR5B15JPhmLuEKUbHDkQYiaYv1cRKguF55nGlh9vsq6Qr5j oyB5MkK8sZZKqwIFnUPLwxD3d1DCgvm5gWV3W2LeiQq9Ovk74Nh95A== =Xm1B -----END PGP SIGNATURE----- --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From mrm at netcom.com Mon Apr 29 00:24:11 1996 From: mrm at netcom.com (Marianne Mueller) Date: Mon, 29 Apr 1996 15:24:11 +0800 Subject: learning Java Message-ID: <199604290024.RAA14184@netcom20.netcom.com> I think that learning Java and having fun using Java (it is possible ... and I speak as someone who doesn't think that programming is necessarily fun in its own right) is orthogonal to the issue of learning and applying the applet security model. In other words, learning Java today won't be a waste of effort when more sophisticated security schemes come online. I like Laura Lemay's book "Teach yourself Java in 21 days" and the O'Reilly book "Java in a Nutshell." We also have a tutorial online at http://java.sun.com/tutorial/, and all kinds of programmer's documentation at http://java.sun.com/doc/programmer.html The applet security model is described on http://java.sun.com/sfaq/ [Yes we know that more and better documentation is needed!] Anyone who wishes, can get a full source release by faxing us a license agreement. Source isn't a substitute for documentation, but some people actually prefer source to English. See http://java.sun.com/licensing.html for details on how to get the full source release. As other people have pointed out, applet security != internet security. Java is a programming language, and standalone Java apps can and do implement their own security policies. I apologize in advance to Perry and others who will tell me that this posting of mine isn't relevant to cypherpunks. I won't do it again. Marianne JavaSoft, Sun Microsystems Inc From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 00:26:36 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 15:26:36 +0800 Subject: Mindshare and Java Message-ID: <01I43B7OQJE88Y53CU@mbcl.rutgers.edu> From: IN%"tomw at netscape.com" "Tom Weinstein" 28-APR-1996 20:13:00.23 >Rich Graves wrote: > >> 3. If I am Jack the Ripper, I have a way of proving that the code is >> my intellectual property. >How do you prove that? If I strip off your signature and sign it >myself, how do you know it's yours? Prior publication or timestamping. Admittedly, you could have come up with the same stuff independently (and will probably have modified some unimportant respects so that the code is different, even if you didn't). But that problem is there in any copyrighting/anti-plagarism scheme. For instance, I recently had an idea on genetic algorithms (I've been researching coding techniques for them.) I then came across a version of it in a journal, so I have to cite that journal when I give the idea - even though I came up with it independently. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 00:33:24 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 15:33:24 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <01I43B16HT2U8Y53CU@mbcl.rutgers.edu> From: IN%"s1113645 at tesla.cc.uottawa.ca" 28-APR-1996 19:36:41.10 >What is interesting is how it applies to the middle-class, where most of >the tax-base is. Currently, yes... but the divide between rich and poor is growing. (So long as this divide is determined by merit, and the poor still have enough to survive, I'd call this a good trend. So would various other people on this list, perhaps without my caveats.) In other words, the middle class is going up or down. The factory workers are going down; the high-ability workers (including information workers) are going up. So just talking about the rich makes sense. -Allen From sunder at dorsai.dorsai.org Mon Apr 29 00:37:43 1996 From: sunder at dorsai.dorsai.org (Ray Arachelian) Date: Mon, 29 Apr 1996 15:37:43 +0800 Subject: Click here to become an International Arms Trafficker In-Reply-To: <2.2.32.19960426091033.00688010@gateway> Message-ID: <Pine.SUN.3.91.960428221525.16777A-100000@dorsai> On Fri, 26 Apr 1996, David K. Merriman wrote: > At 02:46 PM 04/26/96 -0400, Vince Cate wrote: > > > > "Click here to become an International Arms Trafficker" > > > >Offshore Information Services Ltd. has set up a web page to make it really > >easy for people to become International Arms Traffickers. All they have to > >do is fill in their name and email address and then click. Check out: > > > > http://online.offshore.com.ai/arms-trafficker/ > > > >If you think this is half as funny as I do, please make a link from > >one of your pages to this one. > > > > Well, I'm ITAR violator # 6 :-) I just made ITAR violator #66 on this page. :^) ROTFL!!! And while I'm at it, there's a CDA violation in my .signature file - I'm sure flirting with the law tonight! Heheheheheh! ========================================================================== + ^ + | Ray Arachelian |FH| KAOS KERAUNOS KYBERNETOS |==/|\== \|/ |sunder at dorsai.org|UE|__Nothing_is_true,_all_is_permitted!_|=/\|/\= <--+-->| --------------- |CC|What part of 'Congress shall make no |=\/|\/= /|\ | Just Say |KD|law abridging the freedom of speech' |==\|/== + v + | "No" to the NSA!|TA| do you not understand? |======= ===================http://www.dorsai.org/~sunder/========================= Obscenity laws are the crutches of inarticulate motherfuckers-Fuck the CDA From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 00:44:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 15:44:19 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <01I433EEPIGC8Y53B6@mbcl.rutgers.edu> From: IN%"mkj at october.segno.com" 28-APR-1996 10:29:40.72 >Most other arguments put forth so far in this thread, about how people >"won't stand for" certain government behaviors and so forth, I don't >find convincing. Modern military technologies, especially in the >U.S., make the prospects of a sucessful popular uprising dubious. Well, atomic bombing your own populace is not exactly the way for a nation-state to survive. Most other high-effectiveness means of taking out internal rebels also don't work very well. Why do you think a lot of areas with civil wars are kind of destroyed by the end of them? Even with the low level of military technology at the time, the South was quite thoroughly devastated by the end of the Civil War - and it would have been even without such "atrocities" (so-called by Confederate sympathizers) as the burning of Atlanta. >Which brings us to the "flight of capital" issue. Will nations be >able to compete freely for the loyalty of the rich? Or will the most >powerful nations form effective coalitions, and perhaps simply bomb >"rogue" nations into the stone age? It depends partially on whether those "rogue" nations have nuclear weapons (or, like Japan, the economic equivalents). I suspect that the best way to have a country with fully anonymous digital cash in widespread, legal use will be to have that country be a nuclear power. Thus, discussions of how to construct a backyard nuclear device (the subject of earlier debates on here between Jim Bell and others) may be quite relevant. Having those loyal rich types around to fund such an effort may make such possible, especially with the breakdown of the Soviet Union and the resulting availability of nuclear material. -Allen From jimbell at pacifier.com Mon Apr 29 00:57:07 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Apr 1996 15:57:07 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <m0uDh1O-00092NC@pacifier.com> At 02:12 PM 4/28/96 -0700, jamesd at echeque.com wrote: > >> When you cut off someone's air supply, even the nicest, gentlest >> person will go into an unrestrained, murderous frenzy. I expect >> something similar will happen to even the most "civilized" governments >> within the next few years, as popular crypto begins to cut off their >> money supply. > >False on two counts: > >First "frenzy" is exactly the opposite of what the >government needs to stay in one piece, to continue >to be a government. > >Secondly, when you cut of someones air supply, >they do not necessarily defend themselves. While that's obviously an imperfect analogy he gave, I think it's inadvertently instructive for an unobvious reason: Governments are _supposed_ to be products of the will of the people (at least, in so-called "freedom-loving" societies they are). If that's the case, then if society decides that governments should be reduced or even eliminated, those governments should have no objection. To whatever extent they DO have an objection, it can only be because the government is no longer representing the population as it was supposed to do, but has started to represent the vested interests of people whose livelihood depends on that government. And to whatever extent this is happening, that's all the more reason to get rid of that government. Unfortunately, that's exactly the position we find ourselves in today. Jim Bell jimbell at pacifier.com From llurch at networking.stanford.edu Mon Apr 29 00:59:36 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 15:59:36 +0800 Subject: PGP and pseudonyms In-Reply-To: <Pine.BSF.3.91.960428165931.10757A-100000@kirk.edmweb.com> Message-ID: <Pine.GUL.3.93.960428201204.13032R-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, Steve Reid wrote: > > >this pseudonym. If this person's secret keyring were stolen, could > > >person=pseudonym be revealed, based on the key ID? Or would it require > > >knowing the passphrase? [...] > I guess pseudonymity(sp?) wasn't the main concern when PGP was created. > > I suppose a temporary fix would be to not use an ordinary PGP passphrase, > but rather encrypt the whole secring.pgp file. Decrypt it when you need > it, and be very careful to properly clean up when you're done. Huh? Just use multiple secring.pgp files, and toggle PGPPATH. What's the problem? I guess that wouldn't be so convenient on the Mac version, I guess, but you could write an AppleScript to swap file/folder names. -rich From jimbell at pacifier.com Mon Apr 29 01:03:52 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 29 Apr 1996 16:03:52 +0800 Subject: Book: The President's Eyes Only Message-ID: <m0uDfdU-00091FC@pacifier.com> At 07:08 AM 4/28/96 -0700, rick hoselton wrote: >I just finished reading "For the President's Eyes Only", >a book by Christopher Andrew. [stuff deleted] >I suppose I tended to look upon ITAR restrictions on cryptography >as a sign of a power-hungry, self-agrandizing, government that has >lost track of the fact that its legitimacy depends on protecting >the blessings of liberty for its citizens. That's partly true, >but there's more to it than that. > >After reading "For the President's Eyes Only", I can understand that >many in government believe that they are protecting the public by >outlawing cryptography. After careful reconsideration, I still >believe in strong free crypto, but it made me think very hard. >I think that some on this list and in sci.crypt should be ashamed of >their ad hominem attacks in an area where reasonable people disagree. > >The crypto-game is being played "for keeps". Someday, all crypto >may be too strong to break, but for right now, many "bad guys" >(and whatever your philosophy, I bet you can find some) use weak >crypto, and this allows the US Govt. to know more about what goes >on in the world. Here's one reason why I object to this. While "reasonable people" occasionally disagree about things, in the political arena my experience has been that the main reason they disagree is their differing VALUES, not the interpretation of those values. For example, if a person simply disliked the concept of freedom (for others, anyway) or wanted to maintain the power of an existing government against future reductions based on technological developments, he'd object to the deployment of good crypto by ordinary citizens. One could argue that his position is "reasonable" given his value system, but in reality his would be a particularly hostile position with regards to my rights. Yes, "bad guys" exist, but for most if not all of us the vast majority of those bad guys would have no use for crypto, and probably wouldn't be able to figure out how to install and run PGP. Only a very tiny fraction of "bad guys" would benefit from crypto, yet that's all the government is talking about. The reason is simple: The government's "bad guys" are NOT OUR "bad guys", not at all. The government is almost entirely uninterested in the common criminals who do most of the damage; it is focussing on the few people who are the biggest threat to _it_, not a threat to the public. It is this self-interest that makes the positions of the government-apologists unreasonable, and worthy of our scorn. Jim Bell jimbell at pacifier.com As long as Uncle Sam keeps his finger on a nuclear >trigger, I can see a strong case that knowing what he's doing and >not getting too surprised are (mostly) good things. > >There will be a price to pay when everyone uses strong crypto. >There will be great benefits derived, as well. It will be very >expensive, but worth it. If we want to make it happen sooner, >we should understand (and respect) our opponents in this debate. > > >Rick F. Hoselton (who doesn't claim to present opinions for others) > > > From die at pig.die.com Mon Apr 29 01:03:57 1996 From: die at pig.die.com (Dave Emery) Date: Mon, 29 Apr 1996 16:03:57 +0800 Subject: NOISE - AARMs Message-ID: <9604282326.AA01174@pig.die.com> >From MAILER-DAEMON Sun Apr 28 19:24:26 1996 Received: by pig.die.com (5.65/1.35) id AA01144; Sun, 28 Apr 96 19:24:26 -0400 Date: Sun, 28 Apr 96 19:24:26 -0400 From: MAILER-DAEMON (Mail Delivery Subsystem) Subject: Returned mail: User unknown Message-Id: <9604282324.AA01144 at pig.die.com> To: die Status: RO ----- Transcript of session follows ----- 550 cypherpunks.com... User unknown ----- Unsent message follows ----- Received: by pig.die.com (5.65/1.35) id AA01142; Sun, 28 Apr 96 19:24:26 -0400 Message-Id: <9604282324.AA01142 at pig.die.com> Subject: Re: Cell Kill 2 To: asgaard at sos.sll.se (Asgaard) Date: Sun, 28 Apr 1996 19:24:26 -0400 (EDT) From: "Dave Emery" <die at pig.die.com> Cc: cypherpunks.com Reply-To: die at die.com In-Reply-To: <Pine.HPP.3.91.960428210130.10419A-100000 at cor.sos.sll.se> from "Asgaard" at Apr 28, 96 11:44:03 pm X-Mailer: ELM [version 2.4 PL24alpha3] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1237 Asgaard writes > > enough for this application of force. It makes more sense if > he was using a direct (mobile) phone-satellite device, assuming > such devices are emitting a stronger signal that could easily > be targeted by AWAC type technology, or even satellites (that > they are communicating with in the first place). > Much the most likely satellite phone is the widely used INMARSAT A or C types which radiate continuous narrow band (nbfm or QPSK) uplinks in L band (around 1636 mhz) at considerable power (multiple tens of watts) via antennas with large sidelobes (the fact that the antennas are small and portable on most satellite terminals mean that they radiate lots of energy in various directions other than the satellite because of the limitations of the physical optics involved at such a long wavelength). This would be a sitting duck for an anti-radiation missle. The US has had such missle's since the Vietnam era for knocking out radar sites, one can presume the USSR developed such weapons as well. Why the Russians did not use this technology earlier remains puzzling ... and why Dudeyev used a satellite phone which made him a sitting duck is even less clear. Dave Emery die at die.com From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 01:06:04 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 16:06:04 +0800 Subject: Nando.net on expatriate tax issue Message-ID: <01I43CGVYKGW8Y53DN@mbcl.rutgers.edu> Of course, the mainstream media is failing to question why such taxes should be in existence at all. -Allen >Billionaires' tax loophole could complicate passage of health reform >--------------------------------------------------------------------------- >Copyright 1996 Nando.net >Copyright 1996 The Associated Press >WASHINGTON (Apr 28, 1996 1:47 p.m. EDT) -- A once white-hot, but still >smoldering, partisan dispute over taxation of expatriate billionaires could >further complicate enactment of a popular measure making health insurance >portable from job to job. [...] >But an effort to plug a loophole that's allowed a handful of wealthy people >to avoid taxes by renouncing their citizenship could put another hurdle >before a health bill all sides say they want. >Competing expatriate billionaire provisions are tucked into separate health >bills that cleared the Senate last week and the House in March. >In an approach recommended by the Clinton administration, the Senate would >impose an immediate capital gains tax on the assets of wealthy people when >they renounce their citizenship. >However, the House bill, crafted by Ways and Means Chairman Bill Archer, >R-Texas, takes an entirely different approach that Democrats and the >administration say leaves the loophole wide open. >House and Senate lawmakers haven't met yet to work out the differences >between the two health bills. But if past negotiations on the expatriation >issue are any indication, the House version will emerge victorious. [...] >Instead of imposing a large and immediate tax on wealthy citizenship >renouncers, the House version tightens current law. It requires expatriates >with a net worth of $500,000 or more to pay taxes on capital gains and >other income from U.S.-based assets for 10 years after they renounce their >citizenship. >But critics say it will accomplish little more than forcing accountants and >lawyers to find more creative ways around the rules on behalf of >billionaire citizenship renouncers such as Campbell soup fortune heir John >Dorrance III and Dart Container Corp. President Kenneth Dart. >The House version would be extremely difficult to enforce and would allow >patient expatriates to avoid the tax by holding their assets for 10 years >before selling, they say. In the interim, they could raise cash by >borrowing against the assets. [...] >However, Archer says his committee's version is actually tougher. The >administration's proposal would create an incentive for people who had >recently inherited their wealth to expatriate before their newly acquired >assets started to appreciate, he said. >"The reality is their proposal is weaker than ours," Archer said. "Some of >the most egregious cases are where there have been heirs that have been >recipients of estates who can under their proposal leave and never pay >anything." From EALLENSMITH at ocelot.Rutgers.EDU Mon Apr 29 01:06:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 29 Apr 1996 16:06:41 +0800 Subject: arbiter/escrow agent for hire Message-ID: <01I43AVX02IO8Y53CU@mbcl.rutgers.edu> From: IN%"unicorn at schloss.li" "Black Unicorn" 28-APR-1996 20:43:07.41 >My key is available on the keyservers, as far as I know. >Sandy Sandfort, for one, has spoken with me extensively and his signature >is on my key. If you like, I suggest you ask him as to his view of my >credibility/continuity. My information would appear to be out of date; I was getting it from one of the web-of-trust studies which stated that your new key was not signed by anything except itself. Sorry. >Note, this hardly assures you that I'm not several people working >together, merely that this nym is connected to at least one person who >posts on cypherpunks regularly and has had a presence here since just >after the lists foundation. It would admittedly help if your messages were signed also; this would provide somewhat of an additional confirmation. However, I very well understand that this is not always possible/practical; note that I don't have a key yet. -Allen From s1113645 at tesla.cc.uottawa.ca Mon Apr 29 01:11:43 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 29 Apr 1996 16:11:43 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <Pine.3.89.9604281554.A30287-0100000@tesla.cc.uottawa.ca> Message-ID: <Pine.3.89.9604282014.F30933-0100000@tesla.cc.uottawa.ca> On Sun, 28 Apr 1996 I wrote: > One of these days I'm going to learn the art of succint writing. And fact-checking too. Time to eat words. > I don't think the rich are really the issue. From what Sandy, Black From s1113645 at tesla.cc.uottawa.ca Mon Apr 29 01:12:02 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Mon, 29 Apr 1996 16:12:02 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <01I43B16HT2U8Y53CU@mbcl.rutgers.edu> Message-ID: <Pine.3.89.9604282225.B28833-0100000@tesla.cc.uottawa.ca> On Sun, 28 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"s1113645 at tesla.cc.uottawa.ca" 28-APR-1996 19:36:41.10 > > >What is interesting is how it applies to the middle-class, where most of > >the tax-base is. > > Currently, yes... but the divide between rich and poor is growing. > (So long as this divide is determined by merit, and the poor still have enough > to survive, I'd call this a good trend. So would various other people on this > list, perhaps without my caveats.) In other words, the middle class is going I agree with your caveat. It's where the anarchists get me skeptical. > up or down. The factory workers are going down; the high-ability workers > (including information workers) are going up. So just talking about the rich > makes sense. Someone sent me some US income tax figures. It would seem that the vast majority of personal taxes are paid by the rich and high-end upper-middle. So I'll eat my words and agree with you, talking about the rich makes quite a bit of sense. I sort of do wonder how many of those "corporations" are small businesses and individuals working as companies. Time for me to go find a national stats book. Of course only talking about the rich makes things so much easier. From WlkngOwl at UNiX.asb.com Mon Apr 29 01:14:16 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Mon, 29 Apr 1996 16:14:16 +0800 Subject: API for the next release of NOISE.SYS available... Message-ID: <199604290135.VAA12948@unix.asb.com> If you're interested in seeing the preliminary API for the next NOISE.SYS release, send a message with the subject "send noise-api" and my mail filter will respond in kind. Thoughful comments and criticisms or suggestions would be most welcome. If you're seriously interested in taking a look at the source code before the next version is released (that is, if you intend to comb it for bugs, optimizations, security flaws, etc. etc.) drop me a line. Rob. --- Send a blank message with the subject "send pgp-key" to <WlkngOwl at unix.asb.com> for a copy of my PGP key. From alano at teleport.com Mon Apr 29 01:16:12 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 29 Apr 1996 16:16:12 +0800 Subject: PGP and pseudonyms Message-ID: <2.2.32.19960428231217.00ac5b6c@mail.teleport.com> At 03:08 PM 4/28/96 -0700, Steve Reid wrote: >Suppose someone were using a pseudonym, and had a seperate PGP key for >this pseudonym. If this person's secret keyring were stolen, could >person=pseudonym be revealed, based on the key ID? Or would it require >knowing the passphrase? Yes, the person=personna would be revealed. No, a passphrase would not be needed. To demonstrate try "pgp -kv secring.pgp" and see what you get. I hope this gets fixed in PGP 3.0. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From unicorn at schloss.li Mon Apr 29 01:47:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 16:47:02 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <m0uDagf-00093GC@pacifier.com> Message-ID: <Pine.SUN.3.93.960428234342.5923A-100000@polaris.mindport.net> On Sun, 28 Apr 1996, jim bell wrote: [...] > "Military technologies" only work effectively against a military target. While generally I agree with you, I believe Esper Sata, Gerald Bull and Pablo Escobar might have more specific disagreements. > Kill civilians and you just make other civilians angry. At that point > they'll be look for a weapon that "military technologies" cannot effectively > oppose. That weapon is already known to be possible. While strong cryptography is powerful, and secure communications liberating, unplugging the phones would about cripple that 'weapon' for a while. Any group rebelling based only on high technology communication is an extremely vulnerable group, both to widespread denial of service, and more specific 'surgical' attacks. (Motorola stock anyone?) > Quite the contrary, I think that a "successful popular uprising" will > require only a very small investment in time and money, in which some of > they key players in government are targeted and the prospect exists for > easily and cheaply getting the rest. At that point they will resign in > droves. Firstly, uprising, even kicking people out of power might take only a small investment in time and money, but consolidating a new system (even a decentralized one) will be extensively expensive and time consuming. To the extent that a successful uprising depends on organizing the new power structure, I can't see how a successful popular uprising can be cheap. In addition I believe the assumption that a few, even several official deaths will cause mass resignations ignores history. See e.g., Columbia, South Africa, and any number of other examples. [...] > Government feeds on its own size; once government is dramatically reduced > below its current size, it will become even less able to resist further > contraction. Probably few government employees realize this. While I understand the point, I think that a slim efficient government is much better able to resist "contraction." The most effective covert action/terrorist/political agitation groups have all been small and closely held. It's easier to control all aspects of operation and a greater concentration can be put into internal security concerns as government shrinks. Obviously there is a critical mass, but I don't think you will see the "runaway refrigerator" effect with government shrinkage. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From unicorn at schloss.li Mon Apr 29 01:54:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 16:54:02 +0800 Subject: Attorney-Client / Nyms Message-ID: <Pine.SUN.3.93.960428210311.25014E-100000@polaris.mindport.net> -----BEGIN PGP SIGNED MESSAGE----- On Sun, 28 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"unicorn at schloss.li" "Black Unicorn" 27-APR-1996 23:07:10.42 > > >Well, using attorney client confidentality to shield things otherwise > >discoverable just doesn't work. > > Given discussions as to attorneys holding passphrases, et al, perhaps > a tutorial from the lawyers on the list (yourself and others, since > disagreements among J.D.'s have been known to happen) on what attorney-client > confidentiality does cover? Proposed FRE 503 probably has the best codification of the prevailing common law on the subject. I reproduce it in part below. Typos are mine. (a) Definitions. As used in this rule: (1) A "client" is a person, public officer, or corporation, association, or other organization or entity, either public or private, who is rendered professional legal services by a lawyer, or who consults with a lawyer with a view to obtaining progessional legal services from him. [...] (b) General rule of privilege. A client has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purposes of facilitiating the rendition of professional legal services to the client, [between the attorney and the client directly or indirectly]. (c) Who may claim the privilege. The privilege may be claimed by the client [or his agents or assigns etc.] The person who was the lawyer at the time of the communication may claim the privilege but only on behalf of the client. His authoriety to do so is presumed in the absence of evidence to the contrary. (d) Exceptions. There is no privilege under this rule: (1) Furtherance of crime or fraud. If the services of the lawyer were sought or obtained to enable or aid anyone to commit or plan to commit what the client knew or reasonably should have known to be a crime or fraud; or (2) Claimants through the same deceased client. As to communication relevant to an issue between parties who claim through the samed deceased client, regardless of whether the claims are by testate or intestate succession or by inter vivos transaction; or (3) Breach of duty by lawyer or client. As to a communication relevant to an issue of breach of duty by the lawyer to his client or by the client to his lawyer; or (4) Document attested by lawyer. As to a communication relevant to an issue concerning an attested document to which the lawyer is an attesting witness; or (5) Joint clients. As to a communication relevant to matter of common interest between two or more clients if the communication was made by any of them to a lawyer retained or consulted in common, when offered in an action between any of the clients. (end) Generally speaking the particulars of attorney-client relationships are regulated by state statute, though some states define the provisions through common law. Note the confidentiality requirement. A client is estopped from claiming privilege if he discloses the content of the communication to a third party not connected to the attorney-client relationship. The identity of the client and the existance of the attorney client relationship are not confidential. There are some exceptions. Physical evidence is generally not protected by attorney client privilege unless it is a manifestation of communications between attorney and client (letters, documents etc.) Communications regarding future crimes or frauds are not protected. What I think you will be most interested in, however are the exception for stolen property and destruction of evidence. Stolen property may be held by an attorney for a reasonable time for inspection purposes, but must be returned to the rightful owner or the attorney will be a receiver of stolen goods and participating in an ongoing crime. Privilege will thus not apply. In re Ryder, 263 F.Supp. 360 (E.D.Va 1967). (Some courts will permit the attorney to refuse to disclose the source from which he obtained the property, however). Consider this in the context of trade secrets. All states have laws against destroying or concealing evidence. The attorney who advises his client to destroy evidence is a co-consiprator. Privilege does not apply. Clark v. State, 261 S.W.2d 339 (Crim. App Tex. 1953). (Interesting to wonder if advising a client to encrypt evidence is 'concealing' it). > > >There are many mail forwarding services that don't use attornies. An > >attorney is going to charge you by the hour for this service. I don't > >think you really want to pay for it. > > Most of them aren't anonymous, either... although that does give me > the thought of going to one outside the US and its reporting requirements. > They'd know who I was (or at least the address it was going to), but at least > nobody else would know. Any suggestions, since you've been writing of the joys > of nymdom recently? I suggest you use a forwarding service, sign up with your nym name, and provide the address of a P.O. box for them to forward to, also in the name of your nym. > -Allen -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMYQU6S1onm9OaF05AQHN7ggAstl9Is4Yyt0ZSPiOJYBJvFqPoj8kNtQL 6TuIubS4Ybu+5tWEqI6O/llmwE0NGw9q8ow4zK4yAm7PnbtvcFsRvjLy+KlPbU6/ rVTd1EI9Qz6rGTiK99j3bBxdYsQv4p4AwiC/+sdR/ZJyq6+ZR5PX/RzqPO/Tfxc6 nlM/G0S4PcA45W4v+lDRbj8GTcRaTlziPAl8/8xJGPuapZBrt8Icl92dLrCAFu7e vGe0u0yrRw/ljq2hQ1FjpQzEv4pbQ4XPxylqmoh7lTjkFw2KsT/pNb/36YUNisPv 4n4EiAcRCviVBSmaOF8DzgwANirTR5WEYj9ayIBwN5UmlwZnKWf/Bw== =N2Wa -----END PGP SIGNATURE----- --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From angus at bmsysltd.demon.co.uk Mon Apr 29 02:17:14 1996 From: angus at bmsysltd.demon.co.uk (Gus) Date: Mon, 29 Apr 1996 17:17:14 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.OSF.3.91.960427180844.11803B-100000@bud.peinet.pe.ca> Message-ID: <Pine.LNX.3.91.960428235747.1082B-100000@bmsysltd.demon.co.uk> On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > I wonder how they can get the e-mail address? Our finger daemon are > blocked. Many un-broadcast e-mail addresses (the account never send any > e-mails to anyone) are in the database. How? It's a sad fact that many unscrupulous(sp?) writers of WWW pages use non-visilble "on load" HTML to record what the web browser thinks the email address of the person browsing the page, and, I presume sell this info to the junk email producers. Part of the WhoWhere archives could have come from such sources. (personally my address in netscape is stop.stealing at addresses.you.CENSORED) If one really set ones mind to it, I guess that grepping through mailing list archives for addresses, and using a webcrawler to search for MAILTO= would lead to many thousands, or even hundreds of thousands, of addresses. On the plus side, the search engine will not let "*","\*","?*" and so be used, and there are no real matches for "root", apart from stuff like "Bob Root" etc. -- Gus <angus at bmsysltd.demon.co.uk> |-|PGP Fingerprint = 73 83 C0 EA 2E A6 00 3E http://www.thepulse.co.uk/angus |=|(Key on request) 08 B1 19 0D 8B BE 87 B9 CIS 100545.720 |+| "Linux - You know you want to." | "fuck" |Advertising/Promotional email will result in a campaign of hatred and abuse| From hfinney at shell.portal.com Mon Apr 29 02:35:54 1996 From: hfinney at shell.portal.com (Hal) Date: Mon, 29 Apr 1996 17:35:54 +0800 Subject: Java security weaknesses Message-ID: <199604290457.VAA22845@jobe.shell.portal.com> To add to the list of Java security weaknesses from the Princeton paper I posted the other day, I saw a new one on comp.lang.java this afternoon. It is another bug in the bytecode verifier, different from the one discovered by the Princeton group, that allows you to bypass the security mechanisms completely. Details are not yet available. Apparently the earlier bytecode verifier bug still does not have a fix available. However the nature of the bug itself was kept secret until last week. Now that it is out I hope Sun and Netscape will push to get the fix available ASAP. The bug appears to require considerable sophistication to exploit (understanding the details of the class resolution mechanism). Still with the talent which is out there on the net I imagine it will only be another week or two at most before a demonstration exploit appears. I hope the extended delay in making the fix available means that an intensive review of the code is being conducted, so that for example this other bug will have been fixed as well in the new release. I certainly hope that it won't be another month before a fix comes out for this new bug. Hal From sameer at c2.org Mon Apr 29 04:21:10 1996 From: sameer at c2.org (sameer at c2.org) Date: Mon, 29 Apr 1996 19:21:10 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <Pine.SUN.3.93.960428162347.12806D-100000@polaris.mindport.net> Message-ID: <199604290521.WAA21769@atropos.c2.org> > (Sigh). I'll say it yet a third time. Get a current copy of my key which > is signed by at least three people on the web of trust. As if this "web of trust" was actually worth something. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From unicorn at schloss.li Mon Apr 29 04:21:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 19:21:51 +0800 Subject: Mindshare and Java In-Reply-To: <Pine.GUL.3.93.960428165347.13032N-100000@Networking.Stanford.EDU> Message-ID: <Pine.SUN.3.93.960429010905.8863A-100000@polaris.mindport.net> On Sun, 28 Apr 1996, Rich Graves wrote: > On Sun, 28 Apr 1996, Tom Weinstein wrote: > > Rich Graves wrote: > > > > > > Some of the things a valid signature from Jack the Ripper means: > > [True statements deleted] > > > > 3. If I am Jack the Ripper, I have a way of proving that the code is > > > my intellectual property. > > > > How do you prove that? If I strip off your signature and sign it > > myself, how do you know it's yours? > > Hmm. Very interesting point. You would need to make the signature > technology at least tamper-evident by embedding it "somehow," and > recursing infinitely. Yup, sounds pretty impossible, so I'm sure > somebody's going to come up with an answer. Maybe the one-time signature, > or signatures authenticated by location. I have put my 'secret' signature on work product by stegoing little things into the text. (A simple example would be if the first letter of each sentence on each paragraph spelled your name). I'm sure members of the list can come up with any number of creative alternatives. If this is done discretely enough and embedded "deep" enough into the property, it is pretty reliable. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From llurch at networking.stanford.edu Mon Apr 29 04:34:56 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 19:34:56 +0800 Subject: code vs cypher In-Reply-To: <01I434P7PXFQ8Y53B6@mbcl.rutgers.edu> Message-ID: <Pine.GUL.3.93.960428202142.13032S-100000@Networking.Stanford.EDU> On Sun, 28 Apr 1996, E. ALLEN SMITH wrote: > From: IN%"jamesd at echeque.com" 28-APR-1996 19:31:33.43 > > >You continually bring up this irrelevant topic whenever someone complains > >about your egregious statism on other issues: > > And what's wrong with being a statist on _some_ issues? A strict party > line will do nobody any good. In other words, politics makes strange > bedfellows, such as libertarians with (non-PC) liberals on many free-speech > issues, libertarians with militia types (including the [censored]) on freedom > of association, etcetera. Er... thanks, but no thanks. This presumes that James's characterization of my positions on other issues is correct, and I do not believe that it is. Astute readers may remember that I "became" a FUCKING STATIST because I objected to Jim Bell's idea that no government employee deserved any privacy in his or her personal life. I adopted the epithet because I thought it was funny. I do not recall defending any statist policies. I did not defend the [censored], and indeed to defend the [censored] would not have been egregious statism, or indeed any kind of statism at all, because we were talking about private pressure on private ISPs. I am well aware that the [censored] has favored arbitrary statist controls in other countries and circumstances, but I do not recall ever discussing those policies of the [censored] with anyone here. In fact, most [censored], [censored], and [censored], and all regular posters to alt.revisionism save one, have criticized the [censored] rather roundly, and supported free speech for [censored]. I am not [censored], and I do not support the [censored]. I do not believe I have ever defended any policy of the [censored]. I have merely endeavored that in their zeal to demonstrate opposition to the policies of the [censored], some more activist folks such as [censored], [censored], and [censored] have strayed a bit too far into the deep end by criticizing positions that the [censored] does not, in fact, hold. My position on most such issues is yes, the walls are closing in, but the sky is not falling. I'd rather look on the bright side sometimes, and I will never accept untruths, especially from friends. -rich From jamesd at echeque.com Mon Apr 29 04:39:23 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 29 Apr 1996 19:39:23 +0800 Subject: code vs cypher Message-ID: <199604290602.XAA02064@dns2.noc.best.net> At 10:01 PM 4/28/96 -0700, Rich Graves wrote: > I do not recall defending any statist policies. I did not defend the > [SMC call to silence Nazis], and indeed to defend the > [SMC ] would not have been > egregious statism, or indeed any kind of statism at all, I do not recall anyone accusing you of statism on the SMC call to cut Nazi net access -- probably because I deleted all that tedious crap, not because nobody accused you. I and others accused you of statism on various other matters, such as your claim that those who fail to pay taxes steal from society, and I just accused you of always changing the subject to Nazism whenever somebody accuses you of statism. And I also accused you of talking about Nazism much too much. And what happened: You immediately changed the subject to Nazism. Cut the nazism, please. Statism is sometimes on topic. Nazism will not be on topic until the next serious threat to Nazi's net access. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From unicorn at schloss.li Mon Apr 29 04:43:50 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 19:43:50 +0800 Subject: Nando.net on expatriate tax issue In-Reply-To: <01I43CGVYKGW8Y53DN@mbcl.rutgers.edu> Message-ID: <Pine.SUN.3.93.960429011537.8863D-100000@polaris.mindport.net> On Sun, 28 Apr 1996, E. ALLEN SMITH wrote: > Of course, the mainstream media is failing to question why such taxes > should be in existence at all. > -Allen > > >Billionaires' tax loophole could complicate passage of health reform > >--------------------------------------------------------------------------- > >Copyright 1996 Nando.net > >Copyright 1996 The Associated Press [...] > >Instead of imposing a large and immediate tax on wealthy citizenship > >renouncers, the House version tightens current law. It requires expatriates > >with a net worth of $500,000 or more to pay taxes on capital gains and > >other income from U.S.-based assets for 10 years after they renounce their > >citizenship. Uh. Hmmmmm. I refer you to section 877 of the current tax law. (a) In General.- Every nonresident alien individual who at any time after March 8, 1965, and within the 10 year period immediately preceding the close of the taxible year lost United States citizenship [unless he shows non-tax avoidance intent with the burden on taxpayer to make such showing] shall be taxable for such taxable year in the manner provided in subsection (b)... (b) Alternate Tax: [Imposes the larger of normal taxation calculation and the calculation with the source rules in (c)]. (c) Special Rules of Source.- For purposes of subsection (b), the following items of gross income shall be treated as income from sources within the United States: [Sale of real property or stocks and debt obligations] (end) In other words, you get taxed on capital gains and sale of stock or property as well as real income for 10 years after your expatriation if you cannot show you renounced citizenship for non-tax purposes. What precisely does this reporter think is being "tightened" in his or her version of the House bill? (Note that in current law there is no $500,000 floor). In fact the reporter hasn't bothered to describe what the provision really does. (Imposes a expatriation is taxable event analysis). Talk about a snow job. I won't say it is or is not advertant, but it's bloody annoying. > >The House version would be extremely difficult to enforce and would allow > >patient expatriates to avoid the tax by holding their assets for 10 years > >before selling, they say. In the interim, they could raise cash by > >borrowing against the assets. Which is the law today. What is with this guy? Get your facts straight media. