From abostick at netcom.com Thu Feb 1 00:50:12 1996
From: abostick at netcom.com (Alan Bostick)
Date: Thu, 1 Feb 1996 16:50:12 +0800
Subject: NOISE: Re: The FV Problem = A Press Problem
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article , tcmay at got.net (Timothy C. May) wrote:

> Interesting term, similar to Chomsky's "Manufacturing Consent" (which
> obviously must've come later...).

Wow, that was fast! Only two days in the FV FUD flamewar, and already someone said "Chomsky".

Alan "Still holding out for 'Hitler'" Bostick

- --
Alan Bostick                | He played the king as if afraid someone else
Seeking opportunity to      | would play the ace.
develop multimedia content. | John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMQ++kOVevBgtmhnpAQExSgL9FmliH59XZQdJYtSg1Ysfh2q80N8fjkuB
HEAbSdf24I6m4mcaIVJPq2El/nCnrGazImBWjt85bjnNLr1w7nEafW7PTPXeU4hH
NQpB6rPz1gaZC9LmWTSIULU8qYcSNgBn
=6F2e
-----END PGP SIGNATURE-----

From msaraiva at marktest.pt Thu Feb 1 01:22:30 1996
From: msaraiva at marktest.pt (Miguel Saraiva)
Date: Thu, 1 Feb 1996 17:22:30 +0800
Subject: Netscape encrypted email!!
Message-ID: <01BAEFC3.C50F85E0@leon.marktest.pt>

I believe the new microsoft exchange (from msdn level 3 ) also has some sort of security built in. Haven't tried yet. (It needs (?) Exchange Server for it )

>> * Integrated email - Netscape Navigator 2.0 offers full-featured and rich
>> email capabilities, allowing you to both read and send secure email
>> messages without launching an external email application.

>I downloaded it and checked it out. But it was not clear how to use this
>secure email - so it may lack something yet in user friendliness, or I may
>have just missed it. Anyway, it should be much easier to use than PGP.
>Are we all going to switch to Netscape for email? Is anyone using this?
>Want to tell us how?
> -- -- -> Leon : Miguel Angelo Saraiva : msaraiva at marktest.pt <- -- -- -- Vince

From perry at piermont.com Thu Feb 1 02:58:39 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Thu, 1 Feb 1996 18:58:39 +0800
Subject: Two bits, Four Bits, ETC
In-Reply-To: <199601301853.KAA13801@well.com>
Message-ID: <199601311558.KAA05088@jekyll.piermont.com>

Brian D Williams writes:
> Excellent point Bill! Let's not forget that IBM owns Lotus Notes, be
> sure to include that in your bashing. They caved in on Lucifer
> after all. ;)

Lucifer isn't stronger than DES, so it wasn't a cave in. An understanding of differential cryptanalysis makes all the difference...

From rishab at dxm.org Thu Feb 1 03:01:49 1996
From: rishab at dxm.org (Rishab Aiyer Ghosh)
Date: Thu, 1 Feb 1996 19:01:49 +0800
Subject: FV's blatant double standards
Message-ID: <9601311619.AA00825@toad.com>

I only just managed to go through my mail backlog and read Simson Garfinkel's original Mercury News article. I was appalled by FV's double standards in evaluating security risks.

Both First Virtual and real-time transaction models (without encryption, or with it e.g. Netscape) require that the recipient not be compromised. FV relies on e-mail (domain names); Netscape relies on IP addresses. IP addresses are much harder to intercept than domain names (which can be hijacked - see my earlier posts). This essentially means that while e-mail can be mis-routed, IP packets can't. Additionally, plaintext e-mail as well as IP traffic can often be sniffed along the way.

FV demonstrated, through its "card sharp" or whatever, that real-time transactions are vulnerable to sniffers on the recipient's own machine. Of course. We all knew that. But the mistake is to assume that FV isn't _equally_ vulnerable to that threat.
If you can write a trojan that will somehow get privileged access to my machine, trap my keystrokes, and identify my credit card number, you can certainly write one that will, sitting on my machine: "intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply" (to quote from Simson's article).

Simson further quotes FV's Lee Stein: "A single user can be targeted, Stein said, but ''it is very difficult. . . . There are too many packets moving . . . to too many different machines.''" - which is of course equally true for real-time Netscape transactions.

Simply put, if there's a program sitting on your computer with privileged access, it can read your mail, hide it from you, and reply, as easily as it can read your keystrokes. Even simpler: if there's a privileged program on your machine, NOTHING IS SECURE - not SSL, not FV, not plaintext credit cards, not PGP, NOTHING. This is old hat, and FV has shown nothing new with its one-sided stunt; the only reason there has been little hype recently about card-sniffing trojans is that trojans and viruses and the rest of their ilk have been dying of exposure in the media, ever since the Internet Worm grabbed headlines years ago.

Rishab

From take at imasy.or.jp Thu Feb 1 03:18:30 1996
From: take at imasy.or.jp (Hayashi_Tsuyoshi)
Date: Thu, 1 Feb 1996 19:18:30 +0800
Subject: PGP commercial usage
Message-ID: <199601311439.XAA08161@tasogare.imasy.or.jp>

At 0:43 PM 96.1.31 +0000, Dave Roberts wrote:
>I have read and reread the documentation that is included with the PGP
>distribution (although my copy is over a year old now), and am still
>trying to work out if commercial use of 2.6ui is allowed outside the USA.
>
>Could someone elaborate for me, or perhaps point me to some up to date
>reference documentation.

A few days ago I found a good page for it.

http://www.ifi.uio.no/pgp/FAQ.shtml#License

This page said that:

+ Can I use PGP 2.6.3i for commercial purposes?
+
+ Yes, you can, but you need to buy a separate license for the IDEA algorithm used in
+ PGP. (RSA is not patented outside the US, so you don't need a license for this
+ algorithm.) IDEA licenses can be purchased from Ascom Systec AG in Switzerland.
+ (The licensing of the IDEA algorithm was formerly administrated by Ascom Tech, but
+ this responsibility has been transferred to Ascom Systec. Please, do not contact
+ Ascom Tech about this matter!) The fee is charged on a per-user basis as follows:

# Sorry, this is about 2.6.3i, not 2.6ui.

P.S. Now I'm studying MacPGP...

- Tsuyoshi Hayashi
--- hayashi at scs.sony.co.jp is no longer valid.
--- Please update to take at imasy.or.jp

From frissell at panix.com Thu Feb 1 03:36:31 1996
From: frissell at panix.com (Duncan Frissell)
Date: Thu, 1 Feb 1996 19:36:31 +0800
Subject: France to push for international net legislation
Message-ID: <2.2.32.19960201111157.009bffd4@panix.com>

At 11:27 PM 1/31/96 -0800, sameer wrote:
>> I guess Declan M. won't be visiting France or any of the other EU countries
>> any time soon!
>
> That reminds me of a question--
>
> If, for example, Germany decides that my company is in
>violation of their laws for mirroring the Zundelsite, will they send
>us a letter saying that, so we know not to go to Germany?

Don't worry. If you actually *read* the Zundelsite materials, you find out that the guy who was busted in Denmark and sent to Germany just jumped bail and is in Florida. No prob. The German penal system is a joke.

DCF

From jwz at netscape.com Thu Feb 1 03:38:09 1996
From: jwz at netscape.com (Jamie Zawinski)
Date: Thu, 1 Feb 1996 19:38:09 +0800
Subject: C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
In-Reply-To: <310E0EBE.30FD3BCC@netscape.com>
Message-ID: <31109E96.4276446A@netscape.com>

Jeff Weinstein wrote:
>
> I think that you are misinterpreting the intent of Jamie's posting,
> but I will let him defend himself.
Well I'm not particularly interested in arguing about this further (and I suspect this is true of most people reading this too :-)) but my point was:

Nathaniel and crew have implemented the easy part (a tiny fraction) of a program which would successfully capture some large number of credit card numbers.

Nathaniel thinks that what I'm characterizing as a tiny fraction of the work (the keyboard sniffer and pattern recogniser) is *most* of the work, and "demonstrates" the attack.

I said that they have demonstrated nothing without some proof that combining this with an infection vector would yield the desired result, because I don't think that infecting some vast number of credit-card-using computers is any small task; whereas, Nathaniel says (or at least strongly implies) that it's trivial (or so close to trivial that it can be taken as a given.)

Nathaniel said:
> As I see it, we have implemented every part of the attack that we can
> implement without doing anything that is either unethical or illegal.

It's far from clear that you need to do something unethical or illegal to prove that coupling it with an infection vector would be effective.

For example, you would no doubt agree that eavesdropping on some unsuspecting user's transaction on an exportably-crippled SSL connection would be immoral. But it wasn't necessary to do anything immoral to demonstrate conclusively that such an attack was possible. It just required a little creativity, and a lack of handwaving.

> Is it your position that no systematic flaw in your security is real
> until someone has actually broken it?

Of course not. You don't have to actually break it to show that it's possible. Of course, you *do* have to show the likelihood of success and effort required to pull it off as well before it's interesting at all, whether it's theoretically possible or not.
== Jamie

From pg at viaweb.com Thu Feb 1 05:39:24 1996
From: pg at viaweb.com (Paul Graham)
Date: Thu, 1 Feb 1996 21:39:24 +0800
Subject: your bogus post
Message-ID: <199601302249.RAA06492@tintin.uun.org>

marketing works, and companies have to use it to stay profitable. I would not mind if fv made bogus claims in their press releases. People expect that in press releases. But I think that they should keep their press releases on their web site, where we can ignore them, instead of disguising them as "discoveries" in netnews.

So, what do you think of their product? No client or potential client of our online mall has ever asked us to implement fv payment. Everyone seems happy with credit cards. I think that the people at fv could see what was happening, and this ill-considered post was a desperate attempt to make everyone take fv seriously. In my case it had the opposite effect.

-- pg

From eli at cs.cmu.edu Thu Feb 1 05:43:29 1996
From: eli at cs.cmu.edu (Eli Brandt)
Date: Thu, 1 Feb 1996 21:43:29 +0800
Subject: Apology and clarification
In-Reply-To: <+cmu.andrew.internet.cyclists+0l3TCU200UfA00z5cl@andrew.cmu.edu>
Message-ID:

In a nutshell: FUD Virtual's press release glosses over the hard part of the attack -- distribution and collection. Yes, the credit-card system is broken as designed, but that's already reflected in its cost structure. The proposed attack will never make up a significant fraction of credit-card fraud.

You know, FV should put out a press release warning that all encryption-based payment systems are insecure, due to the threat of the proposed "Chinese-lottery virus". Bet you could get the Times to print it...

In article <+cmu.andrew.internet.cyclists+0l3TCU200UfA00z5cl at andrew.cmu.edu>, Nathaniel Borenstein wrote:
>When you put all four of these together, you have an attack that IS new,
>in the sense that nobody we know of has ever mentioned it before,

Who would bother?
Ask yourself if you'd have been quite so excited about this "new attack" if you were just Nat Borenstein, private citizen, with no financial interest in a competing technology.

>and which could in fact be used by a single criminal, with only a few
>weeks of programming, to tracelessly steal MILLIONS of credit cards,
>if software-encrypted credit-card schemes ever caught on.

You wave your hands and say that "consumer machines are insecure", but I don't think you have any conception of what it would take to get your trojan onto "MILLIONS" of machines. There is no historical precedent for such an attack (no, Ping-Pong and Stoned don't make the cut). Your suggestions of such things as rogue GIF viewers aren't even in the ballpark. What fraction of the victims will expose their credit card numbers? What fraction will notice your trojan and warn against it? The ratio has to be very, very large.

>and get them back to the program's author by non-traceable
>mechanisms.

I didn't see the part where you explain how this works, either.

>If not, I think it's worth noting that this fact was previously
>completely unknown to the bankers and businessmen who are putting
>large sums of money at risk on the net. The only way to get the
>message to those communities is with a very visible public
>announcement of the kind you saw yesterday.

You wouldn't have shot your reputation so badly if you weren't so damned disingenuous about the whole thing. Paragraphs like the above really irritate me.

--
Eli Brandt
eli+ at cs.cmu.edu

From declan+ at CMU.EDU Thu Feb 1 06:01:26 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 1 Feb 1996 22:01:26 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted"
In-Reply-To: <199602011002.CAA25917@infinity.c2.org>
Message-ID:

Excerpts from internet.cypherpunks: 1-Feb-96 Tim's paranoid rant about D.. by Just Rich at c2.org
> I disagree. It is clear to me that there is absolutely no cloud hanging
> over us.
> If any German court tried to press charges against me for
> posting Zundel's materials, they'd be laughed across the Argonne. Most
> mainstream Jewish groups *love* me right now.
>
> I find it curious, and I am beginning to get a little annoyed, that my
> name is rarely mentioned, though I set up the first mirror, and Declan got
> the files from me.

So you're getting pissy that you're not The Only Zundel Mirror. Big fucking deal. Get over it. The more the better.

I find it telling that you wrote me mail demanding that I alter my web pages to your satisfaction or you'll smear me in the press, since your web site (you informed me) is going to be featured in the next issue of TIME, Internet World, and the San Francisco Chronicle. Hey, guy, kudos to you. Glad to hear it. Smear the fuck away.

> I am very annoyed that Declan has not responded to repeated requests to
> remove the cleartext "Stanford University" from the parts of his Web site
> that mention me. Of course the stanford.edu, or at least net 36.190, will
> remain in the URL, but there is no reason that the link text could not say
> "Rich Graves' mirror." First Declan sent me mail saying he would respect
> my wishes, but he didn't.

Let's get the facts right and ignore Rich's distortions. I wrote:

"I'll honor your wishes and take your full name off."

I did *not* write that I'd take Stanford's name off the pages. I did take your full name off, as I said I would. The point of mentioning universities by name is to point out that to restrict web access to a university site, Germany will have to cut off *all* web access to that university. (Or at least to that hostname.)

(BTW, I did give you credit for supplying much of the Zundelschtuff: http://www.cs.cmu.edu/~declan/Not_By_Me_Not_My_Views/censorship.html)

> Then a friend of mine reminded Declan of my
> request, and Declan responded with abuse.
Your friend, Haggai Kupermintz, sent me unsolicited email demanding to know why I didn't act on a request that was sent earlier that day. I have better things to do than leap on every demand I get, so I flamed him. *shrug* Big deal. I didn't know a rather mild flame was "abuse." If you don't want to be "abused," don't send me demands in unsolicited email.

(I'm glad for the sake of other "abusers" at Stanford that your school's speech code was struck down by a California court last year.)

> Declan wants me to believe that this disclaimer is enough:
>
> "Please note that the
> existence of a web site at any particular institution does not
> in any way imply endorsement. Universities and businesses
> do not take responsibility for what their community members
> or customers place online."
>
> This is clearly untrue when the person in question is a staff member, as I
> am. Were I still a student, then I could more legitimately say that I'm a
> student at Stanford, and that I have the academic freedom to post whatever
> I want; but as someone who now merely works for a living at Stanford, I do
> whatever I want by the (very) good graces of my (very good) employer.

I don't follow. In what way is that disclaimer untrue? You *do* represent Stanford?

The concept of academic freedom doesn't apply to staff members? If that's true, you do have a point.