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From angels at wavenet.com Mon Apr 29 05:03:58 1996 From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) Date: Mon, 29 Apr 1996 20:03:58 +0800 Subject: Freedom and security Message-ID: <v01510107a9e4964f3008@[198.147.118.206]> >No. "Those who sacrifice security for freedom, will have neither" is >not consistent with Franklin's statement, nor is it true. Security and >freedom are antithetical, and worse than that, security is always an >illusion. But you can have your illusion, as long as you keep it out of >my life. Censor yourself if you wish, but don't censor anything I might >want to look up. > The relationship / balance between security and freedom is always a defining factor in a society. My point is that a society with no laws and no codes of conduct is not a free society. This is not the same thing as saying that all societies need government. Small communities can and do operate without major legislation, using what sociologists refer to as "informal social controls", e.g. peer pressure. But even those small communities require and enforce boundaries on the conduct of their members. There is no society that tolerates the murder of its innocent members. The Internet may once have been one of those small close knit communities, small enough not to require law enforcement - although even then it had rules that had to be followed. But that Internet is gone, and it will never return, because now its the biggest city in the world, and the history of the change from pastoral communities to urban life, to the development of nation states and power blocs is also the history of crime. And as the Internet grows, so will its security problems. My position is to seek a balance between the freedom of the individual and the security of the community. My argument is that when the security of the community is threatened by the freedom of the individual, the community will always prioritise its safety. Good government of course means maintaining individual freedoms *and* maintaining community security. I actually disagree that they are antithetical. On the contrary they are a balance that any society has to find. Where individual freedom takes over you have the urban jungle where predators consume prey. Where security takes over you have the totalitarian state. Neither is necessary nor inevitable. We are simply concentrating on the problem from two different angles. My concern is to maximise community safety while protecting individual freedom. Your angle is to maximise individual freedom while protecting community safety. There is IMHO very little difference between the two. ********************************************************* Colin Gabriel Hatcher - CyberAngels Director angels at wavenet.com "Two people may disagree, but that does not mean that one of them is evil" ********************************************************* From hfinney at shell.portal.com Mon Apr 29 05:36:01 1996 From: hfinney at shell.portal.com (Hal) Date: Mon, 29 Apr 1996 20:36:01 +0800 Subject: The Joy of Java Message-ID: <199604290530.WAA25425@jobe.shell.portal.com> Somewhat independent of the security/safety issues regarding Java applets, there are also questions about their suitability for crypto applications. Applets currently labor under several restrictions (at least when part of the Netscape browser) which make it hard to do crypto: Applets cannot accept net connections, and they can only make outgoing connections to the host which provided them to the browser. Applets cannot read or write local disk files. Applets cannot access other local hardware, such as smart cards, printers, or microphones. These restrictions make several things difficult. Finding good sources of entropy for random numbers is hard. Applets do have millisecond resolution event timers (provided that the implementation keeps times to that resolution, of which there is no guarantee), so they can get some entropy by keystroke timings or mouse movements. But they have little access to disk files or other sources of environmental noise. Retaining secure information between runs is also hard. Specifically, there is no place to store key data other than by sending it to the server and having it put it somewhere. It would not be hard to have an applet which created a public key, but the key would have to be stored in an insecure location. So the best it could do would be to encrypt the key with a user specified pass phrase and hope that was strong enough. The restriction on connections makes other applications difficult. To make an applet which can send PGP compatible email it needs to be able to look up keys on the key servers. This can only work if the host serving the applet can look up keys for it. It has to be either running a key server or able to forward requests to one. This requirement makes the applet not "self contained" in that to put it on your web pages you also have to have this other infrastructure in place. Another problem is in trusting applets. Imagine an applet to help you participate in electronic commerce. Just type in your ecash pass phrase and it will help you open your ecash account and then charge you tiny amounts as you surf the web. But of course if the applet is capable of withdrawing small amounts, it would also be able to withdraw big amounts as well. It could drain your bank account before you knew it. Some of these problems might be fixed by giving applets limited access to disk files. But even then it would be risky to let an applet see your PGP secret key ring or ecash wallet. Signed applets can probably help with some of these as well. If Phil Zimmermann has signed the PGP applet, maybe you'll trust it as much as you trust the PGP executable. Likewise if Chaum has signed the ecash applet you'll trust it as much as you trust the ecash software. The thing to keep in mind is that you are already trusting people when you use their code, or virtually any code for that matter. PGP is special because source is available. Of course most people don't have any guarantee that your particular binary was built from the source that you see. But all the other software you run makes you vulnerable. How do you know that DOOM, for example, doesn't check to see if there is a network connection and send out your PGP secret key ring? You even have a pointer to it in your PGPPATH environment variable. Maybe that's unlikely because you'd see your modem lights flash suspiciously, but how about networking applications? Suppose Microsoft's Internet Explorer rummaged through key rings and wallets, piggybacking packets on your output data as you browse? You'd probably never know. So there are limits to how much safety you can expect. Hopefully with signed applets it will be OK to authorize some overrides of the current restrictions so that these other kinds of applications can be provided. Hal From icodesupport at ipro.com Mon Apr 29 05:37:24 1996 From: icodesupport at ipro.com (icodesupport at ipro.com) Date: Mon, 29 Apr 1996 20:37:24 +0800 Subject: Your I/CODE Message-ID: <199604290703.AAA12624@amperage.ipro.com> Thank you for registering. Your I/CODE is: adct0524. Please write it down since it will be useful at other WWW sites. Please note that the first four chracters of your icode are letters, and the rest and numbers...sometimes they look the same. Also, if you have chosen to protect your I/CODE with a password, our technical support staff will not be able to reveal your I/CODE or your personal information to you unless you can supply that password. Remember, as an I/CODE member, you get all these great benefits: SAVE TIME: You now have a password that will allow you to bypass registration forms at I/CODE-Accepting sites all over the Web. THE RED CARPET TREATMENT Your I/CODE is like a backstage pass to the best of the Web. When you use it, sites will give you access to special content, easy entry into sweepstakes, and more. IT'S FREE: Your I/CODE is free, and using it is free. Forever. Period. MORE INFO: For more information on I/CODEs, I/CODE benefits, and I/CODE sites, please visit the I/CODE Home Page at http://icode.ipro.com Thanks again for your interest, and GO! I/CODE! From nobody at REPLAY.COM Mon Apr 29 06:17:13 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 29 Apr 1996 21:17:13 +0800 Subject: Get your I/CODE today Message-ID: <199604290708.JAA14522@utopia.hacktic.nl> I just created a "cypherpunk" identity on I/PRO. Too bad they don't let you choose a nice string like "cypherpunk" to login with. The cypherpunks I/PRO code is: adct0524 (I told them that we live in Djibouti) From unicorn at schloss.li Mon Apr 29 06:46:30 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 29 Apr 1996 21:46:30 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.LNX.3.91.960428235747.1082B-100000@bmsysltd.demon.co.uk> Message-ID: <Pine.SUN.3.93.960429033853.11730B-100000@polaris.mindport.net> On Mon, 29 Apr 1996, Gus wrote: > On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > Part of the WhoWhere archives could have come from such sources. (personally > my address in netscape is stop.stealing at addresses.you.CENSORED) You should remove the profanity and instead put something like 'capon' or 'dingleberry.' This way perhaps they will publish the information or sell it to a client who might actually complain. > -- > Gus <angus at bmsysltd.demon.co.uk> |-|PGP Fingerprint = 73 83 C0 EA 2E A6 00 3E > http://www.thepulse.co.uk/angus |=|(Key on request) 08 B1 19 0D 8B BE 87 B9 > CIS 100545.720 |+| "Linux - You know you want to." | "fuck" > |Advertising/Promotional email will result in a campaign of hatred and abuse| --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From cwe at it.kth.se Mon Apr 29 07:21:58 1996 From: cwe at it.kth.se (Christian Wettergren) Date: Mon, 29 Apr 1996 22:21:58 +0800 Subject: trusting the processor chip In-Reply-To: <Pine.LNX.3.91.960428150426.2054A-100000@crash.suba.com> Message-ID: <199604290725.JAA08405@piraya.electrum.kth.se> The promised reference: "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems" Olin Silbert, Oxford Systems Inc, Phillip A Porras, The Aerospace Corp, Robert Lindell, --- " --- Abstract: An in-depth analysis of the 80x86 processor families identifies architectural properties that may have unexpected, and undesirable, results in secure computer systems. In addition, reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems. In this paper, we discuss the imbalance in scrutiny for hardware protection mechanisms relative to software, and why this imbalance is increasingly difficult to justify as hardware complexity increases. We illustrate this difficulty with examples of architectural subtleties and reported implementation errors. My comments: This is a high-security view paper, so they go on looking for all possible covert channels etc. Not what we are discussing here, perhaps. They note one problem with Page Access Control by the TCB through the VERR and VERW instructions. In some cases it is possible that these instructions leave "grant access" when they should have said the opposite. They note that the Timestamp Counter (TCS) in the pentium might give out high-resolution timing information. This can be used attack sw RSA running in another task for example, I believe. They have 102 flaw reports collected for 80386, 80486, Pentium. There are 8 major security flaws reported. "7. The bits of the I/O Permission Bitmap (IOPB) correspond to individual byte addresses in the I/O address space. The D0 step of the 386 permits access to certain addresses prohibited by the I/O bitamap: if a 4-byte access is performed, only 3 of the 4 relevant bytes are checked." There were 9 denial-of-service as well, here's one "LAL, LSL, VERR, VERW for a null (zero) selector (A1 step) [Turl88]" Quite fun reading, although I also recognizes that this kind of attack is a bit down on the list of best cost/effort ratios. -Christian From steve at edmweb.com Mon Apr 29 07:34:42 1996 From: steve at edmweb.com (Steve Reid) Date: Mon, 29 Apr 1996 22:34:42 +0800 Subject: PGP and pseudonyms In-Reply-To: <Pine.GUL.3.93.960428201204.13032R-100000@Networking.Stanford.EDU> Message-ID: <Pine.BSF.3.91.960429000141.11364B-100000@kirk.edmweb.com> > > I suppose a temporary fix would be to not use an ordinary PGP passphrase, > > but rather encrypt the whole secring.pgp file. Decrypt it when you need > > it, and be very careful to properly clean up when you're done. > Huh? > Just use multiple secring.pgp files, and toggle PGPPATH. What's the > problem? You don't understand the problem we're concerned about... The problem is, the "real" person is in posession of the pseudonym's secret PGP key, and PGP doesn't try to hide that fact. Suppose John Doe is using the pseudonym "Evil Bastard". Naturally, he has a PGP key for his Evil Bastard identity. Now suppose someone gets into his computer. This person would be able to find Evil Bastard's secret key. Fortunately, the snoop would not be able to use the key, since it would be encrypted with a secure PGP passphrase. However, they would still be able to use the command "pgp -kvv secring.pgp", and that shows the key ID of each secret key. The key ID is the lower 64 bits of the public key, but it's included in unencrypted form on the secret keyring as well, to identify the secret key. The person who snooped the secret keyring would be able to see that John Doe has the secret key with the ID of (for example) 13579BDF. Since the ID of Evil Bastard's well-known public key is also 13579BDF, the snoop now knows that John Doe is in posession of a secret key that corresponds to Evil Bastard's public key, which proves that John Doe *IS* Evil Bastard. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From llurch at networking.stanford.edu Mon Apr 29 08:53:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 29 Apr 1996 23:53:33 +0800 Subject: ANNOUNCING The WhoWhere? Hack Stanford Contest! In-Reply-To: <199604281351.GAA16852@parsecweb.com> Message-ID: <Pine.GUL.3.93.960428224543.13032V-100000@Networking.Stanford.EDU> FOR IMMEDIATE RELEASE ON CYPHERPUNKS A Publicly Available Announcement Hey folks! A challenge. Using only legal and ethical means that would not embarrass you at your IPO, and using only publicly available sources on the Internet, please describe in detail how you found: 1. Where and when "siockman at leland.stanford.EDU (Larry Schwimmer)" appeared in a publicly available source. NOTE: this is not Larry's real email address. 2. Where and when "sitn0001 at leland.stanford.EDU (SITN Account 0001)" appeared in a publicly available source. 3. Robert Tharp's kerberos principal @ir.stanford.edu. Note: this nym has no email address or home directory, just a kerberos principal. 4. The current names and email addresses of all whowhere.com and parsecweb.com affiliates. Employees of whowhere.com and their families are not eligible for prizes. Current and former affiliates of Stanford University are not eligible for prizes, whether you use Stanford computers for the solution or not. You must be able to demonstrate your solution from a private ISP such as whowhere.com or netcom.com; solutions requiring other than publicly available access to any major university's computer system will be disqualified. To be eligible for prizes, I request that the source NOT be made publicly available until I have had a chance to make it unavailable. A consolation prize may be awarded to the first person who identifies whowhere.com's answers for challenges 1 and 2. This may not be the same answer as was given above. Void where prohibited by law. Your mileage may vary. Trix are for kids. On Sun, 28 Apr 1996, Gunjan Sinha <gunjan at parsecweb.com> wrote: > I am sorry if you misunderstood my previous email. We are ex-Stanford > grad, not current students! I apologize for assuming that your message was written in standard english, using the normal and customary (and publicly available) meanings of words such as, "WhoWhere? is an effort by a team from Stanford GSB and engineering school," and for assuming that the use of the Stanford name on a number of publicly available web pages indicated an active Stanford affiliation. In retrospect, I recognize that these were typographical errors, just like the four glaring HTML bugs and handful of security holes we've found so far (which are now publicly available information). Please take care to avoid such misunderstandings in the future by refraining from introducing yourselves in these ways, especially where such claims are likely to become publicly available information. > The WhoWhere? database is collected through > a combination of technolofy, partnerships, and self-registrations by > end-users. > > Our content is from publicly available sources. No, some of it is clearly not. Or if we do have such a serious security breach, then Stanford is violating Federal laws concerning the privacy of student records, and I would very much like to fix the problem, because I do not wish to go to prison. As I asked you and your technical droid before, please let me know how you obtained the "SITN Account" entries without delay. If your selection of publicly available information repositories is not considered publicly available information, then I would be happy to sign a nondisclosure agreement. The fact that I have signed such a nondisclosure agreement would, of course, become publicly available information. Please identify the publicly available source that associates the name Larry Schwimmer with the email address siockman at leland.Stanford.EDU. We believe that this association only happened once, where it would not have become publicly available information. I have every hope that we will be able to settle this to our mutual satisfaction privately. It sucks for everyone when disagreements such as this become publicly available information. Oh, there are some other problems with your site and its management, but I'm sure you'll be able to find those problems, because they have been posted as publicly available information. .signature publicly available From jk at stallion.ee Mon Apr 29 10:09:42 1996 From: jk at stallion.ee (=?ISO-8859-1?Q?J=FCri_Kaljundi?=) Date: Tue, 30 Apr 1996 01:09:42 +0800 Subject: Cell Kill 2 In-Reply-To: <199604271851.OAA28554@pipe4.nyc.pipeline.com> Message-ID: <Pine.GSO.3.93.960429122853.21405C-100000@happyman> > The Russians seem to agree. On April 21, two Russian > laser-guided missiles reportedly zeroed in on the cellular > telephone of Dzhokhar M. Dudayev, leader of the Chechen > rebels, and killed him. As far as I know, he was using a satellite phone (probably Inmarsat) on open ground outside a building. They had been using satellite phones before, but usually they were transmitting one-way information only (either voice or video), which had been recorded before, so Dudajev was not near at the time of connections. This time it had to be two-way, because he was negotiating with Moscow officials. BTW Dudajev was living in Estonia for a long time (before he started fighting for Chechen independence), being the head of Russian air forces located in Estonia. Now the building where he was working has been reconstructed as an hotel, and there is a special Dudajev suite, in case someone is visiting Estonia :) Estonian people are also very supportive for Chechen fight for independence. Juri Kaljundi jk at stallion.ee AS Stallion From attila at primenet.com Mon Apr 29 10:13:31 1996 From: attila at primenet.com (attila) Date: Tue, 30 Apr 1996 01:13:31 +0800 Subject: code vs. cypher Message-ID: <199604290910.CAA20783@primenet.com> ** Reply to note from Rich Graves <llurch at networking.stanford.edu> 04/28/96 01:41am -0700 = Admitting that you pray -- now, that takes courage, well, in polite = circles in California it does. aahh, but I live in rural Utah where the closest large city has a population of less than 25,000! -- "When you know everything I do - and you will - you will never think of the American government in the same way again." -- Tim McVeigh's defense attorney, Stephen Jones cc: Cypherpunks <cypherpunks at toad.com> From jsw at netscape.com Mon Apr 29 10:21:14 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 30 Apr 1996 01:21:14 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file In-Reply-To: <Pine.OSF.3.91.960427180844.11803B-100000@bud.peinet.pe.ca> Message-ID: <318492FE.6AF7@netscape.com> Gus wrote: > > On Sat, 27 Apr 1996, Sentiono Leowinata wrote: > > > I wonder how they can get the e-mail address? Our finger daemon are > > blocked. Many un-broadcast e-mail addresses (the account never send any > > e-mails to anyone) are in the database. How? > > It's a sad fact that many unscrupulous(sp?) writers of WWW pages use > non-visilble "on load" HTML to record what the web browser thinks the > email address of the person browsing the page, and, I presume sell this > info to the junk email producers. > > Part of the WhoWhere archives could have come from such sources. (personally > my address in netscape is stop.stealing at addresses.you.CENSORED) We go to great pains to keep from revealing your e-mail address to a web site. Several of the fixes in 2.01 were for these sorts of problems. Given a current version of Netscape Navigator, how would a spam-king steal your e-mail address from his web page? --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From snow at crash.suba.com Mon Apr 29 10:26:56 1996 From: snow at crash.suba.com (Snow) Date: Tue, 30 Apr 1996 01:26:56 +0800 Subject: [NOISE] Was Re: CryptoAnarchy: What's... Is now a long ramble. In-Reply-To: <199604281221.AA01603@october.segno.com> Message-ID: <Pine.LNX.3.91.960429021504.2417C-100000@crash.suba.com> Oh god, I'd doomed. I think I am gonna wind up on Mr. Bells side in this one. Please also note that I am cc:ing this to an individual who is both more knowlegable about certain aspects of the following, and interested in certain aspects of this. On Sun, 28 Apr 1996 mkj at october.segno.com wrote: > Sandy Sandfort wrote: > > Income tax is the Godzilla of taxes. It is THE TAX when it comes > > to the US. (Perhaps VAT has a similar status elsewhere, but both, > > Most other arguments put forth so far in this thread, about how people > "won't stand for" certain government behaviors and so forth, I don't > find convincing. Modern military technologies, especially in the > U.S., make the prospects of a sucessful popular uprising dubious. I strongly disagree with this. (Especially within the US) Modern Military technology doesn't have a lot to do with it. It is modern stratagies and tactics that make things difficult. In a "popular uprising" (in quotes because most aren't) an organized armed group will devistate(spelling?) a mob, and the technology necessary to do this is at least 30 years old. Fine. So change the tactics. Instead of "Rising Up", simply use an ages old an respected solution. Take out the leaders. Note, I am _not_ suggesting Mr. Bells assination politics, rather, given a violent revolution, or the beginings of one, shorten it by taking those who make the policies you disagree with. The things is, you HAVE to wait until the violence breaks out, and you HAVE to do the job quickly, and take out as much of the leadership as possible, otherwise your job gets much more dificult. I am digressing. My point is not to advocate such actions, only to argue that it isn't the TECHNOLOGY that is the problem, rather the strategy. > When you cut off someone's air supply, even the nicest, gentlest > person will go into an unrestrained, murderous frenzy. I expect > something similar will happen to even the most "civilized" governments > within the next few years, as popular crypto begins to cut off their > money supply. As I see it, only those relatively few citizens who can > afford to flee will dare to resist. As a suggestion, and using your analogy, wouldn't it be better to either a) drug the person you are strangling so they don't notice, or to simply break their neck? (I.e. make it so they don't notice they are strangling until it is too late, if ever, or to do it so quickly that they don't have time to react? In this case I think the second would be the most difficult. > Which brings us to the "flight of capital" issue. Will nations be > able to compete freely for the loyalty of the rich? Or will the most > powerful nations form effective coalitions, and perhaps simply bomb > "rogue" nations into the stone age? You might want to take a look at http://lois.kud-fp.si/nsk. (Note, you must use a graphical browser) Has this been discussed before? This Nation/State called Neue Slowenische Kunst is issuing passports to anyone who is a citizen. Citizenship is confered (apparently) on anyone who is willing to agree to their "constitution". These passports are being accepted (apparently, tho' I couldn't find the list of counties that accept them.) I disagree quite strongly with MANY of the rules/laws that their constituion establishes, but the idea interests me. New Slovenia isn't a (at this point my command of the language breaks down, or maybe there isn't an exact word for it) State. Basically, it is a Nation without borders, where citizenship is a matter of allegence rather than geographical location/birth. I don't know a whole lot about it, as those particular pages are entirely GIFs, and I am not a patient person. It got me to thinking (yeah, you probably saw the smoke). The idea that citizenship--or whatever it would be called--is based on things other than nationality (although NSK is a nationalist organization) is not new, but with (Cypherpunk tie in) the ability for people to communicate freely across borders, would it be possible set up something similar along other lines? /* Semantic Note: from this point on in this ramble, Nation will be used to describe a political entity based on philosphical allegance ala NSK, and State will be used to describe a geographically based political entity */ It would be relatively easy to set up, but recognition/validity would be a major difficulty (Understatement). Convincing others as to the necessity would be damn near impossible tho'. (I am starting to think of many many more obsticles. Law enforcement etc) The major advantage would be the impossibility of convention (or nuclear) attack. Simply, no land, nothing for a military to take and hold. Then agression against this posited nation would either devolve into police actions on known "citizens" and/or economic "warfare". Economic warfare would take place against National banks (ala a digital cash type system) by States refusing to allow certain National banks to convert currency in their jurisdiction. etc. The intersting possiblity lies in the taxiation realm. As it becomes easier and easier to hide income via anonymity, these Nations or at least their bank[s] could act as arbiters/agents in taxation, paying the states for services rendered based on their population in a given state. Another possiblity: Seperation of Powers, the States deal with physical matters such as roads, parks etc. operating on Service based taxes (gas taxes for roads, entrance fees for Parks etc. VAT to pay for police & fire depts) and the Nations take care of economic interests such as financial security currency exchange etc. I think I am going to be thinking about this for a while. > The more I contemplate my "simple" question of yesterday, the more I > find myself getting into deep waters which I feel ill-equipped to > navigate. I rapidly run up against such imponderable questions as, > "What is government?" and "What is wealth, really?" Only one thing > is certain: We live in interesting times! Are these the deep waters you refer to? From snow at crash.suba.com Mon Apr 29 10:27:33 1996 From: snow at crash.suba.com (Snow) Date: Tue, 30 Apr 1996 01:27:33 +0800 Subject: Cell Kill 2 In-Reply-To: <Pine.HPP.3.91.960428210130.10419A-100000@cor.sos.sll.se> Message-ID: <Pine.LNX.3.91.960429034239.2417G-100000@crash.suba.com> On Sun, 28 Apr 1996, Asgaard wrote: > >On April 21, two Russian laser-guided missiles > >reportedly zeroed in on the cellular phone of Dzhokhar > ******** > -------------- > >he spoke to a Russian parliamentarian on a satellite phone. > ********* > > That the involved weaponry was laser guided might be misinformation. > Why not microwave signal guided? (I don't know what I'm talking about > here, of course. Perhaps satellite phones even implement GPS and > just tell where they are??). Use radio trianglation, and have an operative "near by" paint the most likely spot with a laser. Send in the missles. AFAIK, the human eye/mind is still the quickest discrimination system around. From gary at systemics.com Mon Apr 29 11:02:30 1996 From: gary at systemics.com (Gary Howland) Date: Tue, 30 Apr 1996 02:02:30 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <199604281543.RAA11268@digicash.com> Message-ID: <31849110.446B9B3D@systemics.com> bryce at digicash.com wrote: > Black Unicorn <unicorn at schloss.li> wrote: > (> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) > > > IIRC, currently Black Unicorn doesn't have any signatures on > > > his public key of others. Therefore, this requirement, while understandable, > > > could cause a bit of a difficulty in the current situation. > > > > Please obtain a copy of my current key by finger. > > Oh please. My respect for Uni's acumen just decremented a > couple of notches. A 2048-bit key, and no signatures? > Rather like a front door with welded plate armor and an open > window, no? > > Let's talk more off-list... Hang on! This is interesting - keep in on-list! What's the big deal about not having signed his own key? The only thing that signing your own key does is show the [claimed] id of the real keyholder. There's no scope for abuse. Claiming this to be an armour door and open window is overreacting a bit. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland <gary at systemics.com> Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From snow at crash.suba.com Mon Apr 29 11:18:40 1996 From: snow at crash.suba.com (Snow) Date: Tue, 30 Apr 1996 02:18:40 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <m0uDagf-00093GC@pacifier.com> Message-ID: <Pine.LNX.3.91.960429032151.2417D-100000@crash.suba.com> On Sun, 28 Apr 1996, jim bell wrote: > At 08:21 AM 4/28/96 -0400, mkj at october.segno.com wrote: > >Although they will almost certainly try to extract as much as possible > >from the poor, you can't get blood from a stone. Hence the size of > >U.S., make the prospects of a sucessful popular uprising dubious. > > Quite the contrary, I think that a "successful popular uprising" will > require only a very small investment in time and money, in which some of > they key players in government are targeted and the prospect exists for > easily and cheaply getting the rest. At that point they will resign in droves. Damnit, I KNEW I was gonna wind up agreeing with him. ;) > avoid taxation, the vast increase in information communicated by the > Internet is taking a huge amount of power away from the traditional media, > backer of the government in most cases. In addition, this information flow > is making it ever more difficult to pass abusive laws; if the government On the contrary, just as the increased communications let opponents know about the legislation, it also lets the proponents know, and they supposedly send faxes and email in support. > does something stupid in the morning, by noon they are being flooded with > faxes and emails. And the whole concept of having a "governement" tends to > be based on the assumption that people are incapable of making decisions for > themselves. That's an increasingly unrealistic position. Literacy rates are dropping, the High School Dropout rates are on the rise. Hell, listen to talk radio for a while, and you tell me if these are the people YOU want running the country. They are motivated enough to call in and/or vote, but they aren't motivated enough to actually stop and think about the subject, much less learn about it. I am not saying that the average person can't make good decesions, only that many of them are not equipped to sort out the complexites, nor are they willing to think long term about things. Unfortunately this is also true of our leadership. Petro, Chistopher C. petro at suba.com <prefered> snow at crash.suba.com From bryce at digicash.com Mon Apr 29 11:25:44 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 30 Apr 1996 02:25:44 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <31849110.446B9B3D@systemics.com> Message-ID: <199604291026.MAA09328@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- An entity callnig itself Gary Howland <gary at systemics.com> is alleged to have written: > > bryce at digicash.com wrote: > > > Black Unicorn <unicorn at schloss.li> wrote: > > (> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) > > > > IIRC, currently Black Unicorn doesn't have any signatures on > > > > his public key of others. Therefore, this requirement, while understandable, > > > > could cause a bit of a difficulty in the current situation. > > > > > > Please obtain a copy of my current key by finger. > > > > Oh please. My respect for Uni's acumen just decremented a > > couple of notches. A 2048-bit key, and no signatures? > > Rather like a front door with welded plate armor and an open > > window, no? > > > > Let's talk more off-list... > > Hang on! This is interesting - keep in on-list! If we did, we'd have to kill you. 8-) > What's the big deal about not having signed his own key? > > The only thing that signing your own key does is show the > [claimed] id of the real keyholder. There's no scope for > abuse. Claiming this to be an armour door and open window > is overreacting a bit. Okay this is on-list because I have propagated disinformation and I'm trying to propagate the correction: for some reason I, and apparently E. ALLEN SMITH, got a copy of Black Uni's key which was devoid of signatures of any kind. My complaint was that this made it utterly open to MITM attacks. I was mistaken about Uni's key's lack of signatures though, and I apologized for saying the above. Actually, Black Uni's key via finger has two signatures (not counting his own): Sandy Sandfort (whose key has no signatures, as far as my copy of it goes), and loki at obscura.com (whose key has 22 signatures, only 3 of which are from keys that I can find copies of not counting loki's own). more later, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYSZZEjbHy8sKZitAQHB5wMA03m0NqNCMX0OjVdsQ+Kh7J6ZTPL3SJ/+ CqtrcrMly14cgBlDj4lWzXDZCHv179h8hyt0Y/zIG4fcnY+anUjFAN9vvUapqIxc PkeH27XuCN1JfeJCH/eTiy0Hzf6+nN5J =GbtJ -----END PGP SIGNATURE----- From bryce at digicash.com Mon Apr 29 11:42:37 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 30 Apr 1996 02:42:37 +0800 Subject: My nym: Statement In-Reply-To: <Pine.SUN.3.93.960428215100.25014G-100000@polaris.mindport.net> Message-ID: <199604290904.LAA03436@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- An entity calling itself Black Unicorn <unicorn at schloss.li> probably wrote: > +++++ BEGIN PGP SIGNED MESSAGE (VERIFIED) (bap v1.1b2) +++++ > > I thought I would take a moment to discuss my nym, given the Web of Trust > issues floating about right now. <snip> > The man in the middle problem with my nym is not really an issue as far as > I can tell. I suppose someone might argue that they wouldn't want to mail > me anything asking for legal advice for fear it might be intercepted and > returned to them with disinformation attached. As these are people I > generally don't know, it's equally likely to them that I am simply an > agent provocateur who has no man in the middle problems. I find that less likely, personally. In any case it should be understood that they are separate threats, which should be considered separately. Solving one will not solve the other, but by leaving _both_ unsolved you increase your risk. > From my end, man in the middle attacks are difficult to use against me > because those with whom I have extensive business and personal > communications know me well enough to permit end to end verification > through seperate secure channels. (I use secure telephones regularly, and > this permits voice recognition). I apologize for mistakenly thinking that you had no signatures. Furthermore, I take back what I said about you not being sufficiently conscious of man in the middle attacks. So now we have connections to the Web O Trust, and some degree of confidence that you are alert to the possibility of MITM attacks. All I need to do is assure myself that each person between you and I on the Web O Trust is similarly engaging in counter-MITM measures... Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYSGMkjbHy8sKZitAQHHRgMAuq9/J3OacbGAUICrb2SaMfKrqY6AGnmP 2yOLDoNcokSfz+EUtcLEAHWUcXAXSqsK6CWFeMSniLb/uTYKNXzovh6lZ92AvkJu ynazcyAOtZYjDvlTkaFzdN2o1Ca3W2DI =A5Gy -----END PGP SIGNATURE----- From bryce at digicash.com Mon Apr 29 11:43:09 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 30 Apr 1996 02:43:09 +0800 Subject: Bold Assertion: there are no Men in the Middle Message-ID: <199604290915.LAA04182@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- I have the intuition that there has never been a successful MITM attack which has subverted the use of PGP authentication. If we could be sure of this hypothesis, then we could go about creating a strongly linked Web O Trust and then use it from now until such a future time as 1024-bit PGP keys are brute forceable. We could also use it to bootstrap bigger keys, a wider and more strongly- connected Web O Trust, etc. I can't think of any good way to test this hypothesis, however. One thing that we _could_ test is the difficulty of performing such an attack. If I had the cash, I would post a reward for anyone who could successfully run a demo MITM attack on two unsuspecting stooges. I would (of course) specify with more precision what would constitute a successful attack, how it would be proven to me that the attack was successful and so forth. But I don't have sufficient cash to motivate such a trick, and there would be some very complicated ethical and logistic questions about performing it. I still have a strong intuition that I could keep my cash if I made such a proposal and gave it a few simple stipulations (such as that the attacker would have to forge important material in the victim's name rather than just use the attack to eavesdrop...). The successful attacker would have to have the ability to get in the middle of TCP/IP connections as well as perhaps telephone connections, as well as have formidable computational and "social-engineering" (really: "-cracking") resources. more later, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYSIhkjbHy8sKZitAQHKYwL+Mj/4G5JW5F+v6w3+PqIIacC1BBNfnHqR rO5ra8bFAeGwz7vmIcmyQAxU/3PW/jjsLv0lo5f0j4eiQ/iDBYUjVUKKWfjDMzSi qIj1HNiHOq1eZ+M1rqvchwVRFTZazXsi =YUmd -----END PGP SIGNATURE----- From robert at infopoint.ie Mon Apr 29 11:43:38 1996 From: robert at infopoint.ie (Robert Fahy) Date: Tue, 30 Apr 1996 02:43:38 +0800 Subject: No Subject Message-ID: <09335874100046@infopoint.ie> unsubcribe robert at infopoint.ie From bryce at digicash.com Mon Apr 29 11:46:18 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 30 Apr 1996 02:46:18 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <199604290521.WAA21769@atropos.c2.org> Message-ID: <199604290846.KAA01661@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- sameer at c2.org wrote: (> Black Unicorn <unicorn at schloss.li> wrote:) > > (Sigh). I'll say it yet a third time. Get a current copy of my key which > > is signed by at least three people on the web of trust. > > As if this "web of trust" was actually worth something. It is most certainly worth something, as long as the participants exercise the necessary measures to detect and correct any active attacks on it. The primary reason that the Web O Trust is ineffective at this point is the prevalence of misunderstandings among users (including cypherpunks) about its usage and its efficacy. As an example of these prevalent misunderstandings, I submit to you the fact that PGP keyservers do not use PGP, either for encryption or authentication. If you suggest it to them (or indeed, to most cypherpunks) they will respond that it would "do no good". Ridiculous. It's a shame really, since if we _did_ have the wits to create a Web O Trust now, it would serve to prevent active attacks in the future. Hopefully the public key infrastructure people will come up with something that will replace the WoT and will be more understandable or acceptable to people. In the meantime, I cannot have much confidence in the security of my private communications with Black Unicorn, which makes me hesitant to exchange money with him. Unfortunate that cypherpunks are so ineffectual when it comes to "social engineering" (not in the "social cracking" sense). Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYSB8kjbHy8sKZitAQEuhwL/YDwOJB9pFP2Fbj0DBMvN8byLm4O3XwTK klt5SOkS4ahKoE04bzTAMb2HhyX4xGyGxJD/dbB0FxJSHRSpI5Th/6Jk6UNNQrMe 6GppN1HO2yHA5muxNxwWiERk0XGNtaFN =jMKu -----END PGP SIGNATURE----- From cp at proust.suba.com Mon Apr 29 14:05:16 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Tue, 30 Apr 1996 05:05:16 +0800 Subject: The Joy of Java In-Reply-To: <199604290530.WAA25425@jobe.shell.portal.com> Message-ID: <199604290929.EAA02285@proust.suba.com> [All of Hal's excellent post deleted] Everyone on this list is shooting for military grade security, and Hal's just given us a lot of reasons why it's going to be hard to achieve that with Java applets. I'm not sure that list proves that Java applets are completely unsuitable for crypto applications, though. I don't that the general public is ever going to have military grade security. (I don't think I will either, for that matter.) Most people don't have the discipline or the knowledge to use their tools properly. They'll pick weak passphrases, let other people have access to their computer, or not pay enough attention to plaintext disk residue. "The best shouldn't be the enemy of the good." The thing that's important is to set up workable and accssible systems that are good under everyday (typical) use, and that don't impose many limits on how secure individual users can make themselves. Java applets and applications taken together could be good at that. Most people probably pick weak PGP passphrases, and they probably don't bother to edit the letters they intend to encrypt on a ramdisk. But people who have reason or the inclination to careful can avoid these pitfalls and communicate with more security than more casual users. The things that make PGP worth using are (a) even casual users get a lot more security than they would have without PGP, and (b) it's possible to get just about as much security as is possible with anything if you use PGP properly. The point is that a java applet that implements a mixmaster client might not be nearly as secure as the unix C version, but if one existed it would still (right now, at least) be the best way to send anonymous mail for a comparatively naive user. It would fit into a larger mixmaster system that provides more security for people who are willing and able to invest the effort it takes to run the unix version. And better yet, shouldn't it be possible to set things up so that almost all of the code in a crypto applet could be reused in a crypto application that's more secure? Most crpto programs will need entropy, and that's hard to come by in a java applet; a java application should have an easier time of it. Why not write two versions of an entropy generator, one for applets, and one for applications, so that someone who writes a mixmaster applet can get a better mixmaster application for just a little more work? Isn't this sort of code reusability supposed to be what OOP is all about? Couldn't Hal's list of applet problems serve as the basis of two packages, one for applets, and another for applications? Each problem would have a method associated with it in each version of the package. Maybe the applet package would have a routine to write a file, encrypted with a passphrase, on a central server. The same routine in the application package would write the file, encrypted with a passphrase, to a local disk. Ideally, we'd have a mixmaster applet, with an explanation on the same page that says the stand alone application would be more secure, and a link to download it. Does this make sense? From anonymous-remailer at shell.portal.com Mon Apr 29 14:49:40 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 30 Apr 1996 05:49:40 +0800 Subject: Former CIA Director and *Strategic Investment* Editor missing Message-ID: <199604291106.EAA02347@jobe.shell.portal.com> CNN is reporting that Colby's canoe has been found on the Potomac and Colby is missing. From jya at pipeline.com Mon Apr 29 16:00:59 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Apr 1996 07:00:59 +0800 Subject: BOW_itz Message-ID: <199604291242.IAA05717@pipe1.nyc.pipeline.com> 4-29-96 WSJ has page one leader on the December federal bust of Bernard Oskar Bowitz, an EE peddling gear for cellular piracy. It lays out the cyber-tracking and -trapping. "This case offers a glimpse into the crime in the 21st century," scowls a US Attorney. Bowitz derises, "I'm very flattered to hear they think I'm a mastermind. I think they're watching too many Arnold Schwarzenegger movies." BOW_itz (but see below) ----- WSJ opens a pay-for-it Web site today: www.wsj.com From m5 at vail.tivoli.com Mon Apr 29 17:04:21 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Tue, 30 Apr 1996 08:04:21 +0800 Subject: Freedom and security In-Reply-To: <v01510107a9e4964f3008@[198.147.118.206]> Message-ID: <3184BA68.1AEC@vail.tivoli.com> CyberAngels Director : Colin Gabriel Hatcher wrote: > The relationship / balance between security and freedom is always a > defining factor in a society. My point is that a society with no laws and > no codes of conduct is not a free society. You have your definition of "free", and others have theirs. > My position is to seek a balance between the freedom of the individual and > the security of the community. My argument is that when the security of > the community is threatened by the freedom of the individual, the community > will always prioritise its safety. Good government of course means > maintaining individual freedoms *and* maintaining community security. I > actually disagree that they are antithetical. On the contrary they are a > balance that any society has to find. If they weren't antithetical, there'd be no need for a balance. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From jya at pipeline.com Mon Apr 29 17:44:23 1996 From: jya at pipeline.com (John Young) Date: Tue, 30 Apr 1996 08:44:23 +0800 Subject: WSJ on Crypto Push Message-ID: <199604291431.KAA03328@pipe2.nyc.pipeline.com> WSJ, April 29, 1996 Software-Scrambling Proponents Pushing To Ease Export Curbs New York -- Champions of encryption software -- computer programs that scramble data to thwart eavesdroppers -- this week will step up efforts to loosen export restrictions on the technology. Sen. Conrad Burns (R., Mont.) is expected to introduce tomorrow a bill that would ease the federal government's export rules. At the same time, industry-trade groups and privacy advocates will seek grass-roots support via the Internet. Current regulations limit the export of encryption software to weak systems that are presumed easy for intelligence and law-enforcement organizations to crack. The Clinton administration has opposed the sale of stronger systems, saying terrorists or other foes could use them to conduct operations without being monitored. But technology executives contend these regulations hamper their ability to compete overseas. And because the regulations govern any software that incorporates the technology to keep data secure, they can impede exports of electronic-mail systems, World Wide Web software and other Internet-related packages. "Right now, the industry is just wondering whether the administration will deal with this before we start losing market share," said D. James Bidzos, chief executive officer of RSA Data Security Inc., a Redwood City, Calif., concern that supplies encryption software. The new bill would give software makers free rein to sell scrambling systems overseas as long as the same systems are widely available in the U.S. Other encryption technologies could be exported as well if similar products are already generally available outside the U.S. ----- From frissell at panix.com Mon Apr 29 17:50:05 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 30 Apr 1996 08:50:05 +0800 Subject: Social Transformation, Not Tax Evision Message-ID: <2.2.32.19960429142827.00727a88@popserver.panix.com> -----BEGIN PGP SIGNED MESSAGE----- That's not a threat. It's a promise. Cypherpunks have many different political and ethical views. Like other denizens of the Net, some tend towards libertarianism. In fact, some of us argued five years ago or more that the culture of the net was inherently libertarian because making realistic threats of force was difficult over a communications medium. People just hang up on you. Since the best way to get on in electronic interactions is to offer something somebody wants and use third party guarantor systems to assure the payment in cases where payment is required, people would get used to non-coercive mechanisms of exchange and this would shape their general attitudes. Note that 95% of the world's population were once peasants bound to the soil. They had zero status. They were born one place and were stuck there until they died. This was ordained by God. When the age of reason and the machine came along, the productivity and hence the value of peasants exploded. They were able to leave the land and work in factories. Even though they looked like they were worse off, the earliest factory workers were vastly wealthier than they had been on the land. The ancien regime was destroyed by technology. Since then, we have experienced the Century of Death during which national states murdered more than 100 million people. In 1995, the Government of the United States collected under threat of force some $1.4 Trillion in exactions. More than any government in the history of Mankind. Today's regimes seem as natural to us as did the former arrangements which bound the peasants in thrall. They are ordained by God. Once the peasants had an out, they flocked to the cities and they continue to do so today in the Third world. Some of us on cypherpunks merely predict that when freed of the restraints imposed by the modern nation state, today's "peasants" will do the same. For the factory and the city substitute cyberspace. Social systems that are "ordained by God" are often discovered to actually be sustained by secular power and when the balance of power shifts... DCF "God fights on the side with the heaviest artillery. These days MarketEarth has the heaviest artillery." -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYTRMYVO4r4sgSPhAQEufwP/bmZyYmNpBAMDJcAQ+enFvZDeCZwcMtvi 1wCuUsRvLmUcNlgYzDyVB22Pu03hi5TwG2+juFIMJ+QYJwCgApMtqI/lixlnuiuB SGua/yATB/AJ+Yg+l/cd8uY4GLKTWENlvlfFq1gMcqlRSGf+niAfalmvmoeTeBxv fBwG4T2MGoo= =NWDL -----END PGP SIGNATURE----- From anon-remailer at utopia.hacktic.nl Mon Apr 29 17:50:17 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Tue, 30 Apr 1996 08:50:17 +0800 Subject: No Subject Message-ID: <199604290734.JAA15398@utopia.hacktic.nl> Fm: E. Fudd <fudd at loony.org> I've been fowwowing de concepts of digitaw cash and encwyption, since I wead de awticwe in de August 1992 issue of Scientific Amewican on "encwypted signatuwes." Whiwe I've onwy fowwowed de Digitawibewty awea fow a few weeks, I can awweady see a numbew of points dat do (and shouwd!) stwongwy concewn de avewage savvy individuaw: 1. How can we twanswate de fweedom affowded by de Intewnet to owdinawy wife? 2. How can we keep de govewnment fwom banning encwyption, digitaw cash, and odew systems dat wiww impwove ouw fweedom? A few monds ago, I had a twuwy and qwite witewawwy "wevowutionawy" idea, and I jokingwy cawwed it "Assassination Powitics": I specuwated on de qwestion of whedew an owganization couwd be set up to _wegawwy_ announce eidew dat it wouwd be awawding a cash pwize to somebody who cowwectwy "pwedicted" de deaf of one of a wist of viowatows of wights, usuawwy eidew govewnment empwoyees, officehowdews, ow appointees. It couwd ask fow anonymous contwibutions fwom de pubwic, and individuaws wouwd be abwe send dose contwibutions using digitaw cash. I awso specuwated dat using modewn medods of pubwic-key encwyption and anonymous "digitaw cash," it wouwd be possibwe to make such awawds in such a way so dat nobody knows who is getting awawded de money, onwy dat de awawd is being given, uh-hah-hah-hah. Even de owganization itsewf wouwd have no infowmation dat couwd hewp de audowities find de pewson wesponsibwe fow de pwediction, wet awone de one who caused de deaf. It was not my intention to pwovide such a "tough nut to cwack" by awguing de genewaw case, cwaiming dat a pewson who hiwes a hitman is not guiwty of muwdew undew wibewtawian pwincipwes. Obviouswy, de pwobwem wif de genewaw case is dat de victim may be totawwy innocent undew wibewtawian pwincipwes, which wouwd make de kiwwing a cwime, weading to de qwestion of whedew de pewson offewing de money was himsewf guiwty. On de contwawy; my specuwation assumed dat de "victim" is a govewnment empwoyee, pwesumabwy one who is not mewewy taking a paycheck of stowen tax dowwaws, but awso is guiwty of extwa viowations of wights beyond dis. (Govewnment agents wesponsibwe fow de Wuby Widge incident and Waco come to mind.) In weceiving such money and in his vawious acts, he viowates de "Non-aggwession Pwincipwe" (NAP) and dus, pwesumabwy, any acts against him awe not de initiation of fowce undew wibewtawian pwincipwes. De owganization set up to manage such a system couwd, pwesumabwy, make up a wist of peopwe who had sewiouswy viowated de NAP, but who wouwd not see justice in ouw couwts due to de fact dat deiw actions wewe done at de behest of de govewnment. Associated wif each name wouwd be a dowwaw figuwe, de totaw amount of money de owganization has weceived as a contwibution, which is de amount dey wouwd give fow cowwectwy "pwedicting" de pewson's deaf, pwesumabwy naming de exact date. "Guessews" wouwd fowmuwate deiw "guess" into a fiwe, encwypt it wif de owganization's pubwic key, den twansmit it to de owganization, possibwy using medods as untwaceabwe as putting a fwoppy disk in an envewope and tossing it into a maiwbox, but mowe wikewy eidew a cascade of encwypted anonymous wemaiwews, ow possibwy pubwic-access Intewnet wocations, such as tewminaws at a wocaw wibwawy, etc. In owdew to pwevent such a system fwom becoming simpwy a wandom unpaid wottewy, in which peopwe can wandomwy guess a name and date (hoping dat wightning wouwd stwike, as it occasionawwy does), it wouwd be necessawy to detew such wandom guessing by weqwiwing de "guessews" to incwude wif deiw "guess" encwypted and untwaceabwe "digitaw cash," in an amount sufficientwy high to make wandom guessing impwacticaw. Fow exampwe, if de tawget was, say, 50 yeaws owd and had a wife expectancy of 30 yeaws, ow about 10,000 days, de amount of money weqwiwed to wegistew a guess must be at weast 1/10,000d of de amount of de awawd. In pwactice, de amount weqwiwed shouwd be faw highew, pewhaps as much as 1/1000 of de amount, since you can assume dat anybody making a guess wouwd feew sufficientwy confident of dat guess to wisk 1/1000d of his potentiaw wewawd. De digitaw cash wouwd be pwaced inside de outew "encwyption envewope," and couwd be decwypted using de owganization's pubwic key. De pwediction itsewf (incwuding name and date) wouwd be itsewf in anodew encwyption envewope inside de fiwst one, but it wouwd be encwypted using a key dat is onwy known to de pwedictow himsewf. In dis way, de owganization couwd decwypt de outew envewope and find de digitaw cash, but dey wouwd have no idea what is being pwedicted in de innewmost envewope, eidew de name ow de date. If, watew, de "pwediction" came twue, de pwedictow wouwd pwesumabwy send yet anodew encwypted "envewope" to de owganization, containing de decwyption key fow de pwevious "pwediction" envewope, pwus a pubwic key (despite its name, to be used onwy once!) to be used fow encwyption of digitaw cash used as payment fow de awawd. De owganization wouwd appwy de decwyption key to de pwediction envewope, discovew dat it wowks, den notice dat de pwediction incwuded was fuwfiwwed on de date stated. De pwedictow wouwd be, dewefowe, entitwed to de awawd. Nevewdewess, even den nobody wouwd actuawwy know WHO he is! It doesn't even know if de pwedictow had anyding to do wif de outcome of de pwediction, uh-hah-hah-hah. If it weceived dese fiwes in de maiw, in physicaw envewopes which had no wetuwn addwess, it wouwd have buwned de envewopes befowe it studied deiw contents. De wesuwt is dat even de active coopewation of de owganization couwd not possibwy hewp anyone, incwuding de powice, to wocate de pwedictow.) Awso incwuded widin dis "pwediction-fuwfiwwed" encwyption envewope wouwd be unsigned (not-yet-vawid) "digitaw cash," which wouwd den be bwindwy signed by de owganization's bank and subseqwentwy encwypted using de pubwic key incwuded. (De pubwic key couwd awso be pubwicized, to awwow membews of de pubwic to secuwewy send deiw comments and, possibwy, fuwdew gwatefuw wemunewation to de pwedictow, secuwewy.) De wesuwting encwypted fiwe couwd be pubwished openwy on de Intewnet, and it couwd den be decwypted by onwy one entity: De pewson who had made dat owiginaw, accuwate pwediction, uh-hah-hah-hah. De wesuwt is dat de wecipient wouwd be absowutewy untwaceabwe. De digitaw cash is den pwocessed by de wecipient by "unbwinding" it, a pwincipwe which is expwained in faw gweatew detaiw by an awticwe in de August 1992 issue of Scientific Amewican, uh-hah-hah-hah. De wesuwting digitaw cash is absowutewy untwaceabwe to its souwce. Dis ovewaww system achieves a numbew of goaws. Fiwst, it totawwy hides de identity of de pwedictow to de owganization, which makes it unnecessawy fow any potentiaw pwedictow to "twust" dem to not weveaw his name ow wocation, uh-hah-hah-hah. Secondwy, it awwows de pwedictow to make his pwediction widout weveawing de actuaw contents of dat pwediction untiw watew, when he chooses to, assuwing him dat his "tawget" cannot possibwy get eawwy wawning of his intent. (and "faiwed" pwedictions need nevew be weveawed). In fact, he needs nevew weveaw his pwediction unwess he wants de awawd. Diwd, it awwows de pwedictow to anonymouswy gwant his awawd to anyone ewse he chooses, since he may give dis digitaw cash to anyone widout feaw dat it wiww be twaced. Fow de owganization, dis system awso pwovides a numbew of advantages. By hiding de identity of de pwedictow fwom even it, de owganization cannot be fowced to weveaw it, in eidew civiw ow cwiminaw couwt. Dis shouwd awso shiewd de owganization fwom wiabiwity, since it wiww not know de contents of any "pwediction" untiw aftew it came twue. (Even so, de owganization wouwd be dewibewatewy kept "poow" so dat it wouwd be judgment-pwoof.) Since pwesumabwy most of de waws de owganization might be accused of viowating wouwd weqwiwe dat de viowatow have specific ow pwiow knowwedge, keeping itsewf ignowant of as many facts as possibwe, fow as wong as possibwe, wouwd pwesumabwy make it vewy difficuwt to pwosecute. [end pawt 1] [pawt 2] "At de Viwwage Pizza shop, as dey wewe sitting down to consume a peppewoni, Dowody asked Jim, 'So what odew inventions awe you wowking on?" Jim wepwied, 'I've got a new idea, but it's weawwy wevowutionawy. Witewawwy WEVOWUTIONAWY.' 'Okay, Jim, which govewnment awe you pwanning to ovewdwow?,' she asked, pwaying awong. 'Aww of dem,' answewed Jim." Powiticaw Impwications Imagine fow a moment dat as owdinawy citizens wewe watching de evening news, dey see an act by a govewnment empwoyee ow officehowdew dat dey feew viowates deiw wights, abuses de pubwic's twust, ow misuses de powews dat dey feew shouwd be wimited. A pewson whose actions awe so abusive ow impwopew dat de citizenwy shouwdn't have to towewate it. What if dey couwd go to deiw computews, type in de miscweant's name, and sewect a dowwaw amount: De amount dey, demsewves, wouwd be wiwwing to pay to anyone who "pwedicts" dat officehowdew's deaf. Dat donation wouwd be sent, encwypted and anonymouswy, to a centwaw wegistwy owganization, and be totawed, wif de totaw amount avaiwabwe widin seconds to any intewested individuaw. If onwy 0.1% of de popuwation, ow one pewson in a dousand, was wiwwing to pay $1 to see some govewnment swimebaww dead, dat wouwd be, in effect, a $250,000 bounty on his head. Fuwdew, imagine dat anyone considewing cowwecting dat bounty couwd do so wif de madematicaw cewtainty dat he can't possibwy be identified, and couwd cowwect de wewawd widout meeting, ow even tawking to, anybody who couwd watew identify him. Pewfect anonymity, pewfect secwecy, and pewfect secuwity. And dat, combined wif de ease and secuwity wif which dese contwibutions couwd be cowwected, wouwd make being an abusive govewnment empwoyee an extwemewy wisky pwoposition, uh- hah-hah-hah. Chances awe good dat nobody above de wevew of county commissionew wouwd even wisk staying in office. Just how wouwd dis change powitics in Amewica? It wouwd take faw wess time to answew, "What wouwd wemain de same?" No wongew wouwd we be ewecting peopwe who wiww tuwn awound and tax us to deaf, weguwate us to deaf, ow fow dat mattew sent hiwed dugs to kiww us when we oppose deiw wishes. No miwitawy? One of de attwactive potentiaw impwications of such a system wouwd be dat we might not even need a miwitawy to pwotect de countwy. Any dweatening ow abusive foweign weadew wouwd be subject to de same contwibution/assassination/wewawd system, and it wouwd opewate just as effectivewy ovew bowdews as it does domesticawwy. Dis countwy has weawned, in numewous exampwes subseqwent to many waws, dat once de powiticaw disputes between weadews has ceased, we (owdinawy citizens) awe abwe to get awong pwetty weww wif de citizens of odew countwies. Cwassic exampwes awe post-WWII Gewmany, Japan, and Itawy, and post-Soviet Wussia, de Eastewn bwoc, Awbania, and many odews. Contwawy exampwes awe dose in which de powiticaw dispute wemains, such as Nowf Kowea, Vietnam, Iwaq, Cuba, Wed China, and a few odews. In aww of dese exampwes, de opposing weadewship was NOT defeated, eidew in waw ow in an intewnaw powew stwuggwe. Cweawwy, it is not de PEOPWE who maintain de dispute, but de weadewship. Considew how histowy might have changed if we'd been abwe to "bump off" Wenin, Stawin, Hitwew, Mussowini, Tojo, Kim Iw Sung, Ho Chi Minh, Ayatowwah Khomeini, Saddam Hussein, Moammaw Khadafi, and vawious odews, awong wif aww of deiw wepwacements if necessawy, aww fow a measwy few miwwion dowwaws, wadew dan de biwwions of dowwaws and miwwions of wives dat subseqwent waws cost. But dat waises an intewesting qwestion, wif an even mowe intewesting answew. "If aww dis is so easy, why hasn't dis been done befowe?" I mean, waws awe destwuctive, costwy, and dangewous, so why hasn't some smawt powitician figuwed out dat instead of fighting de entiwe countwy, we couwd just 'zewo' de few bad guys on de top? De answew is qwite weveawing, and stwikingwy "wogicaw": If we can kiww DEIW weadews, dey can kiww OUW weadews too. Dat wouwd avoid de waw, but de weadewship on bof sides wouwd be dead, and guess who is making de decisions about what to do? Dat's wight, de WEADEWS! And de weadews (bof deiws and ouws!) wouwd wadew see 30,000,000 owdinawy peopwe die in WWII dan wose deiw own wives, if dey can get away wif it. Same in Kowea, Vietnam, Guwf Waw, and numewous odew disputes awound de gwobe. You can see dat as wong as we continue to awwow weadews, bof "ouws" and "deiws," to decide who shouwd die, dey wiww AWWAYS choose de owdinawy peopwe of each countwy. One weason de weadews have been abwe to avoid dis sowution is simpwe: Whiwe it's compawativewy easy to "get away wif muwdew," it's a wot hawdew to wewawd de pewson who does it, and dat pewson is definitewy taking a sewious wisk. (Most muwdews awe sowved based on some pwiow wewationship between de muwdew and victim, ow obsewvations of witnesses who know eidew de muwdewew ow de victim.) Histowicawwy, it has been essentiawwy impossibwe to adeqwatewy motivate a assassin, ensuwing his safety and anonymity as weww, if onwy because it has been impossibwe to PAY him in a fowm dat nobody can twace, and to ensuwe de siwence of aww potentiaw witnesses. Even if a pewson was wiwwing to die in de act, he wouwd want to know dat de peopwe he chooses wouwd get de wewawd, but if dey demsewves wewe identified dey'd be tawgets of wevenge. Aww dat's changed wif de advent of pubwic-key encwyption and digitaw cash. Now, it shouwd be possibwe to announce a standing offew to aww comews dat a wawge sum of digitaw cash wiww be sent to him in an untwaceabwe fashion shouwd he meet cewtain "conditions," conditions which don't even have to incwude pwoving (ow, fow dat mattew, even cwaiming) dat he was somehow wesponsibwe fow a deaf. I bewieve dat such a system has twemendous impwications fow de futuwe of fweedom. Wibewtawians in pawticuwaw (and I'm a wibewtawian) shouwd pay pawticuwaw attention to de fact dat dis system "encouwages" if not an anawchist outcome, at weast a minawchist (minimaw govewnment) system, because no wawge govewnmentaw stwuctuwe couwd even suwvive in its cuwwent fowm. In fact, I wouwd awgue dat dis system wouwd sowve a potentiaw pwobwem, occasionawwy postuwated, wif de adoption of wibewtawianism in one countwy, suwwounded by non-wibewtawian states. It couwd have weasonabwy been suspected dat in a gwaduaw shift to a wibewtawian powiticaw and economic system, wemnants of a non-wibewtawian system such as a miwitawy wouwd have to suwvive, to pwotect society against de dweats wepwesented by foweign states. Whiwe cewtainwy pwausibwe, it wouwd have been hawd fow an avewage naive pewson to imagine how de countwy wouwd maintain a $250 biwwion miwitawy budget, based on vowuntawy contwibutions. De easy answew, of couwse, is dat miwitawy budgets of dat size wouwd simpwy not happen in a wibewtawian society. Mowe pwobwematic is de qwestion of how a countwy wouwd defend itsewf, if it had to waise it defenses by vowuntawy contwibution, uh-hah-hah-hah. An eqwawwy simpwistic answew is dat dis countwy couwd pwobabwy be defended just fine on a budget 1/2 to 1/3 of de cuwwent budget. Twue, but dat misses de point. De weaw answew is even simpwew. Wawge awmies awe onwy necessawy to fight de odew wawge awmies owganized by de weadewship of odew, non-wibewtawian states, pwesumabwy against de wiww of deiw citizenwy. Once de pwobwem posed by _deiw_ weadewship is sowved (as weww as ouws; eidew by deiw own citizenwy by simiwaw anonymous contwibutions, ow by ouws), dewe wiww be no wawge awmies to oppose. [end of pawt 2] [pawt 3] In de 1960's movie, "De Domas Cwown Affaiw," actow Steve McQween pways a bowed muwti-miwwionaiwe who fights tedium by awwanging weww-pwanned high-yiewd bank wobbewies. He hiwes each of de wobbews sepawatewy and anonymouswy, so dat dey can neidew identify him ow each odew. Dey awwive at de bank on scheduwe, sepawatewy but simuwtaneouswy, compwete de wobbewy, den sepawate fowevew. He pays each wobbew out of his own funds, so dat de money cannot be twaced, and he keeps de pwoceeds of each wobbewy. In my wecent essay genewawwy titwed "Digitawibewty," ow eawwiew "Assassination powitics," I hypodesized dat it shouwd be possibwe to WEGAWWY set up an owganization which cowwects pewfectwy anonymous donations sent by membews of de pubwic, donations which instwuct de owganization to pay de amount to any pewson who cowwectwy guesses de date of deaf of some named pewson, fow exampwe some un-favowite govewnment empwoyee ow officehowdew. De owganization wouwd totawize de amounts of de donations fow each diffewent named pewson, and pubwish dat wist (pwesumabwy on de Intewnet) on a daiwy ow pewhaps even an houwwy basis, tewwing de pubwic exactwy how much a pewson wouwd get fow "pwedicting" de deaf of dat pawticuwaw tawget. Moweovew, dat owganization wouwd accept pewfectwy anonymous, untwaceabwe, encwypted "pwedictions" by vawious means, such as de Intewnet (pwobabwy dwough chains of encwypted anonymous wemaiwews), US maiw, couwiew, ow any numbew of odew means. Dose pwedictions wouwd contain two pawts: A smaww amount of untwaceabwe "digitaw cash," inside de outew "digitaw envewope," to ensuwe dat de "pwedictow" can't economicawwy just wandomwy choose dates and names, and an innew encwypted data packet which is encwypted so dat even de owganization itsewf cannot decwypt it. Dat data packet wouwd contain de name of de pewson whose deaf is pwedicted, and de date it is to happen, uh-hah- hah-hah. Dis encwypted packet couwd awso be pubwished, stiww encwypted, on de Intewnet, so as to be abwe to pwove to de wowwd, watew, dat SOMEBODY made dat pwediction befowe it happened, and was wiwwing to "put money on it" by incwuding it in outside de innew encwypted "envewope." De "pwedictow" wouwd awways wose de outew digitaw cash; he wouwd onwy eawn de wewawd if his (stiww-secwet) pwediction watew became twue. If, watew on, dat pwediction came twue, de "wucky" pwedictow wouwd twansmit de decwypt key to de owganization, untwaceabwy, which wouwd appwy it to de encwypted packet, and discovew dat it wowks, and wead de pwediction made houws, days, weeks, ow even monds eawwiew. Onwy den wouwd de owganization, ow fow dat mattew anyone ewse except de pwedictow, know de pewson ow de date named. Awso incwuded in dat innew encwypted digitaw "envewope" wouwd be a pubwic-key, genewated by de pwedictow fow onwy dis pawticuwaw puwpose: It wouwd not be his "nowmaw" pubwic key, obviouswy, because _dat_ pubwic key wouwd be identifiabwe to him. Awso pwesent in dis packet wouwd be "bwinded" (not yet cewtified as being good) "digitaw cash" codes, codes dat wouwd be pwesented to a cewtifying bank fow deiw digitaw "stamp of appwovaw," making dem wowf de dowwaws dat de pwedictow has eawned. (Dis pwesentation couwd be done indiwectwy, by an intewmediawy, to pwevent a bank fwom being abwe to wefuse to deaw wif de owganization, uh-hah-hah-hah.) Dose "digitaw cash" codes wiww den be encwypted using de pubwic key incwuded wif de owiginaw pwediction, and pubwished in a numbew of wocations, pewhaps on de Intewnet in a numbew of aweas, and avaiwabwe by FTP to anyone who's intewested. (It is assumed dat dis data wiww somehow get to de owiginaw pwedictow. Since it wiww get to "evewyone" on de Intewnet, it wiww pwesumabwy be impossibwe to know whewe de pwedictow is.) Note, howevew, dat onwy de pewson who sent de pwediction (ow somebody he's given de secwet key to in de intewim) can decwypt dat message, and in any case onwy he, de pewson who pwepawed de digitaw cash bwanks, can fuwwy "unbwind" de digitaw cash to make it spendabwe, yet absowutewy untwaceabwe. (Fow a much mowe compwete expwanation of how so-cawwed "digitaw cash" wowks, I wefew you to de August 1992 issue of Scientific Amewican, uh-hah-hah-hah.) Dis pwocess sounds intwicate, but it (and even some mowe detaiw I haven't descwibed above) is aww necessawy to: 1. Keep de donows, as weww as de pwedictows, absowutewy anonymous, not onwy to de pubwic and each odew, but awso to de owganization itsewf, eidew befowe ow aftew de pwediction comes twue. 2. Ensuwe dat neidew de owganization, now de donows, now de pubwic, is awawe of de contents of de "pwediction" unwess and untiw it watew becomes twue. (Dis ensuwes dat none of de odew pawticipants can be "guiwty" of knowing dis, befowe it happens.) 3. Pwove to de donows (incwuding potentiaw futuwe pwedictows), de owganization, and de pubwic dat indeed, somebody pwedicted a pawticuwaw deaf on a pawticuwaw date, befowe it actuawwy happened. 4. Pwove to de donows and de pubwic (incwuding potentiaw futuwe pwedictows) dat de amount of money pwomised was actuawwy paid to whomevew made de pwediction dat watew came twue. Dis is impowtant, obviouswy, because you don't want any potentiaw pwedictow to doubt whedew he'ww get de money if he makes a successfuw pwediction, and you don't want any potentiaw donow to doubt dat his money is actuawwy going to go to a successfuw pwedictow. 5. Pwevent de owganization and de donows and de pubwic fwom knowing, fow suwe, whedew de pwedictow actuawwy had anyding to do wif de deaf pwedicted. Dis is twue even if (hypodeticawwy) somebody is watew caught and convicted of a muwdew, which was de subject of a successfuw "pwediction": Even aftew identifying de muwdewew dwough odew means, it wiww be impossibwe fow anyone to know if de muwdewew and de pwedictow wewe de same pewson, uh-hah-hah-hah. 6. Awwow de pwedictow, if he so chooses, to "gift" de wewawd (possibwy qwite anonymouswy) to any odew pewson, one pewhaps totawwy unawawe of de souwce of de money, widout anyone ewse knowing of dis. Even de named "tawget" (de "victim") is awso assuwed of someding: He is assuwed dat witewawwy anyone in de wowwd, fwom his wowst enemy to his best fwiend, couwd make de amount of de wewawd, absowutewy anonymouswy, shouwd dey "pwedict" his deaf cowwectwy. At dat point, he wiww have no fwiends. Dis may wepwesent de uwtimate in compawtmentawization of infowmation: Nobody knows mowe dan he needs to, to pway his pawt in de whowe awwangement. Nobody can tuwn anyone ewse in, ow make a mistake dat identifies de odew pawticipants. Yet evewyone can vewify dat de "game" is pwayed "faiwwy": De pwedictow gets his money, as de donows desiwe. Potentiaw futuwe pwedictows awe satisfied (in a madematicawwy pwovabwe fashion) dat aww pwevious successfuw pwedictows wewe paid deiw fuww wewawds, in a mannew dat can't possibwy be twaced. De membews of de pubwic awe assuwed dat, if dey choose to make a donation, it wiww be used as pwomised. Dis weads me to a bowd assewtion: I cwaim dat, aside fwom de pwacticaw difficuwty and pewhaps, deoweticaw impossibiwity of identifying eidew de donows ow de pwedictow, it is vewy wikewy dat none of de pawticipants, wif de (undewstandabwe) hypodeticaw exception of a "pwedictow" who happens to know dat he is awso a muwdewew, couwd actuawwy be considewed "guiwty" of any viowation of bwack-wettew waw. Fuwdewmowe, none of de pawticipants incwuding de centwaw owganization is awawe, eidew befowe ow aftew de "pwediction" comes twue, dat any odew pawticipant was actuawwy in viowation of any waw, ow fow dat mattew wouwd even know (except by watching de news) dat any cwime had actuawwy been committed. Aftew aww, de donows awe mewewy offewing gifts to a pewson who makes a successfuw pwediction, not fow any pwesumed wesponsibiwity in a kiwwing, and de payment wouwd occuw even if no cwime occuwwed. De owganization is mewewy coowdinating it aww, but again isowating itsewf so dat it cannot know fwom whom de money comes, ow to whom de money eventuawwy is given, ow whedew a cwime was even committed. (Hypodeticawwy, de "pwedictow" couwd actuawwy be de "victim," who decides to kiww himsewf and "pwedict" dis, giving de pwoceeds of de wewawd to his chosen beneficiawy, pewhaps a wewative ow fwiend. Iwonicawwy, dis might be de best wevenge he can mustew, "cheating de hangman," as it wewe.) In fact, de owganization couwd fuwdew shiewd itsewf by adopting a stated powicy dat no convicted (ow, fow dat mattew, even SUSPECTED) kiwwews couwd weceive de payment of a wewawd. Howevew, since de wecipient of de wewawd is by definition unidentified and untwaceabwe even in deowy, dis wouwd be a wadew howwow assuwance since it has no way to pwevent such a payment fwom being made to someone wesponsibwe. [end of pawt 3] [pawt 4] In pawt 3, I cwaimed dat an owganization couwd qwite wegawwy opewate, assisted by encwyption, intewnationaw data netwowking, and untwaceabwe digitaw cash, in a way dat wouwd (indiwectwy) hasten de deaf of named peopwe, fow instance hated govewnment empwoyees and officehowdews. I won't attempt to "pwove" dis, fow weasons dat I dink wiww be obvious. Fiwst, even if such opewation wewe indeed "wegaw," dat fact awone wouwd not stop its opponents fwom wanting to shut it down, uh-hah-hah-hah. Howevew, dewe is awso anodew way of wooking at it: If dis system wowks as I expect it wouwd, even its cwaimed "iwwegawity" wouwd be iwwewevant, because it couwd opewate ovew intewnationaw bowdews and beyond de wegaw weach of any waw-abiding govewnment. Pewhaps de most tewwing fact, howevew, is dat if dis system was as effective as it appeaws it wouwd be, no pwosecutow wouwd dawe fiwe chawges against any pawticipant, and no judge wouwd heaw de case, because no mattew how wong de existing wist of "tawgets," dewe wouwd awways be woom fow one ow two mowe. Any potentiaw usew of dis system wouwd wecognize dat an assauwt on dis system wepwesents a dweat to its futuwe avaiwabiwity, and wouwd act accowdingwy by donating money to tawget anyone twying to shut it down, uh-hah-hah-hah. Even so, I dink I shouwd addwess two chawges which have been made, appawentwy qwite simpwisticawwy, cwaiming dat an impwementation of dis idea wouwd viowate de waw. Specificawwy: "Conspiwacy to commit muwdew" and "mispwision of fewony." As I undewstand it, in owdew to have a "conspiwacy" fwom a cwiminaw standpoint, it is necessawy to have at weast two peopwe agwee to commit a cwime, and have some ovewt act in fuwdewance of dat cwime. Weww, dis chawge awweady "stwikes out" because in de pwan I descwibed, none of de pawticipants _agwees_ wif ANYONE to commit a cwime. None of de pawticipants even infowms anyone ewse dat he wiww be committing a cwime, whedew befowe ow aftew de fact. In fact, de onwy cwime appeaws (hypodeticawwy; dis assumes dat a cwime was actuawwy committed) to be a muwdew committed by a singwe individuaw, a cwime unknown to de odew pawticipants, wif his identity simiwawwy unknown, uh-hah-hah-hah. Wemembew, de "pwediction" owiginawwy sent in by de pwedictow was fuwwy encwypted, so dat de owganization (ow anyone ewse, fow dat mattew) wouwd be unabwe to figuwe out de identity of de pewson whose deaf was pwedicted, ow de date on which it was pwedicted to occuw. Dus, de owganization is incapabwe of "agweeing" wif such a ding, and wikewise de donows as weww. Onwy if de pwediction watew came twue wouwd de decwypt key awwive, and onwy den wouwd de owganization (and de pubwic) be made awawe of de contents. Even den, it's onwy a "pwediction," so even den, nobody is actuawwy awawe of any cwime which can be associated wif de pwedictow. "Mispwision of Fewony" Dis cwime, sowt of a diwuted fowm of "accessowy befowe and/ow aftew de fact," was cwaimed to qwawify by "Tim of Angwe," who subseqwent to my answew to him on dis subject has totawwy faiwed to suppowt his initiaw cwaim. (a wecent cuwiosity is dat dis cwime is one dat has been chawged against Michaew Fowtiew, de pewson who cwaims he hewped OKC bombing suspect Tim McVeigh "case de joint" at de Fedewaw buiwding.) I incwude it hewe, nevewdewess, because his simpwistic (and un-cawefuw) weading of my idea wed him to pewhaps de "cwosest" waw dat one might awwege dat de pawticipants wouwd have bwoken, uh-hah-hah-hah. Tim cwaimed: TOA> No. Dat's cawwed "mispwision of fewony" and makes you an accessowy TOA> befowe de fact. Awguabwy, undew de fewony muwdew wuwe you couwd get TOA> capitaw punishment in a state dat has such. Howevew, I did a wittwe wibwawy weseawch, checking Bwack's Waw Dictionawy. Hewe is de entwy fow dis item: "Mispwision of fewony. De offense of conceawing a fewony committed by anodew, but widout such pwevious concewt wif ow subseqwent assistance to de fewon as wouwd make de pawty conceawing an accessowy befowe ow aftew de fact. United State s v. Pewwstein, C.C.A.n, uh-hah-hah-hah.J., 126 F.2d 789, 798. Ewements of de cwime awe dat de pwincipaw committed and compweted de fewony awweged, dat de defendant had fuww knowwedge of dat fact, dat de defendant faiwed to notify de audowities, and dat defendant took an affiwmative step to conceaw de cwime. U.S. v. Ciambwone, C.A. Nev., 750 F.2d 1416, 1417. Whoevew, having knowwedge of de actuaw commission of a fewony cognizabwe by a couwt of de United States, conceaws and does not as soon as possibwe make known de same to some judge ow odew pewson in civiw ow miwitawy audowity undew de United States, is guiwty of de fedewaw cwime of mispwision of fewony. 18 U.S.C.A 4." See awso Obstwucting Justice. ++++++++++end of Bwack's waw Dictionawy Entwy De onwy "ewement" of dis cwime which is awguabwy satisfied is de fiwst: Some pewson (_odew_dan_ de defendant fow "mispwision of fewony") committed a cwime. De second ewement faiws misewabwy: "... dat de defendant had fuww knowwedge of dat fact... " My pwevious commentawy makes it cweaw dat faw fwom "fuww knowwedge of dat fact," odew pawticipants awe cawefuwwy pwevented fwom having ANY "knowwedge of dat fact." De diwd ewement, "..dat de defendant faiwed to notify de audowities..." is awso essentiawwy non-existent: No odew pawticipants have any infowmation as to de identity of a pwedictow, ow his wocation, ow fow dat mattew whedew he has had any invowvement in any sowt of cwime. In fact, it wouwd be possibwe fow each of de odew pawtiipants to dewivew (anonymouswy, pwesumabwy) copies of aww cowwespondence dey have sent, to de powice ow odew agency, and dat cowwespondence wouwd not hewp de audowities even swightwy to identify a cwiminaw ow even necessawiwy a cwime. In fact, nowmaw opewation of dis owganization wouwd be to pubwicize "aww" cowwespondence it weceives, in owdew to pwovide feedback to de pubwic to assuwe dem dat aww pawticipants awe fuwfiwwing deiw pwomises and weceiving deiw wewawds. Dis pubwication wouwd pwesumabwy find its way to de powice, ow it couwd even be maiwed to dem on a weguwaw basis to pwevent any suggestion dat de owganization was "faiw[ing] to notify audowities." Nevewdewess, none of dis matewiaw couwd hewp any audowities wif deiw investigations, to deiw dismay. De fouwf and wast ewement of de cwime of "mispwision of fewony", "...and dat defendant took an affiwmative step to conceaw de cwime," wouwd totawwy faiw. De owganization wouwd not " conceaw" de cwime. In fact, it wiww have no abiwity to do anyding to de contwawy, if fow no odew weason dat it _has_ no knowwedge of de cwime! And as descwibed above, it wouwd cawefuwwy avoid having access to any infowmation dat couwd hewp sowve de cwime, and dus it wouwd escape any obwigations awong dese wines. Summawy: In hindsight, it is not suwpwising dat such an owganization couwd opewate wegawwy widin de US, awdough at weast initiawwy not widout powiticaw opposition, uh-hah-hah-hah. Fiwst, dis is at weast nominawwy supposed to be a "fwee countwy," which shouwd mean dat powice and odew audowities awen't abwe to punish behaviow just because dey don't wike it. Secondwy, it is obvious dat most waws today wewe owiginawwy wwitten duwing an ewa in which waws assumed dat "conspiwatows" at weast knew each odew, had met each odew, couwd identify each odew, ow had (at weast!) tawked to each odew. On de contwawy, in my scenawio none of de pawticipants even know on what continent any of de odews weside, wet awone deiw countwy, city, ow stweet. Dey don't know what dey wook wike, sound wike, ow fow dat mattew even "type wike": None of deiw pwose, save a few spawse "pwedictions," evew get communicated to anyone ewse, so even text-compawison pwogwams wouwd faiw to "tawget" anyone. Eqwawwy suwpwising (to dose who owiginawwy wwote de waws against "conspiwacy") wouwd be "Pewson A's" abiwity to satisfy himsewf dat "Pewson B" desewves de awawd, widout knowing dat "Pewson B" is (ow is not) actuawwy wesponsibwe fow a pawticuwaw deaf. [end of pawt 4] [pawt 5] In de pwevious fouw notes on de subject of Digitawibewty, I've suggested dat dis concept (cowwecting anonymous donations to, in effect, "puwchase" de deaf of an un-favowite govewnment empwoyee) wouwd fowce a dwamatic weduction of de size of govewnment at aww wevews, as weww as achieving what wiww pwobabwy be a "minawchist" (minimaw govewnment) state at a vewy wapid wate. Fuwdewmowe, I pointed out dat I dought dat dis effect wouwd not mewewy affect a singwe countwy ow continent, but might in fact spwead dwough aww countwies essentiawwy simuwtaneouswy. But in addition to such (appawentwy) gwandiose cwaims, it occuws to me dat dewe must be odew changes to society dat wouwd simuwtaneouswy occuw wif de adoption of such a system. Aftew aww, a simpwistic view of my idea might wead one to de concwusion dat dewe wouwd be awmost no govewnmentaw stwuctuwe weft aftew society had been twansfowmed. Since ouw cuwwent "cwiminaw justice system" today is based totawwy on de concept of "big govewnment," dis wouwd wead a naive pewson to wondew how concepts such as "justice," "faiwness," "owdew," and fow dat mattew pwotection of individuaw wights can be accompwished in such a society. Indeed, one common deme I've seen in cwiticisms of my idea is de feaw dat dis system wouwd wead to "anawchy." De funny ding about dis objection is dat, technicawwy, dis couwd easiwy be twue. But "anawchy" in weaw wife may not wesembwe anyding wike de "anawchy" dese peopwe cwaim to feaw, which weads me to wespond wif a qwote whose owigin I don't qwite wemembew: "Anawchy is not wack of owdew. Anawchy is wack of OWDEWS." Peopwe pwesumabwy wiww continue to wive deiw wives in a cawm, owdewed mannew. Ow, at weast as cawm and owdewed as dey WANT to. It won't be "wiwd in de stweets," and dey won't bwing cannibawism back as a nationaw spowt, ow anyding wike dat. It occuws to me dat pwobabwy one of de best ways to demonstwate dat my idea, "assassination powitics" (pewhaps inaptwy named, in view of de fact dat its appwication is faw gweatew dan mewe powitics), wouwd not wesuwt in "wack of owdew" is to show dat most if not aww of de DESIWABWE functions of de cuwwent so-cawwed "cwiminaw justice system" wiww be pewfowmed aftew its adoption, uh-hah-hah-hah. Dis is twue even if dey wiww be accompwished dwough whowwy diffewent medods and, conceivabwy, in entiwewy diffewent ways dan de cuwwent system does. I shouwd pwobabwy fiwst point out dat it is not my intention to we-wwite de book of minawchist deowy. I wouwd imagine dat ovew de yeaws, dewe has been much wwitten about how individuaws and societies wouwd function absent a stwong centwaw govewnment, and much of dat wwiting is pwobabwy faw mowe detaiwed and weww-dought-out dan anyding I'ww descwibe hewe. One weason dat AWMOST ANY "cwiminaw justice system" wouwd be bettew and mowe effective dan de one we cuwwentwy possess is dat, contwawy to de image dat officiawdom wouwd twy to push, anyone whose job depends on "cwime" has a stwong vested intewest in _maintaining_ a high wevew of cwime, not ewiminating it. Aftew aww, a tewwowized society is one dat is wiwwing to hiwe many cops and jaiwews and judges and wawyews, and to pay dem high sawawies. A safe, secuwe society is not wiwwing to put up wif dat. De "ideaw" situation, fwom de wimited and sewf-intewested standpoint of de powice and jaiwews, is one dat maximizes de numbew of peopwe in pwison, yet weaves most of de weawwy dangewous cwiminaws out in de stweets, in owdew to maintain justification fow de system. Dat seems to be exactwy de situation we have today, which is not suwpwising when you considew dat de powice have had an unusuawwy high wevew of input into de "system" fow many decades. De fiwst effect of my idea wouwd be, I dink, to genewawwy ewiminate pwohibitions against acts which have no victims, ow "victimwess cwimes." Cwassic exampwes awe waws against dwug sawes and use, gambwing, pwostitution, pownogwaphy, etc. Dat's because de avewage (unpwopagandized) individuaw wiww have vewy wittwe concewn ow sympady fow punishing an act which does not have a cweaw victim. Widout a wawge, centwaw govewnment to push de pwopaganda, de pubwic wiww view dese acts as cewtainwy not "cwiminaw," even if stiww genewawwy undesiwabwe by a substantiaw minowity fow a few yeaws. Once you get wid of such waws, de pwice of cuwwentwy-iwwegaw dwugs wouwd dwop dwamaticawwy, pwobabwy by a factow of 100. Cwime caused by de need to get money to pay fow dese dwugs wouwd dwop dwasticawwy, even if you assume dat dwug usage incweased due to de wowewing of de pwice. Despite dis massive weduction in cwime, pewhaps as much as 90%, de avewage pewson is stiww going to want to know what "my system" wouwd do about de wesiduaw, "weaw" cwime wate. You know, muwdew, wape, wobbewy, buwgwawy, and aww dat. Weww, in de spiwit of de idea, a simpwistic intewpwetation wouwd suggest dat an individuaw couwd tawget de cwiminaw who victimizes him, which wouwd put an end to dat cwiminaw caweew. Some might object, pointing out dat de cwiminaw is onwy identified in a minowity of cwimes. Dat objection is technicawwy cowwect, but it's awso a bit misweading. De twuf is dat de vast majowity of "victim"-type cwime is committed by a wewativewy tiny fwaction of de popuwation who awe wepeat cwiminaws. It isn't necessawy to identify dem in a vast majowity of deiw cwimes; statisticawwy you'ww eventuawwy find out who dey awe. Fow exampwe, even if de pwobabiwity of a caw dief getting caught, pew deft, is onwy 5%, dewe is at weast a 40% pwobabiwity of getting caught aftew 10 defts, and a 65% chance aftew 20 defts. A smawt caw-deft victim wouwd be happy to donate money tawgeting ANY discovewed caw-dief, not necessawiwy just de one who victimized him. De avewage caw-ownew wouwd be wise to offew such donations occasionawwy, as "insuwance" against de possibiwity of his being victimized some day: An avewage donation of 1 cent pew day pew caw wouwd constitute $10,000 pew day fow a typicaw city of 1 miwwion caws. Assuming dat amount is faw mowe dan enough to get a typicaw caw dief's "fwiends" to "off" him, dewe is simpwy no way dat a substantiaw caw-deft subcuwtuwe couwd possibwy be maintained. Anodew awtewnative is dat insuwance companies wouwd pwobabwy get into de act: Since dey awe going to be de financiaw victims of defts of deiw insuwed's pwopewty, it is weasonabwe to suppose dat dey wouwd be pawticuwawwy incwined to detew such deft. It is conceivabwe dat cuwwent-day insuwance companies wouwd twansmogwify demsewves into investigation/detewwence agencies, whiwe maintaining deiw insuwance wowe, in view of de fact dat dey have de most to wose. Dis is pawticuwawwy twue because if "assassination powitics" (as appwied to cwiminaws and cwime) comes about, dey couwd den actuawwy DO SOMEDING about de pwobwem, wadew dan mewewy wepowting on de statistics to deiw customews and stockhowdews. Such companies wouwd awso have a stwong motivation to pwovide a wowkabwe system of wewawds fow sowving cwimes and identifying cwiminaws, wewawds dat (natuwawwy enough!) can be given out totawwy anonymouswy. Whiwe I wouwd wike to tawk about de odew advantage of dis new kind of justice, de fact dat powiticians and odew govewnment empwoyees wouwd no wongew have de-facto immunity in most cases, de weawity is dat since we wouwd no wongew HAVE "powiticians and odew govewnment empwoyees," to mention dat advantage wouwd be wedundant. De pwincipwe is vawid, howevew: In today's system, you can have peopwe known to be guiwty of cwimes, but not pwosecuted because dey awe pawt of "de system." Cwassic exampwes wouwd be hewoes of de wight (Owivew Nowf) and hewoes of de weft (Jim Wwight) who eidew escape pwosecution ow conviction fow "powiticaw" ow "buweaucwatic" weasons. Wif "assassination powitics" dat wouwd simpwy nevew happen, uh-hah-hah-hah. [end pawt 5] From jimbell at pacifier.com Mon Apr 29 18:11:16 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Apr 1996 09:11:16 +0800 Subject: Former CIA Director and *Strategic Investment* Editor missing Message-ID: <m0uDvBL-00097LC@pacifier.com> At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: >CNN is reporting that Colby's canoe has been found on the Potomac and >Colby is missing. Don't tell me, let me guess: The guy who rented the canoe to him has suddenly retired, and has been reportedly seen going on a Park Avenue shopping spree. Right? Jim Bell jimbell at pacifier.com From sandfort at crl.com Mon Apr 29 18:44:27 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Tue, 30 Apr 1996 09:44:27 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <199604291026.MAA09328@digicash.com> Message-ID: <Pine.SUN.3.91.960429074505.26735A-100000@crl6.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Mon, 29 Apr 1996 bryce at digicash.com wrote: > Actually, Black Uni's key via finger has two signatures (not > counting his own): Sandy Sandfort (whose key has no > signatures, as far as my copy of it goes), I had only one signature on my key. It was Phil Zimmermann's, but it's one he has since revoked. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From raph at CS.Berkeley.EDU Mon Apr 29 19:03:08 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 30 Apr 1996 10:03:08 +0800 Subject: List of reliable remailers Message-ID: <199604291401.HAA19162@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = "<remail at miron.vip.best.com> cpunk pgp special"; $remailer{"portal"} = "<hfinney at shell.portal.com> cpunk pgp hash"; $remailer{"alumni"} = "<hal at alumni.caltech.edu> cpunk pgp hash"; $remailer{"bsu-cs"} = "<nowhere at bsu-cs.bsu.edu> cpunk hash ksub"; $remailer{"c2"} = "<remail at c2.org> eric pgp hash reord"; $remailer{"penet"} = "<anon at anon.penet.fi> penet post"; $remailer{"hacktic"} = "<remailer at utopia.hacktic.nl> cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = "<remailer at flame.alias.net> cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = "<homer at rahul.net> cpunk pgp hash filter"; $remailer{"mix"} = "<mixmaster at remail.obscura.com> cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = "<remailer at bi-node.zerberus.de> cpunk pgp hash ksub ek"; $remailer{"robo"} = "<robo at c2.org> cpunk hash mix"; $remailer{"replay"} = "<remailer at replay.com> cpunk mix pgp hash latent cut post ek"; $remailer{"rmadillo"} = "<remailer at armadillo.com> mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = "<cpunk at remail.ecafe.org> cpunk mix"; $remailer{"wmono"} = "<wmono at valhalla.phoenix.net> cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = "<remailer at shinobi.alias.net> cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = "<amnesia at chardos.connix.com> cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = "<mix at remail.gondolin.org> cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = "<remailer at tjava.com> cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = "<pamphlet at idiom.com> cpunk pgp hash latent cut ?"; $remailer{'alpha'} = '<alias at alpha.c2.org> alpha pgp'; $remailer{'gondonym'} = '<alias at nym.gondolin.org> alpha pgp'; $remailer{"lead"} = "<mix at zifi.genetics.utah.edu> cpunk pgp hash latent cut ek"; $remailer{"treehole"} = "<remailer at mockingbird.alias.net> cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = "<remailer at meaning.com> cpunk pgp hash latent cut"; $remailer{"exon"} = "<remailer at remailer.nl.com> cpunk pgp hash latent cut ek"; $remailer{"vegas"} = "<remailer at vegas.gateway.com> cpunk pgp hash latent cut"; $remailer{"haystack"} = "<haystack at holy.cow.net> cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = "<ncognito at gate.net> mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 29 Apr 96 6:49:00 PDT remailer email address history latency uptime ----------------------------------------------------------------------- exon remailer at remailer.nl.com ****#**##*** 1:45 100.00% alpha alias at alpha.c2.org +-*+++*+-+++ 40:43 99.98% hacktic remailer at utopia.hacktic.nl ***++**+**** 8:30 99.94% replay remailer at replay.com ************ 5:19 99.83% portal hfinney at shell.portal.com *### ##### :47 99.67% lead mix at zifi.genetics.utah.edu ++++++++++++ 42:25 99.66% c2 remail at c2.org +-***+*+++++ 36:32 99.61% penet anon at anon.penet.fi __--_-__.. 