> > In Declan's case, I suspect France wants him for the Mitterrand book and
>
> France doesn't want anyone for the Mitterrand book, which was not, in
> fact, criminally banned. It was censured, not censored, in a civil trial.
> Declan is distorting the facts to suit his ego as Mr. Anti-Censorship.

I've never claimed to be Mr. Anti-Censorship. I've been trying my best to resist certain specific censorship attempts for the last few years, and I've even met with some limited success. Does the ego good and all.
> I find this breast-beating hype embarrassing and dishonest, and I am
> seriously beginning to regret giving the Zundel files to Declan. Had I
> known what he was going to do with them, and how he was going to behave, I
> would have retained closer control.

Oh, spare me. You posted to cypherpunks that the files were available via AFS, so I snagged them. You didn't "give" them to me any more than I "gave" people the Zundelhausenfiles if they FTP 'em from my account.

How can you "retain closer control" over files that are publicly available on the web? You can make them more difficult to get, I suppose, but I think that defeats the purpose and is a simply fascist thing to do -- if the purpose is to make them available anyway.

Hell, your files were out-of-date, so I had to go back to the Zundelsite anyway.

> One mirror site was enough. The German providers would not have blocked
> stanford.edu had it remained the only mirror site. The President of
> Stanford, Gerhard Casper, is a recognized constitutional scholar from
> Germany. The Stanford Provost, Condoleezza Rice, was one of the two or
> three people most responsible for the Bush Administration's policy
> towards German Unification. Dozens of Stanford students have studied in
> Berlin.

One mirror site may have had a limited effect, but more mirror sites have a more significant effect. The press likes a local angle, and local mirrors are giving them just that.

I put a reporter from the Boston Globe in touch with the UMass mirror operator, and a reporter from the Philadelphia Inquirer in touch with the University of Pennsylvania mirror operator. I'd love to see mirrors in every major city for greater coverage in every major paper. If you don't understand that concept, you don't understand the way the media works.

> Had they blocked stanford.edu, or had they gotten through to Stanford and
> somehow gotten Stanford to force me to take down the pages, then we would
> have set up more mirrors.
> I would have started, and maybe stopped,
> by setting up mirrors on c2.org and netcom.com. Graduated response.

As I've told you in email, I disagree. This is the first time a Western government has tried to do something like this, and a strong (not a mild or "graduated") response is necessary.

If there were just one mirror, I can see the German prosecutors cutting off access to that one too. Sure, we can put up more and more, but if the German government starts along the path of blocking sites one-by-one, it may be difficult for them to back down, and we're faced with a pitched battle. That's why a strong initial showing is necessary, to demonstrate to them the futility of censoring the Internet.

So Rich, answer me this: "What articulable and demonstrable harm have additional mirror sites done, besides hurt your ego?"

> This is ludicrous. I expect better from you.

I'm a big fan of Tim's, and I think that while he may have been jesting, his comments have a serious undertone. I don't really expect to be locked up for the rest of my life in a German cellblock, but harassment at entry/exit points is possible. Perhaps probable, given that other "distributors" of Neo-Nazi spew have experienced just that.

> Ernst Zundel is a lying Nazi asshole who wants you to believe that there
> is a Global Jewish Conspiracy to censor him. Fuck him.

Yep, exactly. The more you know about Mr. "UFOs in Antarctica," the better you can do the job.

> Declan, if you don't fix up your page the way I want it by morning (please
> note that you have three more hours of morning than I do), I will post a
> modified (spell-checked) version of this note on my Web page, to
> alt.censorship, and to your "fight-censorship" mailing list.

Please send me in private email (or post it here if you really want) exactly what you want me to change.

Rich, by now I suspect you've seen this joke, but what the hell:

Q: What's a left-wing firing squad?
A: Everyone stands in a circle and shoots at each other

-Declan

From weidai at eskimo.com Thu Feb 1 06:02:32 1996
From: weidai at eskimo.com (Wei Dai)
Date: Thu, 1 Feb 1996 22:02:32 +0800
Subject: Revisitting Blum-Macali "digital signatures"
In-Reply-To: <199601291842.NAA27974@metlab1.my.mtu.edu>
Message-ID:

On Mon, 29 Jan 1996, Paul E. Campbell wrote:

> There was some discussion on Usenet a while back about doing "digital
> signatures" with the Blum-Micali public key method.
>
> Briefly, Blum-Micali relies on the BBS generator to generate a "one-time pad".
> And the pad can be reversed by taking repeated square roots on the random
> number seed (assuming you know the factorization) to get back to the starting
> seed.
>
> So, the author suggested that one calculate a digest of the message, call it
> D.
>
> Then the author suggested that one calculate D^(1/2), as per the Blum-Micali
> method.
>
> Then he goes on to do the signature check by checking whether or not
>
> D^2 == X^4
>
> where X is the "signature".
>
> I understand that there is some sign ambiguity involved in calculating square
> roots mod B where B is a Blum integer (that causes 4 possible roots). And
> that's the source of ambiguity problems in Rabin digital signatures, but if
> the Blum-Micali public key method works, then this sign ambiguity shouldn't
> exist (because they define a SPECIFIC root to use), and the method can be
> simplified to simply calculating D^(1/2) and the check is simply D==X^2.
>
> What am I missing here?

Let me see if I understand you correctly. The scheme you describe says to calculate X=(D^2)^(1/4) as the signature and check D^2==X^4 for verification. You are wondering why you can't just calculate Y=D^(1/2) as the signature and check D==Y^2 for verification.

The problem here is that some D's don't have square roots. For a Blum integer n, only 1/4 of the numbers between 1 and n-1 have square roots mod n (they are called quadratic residues mod n).
For a D that is a quadratic residue, the X and Y above are equal. But for a D that is not a quadratic residue, Y can't be calculated. X can still be calculated in this case, but X^2 != D.

Wei Dai

From ponder at mail.irm.state.fl.us Thu Feb 1 06:04:30 1996
From: ponder at mail.irm.state.fl.us (pj ponder)
Date: Thu, 1 Feb 1996 22:04:30 +0800
Subject: Visa & MC Std
Message-ID: <199602011325.AA30614@mail.irm.state.fl.us>

just heard this on NPR Friday am on the east coast of NA.

http://www.nytimes.com/library/cyber/week/0201internet-safety.html

February 1, 1996

Group to Unveil Industry Standard for Electronic Payments

----------------------------------------------------------------------
Forum
Join a discussion on Computers and Society: On-Line Economics.
----------------------------------------------------------------------

By JOHN MARKOFF

SAN FRANCISCO -- Hoping to remove a major impediment to credit card transactions over the Internet, a business group led by Mastercard International and Visa International plans to announce an industry-standard technology Thursday for protecting the security of electronic payments.

The new technical standard brings together previously warring camps -- one led by the giant Microsoft Corp., the other by an Internet software upstart, Netscape Communications Corp.

The standard, which industry executives expect to go into commercial use before the end of the year, is intended to give merchants of goods and services in cyberspace the convenience of a single, universally employed means for protecting the privacy of on-line credit card transactions.

And for customers, the new technology promises a much higher level of security for electronic purchases than has previously been available on the Internet.
The new approach "is more secure than the system in use in the physical world in which you give your card to a waiter in the restaurant," said Mark Greene, vice president for electronic payments for the Internet division of IBM, which is one of the companies endorsing the new standard.

To the extent that the end of this technology face-off gives a lift to electronic commerce, Netscape can only benefit, since it is the provider of the leading software used for "browsing" the Internet's World Wide Web and for conducting on-line transactions on the Web.

Netscape is already on a financial roll, announcing fourth-quarter revenue Wednesday that was nearly double the level of the previous quarter and profits that exceeded analysts' expectations.

"This will make it a lot easier for consumers to buy and sell things electronically," said Taher Elgamal, chief scientist of Netscape. "We won't have to face the issue of competing standards."

Netscape will be working to incorporate the new technology into its Navigator Web-browsing software. Microsoft, in turn, will be adding the technology to its Explorer software, which competes with Netscape's Web browser.

The software standard, called Secure Electronic Transactions, or SET, will permit a user to send a credit card account number to a merchant in a scrambled form. The scrambled number is supposed to be unintelligible to electronic eavesdroppers and thieves -- and even to the merchants receiving the payment.

But a special code is supposed to enable the merchant to check electronically and automatically with the bank that issued the credit card to make sure that it is a valid card number and that the customer is the authorized user of the card.

The number-scrambling part of the system is based on a well-known and widely used national software standard known as the Data Encryption Standard.
Besides being added to Netscape's and Microsoft's Web browser, the SET technology would need to be incorporated into Internet server computers -- the machines that function as storage terminals and gateways that individual users' computers interact with on the global computing network.

Testing of SET will begin this spring, according to Dick Lonergan, executive vice president of Visa, who said that commercial service was expected to begin late this year.

Currently, many powerful types of encryption technology are barred from export because the government fears that foreign enemies or terrorists may be able to conspire electronically.

But the new credit card security standard will not be subject to such strictures, its developers said, because it is designed to protect only financial information -- not electronic messages or other types of computer documents.

In addition to Mastercard, Visa, IBM, Microsoft and Netscape, the other big organizations endorsing the new SET standard include GTE Corp. and Science Applications International Corp., a technology and military consulting business.

Two other backers include Terisa Systems Inc. and Verisign Inc., both Silicon Valley companies that have developed some of the underlying technology for the SET standard.

Last September, Microsoft and Visa together proposed a security standard known as Secure Transaction Technology, which would have competed directly with a system being developed by a group led by Mastercard, IBM and Netscape.

Shortly afterwards, however, Visa and Mastercard -- the two largest credit card associations -- said publicly that they would pursue a single standard to avoid forcing merchants and consumers to choose between competing technologies.

"We took the best of both technologies," said Edward Hogan, senior vice president for electronic commerce at Mastercard International. "There was a blip in the road, but both associations realized that their memberships wanted a single standard."
Home | Sections | Contents | Search | Forums | Help

Copyright 1996 The New York Times Company
----------------------------------------------------------------------

From dm at amsterdam.lcs.mit.edu Thu Feb 1 06:18:44 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Thu, 1 Feb 1996 22:18:44 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: <310E7DAE@hamachi>
Message-ID: <199602010938.EAA20003@amsterdam.lcs.mit.edu>

> Changing the subject doesn't change the point. Your announcement implies
> that users are liable, and that is incorrect. This is misleading, and in
> my view, reprehensible. This was the point of my post. The fact that
> the fraud is traceable when detected should have been self evident.

I think there is an even stronger point to be made. We can be relatively sure that VISA is not going to go out of business any time soon. On the other hand, if an E-mail intercepting virus lost FV tons of money, FV might conceivably go belly up sticking their customers with the bill. With FV, there might indeed be a risk to the user.

David

From dm at amsterdam.lcs.mit.edu Thu Feb 1 06:18:51 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Thu, 1 Feb 1996 22:18:51 +0800
Subject: Domain hijacking, InterNIC loopholes
In-Reply-To: <9601301819.AA00964@toad.com>
Message-ID: <199602010926.EAA19923@amsterdam.lcs.mit.edu>

I don't think Domain hijacking is a terribly big threat. First of all, the modification process isn't fully automated. Second of all, it takes several weeks for the changes to go through. Before the changes go through, the internic sends out mail to a bunch of people, including all previous administrators and administrators of all domains which contain old or new nameservers.

Thus, I'd say the domain modification process is slightly more secure than First Virtual :-) :-) :-).
It relies on the security of the network routers and existing nameservers, and requires one or more active attacks or viruses to defeat. Probably your best bet is to wait for as many as possible of the relevant sysadmins to go on vacation, and then mail-bomb the rest so hard they end up not reading all of their real E-mail. Then again, there's always the possibility that the domain administrator knows how to use procmail...

David

From declan+ at CMU.EDU Thu Feb 1 06:20:04 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 1 Feb 1996 22:20:04 +0800
Subject: Declan appearing on "Europe's Most Wanted"
In-Reply-To:
Message-ID: <0l4AOdC00YUrE1PsVc@andrew.cmu.edu>

Excerpts from internet.cypherpunks: 1-Feb-96 Declan appearing on "Europe.. by Timothy C. May at got.net
> The situation with Declan, Sameer, Duncan, and others, is even less clear.
> Things are moving much faster now that the Net is the means of
> distribution. I was of course half-joking about Declan visiting Europe, but
> surely France could decide to throw the book at him, and any EU country he
> entered (such as Ireland, judging from his name) could hold him at their
> entry point and ship him off to France to "set an example."

Tim, you really know how to scare a fellow with this Subject: line this early in the morning!

My take on the situation, from cyberia and WELL discussions, is that if a book is banned under French law, it may be difficult to sue for copyright violations. (Intuitively, this sorta makes sense. If you are *unable* to sell it, what damages are there?) Also, international law would require that the copyright holder sue in my local U.S. court.

I have not heard from either the publisher or author, even though French ISPs have linked to my page and it's been getting a decent amount of traffic. Interestingly, almost all the comments I've received have been positive -- only two negative responses, including one email bombing attempt.
I would be interested to know what the publisher and author's perspectives are on this. Reports from France indicate that the publisher, Plon, is *not* going to sue the guy who first put it online.

> In Declan's case, I suspect France wants him for the Mitterrand book and
> Germany wants him for the Zundelsite mirrors. The lesser European countries
> will of course follow their leads.

I'm not too worried about France, but I'm having second thoughts about Germany. Let's just say I'm not planning a vacation there anytime soon. :)

> Seriously, Declan, I admire what you've done, but I hope you don't plan to
> leave the U.S. for Europe anytime soon.

Thanks, Tim. I haven't actually spoken to my attorney (the former head of the local ACLU) about this, and perhaps I should have. *sigh* He'll probably yell at me for getting involved in yet another controversy...

-Declan

From jimbell at pacifier.com Thu Feb 1 06:27:27 1996
From: jimbell at pacifier.com (jim bell)
Date: Thu, 1 Feb 1996 22:27:27 +0800
Subject: Time codes for PCs (fromn German Banking)
Message-ID:

At 11:42 PM 1/29/96 +0100, JR at ROCK.CNB.UAM.ES wrote:
>From: SMTP%"jimbell at pacifier.com" 27-JAN-1996 03:43:05.83
>
>>A peripheral I've long wanted to see, commonly available: ACCURATE time,
>>broadcast to the millisecond/microsecond/nanosecond, available from sources
>>as varied as TV VIR's, FM subcarriers, and other sources, available as an
>>easy input (via a peripheral card) to a computer.
>>
> Yup! Do you think it is really possible? If I remember well
>speed of light is 300.000 Km/s. That means that light takes around
>1 ms. to cover 300 Km. If you use a satellite, antenna, whatever
>to broadcast a timing signal, the accuracy will depend on when
>do you receive it, and that in turn on your distance from the
>source.

I am well aware of the facts you indicate, and many more of which you aren't even aware.
But one of the functions (in fact, the basic, intended one) of GPS is to locate, as precisely as possible, the exact location of the receiver. Thus, time delays can be compensated to the accuracy of the location fix, at the very least. If we assume 100 meters error, max, that's about 300 nsec error. (GPS receivers AUTOMATICALLY compensate for such delays!)