42:42:24 99.51% extropia remail at miron.vip.best.com ----.------ 7:35:32 99.50% flame remailer at flame.alias.net --------+++ 3:30:28 99.17% ecafe cpunk at remail.ecafe.org -#*+++- #* 39:04 99.04% mix mixmaster at remail.obscura.com ____.+___. 41:32:58 98.77% shinobi remailer at shinobi.alias.net +*--****-*- 1:47:17 97.87% haystack haystack at holy.cow.net #*#++## #+* 2:59 97.64% alumni hal at alumni.caltech.edu *###+#+*## 2:01 94.64% vegas remailer at vegas.gateway.com + __.-##- .- 15:19:58 91.82% amnesia amnesia at chardos.connix.com --------- 2:59:30 70.08% treehole remailer at mockingbird.alias.net -.--+++ + 5:07:02 59.68% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From raph at cs.berkeley.edu Mon Apr 29 19:13:22 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Tue, 30 Apr 1996 10:13:22 +0800 Subject: code vs cypher In-Reply-To: <199604290602.XAA02064@dns2.noc.best.net> Message-ID: <3184D638.188C00D4@cs.berkeley.edu> jamesd at echeque.com wrote: > > At 10:01 PM 4/28/96 -0700, Rich Graves wrote: > > I do not recall defending any statist policies. I did not defend the > > [SMC call to silence Nazis], and indeed to defend the > > [SMC ] would not have been > > egregious statism, or indeed any kind of statism at all, > > I do not recall anyone accusing you of statism on the SMC call to cut > Nazi net access -- probably because I deleted all that tedious crap, > not because nobody accused you. [blah blah blah deleted] I just wanted to point out that, for those who had any remaining doubt, the evolution of this thread demonstrates quite well the need for a separate coderpunks list. Raph From wb8foz at nrk.com Mon Apr 29 19:46:23 1996 From: wb8foz at nrk.com (David Lesher) Date: Tue, 30 Apr 1996 10:46:23 +0800 Subject: NOISE - AARMs In-Reply-To: <9604282326.AA01174@pig.die.com> Message-ID: <199604291501.LAA01169@nrk.com> > Why the Russians did not use this technology earlier > remains puzzling ... and why Dudeyev used a satellite phone > which made him a sitting duck is even less clear. > > Dave Emery > die at die.com > But there has been an easy defense against such for decades. You run ordinary phone wire from the transmitter + antenna X meters back to the bunker or whatever. Then you talk from there. X varies as afunction of the expected incoming. I bought some surplus 1950's era field telephones with this option built it -- they had a 150v B-battery [NOW i'm dating myself] that was dropped across the pair when you squeezed the handset Push-to-Talk. At the far end, a relay closed & turned on the transmitter. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From ses at tipper.oit.unc.edu Mon Apr 29 21:09:47 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 30 Apr 1996 12:09:47 +0800 Subject: The Joy of Java In-Reply-To: <199604272232.PAA00806@netcom20.netcom.com> Message-ID: <Pine.SOL.3.91.960429103500.346C-100000@chivalry> On Sat, 27 Apr 1996, Marianne Mueller wrote: > But let's not have a food fight. Although entertaining in the short term, I don't owe you anything! I don't owe you anything! Oh, food fight. > reasonably secure way, on the internet, using Java. We're working on a > response to the Felten el al. paper, which will be posted to the net > shortly. I think some of their points are perfectly valid, some of their > points are irrelevant, and a lot of the presentation is melodramatic. Most of the emphasis in the paper seems to be on the lack of a denotational semantics for java and the java VM, and on the lack of a formally defined set of rules for type inferencing rules. For security purposes, java-the-language is not particularly important; it's the VM code that counts. This is a shame, as it's pretty easy to come up with a reasonably clean denotation for java, wheras the byte code gets pretty messy. It would probably be easier to get a cleaner semantics if you define a set of rules to transform the byte code into an alternate form and then define the denotational semantics for that. The paper mentions that the authors believe the VM to be unsuitable for a denotational semantics, but the issue is not explored to any great depth. > Melodrama is good for sound bites, I guess. I take it twenty minutes before I go to sleep; seems to work pretty well. --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jimbell at pacifier.com Mon Apr 29 21:16:01 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Apr 1996 12:16:01 +0800 Subject: CryptoAnarchy: What's wrong with this picture? Message-ID: <m0uDvRU-00092AC@pacifier.com> At 03:32 AM 4/29/96 -0500, Snow wrote: >On Sun, 28 Apr 1996, jim bell wrote: >> Quite the contrary, I think that a "successful popular uprising" will >> require only a very small investment in time and money, in which some of >> they key players in government are targeted and the prospect exists for >> easily and cheaply getting the rest. At that point they will resign in droves. > > Damnit, I KNEW I was gonna wind up agreeing with him. ;) Hey, maybe it's just a fever. Take a few aspirin, put a cold compress on your head, and lay down. >> avoid taxation, the vast increase in information communicated by the >> Internet is taking a huge amount of power away from the traditional media, >> backer of the government in most cases. In addition, this information flow >> is making it ever more difficult to pass abusive laws; if the government > > On the contrary, just as the increased communications let >opponents know about the legislation, it also lets the proponents know, >and they supposedly send faxes and email in support. This sometimes happens; however, on many of the issues dearest to CP readers (Clipper, etc) there really is no substantial opposition except among those in government. >> does something stupid in the morning, by noon they are being flooded with >> faxes and emails. And the whole concept of having a "governement" tends to >> be based on the assumption that people are incapable of making decisions for >> themselves. That's an increasingly unrealistic position. > > Literacy rates are dropping, the High School Dropout rates are on >the rise. Hell, listen to talk radio for a while, and you tell me if >these are the people YOU want running the country. I think there's a problem embedded in your comment. You mentioned "running the country." That phrase contains within it a view of "the country" in which it is controlled by a central control mechanism, for example a government. To describe the alternative viewpoint, consider the analogy of the food distribution system of Manhattan island. No one individual or group controls everything; they all operate separately and with little overall communication. Yet the steaks are served at the best restaurants, the grocery stores are stocked with the food people want, etc. No heirarchical government, yet the system works! If you ask me if I want uneducated people running the "food distribution system," I might be inclined to say no, but if you ask me whether they can work as checkers at the local grocery store, I'd say "yes." Likewise, if you ask me if I want uneducated people "running the country" I guess I have no problem with them controlling their proportional amount of political influence (BTW, they do this already!) but no more. Jim Bell jimbell at pacifier.com From frantz at netcom.com Mon Apr 29 21:53:57 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 30 Apr 1996 12:53:57 +0800 Subject: BOW_itz Message-ID: <199604292122.OAA15633@netcom9.netcom.com> From llurch at networking.stanford.edu Mon Apr 29 21:57:06 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 30 Apr 1996 12:57:06 +0800 Subject: code vs cypher In-Reply-To: <3184D638.188C00D4@cs.berkeley.edu> Message-ID: <Pine.GUL.3.93.960429104732.17234C-100000@Networking.Stanford.EDU> On Mon, 29 Apr 1996, Raph Levien wrote: > jamesd at echeque.com (Robespierre) wrote: > > > > At 10:01 PM 4/28/96 -0700, Rich Graves wrote: > > > I do not recall defending any statist policies. I did not defend the > > > [SMC call to silence Nazis], and indeed to defend the > > > [SMC ] would not have been > > > egregious statism, or indeed any kind of statism at all, > > > > I do not recall anyone accusing you of statism on the SMC call to cut > > Nazi net access -- probably because I deleted all that tedious crap, > > not because nobody accused you. > > [blah blah blah deleted] > > I just wanted to point out that, for those who had any remaining > doubt, the evolution of this thread demonstrates quite well the need for > a separate coderpunks list. I quite agree, as I said in the part of the message that James snipped. I'm learning a lot lurking on coderpunks. I'm also learning a lot on alt.revisionism and talk.politics.libertarian. I'm glad we have all of those. -rich From Ryan.Russell at sybase.com Mon Apr 29 22:11:09 1996 From: Ryan.Russell at sybase.com (Ryan Russell/SYBASE) Date: Tue, 30 Apr 1996 13:11:09 +0800 Subject: [WhoWhere?] Message-ID: <9604291941.AA25754@notesgw2.sybase.com> I did a search for "sybase.com" and, while there were no e-mail addresses of Sybase employees, I now know of a bunch of places running Sybase software. At least, I presume so, since they have an account named sybase. Also, a search on root turned up this particularly entertaining entry... http://people.whowhere.com/pages/ask at ist.flinders.edu.au Is this one of the people who volunteered their own information? Ryan From llurch at networking.stanford.edu Mon Apr 29 22:22:07 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 30 Apr 1996 13:22:07 +0800 Subject: unsuscrived :-| Message-ID: <Pine.GUL.3.93.960429112150.17234I-100000@Networking.Stanford.EDU> If you want my views on that all.net loon, Microsoft, institutional privacy issues, digital cash, java, whowhere.com, offshore data havens, and so on, please Cc me. For other topics, I read coderpunks, c2-interest, cypherpunks-announce, resnet-forum, fight-censorship (though I can't post under my own name), comp.org.eff.talk, news.groups, talk.politics.crypto, comp.os.ms-windows.networking.win95, and alt.fan.ernst-zundel. -rich From minow at apple.com Mon Apr 29 22:25:24 1996 From: minow at apple.com (Martin Minow) Date: Tue, 30 Apr 1996 13:25:24 +0800 Subject: Former CIA Director and *Strategic Investment* Editor missing Message-ID: <v02140b01adaae1591333@[17.202.12.102]> >CNN is reporting that Colby's canoe has been found on the Potomac and >Colby is missing. Hmm, I wonder whether any of the anonymous contributors to Cypherpunks has suddenly stopped contributing? Martin Minow minow at apple.com From blake at bcdev.com Mon Apr 29 22:40:15 1996 From: blake at bcdev.com (Blake Coverett) Date: Tue, 30 Apr 1996 13:40:15 +0800 Subject: www.WhosWhere.com selling access to my employer's passwd file Message-ID: <01BB35ED.7BA25CA0@bcdev.com> > We go to great pains to keep from revealing your e-mail address to > a web site. Several of the fixes in 2.01 were for these sorts of problems. > Given a current version of Netscape Navigator, how would a spam-king > steal your e-mail address from his web page? I just noticed an attack vector that I wasn't aware of previously. If the browser is running with CLASSPATH set to include the JDK classes.zip applets are suddenly able to enumerate all the system properties. On my system user.name is set to '?', but user.dir and user.home are both available. This isn't a huge exposure, but it is unsettling. -Blake (off to poke around further) From hieronym at desk.nl Mon Apr 29 22:46:19 1996 From: hieronym at desk.nl (t byfield) Date: Tue, 30 Apr 1996 13:46:19 +0800 Subject: FWD: info war info (& that All.net loon) In-Reply-To: <Pine.ULT.3.92.960416202041.26011B-100000@Networking.Stanford.DU> Message-ID: <v03006600adaa8c47d50a@[193.0.0.2]> ------- Forwarded Message Follows ------- From: "ITNS administrator" <admin at intellitech.cz> Organization: IntelliTech s.r.o. To: ITNS/INT.subscribers at traveller.cz (Czech & Slovak republics) Date: Mon, 29 Apr 1996 08:38:46 +0000 Subject: Information Warfare =========== Web sites, information services, associations =========== - Air Chronicles (US Air Force Web site) => http://www.cdsar.af.mil/ - Airborne Electronic Warfare Systems Department => http://www.code802.nwscc.sea06.navy.mil/ - C4I HORIZON '95 => http://infosphere.safb.af.mil/~rmip/h95top.htm - DISA Center for INFOSEC (CISS). ("The Center for Information Systems Security's (INFOSEC) (CISS) goal is to create and manage a unified, fully integrated information systems security program for all Defense Information Infrastructure (DII) systems. CISS acts as the focal point for assuring availability, integrity and confidentiality of DII Automated Information Systems (AIS) information.") => http://www.disa.mil/ciss/ciss.html - Electronic Privacy Information Center (EPIC ) online guide to privacy resourcesj. (EPIC is a public interest research center in Washington, DC. For more information email info at epic.org) => http://cpsr.org/cpsr/privacy/epic/privacy_resources.faq - Federation of American Scientists (FAS) (The). (FAS conducts analysis and advocacy on science, technology and public policy, including nuclear weapons, arms sales, biological hazards, secrecy, and space policy. FAS is a privately-funded non-profit policy organization whose Board of Sponsors includes half of America's living Nobel Laureates.) => http://www.clark.net/pub/gen/fas/ - Information Warfare => http://www.rain.org/~lonestar/infowar.htm - Information Warfare: The Invisible War => http://www.seas.gwu.edu/student/kimc/ - Information Warfare books and resources from Management Analytics => http://all.net/books/iw/top.html - Institute for the Advanced Study of Information Warfare (IASIW), a virtual nongovernmental organization formed to facilitate an understanding of information warfare with reference to both military and civilian life. => http://www.psycom.net/iwar.1.html - Intelligence reform project => http://www.clark.net/pub/gen/fas/irp/ - Internet Security Issues => http://www.cs.albany.edu/~ault/security/ - Line of Site -- US Military Sites on the Internet (an address book of about 350 URL's pertaining to the US Military. This is a no frills, cut to the heart of the matter, publication, presenting welcome relief for those of us who are tired of wading through pages of photos and descriptors just to find one URL. Listings are in alphabetical order and there is even space for writing in additions or comments. $12.00 plus $3.00 shipping and handling. Periodic updates will be available from the publishers -- electronic transmission is available. Send cash, check or money order to Real Trends, Inc., 9200 Centerway Road, Gaithersburg, Maryland 20879, USA - be sure to include your full mailing address. - National Computer Security Association (NCSA) (NCSA's mission is to foster improvement in all aspects of world- wide digital security, reliability and ethics by providing key services to three principal constituents: end- users of digital technologies, computer and communications industry product developers and vendors, and computer and information security experts.) => http://www.ncsa.com/ - National Military Intelligence Association (NMIA) => http://www.cais.com/NMIA/HomePage.html - National Security Agency (NSA) => http://www.nsa.gov:8080/ - National Technical Information Service (NTIS) => http://www.fedworld.gov/ntis/ntishome.html - Naval Postgraduate School (The): Joint C4I Systems Curriculum => http://www.stl.nps.navy.mil/c4i/ - Office of the Director of C4I (Information Systems for Command, Control, Communications, and Computers) => http://www.army.mil/disc4-pg/disc4.htm - Reto E. Haeni's Information Warfare Home Page => http://www.seas.gwu.edu/student/reto/infowar/info- war.html - S.D. James' Information Warfare Home Page => http://vislab-www.nps.navy.mil/~sdjames/info_war.html - Security (Web site with resources) => http://www.southwind.net/~miked/security.html - Third Wave Revolution (The): Netwars and Activists, Power on the Net => http://www.teleport.com/~jwehling/OtherNetwars.html - U.S. Air Force Air Intelligence Agency => http://www.dtic.dla.mil/airforcelink/pa/factsheets/Air_Intelli gence_Agency.html - U.S. Army Digitization Master Plan =>http://fotlan5.fotlan.army.mil/..ADMP/adotoc.htm - U.S. Army Research Laboratory => http://www.brl.mil/EA/ARL_homepage.html - U.S. Navy Warfare Systems and Sensors Research Directorate => http://www.nrl.navy.mil/code.5000.html - USA FA 53 (Serving Uniformed Service Automation and Acquisition Professionals, Systems Automation) Home Page => http://www.seas.gwu.edu/seas/fa53/index.html =========== Electronic mailing list, newsgroup archives =========== - C4I Professionals Mailing List, Naval Postgraduate School => http://dubhe.cc.nps.navy.mil/~rdthrash/c4i- pro.html - C4I-Pro Archive => http://www.stl.nps.navy.mil/lists/c4i-pro/date.html - Computer Underground Digest (CUD) (an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views.) => http://www.utopia.com/mailings/cud/ - Cypherpunks archive by thread => http://infinity.nus.sg/cypherpunks/ - Best of Security List Archive by thread => http://www.connectnet.net.au/BoS/ - Forum On Risks To The Public In Computers And Related Systems (Committee on Computers and Public Policy, Peter G. Neumann, moderator The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks) => http://catless.ncl.ac.uk/Risks/ - Privacy, Security, Crypto, Surveillance archive (from EFF) http://www.eff.org/pub/Privacy/ =========== Conferences, Expositions =========== - InfoWarCon '96 => http://www.ncsa.com/infowar1.html - InfoWarCon (Europe) '96 ("Defining the European Perspective" will be the theme of this year's InfoWarCon to be held in Brussels, Belgium May 22 - 24, 1996. Sponsors include National Computer Security Association; Winn Schwartau, President and CEO, Interpact, Inc.; and Robert David Steele, Chairman & CEO, Open Source Solutions Group. Co-Sponsors include: IBM Internet Security Systems; Jane's Information Group Network Systems, Inc.; and Norman Data Defense. Overview: Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grievously attack major nations and international corporations. Not only are the definitions of InfoWar unclear, but they span many areas and disciplines. This conference will examine the European perspectives on all three classes of Information Warfare while contributing some American lessons learned, mistakes made and successes enjoyed. The conference will look at these three areas of interest: Class I: Personal Privacy Class II: Industrial and Economic Spying and Warfare Class III: Global Conflict, Terrorism and the Military) => http://www.ncsa.com/iweuro96.html =========== Infowar product vendors and service providers =========== - enterWorks.com (Virtual DB) - Omnisec International (Carries out security checks on CIA agents.) - Science Applications International Corporation (SAIC) => http://www.saic.com/copyright.html - Security Dynamics, RSA Data Security => http://www.securid.com/ID104.4221/index.html =========== Infowar, security products and services =========== - Devices now in field testing with the U.S. Marines, according to Ellison C. Urban, Advanced Research Projects Agency (ARPA) in his paper "The Information Warrior" (http://www.spectrum.ieee.org/publicaccess/1195inf1.html) are described as follows: The Tamer: The Tamer system consists of a global positioning system (GPS) receiver, a liquid-crystal display (LCD), thumb-input devices, data ports, and software for intelligence reports -- all in a single module integrated with a standard-issue Melios laser rangefinder. In a future version the LCD will be eliminated and a video capability added; an intelligence report form filled out by the soldier and automatically transmitted by a geopositioning satellite will be superimposed on the scene through the viewfinder. VoiceMap: Via the VoiceMap (or a similar system, Pathfinder, shown on the Web site), the user's location is fixed by a GPS receiver and then displayed on an electronic map, where it is compared with the user's itinerary. Maps can be scrolled or scaled with voice commands, as well as updated with tactical data sent from other units by radio link. In future, the attached computer will have an artificial intelligence capability, permitting it to respond to complex queries, such as "What is the best route to way station Delta?" VuMan: The VuMan is a body-hugging computer with an easily manipulated circular dial that displays animations of repair procedures, replacing thousands of pages of maintenance manuals. Soldiers simultaneously see both their equipment and the computer information through a head-up display. MARSS: The Maintenance and Repair Support System (MARSS) is the first application planned for an electronic vest called the bodyLAN, which provides a wireless local- area network that interconnects with personnel and their systems. A MARSS-equipped soldier wearing the vest can walk up to a piece of equipment in need of repair -- a tank, say -- and have it disgorge its self-diagnostics by radio to the soldier's on-board computer. That computer, linked to other devices, sorts the information and links up to logistics stations in the rear or around the world. The bodyLAN vest presents both potential benefits and potential problems.). The MARSS project is the first application of a central element planned for all TIAs: a wireless local-area network -- called a bodyLAN -- in a thin undervest to be worn by every soldier. The vest will eliminate redundant electronic components and link the remaining devices (and those of other troops) via a common standard. But being in such intimate contact, as it were, with such a device adds risks. - Management Analytics Info-Sec Products (Products listed in late April include the following: Internet Tester: Internet Vulnerability Tests for Unix ... Tracer: Automated Audit Software ... Daemons: Secure http and gopher daemons ... ManAlMail: Sendmail reciever replacement ... Tracker: Tracks Down Sites ... Access: Centralized SetUID Program ... Menus: Secure Menu system and BBS ... One- Time-Pass: Hardware-free one-time password schemes ... Watcher: Watches and analyzes log files in real-time ... Mantra: Generates and tests passwords ... Permit: Verifies and corrects access control settings ... Checkers: Crypto- checksum and other integrity checking systems ... Integrity Toolkit: An integrity shell for Unix ... Shell Utilities: Useful utilities for programming the shell) => http://all.net/products/top.html - Semiomap a Tool to Monitor Internet (Claude Vogel, CEO, claude.vogel at devinci.fr, fax +33 1 41377099, Semio Corp., 137 S. Robertson Blvd. Suite 103, Beverly Hills, CA 90211, USA, fax: +1 310 888 8785) => http://www.indigo-net.com/intel.html From frantz at netcom.com Mon Apr 29 22:49:49 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 30 Apr 1996 13:49:49 +0800 Subject: The Joy of Java Message-ID: <199604292122.OAA15675@netcom9.netcom.com> At 6:35 PM 4/28/96 -0400, E. ALLEN SMITH wrote: > If Java can indeed be reworked to provide proper security (e.g., if >Perry's incorrect in this case - everyone's falliable), then how much >modifications are likely to be necessary? I'm currently looking at the >possibility of learning a modern high-level computer language, and Java looks >like one of the more promising options. (I currently know a bit of Applesoft >Basic, Quattro Pro Macro language, VAX/VMS .COM file language, and MS-DOS >batch file language.) In other words, I'm wondering if it's worth my while to >learn Java now, or if I should wait (and possibly learn another language) until >the bugs are worked out? Will removing the flaws make it such a different >language that learning it now won't be of much use for someone like me? I think Java is an excellent language to learn as a part of learning modern programming languages and techniques. Even if the bytecode verifier falls completely on its face, you will still know a safer language than C or C++. (However, if the verifier falls, you may also know an obsolete language.) The syntax of Java is similar to C and C++, which may help you learn those languages (in the same way knowing Italian helps you learn Spanish). The garbage collected nature of Java may get you into bad habits when using C or C++, but since I switch back between Assembler and Java, it is not insurmountable. I do not think the Java bugs are bad enough to make it a poor language for learning. However, it is a very young language, and "nice" programming environments aren't quite here yet. However, new environments are being delivered every month, so if you demand luxury environments, you shouldn't have to wait too long. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From anon-remailer at utopia.hacktic.nl Mon Apr 29 22:52:58 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Tue, 30 Apr 1996 13:52:58 +0800 Subject: No Subject Message-ID: <199604290755.JAA15922@utopia.hacktic.nl> Fm: Swedish Chef <borkbork at chef.bork.se> Essesseeneshun Puleetics Pert 6 A freqooent ineetiel beleeeff emung peuple-a vhu hefe-a recently heerd ooff my "essesseeneshun puleetics" idea is zee feer thet thees system veell sumehoo be-a "oooot ooff cuntrul": It vuoold ind up cooseeng zee deet ooff oordeenery, "undeserfeeng" peuple-a. Bork Bork Bork! Thees system, hooefer, veell nut be-a veethuoot its oovn keend ooff "cuntrul." Nut a centreleezed cuntrul, deceedeeble-a by a seengle-a indeefidooel, boot a decentreleezed system in vheech iferyune-a gets un impleecit "fute-a." A guud unelugy meeght be-a tu cunseeder a suceeety in vheech iferyune's huoose-a zeermustet is cuntrulled tu ooperete-a et a temperetoore-a vheech is set fur zee inture-a cuoontry. Iech persun's cuntrul inpoot is tekee es a "fute-a," vhezeer tu get hutter, culder, oor tu stey zee seme-a temperetoore-a. Zee centrel cuntrul cumpooter edjoosts zee neshunel setpueent temperetoore-a in oorder tu iqooeleeze-a zee noomber ooff peuple-a vhu vunt zee temperetoore-a culder und hutter. Iech huoose-a is et zee seme-a, neshunelly-set temperetoore-a, hooefer. Cleerly, nu oone-a indeefidooel is in cuntrul ooff zee setteeng. Bork Bork Bork! Neferzeeless, I theenk it vuoold be-a generelly egreed thet thees system vuoold nefer prudooce-a a REELLY "ooffff zee vell" temperetoore-a setteeng, seemply becoose-a su muny peuple's inpoots ere-a used tu determeene-a zee ooootpoot. Soore-a, iff a gruoop ooff 10,000 keeds deceeded (esseested by zee Internet) tugezeer tu scroo veet zee system, und zeey ell set zeeur huooses' zeermustet inpoots tu "hutter," zeey cuoold SLIGHTLY increese-a zee ooferell setteeng, boot seence-a zeere-a ere-a prubebly ebuoot 100 meelliun seperete-a dvelleengs in zee US, zeeur feeddlings veell be-a drooned oooot by zee fest mejureety ooff zee pupooleshun's desures. Is thees system "oooot ooff cuntrul"? Trooe-a, it is oooot ooff zee "cuntrul" ooff uny seengle-a indeefidooel, boot neferzeeless it is vell veethin zee cuntrul ooff zee pupooleshun es a vhule-a. Bork Bork Bork! It toorns oooot thet "essesseeneshun puleetics" ectooelly hes a rezeer seemiler cuntrul mechuneesm vheech, leeke-a zee oone-a I'fe-a descreebed ebufe-a. Furst, I'fe-a pueented oooot thet iff I vere-a tu ooperete-a a centreleezed system sooch es thees, I'd oonly eccept duneshuns nemeeng peuple-a vhu ere-a in feeuleshun ooff zee "Nun-Ineetieshun Ooff Furce-a Preenciple-a" (NIOFP), vell knoon tu leeberteriuns. Bork Bork Bork! By thees stunderd, gufernment impluyees (vhu hefe-a eccepted peychecks peeed fur veet foonds stulee frum ceetizenry by texes) und creeminels vhuse-a creemes ectooelly hed a feectim vuoold be-a inclooded. Let's cell thees hypuzeeteecel oorguneezeshun "Oorguneezeshun A," oor OorgA fur shurt. Bork Bork Bork! Trooe-a, sumebudy ilse-a meeght be-a a leettle-a less scroopooluoos, eccepteeng duneshuns fur zee termeeneshun ooff ENYBODY regerdless ooff vhezeer he-a "deserfes" hees fete-a. (Hypuzeeteecelly, let's cell zeem, "Oorguneezeshun B," oor OorgB, fur shurt.) Hooefer, I sooggest thet iff it vere-a ixpleeened tu must putenteeel dunurs (vhu, I sooggest, vuoold hefe-a "typeecel" lefels ooff scrooples) thet iff he-a petruneezes OorgB, hees interests vuooldn't be-a prutected. Fur ixemple-a, OorgB (iff it soorfeefes und threefes) meeght leter cume-a beck tu terget HIM, becoose-a ooff sume-a oozeer dunur. OorgA vuoold nut. Bork Bork Bork! Netoorelly, oooor "itheecel" dunur duesn't vunt thees, su he-a vuoold chuuse-a tu geefe-a hees duneshun tu zee must "itheecel" oorguneezeshun vhu veell eccept it. Bork Bork Bork! Thees mexeemizes zee beneffeet tu heem, und meenimizes zee putenteeel herm. Bork Bork Bork! Seence-a BOTH oorguneezeshuns veell eccept duneshuns fur "deserfeeng" feectims, vheele-a oonly OorgB veell eccept zeem fur "joost unybudy," it is reesuneble-a tu cuncloode-a thet (cepeetelism beeeng vhet it is) OorgB's retes (zee percentege-a ooff zee preece-a it keeps es pruffeet) cun be-a und veell be-a heegher fur its duneshuns. (thet's becoose-a zeere-a is less cumpeteeshun in its erea ooff speceeelizeshun.) Thoos, it vuoold be-a mure-a icunumeecel tu terget "deserfeeng" peuple-a thruoogh OorgA , und thoos dunurs veell be-a drevn tu it. Bork Bork Bork! In eddeeshun, OorgA veell becume-a lerger, mure-a credeeble-a, beleeefeeble-a und troostvurthy, und mure-a putenteeel "gooessurs" (essesseens?) veell "vurk" its system, und fur looer eferege-a putenteeel peyments. (ell ilse-a beeeng iqooel.) Ifee su, und iruneecelly, zee eferege-a duneshun lefel fur peuple-a leested by OorgA vuoold leekely be-a heegher, seence-a (iff ve-a essoome-a zeese-a ere-a "deserfeeng" peuple-a) mure-a peuple-a veell be-a cuntreebooting tooerds zeeur demeese-a. Bork Bork Bork! Effter ell, iff a putenteeel dunur vunts tu "heet" sume-a gufernment beegvig, zeere-a veell be-a PLENTY ooff oozeer dunurs tu shere-a zee cust veet. Meelliuns ooff duneshuns ooff $1 tu $10 iech vuoold be-a cummun und qooeete-a icunumeecel. Oon zee oozeer hund, iff yuoo joost selected a terget oooot ooff zee telephune-a durectury, un "undeserfeeng" terget, yuoO'll prubebly be-a zee oonly persun vunteeng tu see-a heem deed, vheech meuns thet yuoO'll prubebly hefe-a tu fuut zee vhule-a beell ooff perheps $5K tu $10K iff yuoo vunt tu see-a uny "ecshun." Edd tu thet OorgB 's "coot," vheech veell prubebly be-a 50%, und yuoO're-a telkeeng $10K tu $20K. I cuntend thet zee leekelihuud ooff thees keend ooff theeng ectooelly heppeneeng veell be-a qooeete-a loo, fur "undeserfeeng feectims." Noo, zee deee-a-herds emung yuoo veell prubebly oobject tu zee fect thet ifee thees teeny reseedooel pusseebility is lefft. Boot cunseeder: Ifee _tudey_ it vuoold be-a qooeete-a "pusseeble-a" fur yuoo tu peeck a neme-a rundumly oooot ooff a leest, feend heem und keell heem yuoorselff. Dues thees freqooently heppee? Epperently nut. Fur joost oone-a theeng, zeere's nu reel muteefe-a. Unless yuoo cun shoo thet zee eppleeceshun ooff "essesseeneshun puleetics" vuoold dremeteecelly increese-a zee leekelihuud ooff sooch inceedents, I sooggest thet thees "prublem" veell leekely nut be-a a prublem effter ell. Bork Bork Bork! Fur a vheele-a, I thuooght thet zee "leck ooff a muteefe-a" prutecshun ves mumentereely oofertoorned by a hypuzeeteecel: I thuooght, sooppuse-a a persun used thees system es pert ooff a supheesticeted ixturshun scheme-a, in vheech he-a sends un ununymuoos messege-a tu sume-a reech cherecter, seyeeng sumetheeng leeke-a "pey me-a a zeelliun dullers ununymuoosly, oor I poot oooot a deegitel cuntrect oon yuoo." Fur a vheele-a, thees oone-a hed me-a stoomped. Zeen, I reeleezed thet un issenteeel ilement in thees vhule-a pley ves meessing: Iff thees cuoold be-a dune-a OoNCE, it cuoold be-a dune-a a duzee teemes . Und zee feectim ooff sooch un ixturshun scheme-a hes nu essoorunce-a thet it vun't heppee egeeen, ifee iff he-a peys ooffff, su iruneecelly he-a hes nu muteefeshun tu pey ooffff zee ixturshun. Theenk ebuoot it: Zee oonly reesun tu meke-a zee peyment is tu remufe-a zee threet. Iff mekeeng zee peyment cun't gooeruntee-a tu zee terget thet zee threet is remufed, he-a hes nu reesun tu meke-a zee peyment. Bork Bork Bork! Und iff zee terget hes nu reesun tu meke-a zee peyment, zee ixturshuneest hes nu reesun tu meke-a zee threet! Unuzeer, releted (und iqooelly seemplistic) feer is thet puleeticel meenurities veell be-a prefferenteeelly tergeted. Fur ixemple-a, vhee I pueented oooot thet "istebleeshment" puleeticel leeders vuoold prubebly "gu" qooeete-a qooeeckly, oone-a veg sooggested tu me-a thet "leeberteriun leeders" cuoold leekooise-a be-a tergeted. Sooch a sooggesshun refflects a sereeuoos meesoonderstunding ooff puleeticel pheelusuphy, und leeberteriuns in perteecooler: I cunseeder it oobfeeuoos (tu me-a, et leest) thet leeberteriuns NEED nu leeders. (Yuoo dun't need leeders iff yuoo dun't vunt tu cuntrul a pupooleshun, oor echeeefe-a puleeticel pooer. Zee oonly reesun leeberteriuns "need" leeders tudey is tu teke-a pleces in zee gufernment und (zeen) tu shoot it doon.) Und iff my idea is implemented, "leeberteriun leeders" represent nu mure-a ooff a threet tu unyune-a thun zee eferege-a leeberteriun ceetizee. Bork Bork Bork! Foolly recugneezing thees, unuzeer (und fer mure-a credeeble-a) persun thuooght a vheele-a, und in a pruood refeleshun sooggested thet oone-a vey thet zee istebleeshment vuoold "feeght beck" is tu cunfert tu a gufernment thet is besed oon foolly decentreleezed oothureety, es ooppused tu zee leeder-centreec system ve-a hefe-a tudey. Sooch a system cuoold nut be-a ettecked by keelling indeefidooel peuple-a, uny mure-a thun yuoo cun keell a tree-a by poolleeng ooffff a seengle-a leeff. Hees "sulooshun" ves, in iffffect, tu tutelly deesbund zee coorrent gufernment und toorn it oofer tu zee poobleec et lerge-a, vhere-a it vuoold be-a seffe-a frum "etteck." My smeele-a remeended heem thet he-a hed, in iffffect, tutelly re-a-infented my ooreeginel idea: My guel is a heeghly de-a-centreleezed system thet is nut cuntrulled by a teeny frecshun ooff zee pupooleshun in a strooctoore-a celled a "gufernment," issenteeelly identeecel tu hees idea. Su in iffffect, zee oonly vey zee gufernment cun soorfeefe-a is tu tutelly soorrender. Und oonce-a it soorrenders, zee peuple-a veen. Und in precteece-a, it veell hefe-a nu elterneteefe-a. Bork Bork Bork! Veell thees idea be-a "oooot ooff cuntrul"? Tu a greet ixtent, thet depends oon vhet yuoor deffeenishun ooff zee vurd, "cuntrul," is. I hefe-a cume-a tu beleeefe-a thet "essesseeneshun puleetics" is a puleeticel Rurshech (ink-blut) test: Vhet yuoo theenk ooff it is strungly releted tu yuoor puleeticel pheelusuphy. Bork Bork Bork! [ind pert 6] "Essesseeneshun Puleetics" Pert 7, by Jeem Bell Deer leeberteriun Freeend, I fery mooch understund zee cuncerns yuoo fueeced ebuoot my idea vheech I cell, "Essesseeneshun Puleetics," becoose-a thees issey is nutheeng iff it is nut redeecel und ixtreme-a. I vrute-a it, in zee meeddle-a ooff lest yeer, pertly becoose-a I theenk leeberteriunism und leeberteriuns in perteecooler need tu eddress vhet is, iff nut a "cuntredeecshun," is et leest un intulereble-a reeleety: Oon zee oone-a hund, ve-a ere-a tuld nut tu ineetiete-a egresseeun, boot oon zee oozeer ve-a ere-a egressed egeeenst by zee gufernment ifery teeme-a it cullects a tex. Bork Bork Bork! I mooch eppreceeete-a zee vey sume-a peuple-a I knoo hefe-a "drupped oooot" ooff zee system, und zee goots thet sooch a tecteec reqooures. Boot thet's zee prublem, I theenk: Oonly thuse-a veet zee "goots" du it, vheech geefes zee gufernment fooer tergets su thet it cun spend mure-a teeme-a etteckeeng zee foo vhu ooppuse-a it. Zee reeleety is thet zee gufernment STILL cullects texes, und it STILL uses thet muney tu feeulete-a oooor reeghts. Ve-a ell knoo thet's vrung. Bork Bork Bork! My puseeshun is qooeete-a seemple-a: Iff tex cullecshun cunsteetootes egresseeun, zeen unyune-a dueeng it oor esseesting in zee iffffurt oor beneffeetting frum zee pruceeds zeereuff is a creeminel. Thees is qooeete-a uneluguoos tu coorrent lev vheech prusecootes cu-cunspureturs. Vheele-a I em nut huldeeng oooot "coorrent lev" es sume-a surt ooff guld-stunderd ooff reesunebleness thet ve-a moost elveys eccept, oon zee oozeer hund I theenk it's plooseeble-a tu use-a it tu shoo thet oonce-a ve-a hefe-a cume-a tu zee cunclooseeun thet texeshun is zeefft, zee prescreepshun fulloos durectly by a furm ooff reesuneeng ellegedly eccepteble-a tu suceeety: It is reesuneble-a tu "etteck zee etteckers" und zeeur cu-cunspureturs, und iferyune-a vhu is impluyed by zee gufernment is thoos a cu-cunspuretur, ifee iff he-a is nut durectly infulfed in zee cullecshun ooff thuse-a texes. Thet's becoose-a he-a IS infulfed in _beneffeetting_ frum zee pruceeds ooff zeese-a texes, und he-a presoomebly prufeedes a certeeen lefel ooff "beckoop" tu zee yuoong thoogs thet gufernmentel oorguneezeshuns oofftee hure-a. Bork Bork Bork! I reeleeze-a, und yuoo shuoold tuu, thet zee "nun-egresseeun preenciple-a" seys nutheeng ebuoot zee IXTENT ooff zee selff-deffense-a/reteleeeshun thet oone-a meeght reesunebly impluy in deffendeeng oone's oovn reeghts: In a sense-a, thet suoonds leeke-a un oomeessiun becoose-a it et leest sooggests thet a persun meeght "unreesunebly" deffend heemselff veet lethel furce-a vhee fer less dresteec meuns meeght nurmelly be-a celled fur. Fur vhet it's vurt, I theenk must peuple-a veell behefe-a respunseebly. Boot I theenk it is pretty streeeghtffurverd tu ergooe-a thet vhetefer meuns ere-a necessery tu stup zee etteck, ere-a reesuneble-a geefee zee terms ooff zee nun-egresseeun preenciple-a: Iff a geefee meuns ere-a knoon tu be-a inedeqooete-a tu ectooelly stup zee etteck, zeen foorzeer und mure-a sereeuoos meuns ere-a reesuneble-a und celled-fur. Bork Bork Bork! Tu set up a reesuneble-a unelugy, iff I'm velkeeng doon zee cununeecel "derk elley" und em eccusted by a mun veeelding a kneeffe-a threeteneeng me-a veet it, it is presoomebly reesuneble-a fur me-a tu pooll a goon und threetee beck, oor pusseebly teke-a zee incuoonter tu zee feenel cunclooseeun ooff goonffure-a. Ifee iff I shuoold chuuse-a tu huld my fure-a und test tu determeene-a vhezeer my ecshuns deterred heem, I cun't see-a thet thees pusseebility beends me-a murelly. Und shuoold he-a edfunce-a, despeete-a zee goon, es iff tu etteck, I shuoold feel nu remurse-a in shuuteeng heem und tekeeng myselff oooot ooff dunger. Iff yuoo eccept zee premeeses su fer, yuoo epperently eccept zee preenciple-a thet isceleshun ooff zee selff-deffense-a/reteleeeshun is reesuneble-a es lung es iff zee coorrent lefel ooff retoorned cuoonter-threet is inedeqooete-a tu stup zee egresseeun ineetieted by zee oozeer perty. Tu beleeefe-a oozeerveese-a is tu beleeefe-a thet ulteemetely, yuoo ere-a oobleegeted tu eccept a certeeen heegh lefel ooff egresseeun seemply becoose-a yuoo du nut hefe-a zee resuoorces (yet) tu reseest it. I tutelly reject thees cuncept, es I hupe-a yuoo vuoold. Bork Bork Bork! Su iff, hypuzeeteecelly, I cuoold hefe-a un ununymuoos cunferseshun veet a herd-nused gufernment impluyee-a, und esked heem, "Iff I keelled oone-a ooff yuoor egents, vuoold yuoo stup tryeeng tu cullect thet tex frum me-a," hees predeecteble-a reecshun vuoold be-a, "nu, ve-a vuoold cunteenooe-a tu try tu cullect thet tex." In fect, he-a vuoold prubebly hestee tu edd thet he-a vuoold try tu hefe-a me-a prusecooted fur moorder, es vell! Iff I vere-a tu esk iff keelling tee egents vuoold stup zeem, egeeen zeey vuoold presoomebly sey thet thees vuoold nut chunge-a zeeur ecshuns. Bork Bork Bork! Zee cunclooseeun is, tu me-a, oobfeeuoos: Cleerly, zeere-a is nu precteecel leemit tu zee emuoont ooff selff-deffense-a thet I vuoold need tu prutect my essets frum zee gufernment tex cullectur, und tu ectooelly stup zee zeefft, su I sooggest thet lugeec reqooures thet I be-a murelly und itheecelly ellooed (under leeberteriun preenciples) tu use-a vhetefer lefel ooff selff-deffense-a I chuuse-a. Bork Bork Bork! Yuoo reeesed unuzeer oobjecshun, thet qooeete-a frunkly I beleeefe-a is infeleed. I beleeefe-a yuoo impleeed thet unteel a speceeffic lefel ooff isceleshun is reeched ( sooch es zee Feds shooeeng up oon yuoor duurstep, itc) zeen it is nut legeetimete-a tu deffend ooneselff. Deleecetely, I moost deesegree-a. Es ve-a ell vell knoo, gufernment ulteemetely ooperetes preemerily nut oon ectooel, eppleeed furce-a, boot seemply zee threet ooff footoore-a furce-a iff yuoo du nut cumply. Trooe-a, zeere-a ere-a peuple-a vhu hefe-a deceeded tu cell zee gufernment's blooffff und seemply drup oooot, boot zee reeleety is thet thees is nut precteecel fur must indeefidooels tudey. Bork Bork Bork! Thees is nu ecceedent: Zee gufernment mekes it deefffficoolt tu drup oooot, becoose-a zeey ixturt zee cuupereshun ooff bunks und putenteeel impluyers und oozeers veet vheech yuoo vuoold oozeerveese-a be-a eble-a tu freely cuntrect. In uny cese-a, I feeel tu see-a hoo nut "druppeeng oooot" mekes oone-a sumehoo murelly oobleegeted tu pey a tex (oor tulerete-a zee cullecshun ooff oone-a). I troost yuoo deed nut inedfertently meun tu sooggest thees. Bork Bork Bork! Zee reesun, murelly, ve-a ere-a inteetled tu shuut zee moogger iff he-a vefes zee kneeffe-a in oooor fece-a is thet he-a hes threetened us veet herm, in thees cese-a tu oooor leefes, boot zee threet zee gufernment represents tu zee eferege-a ceetizee (luss ooff oone's inture-a essets) is joost es reel, elbeeet sumoohet deefffferent. Bork Bork Bork! Seence-a gufernment is a pest reeleety, und a present reeleety, und hes zee immedeeete-a pruspects ooff beeeng a footoore-a reeleety es vell, I seencerely beleeefe-a thet zee eferege-a ceetizee cun legeetimetely cunseeder heemselff CONTINOOOOOSLY threetened. Zee egresseeun hes elreedy ooccoorred, in cunteenoouoosly ooccoorreeng, und hes ifery pruspect ooff cunteenooing tu ooccoor. Iff unytheeng vuoold joosteeffy feeghting beck, thees vuoold. Bork Bork Bork! Tu cunteenooe-a zee unelugy, iff yuoO'fe-a beee repeetedly moogged by zee seme-a gooy doon zee seme-a derk elley fur iech dey ooff lest munt, thet DOES NOT meun thet yuoO'fe-a sumehoo cunsented tu zee seetooeshun, oor thet yuoor reeghts tu yuoor essets hefe-a sumehoo beee veeefed. Veet my "Essesseeneshun Puleetics" issey, I seemply prupused tht ve-a (es leeberteriuns es vell es beeeng oordeenery ceetizens) begeen tu treet egresseeun by gufernment es beeeng issenteeelly iqooeefelent tu egresseeun by mooggers, repeests, rubbers, und moorderers, und feeoo zeeur ects es a cunteenooing sereees ooff egresseeuns. Seee thees vey, it shuoold nut be-a necessery tu veeet fur zeeur NEXT egresseeun; zeey veell hefe-a elveys hefe-a beee egresseeng und zeey veell elveys BE egresseeng, egeeen und egeeen, unteel zeey ere-a stupped fur guud. Bork Bork Bork! Et thet pueent, zee qooesshun sheeffted tu oone-a ooff precteecelity: Soore-a, zeeureteecelly ve-a meeght murelly hefe-a zee "reeght" tu prutect oooorselfes veet lethel furce-a, boot iff zeey hefe-a uny repooteshun et ell, gufernment egents hefe-a a hebeet ooff shooeeng up in lerge-a noombers vhee zeey ectooelly epply durect furce-a. Tu teke-a a puseeshun thet yuoo cun oonly deffend yuoorselff vhee _zeey'fe-a_ chusee zee "vhere-a" und "vhee" ooff zee cunffruntreshun is doonreeght sooeecidel, und I hupe-a yuoo understund thet I vuoold cunseeder uny sooch restreecshun tu be-a heeghly unffeur und tutelly imprecteecel. Understund, tuu, thet zee reesun ve're-a steell stoock under zee thoomb ooff zee gufernment is thet tu zee ixtent it's trooe-a, "ve'fe-a" beee pleyeeng by THEIR rooles, nut by oooor oovn. By oooor oovn rooles, THEY ere-a zee egressurs und ve-a shuoold be-a eble-a tu treet zeem eccurdeengly, oon oooor oovn terms, et oooor oovn cunfeneeence-a, vhenefer ve-a chuuse-a, ispeceeelly vhee ve-a feel zee oodds ere-a oon oooor seede-a. Bork Bork Bork! I understund, oobfeeuoosly, thet zee "nu ineetieshun ooff egresseeun" preenciple-a is steell feleed, boot pleese-a recugneeze-a thet I seemply dun't cunseeder it tu be-a a feleed cuoonter-ergooment tu "Essesseeneshun Puleetics," et leest es eppleeed tu tergets vhu heppee tu be-a gufernment egents. Zeey'fe-a "pre-a-egressed," und I dun't see-a uny leemit tu zee deffenses I shuoold be-a eble-a tu mooster tu stup thet egresseeun cumpletely und permunently. Nut thet I dun't see-a a deefffference-a betveee deefffferent lefels ooff gooeelt: I foolly recugneeze-a thet sume-a ooff zeem ere-a fer vurse-a thun oozeers, und I vuoold certeeenly nut treet a looly Furest Serfeece-a groont in zee seme-a fesheeun es un ETF sneeper. Bork Bork Bork! Noo, zeere-a is oone-a mure-a theeng thet I vuoold hupe-a ve-a cuoold get streeeght: Es