>>I have a 12-year-old Heathkit "Most Accurate Clock" that I assembled myself,
>>and had the foresight to install it with its computer interface option.
>>(receives 5, 10, or 15 MHz signals broadcast from Boulder, Colorado,
>>containing "exact" time.)
>>
> Just remember that the best you can get would be microseconds if
>you're in a 300 meter radius, or milliseconds on a 300 Km. And possibly
>nanoseconds at 0.3 m.

Well, this clock doesn't pretend to be better than about 5-10 milliseconds even in signal-locked condition. However, there is a dipswitch on the bottom of the unit, settable in 500 mile increments, from Boulder, Colorado. 500 miles corresponds to 3 milliseconds. Clearly this was a good device when made, but has obviously been supplanted by at least a factor of 1000 by GPS.

> Then remains the cypherpunk part on all this: how can you
>trust the *signal* your receptor receives? How do you know no one is
>interfering it or sending an inaccurate or false one?

Simple answer: You don't.

More complicated answer: Most such devices don't merely input the time signal, but they use an accurate internal clock to maintain good time when signals go away. In fact, the best units "discipline" the local oscillator, either actually changing its frequency or at least following its errors over time. The result is that sudden errors would be noticed. A good TCXO is stable to well better than 1 ppm.

> And that on a broadcast system. A system owned by someone who
>you may not trust (say a private TV channel, radio or satellite).
>So you may want to have several sources, and to be able to verify that
>the signals you receive all come from their respective sources.

Well, since "everybody" in one locale can receive a particular (local) TV channel, one solution might be to compare time with respect to the beginning of a particular scan line.. You may not trust the signal, but you know it's a signal that "everybody" receives. There may be no other provision for adding time to it, but a relatively low accuracy crystal oscillator could identify particular frames, etc.

> Yum! a nice problem to think about. One factor is that you
>wouldn't expect changes in public sources used by sensible systems
>since those could not pass unnoticed and might raise big protests.
>But you still have the MITM attack to consider...

From rich at c2.org Thu Feb 1 06:28:55 1996
From: rich at c2.org (Just Rich)
Date: Thu, 1 Feb 1996 22:28:55 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted"
Message-ID: <199602011002.CAA25917@infinity.c2.org>

-----BEGIN PGP SIGNED MESSAGE-----

OK, I didn't want to sow dissension in the ranks, but this is just too much, and Declan has not given a satisfactory response to direct email.

On Thu, 1 Feb 1996, Timothy C. May wrote:

> At 7:27 AM 2/1/96, sameer wrote:
> >> I guess Declan M. won't be visiting France or any of the other EU
> >> countries any time soon!
> >
> > That reminds me of a question--
> >
> > If, for example, Germany decides that my company is in
> >violation of their laws for mirroring the Zundelsite, will they send
> >us a letter saying that, so we know not to go to Germany?
>
> The Nebraska-based neo-Nazi publisher who was picked up in Denmark and
> extradited to Germany pretty much knew his actions were illegal in Germany,
> but I doubt (sheer speculation on my part) he had ever been formally
> notified that an arrest warrant had been issued by Germany and could be
> exercised in Denmark.
>
> The situation with Declan, Sameer, Duncan, and others, is even less clear.

I disagree. It is clear to me that there is absolutely no cloud hanging over us. If any German court tried to press charges against me for posting Zundel's materials, they'd be laughed across the Argonne. Most mainstream Jewish groups *love* me right now.

I find it curious, and I am beginning to get a little annoyed, that my name is rarely mentioned, though I set up the first mirror, and Declan got the files from me.

I am very annoyed that Declan has not responded to repeated requests to remove the cleartext "Stanford University" from the parts of his Web site that mention me. Of course the stanford.edu, or at least net 36.190, will remain in the URL, but there is no reason that the link text could not say "Rich Graves' mirror."

First Declan sent me mail saying he would respect my wishes, but he didn't. Then a friend of mine reminded Declan of my request, and Declan responded with abuse.

I do not object to the cleartext "Stanford University" because anyone is pressuring me to remove the page. Far from it; almost every personal response has been positive, and the student newspaper, at www-daily.stanford.edu, is going to run a positive story tomorrow or the next day. Rather, I object simply because I do not represent Stanford University, and it is an intellectually dishonest abuse of power to suggest in any way that I do.

Declan wants me to believe that this disclaimer is enough:

"Please note that the existence of a web site at any particular institution does not in any way imply endorsement. Universities and businesses do not take responsibility for what their community members or customers place online."

This is clearly untrue when the person in question is a staff member, as I am.
Were I still a student, then I could more legitimately say that I'm a student at Stanford, and that I have the academic freedom to post whatever I want; but as someone who now merely works for a living at Stanford, I do whatever I want by the (very) good graces of my (very good) employer.

Should we have forced Marianne to state her affiliation for the TV cameras last Saturday?

> Things are moving much faster now that the Net is the means of
> distribution.

Yes, far too fast. Otherwise good people aren't thinking about what they're doing in their glee to "fight censorship."

> I was of course half-joking about Declan visiting Europe, but
> surely France could decide to throw the book at him, and any EU country he
> entered (such as Ireland, judging from his name) could hold him at their
> entry point and ship him off to France to "set an example."

Bullshit.

> I suspect the U.S. never officially notified that Monterrey, Mexico alleged
> drug dealer that he was wanted in the U.S., and as other kidnappings of
> foreigners have shown, the U.S. feels it unnecessary to formally announce
> to foreigners that they may be arrested in the U.S. (or kidnapped into the
> U.S.). Thus, I strongly suspect that France will not bother to notify
> Declan or Sameer or any of us that they face arrest in France (or
> affiliated EU countries).
>
> In Declan's case, I suspect France wants him for the Mitterrand book and

France doesn't want anyone for the Mitterrand book, which was not, in fact, criminally banned. It was censured, not censored, in a civil trial.

Declan is distorting the facts to suit his ego as Mr. Anti-Censorship. I find this breast-beating hype embarrassing and dishonest, and I am seriously beginning to regret giving the Zundel files to Declan. Had I known what he was going to do with them, and how he was going to behave, I would have retained closer control.

One mirror site was enough.
The German providers would not have blocked stanford.edu had it remained the only mirror site. The President of Stanford, Gerhard Casper, is a recognized constitutional scholar from Germany. The Stanford Provost, Condoleezza Rice, was one of the two or three people most responsible for the Bush Administration's policy towards German Unification. Dozens of Stanford students have studied in Berlin.

Had they blocked stanford.edu, or had they gotten through to Stanford and somehow gotten Stanford to force me to take down the pages, then we would have set up more mirrors. I would have started, and maybe stopped, by setting up mirrors on c2.org and netcom.com. Graduated response.

Germany has in fact blocked no sites beyond webcom.com. I have the patience to wait a week for the German political authorities to wake up and smell the bratwurst.

Declan is himself becoming a sort of revisionist, loose with the facts.

> Germany wants him for the Zundelsite mirrors. The lesser European countries
> will of course follow their leads.

This is ludicrous. I expect better from you.

> Seriously, Declan, I admire what you've done, but I hope you don't plan to
> leave the U.S. for Europe anytime soon.

This is paranoid bullshit. Most of the Jewish organizations I have talked to grudgingly applaud the Zundelsite mirrors. Some actively applaud them. The Wiesenthal Center, of course, is "different." They haven't answered email, and I haven't had time to call them.

Censorship is dying, destroyed by truth. Please don't spoil the party with this paranoid bullshit. Ernst Zundel is a lying Nazi asshole who wants you to believe that there is a Global Jewish Conspiracy to censor him. Fuck him.

Declan, if you don't fix up your page the way I want it by morning (please note that you have three more hours of morning than I do), I will post a modified (spell-checked) version of this note on my Web page, to alt.censorship, and to your "fight-censorship" mailing list.
- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRCMdY3DXUbM57SdAQGBVgP8DOOtrKoV5bBDEICmRSlokkn91KnKdXXS
231Qv5mEWrrin9Jf8Zj80Zl/gTX/8J08s40v0vQUHi9G8It1hpzAFKz5k8lFZdTW
dbcSyRMDwXz8pHvNxiGyQShZOIs1m/rnO7Z0iiuA0Y9r1+nBqeu1rQSeIyriBFUw
UfWqjk8iWdk=
=cODd
-----END PGP SIGNATURE-----

From jsw at netscape.com Thu Feb 1 06:30:38 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Thu, 1 Feb 1996 22:30:38 +0800
Subject: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards)
In-Reply-To: <01BAEF34.AA95ECC0@ploshin.tiac.net>
Message-ID: <311088AC.2891@netscape.com>

Nathaniel Borenstein wrote:
> I should also apologize for the fact that I couldn't resist in pointing
> out lots of little problems with your proposed attack, and that I'm
> responding to your plan in the order you described it. This means that
> we don't get to the really major flaw in your strategy towards the end,
> so what comes at first will seem like nitpicking.

No problem. This is how we find flaws and make systems stronger.

> Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
> Jeff Weinstein at netscape. (2739*)
>
> > It would not be much harder than the demonstrated keyboard attack
> > to create a hacked version of winsock that would implement an
> > attack against First Virtual. If the attacker had a list of web
> > pages that accept FV payments it would be very easy to collect
> > the ID numbers.
>
> A list of stores? First of all, this attack is already amazingly
> focused. Our DLL to implement the attack on credit cards is 16K, and
> doesn't need to target any specific buyers, sellers, or programs. The
> more complex the attack & the bigger the software, the more likely it is
> to be noticed. But this is just a minor nit. Read on.

A gigabyte drive has lots of corners to hide stuff. A list of the top 1000 first virtual sites would not be very large.
On a windows system it could be hidden in the c:\windows\system directory, where a 100k file with an unintelligible name would not seem unusual.

> > There is no need to attack the large datastream
> > of keyboard input when the search can be easily narrowed. Since
> > FV doesn't use encryption the attack could easily be implemented
> > in winsock, making it independent of any client software.
>
> What's really funny (to me, at least) here and in a lot of other aspects
> of the cypherpunk reaction to FV is the continuing assumption that the
> choice of FV vs encryption is an either/or thing. Combine FV's Virtual
> PIN mechanism with transport encryption and you've indisputably got
> something that's a LOT safer than just using credit cards with
> encryption, and a bit safer than our current system, too. But I know,
> the correct focus here is FV's current system. So read on.
>
> At this point in your attack, you skip a step: You don't explain how
> you correlate the FV ID to email address. This means that your attack
> will ONLY work for systems where the user is always using the same PC to
> web browse and read his mail. In practice, even if this is true 99% of
> the time, the remaining 1% would probably cause your attack to be
> detected pretty quickly if deployed on a large, automated scale. But,
> for the sake of argument, let's imagine that it's true 100% of the time.
> Read on.

You would not send the FV ID to the "bad guys" until you saw a complete FV transaction take place. You remember the ID when you see it, but only send it after seeing the e-mail verification message.

> > A version
> > that infected the win95 IP stack could be quite effective. The list
> > of FV accepting sites would be easily obtainable via a query of
> > altavista. Since the infected system is on the internet and has
> > to periodically send its results to the attacker, it could download
> > an updated list of FV pages at the same time.
>
> Seems to me your "not much harder" claim is starting to break down here,
> with an automated virus spreading itself all over the net and
> downloading lists from altavista weekly. And the amount of net traffic
> you're generating may make this attack a lot more quickly detected than
> ours. (In fact, I imagine that if the folks at AltaVista or Lycos noted
> thousands of identical searches focused on merchants accepting First
> Virtual, they'd probably contact us, more out of concern for their own
> load management than anything else.) But still, read on -- we're
> finally coming to the good part.

I guess I didn't explain this well enough. The attacker would do a single altavista query, and then broadcast it via some existing mechanism over the net. Weekly postings to some low volume junk newsgroup would do the trick.

> > Attacking the e-mail verification step of the FV system could also
> > be accomplished via a hacked winsock. A bit of POP3 aware code
> > in the winsock could intercept the verification messages and keep
> > the e-mail client from ever seeing them. It could automatically
> > generate "Yes" responses for all such messages.
>
> OK, so you're only interested in POP3 mail tools? That's wonderful, but
> there's also systems that use IMAP, systems that use raw SMTP to locally
> resident message stores, and many odder things. There's also people who
> get their mail through AOL, Compuserve, Prodigy, etc. There's people
> who live on a PC or Mac, but who read mail on a UNIX system (e.g. many
> Delphi and Netcom users).

So I only get half or a third of the millions of people conducting commerce over the internet. If this stuff ever really takes off that will be plenty.

> You're not going to catch all of them. Moreover, even if you say
> "that's fine, we only need some of them", your attack is now dead in the
> water. Why? Because you have no way of telling, in your attack virus,
> what kind of technology is going to be used to read mail.
> This means that your attack will inevitably, and quickly, hit some
> people who DO
> receive the mail. Our fraud department will be quickly notified (when
> the user answers "fraud" to our query, a human sees it right away) and
> we'll be off to the races, collecting clues. It will be work tracking
> it down, but we'll have a good shot in identifying the attack and
> producing a program that helps users spot it on their system (the moral
> equivalent of an anti-viral program) in less time than it would take you
> to even suspect that the attack FV outlined had taken place in the world
> of software-encrypted credit cards.

It should be quite easy to determine what protocol a user uses to read their mail from within winsock. If we want to limit it to pop3 users, we could just keep track of connections to port 110. As noted before, if they don't use pop we don't target them.

> Your attack would be caught by us relatively quickly because our model
> is based not on a single fail-safe piece of security software, but on
> *process* security. The overall process is multifaceted, with many
> checks and balances. What if, for example, I go to someone else's
> machine and use their web browser to buy something using MY First
> Virtual ID? Your attack will capture my ID and allow you to try to use
> it, but the email confirmation will go elsewhere, quite possibly to an
> uninfected machine. When reproduced on a mass scale, this kind of thing
> will be noticed pretty fast. In contrast, credit cards are a one-way
> payment mechanism -- the number (and sometimes some other info typed in
> close proximity) is basically all you need. Just steal that without
> getting noticed and the crime is done.

With the explosive growth of internet connected PCs, I think that the number of people who "surf" and read e-mail on different machines is dwindling rapidly. I am happy to skip those old guard of the internet and concentrate on the newbies who only have one computer and one account.
> > I believe that FV is just as vulnerable to these types of
> > attacks as any of the encryption based credit card schemes, if
> > not more so. The thing that really protects FV is that it can
> > only be used to buy bits, not real goods, and the bad guys don't
> > generally care about stealing bits. This is also what makes FV
> > not generally useful to people who want to shop over the internet.
>
> Actually, you're a bit behind the times. We removed that restriction
> from our system a couple of months ago. There still aren't many people
> using our system for physical goods, mostly because of our 91-day fund
> holding period, but we have gotten the green light from our financial
> partners to waive that for qualified, established merchants, once we
> make a few technical changes behind the scenes.
>
> The fact is that our original restriction against physical goods was
> never designed to protect against fraud. Rather, it was a conscious
> attempt to do two things: 1) bound the risk our bank perceived in being
> the first bank ever to explicitly agree to handle an Internet-based
> payment system (this was mid-1994, remember), and 2) to focus the
> attention of our prospective users on the situations that were in fact
> reasonably well-suited to an economic model in which consumers had the
> explicit option of refusing payment. Some of our sellers very quickly
> realized that no matter what we said, it was straightforward to use our
> system for physical goods, shipping them only after the consumer said
> "yes", and we eventually changed our terms and conditions to reflect
> that reality. The 91 day hold, on the other hand, WAS designed to
> protect against fraud -- from the *merchant* side, which is why we have
> no qualms about waiving it for qualified merchants.

Well this means that an attack against First Virtual would be more interesting.

> Now, actually, I want to commend you.
> This is as close as I've ever
> seen anyone come to constructing a plausible automated attack on FV.
> The IP stack is a very clever attack vector, and I honestly can't claim
> to have anticipated it. However, I do think that the flaw in your
> approach reinforces my belief in the importance of multi-layered
> defenses. In fact, a multi-layered security strategy is the ONLY
> defense against vulnerabilities you haven't thought of yet. That's the
> real reason why ANY scheme based on one-way instruments like credit card
> numbers is particularly hard to make secure. -- Nathaniel

I still think that someone could construct an attack against the current FV system using the techniques I've described. It would be more complicated to construct than the keyboard attack but that has been proven time and again not to be a barrier. Someone who could construct the Morris worm or the year ago IP spoofing attacks could do it.

I think that you may have to rethink some of your assumptions that were valid back when you designed the system, but are no longer given the current growth and changing demographics of the internet.

I'd really like to see some effort spent on closing some of the more gaping holes in the underlying systems. Why should it be so easy for one program to snoop on the keystrokes directed to another? Why should it be so easy for a program downloaded from the net to patch a part of the operating system?

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From jsw at netscape.com Thu Feb 1 06:36:17 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Thu, 1 Feb 1996 22:36:17 +0800
Subject: C'mon, How Hard is it to Write a Virus or Trojan Horse?
 (was Re: Apology and clarification)
In-Reply-To: <310E0EBE.30FD3BCC@netscape.com>
Message-ID: <31108BA5.30BB@netscape.com>

Nathaniel Borenstein wrote:
>
> Excerpts from mail.cypherpunks: 30-Jan-96 Re: Apology and clarification
> Jamie Zawinski at netscape. (4170*)
>
> > Nathaniel Borenstein wrote:
> > >
> > > What we at FV have done is to demonstrate how easy it is to develop a
> > > FULLY AUTOMATED attack that undermines the security of all
> > > software-based credit card commerce schemes.
>
> > You have done no such thing. You have written *one component* of that
> > attack, and the easiest part of it at that.
>
> > Combine it with a virus, or self-replicating worm, and demonstrate that
> > it is immune to all known virus checkers, and *then* you will have
> > spoken the truth when you say you have "demonstrated" anything.
>
> This is a particularly fascinating reaction, Jamie. As I see it, we
> have implemented every part of the attack that we can implement without
> doing anything that is either unethical or illegal. Is it your position
> that no systematic flaw in your security is real until someone has
> actually broken it?
>
> Actually, that position would in fact be quite consistent with your
> company's earlier implicit assertion that 40-bit encryption was
> sufficient (for international consumers) until somebody actually broke
> it, even though everyone who understood cryptography already knew
> otherwise.

Actually that position would in fact be quite inconsistent with our more recent actions. For example we have implemented blinding code to protect against Paul Kocher's timing attack, even though it has not been demonstrated against any real world system.

I think that you are misinterpreting the intent of Jamie's posting, but I will let him defend himself. I just wanted to say that the company takes security problems very seriously, even if there has not been an active exploit.
--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From rishab at best.com Thu Feb 1 07:03:45 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Thu, 1 Feb 1996 23:03:45 +0800
Subject: Declan appearing on "Europe's Most Wanted"
In-Reply-To:
Message-ID: <199602011430.GAA11531@shellx.best.com>

> Seriously, Declan, I admire what you've done, but I hope you don't plan to
> leave the U.S. for Europe anytime soon.
>
> --Tim

I guess this sort of thing does involve extradition rules. For example, Sweden has a Nazi party, which would offend Germans, who can, I'm sure, see them on TV leave alone on the Net. Sweden's Information (or something) Ministry has said that by law anyone can start a party, but if the Nazis do something illegal (such as killing people, or threatening them) the courts will handle it. And Norway is not even _in_ the EU.

Rishab

From olbon at dynetics.com Thu Feb 1 07:12:51 1996
From: olbon at dynetics.com (Clay Olbon II)
Date: Thu, 1 Feb 1996 23:12:51 +0800
Subject: Visa & MC Std
Message-ID:

At 8:25 AM 2/1/96, pj ponder wrote (much elided):
>SAN FRANCISCO -- Hoping to remove a major impediment to credit card
>transactions over the Internet, a business group led by Mastercard
>International
>and Visa International plans to announce an industry-standard technology
>Thursday for protecting the security of electronic payments.
...
>
>The software standard, called Secure Electronic Transactions, or SET,
>will permit a user to send a credit card account numbers to a merchant
>in a scrambled
>form.
>
>The scrambled number is supposed to be unintelligible to electronic
>eavesdroppers and thieves -- and even to the merchants receiving the
>payment.
>
>But a special code is supposed to enable the merchant to check
>electronically and automatically with the bank that issued the credit
>card to make sure that it is a
>valid card number and that the customer is the authorized user of the
>card. The number-scrambling part of the system is based on a well-known
>and widely used
>national software standard known as the Data Encryption Standard.
----------------

A few pseudorandom points regarding this post:

First, it seems silly to implement a separate standard that only works for the credit card number. What about the privacy of the rest of the info (what I am ordering, how much, etc.). Can (or will) this be layered with Netscape's SSL?

How is this to be implemented? It sounds like the merchants will just pass the encrypted number to the credit card company. If this is the case, key management could become an issue. I suppose this could easily be implemented using public key crypto, but only DES was mentioned. If only DES is used and everyone uses the same DES key, that would be a valuable key to break!

How about a MITM attack. Get the encrypted credit card #, and change the purchase amount, delivery info, etc if that is not encrypted.

If there is anyone on the list with more info on this, I would love to hear it (hopefully we will hear something from Netscape, since they are quoted in the article). From what I know so far, it seems like a poor compromise.

---------------------------------------------------------------------------
Clay Olbon II | olbon at dynetics.com
Systems Engineer | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy | PGP262 public key: finger olbon at mgr.dynetics.com
Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0
"To escape the evil curse, you must quote a bible verse; thou shalt not ...
Doooh" - Homer (Simpson, not the other one)
---------------------------------------------------------------------------

From frissell at panix.com Thu Feb 1 07:16:34 1996
From: frissell at panix.com (Duncan Frissell)
Date: Thu, 1 Feb 1996 23:16:34 +0800
Subject: Let a Thousand Zundsites Bloom
Message-ID: <2.2.32.19960201142442.006ee22c@panix.com>

I'm sure that Rich vs Declan is exciting but I have to agree with Declan that the more Zundsites the merrier.

It rarely pays to be subtle with nation states. They don't have good information processing capabilities. It helps to really hit them over the head with things.

It also means more to the public if you can say "Sure the Germans banned this site but we put up a dozen copies within a few hours." It is this casual ability to defeat nation states that is the significance of the net and should be emphasized.

DCF

"Few Generals have ever lost a battle because they brought too many troops."

From declan+ at CMU.EDU Thu Feb 1 07:18:57 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Thu, 1 Feb 1996 23:18:57 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most
In-Reply-To:
Message-ID:

Forwarded from another mailing list. (Charles is a journalist/author...)

---------- Forwarded message begins here ----------

Date: Thu, 1 Feb 1996 09:11:19 -0500 (EST)
From: Charles Platt
Subject: Out of Control

Rich Graves' suggestion that Declan is "out of control" is interesting. Perhaps Rich merely meant that Declan made a mistake but the subtext suggests that Declan should be in some sense marching in step, following a consensus, obeying a policy. I don't like the smell of this.

In my experience, having read MUCH literature from revisionists and from organizations such as Wiesenthal and ADL, it is IMPOSSIBLE for anyone to adopt an independent or middle path without raising the wrath of those on both sides of Jewish issues.
I also suggest that public statements, especially from ADL/Wiesenthal, cannot be taken at face value. For instance:

> * The ADL is tracking racist sites, but the goal is to expose them and
> educate the public.

Anyone who believes that this is the totality of ADL activities and intentions is simply unaware of the history of the ADL. I have personally witnessed an ADL representative trying to recruit hackers to paralyze a BBS where white-supremacist materials were stored. And this I think is just the tip of the iceberg.

From nobody at REPLAY.COM Thu Feb 1 07:49:20 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Thu, 1 Feb 1996 23:49:20 +0800
Subject:
Message-ID: <199601311713.MAA12059@bb.hks.net>

-----BEGIN PGP SIGNED MESSAGE-----

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMQ+jNCoZzwIn1bdtAQEgAwF+LRiwIlumqj6P2/pft8804Cbbttz3R7yL
Pwd44+uUTk1SxJZePCt7O1jReYfDohTB
=Ii6p
-----END PGP SIGNATURE-----

From rishab at best.com Thu Feb 1 08:01:19 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Fri, 2 Feb 1996 00:01:19 +0800
Subject: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards)
In-Reply-To: <311088AC.2891@netscape.com>
Message-ID: <199602011518.HAA22905@shellx.best.com>

Jeff Weinstein wrote:
> I think that you may have to rethink some of your assumptions that
> were valid back when you designed the system, but are no longer given
> the current growth and changing demographics of the internet.