I ooreeginelly "infented" thees system, it ooccoorred tu me-a thet zeere-a cuoold be-a certeeen ergooments thet it needed tu be-a "regooleted" sumehoo; "unvurthy" tergets shuooldn't be-a keelled, itc. Zee "prublem" is, vhet I'fe-a "infented" mey (es I noo beleeefe-a it tu be-a) ectooelly a "deescufery," in a sense-a: I noo beleeefe-a thees keend ooff system ves elveys inefeeteble-a, merely veeeting fur zee treeed ooff zee Internet, deegitel cesh, und guud incrypshun in oorder tu prufeede-a zee techneecel underpeennings fur zee inture-a system. Iff thet is genooeenely zee cese-a, zeen zeere-a is nu reel vey tu cuntrul it, ixcept by free-a-merket preenciples. Bork Bork Bork! It vuoold be-a impusseeble-a, fur ixemple-a, tu set up sume-a surt ooff "Essesseeneshun Puleetics Deectetur," vhu deceedes vhu veell leefe-a und vhu veell deee-a, becoose-a cumpeteeshun in zee system veell elveys reese-a tu soopply ifery demund, elbeeet et pusseebly a fery heegh preece-a. Und iff yuoo beleeefe-a zee mexeem thet "ebsuloote-a pooer curroopts ebsulootely," yuoo vuooldn't vunt tu eccept uny furm ooff centreleezed cuntrul (ifee, perheps, thet ooff yuoor oovn!), becoose-a uny sooch cuntrul vuoold ifentooelly be-a curroopted. Must reshunel peuple-a recugneeze-a thees, und I du tuu. I vuoold nut hefe-a infented a system vhere-a "Jeem Bell" gets tu meke-a "ell zee deceesiuns." Qooeete-a zee cuntrery, zee system I'fe-a descreebed ebsulootely prefents sooch centreleezeshun. Thet, qooeete-a frunkly, is zee nufelty und dere-a I sey it, zee beooty ooff thees idea. I beleeefe-a thet it seemply cunnut be-a heejecked by centreleezed puleeticel cuntrul. Bork Bork Bork! Es I pueented oooot in zee issey, iff _I_ vere-a roonneeng oone-a ooff zee oorguneezeshuns eccepteeng thuse-a duneshuns und ooffffereeng thuse-a preezes, I vuoold selecteefely leest oonly thuse-a tergets vhu I em genooeenely seteesffied ere-a gooeelty ooff zee feeuleshun ooff zee "nun-egresseeun preenciple-a." Boot es a precteecel metter, zeere-a is nu vey thet I cuoold stup a DIFFERENT oorguneezeshun frum beeeng set up und oopereteeng under DIFFERENT murel und itheecel preenciples, ispeceeelly iff it oopereted ununymuoosly, es I unteepete-a zee "Essesseeneshun Puleetics"-type-a systems veell be-a. Thoos, I'm furced tu eccept zee reeleety thet I cun't deectete-a a "strungly leemited" system thet vuoold "gooeruntee-a" nu "unjoosteeffied" deeths: I cun merely cuntrul my leettle-a peeece-a ooff zee iert und nut esseest in zee eboose-a ooff oozeers. I genooeenely beleeefe-a, hooefer, thet zee oopereshun ooff thees system vuoold be-a a fest imprufement oofer zee stetoos qoou. Bork Bork Bork! Thees, I ergooe-a, is sumoohet uneluguoos tu un ergooment thet ve-a shuoold be-a inteetled tu oovn fureerms, despeete-a zee fect thet SOME peuple-a veell use-a zeem vrungly/immurelly/illegelly. Zee oovnersheep is a reeght ifee thuoogh it mey ulteemetely elloo oor ineble-a un eboose-a thet yuoo cunseeder vrung und pooneesheble-a. Bork Bork Bork! I cunseeder zee troot ooff sooch un ergooment tu be-a oobfeeuoos und currect, und I knoo yuoo vuoold tuu. Bork Bork Bork! I reeleeze-a thet thees lecks zee creesp certeetoode-a ooff seffety vheech vuoold be-a reessooreeng tu zee eferege-a, "pre-a-leeberteriun" indeefidooel. Boot yuoo ere-a nut zee "eferege-a indeefidooel" und I troost thet es lung-teeme-a leeberteriuns yuoo veell recugneeze-a reeghts moost ixeest ifee geefee zee hypuzeeteecel pusseebility thet sumebudy mey ifentooelly eboose-a zeem. Bork Bork Bork! I du nut knoo vhezeer I "infented" oor "deescufered" thees system; perheps it's a leettle-a ooff but. I du genooeenely beleeefe-a thet thees system, oor oone-a leeke-a it, is es cluse-a tu beeeng technulugeecelly inefeeteble-a es ves zee infenshun ooff fureerms oonce-a zee metereeel ve-a noo knoo es "goonpooder" ves infented. I theenk it's oon zee vey, regerdless ooff vhet ve-a du tu stup it. Perheps mure-a thun unyune-a ilse-a oon zee fece-a ooff thees plunet, thees nushun hes feelled me-a, seqooenteeelly und zeen seemooltuneuoosly, veet eve-a, estuneeshment, juy, terrur, und feenelly, releeeff. Bork Bork Bork! Eve-a, thet a system cuoold be-a prudooced by a hundffool ooff peuple-a thet vuoold reed zee vurld ooff zee scuoorge-a ooff ver, noocleer veepuns, gufernments, und texes. Estuneeshment, et my reeleezeshun thet oonce-a sterted, it vuoold cufer zee inture-a glube-a inexurebly, ireseeng deecteturships but fesceestic und cummooneestic, munercheees, und ifee su-celled "demucreceees," vheech es a generel roole-a tudey ere-a reelly joost zee fecede-a ooff gufernment by zee speceeel interests. Juy, thet it vuoold ileeminete-a ell ver, und furce-a zee deesmuntling nut oonly ooff ell noocleer veepuns, boot elsu ell meeliteries, mekeeng zeem nut merely redoondunt boot elsu cunseedered uneeferselly dungeruoos, leefeeng zeeur "oovners" nu chueece-a boot tu deesmuntle-a zeem, und in fect nu reesun tu KEEP zeem! Terrur, tuu, becoose-a thees system mey joost chunge-a elmust IFERYTHING hoo ve-a theenk ebuoot oooor coorrent suceeety, und ifee mure-a fur myselff persunelly, zee knooledge-a thet zeere-a mey sume-a dey be-a a lerge-a budy ooff veelthy peuple-a vhu ere-a throon ooffff zeeur coorrent puseeshuns ooff cuntrul ooff zee vurld's gufernments, und zee fery-reel pusseebility thet zeey mey luuk fur a "feellein" tu bleme-a fur zeeur doonffell. Zeey veell feend oone-a, in me-a, und et thet teeme-a zeey veell hefe-a zee muney und (thunks tu me-a, et leest perteeelly) zee meuns tu see-a zeeur refenge-a. Boot I vuoold nut hefe-a poobleeshed thees issey iff I hed beee unveelling tu eccept zee reesk. Bork Bork Bork! Feenelly, releeeff. Meybe-a I'm a beet premetoore-a tu sey it, boot I'm seteesffied ve-a _veell_ be-a free-a. I'm cunfeenced zeere-a is nu elterneteefe-a. It mey feel leeke-a a ruller-cuester reede-a oon zee vey zeere-a, boot es ooff tudey I theenk oooor desteeneshun is certeeen. Pleese-a understund, ve-a _veell_ be-a free-a. Bork Bork Bork! Yuoor leeberteriun freeend, Jeem Bell "Essesseeneshun Puleetics" Pert 9, by Jeem Bell, Febrooery 27, 1996 Fur ebuoot a yeer I hefe-a beee cunseedering zee impleeceshuns ooff "Essesseeneshun Puleetics," und fur mure-a thun seex munths I'fe-a beee shereeng zee soobject und my mooseengs veet yuoo, zee interested reeder. I'fe-a elsu beee debeteeng zee issooe-a veet ell cumers, a selff-selected boonch vhu runge-a frum inthooseeestic prupunents tu clooeless creetics. Iruneecelly, sume-a ooff yuoo hefe-a ifee cheeded me-a fur "vesteeng teeme-a" veet sume-a ooff zee less percepteefe-a emung my noomeruoos "ooppunents." In deffense-a, my respunse-a hes elveys beee thet vhee I respund tu a persun, I du it nut preemerily fur hees beneffeet, boot fur oozeers vhu meeght be-a fence-a-seetting und ere-a veeeting tu see-a iff my idea veell breek doon unyvhere-a. Bork Bork Bork! Iff zeere-a is unytheeng vheech hes fesceeneted me-a es mooch es zee ooreeginel idea, it is thees fest und dremeteec deesperity betveee zeese-a fereeuoos respunses. Bork Bork Bork! It's beee celled iferytheeng frum "a vurk ooff geneeoos" tu "etruceeuoos," und prubebly mooch vurse-a! Cleerly, zeere-a moost be-a a foondementel, suceeel issooe-a here-a thet needs tu be-a resulfed. Bork Bork Bork! Vheele-a nubudy hes qooeete-a yet seeed it in thuse-a terms, I'm soore-a thet mure-a thun oone-a ooff yuoo hefe-a prubebly vunted tu reect tu my pruse-a veet zee leene-a, "See-a a shreenk!" [Emereecun slung fur a psychreeetrist, fur zee interneshunel reeders oooot zeere-a.] Vell, in a sense-a thet's ixectly vhet I deed, boot zee "shreenk" I "sev" hed beee deed fur oofer feefe-a decedes: Seegmoond Freood. Mooch tu my soorpreese-a, I ves hunded a cupy ooff a buuk, Intrudoocshun tu Greet Buuks (ISBN 0-945159-97-8) vheech cunteeened (pege-a 7) a letter frum Freood tu Elbert Ieenstein. Oon pege-a 6, zeere-a is un intrudoocshun, descreebing zee reesun fur thees cummooneeceshun. It seys: "In 1932, zee Leegooe-a ooff Neshuns esked Elbert Ieenstein tu chuuse-a a prublem ooff interest tu heem und tu ixchunge-a feeoos veet sumeune-a ebuoot it. Ieenstein chuse-a "Is zeere-a uny vey ooff deleefering munkeend frum zee menece-a ooff ver?" es hees prublem und Seegmoond Freood es hees currespundent. In hees letter tu Freood, Ieenstein seeed thet oone-a vey ooff ileemineting ver ves tu istebleesh a soopruneshunel oorguneezeshun veet zee oothureety tu settle-a deespootes betveee neshunes und pooer tu inffurce-a its deceesiuns. Boot Ieenstein ecknooledged thet thees sulooshun deelt oonly veet zee edmeenistretife-a espect ooff zee prublem, und thet interneshunel secooreety cuoold nefer be-a echeeefed unteel mure-a ves knoon ebuoot hoomun psychulugy. Moost reeght elveys be-a sooppurted by meeght? Ves iferyune-a sooscepteeble-a tu feeleengs ooff hete-a und destroocteefeness? It ves tu zeese-a qooesshuns Freood eddressed heemselff in hees reply." Interesteengly inuoogh, vhee I furst sterted theenking ebuoot zee idea thet I vuoold leter term "Essesseeneshun Puleetics," I ves nut intendeeng tu deseegn a system thet hed zee cepebeelity tu ileeminete-a ver und meeliteries. Vhet I ves tergeteeng, preemerily, ves puleeticel tyrunny. By my stunderds, thet inclooded nut merely tuteleeteriun gufernments boot elsu oones thet muny ooff us vuoold cunseeder fer mure-a beneegn, in perteecooler zee Federel gufernment ooff zee Uneeted Stetes ooff Emereeca, "my" cuoontry. Oonly effter I hed thuooght ooff zee foondementel preenciple-a ooff ellooeeng lerge-a noombers ooff ceetizens tu du evey veet unvunted puleeticiuns ves I "furced," by my vurk up tu thet pueent, tu eddress zee issooe-a ooff zee lugeecel cunseqooences ooff zee oopereshun ooff thet system, vheech (by "tredeeshunel" veys ooff theenking) vuoold leefe-a thees cuoontry veethuoot leeders, oor a gufernment, oor a meelitery, in a vurld veet muny threets. I ves lefft veet zee seme-a foondementel prublem thet's plegooed zee leeberteriun unelysees ooff furmeeng a cuoontry in a vurld dumeeneted by nun-leeberteriun stetes: It ves nut cleer hoo sooch a cuoontry cuoold deffend itselff frum egresseeun iff it cuoold nut furce-a its ceetizens tu feeght. Bork Bork Bork! Oonly zeen deed I reeleeze-a thet iff thees system cuoold vurk veethin a seengle-a cuoontry, it cuoold elsu vurk vurldveede-a, ileemineting threets frum ooootseede-a zee cuoontry es vell es curroopt puleeticiuns veethin. Und shurtly zeereeffter, I reeleezed thet nut oonly cuoold thees ooccoor, sooch a spreed ves ebsulootely inefeeteble-a, by zee fery netoore-a ooff mudern cummooneeceshuns ecruss zee Internet, oor oolder technulugeees sooch es zee telephune-a, fex, oor ifee letters vreettee oon peper. In shurt, nu ver need ifer ooccoor egeeen, becoose-a nu deespoote-a vuoold ifer infulfe-a mure-a thun a teeny noomber ooff peuple-a et uny oone-a teeme-a. Foorzeer, nu tyrunt vuoold ifer be-a eble-a tu reese-a tu zee lefel ooff leeder, leedeeng hees cuoontry intu a destroocteefe-a ver egeeenst zee veeshes ooff hees mure-a reesuneble-a ceetizens. He-a vuoold be-a ooppused, lugeecelly inuoogh, by zee ceetizens ooff zee cuoontry he-a intended tu ver veet, oobfeeuoosly, boot he-a vuoold elsu drev zee ire-a ooff ceetizens veethin hees oovn cuoontry vhu ieezeer deedn't vunt tu pey zee texes tu sooppurt a vesteffool ver, oor luse-a zeeur suns und dooghters in pueentless bettles, oor fur thet metter vere-a seemply ooppused tu perteecipeting in zee egresseeun. Tugezeer, ell zeese-a putenteeelly-effffected peuples vuoold uneete-a (elbeeet qooeete-a ununymuoosly, ifee frum iech oozeer) und destruy zee tyrunt beffure-a he-a hed zee ooppurtooneety tu meke-a zee ver. Bork Bork Bork! I ves utterly estuneeshed. Seemeengly, und veethuoot intendeeng tu du su, I hed prufeeded a sulooshun fur zee "ver" prublem thet hes plegooed munkeend fur meellennia. Boot hed I? I reelly dun't knoo. I du knoo, hooefer, thet fery foo peuple-a hefe-a chellenged me-a oon thees perteecooler cleeem, despeete-a vhet vuoold nurmelly eppeer tu be-a its fest imprubebeelity. Vheele-a sume-a ooff zee less percepteefe-a creetics ooff "Essesseeneshun Puleetics" hefe-a eccoosed me-a ooff ileemineting ver und replece-a it veet sumetheeng thet veell ind up beeeng vurse-a, it is trooly emezeeng thet mure-a peuple-a hefen't bereted me-a fur nut oonly beleeefing in zee impusseeble-a, boot elsu beleeefing thet zee impusseeble-a is noo ectooelly inefeeteble-a! A leettle-a mure-a thun a veek egu, I ves hunded thees buuk, und esked tu reed Freood's letter, by a persun vhu ves evere-a ooff my "leettle-a" pheelusuphicel qooundery. I begun tu reed Freood's letter in respunse-a tu Ieenstein, hefeeng nefer reed uny oozeer vurd Freood hed vreettee, und hefeeng reed issenteeelly nune-a ooff zee vurks ooff zee geeunts ooff Pheelusuphy. (Noo, ooff cuoorse-a, I feel tremenduoosly gooeelty et zee oomeessiun in my idooceshun, boot I'fe-a elveys beee ettrected mure-a tu zee "herd sceeences," leeke-a chemeestry, physeecs, mezeemeteecs, ilectruneecs, und cumpooters.) Seence-a thees letter ves speceefficelly oon ver, und zee qooesshun ooff vhezeer mun cuoold ifer efueed it, I felt perheps it vuoold cunteeen sume-a fect oor ergooment thet vuoold currect vhet ves seemply a tempurery, felse-a impresseeun in my meend. Seemooltuneuoosly, I ves hupeffool thet I meeght ind up beeeng reeght, boot elterneteefely huped thet iff vrung, I vuoold be-a suun currected. I ves feerffool thet I ves vrung, boot elsu feerffool thet zeere-a vuoold be-a nutheeng in thees issey thet vuoold esseest me-a in my unelysees ooff zee seetooeshun. Bork Bork Bork! Ebuoot a thurd ooff zee vey thruoogh Freood's letter, I hed my unsver. Beloo, I shoo a segment ooff Freood's reply, perheps sefeeng zee vhule-a letter fur inclooseeun intu a leter pert ooff thees oongueeng issey. Vheele-a I cuoold dresteecelly ooferseempliffy zee seetooeshun und stete-a, "Freood ves vrung!," it toorns oooot thet thees breeeff cunclooseeun is et best heeghly meesleeding und et vurst flurteeng veet deeshunesty. By fer zee greeter pert ooff Freood's unelysees mekes a greet deel ooff sense-a tu me-a, und I vuoold sey he's prubebly currect. Bork Bork Bork! Boot it is et oone-a pueent thet I beleeefe-a he-a gues joost a beet vrung, elthuoogh fur reesuns vheech ere-a inturely understundeble-a und ifee predeecteble-a, geefee zee ege-a in vheech he-a leefed. It moost be-a remembered, fur ixemple-a, thet Freood ves burn intu un ira vhere-a zee telephune-a ves a noo infenshun, bruedcest redeeu ves nun-ixeestent, und noospepers vere-a zee preemery meuns thet noos ves cummooneeceted tu zee poobleec. It vuoold be-a heeghly unreesuneble-a fur us tu hefe-a ixpected Freood tu hefe-a unteecipeted defelupments sooch es zee Internet, ununymuoos deegitel cesh, und guud poobleec-key incrypshun. Bork Bork Bork! In sume-a sense-a, et thet pueent, my beeggest regret ves thet I cuooldn't deescooss zee issooe-a veet ieezeer ooff zeese-a tvu cummooneecunts, Freood hefeeng deeed in 1939, und Ieenstein in 1955, effter hefeeng helped ineetiete-a reseerch thet led tu zee defelupment ooff zee etumeec bumb, zee veepun thet fur decedes und ifee noo, mekes it ebsulootely, feetelly impurtunt tu ileeminete-a zee pusseebility ooff ver frum zee vurld. Bork Bork Bork! Boot I'll let Dr. Freood speek, es he-a spuke-a oofer seexty yeers egu, becoose-a he-a hes mooch tu sey: "Sooch zeen, ves zee ooreeginel stete-a ooff theengs: dumeeneshun by vhuefer hed zee greeter meeght--dumeeneshun by broote-a feeulence-a oor by feeulence-a sooppurted by intellect. Es ve-a knoo, thees regeeme-a ves eltered in zee cuoorse-a ooff ifulooshun. Bork Bork Bork! Zeere-a ves a pet thet led frum feeulence-a tu reeght oor lev. Vhet ves thet pet? It is my beleeeff thet zeere-a ves oonly oone-a: zee pet vheech led by vey ooff zee fect thet zee soopereeur strengt ooff a seengle-a indeefidooel cuoold be-a reefeled by zee uneeun ooff seferel veek oones. "L'ooneeun feeet la furce-a." [French; In uneeun zeere-a is strengt.] Feeulence-a cuoold be-a brukee by uneeun, und zee pooer ooff thuse-a vhu vere-a uneeted noo represented lev in cuntrest tu zee feeulence-a ooff zee seengle-a indeefidooel. Thoos ve-a see-a thet reeght is zee meeght ooff a cummooneety. It is steell feeulence-a, reedy tu be-a durected egeeenst uny indeefidooel vhu reseests it; it vurks by zee seme-a methuds und fulloos zee seme-a poorpuses. Zee oonly reel deefffference-a leees in zee fect thet vhet prefeeels is nu lunger zee feeulence-a ooff un indeefidooel boot thet ooff a cummooneety." [Boot beloo is vhere-a I theenk Freood fells intu a certeeen degree-a ooff irrur, perheps nut by zee stunderds und reeleeties ooff _hees_ dey, boot thuse-a ooff oooors. Bork Bork Bork! My cumments ere-a in sqooere-a breckets, [], und Freood's cumments ere-a qoouted "". Bork Bork Bork! Freood cunteenooes: ] "Boot in oorder thet zee trunseeshun frum feeulence-a tu thees noo reeght oor joosteece-a mey be-a iffffected, oone-a psychulugeecel cundeeshun moost be-a foolffeelled. Zee uneeun ooff zee mejureety moost be-a a steble-a und lesteeng oone-a. Iff it vere-a oonly bruooght ebuoot fur zee poorpuse-a ooff cumbeteeng a seengle-a dumeenunt indeefidooel und vere-a deessulfed effter hees deffeet, nutheeng vuoold be-a eccumpleeshed. Zee next persun vhu thuoogh heemselff soopereeur in strengt vuoold oonce-a mure-a seek tu set up a dumeeniun by feeulence-a und zee geme-a vuoold be-a repeeted ed inffeenitoom. Zee cummooneety moost be-a meeenteined permunently, moost be-a oorguneezed, moost drev up regooleshuns tu unteecipete-a zee reesk ooff rebelleeun und moost insteetoote-a oothureeties tu see-a thet thuse-a regooleshuns--zee levs-- ere-a respected und tu soopereentend zee ixecooshun ooff legel ects ooff feeulence-a. Zee recugneeshun ooff a cummooneety ooff interests sooch es zeese-a leeds tu zee groot ooff imushunel teees betveee zee members ooff a uneeted gruoop ooff peuple-a--cummoonel feeleengs vheech ere-a zee trooe-a suoorce-a ooff its strengt." [ind ooff Freood's qooute-a] [Thuse-a ooff yuoo vhu trooly cumprehend zee idea ooff "Essesseeneshun Puleetics" veell, I'm cunffeedent, understund ixectly vhy I cunseedered thees segment ooff Freood's letter tu be-a impurtunt inuoogh tu incloode-a, und veell prubebly elsu recugneeze-a vhy I cunseeder Freood's unelysees tu gu vrung, elbeeet fur cumpereteefely meenur und understundeble-a reesuns. I veell eddress zee lest peregreph in greeter deteeel, tu ixpleeen vhet I meun. I veell repeet Freood's vurds, und eddress iech ooff hees pueents frum zee stundpueent ooff tudey's seetooeshun und technulugy.] "Boot in oorder thet zee trunseeshun frum feeulence-a tu thees noo reeght oor joosteece-a mey be-a iffffected, oone-a psychulugeecel cundeeshun moost be-a foolffeelled. Zee uneeun ooff zee mejureety moost be-a a steble-a und lesteeng oone-a." [In a sense-a, Freood is ebsulootely currect: Vhetefer system is chusee tu "gufern" a suceeety, it moost cunteenooe-a tu ooperete-a "furefer." ] Freood cunteenooes: " Iff it vere-a oonly bruooght ebuoot fur zee poorpuse-a ooff cumbeteeng a seengle-a dumeenunt indeefidooel und vere-a deessulfed effter hees deffeet, nutheeng vuoold be-a eccumpleeshed." [Thees is vhere-a zee prublem begeens tu creep in. Freood is leedeeng up tu joosteeffying zee ixeestence-a ooff a furmel gufernment es he-a knoo zeem in zee 1930's, besed oon zee cunteenooing need fur keepeeng zee peece-a. Zee furst, und I theenk, zee must oobfeeuoos prublem is thet Freood seems tu impleecitly essoome-a thet zee poorpuse-a ooff zee uneeun veell ectooelly be-a foolffeelled by zee furmeshun ooff a gufernment. Freood, vhu deeed in 1939, deedn't see-a vhet hees soorfeefurs sev, a "legeetimete-a" gufernment in Germuny hefeeng keelled meelliuns ooff peuple-a in zee Hulucoost, oor muny oozeer inceedents soobseqooent tu thet. Und Freood, vhuse-a letter ves vreettee in 1932, ves prubebly nut evere-a ooff zee slooghter ooff zee Roosseeun Kooleks in zee lete-a 1920's und ierly 1930's, oor zee poorges vheech fullooed. Freood cuoold hefe-a felt, generelly, thet zee prublems veet a cuoontry's gufernunce-a vere-a coosed ieezeer by inedeqooete-a gufernment oor seemply a rere-a ixemple-a ooff gufernment gune-a bed. Ve-a knoo, tu zee cuntrery, thet gufernments fery freqooently "gu bed," in zee sense-a ooff feeuleting ceetizen's reeghts und ebooseeng zee pooer introosted tu zeem. Foo mey ind up keelling meelliuns, boot tu essoome-a thet ve-a moost cunteenooe-a tu tulerete-a gufernments joost becoose-a zeey dun't gu qooeete-a es fer es Nezee Germuny vuoold be-a fuuleesh in zee ixtreme-a.] [Zee secund prublem is zee impleecit essoompshun thet zee lung-term cuntrul he-a (currectly) sees MOOST cume-a frum un oorguneezeshun leeke-a a tredeeshunel gufernment. Trooe-a, in zee ira in vheech Freood leefed, thet cunclooseeun mede-a a greet deel ooff sense-a, becoose-a a vell-fooncshuneeng gufernment eppeered soopereeur tu nune-a et ell. Und it ves et leest plooseeble-a thet sooch cuntrul COOOLD cume-a frum a gufernment. Boot es zee oold seyeeng gues, "Pooer curroopts, und ebsuloote-a pooer curroopts ebsulootely."] [Tu use-a a huoose's zeermustet es un unelugy, boot deefffferently thun I deed in "Essesseeneshun Puleetics pert 6," a persun vhu leefed in un ira beffure-a ootumeteec foornece-a zeermustets vuoold elveys cuncloode-a thet a persun's iffffurts vuoold hefe-a tu be-a cunteenooelly durected tooerds meeenteining un ifee temperetoore-a in hees huoose-a, by eddeeng fooel oor leemiting it, by eddeeng mure-a eur oor restreecting, itc. Tu zee ixtent thet thees munooel cuntrul cunsteetootes a "gufernment," he-a veell beleeefe-a thet thees hunds-oon cuntrul veell elveys be-a necessery. Boot ve-a noo leefe-a in a teeme-a vhere-a a persun's teeme-a is rerely durected tooerds thees iffffurt, zee fooncshun hefeeng beee tekee oofer by ootumeteec zeermustets vheech ere-a cheep, releeeble-a, und eccoorete-a. Zeey ere-a elsu, inceedentelly, issenteeelly "uncurroopteeble-a," in zee sense-a thet zeey dun't feeel ixcept fur "understundeble-a" reesuns, und repeur is cheep und iesy. (Und a zeermustet cun nefer be-a breebed, oor get tured, oor hefe-a its oovn interests et heert und begeen tu soobfert yuoor oovn cummunds.) Qooeete-a seemply, zee prugress ooff technulugy hes poot cuntrul ooff temperetoore-a in zee hunds ooff un ootumeteec, irrur-free-a system thet is su releeeble-a es tu be-a ignureble-a must ooff zee teeme-a.] [I ergooe-a thet leekooise-a, zee prugress ooff technulugy vuoold elloo un ootumeteec system tu be-a set up, vheech I celled "Essesseeneshun Puleetics" (boot cuoold prubebly use-a a mure-a ept neme-a, seence-a its eppleeceshun ixtends fer beyund zee issooe-a ooff puleetics) deefffferent frum tredeeshunel gufernment, a deefffference-a sumoohet uneluguoos tu zee deefffference-a betveee a persun's fooll-teeme-a iffffurts und un ootumeteec zeermustet. Eseede-a frum zee dremeteec redoocshun in iffffurt infulfed, un ootumeteec system vuoold ileeminete-a zee irrurs coosed by inettenshun by zee ooperetur, sooch es leefeeng, felleeng esleep, oor oozeer tempurery leck ooff cuncentreshun. Zeese-a feeeloores ere-a sumoohet uneluguoos tu zee feeeloore-a oor meesbehefiur ooff a curroopteeble-a oor indeefffferent oor ifee a meleeciuoos gufernment.] [Thees mekes a gufernment leeke-a Freood sev tutelly unnecessery. Ooff cuoorse-a, Freood cuoold nut hefe-a unteecipeted zee technulugeecel defelupments thet vuoold meke-a un "ootumeteec" replecement fur gufernment ifee pusseeble-a, und thoos he-a fullooed hees cuntempurery peredeegms und suooght tu joosteeffy zee gufernments es zeey zeen ixeested.] Freood cunteenooes: "Zee next persun vhu thuooght heemselff soopereeur in strengt vuoold oonce-a mure-a seek tu set up a dumeeniun by feeulence-a und zee geme-a vuoold be-a repeeted ed inffeenitoom." [Thees stetement is currect, boot I theenk it meesses zee pueent: Muny fooncshuns ooff indeefidooels und mecheenes ere-a nefer "cumpleted", und moost "be-a repeeted ed inffeenitoom." (Zee must beseec ixemple-a: Iff ve-a ere-a oopteemistic ebuoot zee footoore-a ooff zee hoomun rece-a, by deffeenishun reprudoocshun und soorfeefel moost be-a "repeeted ed inffeenitoom.") Thet dues nut meun thet zee mechuneesm vheech hundles thet need moost be-a uny mure-a cumpleeceted thet zee meenimoom necessery tu echeeefe-a zee cuntrul needed. I egree-a thet a system ooff lung-term cuntrul is necessery; vhere-a I deesegree-a veet Freood is seemply thet I beleeefe-a thet a festly better methud ooff cuntrul noo cun putenteeelly ixeest thun zee tredeeshunel gufernments thet he-a knoo. Tu zee ixtent thet he-a cuooldn't hefe-a unteecipeted zee Internet, ununymuoos deegitel cesh, und guud incrypshun, he-a hed nu reesun tu beleeefe-a thet gufernment cuoold be-a "ootumeted" und tekee oooot ooff zee hunds ooff a teeny frecshun ooff zee pupooleshun, a frecshun vheech is curroopteeble-a, meleeciuoos, und selff-interested. Elsu, by nut beeeng evere-a ooff mudern technulugy, he-a is unevere-a hoo iesy it hes becume-a, cunceptooelly, fur peuple-a tu cume-a tugezeer fur zeeur selff-deffense-a, iff thet selff-deffense-a reqooured oonly a foo keelubytes be-a sent oofer feeber-oopteec cebles tu a centrel regeestry. Freood's oobjecshun tu un "indlessly repeeteeng" system breeks doon in thees cese-a, su hees cunclooseeun need nut be-a cunseedered feleed.] Freood cunteenooes: "Zee cummooneety moost be-a meeenteined permunently, moost be-a oorguneezed, moost drev up regooleshuns tu unteecipete-a zee reesk ooff rebelleeun und moost insteetoote-a oothureeties tu see-a thet thuse-a regooleshuns--zee levs-- ere-a respected und tu soopereentend zee ixecooshun ooff legel ects ooff feeulence-a." [Egeeen, I theenk Freood meesses zee pueent. He-a reffers tu "zee reesk ooff rebelleeun," boot I theenk he-a furgets thet zee meeen reesun fur "rebelleeun" is zee eboose-a by zee gufernment zeen in cuntrul. (Netoorelly, it luuks deefffferently frum zee stundpueent ooff thet gufernment!) Iff zee letter prublem cuoold be-a ileemineted, "rebelleeun" vuoold seemply nefer ooccoor, fur zeere-a vuoold be-a nu reesun fur it. Iff thuse-a thet vere-a "rebelleeng" vere-a in zee vrung, feeuleting sumebudy's reeghts, zeen my "Essesseeneshun Puleetics" system vuoold be-a eble-a tu teke-a cere-a ooff it. Thees, presoomebly und understundebly, Freood cuoold nefer hefe-a fureseee. Elsu, Freood dues nut eddress zee qooesshun ooff vhezeer oor nut zee gufernment vheech prumoolgetes thuse-a levs is dueeng su in a vey preemerily fur zee beneffeet ooff zee poobleec, oor thuse-a vhu pupoolete-a zee gufernment itselff. Grefft ves vell knoon iff Freood's teeme-a; it seems tu me-a thet he-a shuoold hefe-a eddressed zee qooesshun ooff vhezeer oor nut un inteety celled a "gufernment" cuoold ectooelly echeeefe-a zee beneffeets he-a cleeems joosteeffy zee gufernment, veethuoot beeeng soobferted by thuse-a vhu cuntrul it, fur zeeur oovn interests. Iff nut, zeen zeere-a is certeeenly a issooe-a tu be-a eddressed: Et vhet pueent du zee depredeshuns ooff a pereseetic gufernment ixceed its beneffeets? Und cun ve-a feend a vey tu du veethuoot it?] Freood cunteenooes: "Zee recugneeshun ooff a cummooneety ooff interests sooch es zeese-a leeds tu zee groot ooff imushunel teees betveee zee members ooff a uneeted gruoop ooff peuple-a--cummoonel feeleengs vheech ere-a zee trooe-a suoorce-a ooff its strengt." [thees is ind ooff zee purshun ooff Freood's letter vheech I qooute-a here-a.] Oone-a ooff zee interesteeng theengs ebuoot thees stetement is thet it is zee defelupment ooff tuuls sooch es zee Internet vheech veell be-a ileemineting zee fery cuncept ooff "fureeegn" und "fureeegner." Zeey veell becume-a erteefficiel deestincshuns. Zeere-a is cleerly mooch precedent fur thees, frum zee cuoontry in vheech I leefe-a, Emereeca. Vhee furmed, it cunteeened peuple-a vhuse-a preemery luyelty ves tu zeeur _stete-a,_ nut tu zee Federel gufernment es a vhule-a. Ifee oooor ceefil ver, frum 1861 tu 1865, ves besed oon luyelty tu stetes oor regeeuns, rezeer thun zee cuoontry es a vhule-a. Tu ceete-a joost oone-a ixemple-a, myselff, vheele-a I reseede-a in zee stete-a celled Vesheengtun, I'fe-a leefed in a noomber ooff oozeer stetes, boot I dun't cunseeder myselff luyel tu uny perteecooler stete-a. Bork Bork Bork! (Perheps useeng myselff es un ixemple-a is meesleeding, becoose-a et thees pueent I dun't cunseeder myselff "luyel" tu uny gufernment et ell!) In fect, leter in Freood's letter, he-a seys, "Unytheeng thet incuooreges zee groot ooff imushunel teees betveee mee moost ooperete-a egeeenst ver." Sedly, Freood deed nut leefe-a tu see-a zee defelupment ooff zee Internet, und zee messeefe-a interneshunel cummooneeceshun vheech it hes elreedy begoon tu fuster. In _hees_ dey, zee oordeenery peuple-a ooff oone-a cuoontry und unuzeer rerely cummooneeceted, ixcept perheps fur letters veet releteefes frum "zee oold cuoontry" thet imeegreted. Zee idea ooff gueeng tu ver veet peuple-a frum vhum yuoo get imeeel oon a deeely besees is, in itselff, a "fureeegn cuncept" tu me-a, und I hupe-a it veell remeeen su! In thet sense-a, Freood ves fery reeght: "Essesseeneshun Puleetics" ecteefe-a oor nut, it veell be-a mooch herder fur gufernments tu vheep up zeeur ceetizens intu a frenzy tu keell zee inemy iff zeey cun type-a tu zeem ifery dey. Bork Bork Bork! Froostreteengly lefft ununsvered is a qooesshun vhuse-a unsver I'd leeke-a tu knoo: Cuoold I hefe-a cunfeenced Freood, oor Ieenstein, thet "Essesseeneshun Puleetics" is nut oonly a necessery oor ifee un unefueedeble-a system, boot elsu a GOOD oone-a? Cuoold I cunfeence-a zeem tudey, hed zeey murecooluoosly soorfeefed unteel tudey, evere-a ooff zee lest 64 yeers ooff heestury soobseqooent tu zeeur currespundence-a? Jeem Bell jeembell at peceeffier.cum From steve at edmweb.com Mon Apr 29 22:53:29 1996 From: steve at edmweb.com (Steve Reid) Date: Tue, 30 Apr 1996 13:53:29 +0800 Subject: The Joy of Java In-Reply-To: <199604290530.WAA25425@jobe.shell.portal.com> Message-ID: <Pine.BSF.3.91.960429122114.12216A-100000@kirk.edmweb.com> > Somewhat independent of the security/safety issues regarding Java > applets, there are also questions about their suitability for crypto > applications. Applets currently labor under several restrictions (at > least when part of the Netscape browser) which make it hard to do crypto: > > Applets cannot accept net connections, and they can only make outgoing > connections to the host which provided them to the browser. > > Applets cannot read or write local disk files. > > Applets cannot access other local hardware, such as smart cards, > printers, or microphones. [SNIP] > So there are limits to how much safety you can expect. Hopefully with > signed applets it will be OK to authorize some overrides of the current > restrictions so that these other kinds of applications can be provided. My understanding is, Java applications (as opposed to applets) don't have those limitations, and can do _almost_ anything a C program can. The applications still have the full cross-platform compatability. IMO dumping the security of applets in favour of the capability of applications is a good idea. After all, the applet security features have a lot of flaws, so why limit your programs when it's not offering any real security? Signing programs is a good idea. It will provide better security than we currently have, without having to limit the capabilities of the software. JMHO. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6 8C 09 EC 52 44 3F 88 30 | | -- Disclaimer: JMHO, YMMV, IANAL. -- | ===================================================================:) From hfinney at shell.portal.com Mon Apr 29 22:58:08 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 30 Apr 1996 13:58:08 +0800 Subject: The Joy of Java Message-ID: <199604292144.OAA20003@jobe.shell.portal.com> Unfortunately in order to run Java applications it is necessary to have the Java interpreter for your host. You may also have to set up various scripts or filetype assignments so that java files can be easily and automatically run by that interpreter. Right now the Java interpreter is not (AFAIK) available separately, but only as part of the Java Development Kit (which is free, but is a big package). So generally the infrastructure is not really there for Java applications to be easily downloaded and run by end users. The attraction with applets is that if you have a recent version of Netscape and a 32 bit OS you are already set up to run them (whether you like it or not, for probably the majority of end users). Also those security and safety features which exist for applets (buggy as they may be at this time) don't exist at all for applications. Java applications can delete or modify files, make arbitrary net connections, etc. So certainly more care must be taken in choosing to download and run a Java application than an applet, comparable to what is necessary when you download and run a new PC application program. Signed binaries are probably again the way to go here. Hal From rah at shipwright.com Mon Apr 29 23:04:52 1996 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 30 Apr 1996 14:04:52 +0800 Subject: DCSB: Gold Denominated Burmese Opium Futures? Message-ID: <v03006604adaae1031021@[199.0.65.105]> Notice the *corrected* reservation deadline of May 4th, 1996, and the meeting day of Monday instead of the usual Tuesday... -RAH -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Perry E. Metzger "Possible Futures: The Impact of Ubiquitous High Speed Networking on Intermediation and Regulation" or "With Spring Street Brewing shares trading on the web, are gold denominated Burmese opium futures inevitable?" *Monday*, May 6, 1996 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Perry Metzger is the President of Piermont Information Systems Inc., a consulting firm specializing in communications and computer systems security. He has worked for, or consulted to, the New York financial community for most of the last decade. He has been strongly involved with the Internet Engineering Task Force's security area for some time, and is the author of several security related RFCs. He is also the co-chair of the IETF's Simple Public Key Infrastructure working group, which is developing public key cryptographic standards for the internet. Networking technology is racing far ahead of culture. Fiber optics offer the possibility of cheap truly ubiquitous internet service in the tens of gigabits per second within the decade, and cheap high speed mobile connectivity is also likely. We will likely live in a world where anyone can sit in a park with a cheap laptop and communicate over a multi-megabit per second channel to any other civilized location on the planet. This development may radically change our culture, and with it the nature of regulation and intermediation in the marketplace. Although opium futures trading might not be inevitable, the scope of the trends we are facing should not be underestimated. Mr. Metzger will discuss these and similar developments; he will also discuss the limits to our ability to predict or alter the course such changes will take. This meeting of the Digital Commerce Society of Boston will be held on *Monday*, May 6, 1996 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have a jacket and tie dress code. Please note that this meeting is on *Monday* this month, due to a scheduling problem at the Harvard Club. We go back to meeting on the first Tuesday of the month in June. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, May 4, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: June Dan Shutzer FSTC July Pete Loshin Author, "Electronic Commerce" August Duane Hewitt Idea Futures We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYUw3PgyLN8bw6ZVAQGhqQQAkO9V9nCDK728Wbi6/niEWlViu8Lg6SKA EuxUJYUxPSF1IQJ1v9PRs1R22+BdsROrTnYhunpwbz/keuYW1qMotnzfvwpgsI57 GEHWl5lefbTfo3v+11RZsjFUHaWTCUYLC5b3j1VwfclkWgw7iK89ou29lAIWNoZh Er9ggqU8FDg= =IeSs -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From Ryan.Russell at sybase.com Mon Apr 29 23:09:34 1996 From: Ryan.Russell at sybase.com (Ryan Russell/SYBASE) Date: Tue, 30 Apr 1996 14:09:34 +0800 Subject: Cell Kill 2 Message-ID: <9604292018.AA26791@notesgw2.sybase.com> It's all just an elaborate plot to help discourage cell-phone cloning. Ryan From frantz at netcom.com Mon Apr 29 23:20:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 30 Apr 1996 14:20:58 +0800 Subject: trusting the processor chip Message-ID: <199604292122.OAA15639@netcom9.netcom.com> At 10:13 AM 4/27/96 -0800, Norman Hardy wrote: >At 9:53 AM 4/25/96, Jeffrey C. Flynn wrote: >.... >> >>It looks like I may have no other option than to give some processor some >>degree of trust. Which processor I should choose, and why that one? >.... >In the days of microcode this was my best (worst?) scenario. Setting up for >fast divide has been an art long before Pentium divide fame. In microcode >you don't spend time testing for cases that you can prove won't happen. >Some obscure cases can arise only with a rare combinations of two 48 bit >operands. The microcode flaw would be to put the processor into privileged >mode even while getting the right answer. There would plausible deniability >even if the flaw were discovered. (Gosh, I didn't test for this fall thru >case because here is the proof that it can't happen.) Of course there is a >bug in the proof but no one reads proofs. This can now be exploited by >anyone that knows what division leaves the machine in privileged state. > >This is an attack on those systems that are rated to run untrusted machine >code, using privileged mode code to limit the operation of the untrusted >code. > >Only one person is necessary to pull this off. He must be trusted to >produce microcode and the implementer of the divide algorithm. Test code >will not find the transition to privileged code just because you can't test >the whole machine state after every tested instruction. Normally the bogus >privileged state of the machine will quickly expire (on the next interrupt) >and will cause no permanent state change even in those few cases where a >magic division occurs naturally. There are some limits to the extent of this kind of problem. If the hardware/OS you are using provides a completely disjoint memory map based on the privileged mode state, it may be hard to exploit the ability to switch to privileged mode. With maps which allow access to the user's address space while in privileged mode (e.g. Solaris), it may be possible to just keep running, and so complete a successful attack. On the other hand, with most systems I have seen, setting yourself into privileged state will persist thru the next interrupt. The system Norm and I worked on would detect it later. (It checked every 5 minutes or so.) The IBM operating systems I have used would not detect, or correct this change. The ray of hope in this area is that there are so many other easier attacks on modern systems. People will have a tendency to use them first. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From perry at piermont.com Mon Apr 29 23:21:53 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 30 Apr 1996 14:21:53 +0800 Subject: The Joy of Java In-Reply-To: <199604292229.SAA08088@universe.digex.net> Message-ID: <199604292245.SAA10827@jekyll.piermont.com> Scott Brickner writes: > I don't understand what you mean by "insufficiently powerful". It's as > expressively powerful as most high-level languages, and computationally > Turing equivalent. It's lack of power seems entirely in the performance > arena, which may be solved, eventually. Java applications can't save files to disk or use data files on disk. If you were, for instance, buying two CPU weeks of idle time on some machines, you would need stuff like checkpointing or the ability to save intermediate results. Perry From frantz at netcom.com Mon Apr 29 23:34:27 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 30 Apr 1996 14:34:27 +0800 Subject: Mindshare and Java Message-ID: <199604292302.QAA24610@netcom9.netcom.com> At 3:56 PM 4/27/96 -0700, Marianne Mueller wrote: >One thing I don't understand, why do you trust signed code? > >So you know the code is signed by Jack the Ripper. so what? How do >decide what you want the code to be allowed to do? I think there's >nothing for it but a kind of limited capabilities model built on top >of the authentication mechanism. I have extensive experience in design and implementation of a pure capability operating system (KeyKOS). If you think my professional services would be of use to the Java group, please let me know. Resume available on request. Thanks - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From sameer at c2.org Mon Apr 29 23:35:03 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 30 Apr 1996 14:35:03 +0800 Subject: The Joy of Java In-Reply-To: <199604292245.SAA10827@jekyll.piermont.com> Message-ID: <199604292322.QAA25776@atropos.c2.org> > > Java applications can't save files to disk or use data files on > disk. Uh, yes they can. It's the applets that can't. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer at c2.net From adam at lighthouse.homeport.org Mon Apr 29 23:35:44 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 30 Apr 1996 14:35:44 +0800 Subject: Bold Assertion: there are no Men in the Middle In-Reply-To: <199604290915.LAA04182@digicash.com> Message-ID: <199604292343.SAA21804@homeport.org> Eavesdropping prevention is important, and is an important feature that PGP provides. If a MITM can subvert the privacy, but not the authenticity of the data, PGP becomes pretty pathetic. Adam bryce at digicash.com wrote: | I still have a strong intuition that I could keep my cash if | I made such a proposal and gave it a few simple stipulations | (such as that the attacker would have to forge important | material in the victim's name rather than just use the | attack to eavesdrop...). The successful attacker would -- It is seldom that liberty of any kind is lost all at once." -Hume From llurch at networking.stanford.edu Mon Apr 29 23:37:55 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 30 Apr 1996 14:37:55 +0800 Subject: [Pointer] fight-censorship-discuss Message-ID: <Pine.GUL.3.93.960429145535.17234U-100000@Networking.Stanford.EDU> FYI. -rich "Have you no decency, sir?" To: majordomo at c2.org Subject: ignored info fight-censorship-discuss From btmoore at iquest.net Mon Apr 29 23:38:01 1996 From: btmoore at iquest.net (Benjamin T. Moore) Date: Tue, 30 Apr 1996 14:38:01 +0800 Subject: Smartcards are coming to the US Message-ID: <m0uDzVt-0048voC@iquest.net> -----BEGIN PGP SIGNED MESSAGE----- At 06:00 PM 4/20/96 -0700, Lucky Green wrote: >Years after smartcards have become ubiquitous in such countries as Pakistan >and Nepal, not to mention Europe, I just saw my first smartcard commercial >ever on US television. > >Way to go :-) > > > >Disclaimer: My opinions are my own, not those of my employer, DigiCash, Inc. > >-- Lucky Green <mailto:shamrock at netcom.com> > PGP encrypted mail preferred. Hummm... Did you ever wonder *why* this was introduced to the "third-world" countries first? If you've been following the progress of the so called "smart- card," you will have noticed it was first introduced to areas that are extremely "low-tech" and well off the beaten path. Also the areas it was *first* introduced were generally marked by a high population density. Notice, "low-tech," high population density and in locations that are definitely out of the loop when it comes to news coverage. There was obviously a strategy involved and I think it would be prudent to wonder why. The U.S. is one of the most technologically advanced nations on the face of the earth. The citizenry are very familiar with technology and are quite adept in it's uses. Not to mention the fact that some of the worlds pivotal financial markets are located here, it makes one wonder why they didn't introduce the card here. I for one am not nearly so intrigued with the benefits of these "smart cards." I see too much room for mischief. Already, where I live, there are Insurance com- panies that have access to the data bases of grocery stores in this area. If one uses one's "debit card" to purchase groceries... and say, purchases a carton of cigarettes for a loved one or friend, the insurance company has access to that information. There is a growing collection of information being gathered on every- one in this country. Although it appears to be harmless, using sophisticated collation and analysis techniques, the accuracy of the inferences *I* believe constitute an invasion of privacy and a clear and present danger. Consider a scheme used by local law enforcement here several years ago. They set up an operation with the several horticulture stores. Anyone purchasing "grow lights" was noted, their license plates were copied and later... based on the fact, a person purchased a "grow light" a search warrant was issued for the search of their homes. Although grow lights are used all the time for legitimate purposes it was assumed that anyone purchasing one was growing marijuana. Imagine being awakened at 6:00 am by a team of narcotics officers with dogs and a warrant allowing them to search your premises. Given the current asset forfeiture laws, and given that well over 75% of the money supply by government studies has been contaminated with cocaine, you could lose your home if the dogs happen to "hit" on any money in your home. Never mind you're not one who grows or deals in narcotics, this is extremely dangerous! In the new anti-terrorism bill recently signed, the FBI has been given the ability to tap 1 out of 10 phone lines without the need to actually come out and set up a tap on your line. This will now be handled automatically for them by your friendly phone company. I see "smart cards" as one more twist in the ever tightening noose around our necks and the Bill of Rights. Not only will the cards be able to keep your complete history from cradle to the grave on them, but what's to prevent them from being used in the future as an internal passport of sorts? We are rapidly approaching the point where we will be stopped and required to produce our papers. This information will be readily available to any government agency... and not a few corporations to exploit at will. No I'm not at all enthused with the advent of the smart card. Currently there is much discussion regarding various banking institutions charging excessive amounts for transaction fees at your local "ATM." Wonder how much they will be looking to charge for this service? Something to think about. Benjamin T. Moore, Jr. (btmoore at iquest.net) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMYT0c4SAJOVFNaChAQG6kAf/SF/cMlbkj+0FQCBjHe29wJR93UMBqykf Fz0N9dUB+TLksddhcEMWzwY0oDGjT87DOjYmimzvDQgwinxQEemxe4pS2ph2ydJZ 3iELOWRcyKdD4Hi+RB2O9gjKNR6M1O2I/cvdnxjV6r+L9Ysd1ea35jJ2R7LhVVMf MRQQuMs3zx5zJafp2LNI43JCGvWweHy0ZEzHex65Ee9FdRTLNT5KIbl/QHaFP6Ij gMWysxBnj3bBCoBx0l511GMmPN0W/tycec45EvRFhJOUPR+H0bKhzoYs46tSQAkr NPPTFCdvFae539xgWlvVpIffp/mGigsjaKv7WJRu4hEpQeRV9lNGmA== =GGwf -----END PGP SIGNATURE----- --------------------------------------------------------------------------------------------------------------- "When they came for the Fourth Amendment I didn't say anything because I had nothing to hide. When they came for the Second Amendment I didn't say anything because I wasn't a gun owner. When they came for the Fifth and Sixth Amendments I didn't say anything because I had committed no crimes. When they came for the First Amendment I couldn't say anything." -------------------------------------------------------------------------------------------------------------- PGP Key available from key servers, or on request. Key Fingerprint = 3D 90 0C 58 EE 65 AE 89 28 C5 58 A2 D5 F4 A8 -------------------------------------------------------------------------------------------------------------- From unicorn at schloss.li Mon Apr 29 23:40:44 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 30 Apr 1996 14:40:44 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <199604290846.KAA01661@digicash.com> Message-ID: <Pine.SUN.3.93.960429161730.5790A-100000@polaris.mindport.net> On Mon, 29 Apr 1996 bryce at digicash.com wrote: > > In the meantime, I cannot have much confidence in the > security of my private communications with Black Unicorn, > which makes me hesitant to exchange money with him. That's ok, I prefer cash. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From philip at cs.brandeis.edu Mon Apr 29 23:53:06 1996 From: philip at cs.brandeis.edu (Philip Trauring) Date: Tue, 30 Apr 1996 14:53:06 +0800 Subject: WSJ on Crypto Push - Irony In-Reply-To: <199604291431.KAA03328@pipe2.nyc.pipeline.com> Message-ID: <v03006601adaaf856a406@[129.64.2.184]> > Sen. Conrad Burns (R., Mont.) is expected to introduce > tomorrow a bill that would ease the federal government's > export rules. At the same time, industry-trade groups and > privacy advocates will seek grass-roots support via the > Internet. Anyone else see the irony that the senator comes from Montana? Philip --=--=====--=--=====--=--=====--=--=====--=--=====--=-- Philip Trauring philip at cs.brandeis.edu 617-736-6702 "knowledge is my addiction, information is my drug" http://www.cs.brandeis.edu/~philip/ --=--=====--=--=====--=--=====--=--=====--=--=====--=-- From nobody at REPLAY.COM Mon Apr 29 23:55:30 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 30 Apr 1996 14:55:30 +0800 Subject: No Subject Message-ID: <199604300025.CAA28426@utopia.hacktic.nl> "I am sorry if you misunderstood my previous email. We are ex-Stanford grad, not current students! The WhoWhere? database is collected through a combination of technolofy, partnerships, and self-registrations by end-users. Our content is from publicly available sources." http://ergos-home.stanford.edu/whowhere.logo.gif name: Doremieux, Francois Yves Jean e-mail: 96francoid at Gsb department: Business year: Graduate phone: (415) 497-4334 From sjb at universe.digex.net Tue Apr 30 00:29:41 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Tue, 30 Apr 1996 15:29:41 +0800 Subject: The Joy of Java In-Reply-To: <199604270123.VAA01708@jekyll.piermont.com> Message-ID: <199604292229.SAA08088@universe.digex.net> "Perry E. Metzger" writes: >You can do that safely without making it dangerous for your machine. I >know how I would build a restricted execution environment for such >markets. However, Java is 1) too slow, since if you are selling >rendering cycles or such you don't want to be running an interpreter, >2) insufficently safe, and 3) paradoxically, insufficiently powerful >for the sort of code you would want to run in such an environment. The speed can be significantly addressed by compiling the byte-code to local machine instructions, but given the sheer number of junk cycles that are made available by letting a Java interpreter sell them, it doesn't much matter for some applications. I agree that Java is currently too unsafe. The current Java model may not even be salvageable (that being where I got in on this thread). It's the concept embodied by Java (and it's many conceptual cousins, Scheme, Safe-TCL, E, etc.) that I was talking about. I don't understand what you mean by "insufficiently powerful". It's as expressively powerful as most high-level languages, and computationally Turing equivalent. It's lack of power seems entirely in the performance arena, which may be solved, eventually. From adam at lighthouse.homeport.org Tue Apr 30 00:30:24 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 30 Apr 1996 15:30:24 +0800 Subject: PGP and pseudonyms In-Reply-To: <Pine.BSF.3.91.960429000141.11364B-100000@kirk.edmweb.com> Message-ID: <199604292347.SAA21881@homeport.org> The solution is to store your keys on an encrypted filesystem, such as Cryptdisk or CFS. Thus, possession of the keyrings does no good, because they're encrypted. I've found that leaving PGP on the encrypted partition makes me less likely to get error messages like 'keyring unavailable,' and I do get the obvious: pgp: Command not found Adam Steve Reid wrote: | > > I suppose a temporary fix would be to not use an ordinary PGP passphrase, | > > but rather encrypt the whole secring.pgp file. Decrypt it when you need | > > it, and be very careful to properly clean up when you're done. | > Huh? | > Just use multiple secring.pgp files, and toggle PGPPATH. What's the | > problem? | | You don't understand the problem we're concerned about... The problem is, | the "real" person is in posession of the pseudonym's secret PGP key, and | PGP doesn't try to hide that fact. | | Suppose John Doe is using the pseudonym "Evil Bastard". Naturally, he has | a PGP key for his Evil Bastard identity. Now suppose someone gets into his | computer. This person would be able to find Evil Bastard's secret key. | Fortunately, the snoop would not be able to use the key, since it would be | encrypted with a secure PGP passphrase. However, they would still be able | to use the command "pgp -kvv secring.pgp", and that shows the key ID of | each secret key. -- "It is seldom that liberty of any kind is lost all at once." -Hume From tallpaul at pipeline.com Tue Apr 30 00:34:07 1996 From: tallpaul at pipeline.com (tallpaul) Date: Tue, 30 Apr 1996 15:34:07 +0800 Subject: [DETWEILING?] Re: The Iron Mountain Report Message-ID: <199604300048.UAA28939@pipe6.nyc.pipeline.com> On Apr 25, 1996 00:17:25, 'Rich Graves <llurch at networking.stanford.edu>' wrote: >On second thought, this is so *obviously* a troll that it *must* be >intended to be obvious. Of course there are a lot of really stooooopid >Nazis out there, but this last round is too much. Did you see the one >about Smart Cards being the Mark of the Beast? Follow the URL that message >gave -- it's even loonier than it looks. > The sense I have is that the highest liklihood is that it springs from a standard run-of-the-mill loon on the conservative side of the spectrum. The net nazis are busy with far more creative trolls and the leftists have no record of picking up on this particular report (since, if nothing else, it was designed as a semi-humor piece when originally published in hardcover.) It more reminds me of the space-alien kidnapping piece on "Penelope Kuntz" from one of the fake newspapers that the _National Lampoon_ ran a few years ago. It was picked up and reposted by some of the paranoids. >Only nobody at replay.com knows... > >Possibilities: > >1. Some anti-Nazi (such as Tallpaul -- note this is *not* an accusation!) >trying to make the Nazis look bad. > I didn't take it as an accusation. There's nothing wrong with running through a complete(ish) list of hypotheses when working on a problem. However, this hypothesis is not likely since: 1) I don't think it came from nazis; 2) I (modestly) think I can make the nazis "look bad" by quoting them, not inventing trolls; 3) I don't troll political issues for political reasons. (OK, the BABYLON-5 troll was sort of political but I thought the reference for people to "bite my third secondary grasping tentacle" made it obvious but a couple of left-wing dufuses still took it seriously). 4) I am a generalist, without the detailed technical knowledge for really good trolls. Similar arguments against your other hypotheses. >2. Some really, really stupid Nazi who doesn't realize that he looks bad >(if you don't believe sich people exist, look up just about any Usenet >post from Les Griswold or A HUBER). >3. Some Detweiler tentacle/clone trolling just for kicks. >4. Declan, trying to troll me. >5. Me, trying to troll Declan, or myself. > ><pot-kettle-black=on> > >In any case, the person doing it is an asshole, and there is little call >for substantive replies. Don't feed the animals. > ></pot-kettle-black> > >-rich > > From die at pig.die.com Tue Apr 30 00:40:22 1996 From: die at pig.die.com (Dave Emery) Date: Tue, 30 Apr 1996 15:40:22 +0800 Subject: NOISE - AARMs (fwd) Message-ID: <9604300117.AA25708@pig.die.com> > David Lesher writes: > > > But there has been an easy defense against such for decades. > > You run ordinary phone wire from the transmitter + antenna X meters > back to the bunker or whatever. Then you talk from there. > Another division of a company I did some consulting work for makes a box that goes between the transmitter and control head of a current generation tactical UHF satellite terminal (LST-5 TACSAT) of the type used by US military commanders in the field. It connects the control and talking part of the radio with the transmitter and antenna via up to a mile of optical fiber cable with no metal conductors. As you can imagine, it is hard to use RF sniffing techniques to find the command post at the other end of the fiber. Dave Emery die at die.com From declan+ at CMU.EDU Tue Apr 30 00:42:24 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 30 Apr 1996 15:42:24 +0800 Subject: DRAFT agenda for DC net-conference in early May Message-ID: <IlVKVFu00YUzNGufRD@andrew.cmu.edu> I recently saw a DRAFT agenda for a day-long Net-conference to be held in early May, hosted by Congressmen Jack Fields and Rick White. Panels include Future of the Internet, Electronic Commerce, Intellectual Property, Law Enforcement and Encryption, and Education on the Net. Highlights include a POSSIBLE luncheon address by The Honorable Newt Gingrich. Thought DC-area cypherpunks might like an advance heads-up. -Declan From perry at piermont.com Tue Apr 30 00:44:41 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 30 Apr 1996 15:44:41 +0800 Subject: The Joy of Java In-Reply-To: <199604292322.QAA25776@atropos.c2.org> Message-ID: <199604300108.VAA10986@jekyll.piermont.com> sameer at c2.org writes: > > Java applications can't save files to disk or use data files on > > disk. > > Uh, yes they can. It's the applets that can't. Same difference -- we were talking about applets (or at least "safe java" to coin a phrase) as a way of selling compute cycles. .pm From dlv at bwalk.dm.com Tue Apr 30 01:00:45 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 30 Apr 1996 16:00:45 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <m0uDvBL-00097LC@pacifier.com> Message-ID: <mm86mD267w165w@bwalk.dm.com> jim bell <jimbell at pacifier.com> writes: > At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: > >CNN is reporting that Colby's canoe has been found on the Potomac and > >Colby is missing. > > Don't tell me, let me guess: The guy who rented the canoe to him has > suddenly retired, and has been reportedly seen going on a Park Avenue > shopping spree. Right? Jim, I don't find dumb jokes about dead people I liked particularly funny. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From schryver at radiks.net Tue Apr 30 01:01:59 1996 From: schryver at radiks.net (Scott Schryvers) Date: Tue, 30 Apr 1996 16:01:59 +0800 Subject: Freedom and security Message-ID: <199604300129.UAA19944@sr.radiks.net> At 11:08 PM 4/28/96 -0700, you wrote: > >>No. "Those who sacrifice security for freedom, will have neither" is >>not consistent with Franklin's statement, nor is it true. Security and >>freedom are antithetical, and worse than that, security is always an >>illusion. But you can have your illusion, as long as you keep it out of >>my life. Censor yourself if you wish, but don't censor anything I might >>want to look up. >> >The Internet may once have been one of those small close knit communities, >small enough not to require law enforcement - although even then it had >rules that had to be followed. But that Internet is gone, and it will >never return, because now its the biggest city in the world, and the >history of the change from pastoral communities to urban life, to the >development of nation states and power blocs is also the history of crime. >And as the Internet grows, so will its security problems. > >My position is to seek a balance between the freedom of the individual and >the security of the community. My argument is that when the security of >the community is threatened by the freedom of the individual, the community >will always prioritise its safety. "When the security of the community is threatened by the freedom of the individual?!" >From what socio-political ideology do you run your group? >Good government of course means >maintaining individual freedoms *and* maintaining community security. I >actually disagree that they are antithetical. On the contrary they are a >balance that any society has to find. Where individual freedom takes over >you have the urban jungle where predators consume prey. Where security >takes over you have the totalitarian state. Neither is necessary nor >inevitable. By the way government serves best when it serves least. Remember that. >We are simply concentrating on the problem from two different angles. My >concern is to maximise community safety while protecting individual >freedom. Your angle is to maximise individual freedom while protecting >community safety. There is IMHO very little difference between the two. No there is a major difference, I feel society is served best when each individual has the freedom to defend and protect themselves apposed to what you want us to do in essence you want us to lay down those liberties to an outsied group who are supposed to protect us. The internet is not a city, it is a computer network that spans the globe. What you are asking for in analogy is not a cop walking a city street but fucking U.N. tanks driving through neiborhoods enforcing rights by way of brute force. >From what I have seen of what your group does you are as hypicritical as law enforcement in your techniques and attacks on others. Often unwarranted and justified in the name of some supposed higher ideal. PGP encrypted mail preferred. Scott J. Schryvers <schryver at radiks.net> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzFX9usAAAEH/2r2eovPAoYZbxzmfJ1DW7yjjdVnckXjUVKU/zZNAUV/IjzF GDEq040wbAG1rFHDYoBOjjJTOGWMFuZ9apqoAvvI7Q4NAmVrNif0Rp8q/j4jib13 dlAA4Q0nvJZ5YNw4sf4r0iug76+9i0WpIZoP60DEB8BTuyCP55+nsbe7Ii3xLRyq ThZ2fhNqK2hD/rFugXK29Ynyzuc6TuFfu78kVOsYUUbQpplXyaLjhGKN94pZ5jox x7/wvqmBoH9E3rnaIPY9vOwy3kvMmCTlkjhlCzMXZHDn0e3UHWAax2mUTMttRzzi +SUv45h6ua+eSwUkA8uojojn/JiPOKIPwPk3hq0ABRG0KFNjb3R0IEouIFNjaHJ5 dmVycyA8c2Nocnl2ZXJAcmFkaWtzLm5ldD4= =58dK -----END PGP PUBLIC KEY BLOCK----- From vznuri at netcom.com Tue Apr 30 01:04:15 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 30 Apr 1996 16:04:15 +0800 Subject: CryptoAnarchy: What's wrong with this picture? In-Reply-To: <Pine.SUN.3.91.960427153644.3252A-100000@crl12.crl.com> Message-ID: <199604300014.RAA15577@netcom3.netcom.com> >The MODERN state is doomed and, thanks to technology, the people >have too much power to permit more "traditional" governments to >control them. States may not go quietly into that gentle night, >their death throes may be very bloody, but go they will. the question is of course, what will the "modern" state be replaced with? imagine a system in which everyone coordinates their public or community projects via web pages, or groupware, or the internet, or cyberspace, or something like that. would this be a "government"? to cryptoanarchists, "government" is a four-letter word, even though there may be other systems that they embrace that effectively perform similar functions. the cryptoanarchists tend to define government in weird ways that most people don't agree with. "government is the entity that collects taxes with the threat of force". "government is the entity with a monopoly on force". "the only purpose of government is to prevent people from hurting each other and to protect private property". what amazes me is that many so-called "cryptoanarchists" are committed to their communities and interested in the welfare of their peers. when you formalize this, you have government. granted, it often goes astray, but in my view our government is out of control not because of the evil of politicians, but because of the apathy and resignation of the public, which could have checked it before it got out of hand. instead the attitude in this country is, "here is my tax money, 20% of my earnings. did I send you the right amount? are you not going to audit me? good. then please leave me alone". if the attitude were instead, "what the @#$^%^&* are you doing with MY MONEY?!?!?" we would have had a different system. I intend to write an essay on that here. what I think everyone can believe is that our current system is broken and it being replaced with something better is fairly inevitable. but labelling the inevitable alternative "anarchy" doesn't quite make sense to me nor do I think that is really what some anarchists are advocating. small self-governed communities that are in themselves autonomous, and aren't manipulated by an outside authority, is what most people have in mind. From ses at tipper.oit.unc.edu Tue Apr 30 01:59:38 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 30 Apr 1996 16:59:38 +0800 Subject: The Joy of Java In-Reply-To: <199604292245.SAA10827@jekyll.piermont.com> Message-ID: <Pine.SOL.3.91.960429203250.2355A-100000@chivalry> On Mon, 29 Apr 1996, Perry E. Metzger wrote: > > Java applications can't save files to disk or use data files on > disk. If you were, for instance, buying two CPU weeks of idle time on > some machines, you would need stuff like checkpointing or the ability > to save intermediate results. See the documentation for FileOutputStream; unsigned java applets can't make persistent changes, but signed ones can. Applications can always access the file system Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Tue Apr 30 02:03:49 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 30 Apr 1996 17:03:49 +0800 Subject: Calling other code in Java applications and applets Message-ID: <adaadb06040210042638@[205.199.118.202]> At 11:22 PM 4/29/96, sameer at c2.org wrote: >> >> Java applications can't save files to disk or use data files on >> disk. > > Uh, yes they can. It's the applets that can't. And I believe that even applets can read and write data files on disk IF THE APPLET ENVIRONMENT PERMITS this. Netscape and similar environments at this time of course _don't_ let this happen, but this is a choice (as I understand it) made at this time and perhaps for this version of the respective pieces of software. (As I understand it, an explicit decision not to allow file i/o, for some obvious though not necessarily permanent reasons.) Certainly the InputStream and OutputStream classes handle file i/o for Java applications--if not applets in general, and presumably not with Netscape 2.0. I can imagine future developments which will allow browsers or similar environments to have full file i/o capability. (Sure, there are dangers. There are always dangers in running code gotten from others. These are recurring problems. I expect lots of flavors of solutions, from signed classes to "playpen" holding tanks (which allow file i/o, but only within some constrained environment), and so on.) By the way, I had a discussion at a party with several Sun folks and other Java programmers, and they agreed that external code (C, for example) could be called, even by an _applet_, if arranged. For example, various underlying graphics routines in the AWT (Alternative Window Toolkit) package are of course using underlying code written in various other languages, code that has been reasonably optimized for speed. "import java.awt.*" makes this code available to applications, and (I believe) to applets within Netscape-type environments. (I suspect there's a simple chart someplace showing what will run under what constraints.) The interesting thing here is that a crypto package, perhaps with speed-optimized underlying routines in C or even hand-coded machine language, could be released. It might be that patent holders (not that I am endorsing this) could license such packages to users. Thus, import java.bignum.* import.java.entropy.* import java.rsa.* import java.digicash.* ... (Such packages may need approval by Sun, etc., and formal integration, a la AWT. But certainly there is talk of replacing AWT with something else, so changes and additions are clearly possible.) Lastly, I don't believe that discussing the implications of Java justifies the claim that "males are posturing." To me, discussing Java, virtual machines, security issues, and advantages/disadvantages is what the list is about, at least as much as the other topics we so often discuss. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From shamrock at netcom.com Tue Apr 30 02:15:48 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 30 Apr 1996 17:15:48 +0800 Subject: connecting Uni to the Web O Trust Message-ID: <v02120d20adab4429605e@[192.0.2.1]> At 17:56 4/28/96, bryce at digicash.com wrote: >I mean, I could explain it to him, but not even counting the >difficulties of communicating such complex concepts among >humans, there is the fact that if Mitch is here, he can >prevent the real Uni from seeing the explanation, and he can >act in Black Uni's place as if he understands. Then he can >go through the necessary steps to increase our trust in his >pubkey, as if Uni were going through them. It is generally acceptable to sign a key after seeing a very easily forgable driver license. Even if you have seen the person before on TV, a similar looking actor could be substituted, the true person could be brainwashed, and what if the person has multiple personality disorder? Should Jim's public key become invalid once John or Alexis have taken over? The PGP web of trust is a practical solution for an imperfect world. Yes, someone might have wrapped Uni into a bubble. But that would have to be some damed good bubble for it to last so many years. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From rich at c2.org Tue Apr 30 02:19:07 1996 From: rich at c2.org (Rich Graves) Date: Tue, 30 Apr 1996 17:19:07 +0800 Subject: WhoWhere.com v. that stanford.edu loon Message-ID: <199604300342.UAA22910@Networking.Stanford.EDU> -----BEGIN PGP SIGNED MESSAGE----- Several people asked for an update, so here it is. WhoWhere.com has been provided a dump of the password file that they may never have seen before, and they will be purging all 27,128 addresses therein from its database. Of course, many of those addresses may also be available from other, publicly available sources, and the Stanford community has been made well aware of whowhere.com's service (for user entries), so I expect that thousands of these addresses will return soon. I am confident that the Parsec folks are now acting in good faith, and that they are now sensitive to the relevant privacy and ethical issues. Myself, I'm cognizant of the hypocrisy and foolishness inherent in my position, but hey, we do what we can with what we got. Until the system is fixed, I gotta defend my people the best I can. I'm still reasonably serious about that "Hack Stanford Privacy" thing. If there is an easy way for outsiders to glean our whole kerberos namespace (outside of other major universities interconnected via AFS, and we'll get that fixed Real Soon Now), I want to know about it. - -rich [not on cypherpunks, so please Cc any responses] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYWLdo3DXUbM57SdAQF9fAP+Pw4ra8Q5JfDy/DnmfrDauP5/4x+sH+SY qOwGk+GDgKW1p9yO+31OhuLsatPK5sXDGjTtwseRZXZXizylGmwQtgs2g9gQMxNR feZLyo0WBVnYw600ppms7nfay0uqEjM25nw/z+HDrUZ7VlWuAXZ/yctqLadiO3P8 +vCGbDfSQWA= =dP6F -----END PGP SIGNATURE----- From alanh at infi.net Tue Apr 30 02:23:39 1996 From: alanh at infi.net (Alan Horowitz) Date: Tue, 30 Apr 1996 17:23:39 +0800 Subject: On computer face recognition: In-Reply-To: <199604120630.XAA14255@dns1.noc.best.net> Message-ID: <Pine.SV4.3.91.960429213705.3330B-100000@larry.infi.net> << "Results were successful (else why write about it?" >> Another believer in the tooth fairy. Send this kid to the "Real World Academic Life" bootcamp, please. Note that I am not making any comment on the success of this particular work. From alanh at infi.net Tue Apr 30 02:23:39 1996 From: alanh at infi.net (Alan Horowitz) Date: Tue, 30 Apr 1996 17:23:39 +0800 Subject: On computer face recognition: In-Reply-To: <ad931cb2140210040b59@[205.199.118.202]> Message-ID: <Pine.SV4.3.91.960430000646.15711A-100000@larry.infi.net> What task is the human brain optimized for ? From geeman at best.com Tue Apr 30 02:27:01 1996 From: geeman at best.com (geeman at best.com) Date: Tue, 30 Apr 1996 17:27:01 +0800 Subject: On computer face recognition: Message-ID: <199604300335.UAA01760@dns2.noc.best.net> At 09:39 PM 4/29/96 -0400, you wrote: ><< "Results were successful (else why write about it?" >> > > > Another believer in the tooth fairy. Send this kid to the "Real World >Academic Life" bootcamp, please. No (sigh) I'm not a believer in the tooth fairy, nor a kid. I take the time and trouble to post to the list something of bona-fide value and interest and all you can do is snipe at some side-comment, tongue-in-cheek at that? I see we're not talkin' bout a 1-percenter here, are we? Let's see if you can't do something more useful next time. > >Note that I am not making any comment on the success of this particular >work. Probably because you haven't a clue. > > From stewarts at ix.netcom.com Tue Apr 30 02:47:00 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 30 Apr 1996 17:47:00 +0800 Subject: Mindshare and Java Message-ID: <199604292357.QAA17206@toad.com> At 03:56 PM 4/27/96 -0700, mrm at netcom.com (Marianne Mueller) wrote: >One thing I don't understand, why do you trust signed code? >So you know the code is signed by Jack the Ripper. so what? How do >decide what you want the code to be allowed to do? I think there's >nothing for it but a kind of limited capabilities model built on top >of the authentication mechanism. Some code comes from random sources; signatures there mainly buy you the ability to blame someone if the code hoses your machine, and thus reduces the chance that someone will hose you. But as Java develops, there'll be more commercial code available; I'd trust Java code signed by Microsoft just as much as I'd trust any other Microsoft code I'm running on my machines. Maybe more, given the quality of some of the Microsoft code I'm running now :-) # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 From shamrock at netcom.com Tue Apr 30 03:00:05 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 30 Apr 1996 18:00:05 +0800 Subject: arbiter/escrow agent for hire Message-ID: <v02120d1eadab4107a3eb@[192.0.2.1]> -----BEGIN PGP SIGNED MESSAGE----- At 17:43 4/28/96, bryce at digicash.com wrote: >-----BEGIN PGP SIGNED MESSAGE----- > > Black Unicorn <unicorn at schloss.li> wrote: >(> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) >> > IIRC, currently Black Unicorn doesn't have any signatures on >> > his public key of others. Therefore, this requirement, while >>understandable, >> > could cause a bit of a difficulty in the current situation. >> >> Please obtain a copy of my current key by finger. > > >Oh please. My respect for Uni's acumen just decremented a >couple of notches. A 2048-bit key, and no signatures? >Rather like a front door with welded plate armor and an open >window, no? We had once had a thread on the list that discussed if it makes sense to sign keys for nyms you have never met. I think it does. Even seeing a driver licencse isn't 100% proof that the name stated on the doccument is the True Name of the person. However, I am firmly convinced that the person using the PGP key pub 2048/4E685D39 1995/03/26 Black Unicorn <unicorn at access.digex.net> Key fingerprint = 00 B9 28 9C 28 DC 0E 55 E1 6D 53 78 B8 1E 1C 96 is the same Black Unicorn that is frequently posting to Cyphperpunks. Therefore, I am willing to sign his key. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQEPAy91JFIAAAEIALRKcL9qZZnqMn3fuDDxOd8+d2F+rqKB3Ff1U7+9Cp2CGugx zfygey2nBEZQXiXG8fBi44iGAuHNc7TRRkQCr8srMwKXeU1Ue/fe5ACcDGy0H1ki C0YYOuWFY2mtKCiqW3kcXWGFlDf418FbXftqJwSvMiIWIzgtepSWfzl5ApmguHjA lTngdR+R557Cb6mgLV0Vug9yGyqXGeCqIs7Yx5SpakoIRwkkfniGa3m6L8+OgREY bW6MoDPOfUox90xqJsDePB7b11l05I87V28s4FaTYH8CdmtdAun52/hLEAQKMXyz g7jPlSQzpLObZ0OL3eiulHyC0aR4LWieb05oXTkAEQEAAbQoQmxhY2sgVW5pY29y biA8dW5pY29ybkBhY2Nlc3MuZGlnZXgubmV0PokAlQMFEDGFkHEEkJHpt/K8BQEB nXgEAIe4FNcBuzXHT3VR1jfLcL+5vbjSH6Cxv06vEhpV3UpZonpD8C9Y+Mv2YSea iOV5aKf98xgRpGNqxuofkDsQu9fJPJizOaFQFEFJXbjT/NcnzYKBFDX3XyDF45Uq n6OM9t5ysRQOCPMzRlf05tu48qVwpx3qSU4yWDok3F6hQhMuiQEVAwUQL3VAdC1o nm9OaF05AQH/oAgAp/ZME1rM4o2lnKRuI/n+IrrBZVMrB59tzgpDzt0KNoOkIRsE 4YIC1bgZKbcfKYr8ovaH0R2/xGe8V2HPcZZocCNCtQJodOPgwHGwU44E7JSugMTC XsqtRt1Ost7n6X5e0AklQo2bYvTv5ylhrEybZA4Yeg1VYTITMxoTVdG4kKSQ4LWf SV9qGV74kPldNfScTjfw/eP2hnIKvDDlveFgoeJD3/kN0sLkckzVkP+jkygMc2QZ 6h8278cvRjXzGndP+2jm0DrNBF9P8tGka9HSZZwyCDCwSlAdNy4EgYEpWNbFOSUn g02GKEVZ5dz7CYQz3gd40VYYl5/B4Hktj69V+w== =dPns - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYWSfwSQkem38rwFAQE4+QP+Jzh1AJjwCMCDuWZoe5Tf3AaOz/M0x1AV 6VLmy5A2dk4Kqm/40bOd5PPzq6fQJUcke/PRKP55gXoXyFnZrurXBzB+ogpurzH3 +FKfpBEPjfZRvZzDF7/MNUCq7TpgEucIpe0jXNoCg/DxYkl84ZbEPdudnRhUjfaW dE2XgLK+iUk= =LD50 -----END PGP SIGNATURE----- Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From tcmay at got.net Tue Apr 30 03:14:21 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 30 Apr 1996 18:14:21 +0800 Subject: The Joy of Java Message-ID: <adaae2b906021004f53b@[205.199.118.202]> At 10:45 PM 4/29/96, Perry E. Metzger wrote: >Scott Brickner writes: >> I don't understand what you mean by "insufficiently powerful". It's as >> expressively powerful as most high-level languages, and computationally >> Turing equivalent. It's lack of power seems entirely in the performance >> arena, which may be solved, eventually. > >Java applications can't save files to disk or use data files on >disk. If you were, for instance, buying two CPU weeks of idle time on >some machines, you would need stuff like checkpointing or the ability >to save intermediate results. Java applications _can_ save files to disk, and read them. Further, even the presently-more-constrained applets can retrieve certain types of files. For example, "getImage" and "getAudioClip" methods. I mention this point for two reasons. First, it says the applet model is not forever and totally blocked from reading disk files. (And I would not be surprised to see additional file retrieval methods "allowed." To be sure, this raises more and more security issues to look at, but TANSTAAFL.) Second, the relevance for providing sources of entropy for Java applets. I haven't looked in detail, but I'll be willing to bet quite a bit that someone has already or soon will run a QuickCam video input, not to mention sound input, in a Java applet, and that this could easily be used as a source of entropy bits. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Tue Apr 30 03:36:44 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 30 Apr 1996 18:36:44 +0800 Subject: arbiter/escrow agent for hire In-Reply-To: <v02120d1eadab4107a3eb@[192.0.2.1]> Message-ID: <Pine.SUN.3.93.960430002241.513E-100000@polaris.mindport.net> On Mon, 29 Apr 1996, Lucky Green wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > At 17:43 4/28/96, bryce at digicash.com wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > > > > Black Unicorn <unicorn at schloss.li> wrote: > >(> "E. ALLEN SMITH" <EALLENSMITH at ocelot.Rutgers.EDU> wrote:) > >> > IIRC, currently Black Unicorn doesn't have any signatures on > >> > his public key of others. Therefore, this requirement, while > >>understandable, > >> > could cause a bit of a difficulty in the current situation. > >> > >> Please obtain a copy of my current key by finger. > > > > > >Oh please. My respect for Uni's acumen just decremented a > >couple of notches. A 2048-bit key, and no signatures? > >Rather like a front door with welded plate armor and an open > >window, no? > > We had once had a thread on the list that discussed if it makes sense to > sign keys for nyms you have never met. I think it does. Even seeing a > driver licencse isn't 100% proof that the name stated on the doccument is > the True Name of the person. > > However, I am firmly convinced that the person using the PGP key > pub 2048/4E685D39 1995/03/26 Black Unicorn <unicorn at access.digex.net> > Key fingerprint = 00 B9 28 9C 28 DC 0E 55 E1 6D 53 78 B8 1E 1C 96 > is the same Black Unicorn that is frequently posting to Cyphperpunks. > > Therefore, I am willing to sign his key. I hate to ask this of you. Could you sign the new one (same ID, but it has my more current addresses on it) You can get it by finger, but I'll include it here too. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQEPAy91JFIAAAEIALRKcL9qZZnqMn3fuDDxOd8+d2F+rqKB3Ff1U7+9Cp2CGugx zfygey2nBEZQXiXG8fBi44iGAuHNc7TRRkQCr8srMwKXeU1Ue/fe5ACcDGy0H1ki C0YYOuWFY2mtKCiqW3kcXWGFlDf418FbXftqJwSvMiIWIzgtepSWfzl5ApmguHjA lTngdR+R557Cb6mgLV0Vug9yGyqXGeCqIs7Yx5SpakoIRwkkfniGa3m6L8+OgREY bW6MoDPOfUox90xqJsDePB7b11l05I87V28s4FaTYH8CdmtdAun52/hLEAQKMXyz g7jPlSQzpLObZ0OL3eiulHyC0aR4LWieb05oXTkAEQEAAbQiQmxhY2sgVW5pY29y biA8dW5pY29ybkBzY2hsb3NzLmxpPokAlQMFEDF8faNVZJN3Wse4ZQEBcpYD/jQL XhtkgYmvhqBUb65iidOMhq3jP+xMIw9K6ucYcjskf0yYLhq68QevAWxdGrfL4Gsg PWW9db9v7Q3PTifokuVRrTA32S6l0rVPX3HSiwEgGLfQCNWz4jKcDYyaZolyFFWT oAFqjzSo96M3H/MRT8nPoZqlcsu8WieU3QsNiKEkiQCVAwUQMXgRyE5ULTXct1Iz AQGUrgQAs7tgiSzZOjiWFf0BAyk36gBpBJBevZHzUD05RSdIqyNsdKVmRgUxJlGU SjBe01Qr+P2pfmV8EN1IhCju/1ZZsFAGN+iiVBpywTmUPpJIL2Gdx7f8u7pfFEdy YmNGHZP+VLwnBBCyhfmvVUxdMCg6P77Wt4raBGJCz96dh3vtlvOJARUDBRAxcERY LWieb05oXTkBAcjyB/sGnfvkOFbOv02/cvhktcME8EdonWVAaBremCyxwcoJ3XgJ qBAJbU9SzwpqW5Apu1ulP7GmlpOYE9Umg2+VY9IsBIDg5orZtext7VCWbVjjfWGL JJWFvEWgqflJ9yskz1VUE8VzSu6KFDRzDMXmKL4dH1PVh4J6byePJu9QplZUY+ed k5vJXgVSlH/OXmjI/Z+YOpbH04g6by8pzBKCg/8LJeih3DHvjoVeBn4DdPHgAYwt sPNbr3MAM+hW1cyG/EpO679CDjad3jSadkyXzBUKx3R7DRWqvzYEry3gKyLTlOAQ Qyj9qY7/ajKEssjjb3f3IKFzxdOok1rd46KlWCHDtCRCbGFjayBVbmljb3JuIDx1 bmljb3JuQG1pbmRwb3J0Lm5ldD4= =lURs -----END PGP PUBLIC KEY BLOCK----- --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From attila at primenet.com Tue Apr 30 03:52:44 1996 From: attila at primenet.com (attila) Date: Tue, 30 Apr 1996 18:52:44 +0800 Subject: Social Transformation, Not Tax Evision Message-ID: <199604300501.WAA23276@primenet.com> ** Reply to note from Duncan Frissell <frissell at panix.com> 04/29/96 10:28am -0400 = "God fights on the side with the heaviest artillery. These days MarketEarth = has the heaviest artillery." just because you carry, like everyone else, carrying God's banners does not mean God is on your side, or the side with the heaviest artillery. God is on the side of those who have faith and charity-- nothing else required. the heaviest artillery is nothing more than man's pride, not his humility; pride will not bring you to the celestial kingdom, nor will you inherit the earth. -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. cc: Cypherpunks <cypherpunks at toad.com> From erc at dal1820.computek.net Tue Apr 30 04:34:34 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Tue, 30 Apr 1996 19:34:34 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <mm86mD267w165w@bwalk.dm.com> Message-ID: <Pine.3.89.9604300101.A16052-0100000@dal1820.computek.net> On Mon, 29 Apr 1996, Dr. Dimitri Vulis wrote: > jim bell <jimbell at pacifier.com> writes: > > At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: > > >CNN is reporting that Colby's canoe has been found on the Potomac and > > >Colby is missing. > > > > Don't tell me, let me guess: The guy who rented the canoe to him has > > suddenly retired, and has been reportedly seen going on a Park Avenue > > shopping spree. Right? > > Jim, I don't find dumb jokes about dead people I liked particularly funny. CNN is reporting that although the search is continuing, the authorities are presuming Colby drowned in a boating accident. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From bwern at jaxnet.com Tue Apr 30 05:14:41 1996 From: bwern at jaxnet.com (Ben Wern) Date: Tue, 30 Apr 1996 20:14:41 +0800 Subject: Neuron Magnetics (Data Needed) Message-ID: <2.2.16.19960430073154.6ee7f202@192.1.1.9> There has been a recent discussion on dc-stuff about Dallas Semiconductor's Touch Memory stuff. (http://www.dalsemi.com) Has anyone played with these? Any info on the security / insecurity of the methods they use? Perhaps a cheap way to encode pgp / similar keys onto a card technology? Ben Wern bwern at jaxnet.com or bwern at unf.edu Try New and Improved Jello: V 2.0 "I may not have gone where I intended to go, but I think I have ended up where I intended to be." From shamrock at netcom.com Tue Apr 30 05:23:59 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 30 Apr 1996 20:23:59 +0800 Subject: On computer face recognition: Message-ID: <v02120d2dadab77dc7e53@[192.0.2.1]> At 0:07 4/30/96, Alan Horowitz wrote: >What task is the human brain optimized for ? None. Which put us on top of the food chain. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From shamrock at netcom.com Tue Apr 30 06:01:03 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 30 Apr 1996 21:01:03 +0800 Subject: Calling other code in Java applications and applets Message-ID: <v02120d2eadab7900c2ca@[192.0.2.1]> At 21:50 4/29/96, Timothy C. May wrote: >By the way, I had a discussion at a party with several Sun folks and other >Java programmers, and they agreed that external code (C, for example) could >be called, even by an _applet_, if arranged. For example, various >underlying graphics routines in the AWT (Alternative Window Toolkit) >package are of course using underlying code written in various other >languages, code that has been reasonably optimized for speed. I understand that calling C libs from Java is possible, but the details how to go about that are still hazy to me. It is also unclear if Sun will support this dual coding as a general capability that can be used by all Java apps (don't think of Java just as downloadable applets) or require that all modules, to give an example, for a certain soon to be very relevant Java application to be written in 100% Java. [...] >The interesting thing here is that a crypto package, perhaps with >speed-optimized underlying routines in C or even hand-coded machine >language, could be released. It might be that patent holders (not that I am >endorsing this) could license such packages to users. > >Thus, > >import java.bignum.* >import.java.entropy.* >import java.rsa.* >import java.digicash.* >... > >(Such packages may need approval by Sun, etc., and formal integration, a la >AWT. But certainly there is talk of replacing AWT with something else, so >changes and additions are clearly possible.) Presumably, such packages would have to be signed by Sun. Needless to say, these certificates would cost money. A potentially lucrative source of revenue for Sun. Nothing wrong with that. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock at netcom.com> PGP encrypted mail preferred. From jimbell at pacifier.com Tue Apr 30 06:54:33 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 30 Apr 1996 21:54:33 +0800 Subject: Former CIA Director and *Strategic Investment* Editor Message-ID: <m0uE9Zb-00092YC@pacifier.com> At 07:40 PM 4/29/96 EDT, Dr. Dimitri Vulis wrote: >jim bell <jimbell at pacifier.com> writes: >> At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: >> >CNN is reporting that Colby's canoe has been found on the Potomac and >> >Colby is missing. >> >> Don't tell me, let me guess: The guy who rented the canoe to him has >> suddenly retired, and has been reportedly seen going on a Park Avenue >> shopping spree. Right? > >Jim, I don't find dumb jokes about dead people I liked particularly funny. Aren't you making an assumption that Colby is dead? No body has been found, last I heard. Maybe he just decided that he wanted to disappear in a comparatively non-suspicious fashion? Jim Bell jimbell at pacifier.com From alanh at infi.net Tue Apr 30 07:16:46 1996 From: alanh at infi.net (Alan Horowitz) Date: Tue, 30 Apr 1996 22:16:46 +0800 Subject: Money supply is fake anyway In-Reply-To: <199604112204.RAA22999@cdale1.midwest.net> Message-ID: <Pine.SV4.3.91.960430051631.26612C-100000@larry.infi.net> The S&L crisis was not the result of a "run on the banks" syndrome. It was the result of criminal fraud and in some other cases, imprudent bank management. Ie, grown men who thought that, in the long run, they could attain non-economic rates of return on investments. Human nature hasn't changed in 100,000 years. From bryce at digicash.com Tue Apr 30 08:46:05 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 30 Apr 1996 23:46:05 +0800 Subject: connecting Uni to the Web O Trust In-Reply-To: <Pine.SUN.3.93.960429161730.5790A-100000@polaris.mindport.net> Message-ID: <199604301019.MAA24346@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- The entity calling itself "Black Unicorn" <unicorn at schloss.li> probably wrote: > On Mon, 29 Apr 1996 bryce at digicash.com wrote: > > > > In the meantime, I cannot have much confidence in the > > security of my private communications with Black Unicorn, > > which makes me hesitant to exchange money with him. > > That's ok, I prefer cash. It _was_ going to be cash! :-) Bryce P.S. For the record, I'm just talking about my offer to settle cypherpunk bets. This is all hypothetical. I'm not actually exchanging any money with Uni. I've never met him. Whatever he's doing, I'm not involved. You can't prove anything. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMYXpJkjbHy8sKZitAQGyZAMAs4O9+WN1WBtt3hXPgiE6BEiuuQmj/u6u RMqG3WRlhG3kMfCHZ1ypfV2SCCHYxmbBTa+olVp2yIJ5Qan13Qvr4KwI+o1JN/KO JLG9ShEF9Uk5sduAuYUK526QJYhhce4d =SYeA -----END PGP SIGNATURE----- From cpunk at remail.ecafe.org Tue Apr 30 09:01:12 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Wed, 1 May 1996 00:01:12 +0800 Subject: [Joke] It Takes a Village Message-ID: <199604300949.KAA05650@pangaea.hypereality.co.uk> Friend, Here's Timothy May, the self-appointed village headman. He's surrounded by a bunch of arse-kissing accolytes: -"Gosh, I thought that Java was garbage, but now that Tim mentions it, it's the best thing in the world" -"Tim's right, Java is terrific." Village Jester: "Tim's dead wrong. Java isn't good--it's great!" Then there's Perry Metzger, the local squire, who's embittered over the fact that, while he's got some worthwhile things to say, he's always overpowered by the "charisma" and new clothes of May. Jim Bell, village idiot. He's always good sport for the village bully, Black Unicorn. His pretentions aside ("the black unicorn has been in my family crest for a thousand years"), he is in actuality a short, portly Philadelphia accountant by the name of Irving Lipshitz-Groins. Cordially, Your village historian From frantz at netcom.com Tue Apr 30 09:39:30 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 1 May 1996 00:39:30 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto Message-ID: <199604300808.BAA17923@netcom9.netcom.com> The moderator, David Morris of Cylink, introduced the field by discussing the problems of corporate espionage, and privacy concerns vs. public and private databases. He said that the old security paradigms present with face to face business don't work with electronic commerce. He introduced Jim Omura, who gave an overview of PK encryption and introduced Martin Hellman, Ralph Merkle, and Whitfield Diffie. Louis Morris, Cylink CEO, presented them with inscribed glass trophies. Hellman described the key to the early years as being willing to be a fool, because you need to step out of the standard thought patterns. Diffie described the genesis from 1974 to 1978 as going from Merkle's paper, "Secure Communication Over Insecure Channels", thru DH key exchange, to RSA. Since 1976 is the center of gravity of these steps, this year makes a good 20th anniversary. Merkle said it is most striking how long it has taken to be adopted. Networks lead to a need for security, lead to a questioning of regulations on Crypto, which leads to changes in those regulations. Diffie said it is absolutely amazing that it is happening so quickly. "How wonderfully lucky it is we started working 20 years ago." Senator Larry Pressler (R, SD) was introduced via video projector from Washington D.C. He talked about bad government rules and that government should help or at least get out of the way. He talked about the need for exports and to assist US multi-national businesses. The controls hurt US companies. Encryption is the future of industry. If we don't fix the export problem, there are two outcomes. (1) Foreign competition will provide the function, or (2) US companies will move the R&D offshore. Either will cost US jobs. After listing his [off topic] pet bills, he mentioned that he was talking about encryption in software. He said Senator Burns' bill will be introduced tomorrow. Senator Conrad Burns (R, MT) spoke from the podium in a joke filled speech. He talked about the Telecom Bill as a way to do something about giving more people access to the glass highway. He talked about the problem of how do we make sure that people have agreed to a deal on the highway and supporting sales. He said we need the crypto bill to support them. His bill provides for, (1) Export of publicly available software (e.g. PGP and browsers), (2) no GAK, (3) limiting the authority of the Department of Commerce to set standards, and (4) export to countries which equivalent technology. He wants to have public hearings in Silicon Valley. Then questions came from the floor: Q: Why are we streamlining the Department of Commerce when the Department of State and NSA are the problem? Burns: Legislation will deal with this problem and prevent them from blocking export. You may still need a license, but there should be no fences. Pressler: We need to streamline relations between State and Commerce in this area. We need to streamline trade in hi tech. I don't think that state and NSA should have the say. Export is a trade problem. It is a "disaster for American exports." Burns: We are going to need grass-roots support to pass this bill. Q: Where do California's senators (Feinstein and Boxer) stand? Burns: We don't know. Pressler: We didn't have their support on tort reform. Stick with your friends and work for them. Q: Who is against the bill? Burns: People who listen to NSA. People who feel the US needs to be able to watch you. Q: How do you expect administration opposition to show up? A: We don't know yet. Q: Currently encryption is classified as a munition. Will your legislation reclassify it. Pressler: We don't see encryption as a threat to national security. People in Washington D.C. who make a living suppressing information oppose the bill. Burns: We need your knowledge to pass this bill. The senators bid us goodbye and the Congressman Robert Goodlatte (R, VA) was introduced. He said that President Clinton testified for 4.5 hours over an encrypted communication link on the McDougall trial. His bill is called Security And Freedom thru Encryption (SAFE). Local congressmen Campbell and Eshoo are co-sponsors. We need to broaden the base of support for this bill. Everyone should talk to their customers/vendors/and companies with web sites about this issue. If we don't change the rules, it could cost $60B in 2000. There are 500 foreign encryption software products. He talked about how fast 40 and 56 bit encryption could be cracked and said that, in his opinion, the administration's desire to read everything, foreign and domestic is the greatest threat. He argues it is the wrong approach and we should be encouraging everyone to use encryption routinely. We need it for counter terrorism against attacks on computer systems used in design, manufacturing and e.g. controlling nuclear power plants. We need your help getting the word out. Write your member of congress. We will have hearings on the bill in the next month or two. Q: What do you say to techies/CEOs who want to run for public office? A: Well are you a Democrat or Republican? (laughter). Seriously, congress needs a variety of backgrounds to help with technical issues. Get good expert advice on running your campaign. James Freeman, Special Agent in Charge, San Francisco Office, FBI, discussed the tools the FBI needs to do its job. He talked about foreign espionage on US companies. He mentioned 800 cases involving 23 countries, 20% in the SF Bay area. Counterfeit drugs cost US drug companies $1.5B/year. The FBI does not have adequate laws to pursue theft of intellectual property. It could use a computer fraud/abuse law. In the last few years, the FBI and local law enforcement have identified 9 gangs dealing in stolen electronic components thru undercover operations and wiretaps. Each set of arrests have reduced the rate of reported armed robbery. They used RICO to help prosecute these gangs. He stated the FBI can do the same for intellectual property given the right tools. He stated that in some cases, foreign students are sent here to spy on US corporations. In some cases they are released from military service for their spying. Inside theft is responsible for most spying, but hacking and computer intrusion are increasing. He said that terrorists, money launders, drug dealers using crypto is a serious threat, and he thinks GAK is a good solution. If congress takes GAK away from law enforcement, they will use the tools they have. However we need a balanced approach. Q: If any high school student can implement unbreakable crypto, what can you do? A: Regulation of crypto is the responsibility of congress. Edward Kozel of Cisco Systems spoke about the problems they have had with the export regulations. He said that the Internet was important because it lowered the barriers to market entry. He offered the example that the big 3 American auto manufactures are requiring network links for their suppliers. He talked about attacks on hosts and networks. He said that right now, Atlanta is a boom area for telecommuting because Atlanta companies fear the Olympics will bring gridlock this summer. He suggested micro payments as a solution to copyright problems. We must see the problem as a global problem. PK is a fundamental component of commerce, authentication, and non-repudiation. Q (Dave Del Toro (sp?)): RSA patent license imposes significant limitations on what we can do with RSA. How can we overcome that barrier? Morris (Cylink): Cylink owns the DH patents. We are opening the technology with no-cost licenses. Patents should not be used to block the technology. Kozel: We certainly support open dissemination. In 1990 we couldn't export routers to e.g. Russia. So they used PCs and public domain software to build their nets. Now they are converting to routers. Now is the time to unleash encryption. Q: What is the best way to go given the new laws and IPv6? Kozel: 40 bits is no good. Even people in rural Australia know that. Industry needs to recognize the need for controls, if only by the customer. The technology is moving to the mass market. Encryption will be needed to keep everyone from reading data on cable networks. Paul Raines, Project Manager, United States Postal Service described the post offices digital postmark and certificate services. Cylink is the technical developer. The post office brings four things that private industry can't: (1) The postal fraud statutes, (2) A long track record and well established reputation, (3) 40,000 existing post offices (vs. 10,000 McDonald's), and (4) it can act as a trusted third party. Q: How much will you charge for these services and when will they be available? A: Postmarking: $.10, 7/96. Certificates: $10-$15/person/year, 4Q96. Q: Do you see the post office acting as an ISP? A: Only to the extent necessary to provide electronic delivery of digital postmarks and certificates. Q: Do you see the post office going into transaction verification? What limits your future business directions? A: We will make sure not to compete with private business. Because we must go through a rate commission to change prices makes it hard to compete. The evening closed with a Diffie, Hellman, Merkle panel. Hellman: After these 20 years, I feel less of a fool. When we wrote "New Directions in Cryptography" in 1976, we envisioned our ideas would be widespread in five years. Diffie: I was excessively optimistic about the spread of PKC in two of my papers. Hellman: We were off for two reasons. (1) Lack of public concern. With cell phone fraud approaching 40% that may change. And (2) ITAR. This new legislation will have a very positive effect. Merkle: I wish I could pipe the comments this evening back 20 years. I would particular like to pipe them to my rejection letter from Communications of the ACM which said my contribution was not mainstream. One is often over optimistic about the early rate of progress and under optimistic about the later rate. OK, I was wrong before, but things are going to happen fast now. Morris: Where are the new frontiers? Diffie: Quantum computing (if it works). Elliptic curve crypto. The next decade or so will be used to sort out the social effects. Passive listening by major governments is moving to active computer penetration. What will our high-level security specifications be? What are fair rules for intellectual property, privacy etc? We closed with David Morris reading email from Phil Mellinger, Chief Engineer, Government Securities Association. He said the US and Canada are discussing inter operability on Certificate authorities. The government is using DH with DES and SHA for government communications. Short of the automobile, PKC has had the largest effect on the world of any 20th century technology. Impressions: In conversation afterwards, I noted that discussion of personal privacy seemed to be politically incorrect in this group. Unless it directly supported corporate commerce, we didn't discuss it. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From woutput at earthlink.net Tue Apr 30 10:29:35 1996 From: woutput at earthlink.net (Andrew Purshottam) Date: Wed, 1 May 1996 01:29:35 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: <adaadb06040210042638@[205.199.118.202]> Message-ID: <31856BCD.463A@earthlink.net> > > And I believe that even applets can read and write data files on disk IF > THE APPLET ENVIRONMENT PERMITS this. Netscape and similar environments at > this time of course _don't_ let this happen, but this is a choice (as I > understand it) made at this time and perhaps for this version of the > respective pieces of software. (As I understand it, an explicit decision > not to allow file i/o, for some obvious though not necessarily permanent > reasons.) This is correct. A class called the SecurityManager enforces this, and it can be changed or shut off if one builds a custom version of the classes zip file that has the appropriate changes to the security manager. There was a posting to a java news group or mailing list about how to do this a few months ago, I can find it if anyone cares. Andy From jsw at netscape.com Tue Apr 30 11:37:56 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 1 May 1996 02:37:56 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: <v02120d2eadab7900c2ca@[192.0.2.1]> Message-ID: <3185E5B6.3EE8@netscape.com> Lucky Green wrote: > > At 21:50 4/29/96, Timothy C. May wrote: > > >By the way, I had a discussion at a party with several Sun folks and other > >Java programmers, and they agreed that external code (C, for example) could > >be called, even by an _applet_, if arranged. For example, various > >underlying graphics routines in the AWT (Alternative Window Toolkit) > >package are of course using underlying code written in various other > >languages, code that has been reasonably optimized for speed. > > I understand that calling C libs from Java is possible, but the details how > to go about that are still hazy to me. It is also unclear if Sun will > support this dual coding as a general capability that can be used by all > Java apps (don't think of Java just as downloadable applets) or require > that all modules, to give an example, for a certain soon to be very > relevant Java application to be written in 100% Java. Our Navigator 3.0 release will allow java and javascript to call into plugins. Since plugins are native code, you will be able to freely mix C and Java. Of course you will have to get the user to install your plugin on their disk. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From rah at shipwright.com Tue Apr 30 14:24:15 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 1 May 1996 05:24:15 +0800 Subject: (fwd) E-Commerce Info. Needed Message-ID: <v03006617adabbad31be3@[199.0.65.105]> Reply directly to this person, and not me, please... Cheers, Bob Hettinga --- begin forwarded text From: aiq005 at teix.uib.es Date: Tue, 30 Apr 1996 09:46:56 +0200 To: RAH at shipwright.com Subject: E-Commerce Info. Needed Status: U Dear sir, I'm doing a project on Security and E-Commerce. I would like to know if you could help me on my search of information on two subjects: * Graphics and statistics about the growth of the e-commerce in the last years, and also on the attacks to comercial sites on this period. * Future tendencies, projects... on e-commerce, and how security is going to affect the future on the commercial sites. When I say 'information' I'm talking about URL's (of course) Thanks a lot, and please forgive my bad use of English! Joan Andreu (Universitat de les Illes Balears) aiq005 at teix.uib.es --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From sdt at zilker.net Tue Apr 30 15:50:36 1996 From: sdt at zilker.net (Steve Tonnesen) Date: Wed, 1 May 1996 06:50:36 +0800 Subject: Austin, TX meeting notice Message-ID: <199604301359.IAA14894@oak.zilker.net> There will be a physical meeting of cypherpunks in Austin, TX. Location: Central Market Cafe 4001 N. Lamar Blvd. Time: Saturday, May 4 at 6:00PM This will be a general meeting covering the existing projects (the video, the web page rebuild, and remailer planning), events in the news, and assorted other topics. As usual, look for a table with a stack of crypto-related books. From frissell at panix.com Tue Apr 30 15:56:49 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 1 May 1996 06:56:49 +0800 Subject: LolitaWatch v1.1 Message-ID: <2.2.32.19960430141123.0071edcc@popserver.panix.com> -----BEGIN PGP SIGNED MESSAGE----- At 08:02 PM 4/17/96 -0700, Dave Del Torto wrote: >[ Newt Gingrich and his ilk being the mensches they are, I expect v2.0 may ] >[ add support for the "Jew," "Nigger," "Kike," "Fag," "Nerd" and "Wop" bits ] >[ -dave ] > Slick Willie and his ilk being the copraphagic cretins they are, I expect v2.0 may add support for the "religion", African-American, "Person of the Jewish Faith", "Lesbian", "Gay man", "Itellectually enhanced but socially challenged", and "Euro-American" bits. DCF -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYYXfIVO4r4sgSPhAQGLlQP/dB4ElSyHbDEqdOMNGESh6UNrzTcvbsZH BKvXiPBAz2HUitD5lX3AdJ0KqJmZkPo+nRKe48rE19H370M9hFuvkOT04Jsydf6E IOt3EyOw2McZw66rRjN0HxWiS4yHu1Bj+bhjASX7QpZoG1XKO2wozUb/AHhH1dvA UroHHC6bJFc= =uHho -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Tue Apr 30 16:22:26 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 1 May 1996 07:22:26 +0800 Subject: Netscape 3 betas Message-ID: <199604301453.JAA06960@homeport.org> I'd like to commend Jeff and Phil, and any other members of the netscape team who are here, for the strong list of security controls available in Atlas (beta 2) They include control of caching SSL protected docs, alerts before showing a cookie or submitting a form via email, control over email address as ftp password, and, best of all, Java and JavaScript come turned off by default. Nice work! (I'll also offer a pet peeve, which is I can't refuse to accept server pushes, and the stop button doesn't really seem to affect them. I should be able to prevent keep-alive if I don't want it.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From hfinney at shell.portal.com Tue Apr 30 16:31:19 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 1 May 1996 07:31:19 +0800 Subject: Calling other code in Java applications and applets Message-ID: <199604301429.HAA08069@jobe.shell.portal.com> I understand that Sun is considering including a bignum package and possibly other crypto support in native form in a future release of Java. There has been considerable discussion of this on the coderpunks list. Apparently Sun has said they will release their crypto API within the next week or so. However these kinds of things are often delayed, in my experience. An earlier version of the crypto API was shared with Java developers at a meeting a few months ago, and the response was quite negative, according to list memebers. The class and method design in many cases seemed awkward, spotty, and inconsistent. Apparently there are also export considerations, with the NSA resisting the inclusion of too many explicitly crypto oriented classes. Hal From froomkin at law.miami.edu Tue Apr 30 17:04:44 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Wed, 1 May 1996 08:04:44 +0800 Subject: Smartcards are coming to the US In-Reply-To: <m0uDzVt-0048voC@iquest.net> Message-ID: <Pine.SUN.3.91.960430100509.16499H-100000@viper.law.miami.edu> On Mon, 29 Apr 1996, Benjamin T. Moore wrote: > Hummm... Did you ever wonder *why* this was introduced to the "third-world" > countries first? If you've been following the progress of the so called "smart- Lack of entrenched competitors? E.g. credit cards? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From attila at primenet.com Tue Apr 30 17:44:04 1996 From: attila at primenet.com (attila) Date: Wed, 1 May 1996 08:44:04 +0800 Subject: [Joke] It Takes a Village Message-ID: <199604301538.IAA16842@primenet.com> ** Reply to note from cpunk at remail.ecafe.org 04/30/96 10:49am +0100 well, might as well flesh it out and get the rest of us who were slighted --and don't forget yourself. if you can not laugh at yourself occasionally, check your pulse = Friend, = = Here's Timothy May, the self-appointed village headman. = He's surrounded by a bunch of arse-kissing accolytes: = -"Gosh, I thought that Java was garbage, but now that Tim mentions it, = it's the best thing in the world" = -"Tim's right, Java is terrific." = = Village Jester: "Tim's dead wrong. Java isn't good--it's great!" = = Then there's Perry Metzger, the local squire, who's embittered over the = fact that, while he's got some worthwhile things to say, he's always = overpowered by the "charisma" and new clothes of May. = = Jim Bell, village idiot. He's always good sport for the village bully, = Black Unicorn. His pretentions aside ("the black unicorn has been in = my family crest for a thousand years"), he is in actuality a short, = portly Philadelphia accountant by the name of Irving Lipshitz-Groins. = = Cordially, = = Your village historian -- Overseeing first-rate programmers is a managerial challenge roughly comparable to herding cats. From sandfort at crl.com Tue Apr 30 17:46:31 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 1 May 1996 08:46:31 +0800 Subject: [Joke] It Takes a Village In-Reply-To: <199604300949.KAA05650@pangaea.hypereality.co.uk> Message-ID: <Pine.SUN.3.91.960430072415.969A-100000@crl14.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Tue, 30 Apr 1996, ECafe Anonymous Remailer wrote: > Here's Timothy May, the self-appointed village headman...[and > a lot more sophomoric garbage.] > ... > Your village historian But not a very good one, unfortunately. Humor only works if it has at least a nodding acquaintence with the truth. This silly screed had none. Once again we are treated to an attack on his betters by an anonymous nobody in the form of a feigned (and strained) mask of "witty" commentary. What disappointments in life could have produced such an impotent, resentful loser? S a n d y Village Apologist ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From angels at wavenet.com Tue Apr 30 17:54:17 1996 From: angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) Date: Wed, 1 May 1996 08:54:17 +0800 Subject: Freedom and security Message-ID: <v01510100a9e5fbebce39@[198.147.118.199]> Mike McNally wrote >If.... (freedom and security) ....weren't antithetical, there'd be no need >for a balance. If they were antithetical then as freedom increased security would decrease, and as security increased freedom would decrease. It is not IMHO inevitable that if we increase security we will jeopardize freedom. My concern is that if we ignore security we will have no freedom left to protect. I don't believe the Internet community is split into two camps on this issue - there appear to me to be many places where people draw their lines at different points. I don't believe that security is the enemy of freedom. I believe that freedom needs security in order to exist at all. ********************************************************* Colin Gabriel Hatcher - CyberAngels Director angels at wavenet.com "Two people may disagree, but that does not mean that one of them is evil" ********************************************************* From cp at proust.suba.com Tue Apr 30 18:10:19 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Wed, 1 May 1996 09:10:19 +0800 Subject: Calling other code in Java applications and applets In-Reply-To: <3185E5B6.3EE8@netscape.com> Message-ID: <199604301512.KAA05052@proust.suba.com> > Our Navigator 3.0 release will allow java and javascript to call into > plugins. Since plugins are native code, you will be able to freely mix > C and Java. Of course you will have to get the user to install your > plugin on their disk. That's the problem, installing the plugin. I (and some others, I think) was hoping that it would be possible to build powerful crypto applets and put them up on web pages. That way everyone with a java enabled copy of Netscape could use a remailer or send crypted mail without having to download, install, and configure software. If people have to download and install a plugin to use a java mixmaster applet, why not just download and install a native mixmaster client? Of course there are other reasons to use java -- platform independence, for example. But it's the user's ability to download and run applets just by jumping to a web page that has everyone excited. With that gone (for crypto), java loses a lot of its lustre (again, for crypto work). From jimbell at pacifier.com Tue Apr 30 18:57:52 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 09:57:52 +0800 Subject: Former CIA Director and *Strategic Investment* Editor Message-ID: <m0uEI2K-00092BC@pacifier.com> At 01:59 AM 4/30/96 +0100, Ed Carp wrote: >On Mon, 29 Apr 1996, Dr. Dimitri Vulis wrote: > >> jim bell <jimbell at pacifier.com> writes: >> > At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: >> > >CNN is reporting that Colby's canoe has been found on the Potomac and >> > >Colby is missing. >> > >> > Don't tell me, let me guess: The guy who rented the canoe to him has >> > suddenly retired, and has been reportedly seen going on a Park Avenue >> > shopping spree. Right? >> >> Jim, I don't find dumb jokes about dead people I liked particularly funny. > >CNN is reporting that although the search is continuing, the authorities >are presuming Colby drowned in a boating accident. I'd like to hear more about the timeline. From a snippet I heard yesterday, he telephoned his wife and said he'd be renting a canoe. Okay, who and why did "they" visit a cabin (?) to find him? (If somebody called me from a cabin, and he had a telephone, I would not consider his failure to later answer the phone to be particularly suspicious...) And one version I heard said that the canoe was at the cabin. How often do fatal canoe accidents occur what might have been a few feet from shore? (You can't sink a modern canoe, especially a rental, because they have floats under the seats to prevent this.) We can't tell, because the information being released is so sparse. Somebody's not telling us the whole story. From perry at piermont.com Tue Apr 30 19:36:15 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 10:36:15 +0800 Subject: Freedom and security In-Reply-To: <v01510100a9e5fbebce39@[198.147.118.199]> Message-ID: <199604301630.MAA14089@jekyll.piermont.com> CyberAngels Director : Colin Gabriel Hatcher writes: > If they were antithetical then as freedom increased security would > decrease, and as security increased freedom would decrease. > > It is not IMHO inevitable that if we increase security we will jeopardize > freedom. My concern is that if we ignore security we will have no freedom > left to protect. > > I don't believe the Internet community is split into two camps on this > issue - there appear to me to be many places where people draw their lines > at different points. I don't believe that security is the enemy of > freedom. I believe that freedom needs security in order to exist at all. You will pardon my asking this, but, security from what? Who are the evil Network Terrorists throwing Bit Bombs or whatever? The only security you need on the internet is keeping your site from being broken in to, which is mostly a matter of setting it up properly. What, exactly, is the "Security" that you are offering us? Perry From abostick at netcom.com Tue Apr 30 19:41:59 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 1 May 1996 10:41:59 +0800 Subject: [Joke] It Takes a Village In-Reply-To: <199604300949.KAA05650@pangaea.hypereality.co.uk> Message-ID: <Ugihx8m9LQQW085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <199604300949.KAA05650 at pangaea.hypereality.co.uk>, cpunk at remail.ecafe.org (ECafe Anonymous Remailer) wrote: > Jim Bell, village idiot. He's always good sport for the village bully, > Black Unicorn. His pretentions aside ("the black unicorn has been in > my family crest for a thousand years"), he is in actuality a short, > portly Philadelphia accountant by the name of Irving Lipshitz-Groins. jim bell is really a short, portly Philadelphia accountant named Irving Lipshitz-Groins? - -- Alan Bostick | They say in online country there is no middle way mailto:abostick at netcom.com | You'll either be a Usenet man or a thug for the CDA news:alt.grelb | Simon Spero (after Tom Glazer) http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMYYojuVevBgtmhnpAQEEiwL+NzhAqo33OFDUKWqc0eL5PlPLFTHlmGzk ZDaUg7ReYuh1UIiTzb9/oSLxTN8r4oT9LjV1jqByb0NkiQiLS1jfLF7xzIvvwSWg 9QSNY/JLaqvzpsjDYYL74e1W10yFUoZo =HJUe -----END PGP SIGNATURE----- From rah at shipwright.com Tue Apr 30 19:44:47 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 1 May 1996 10:44:47 +0800 Subject: Smartcards are coming to the US In-Reply-To: <m0uDzVt-0048voC@iquest.net> Message-ID: <v03006607adabfc90e2ad@[199.0.65.105]> At 10:06 AM -0400 4/30/96, Michael Froomkin wrote: > Lack of entrenched competitors? E.g. credit cards? Proof that cash is cheaper than credit? Certificates cheaper than book-entries? ;-). Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From tcmay at got.net Tue Apr 30 19:56:22 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 1 May 1996 10:56:22 +0800 Subject: "Scruffies" vs. "Neats" Message-ID: <adab97e00502100451c2@[205.199.118.202]> (The version I apparently just sent out was not quite complete. I saved it in my mail program, intending to work on it later today, but it got queued for sending inadvertently. Sorry it got sent. But maybe it's just as well, as I can look at the commentary--if any--and make additions and clarifications later.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Tue Apr 30 20:03:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 11:03:03 +0800 Subject: once again Message-ID: <199604301802.OAA14241@jekyll.piermont.com> Lots of people seem to have misread my statement about java programs and I/O. To repeat: I fully understand that Java is a general programming language and can do I/O. However, "Safe" Java subsets, like the ones used for writing applets or presumably the ones that would be needed for markets in CPU cycles, do not do i/o. One could add i/o to the suite, but that would be dangerous. Perry From ses at tipper.oit.unc.edu Tue Apr 30 20:05:28 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 1 May 1996 11:05:28 +0800 Subject: Smartcards are coming to the US In-Reply-To: <m0uDzVt-0048voC@iquest.net> Message-ID: <Pine.SOL.3.91.960430105230.3273A-100000@chivalry> Much as we Englishmen like to pretend, it is a bit of a reach to describe France as a third-world country... --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Tue Apr 30 20:25:51 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 1 May 1996 11:25:51 +0800 Subject: "Scruffies" vs. "Neats" Message-ID: <adab8d3e04021004d25b@[205.199.118.202]> PREFACE I haven't written many essays lately...something about having several hundred or more of them on this list over the past three and a half years makes writing another one less urgent for me. But I've been thinking a lot about the interesting discussion we are having over the Java security issues and basic security model for running applets, and note some similarities with similar approaches in AI (artificial intelligence). I think it important that people here not "firmly commit" to positions they may have to change, as this leads to a "sticking coefficient" that retards changes (note that I am not commenting on which positions may need to change!). No one language is the end-all and be-all of programming, nor is any one approach the inevitable winner. But it certainly behooves us to think about likely future (and current) computing platforms. (We've done this many times, as with discussions a few years ago about which environments to put effort into...we had advocates of Emacs, Eudora, Perl, TCL, Safe-TCL, the clipboard of Mac and Windows systems, pure text only, and so on. In fact, an extensive poll was taken--by Eric Hughes, I believe--in November 1992, with the conclusion that at least a dozen major choices were popular, with none having a share over 10%.) So, it is a mistake to assume that I am making a "primate display" of supporting Java. At this point, and with having seen many fads come and go, my strong hunch is that "Web plus browsers plus applets plus Java" is likely to become the main choice of many people. (I am hardly alone in this judgment, natch. Any look at the trade press, the stock market, the shelves of new books, etc., will confirm this. But just because something is popular does not mean it is not in fact the likely future.) And I am sure that even the critics of various aspects of this model--including the studies of Java security--see this same scenario unfolding. I view their criticisms as being necessary and helpful, though I tend to dismiss the conclusions of some that the model is so deeply flawed that it should be discarded completely and a new model and/or language should be awaited....this just ain't gonna happen anytime soon. (The thrust of this essay is not how and why new computing paradigms spread, so I won't get into my views on this. Suffice it to say that historically the world has gotten a major new model (paradigm) no more than twice a decade, and usually only once per decade. Left as an exercise is what those have been.) SCRUFFIES AND NEATS On to "scruffies" and "neats." The AI world had two main camps, according to a popular view. The "scruffies" and the "neats." The scruffies believed intelligent behavior in a program would likely only come from gobs and gobs of code. They believed in cobbling together apps as quickly as possibly, racing out into the new landscape of computing and rigging something up to work. Loosely speaking, they favored hacking Lisp until something worked...a checkers program (a la ur-hacker Greenblatt), a vision system, a robot, etc. Scruffies like messy desks, because they like to be blasted with lots of random inputs, lots of unrelated ideas and concepts, and "inspiration." More recently, the scruffies have embraced neural nets, emergent computation, stochastic computing, genetic algorithms, and similar buzzwords. The recent work on "subsumption architectures" (a la Brooks) and agent architectures is consistent with viewpoint (though elements of logic are of course involved). (These are all gross overgeneralizations, caricatures, to clearly show what the polar viewpoints are.) The neats, on the other hand, believed that logic rules. Epitomized by Newell and Simon, and by the early Winograd, they believed intelligent behavior would come when the logical principles of thought could be found and implemented in a programming language. Much of the work on theorem proving and logic programming came out of this camp. According to the caricature (and caricatures can be useful, even if overstated), the neats have neat desks, work in neat languages, and favor mathematical rigor. (Of course, not all neats are neat. Some are scruffy, as Ted Kaczynski shows!) SCRUFFIES AND NEATS IN SECURITY The "security neat" believes in applying rigor to security. Machines and languages should be "provably secure." (Better yet, machines should be "provably correct," a la Viper, and operating systems and languages should produce provably correct code.) The "security scruffy" believes things are moving too quickly to insist his machine must be Orange Book top-rated, or that his OS must be fully secure....in fact, he doubts that such definitions have real meaning. [Aside: This polar caricature overstates things, as I said earlier. For example, even the "security scruffies" are not in favor of bad cryptographic code, of seriously-flawed PGP implementations, or of Java applets that can reach into user files and read or corrupt them. And even the security neats use machines hooked up to networks rather than running programs in some secure kernel on a machine locked in a secure room....] The scruffies believe that it may ultimately produce more overall security (not to mention producing interesting other results!) to race out into the new terrain, to establish outposts and colonies.... Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From m5 at vail.tivoli.com Tue Apr 30 20:32:13 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 1 May 1996 11:32:13 +0800 Subject: Freedom and security In-Reply-To: <v01510100a9e5fbebce39@[198.147.118.199]> Message-ID: <3186400F.43CA@vail.tivoli.com> CyberAngels Director : Colin Gabriel Hatcher wrote: > > Mike McNally wrote > > >If.... (freedom and security) ....weren't antithetical, there'd be no need > >for a balance. > > If they were antithetical then as freedom increased security would > decrease, and as security increased freedom would decrease. Ok then, if they're *not* antithetical, why do we need a balance? Why not just go ahead and maximize both? > It is not IMHO inevitable that if we increase security we will jeopardize > freedom. My concern is that if we ignore security we will have no freedom > left to protect. What exactly do you consider "security" and "freedom" to mean here? Whose security? Whose freedom? I can take responsibility for ensuring that any Internet communications I make are protected from inspection or interception by using technological solutions. I call that "security". If you're interested in "security", what are you doing to protect my freedom to use encryption and anonymous remailer technologies? ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * <URL:http://www.io.com/~m101> * suffering is optional From jimbell at pacifier.com Tue Apr 30 20:45:52 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 11:45:52 +0800 Subject: Freedom and security Message-ID: <m0uEJnz-000930C@pacifier.com> At 07:47 AM 4/29/96 -0500, Mike McNally wrote: >CyberAngels Director : Colin Gabriel Hatcher wrote: >> My position is to seek a balance between the freedom of the individual and >> the security of the community. My argument is that when the security of >> the community is threatened by the freedom of the individual, the community >> will always prioritise its safety. Good government of course means >> maintaining individual freedoms *and* maintaining community security. I >> actually disagree that they are antithetical. On the contrary they are a >> balance that any society has to find. > >If they weren't antithetical, there'd be no need for a balance. Game, set, and match McNally! From sjb at universe.digex.net Tue Apr 30 21:03:35 1996 From: sjb at universe.digex.net (Scott Brickner) Date: Wed, 1 May 1996 12:03:35 +0800 Subject: The Joy of Java In-Reply-To: <199604292245.SAA10827@jekyll.piermont.com> Message-ID: <199604301749.NAA11738@universe.digex.net> "Perry E. Metzger" writes: >Scott Brickner writes: >> I don't understand what you mean by "insufficiently powerful". It's as >> expressively powerful as most high-level languages, and computationally >> Turing equivalent. It's lack of power seems entirely in the performance >> arena, which may be solved, eventually. > >Java applications can't save files to disk or use data files on >disk. If you were, for instance, buying two CPU weeks of idle time on >some machines, you would need stuff like checkpointing or the ability >to save intermediate results. It is false that Java applications "can't" save files to disk. Java has no I/O facilities, exactly like C and C++ have none. Any I/O capability must be provided in external functions. The applet environment doesn't include file I/O functions, but it can be easily added in a reasonably safe way (filesystem object only allocates a fixed region of real disk space, applets are charged to use it, after the "rent" is gone, the blocks are freed, etc.) Java applications may also send checkpoint data or intermediate results back "home", even in the current environment. From mmiller at netcom.com Tue Apr 30 21:05:59 1996 From: mmiller at netcom.com (Mark S. Miller) Date: Wed, 1 May 1996 12:05:59 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto In-Reply-To: <199604300808.BAA17923@netcom9.netcom.com> Message-ID: <199604301701.KAA14257@netcom5.netcom.com> Paul Raines, Project Manager, United States Postal Service described ... The post office brings four things that private industry can't: ... (2) ... well established reputation, ... (4) it can act as a trusted third party. Oh. Well that's good to know. --MarkM -------------------------------------------------------------------- After all, the Internet was built to help defend the free world from attack by governments. -------------------------------------------------------------------- From tcmay at got.net Tue Apr 30 21:27:38 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 1 May 1996 12:27:38 +0800 Subject: ITARs and the Export of Classes and Methods Message-ID: <adaba38d060210041091@[205.199.118.202]> At 3:12 PM 4/30/96, Alex Strasheim wrote: >> Our Navigator 3.0 release will allow java and javascript to call into >> plugins. Since plugins are native code, you will be able to freely mix >> C and Java. Of course you will have to get the user to install your >> plugin on their disk. > >That's the problem, installing the plugin. > >I (and some others, I think) was hoping that it would be possible to build >powerful crypto applets and put them up on web pages. That way everyone >with a java enabled copy of Netscape could use a remailer or send crypted >mail without having to download, install, and configure software. > >If people have to download and install a plugin to use a java mixmaster >applet, why not just download and install a native mixmaster client? > >Of course there are other reasons to use java -- platform independence, >for example. But it's the user's ability to download and run applets just >by jumping to a web page that has everyone excited. With that gone (for >crypto), java loses a lot of its lustre (again, for crypto work). Hmmmhhh.... It may be--from the comments of Dan W. about the NSA, export, and Java, and from other signs--that the NSA and its allies see the same opportunities many of us see. And that they don't like what they see. I hope Marianne and the other Sun and/or Netscape folks can keep us informed on what, if anything, the NSA is telling them they can do with Java and what they cannot do. Under the guise of "export," of course, as there is no legal basis for restricting domestic (within the Greater Unites States and Canada Coprosperity Sphere) crypto. An interesting situation for the ITARs, if they try to restrict bignum classes, for example. A class-based system, if done correctly (in whatever language, e.g., C++ or Java), should have _most_ of the hard crypto work already implemented in classes and methods (for bignums, modular exponentiation, etc.), with the final crypto program much more easily implemented and exported. (I presume that PGP 3.0 is being done largely this way (class libraries), and, speculatively, PGP 4.0 might be Java-based, and rely on small applets calling the various classes.) Does the battle for restricting exports of programs, a la PGP or Lotus Notes, then shift to controlling the export of computer languages?! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue Apr 30 21:32:22 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 1 May 1996 12:32:22 +0800 Subject: Former CIA Director and *Strategic Investment* Editor Message-ID: <adabb34c08021004c3f4@[205.199.118.202]> At 5:11 PM 4/30/96, jim bell wrote: >I'd like to hear more about the timeline. From a snippet I heard yesterday, >he telephoned his wife and said he'd be renting a canoe. Okay, who and why >did "they" visit a cabin (?) to find him? (If somebody called me from a >cabin, and he had a telephone, I would not consider his failure to later >answer the phone to be particularly suspicious...) Then read the damned newspapers or watch the damned news broadcasts or read the damned Web news accounts, rather than mentioning that you've seen "snippets" but that you have other Unanswered Questions which They are Not Answering. Looking for conspiracies in the almost certainly accidental drowning of Colby is an even bigger waste of time than spending vast efforts trying to show that Vince Foster was killed by the O.T.O. Jeesh. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Tue Apr 30 21:34:10 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 12:34:10 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <adab8d3e04021004d25b@[205.199.118.202]> Message-ID: <199604301838.OAA14274@jekyll.piermont.com> Timothy C. May writes: > SCRUFFIES AND NEATS IN SECURITY > > The "security neat" believes in applying rigor to security. Machines and > languages should be "provably secure." (Better yet, machines should be > "provably correct," a la Viper, and operating systems and languages should > produce provably correct code.) Don't take this the wrong way, Tim, but you have totally misinterpreted the position many of us who dislike Java take. You completely mischaracterize our attitude. There are two philosophies in opposition here, the optimistic model versus the realistic model. 1) "We are smart, so we simply build something that feels good and provided we can't find a way to break it we declare it secure." This is the Java model. Java isn't "scruffy". Its a very elegant and cleanly built system, far more elegant than most. I contend that it is flawed, but not because it is "scruffy". I contend that the flaw is that its security depends on all its parts working flawlessly, and that we can't build flawless systems. Such systems are made on the liberal assumption that humans can design something perfect in all its parts. To trust a system built on such an assumption, you ultimately need a proof of its security from top to bottom. The very reason I think such a system is impractical is that I agree with the notion that such proofs are not possible or if they are made are often as buggy as the code was, proofs merely being a formalism in a different language. This is the wrong paradigm, from the start. 