This is all getting unnecessarily complicated. As I pointed out in another post ("FV's blatant double standards") NO SYSTEM FOR SECURITY IS SAFE when one allows for recipient compromise, i.e. privileged access to a recipient's system by a malicious program.
> I'd really like to see some effort spent on closing some of the more > gaping holes in the underlying systems. Why should it be so easy > for one program to snoop on the keystrokes directed to another? Easy or difficult is not the point. In DOS it's possible for any program, in Unix only for those with root access. Security fails when it is not possible to make a distinction between a program that _should_ have access and one that _shouldn't_. Anyone who's tried to teach novice DOS users what to do when one of those anti-virus TSR tools complains that something is doing something it shouldn't will know how hard it is for _users_ to guard themselves. > Why should it be so easy for a program downloaded from the net > to patch a part of the operating system? I would think that most viruses are transmitted by floppy disk, even now, or by programs _intentionally_ downloaded and _intended_ to patch the OS (such as a screen blanker). The possibility of mass net-based creepy-crawlies has been remote due to the uniquely multi-platform nature of Internet protocols; they're Unix-based, but end-users have PCs. Only metaplatforms such as Java, perlCCI, Telescript could change this. Rishab ---------------------------------------------------------------------- The Indian Techonomist - newsletter on India's information industry http://dxm.org/techonomist/ rishab at dxm.org Editor and publisher: Rishab Aiyer Ghosh rishab at arbornet.org Vox +91 11 6853410; 3760335; H 34 C Saket, New Delhi 110017, INDIA From nsb at nsb.fv.com Thu Feb 1 08:12:57 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Fri, 2 Feb 1996 00:12:57 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. zinc at zifi.genetics.utah. (3361*) > this program is not specific to credit card numbers.
it sounds like > it could have just as easily been written to watch for a login: or > password: prompt and then record everything entered after that. Yeah, but the real payoff is in the automated theft of items of value, such as credit cards. Since that's the real payoff for criminals, it's also one of the biggest practical risks to watch for. > the point is not that this can be done, the point is that users need > tools that would check for programs like this running on their > system. is fv making a 'fix' available? i would imagine a 'fix' > would be a program that would look for tsr type programs (or inits on > a mac) that do this sort of thing. That's why we've used terms like "fatal flaw" that have led to charges of overinflated rhetoric, but the truth is that THERE IS NO GENERAL WAY TO PREVENT THIS. Our program only uses standard OS hooks. There's no way to distinguish a general program of this type from a legitimate screen saver, keyboard macro package, etc. We could easily write a program that detects our demonstration program, but what good would that do? It wouldn't detect a malicious program using a similar approach. You can detect the last known attack, but not the next attack. That's why we say it is a fatal flaw for software-encrypted credit card numbers. I believe it truly is. > this is the sort of thing that crypto can help with. there should be > a site that PGP signs the programs available from their site. these > signed programs will have been tested on the appropriate system and > verified to be free of small malicious programs such as the one you > describe. alternatively, the author themselves could PGP sign the app > (this is already done) and this would be what users should d/l. Do you really believe that the average Internet consumer can be trained never to download any software before performing such checks?
Do you really believe that the average Internet consumer can be trained in the proper management of his crypto keys that will make such a check meaningful? With nearly 100,000 paying customers, we're seeing first-hand what the average Internet consumer is like. We have seen customers who complain (seriously!) that they get so lost in our web pages that they have to reboot their machines. You want to explain key management to these people? > it's disappointing to see the spin put on this by fv. instead of > going with scare tactics, they could encourage PGP signatures and suggest > solutions to this problem like the ones i mentioned above. in fact, > fv could even volunteer to help set up a site where all software has > been tested and signed by someone who has had their PGP key signed by > fv, sort of an expansion of the web of trust. I'm very big on PGP signatures. In fact, the next major change scheduled in our commerce system functionality will be the addition of PGP signatures to the messages that FV sends to its merchants, which are A) the ones most worth forging, B) sent to merchants, who are more likely to be able to check them properly than consumers, and C) dependent on the integrity of only one party's keys (FV's), which will be changed VERY frequently. I don't think that a software repository site of the kind you mention will provide enough security to make credit cards on the desktop safe. It will certainly, however, make the people who use it safer than they would be without it. Having said that, I will add that we'd *love* to help set up a site like that, but we don't have deep pockets to simply fund it ourselves (yet). We'd be very interested in working with others, signing keys, providing some expertise, and so on. What you're really talking about here is an "underwriters lab" of the net. The big question is: who will pay for it? My guess is that you really have to end up having people subscribe to the site, and they'll need a safe way to pay for it.
That's what we've been working on all along. -- Nathaniel From sai at comp.vuw.ac.nz Thu Feb 1 08:16:41 1996 From: sai at comp.vuw.ac.nz (Simon McAuliffe) Date: Fri, 2 Feb 1996 00:16:41 +0800 Subject: Apology and clarification Message-ID: <199601302254.LAA00347@caesar.sans.vuw.ac.nz> For those that are sick of this thread (as I am), I apologize in advance for throwing another log on the fire. I just can't help trying to get through... Nathaniel Borenstein writes: > First of all, I believe that I owe the cypherpunk community an > apology for an error in judgement on my part. The message that I [...] > Our approach combines the following four known problems into a > fatal attack: > > 1) Consumer machines are insecure and easily compromised. > 2) Keyboard sniffers are easy to write. > 3) Credit card numbers are self-identifying (they have check digits) > and can easily be extracted from a huge stream of input data. > 4) Once intercepted, small amounts of information (e.g. a cc #) > may be distributed completely tracelessly over the Internet. > > When you put all four of these together, you have an attack that > IS new, in the sense that nobody we know of has ever mentioned it > before, and which could in fact be used by a single criminal, with > only a few weeks of programming, to tracelessly steal MILLIONS of > credit cards, if software-encrypted credit-card schemes ever caught > on. You're right, the four problems you mention are known and have been for a long time, and have also been used in attacks. What you don't seem to understand is that the overall attack from the combination of these isn't new either. In many ways a credit card number, name and expiry date form a password. It's a password that the bank accepts to allow money transfers in much the same way as a computer accepts a password to allow information transfers. 
On this very list (amongst other places), there has been discussion of trojans and viruses for grabbing passwords, and of methods of determining what is a password and what isn't a password. In the same way you can decide if a number is a credit card number, there are heuristics you can use to determine if a user is entering a password, though often it may require more than just monitoring keystrokes. To collect expiry dates and names for credit cards, monitoring additional side information may also be useful. So I see no fundamental difference between the two, credit card numbers _are_ passwords. I myself have used precisely this technique many years ago, as I'm sure many others here have, to demonstrate security problems. The only difference is the heuristic for determining what constitutes a password in the domain you're snooping. What's more, the methods in existence before your post can be and have been built in viruses which are considerably more prolific than a trojan. Not only is your attack not new, it is less powerful than some similar attacks that predated yours. Implying credit card numbers are more valuable than passwords is dubious. There are organisations that could lose millions of dollars if their password security was compromised, but it's hard to say the same for credit cards. In this country, although I don't know about yours, I'm not even liable if somebody steals my credit card and uses it. I would consider a "credit card password" as a lesser commodity than a password for giving access to an entire computer system. [...] > So here's the factual claim, to be proven or disproven: One good > programmer, in less than a month, can write a program that will > spread itself around the net, collect an unlimited number of credit > card numbers, and get them back to the program's author by > non-traceable mechanisms. Does anyone on this list doubt that > this is true?
If so, I'd like to know the flaw in my thinking, -- > I am *not* too proud to withdraw any claims that aren't true. If > not, I think it's worth noting that this fact was previously > completely unknown to the bankers and businessmen who are putting > large sums of money at risk on the net. The only way to get the > message to those communities is with a very visible public > announcement of the kind you saw yesterday. Of course this is a threat, I don't think _anybody_ will deny that, but this is not a new threat. True, the attack may not have been known to businesspeople and bankers, but there are many other areas of security they also know nothing about. Trying to claim an old invention as your own just looks like hype, PR and lies, not to mention showing a lack of knowledge which could do the reverse from what you set out to achieve. It is certainly a Good Thing for the public to know about the potential for various types of snooping, but surely it could be done in some way which doesn't make it look like you invented it. I don't think anybody here objects to the attack itself, but rather the claims you made about it and the way you communicated it. --- E-mail: sai at comp.vuw.ac.nz/sai at kauri.vuw.ac.nz +64 4 233 9427 PGP Fingerprint: 65 5B B4 6C CB 6A 65 F1 01 91 B9 FE 34 23 99 D3 PGP Key by mail, finger or from http://www.vuw.ac.nz/~sai/pgp-key.html From alanh at infi.net Thu Feb 1 08:20:49 1996 From: alanh at infi.net (Alan Horowitz) Date: Fri, 2 Feb 1996 00:20:49 +0800 Subject: Escrowing Viewing and Reading Habits with the Governmen In-Reply-To: <01I0OF2L9QGAA0UO1J@mbcl.rutgers.edu> Message-ID: > from a library's user. Thus, when I made one and got it back from the CIA's > lending library (yes, they have one), they didn't know who I was... > fortunately, given the book in question.
"Petty Officer Smith, route this CP intercept over to Langley Internal Security" From sameer at c2.org Thu Feb 1 08:22:56 1996 From: sameer at c2.org (sameer) Date: Fri, 2 Feb 1996 00:22:56 +0800 Subject: France to push for international net legislation In-Reply-To: Message-ID: <199602010728.XAA09493@infinity.c2.org> > I guess Declan M. won't be visting France or any of the other EU countries > any time soon! That reminds me of a question-- If, for example, Germany decides that my company is in violation of their laws for mirroring the Zundelsite, will they send us a letter saying that, so we know not to go to Germany? -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From mixmaster at alpha.c2.org Thu Feb 1 08:24:37 1996 From: mixmaster at alpha.c2.org (Anonymous) Date: Fri, 2 Feb 1996 00:24:37 +0800 Subject: NoneUnix swapfile security issues... Message-ID: <199602010730.XAA09785@infinity.c2.org> I'm working on a unix application where I want to store a key in memory and don't want it to get written out to a swap file. If the key is in any of the application's memory pages, it could be swapped out at any time, and potentially left in the swap file when the computer is turned off. But, what if the program creates a pipe() and writes the key into it, then reads the key out when necessary? A pipe has a 4K buffer, but that buffer is in the kernel's memory, not in the application's pages. Could a kernel buffer get written out to a swapfile? From tcmay at got.net Thu Feb 1 08:25:18 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 2 Feb 1996 00:25:18 +0800 Subject: Declan appearing on "Europe's Most Wanted" Message-ID: At 7:27 AM 2/1/96, sameer wrote: >> I guess Declan M. won't be visting France or any of the other EU countries >> any time soon! 
> > That reminds me of a question-- > > If, for example, Germany decides that my company is in >violation of their laws for mirroring the Zundelsite, will they send >us a letter saying that, so we know not to go to Germany? The Nebraska-based neo-Nazi publisher who was picked up in Denmark and extradited to Germany pretty much knew his actions were illegal in Germany, but I doubt (sheer speculation on my part) he had ever been formally notified that an arrest warrant had been issued by Germany and could be exercised in Denmark. The situation with Declan, Sameer, Duncan, and others, is even less clear. Things are moving much faster now that the Net is the means of distribution. I was of course half-joking about Declan visiting Europe, but surely France could decide to throw the book at him, and any EU country he entered (such as Ireland, judging from his name) could hold him at their entry point and ship him off to France to "set an example." I suspect the U.S. never officially notified that Monterrey, Mexico alleged drug dealer that he was wanted in the U.S., and as other kidnappings of foreigners have shown, the U.S. feels it unnecessary to formally announce to foreigners that they may be arrested in the U.S. (or kidnapped into the U.S.). Thus, I strongly suspect that France will not bother to notify Declan or Sameer or any of us that they face arrest in France (or affiliated EU countries). In Declan's case, I suspect France wants him for the Mitterand book and Germany wants him for the Zundelsite mirrors. The lesser European countries will of course follow their leads. Seriously, Declan, I admire what you've done, but I hope you don't plan to leave the U.S. for Europe anytime soon. --Tim Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From pjp at wane-leon-mail.scri.fsu.edu Thu Feb 1 08:55:25 1996 From: pjp at wane-leon-mail.scri.fsu.edu (PJ Ponder) Date: Fri, 2 Feb 1996 00:55:25 +0800 Subject: Visa and MC announce Thursday Message-ID: sorry about screwing up the day of the week, today is really *Thursday*, not Friday. . . . first post of the day, & so forth. My earlier message: From: ponder at mail.irm.state.fl.us (pj ponder) To: cypherpunks at toad.com Subject: Visa & MC Std Sender: owner-cypherpunks at toad.com just heard this on NPR Friday ^^^^^^ am on the east coast of NA. http://www.nytimes.com/library/cyber/week/0201internet-safety.html February 1, 1996 Group to Unveil Industry Standard for Electronic Payments p.s. went right out and bought the NY Times and the WSJ, but they didn't have any more info than what is on the nytimes.com server. [return to signal mode] From hauke at supra.kodak.com Thu Feb 1 09:00:03 1996 From: hauke at supra.kodak.com (Ron Hauke x75966 ins 114225) Date: Fri, 2 Feb 1996 01:00:03 +0800 Subject: No Subject Message-ID: <9602011608.AA00654@supra.Kodak.COM> unscribe cypherpunks at toad.com From tallpaul at pipeline.com Thu Feb 1 09:01:52 1996 From: tallpaul at pipeline.com (tallpaul) Date: Fri, 2 Feb 1996 01:01:52 +0800 Subject: The FV Problem = A Press Problem Message-ID: <199602011625.LAA17577@pipe8.nyc.pipeline.com> At 6:42 PM 1/30/96, Jonathan Rochkind wrote: >I'd say _all_ news, not just software news, is P.R. controlled, these days. >You can largely hold Edward L. Bernays, the "father of public relations" >(who just died last year) responsible for that--or the societal conditions >that allowed Bernays to do his thing. 
Bernays developed expertise in >"engineering of consent" turned the news into a commercialized and On January 13, 1996 I had the lead article in _Computer underground Digest_ (Volume 8, Issue 04) on the CyberAngels and how they were patrolling cyberspace against the Four Horsemen types. Rockland is certainly welcome to tell the cypherpunks list the press release(s) from which I wrote this "public relations." cc Tim May, CAF founder, chief technical officer, and media relations specialist From jirib at sweeney.cs.monash.edu.au Thu Feb 1 09:16:30 1996 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Fri, 2 Feb 1996 01:16:30 +0800 Subject: Lotus, NSA sing in same key In-Reply-To: <2.2.32.19960123150421.0067c0c0@arn.net> Message-ID: <199601300655.RAA08590@sweeney.cs.monash.edu.au> Hello cypherpunks at toad.com and "David K. Merriman" DKM wrote [reformatted]: > Article of that title in Jan 22 issue of EE Times: ... > the encrypted data. Foreign hackers will find the encrypted messages as > difficult to decrypt as a message with a 64-bit RSA key, ... ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^ Wow! Jiri -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) From ses at tipper.oit.unc.edu Thu Feb 1 09:16:43 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 2 Feb 1996 01:16:43 +0800 Subject: short FV question Message-ID: When my CTS plays up like it has this past week, I use a Dragon dictate Voice Recognition system. Since I'm not actually touching a keyboard, does this make me secure?
Simon ---- RSA - The Canadian For Butt From nsb at nsb.fv.com Thu Feb 1 09:27:24 1996 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Fri, 2 Feb 1996 01:27:24 +0800 Subject: I hate over-hyped claims Message-ID: Perception in some quarters to the contrary, I am very averse to over-hyped claims, and I would therefore like to publicly acknowledge a factual error in my previous announcement. I wrote: > The only known Internet-based solution that does not require such > hardware is the First Virtual Internet Payment system, details of which > are available at http://www.fv.com. This is not quite true, and I should have known better, but I forgot about the one other example I'd heard of. I should have said: > The only known Internet-based solutions that do not require such > hardware are the First Virtual Internet Payment system, details of which > are available at http://www.fv.com, and the GC Tech system, described at > http://www.gctec.com/. I apologize to the good folks at GC Tech for this unfortunate mistake. They are our competitors, but that does not mean we intended to make any false or misleading claims about them. I stand by all my other claims. -- Nathaniel -------- Nathaniel Borenstein Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq at nsb.fv.com From jpp at software.net Thu Feb 1 09:39:54 1996 From: jpp at software.net (John Pettitt) Date: Fri, 2 Feb 1996 01:39:54 +0800 Subject: VISA /MC Press release Message-ID: <2.2.32.19960201171228.00ccae34@mail.software.net> 10:20 PR Visa And Mastercard Combine Security Specifications For Card Transactions On The Internet Into One Standard Companies: X.MST X.VSA Move Expected to Accelerate Development of Electronic Commerce and Bolster Consumer Confidence in the Security of Cyberspace Transactions PURCHASE, N.Y. & SAN FRANCISCO, Feb. 
1 /PRNewswire/ -- Addressing consumer concerns about making purchases on the Internet, MasterCard International and Visa International joined together today to announce a technical standard for safeguarding payment card purchases made over open networks such as the Internet. Prior to this effort, Visa and MasterCard were pursuing separate specifications. The new specification, called Secure Electronic Transactions (SET), represents the successful convergence of those individual efforts. A single standard means that consumers and merchants will be able to conduct bankcard transactions in cyberspace as securely and easily as they do in retail stores today. The associations expect to publish SET on their World Wide Web sites in mid-February. Following a comment period, the joint specification is scheduled to be ready for testing in the second quarter of 1996. Visa and MasterCard expect that banks will be able to offer secure bankcard services via the Internet to their cardholders in the fourth quarter 1996. Participants in this effort with MasterCard and Visa are: GTE, IBM, Microsoft, Netscape Communications Corp., SAIC, Terisa Systems and Verisign. Also, SET will be based on specially developed encryption technology from RSA Data Security. "This is the first step in making cyberspace an attractive venture for banks and merchants. A single standard limits unnecessary costs and builds the business case for doing business on the Internet," said Edmund Jensen, president and CEO of Visa International. "Further, our work with MasterCard demonstrates our unwavering commitment to address the needs of our member financial institutions and their merchants and cardholders." H. Eugene Lockhart, CEO of MasterCard, said: "MasterCard has viewed one standard for secure card purchases on the Internet as a critical catalyst for electronic commerce because it bolsters consumer confidence in the security of the electronic marketplace. 
A single standard has always been our objective because it is in the best interests of not only consumers, but also merchants and financial institutions worldwide. We are glad to work with Visa and all of the technology partners to craft SET. This action means that consumers will be able to use their bankcards to conduct transactions in cyberspace as securely and easily as they use cards in retail stores today." The card associations will separately test SET with consumers, merchants and financial institutions. A joint interoperability test will be conducted after the individual tests to ensure SET, where necessary, operates as smoothly as the point-of-sale system used today. Upon conclusion of the tests, an updated version of the specification will be published for software providers. MasterCard's Web address is http://www.mastercard.com. Visa's Web address is http://www.visa.com. MasterCard International Incorporated is a global payments company that provides consumer credit, debit and other payment products in partnership with 22,000 member financial institutions worldwide. MasterCard's family of brands, MasterCard, Maestro and Cirrus, represent approximately 300 million cards in circulation, and over 13 million acceptance locations, including 243,000 MasterCard/Cirrus ATMs worldwide. MasterCard's pioneering work in the areas of transaction processing and delivery systems continues to revolutionize the way consumers pay for goods and services. Headquartered in the San Francisco Bay Area, Visa is the world's largest payment system. It plays a pivotal role in developing and implementing new technologies that benefit its 19,000 member financial institutions and their cardholders, businesses, governments and the global economy. Visa's 442 million cards are accepted by more than 12.2 million merchants worldwide. Visa/PLUS is the largest global ATM network. 
/CONTACT: David Melancon of Visa International, 415-432-2427; or Dorea Smith of MasterCard International, 914-249-1421/ 10:00 EST John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch From frissell at panix.com Thu Feb 1 09:41:31 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 2 Feb 1996 01:41:31 +0800 Subject: Anonymous Interview Message-ID: <2.2.32.19960201170657.006d9ebc@panix.com> "Anonymous" the author(s) of "Primary Colors" (the Clinton Campaign novel) conducted an interview with a Time Magazine writer using his/her/their agent's online account. A demonstration that borrowed accounts can overcome account ID control attempts. DCF From erc at dal1820.computek.net Thu Feb 1 09:57:14 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Fri, 2 Feb 1996 01:57:14 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <310D9904.4487@netscape.com> Message-ID: <199601300416.XAA23931@dal1820.computek.net> > > >It's considerably more than that. Please read on. > > > > No, Nathaniel, it is not. You watch keystrokes and record the ones you're > > interested in. This technique has interesting possibilities, but all your > > PR screaming won't make it anything more than what it is. > > > > How interesting are these possibilities? It's hard to say. > > I'll bet they could get a patent on it... There's probably some > money to be made with that approach. Oh, shit. Don't give them any ideas ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. 
Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes From jwz at netscape.com Thu Feb 1 09:57:27 1996 From: jwz at netscape.com (Jamie Zawinski) Date: Fri, 2 Feb 1996 01:57:27 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: <9601300006.AA15845@sulphur.osf.org> Message-ID: <310D9904.4487@netscape.com> Rich Salz wrote: > > >It's considerably more than that. Please read on. > > No, Nathaniel, it is not. You watch keystrokes and record the ones you're > interested in. This technique has interesting possibilities, but all your > PR screaming won't make it anything more than what it is. > > How interesting are these possibilities? It's hard to say. I'll bet they could get a patent on it... There's probably some money to be made with that approach. == Jamie From futplex at pseudonym.com Thu Feb 1 09:59:49 1996 From: futplex at pseudonym.com (Futplex) Date: Fri, 2 Feb 1996 01:59:49 +0800 Subject: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling) In-Reply-To: <199601300335.WAA20456@dal1820.computek.net> Message-ID: <199601300412.XAA23037@opine.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- (sorry, no discussion of FV or pleasant coffee aromas in this message) Tim Philp writes: > I have been wondering about the possibility of using a JAVA applet to do > keyboard sniffing. As I am not familiar with this language, does anyone > know if this would be possible? If you are running a broken or Trojan interpreter or class loader, then you're probably sunk regardless, because it can execute whatever deleterious code it wishes. (I say "probably" because I suppose you might have some separate watchdog program monitoring the actions of the interpreter. But ultimately that's just part of an infinite regress: the watchdog could also be compromised, etc. ad infinitum.) 
The I/O class libraries don't offer calls anywhere near as deep as the hardware keyboard interrupts. About all you can do is read a byte or a line of input, as in any common programming language, but that's different than surreptitiously reading bits when they are read as input by some other program. I don't see how you could build a keyboard sniffer in Java unless you could somehow trick the interpreter into feeding an input stream to an additional process. Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops up an innocuous dialog box and asks you to enter some sensitive piece of information, then sends it off somewhere. About all it takes to write that is a modicum of skill in user interface design. You could write it in any programming language, but in Java it may be particularly effective, since people may come to expect to be prompted for sensitive info over the net by Java apps. Maybe the Java folks who just left Sun decided to seize the opportunity ;> Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Thu Feb 1 10:01:14 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 2 Feb 1996 02:01:14 +0800 Subject: "German service cuts Net access" (to Santa Cruz) In-Reply-To: <4ejdoq$ppt@jyusenkyou.cs.jhu.edu> Message-ID: arromdee at jyusenkyou.cs.jhu.edu (Ken Arromdee) writes: > >Is it constitutionally protected in US to knowingly hurt other > >people's feelings and to trample on graves????? > > Yes. Free speech for the nonoffensive is not free speech at all.
A couple of years ago I'd probably howl about the hypocrisy of one of Serdar's chief censors daring to utter the words "free speech" in public, but this time I simply laughed for a few minutes. Thanks, Ken. ObCP: I've been encouraging the descendants of Serdar to make use of cpunk remailers. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From erc at dal1820.computek.net Thu Feb 1 10:04:23 1996 From: erc at dal1820.computek.net (Ed Carp, KHIJOL SysAdmin) Date: Fri, 2 Feb 1996 02:04:23 +0800 Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards In-Reply-To: Message-ID: <199601300255.VAA17086@dal1820.computek.net> [general back-patting hysterical text elided] > Our basic approach was to write a computer program that runs undetected > while it monitors your computer system. A sophisticated version of such > a program can intercept and analyze every keystroke, mouse-click, and > even messages sent to your screen, but all we needed was the keystrokes. > Selectively intercepted information can be immediately and secretly > transmitted via Internet protocols, or stored for later use. "Sophisticated"? Any first-year comp sci student could do the same. Hooking into the keyboard interrupt is child's play. Reading the display memory is even easier. Who is this guy trying to bullshit, anyway? > First Virtual's research team has built and demonstrated a particular > implementation of such a program, which only watches for credit card > numbers. Whenever you type a credit card number into your computer -- > even if you are talking to "secure" encryption software -- it captures > your card number. Our program doesn't do anything harmful with your > credit card number, but merely announces that it has captured it. A > malicious program of this type could quietly transmit your credit card > number to criminals without your knowledge.
>
> The underlying problem is that the desktop -- the consumer's computer --
> is not secure. There is no way of ensuring that all software installed

No shit.

> on the consumer's machine can be trusted. Given this fact, it is unwise
> to trust ANY software such as a "secure" browser, because malicious
> software could have easily been interposed between the user and the
> trusted software.

Uh-huh. So, no one should ever use a computer ever again, if this nonsense is to be believed...

> The bottom line for consumers is that, on personal computers,

Oh? So non-personal computers are secure?

> INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY. We have

OH-MY-GOD-PLEASE-FIRST-VIRTUAL-SAVE-ME-FROM-MY-EVIL-COMPUTER-AND-MAKE-THE-
NET-SAFE-FOR-ONLY-YOUR-PRODUCTS!!

> dramatically proven that security ends the moment you type sensitive

The only thing that this post "dramatically proves" is that the poster is an idiot. Double for his company. Even LD was never this stupid.

> information into your computer. The vulnerability lies in the fact that
> information must travel from your keyboard, into your computer's
> operating system, and then to your "secure" application. It can be
> easily intercepted along the way.
>
> This kind of insecurity is very frightening, and has implications far

Oh, yeah, please save me from my evil computer. Give me a break.

> In short, credit card numbers are an almost perfect example of how NOT
> to design a payment instrument for an insecure public computer network
> such as the Internet.

Unless, of course, you use *our* products, services, etc.

> DETAILS: HOW TO TOTALLY UNDERMINE SOFTWARE ENCRYPTION OF CREDIT CARDS
>
> First Virtual's demonstration credit-card interception program, once
> installed, observes every keystroke that you type, watching for credit
> card numbers.
> It recognizes credit card numbers with almost perfect
> accuracy, because credit card numbers are specifically designed to match
> a simple, self-identifying pattern, including a check digit. Our
> program is even smart about punctuation and simple editing functions, so
> that nearly any credit card number that you type into your computer is
> immediately recognized as such by this program.

So what? Any first-year comp sci student could do the same.

> First Virtual's intent is to educate the public, certainly not to
> endanger it. For that reason, our program incorporates four important
> precautions intended to prevent any possibility of harm:

First Virtual's apparent "intent" is to scare the public and panic people into believing that they, and only they, have some sort of "magic bullet" that will save us all from Evil Computer Geniuses. Just another scam to try and make money off of unsuspecting people by trying to scare them to death. Just another version of the "Good Times Virus".

> It is frankly difficult to overstate the severity of the problem
> demonstrated by our program. A clever criminal could use viral

It is frankly difficult to overstate the idiocy of this post.

> First Virtual believes that the flaw we have uncovered is fatal. In the
> foreseeable future, all commerce schemes based on software encryption of
> credit cards on the desktop are completely vulnerable to this sort of
> attack.

And the sky is falling, too...

> The basic problem is that software encryption of credit cards is
> predicated on the notion of "trusted software". On the consumer
> computing platforms, however, general purpose operating system
> functionality makes it unwise to assume too strong a level of trust in
> such software. No operating system with anything less than
> military-grade security (B2) is likely to be safe from an attack such as
> this one.

Nonsense.
This also implies that Windows, MS-DOS, NT, etc., are all some sort of "insecure platform" and they are presumably infected from the start. I suppose that when Bill Gates picks himself up off the floor from laughing, he just might send his lawyers after you. Maybe.

> This does not mean that Internet commerce is dead. Any scheme that is
> not based on self-identifying one-way financial instruments such as
> credit cards will be essentially unaffected by this problem. Moreover,
> even credit cards may be made safe on the Internet using one of two
> approaches: secure hardware add-ons and the First Virtual approach.

Gee, why did I know this was coming?

> There's simply no other way to keep credit cards safe on the net. The
> program we have demonstrated completely undermines the security of all
> known programs that claim to handle credit card numbers safely on the
> Internet.

With a Windows program? I guess it runs on every known platform, under every known OS. My, that *is* one hell of a program... I guess I'd better stop using my linux box .. it could've been infected with the "FV Windows Virus" ... hehehe

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ...
'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes

From abostick at netcom.com Thu Feb 1 10:10:48 1996
From: abostick at netcom.com (Alan Bostick)
Date: Fri, 2 Feb 1996 02:10:48 +0800
Subject: NOISE Re: Page one, NY Times, 29 January 1996
In-Reply-To: <199601292207.RAA25259@nsa.tempo.att.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199601292207.RAA25259 at nsa.tempo.att.com>, Matt Blaze wrote:

> One of those microscopic bottom-of-page-one ads from John Young:
> "BOYCOTT ESPIONAGE-ENABLED SOFTWARE", with phone number and email
> address to contact for more information.

What? No cutesy six-character code (BOY_cot) for the respondent's subject line? ;-)

>
> I'd be curious as to what the response has been like.

Me, too.

- --
Alan Bostick | He played the king as if afraid someone else
Seeking opportunity to | would play the ace.
develop multimedia content. | John Mason Brown, drama critic
Finger abostick at netcom.com for more info and PGP public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMRA8r+VevBgtmhnpAQHz3AL+NjA48B5ivbhWYwSCW34PnZR/e/GU9J4O
FdqHpktvBW9Gok0J48IRfRNDi2UKgo8JbGv7bkNsFxa/xocpbD8KVneXKMpk5leM
VjeqO2plAys9L6qoAzM7D4TfHr7Ade5O
=UuUU
-----END PGP SIGNATURE-----

From tcmay at got.net Thu Feb 1 10:11:47 1996
From: tcmay at got.net (Timothy C. May)
Date: Fri, 2 Feb 1996 02:11:47 +0800
Subject: Unscribe
Message-ID:

At 1:34 AM 2/2/96, Ewout Meij wrote:

>unscribe cypherpunks at toad.com
 ^^^^^^^^
>
>unscribe emeij at pi.net
 ^^^^^^^^
>
>There is a theory which states that if ever anyone discovers exactly
>what the Universe is for and why it is here, it will instantly
>disappear and be replaced by something even more bizarre and
>inexplicable.
There is a theory which states that the correct way to unsubscribe from mailing lists is defined by the mailing list charter and principles, and that sending misspelled "unscribe" messages to the wrong place, and including "unscribe" messages intended for other lists, is bizarre and inexplicable.

--TCM

P.S. to Ewout: Send a message to "majordomo at toad.com" with a body message consisting only of "unsubscribe cypherpunks".

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

From jk at digit.ee Thu Feb 1 10:14:51 1996
From: jk at digit.ee (Jyri Kaljundi)
Date: Fri, 2 Feb 1996 02:14:51 +0800
Subject: new release of apache-ssl
In-Reply-To: <199601310936.BAA27103@infinity.c2.org>
Message-ID:

On Wed, 31 Jan 1996, sameer wrote:

> Apache-SSL 0.4.4 will soon be on the ftp site, and commercial
> licensees may request upgrades from apachessl at c2.org.

If someone puts this up on some European ftp site, please tell us. Right now only version 0.4.2 is available on utopia.hacktic.nl and ftp.funet.fi.

Juri Kaljundi, DigiMarket
jk at digit.ee

From dlv at bwalk.dm.com Thu Feb 1 10:16:15 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Fri, 2 Feb 1996 02:16:15 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601300015.AA15891@sulphur.osf.org>
Message-ID:

Rich Salz writes:

> >There are many ways to spread it besides a virus. Zillions of 'em. And
>
> There are zillions (what, more than one thousand?)
> ways to get someone
> to run a random piece of software that will capture their keystrokes?
>
> I don't believe you. Name six.

I think I'll go on a tangent:

Many, many, many years ago, when I was a little kid, I wrote several "cool" games that I uploaded to various BBS's. The games kept track of high scores and saved them in a file. At that time there were a few popular BBS programs for PC DOS (Fido, PC Board, RBBS, et al) which stored their passwords in fairly standard locations. When the games saved the high scores, they also looked in these standard locations. Invariably, when I downloaded the same games a few days later, I would discover that the BBS's sysops played the game, and made the archive with their high scores available for downloading.

ObCrypto: the high scores were encrypted together with the shell passwords.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From bplib at wat.hookup.net Thu Feb 1 10:19:42 1996
From: bplib at wat.hookup.net (Tim Philp)
Date: Fri, 2 Feb 1996 02:19:42 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601300015.AA15891@sulphur.osf.org>
Message-ID:

On Mon, 29 Jan 1996, Rich Salz wrote:

> >There are many ways to spread it besides a virus. Zillions of 'em. And
>
> There are zillions (what, more than one thousand?) ways to get someone
> to run a random piece of software that will capture their keystrokes?

Not wishing to get in the middle of this controversy, I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible?

Regards,
Tim Philp

From schneier at winternet.com Thu Feb 1 10:19:52 1996
From: schneier at winternet.com (Bruce Schneier)
Date: Fri, 2 Feb 1996 02:19:52 +0800
Subject: RC2 code on sci.crypt
Message-ID: <199601300312.VAA06064@parka>

For those not paying attention, there is RC2 code on sci.crypt.
RSADSI is acting as if it is real, and will publish some legal posturing about it real soon now.

Bruce

**************************************************************************
* Bruce Schneier              APPLIED CRYPTOGRAPHY, 2nd EDITION is
* Counterpane Systems         available. For info on a 15%
* schneier at counterpane.com  discount offer, send me e-mail.
**************************************************************************

From Andrew_Barrett at checkfree.com Thu Feb 1 10:20:00 1996
From: Andrew_Barrett at checkfree.com (Andrew Barrett/CheckFree Corporation)
Date: Fri, 2 Feb 1996 02:20:00 +0800
Subject: Japanese Firm Announces E-cash Implementation
Message-ID: <9602012054.AA3141@6thstreetcheckfree.com>

Multimedia Business Analyst via Individual Inc. : NTT has developed a secure electronic cash system for smart cards and Internet-based transactions, reports Reuter. Using very secure encryption algorithms, the system allows users to transfer cash from their bank accounts to smart cards after verification by the issuing bank. NTT researcher Mikio Suzuki said the Japanese telecom operator plans to begin trials of the system with a number of major city banks in the near future. These are expected to include Fuji Bank and Sakura Bank.

From markm at voicenet.com Thu Feb 1 10:20:21 1996
From: markm at voicenet.com (Mark M.)
Date: Fri, 2 Feb 1996 02:20:21 +0800
Subject: digital signatures and "meaning"
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Digital signatures can have many different uses and meanings. The most popular application of digital signatures is proof of authorship. A person signs something when he claims that he wrote it and if the signature is invalid, the message must have been altered. However, digital signatures are used for many other applications. Typical applications include timestamping, digital cash, and validating a document or statement.
The problem with these applications is that there must be some way to distinguish a timestamp signature from a proof of authorship. There are several different ways to do this:

- Make all digital signatures prove proof of authorship. Someone would include the text of the document he wants to sign and put a message saying at the end such as: "This document existed on such and such date" or, in the case of digital cash, "This coin was blinded and signed by the bank using standard protocols."

- Append some kind of electronic tag to the message that represents a certain kind of authorization. This is identical to the previous method except it relies more on protocols.

- Specify the type of signing that is to be done with a key. This could be included in the text of the user-ID field of the public key in a PGP-like program. It could also be done by extending a key generation and management protocol to include a tag on the key itself specifying what this key is to be used for.