2) "We are ignorant, so we build something that does as little as we can get away with, makes the assumption at every stage that every component of the system might be broken, and put seventeen layers of armor around it on the assumption that we still have probably made a mistake or two in designing the system." This is the model that modern firewalls built by the likes of me take -- systems that are designed to be tolerant of multiple engineering failures. Such systems are built on the assumption that humans are fallible. Such systems, unlike Java, do not depend on flawless operation of all their components for their security. Such systems are built on the conservative assumption that humans are going to make mistakes and that you have to take account of your own fallibility when designing secure systems. In such a system, one can have breeches of the security of four major subsystems and the fifth still keeps you alive. The "belt and suspenders" model doesn't require mathematical proofs of security because it was engineered, from the start, to be robust. Tim misunderstands, thinking this is a case of some foolish perfectionists getting mad at the guys who throw things together and hope that they work. Not at all. Our problem with Java is the security model, which inherently requires perfect design and operation. We build our own systems to be robust enough to survive our own mistakes. Java is built such that any mistake is fatal. Essentially, this is the optimists versus the realists. Perry PS BTW, Tim, Java is great for the theorem prover fetishizers -- look no further than Java's bytecode verifier. I have never built a system that required an "active defense" like that. They fill me with the same sort of dread I would get from a skyscraper design that required a constant flow of electricity to the building lest it collapse. Sure, its cool. Maybe it even saves some money. However, can you sleep at night inside it? From wendigo at gti.net Tue Apr 30 21:42:29 1996 From: wendigo at gti.net (Mark Rogaski) Date: Wed, 1 May 1996 12:42:29 +0800 Subject: LolitaWatch v1.1 In-Reply-To: <2.2.32.19960430141123.0071edcc@popserver.panix.com> Message-ID: <199604301950.PAA05651@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be Duncan Frissell wrote: : : At 08:02 PM 4/17/96 -0700, Dave Del Torto wrote: : >[ Newt Gingrich and his ilk being the mensches they are, I expect v2.0 may ] : >[ add support for the "Jew," "Nigger," "Kike," "Fag," "Nerd" and "Wop" bits ] : >[ -dave ] : > : : Slick Willie and his ilk being the copraphagic cretins they are, I expect : v2.0 may : add support for the "religion", African-American, "Person of the Jewish Faith", : "Lesbian", "Gay man", "Itellectually enhanced but socially challenged", and : "Euro-American" bits. : : DCF I hear that a proposal for v1.2b is to AND this bit field with 0xFFFF. If the result is 0, the packet is assumed to come from an oppressor and is dropped. I am unsure if this will be supported in Livingston's ChoiceNet. - -- Mark Rogaski | Why read when you can just sit and | Member GTI System Admin | stare at things? | Programmers Local wendigo at gti.net | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYZu8A0HmAyu61cJAQG//wQAvLujj3H+sJi/CsTzE0y1OhbVVx2qq6z9 ocO5huw3/IyeqR/q9QvtClniBeHAr6JFf+pos9fEAPWD076XCkpfymRPY0P2ntFF Alw2chky9HWhJMH8/6YWHBrbghEL5Pvi4Vldg2Kqc2K0W+w0nYOJ3PG+QBPzVKlc GuqRjAm3Q7E= =aqSn -----END PGP SIGNATURE----- From tcmay at got.net Tue Apr 30 21:46:49 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 1 May 1996 12:46:49 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") Message-ID: <adabb253070210048971@[205.199.118.202]> At 6:38 PM 4/30/96, Perry E. Metzger wrote: >Timothy C. May writes: >> SCRUFFIES AND NEATS IN SECURITY >> >> The "security neat" believes in applying rigor to security. Machines and >> languages should be "provably secure." (Better yet, machines should be >> "provably correct," a la Viper, and operating systems and languages should >> produce provably correct code.) > >Don't take this the wrong way, Tim, but you have totally >misinterpreted the position many of us who dislike Java take. You >completely mischaracterize our attitude. Perry, that essay was, as I said, sent out before it was finished. I did not even get to the part I was planning about classifying the Java supporters/detractors as either scruffies or neats! Now, while you may have _anticipated_ the point I was going to make in the completed essay, you cannot say I have "mischaracterized" anyone's attitude at this point! Unless you have a source of thiotimoline I'm not aware of. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Tue Apr 30 21:59:18 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 12:59:18 +0800 Subject: [Joke] It Takes a Village In-Reply-To: <Ugihx8m9LQQW085yn@netcom.com> Message-ID: <Pine.SUN.3.93.960430165902.614F-100000@polaris.mindport.net> On Tue, 30 Apr 1996, Alan Bostick wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > In article <199604300949.KAA05650 at pangaea.hypereality.co.uk>, > cpunk at remail.ecafe.org (ECafe Anonymous Remailer) wrote: > > > Jim Bell, village idiot. He's always good sport for the village bully, > > Black Unicorn. His pretentions aside ("the black unicorn has been in > > my family crest for a thousand years"), he is in actuality a short, > > portly Philadelphia accountant by the name of Irving Lipshitz-Groins. > > jim bell is really a short, portly Philadelphia accountant named Irving > Lipshitz-Groins? Nono, that's ME! ME! How in bloody hell am I supposed to keep this cover going if people attribute perfectly good disinformation to Mr. Bell? (Sigh). --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From perry at piermont.com Tue Apr 30 21:59:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 12:59:19 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <adabb253070210048971@[205.199.118.202]> Message-ID: <199604302018.QAA14545@jekyll.piermont.com> Timothy C. May writes: > At 6:38 PM 4/30/96, Perry E. Metzger wrote: > >Timothy C. May writes: > >> SCRUFFIES AND NEATS IN SECURITY > >> > >> The "security neat" believes in applying rigor to security. Machines and > >> languages should be "provably secure." (Better yet, machines should be > >> "provably correct," a la Viper, and operating systems and languages should > >> produce provably correct code.) > > > >Don't take this the wrong way, Tim, but you have totally > >misinterpreted the position many of us who dislike Java take. You > >completely mischaracterize our attitude. > > Perry, that essay was, as I said, sent out before it was finished. [...] > Now, while you may have _anticipated_ the point I was going to make in the > completed essay, you cannot say I have "mischaracterized" anyone's attitude > at this point! I could only respond to the statments you made, not the ones you could have made. In any case, I'm not sure that there is such a thing either as a "Security Scruffy" or a "Security Neat" in the argument about Java; the breakdown in opinions occurs along very different lines. Perry From perry at piermont.com Tue Apr 30 22:10:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 13:10:08 +0800 Subject: no-cost DH? In-Reply-To: <Pine.SUN.3.93.960430130125.8652A-100000@eskimo.com> Message-ID: <199604302115.RAA14679@jekyll.piermont.com> Wei Dai writes: > On Tue, 30 Apr 1996, Bill Frantz wrote: > > Morris (Cylink): Cylink owns the DH patents. We are opening the > > technology with no-cost licenses. Patents should not be used to block > > the technology. > > Does anyone know more about these no-cost licenses? I wouldn't mind > getting free DH a year early... They don't give out licenses for free, but they are selling flat rate licenses for given products... .pm From unicorn at schloss.li Tue Apr 30 22:31:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 13:31:08 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <m0uE9Zb-00092YC@pacifier.com> Message-ID: <Pine.SUN.3.93.960430164418.614B-100000@polaris.mindport.net> On Tue, 30 Apr 1996, jim bell wrote: > At 07:40 PM 4/29/96 EDT, Dr. Dimitri Vulis wrote: > >jim bell <jimbell at pacifier.com> writes: > >> At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: > >> >CNN is reporting that Colby's canoe has been found on the Potomac and > >> >Colby is missing. > >> > >> Don't tell me, let me guess: The guy who rented the canoe to him has > >> suddenly retired, and has been reportedly seen going on a Park Avenue > >> shopping spree. Right? > > > >Jim, I don't find dumb jokes about dead people I liked particularly funny. > > > Aren't you making an assumption that Colby is dead? No body has been found, > last I heard. Maybe he just decided that he wanted to disappear in a > comparatively non-suspicious fashion? Having met Colby and being somewhat familiar with his political skills I would be surprised if he would ever think a drowning accident was "non-suspicious." William Colby, whatever anyone may think of intelligence, was quite a man, respected in the community, a major in the OSS and a World War II hero decorated 5 times. His like are not common. I hope he is found alive and well. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From loki at infonex.com Tue Apr 30 22:33:27 1996 From: loki at infonex.com (Lance Cottrell) Date: Wed, 1 May 1996 13:33:27 +0800 Subject: connecting Uni to the Web O Trust Message-ID: <adabfc74000210044343@[206.170.115.3]> -----BEGIN PGP SIGNED MESSAGE----- Look at the signators and judge for your self. When I look at the people I trust through one level of introducer, I find I have a very high degree of confidence in their identities. Two introducers out, it still looks fairly good. I have not looked farther than that. It is the limit of my trust. In many ways it is easier to establish the authenticity of a pseudonym than a verinym. The only question with a pseudonym is whether the nym who posts is the same nym who posted last time, and the time before that. If, over the course of a year or two, there are no attempts to spoof the pseudonym, then the key will have become well connected with the nym. That is all that matters. Even if a "Sameer" has posted for years, I still have to worry if the person's real name is Sameer (given the current understanding of the meaning of a signature on a key). I once refused to sign a key because I thought the driver's license was forged, but I would be likely to accept a better forgery at authentic. I am at least as confident of the identity of Uni as I am of many of the other keys I have signed. The only ones I have more confidence in are those of long time close friends, and family. -Lance Cottrell At 10:21 PM 4/28/96, sameer at c2.org wrote: >> (Sigh). I'll say it yet a third time. Get a current copy of my key which >> is signed by at least three people on the web of trust. > > As if this "web of trust" was actually worth something. > >-- >Sameer Parekh Voice: 510-601-9777x3 >Community ConneXion, Inc. FAX: 510-601-9734 >The Internet Privacy Provider Dialin: 510-658-6376 >http://www.c2.net/ (or login as "guest") sameer at c2.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMYZOkPPzr81BVjMVAQGwOggA1xZguRBMxrjZisk/3Imf4VKLzTr7wNaO J5141lamYinHEnmvNZ9VTkq7kdkoTKw572RkC+tAeMI5PjAEOhxtbnRBMumVh7u6 wnxx1BD0Onka5r4M4avr8VFsPc2CYOicG5Yk33FJKuGT9JlSKgCOOeD8U5XQlbCD 8KGr6RPyYmEkKhEA3uhAE+vUjBN5ihCYglU+9U1wlRHX6bsS2gD3xjN2jaLCRcpv vlPPGLrxQbxi7jVKOjXM6flTpYmjnV5gDLtEKMtpF08LsvL+t51NleDGCBmV7aBp 5xIpFvFb/PRyZpZa21yESrZ13Dx+0qOgXpXEFB3A3SPGWKFQGILm0A== =sGly -----END PGP SIGNATURE----- ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From jimbell at pacifier.com Tue Apr 30 22:37:33 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 13:37:33 +0800 Subject: [LONG] Churchill Club: 20th Anniversary PK Crypto Message-ID: <m0uENB7-0008yqC@pacifier.com> At 10:01 AM 4/30/96 -0700, Mark S. Miller wrote: > Paul Raines, Project Manager, United States Postal Service described > ... The post office brings four things that private > industry can't: ... (2) ... well established reputation, ... > (4) it can act as a trusted third party. > >Oh. Well that's good to know. > > --MarkM I agree that the Post Office has a "well-established reputation." Too bad it isn't a GOOD "well-established reputation." Jim Bell jimbell at pacifier.com From liberty at gate.net Tue Apr 30 22:39:54 1996 From: liberty at gate.net (Jim Ray) Date: Wed, 1 May 1996 13:39:54 +0800 Subject: Freedom and security Message-ID: <199604302039.QAA26070@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- angels at wavenet.com (CyberAngels Director : Colin Gabriel Hatcher) wrote: >Mike McNally wrote > >>If.... (freedom and security) ....weren't antithetical, there'd be no need >>for a balance. > >If they were antithetical then as freedom increased security would >decrease, and as security increased freedom would decrease. There may be some word-definition problems here. I believe Mr. McNally refers to the words freedom and security as applied to individuals, and CyberAngels refers to them as applied to the whole of society. When all the flowery rhetoric is removed, society is made up of individuals, and individuals almost by definition disagree on the meanings and relative importance in their own lives of freedom and security. For example, I feel not-a-lot of freedom being Vince's munition exporter #17, but Louis Freeh doubtless feels more secure with a statist law like ITAR around. FBI Director Freeh and I are both part of society, and I can refer to the two of us as "we," but "we" clearly disagree on freedom and security. His side has more guns, along with the media, and my side has more people who tell the truth. He is free to open up all his private email to government snoops if he wants to, but he may not open mine, because I do not trust him. He also may not dictate the content of my webpage, which includes my possibly-indecent babypictures. >It is not IMHO inevitable that if we increase security we will jeopardize >freedom. My concern is that if we ignore security we will have no freedom >left to protect. I agree. Freedom is already diminishing at an alarming pace. That is why cypherpunks spread crypto, and why Libertarians like me rant. Freedom does not increase through more laws. _Parents_, NOT governments, ISPs, cops, villages, and so on, are responsible for raising children. Parents sometimes raise kids in ways that I disagree with, but I am unwilling to advocate laws that prevent it because such laws only breed more laws, which always lead to less freedom. >I don't believe the Internet community is split into two camps on this >issue - there appear to me to be many places where people draw their lines >at different points. I am unsure what this means. I want Jim Ray drawing my lines, because I think he does a better job of it than Director Freeh, even if his side has more/better guns than mine. I feel that his side is in a different, much better armed, and much more trigger- happy "camp" than mine. >I don't believe that security is the enemy of >freedom. I believe that freedom needs security in order to exist at all. Good. Join us in spreading cryptography around, and security will bloom (along with freedom). JMR Regards, Jim Ray <liberty at gate.net> "My cynical belief is that there is a lack of motivation in either party to fully and properly investigate [Mena] because the results will damage as many Republicans as Democrats." - former prosecutor Charles Black, in April 22, 1996's Wall Street Journal, p.A22 [NOTE TO MEDIA TYPES LURKING: Must the W$J and "High Times" magazine be the only journalists to cover the Mena, Arkansas story???]<sigh> _______________________________________________________________________ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray _______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. iQCVAwUBMYZ5Rm1lp8bpvW01AQEHCwQAgPyle05vnwDqeWJvWSjFLBm4w6JzZe/F dxYWsYTLmprySNO45Eu5UMfWiIyN0auW8vndS32Y67/HAgxvPFxfA1J95m//ty/l qoSDTeeKjuHi4NIMo1gHIVvsWI0cSL/4gJSUJEeI9Ck5xXnWiP1okZAgyLj2HtYS Wzag+PrHk0M= =hMTU -----END PGP SIGNATURE----- From weidai at eskimo.com Tue Apr 30 22:42:56 1996 From: weidai at eskimo.com (Wei Dai) Date: Wed, 1 May 1996 13:42:56 +0800 Subject: no-cost DH? In-Reply-To: <199604300808.BAA17923@netcom9.netcom.com> Message-ID: <Pine.SUN.3.93.960430130125.8652A-100000@eskimo.com> On Tue, 30 Apr 1996, Bill Frantz wrote: > Morris (Cylink): Cylink owns the DH patents. We are opening the > technology with no-cost licenses. Patents should not be used to block > the technology. Does anyone know more about these no-cost licenses? I wouldn't mind getting free DH a year early... Wei Dai From unicorn at schloss.li Tue Apr 30 22:52:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 13:52:57 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <m0uEN3x-00091PC@pacifier.com> Message-ID: <Pine.SUN.3.93.960430174510.614K-100000@polaris.mindport.net> On Tue, 30 Apr 1996, jim bell wrote: > At 04:46 PM 4/30/96 -0400, Black Unicorn wrote: > >> last I heard. Maybe he just decided that he wanted to disappear in a > >> comparatively non-suspicious fashion? > > > >Having met Colby and being somewhat familiar with his political skills I > >would be surprised if he would ever think a drowning accident was > >"non-suspicious." > > Notice that I said "comparatively" non-suspicious. Can you think of any > LESS suspicious way to appear to die and still explain no body being found? Many. You lack imagination. [...] > >I hope he is found alive and well. > > He might very well be alive. But it's almost certain he won't be found... Your conspiracy nut side is showing. > BTW, the news item I read this morning stated that his neighbors called the > cops when they noticed that his car was still at the cabin Sunday > night...after the time he normally left to return home. While most people > wouldn't see a problem with this, I do: How many citizens are so aware of > the schedules and habits of their neighbors that they would become > suspicious if their neighbor stayed TOO LONG? Colby was well known and friendly to his neighbors. He was an impressively outgoing person, a trait which showed both in his unprecidented opening of the Agency (he was dismissed for cooperating too completely with congress), and his personal life. His neighbors in Virginia were all close friends and the community there is very close knit. A pile of leaves in the wrong place attracts attention. I used to run a private seminar in D.C. The two times I asked, he was happy to come and speak for us. He was always amazingly frank and engaging. Not at all a secretive man when it came to his personal beliefs and activities. > Not days and days too long, > just a few hours? Or were Colby's habits so precise and predictable (and > known to be so!) that his neighbor would call the cops just because he, > ONCE, stayed a little longer than normal? Yes, they were. He ran an active consulting business in D.C. and returned to the city on a regular schedule. In addition, he was very prudent about letting people know when he was about to go out on the river. The man was in his 70s, of course he generated a good deal of concern amongst his neighbors. > What's wrong with this picture? It's not hard to see. As usual you are theorizing and speculating about issues and persons you have no connection to. Even in the face of someone with personal experience as to the matter at hand you persist in asserting that you are more 'in the know.' In this particular case you are discussing someone I know personally. Given the circumstances, your rumor mongering is both classless and distasteful. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From gnu at toad.com Tue Apr 30 22:59:01 1996 From: gnu at toad.com (John Gilmore) Date: Wed, 1 May 1996 13:59:01 +0800 Subject: SF area: Bernstein victory beach volleyball party, this Sunday Message-ID: <199604302019.NAA11079@toad.com> Remember how much fun it was to get all dressed up in banker's clothes to go to the Bernstein court hearing and show the judge that we cared? Well, now it's time to get UNdressed and come to the beach to celebrate the results! See you there! -- John From: Joseph Arceneaux <jla at arceneaux.com> To: vball at arceneaux.com Subject: Bernstein victory beach volleyball party, take 2 Let's try again to celebrate the Berstein victory at the beach. Hopefully, the weather will be better this Sunday. Last weekend was beautiful and we saw several whales just offshore. WHEN: Sunday, May 5, from 1:00 on, weather permitting. WHERE: Grey Whale Cove, off Highway 1 south of Pacifica but before Montara. To check for weather conditions, call (415) 728-5336 NOTICE: This is a clothing-optional beach and costs $5 per person. It's well worth it, however. No one is under any obligation to take their clothes off, or to leave them on, for that matter. >From SF: take 280 to Hwy 1 South, through Pacifica. After the road rises to the cliff level, look for the abandoned bunker on the cliff to your right. Just after it, watch for the parking lot on your left. Park and walk down. >From the South Bay: take 92 across to the ocean. Turn north (right) on Hwy 1. After Montara, the road rises into the cliffs. Watch for the only parking lot on the right-hand side of the road. Park and walk down. Hope to see you there. Please invite others. The more, the merrier. Joe & Cindy PS: The first person to spot a naked NSA guy wins a prize. ---- Joseph Arceneaux Arceneaux Consulting http://www.arceneaux.com jla at arceneaux.com +1 415 648 9988 (direct) +1 415 341 1395 (fax) +1 500 488 9308 Cindy A. Cohn McGlashan & Sarrail, P. C. 177 Bovet Road, 6th Floor San Mateo, CA 94402 (415) 341-2585 (tel) (415)341-1395 (fax) Cindy at McGlashan.com http://www.McGlashan.com From unicorn at schloss.li Tue Apr 30 22:59:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 13:59:28 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <m0uEN3x-00091PC@pacifier.com> Message-ID: <Pine.SUN.3.93.960430181407.614M-100000@polaris.mindport.net> I typoed. Virginia should read "Maryland" in my last post. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From jimbell at pacifier.com Tue Apr 30 22:59:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 13:59:49 +0800 Subject: Former CIA Director and *Strategic Investment* Editor Message-ID: <m0uEN3x-00091PC@pacifier.com> At 04:46 PM 4/30/96 -0400, Black Unicorn wrote: > >> Aren't you making an assumption that Colby is dead? No body has been found, >> last I heard. Maybe he just decided that he wanted to disappear in a >> comparatively non-suspicious fashion? > >Having met Colby and being somewhat familiar with his political skills I >would be surprised if he would ever think a drowning accident was >"non-suspicious." Notice that I said "comparatively" non-suspicious. Can you think of any LESS suspicious way to appear to die and still explain no body being found? > >William Colby, whatever anyone may think of intelligence, I think their mis-usage of the word "intelligence" is hilariously presumptuous. > was quite a man, >respected in the community, a major in the OSS and a World War II hero >decorated 5 times. His like are not common. > >I hope he is found alive and well. He might very well be alive. But it's almost certain he won't be found... BTW, the news item I read this morning stated that his neighbors called the cops when they noticed that his car was still at the cabin Sunday night...after the time he normally left to return home. While most people wouldn't see a problem with this, I do: How many citizens are so aware of the schedules and habits of their neighbors that they would become suspicious if their neighbor stayed TOO LONG? Not days and days too long, just a few hours? Or were Colby's habits so precise and predictable (and known to be so!) that his neighbor would call the cops just because he, ONCE, stayed a little longer than normal? What's wrong with this picture? From unicorn at schloss.li Tue Apr 30 23:07:38 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 1 May 1996 14:07:38 +0800 Subject: [Joke] It Takes a Village In-Reply-To: <199604300949.KAA05650@pangaea.hypereality.co.uk> Message-ID: <Pine.SUN.3.93.960430164925.614C-100000@polaris.mindport.net> On Tue, 30 Apr 1996, ECafe Anonymous Remailer wrote: > Friend, [...] > Jim Bell, village idiot. He's always good sport for the village bully, > Black Unicorn. His pretentions aside ("the black unicorn has been in > my family crest for a thousand years"), he is in actuality a short, > portly Philadelphia accountant by the name of Irving Lipshitz-Groins. Bullies have to be somewhat superior to intimidate and even Philadelphia accountants have family crests on occasion. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Opp. Counsel: For all your expert testimony needs: jimbell at pacifier.com From mdiehl at dttus.com Tue Apr 30 23:24:22 1996 From: mdiehl at dttus.com (Martin Diehl) Date: Wed, 1 May 1996 14:24:22 +0800 Subject: Free speech debate on MSN Encarta Message-ID: <9603308309.AA830914378@cc1.dttus.com> IMO, it's simpler than that: suppose your favorite rater (SafeForChildren, SafeForCongressCritters, SafeFor<our>Church, ...) has a PGP-style key. If they rate a page as OK for their subscribers to read, the rater signs the page with it's private key and requests the page owner to include that signature on the page. If you want to limit what you read to what they approve, you read only those pages whose signatures can be verified with the trusted rater's public key. BTW, you could put the signature verification into the WEB browser rather than the proxy and keep the overhead out in the user's PC. Would need extensions to HTML standards; e. g. <rated_by xxxyyyzzz = 0123456789abcdef_hash>. This would be the hash over the entire page _excluding_ the "rated_by portion(s) so that multiple raters could exist and interoperate. Martin G. Diehl Just my own opinion. ______________________________ Reply Separator _________________________________ Subject: Re: Free speech debate on MSN Encarta Author: jpb at miamisci.org (Joe Block) at Internet-USA Date: 3/24/96 4:06 PM At 8:57 PM 3/23/96, Mark M. wrote: On Sat, 23 Mar 1996, I wrote: >> However, I don't think it likely that many ISPs will go this route from a >> liability point of view - if some parent is paying them to filter out smut, >> and little Zippy finds a brand new x-rated site, chances are some irate [snip] I agree, if you're going to bother with rating pages, digitally signing the signature so that terrorist X can't just copy the "Good Clean Fun" rating code into his Phosgene formula page is the only rational solution. Gotta love that overhead, though. Joseph Block <jpb at miamisci.org> "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From jimbell at pacifier.com Tue Apr 30 23:25:16 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 14:25:16 +0800 Subject: Smartcards are coming to the US Message-ID: <m0uEOvQ-00091FC@pacifier.com> At 10:54 AM 4/30/96 -0700, Simon Spero wrote: >Much as we Englishmen like to pretend, it is a bit of a reach to describe >France as a third-world country... "The Wogs begin at Dover." From smith at sctc.com Tue Apr 30 23:30:39 1996 From: smith at sctc.com (Rick Smith) Date: Wed, 1 May 1996 14:30:39 +0800 Subject: The Joy of Java Message-ID: <199604302303.SAA27753@shade.sctc.com> Scott Brickner <sjb at universe.digex.net> quoted the Princeton paper's concerns about Java's lack of a formal semantic basis, and mpd at netcom.com (Mike Duvos) replied: >This is overly pessimistic. Java primitive data types are fully >specified and Java operators are well-defined in the sense that >their results are unambiguous with specified input. ... Having some familiarity with application of formal methods to computer security, I'd like to point out a few things. >Saying that the current specification does not support formal >proofs of correctness is far different than saying that the >language itself is broken. The experience in the multilevel security world was that a weak or nonexistent specification pretty much guaranteed that there would be holes in the design -- limitations that kept you from being able to block covert channels or other flaws in the kernel. Language design is as tough a problem, if not more so. Brinch Hansen told a story over a decade ago about how he tried to specify a language with good semantics, and had Tony Hoare review his attempts. There always seemed to be a flaw somewhere and they weren't trying to capture object semantics back then, just types. So, in the absense of rigor there's probably not much sense in assuming correctness. >... he is not saying that the type verifier isn't correct, >merely that the materials with which to construct a proof have >not yet been dumped on top of his desk. When doing formal specification of a high assurance MLS system, a large proportion of flaws were found simply through the process of producing the formal specifications, both of the device design and of the security requirements. A large proportion of the design flaws are found while doing the formal proofs. Note that Java operating in the Internet environment acquires two sets of security requirements: the original ones for the language plus another set that applies to the platform (workstation) it runs on. The former set of requirements were pretty thoroughly worked out, though it doesn't appear that they were ever formalized. This seems to be the primary topic of discussion here, but not the only one. As of last winter, when I last checked into it, the latter set of requirements hadn't been specified in any reasonable detail. Such a spec would reflect the security requirements for running on a workstation that requires some measure of confidentiality. For example, consider the CEO's workstation: the SEC has rules about keeping certain things secret, and that stuff tends to live in files on a CEO's workstation. Of course, the problem also applies to anyone who has unwrapped PGP keys lying about when some applet turns malicious. >In any case, the anarchy of the free market rarely takes notice >of the theoretical musings of academicians. Until Java >experiences a catastrophic and public train wreck, people will >continue to use it and its reputation will continue to grow. The only reason MLS systems were formally specified and analyzed was because the DOD wanted to avoid a computer based train wreck involving intelligence data or other stuff of comparable sensitivity. They had money and market clout, at least when they started. Rick. smith at sctc.com secure computing corporation From jimbell at pacifier.com Tue Apr 30 23:32:54 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 1 May 1996 14:32:54 +0800 Subject: Former CIA Director and *Strategic Investment* Editor Message-ID: <m0uEOQO-0008yoC@pacifier.com> At 06:03 PM 4/30/96 -0400, Black Unicorn wrote: >On Tue, 30 Apr 1996, jim bell wrote: >> Notice that I said "comparatively" non-suspicious. Can you think of any >> LESS suspicious way to appear to die and still explain no body being found? > >Many. You lack imagination. You lack specifics. And how applicable are these to a person like Colby? >> He might very well be alive. But it's almost certain he won't be found... > >Your conspiracy nut side is showing. Who said "conspiracy"? If Colby wanted to disappear, are you trying to suggest that he wouldn't have been able to engineer this himself? The word "conspiracy" requires the actions of more than one person, or have you forgotten? If anything, your misuse of the word "conspiracy" reveals your knee-jerk thought processes. >> Not days and days too long, >> just a few hours? Or were Colby's habits so precise and predictable (and >> known to be so!) that his neighbor would call the cops just because he, >> ONCE, stayed a little longer than normal? > >Yes, they were. He ran an active consulting business in D.C. and returned >to the city on a regular schedule. In addition, he was very prudent about >letting people know when he was about to go out on the river. The man was >in his 70s, of course he generated a good deal of concern amongst his >neighbors. If the guy went out, alone, in a canoe in (reportedly) 2-foot waves without a life vest, the term "intelligence" is doubly wasted on him. >> What's wrong with this picture? > >It's not hard to see. As usual you are theorizing and speculating about >issues and persons you have no connection to. Even in the face of someone >with personal experience as to the matter at hand you persist in asserting >that you are more 'in the know.' What a brainless statement! Quite the opposite, I didn't claim to be "in the know." Rather, I merely pointed out that what was being said by others about the incident was without appreciable support and rather inconsistent and not believeable, and very much inadequate. I can do this very effectively without knowing, for certain, what really did happen. >In this particular case you are discussing someone I know personally. > >Given the circumstances, your rumor mongering is both classless and >distasteful. I'm starting no rumors. Rather, if anything, I'm ATTACKING a rumor being portrayed as fact: The rumor that he died in a canoeing accident. Jim Bell jimbell at pacifier.com From alanh at infi.net Tue Apr 30 23:38:17 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 1 May 1996 14:38:17 +0800 Subject: Why were smart cashcards first introduced in the third world? In-Reply-To: <Pine.SUN.3.91.960430100509.16499H-100000@viper.law.miami.edu> Message-ID: <Pine.SV4.3.91.960430200147.10617A-100000@larry.infi.net> On Tue, 30 Apr 1996, Michael Froomkin wrote: > Subject: Re: Smartcards are coming to the US > > Lack of entrenched competitors? E.g. credit cards? Let's talk about the boondocker provinces of the Philippines, with which I am intimately familiar. Domestic credit cards exist, but only are accepted at larger establishments. Although some, for example, Philippine Airlines, will _not_ accept the local cards, but are happy to accept foreign-issued cards. There is a major shortage of coins and currency. I am not joking. From alanh at infi.net Tue Apr 30 23:38:55 1996 From: alanh at infi.net (Alan Horowitz) Date: Wed, 1 May 1996 14:38:55 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <Pine.SUN.3.93.960430164418.614B-100000@polaris.mindport.net> Message-ID: <Pine.SV4.3.91.960430201351.10617C-100000@larry.infi.net> The guy I really liked was what's-his-face, the DCI who passed away during the REagan gameshow. Guy was cool, cause he always wore a hat. Just like the Soviet leaders, now that I think about it. Someday, walking sticks and hats will return to fashion. The South will rise again. From perry at piermont.com Tue Apr 30 23:39:34 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 14:39:34 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <adabfd860b0210043451@[205.199.118.202]> Message-ID: <199605010047.UAA15120@jekyll.piermont.com> Timothy C. May writes: > Just as when you claimed Java applications can't do file i/o, and several > people point out that you are wrong and that it is _applets_ that you must > have been thinking of (and not even always for applets, by the way). > Instead of admitting you were wrong, or misread the post, you just say > "Same difference." Yup. Same difference. I typed the wrong word when producing my post. The context was using "safe java" for markets in CPU cycles. In that context, yes indeed, "safe" Java programs, applets, or whatever you want to call them that you get over the network and can "trust" aren't supposed to be able to do file i/o. The whole point was that Java doesn't provide the execution environments you need for CPU cycle markets. Sometimes my statements are incorrect, but its very rare indeed that I don't know what I was trying to say. > I suggest you wait until you see what I have to say on this before jumping > the gun by assuming you know what it is I'm going to say (or that someone > saying "application" must have really meant to say "applet"). As I said (and you called me a smartass for saying -- how polite of you, by the way) I could only reply to what you posted, not to what you could have posted. There was no indication in your accidental partial post that it was an accidental partial posting. I'm not a psychic. Perry From vznuri at netcom.com Tue Apr 30 23:51:45 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 1 May 1996 14:51:45 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199604301838.OAA14274@jekyll.piermont.com> Message-ID: <199605010015.RAA15723@netcom15.netcom.com> PM: >2) "We are ignorant, so we build something that does as little as we > can get away with, makes the assumption at every stage that every > component of the system might be broken, and put seventeen layers > of armor around it on the assumption that we still have probably > made a mistake or two in designing the system." This is the model > that modern firewalls built by the likes of me take -- systems that > are designed to be tolerant of multiple engineering failures. Such > systems are built on the assumption that humans are fallible. Such > systems, unlike Java, do not depend on flawless operation of all > their components for their security. Such systems are built on the > conservative assumption that humans are going to make mistakes and > that you have to take account of your own fallibility when > designing secure systems. In such a system, one can have breeches > of the security of four major subsystems and the fifth still keeps > you alive. The "belt and suspenders" model doesn't require > mathematical proofs of security because it was engineered, from the > start, to be robust. well, are you saying it would be impossible to do such a thing in a distributed programming language? why does Java not fit this description? it seems to have the internal equivalent of "firewalls" (a "sandbox" is a similar concept). furthermore, you are imposing a virtual military-level degree of security to something that does not seem to require it. if a virus gets loose on someone's computer because of Java, what's the harm? you are designing systems that when broken cost bazillions of dollars, potentially. what does Java cost when it breaks? who is saying that one should use Java for extremely mission critical situations such as funds transfer? yes, there are different kinds of security, and it would be foolish for anyone to assume or think that the security offered by Java is the same security referred to by people such as PM writing financial applications, or people inside the NSA, etc-- you know PM, you often write as if you are an authority on security, but I'll wager that people inside NSA think you are "playing in the sandbox" so to speak. let us agree that no matter how secure something is, there is someone that demands more security, and actually pays for it. sort of like no matter how much you make in salary, there is someone who makes more than you do. or no matter how much you know about subject [x], someone else knows more. PM, you go on the defensive against TCM, but he was not really stating that either the "scruffies" or the "neaties" have an inherent advantage. it's a feedback loop in security as much as it is in AI as he described. neither view is incorrect. they both have their applications. >Tim misunderstands, thinking this is a case of some foolish >perfectionists getting mad at the guys who throw things together and >hope that they work. Not at all. Our problem with Java is the security >model, which inherently requires perfect design and operation. again, no one said that you have to use Java for mission critical applications. please don't criticize it for using the term "secure" when in fact that is appropriate for its environment. has it ever claimed to do something it doesn't? have the java designers ever said, "our code is bug free"? We >build our own systems to be robust enough to survive our own mistakes. >Java is built such that any mistake is fatal. y'know, it may be possible to create an *implementation* for java that fulfills your demands. you seem to be talking a lot more about hardware than software. you are free to create any kind of environment you want for the Java interpreter, including a paranoid system with multiple firewalls that assumes Java may not do what it claims it does. >Essentially, this is the optimists versus the realists. I've noticed how there are two types of thinking: dualistic and unified. people that are stuck in dualistic thinking always think that because someone disagrees with them, they are putting them down. they can't conceive of multiple alternative views on the same subject, all with relative merits. they may paint their supposed adversaries as "optimists" and themselves as the "realists". a silly game that can go on ad infinitum. I've noticed that women (well, the ones that are feminine, anyway) don't seem to get into this kind of debate much, even when they are present. it's a real man kind of thing. >PS BTW, Tim, Java is great for the theorem prover fetishizers -- look no >further than Java's bytecode verifier. I have never built a system >that required an "active defense" like that. They fill me with the >same sort of dread I would get from a skyscraper design that required >a constant flow of electricity to the building lest it collapse. Sure, >its cool. Maybe it even saves some money. However, can you sleep at >night inside it? again, I reiterate: no one asked you to use Java, PM. it has a very useful place where it was designed for: on the desktop of computer geeks who get a kick out of mandelbrot generators or remailers or whatever. you are a businessman in a mission critical situation. why are you ramming your standards down the throat of a place where it is inappropriate? did the creators of Java say that it is going to be used in the banking industry? why do you write all your attacks on it as if they have? do you realize it was intended at first to be put into *home*appliances*? are you going to die if you occasionally have to reboot your toaster because a bug? hee, hee, maybe I should bite my tongue. maybe you have a "firewall protected toaster arrangement." From dlv at bwalk.dm.com Tue Apr 30 23:55:27 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 1 May 1996 14:55:27 +0800 Subject: Former CIA Director and *Strategic Investment* Editor In-Reply-To: <Pine.SUN.3.93.960430164418.614B-100000@polaris.mindport.net> Message-ID: <wu68mD278w165w@bwalk.dm.com> Black Unicorn <unicorn at schloss.li> writes: > On Tue, 30 Apr 1996, jim bell wrote: > > At 07:40 PM 4/29/96 EDT, Dr. Dimitri Vulis wrote: > > >jim bell <jimbell at pacifier.com> writes: > > >> At 04:06 AM 4/29/96 -0700, anonymous-remailer at shell.portal.com wrote: > > >> >CNN is reporting that Colby's canoe has been found on the Potomac and > > >> >Colby is missing. > > >> > > >> Don't tell me, let me guess: The guy who rented the canoe to him has > > >> suddenly retired, and has been reportedly seen going on a Park Avenue > > >> shopping spree. Right? > > > > > >Jim, I don't find dumb jokes about dead people I liked particularly funny. > > > > Aren't you making an assumption that Colby is dead? No body has been found > > last I heard. Maybe he just decided that he wanted to disappear in a > > comparatively non-suspicious fashion? > > Having met Colby and being somewhat familiar with his political skills I > would be surprised if he would ever think a drowning accident was > "non-suspicious." > > William Colby, whatever anyone may think of intelligence, was quite a man, > respected in the community, a major in the OSS and a World War II hero > decorated 5 times. His like are not common. > > I hope he is found alive and well. Having met Colby, I found him a very remarkable person, and also very pleasant. Unfortunately, I believe he's dead. R.I.P. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From perry at piermont.com Tue Apr 30 23:56:47 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 1 May 1996 14:56:47 +0800 Subject: Why I dislike Java. (was Re: "Scruffies" vs. "Neats") In-Reply-To: <199605010015.RAA15723@netcom15.netcom.com> Message-ID: <199605010033.UAA15101@jekyll.piermont.com> "L. Detweiler" writes: > well, are you saying it would be impossible to do such a thing > [produce a safe execution environment] in a distributed programming > language? It is difficult. The way Java does this, with the protection relying solely on the correctness of the runtime (the interpreter isn't emasculated so flaws in the runtime can cause unexpected behavior) it is nearly impossible. Humans aren't good enough at designing systems this century. > furthermore, you are imposing a virtual military-level degree of > security to something that does not seem to require it. if > a virus gets loose on someone's computer because of Java, what's > the harm? The Web is the universal marketplace these days. Being unable to use the web is the equivalent of being unable to use the phone. I have research analysts at large trading houses begging for Netscape. Unfortunately, these people have a need for top notch security, because vast amounts of money are at stake. So, yes, if you are going to create a product that everyone on earth has to be able to use, it had damn well not explode in your face every once in a while. Imagine if all the world's refrigerators had a 1 in 10,000 chance of blowing up on you. "Whats the harm" you say. Well, most people don't expect that sort of behavior in a friendly consumer appliance that nice people from Sun and Netscape guarantee is absolutely positively safe except for all the bugs. > you are designing systems that when broken cost bazillions > of dollars, potentially. what does Java cost when it breaks? It costs all the same things the the firewalls are protecting. > who is saying that one should use Java for extremely mission > critical situations such as funds transfer? No one. Unfortunately, when the same machine runs Netscape so the trader can read the UUNet/MFS merger press release and also has the big shiny red "trade!" button on some application, you get nervous. As I said, the traders don't expect that their phone will explode when they pick it up, or that every piece of literature they get in the mail may be coated with contact poison. Well, Java is a silent killer. It soon is going to be sitting on every desktop at every company in America and its being sold as the new paper or phone. Its also sitting on all those PCs running "Quicken" that helpfully now can do direct electronic funds transfer from your account, etc. If you don't care about the security of your bank account, well, sure, you have nothing to worry about. In short, my clients need security today. Your home computer probably needs it soon if not now, and if you think your business can survive a few days without its computers, please, by all means, run without security. > again, no one said that you have to use Java for mission critical > applications. Its not Java crashing that I worry about. Its everything else on the computer and the network it is attached to that needs protection. > did the creators of Java say that it is going > to be used in the banking industry? Well, sorry, you try to keep it off the desks in the banking industry if you can. > do you realize it was intended at first to be put into > *home*appliances*? are you going to die if you occasionally have to > reboot your toaster because a bug? No, but you could die if someone gets your toaster to catch fire, or gets your microwave oven to do something the hardware wasn't supposed to. It might also be very annoying if your home security system stopped working, or if your smoke detectors didn't detect smoke, or even if your fridge decided that it didn't like a string overflow in the interpreter and decided to stop refrigerating. Life critical applications or important financial applications are all around us. You just don't seem to notice. Perry