There are advantages and disadvantages to each of these. The first has the advantage that it requires no protocol modification but relies on "legalese." The second method does require that protocols be slightly modified, but these modifications could be made by just pre-processing and post-processing the message with another program. However, this is more limited than the first method because it essentially uses "canned" messages. The final method relies on either no modification to the crypto program used or a non-trivial modification.

Personally, I tend to think that anything that uses a standardized protocol is a Good Thing. This is why I think that the second and third methods listed above would work better than the first. Comments?
- --Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm at voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
PGP: Because sometimes, a _Captain Midnight_ decoder ring simply isn't enough.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMQ1agLZc+sv5siulAQFKtwP/Xs7gOm1vP2FeDJDjahymYbMum3JrFqh0
VKXrkjmlh42ygX9y2sLfivN7DMsAGIF86NRaW67x0LD2uPuBl00KyvC18bqEPfiF
kMbvOZv96xL4fBssheRR7F4YH/oaASxCagxuAkIqBxi9uEzAppNloxMYHy87w0kY
h+48n+YH3D0=
=QTZp
-----END PGP SIGNATURE-----

From nsb at nsb.fv.com Thu Feb 1 10:20:30 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Fri, 2 Feb 1996 02:20:30 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To:
Message-ID:

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. zinc at zifi.genetics.utah. (1368*)

> so what? fv has a keyboard sniffer...

It's considerably more than that. Please read on.

> for what it's worth, this sort of program could easily be used to get
> info more important than credit card numbers. passphrases and
> passwords of all kinds could be obtained leading to broken accts or
> worthless cryptography.

Yes, but I think you've missed the main point, probably because we haven't made it clear enough. What's unique about credit card numbers is that they're very small amounts of data, self-identifying, and of direct financial value as a one-way financial instrument (i.e. with no confirmation process).

The attack we've outlined -- and partially demonstrated -- is based on the combination of several known flaws:

-- It's easy to put malicious software on consumer machines
-- It's easy to monitor keystrokes
-- It's trivial to detect credit card numbers in larger data streams
-- It's easy to disseminate small amounts of information tracelessly

We don't claim to have "discovered" any of these flaws.
However, when you combine these known flaws, you have something new: a plan for stealing MILLIONS of credit card numbers without a trace. That's the new threat, and we think it's very real.

The other kinds of information you mention are certainly all vulnerable to keyboard-sniffer attacks. But the unique aspects of credit card numbers make them particularly vulnerable to large scale automated theft by this kind of attack. I don't know of any other kind of sensitive information that is as easily recognized and as worthwhile to steal. Do you?

> additionally, this hardly has anything to do with netscape. this is not
> a 'bug' in netscape.

You're right, and I feel very bad about the fact that the article in the Merc made it sound like this was specifically targeting Netscape. While it's true that we submitted this to Netscape's "bugs bounty" program -- which is probably what created the Netscape angle in the story -- we really weren't targeting Netscape at all. We consider this flaw to be a very serious "design bug" in the whole software-encryption-of-credit-cards approach to Internet commerce. Netscape is just one of several companies that have gone down this path, but we think it's a very dangerous path, and one that Netscape, as a vendor of web browsers and servers, can do quite well without.

> it's a malicious program.

No, ours is a demonstration program, not a malicious program. Our program never installs itself automatically, always puts up an icon when it's running, never does anything bad when it intercepts your credit card number, and is easy to un-install. However, it demonstrates a technique that could be used by a malicious program to do some very nasty things.

> the only way to prevent
> malicious programs from causing you problems is to know what your
> computer is doing; what it's loading when you boot and what data it
> sends through your phone lines when you're online.

This is fine for you & me.
But Internet commerce has to work for the hundreds of millions of non-technical consumers who are swarming onto the Internet. If someone emails them a program that purports to show them pretty pictures (dirty movies?) for free, how many of them will stop to try to make sure that this program isn't going to do something malicious in the process?

The bottom line is that the consumer platform is never going to be a very safe place, so commerce mechanisms shouldn't assume that it is. We may not like that fact, but it's true nonetheless. -- Nathaniel

From m5 at dev.tivoli.com Thu Feb 1 10:40:34 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Fri, 2 Feb 1996 02:40:34 +0800
Subject: Tivoli
In-Reply-To: <199602011802.NAA24147@pipe3.nyc.pipeline.com>
Message-ID: <9602011810.AA18227@alpha>

John Young writes:
> Is it fair to assume that it's your Tivoli that's in the NYT
> and WSJ today, bought by IBM?

Yes, it is. It was a big surprise (like, absolutely nobody knew what was going on except for two or three VP's, and the CEO) (and I guess the board, of course, but they mostly don't hang out around here anyway). Lots of ex-IBMers sorta freaked a little, but I think everybody's happy.

> If so, congrats on never again having to sell your body for
> everlasting fame and glory.

Uhh, well, I might have to sell myself a little... But thanks very much.

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX * I want more, I want more,
m5 at tivoli.com * m101 at io.com * I want more, I want more ...
*_______________________________

From rsalz at osf.org Thu Feb 1 11:05:37 1996
From: rsalz at osf.org (Rich Salz)
Date: Fri, 2 Feb 1996 03:05:37 +0800
Subject: Lotus Notes
Message-ID: <9601310353.AA19147@sulphur.osf.org>

Thanks for the explanation -- in all my discussion with RSA and explanation to our lawyers I was thinking strictly API.
Your quote of the RSAREF license says they won't refuse anything reasonable, and one would be hard-pressed to say that changing keysize for something already not exportable isn't reasonable.

I'll have to read our license when I get to work tomorrow.
/r$

From jim at SmallWorks.COM Thu Feb 1 11:18:45 1996
From: jim at SmallWorks.COM (Jim Thompson)
Date: Fri, 2 Feb 1996 03:18:45 +0800
Subject: Tivoli
In-Reply-To: <199602011802.NAA24147@pipe3.nyc.pipeline.com>
Message-ID: <9602011244.ZM1060@butthead.smallworks.com>

It's the same Tivoli, (my spouse works there as well).

Jim

From ses at tipper.oit.unc.edu Thu Feb 1 11:27:26 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Fri, 2 Feb 1996 03:27:26 +0800
Subject: The Boys From Brazil - thoughts on cloning Nazi servers
Message-ID:

I've tried to stay out of this thread, as it is mostly off topic, but I do have one suggestion to people setting up clones of the zundel site.

There's a fine line between defending someone's freedom of speech, and actively promoting that speech. The reason these mirrors have been set up is to counter the restriction on access to the original site that has been put in place by Deutsche Telekom; however, in addition to defeating this restriction, this approach also makes the material more widely available than it was previously, which could be seen as crossing the line between defence of free speech, and active promotion.

One approach that would stop this line being crossed would be to configure the clone servers to only allow access to sites in Germany affected by the original restriction. This compromise defends freedom of speech, but does not give the site any wider promulgation than it would have had had no government restrictions been emplaced.

Simon

From vingun at rgalex.com Thu Feb 1 11:35:41 1996
From: vingun at rgalex.com (Vincent S.
Gunville)
Date: Fri, 2 Feb 1996 03:35:41 +0800
Subject: GTE and Cylink ATM Crypto
In-Reply-To: <199602010340.EAA16216@utopia.hacktic.nl>
Message-ID: <31110DCA.2218@rgalex.com>

Anonymous wrote:
>
> GTE & Cylink Team On Encryption For ATM
>
> Washington, D.C., 31 January 1996 -- During a press
> conference last night at Comnet, GTE and Cylink unveiled
> InfoGuard 100, a jointly developed offering billed as the
> first encryption system able to work with ATM
> (asynchronous transfer mode).
>
> InfoGuard 100 is meant to provide the security needed to
> induce business and government to use ATM public
> networks, said Michael M. Guzelian, GTE's marketing
> director for broadband systems, speaking at the press
> conference.
>
> GTE is the number one provider of encryption to the
> federal government, while Cylink holds a 70 percent share
> of the commercial encryption market, according to Kamy
> Kavianian, senior product marketing manager at Cylink for
> SecureWAN.
>
> GTE and Cylink will also jointly market the new ATM
> encryption system. "The deal (for InfoGuard 100) is
> mutually exclusive, but we don't know anyone else who can
> do it," noted Jeff Callo, Cylink's director of business
> development.
>
> InfoGuard consists of two main components, according to
> the officials. An ATM adapter from GTE provides ATM
> interfaces and cell processing and control functions.
>
> Cylink's CIDEC-VHS contributes "high-speed data
> encryption and decryption," in addition to physical
> security and "full automated key functions."
>
> Kavianian told the journalists that InfoGuard 100 is
> based on DES encryption. Users of InfoGuard will foil
> "key exhaustion," a method used for breaking encryption
> codes, if they "change their codes frequently," Guzelian
> added.
>
> Essentially, CIDEC-VHS has turned out to be "the first
> encryption method fast enough to keep up with ATM,"
> Guzelian maintained.
>
> The agreement between Cylink and GTE represents "an
> excellent example of coopetition," Callo said.
>
>

-- --
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|Vincent S. Gunville
|Robbins-Gioia
|209 Madison St Email vingun at rgalex.com
|Alexandria, Va 22309
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From usura at utopia.hacktic.nl Thu Feb 1 11:38:46 1996
From: usura at utopia.hacktic.nl (Alex de Joode)
Date: Fri, 2 Feb 1996 03:38:46 +0800
Subject: Unscribe
Message-ID: <199602011859.TAA15481@utopia.hacktic.nl>

TCM sez:

: At 1:34 AM 2/2/96, Ewout Meij wrote:

: >unscribe cypherpunks at toad.com
:  ^^^^^^^^
: >
: >unscribe emeij at pi.net
:  ^^^^^^^^
: >
: >There is a theory which states that if ever anyone discovers exactly
: >what the Universe is for and why it is here, it will instantly
: >disappear and be replaced by something even more bizarre and
: >inexplicable.

: There is a theory which states that the correct way to unsubscribe from
: mailing lists is defined by the mailing list charter and principles, and
: that sending misspelled "unscribe" messages to the wrong place, and
: including "unscribe" messages intended for other lists, is bizarre and
: inexplicable.

: --TCM

[pi.net] 'Planet Internet' is the Dutch equivalent of AOL.

-AJ-

From ravage at ssz.com Thu Feb 1 11:53:49 1996
From: ravage at ssz.com (Jim Choate)
Date: Fri, 2 Feb 1996 03:53:49 +0800
Subject: The Boys From Brazil - thoughts on cloning Nazi servers (fwd)
Message-ID: <199602011937.NAA00214@einstein.ssz.com>

Forwarded message:

> Date: Thu, 1 Feb 1996 10:49:19 -0800 (PST)
> From: Simon Spero
> Subject: The Boys From Brazil - thoughts on cloning Nazi servers
>
> There's a fine line between defending someone's freedom of speech, and
> actively promoting that speech.
> The reason these mirrors have been set up
> is to counter the restriction on access to the original site that has
> been put in place by Deutsche Telekom; however, in addition to defeating
> this restriction, this approach also makes the material more widely
> available than it was previously, which could be seen as crossing the
> line between defence of free speech, and active promotion.
>

I would counter and say that there is no distinction between free speech and promoting said speech. How does one say one party has the right to make a statement and a second party does not have the right to agree? The whole point of freedom of speech is to prevent limitations on distribution of information (aka speech, writing, source code, executables, video, audio tapes, etc.). Even use of these materials (ie running a virus) would not violate either the spirit or the letter of the law unless it harmed another person or somehow took advantage of their property (physical or intellectual) without their prior consent.

Jim Choate
CyberTects
ravage at ssz.com

From dm at amsterdam.lcs.mit.edu Thu Feb 1 12:11:59 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Fri, 2 Feb 1996 04:11:59 +0800
Subject: Domain registration
Message-ID: <199602011939.OAA23286@amsterdam.lcs.mit.edu>

Well, several people have told me it is possible to get response times of 8 hours on domain registration requests.

The last MODIFY request I sent in was in mid January. They sent back an autoreply telling me they were still working on modify requests from the third week in December, and then didn't change my domain until last week. (The inaddr.arpa modify request was considerably faster, however.)

Maybe they just don't like me, or maybe they have very very recently automated the process.

At any rate, I stand corrected.
David

From jonathon at pobox.com Thu Feb 1 12:16:47 1996
From: jonathon at pobox.com (Jonathon Fletcher)
Date: Fri, 2 Feb 1996 04:16:47 +0800
Subject: cypher-list noise levels
Message-ID: <199601310201.VAA26901@pobox.com>

Hi,

Can someone on the PGPdomo cypher-list tell me how good the signal to noise ratio currently is, and how good the content is. I've not signed up, but I'm tempted to try and get away from the noise on here recently.

-Jon

--
Jonathon Fletcher

From pmonta at qualcomm.com Thu Feb 1 12:18:03 1996
From: pmonta at qualcomm.com (Peter Monta)
Date: Fri, 2 Feb 1996 04:18:03 +0800
Subject: Crypto-smart-card startup Inside Technologies
Message-ID: <199601310830.AAA06778@mage.qualcomm.com>

There's an article in the January 29 _EE Times_ about a French cryptographic-smart-card startup called Inside Technologies. Tidbits:

..."In public-key cryptography, 512-bit keys are typical and already vulnerable. So we are looking at 640-bit-long keys supported by a scalable design."

..."Users want their own, custom algorithms, which can be downloaded at the time of use".

..."The CLU [cryptographic logic unit] will operate at a higher clock frequency than the RISC---60 MHz, in our design---yielding 640-bit RSA decrypt in less than 50 ms".

The article goes on to say that they plan to both manufacture smart cards, presumably for ecash and communications, and license the design at the macrocell level, possibly for use in embedded systems like mass storage.

By my count, six European companies mentioned, zero American.

Cheers,
Peter Monta pmonta at qualcomm.com
Qualcomm, Inc./Globalstar

From dlv at bwalk.dm.com Thu Feb 1 12:20:36 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Fri, 2 Feb 1996 04:20:36 +0800
Subject: Downsizing the NSA
In-Reply-To:
Message-ID:

A semiparanoid thought struck me:

Maybe the NSA doesn't need these extra 20K people, they just don't want them to go out into the industry and build crypto for the outside world.
So they continue to pay them salaries and have them do nothing useful.

This would be kind of analogous to how when Russia no longer needed so many nuclear scientists, the U.S. helped create "make work" jobs for them, just so they wouldn't go to work for the likes of Iraq.

---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

From dm at amsterdam.lcs.mit.edu Thu Feb 1 12:29:37 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Fri, 2 Feb 1996 04:29:37 +0800
Subject: CONTEST: Name That Program!
In-Reply-To:
Message-ID: <199601301030.FAA03072@amsterdam.lcs.mit.edu>

In article Nathaniel Borenstein writes:

> As you may have read in my previous message, First Virtual has developed
> and demonstrated a program that completely undermines all known schemes
> for using software-encrypted credit cards on the Internet. More details
> are available at http://www.fv.com/ccdanger.

You are a liar. Your program does not undermine all known schemes for transmitting software-encrypted credit cards on the internet. You have no way of obtaining my credit card number, because I will not run your software. Furthermore, because I use a Unix-like operating system (specifically OpenBSD) which I re-build from source code every week or so, you would need to hack my compiler to keep mis-compiling itself and compromise my kernel or netstat, ps, etc, for which you would need to be root.

The first virtual protocol seems to have some real weaknesses. However, I do not feel like wading through all the pages of text to figure out what is going on. I challenge you to post a concise description of the protocol, using syntax such as:

A -> B: {ID, xxx, ...}_Ks

With short descriptions where necessary. If you do, I'm sure we can rip your protocol to shreds (which is why you won't).
David

From ses at tipper.oit.unc.edu Thu Feb 1 12:30:11 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Fri, 2 Feb 1996 04:30:11 +0800
Subject: The Boys From Brazil - thoughts on cloning Nazi servers (fwd)
In-Reply-To: <199602011937.NAA00214@einstein.ssz.com>
Message-ID:

On Thu, 1 Feb 1996, Jim Choate wrote:

>
> I would counter and say that there is no distinction between free speech and
> promoting said speech. How does one say one party has the right to make a
> statement and a second party does not have the right to agree? The whole
> point of freedom of speech is to prevent limitations on distribution of
> information (aka speech, writing, source code, executables, video, audio
> tapes, etc.). Even use of these materials (ie running a virus) would not

I think you missed my point (run on sentences do that :).

To give one of the standard illustrations; I've written a short story, and the evil mind-control freaks at Analog and IASFM refuse to publish it with the flimsy excuse of it being crap and written in crayon. You are not required to send me millions of dollars so I can publish it myself. However, if I did raise the millions of dollars, and TPTB tried to stop me from publishing, there would be an obligation to fight that censorship by permitting me to publish.

Freedom of speech means that other people's speech shouldn't be censored; however there is no obligation for anyone to fund or lend other support towards that speech. This situation is somewhat complicated in that in order to fight the censorship, the mirror sites must 're-publish' the material; however as a side effect they are also publishing the material in a prominent way to people whose access has not been censored.

From ravage at ssz.com Thu Feb 1 12:36:03 1996
From: ravage at ssz.com (Jim Choate)
Date: Fri, 2 Feb 1996 04:36:03 +0800
Subject: Freedom of speech question...
Message-ID: <199602012012.OAA00279@einstein.ssz.com>

It is a commonly held belief that shouting 'fire' in a crowded theatre is a crime because of the potential for harm to persons and property. It is one of the most common examples given for limiting freedom of speech even though the Constitution says "Congress shall make no law...". This view is proposed as an equally valid rationale for limiting crypto, virus technology, drugs, etc.

My question to the list is would it be a crime if you were alone in the theatre? If you developed a virus and didn't distribute it would that be a crime? If you give it to one person is it a crime? How about if you give it to millions? How many people must know a fact, possess source code or executable. In short, does freedom of speech rest on how many people are aware of your expression?

My position is that if you answer in the affirmative then you are basically stating there is no freedom of speech. It should be perfectly permissible to shout 'fire' in a theatre filled to the brim. If anyone takes you seriously and is harmed then you should be liable for the damage. Your right to shout 'fire' is not relevant. If you accept the premise then what you are buying into is preemptive justice, in short judging somebody guilty by what they might do, not what they have done. If this is permitted then we have a serious problem in that any person is therefore guilty of whatever crime is desired.

From jimbell at pacifier.com Thu Feb 1 12:59:38 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 2 Feb 1996 04:59:38 +0800
Subject: Crypto-smart-card startup Inside Technologies
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 09:41 PM 1/31/96 -0800, Peter Monta wrote:
>jim bell writes:
>
>> > [ Inside Technologies ]
>> > ..."In public-key cryptography, 512-bit keys are typical and
>> > already vulnerable. So we are looking at 640-bit-long keys
>> > supported by a scalable design."
>>
>> This kind of thing disgusts me.
>> We already know 512-bit keys are weak. As
>> I recall, I was told that 512 bit keys could be cracked in 20,000
>> MIPS-years. If the ballpark formula holds that adding 10 bits doubles the
>> security, that merely means that 640 bits is 2**(128/10) or 8000 times
>> strong. While obviously better than 512, it is not ENOUGH better to make me
>> confident that this is a long-term secure length. 768 or 1024 bits should
>> be considered the minimum. A deliberate design of 640 bits makes it look
>> like it's intended to be crackable in 5-10 years, much as DES was suspected
>> of a similar design decision in limiting its keylength to 56 bits.
>
>But the "scalable design" presumably means the hardware can deal
>with a variety of modulus lengths. As you say, they would be
>short-sighted to make a fixed choice.

I hope you're right about this. But there's something to keep in mind. Let's suppose that in 10 years 640 bits are "easily" cracked. Anybody with the storage (money) to keep all these messages will have the power to sort through everything you said in 1996, '10 years later.' Who has the money to even store these messages, as well as the inclination? You guessed it, the government.

I realize that it is arguable that this would be possible, no matter what keylength is chosen. True, someday 1024-bit keys might be easily cracked, but that will probably be 30-50 years from now, not 10. In other words, "stretching" the technology today on the "encrypt" side makes storing these messages far less attractive, meaning that the government will have less motivation to do it, and will not be able to make the effort pay off for a few more decades.

I would like to see laws:

1. Prohibiting the government from storing encrypted messages it can't currently decrypt for over, say, a couple of years.

1a. Prohibiting any USE by the government of such messages obtained and stored by other entities, including individuals and private corporations, without the express permission of the sender AND receiver of the message.

2. Prohibiting the government from even ATTEMPTING to decrypt a domestically-obtained encrypted message, without a warrant which is simultaneously given to the source of the message: In other words, alerting him to the government's interest.

This is just a start.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMREY2/qHVDBboB2dAQGZdgP+MjIK02fU6iysN77g1aWb1gx9bzDrZoh4
ePWmd9RRD3gnzYOSIng5dRCxEpT+0Cqe4cFQEqbD6GhHlfNOKwkTU/LAfhvOdKpo
QJ9t93Af3aCaLtFmtXyj1Ce20GNqkp7qqP5DLKjYSEH/bR64aTA0pfZ70aes/8C1
w1AYLdvglXA=
=p+3A
-----END PGP SIGNATURE-----

From ses at tipper.oit.unc.edu Thu Feb 1 13:02:06 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Fri, 2 Feb 1996 05:02:06 +0800
Subject: Crypto-smart-card startup Inside Technologies
In-Reply-To:
Message-ID:

One other little point about 640 bit rsa; there's no way I'd ever buy an RSA accelerator tuned for 640, for one very simple reason. Most of the important keys I want an accelerator for are 1024 bits or longer - C/As, SETT banks, etc. I want to be able to clear 20 PKOPs per second without impacting the main CPUs; if I need to buy a busful of these babies they'd better be damn cheap and be available with duplicate keys...

Simon

From m1tca00 at FRB.GOV Thu Feb 1 13:03:43 1996
From: m1tca00 at FRB.GOV (Thomas C. Allard)
Date: Fri, 2 Feb 1996 05:03:43 +0800
Subject: American Banker article on First Virtual
Message-ID: <9602012019.AA23304@bksmp2.FRB.GOV>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp
Size: 14 bytes
Desc: not available
URL:

From llurch at networking.stanford.edu Thu Feb 1 13:43:39 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 2 Feb 1996 05:43:39 +0800
Subject: Comision del EC contra el racismo en la red (Re: CRAX Mix Rax)
In-Reply-To: <199602010519.GAA19612@utopia.hacktic.nl>
Message-ID:

Dude, while these subject lines are very quaint, given the level of traffic, I would really appreciate more descriptive subject headings. You may use any official UN language that can be written in 8-bit characters.

On Thu, 1 Feb 1996, Anonymous wrote:

> European Commission Moves To Stamp Out Racism On Internet
>
> Brussels, 31 Jan 1996 -- The European Commission (EC) has
> formed a pan-European group to "encourage the mixing of
> people of different cultures" from both inside and
> outside Europe.

I knew Euro-Disneyland was going to catch on some time.

> According to EC officials, the first task of the
> Consultative Commission on Racism and Xenophobia (CRAX),

Geez, so that wasn't a joke.

> as it is called, will be to investigate and, using legal
> means, stamp out the current wave of racism on the
> Internet.

OK, then maybe it is a joke.

> In a prepared statement, CRAX said that it hopes that the
> EC "will take all needed measures to prevent the Internet
> from becoming a vehicle for the incitement of racist
> hatred."

Prevent? How about "Band-Aid?" Recall that in many cases, Band-Aids actually promote infection by providing a dark, humid place for growth.

> As reported previously, the "Thule Network" first came
> to the public's attention when the January, 1994, issue
> of Chip magazine (a popular computer monthly in Germany)
> claimed to have unearthed eight Thule BBSs.
>
> According to Chip magazine at the time, "The (Thule)
> network distributes information on demonstrations and
> invitations to meetings, addresses for contacting parties
> and groups, and it reviews and offers books and
> magazines. One of the mail-boxes contained instructions
> for producing military explosives and letter bombs. A
> great deal of space is taken up by 'political
> discussions' among the users."

Um, OK. So force these people above ground, and they will need to restrict their activities to political discussions.

> Thule is Norse or Viking terminology for "top of the
> world." The Thule Network's name actually derives from
> the small, elitist 1920s movement which was considered to
> be the Nazi vanguard.

Read: a bunch of stupid thugs who don't want to be seen in daylight.

> Thule movement leaders included
> Rudolf Hess. Some BBSs on the Thule network have names
> such as "Wolf Box" and "Resistance," while many Internet
> messages are signed by people calling themselves "The
> Wolf," among other names.

What's the matter? Their mothers didn't like them or something?

Just try holding a debate with a person with a handle like that. The audience would just crack up.

-rich

From master at internexus.net Thu Feb 1 13:43:43 1996
From: master at internexus.net (Laszlo Vecsey)
Date: Fri, 2 Feb 1996 05:43:43 +0800
Subject: DSN
Message-ID:

Anyone heard of DSN? I think that's the right order of the initials... ... it's supposedly the only crypto-hardware solution for protecting an entire network on the Internet. You put one of these $5,000 units at one end of a LAN, and another one somewhere else on the Internet, and the company guarantees secure, encrypted transmissions. The TCP/IP headers and data are mangled, encrypted, etc.

It uses 512bit keys and I was just wondering how the authentication is done. Does anyone have any specs on these units?
Supposedly it does not require a 3rd party entity to verify that the two units are both valid, when determining the initial public/key pairs. Perhaps there is hardcoded data in the units that is used to verify this? The company supposedly has some proprietary method ... how can we be sure this expensive unit can do its job if information on the encryption has not been released.

Is there any freeware software solution that has been put through more of a torture test, and proven to work? It seems to be the best approach would be to put such a program on a server that is acting as the gateway/firewall on each network.

(define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n))))

"SGI and Linux both run Motif and X11. They both compile c++ cleanly (using gnu g++). They're the same!"

From emeij at pi.net Thu Feb 1 14:39:32 1996
From: emeij at pi.net (Ewout Meij)
Date: Fri, 2 Feb 1996 06:39:32 +0800
Subject: Unscribe
Message-ID:

unscribe cypherpunks at toad.com
unscribe emeij at pi.net

There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another which states that this has already happened on 02/01/96

From baldwin at RSA.COM Thu Feb 1 15:01:28 1996
From: baldwin at RSA.COM (baldwin (Robert W. Baldwin))
Date: Fri, 2 Feb 1996 07:01:28 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <9601018232.AA823213189@snail.rsa.com>

WARNING NOTICE

It has recently come to the attention of RSA Data Security, Inc. that certain of its confidential and proprietary source code has been misappropriated and disclosed.
Despite such unauthorized use and disclosure, RSA Data Security reserves all intellectual property rights in such source code under applicable law, including without limitation trade secret and copyright protection. In particular, RSA Data Security's RC2 (TM) symmetric block cipher source code has been illegally misappropriated and published. Please be advised that these acts, as well as any retransmission or use of this source code, is a violation of trade secret, copyright and various other state and federal laws. Any person or entity that acquires, discloses or uses this information without authorization or license to do so from RSA Data Security, Inc. is in violation of such laws and subject to applicable criminal and civil penalties, which may include monetary and punitive damages, payment of RSA's attorneys fees and other equitable relief. RSA Data Security considers misappropriation of its intellectual property to be most serious. Not only is this act a violation of law, but its publication is yet another abuse of the Internet. RSA has begun an investigation and will proceed with appropriate action against anyone found to have violated its intellectual property rights. Anyone having information about the misappropriation identified above is encouraged to contact RSA directly. From mpd at netcom.com Thu Feb 1 15:13:56 1996 From: mpd at netcom.com (Mike Duvos) Date: Fri, 2 Feb 1996 07:13:56 +0800 Subject: The Boys From Brazil - cloning Nazi servers Message-ID: <199602012239.OAA04660@netcom2.netcom.com> ses at tipper.oit.unc.edu (Simon Spero) writes: > There's a fine line between defending someones freedom of > speech, and actively promoting that speech. 
The reason these > mirrors have been set up is to counter the restriction on > access to the original site that has been put in place by > Deutche Telecom; however, in addition to defeating this > restriction, this approach also makes the material more > widely available than it was previously, which could be seen > as crossing the line between defence of free speech, and > active promotion. I think you have to look at the balance between two things. First, there is the effect of making the material more widely available and publicized than it was prior to the attempted censorship. This effect is definitely real. Indeed, prior to a few days ago, I wouldn't have known a Zundelsite from a hole in the ground. Second, however, is the unprecedented opportunity for people running mirrors to guarantee that large numbers of the public will encounter said material for the first time enveloped within their chosen "context wrapper." Now it is well known that the crafty art of propaganda rarely consists of deliberate falsehoods, like "yellow rain" or "spy dust". It mostly consists of making sure one is in complete control of the circumstances in which potentially damaging information is disclosed. The opportunity to present Mr. Zundel's views brightly gift-wrapped in paper bearing the legend - "Here are the offensive views of a hate-mongering Nazi whose victims are supporting his right to be heard" - is worth more than a thousand press releases denouncing Mr. Zundel by the anti-defamation brigade. I would expect that it is this second effect which predominates, and therefore the proliferation of mirror sites is in fact a victory for Mr. Zundel's detractors, and not a promotion of Mr. Zundel's views. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. 
$

From syshtg at gsusgi2.Gsu.EDU Thu Feb 1 15:20:30 1996
From: syshtg at gsusgi2.Gsu.EDU (Tom Gillman)
Date: Fri, 2 Feb 1996 07:20:30 +0800
Subject: The Boys From Brazil - thoughts on cloning Nazi servers (fwd)
In-Reply-To:
Message-ID: <199602012236.RAA17176@gsusgi2.Gsu.EDU>

Simon Spero wrote:
> Freedom of speech means that other people's speech shouldn't be
> censored; however there is no obligation for anyone to fund or lend other
> support towards that speech. This situation is somewhat complicated in
> that in order to fight the censorship, the mirror sites must
> 're-publish' the material; however as a side effect they are also
> publishing the material in a prominent way to people whose access has
> not been censored.
>

Is voluntarily offering support funding or lending? I never thought so. I'm also unsure that web pages can be considered publishing in this particular sense. Certainly files put up on anonymous ftp cannot be considered to be publishing. I would also dispute your use of the term 'prominent'. How does making them available make them any more prominent than they were to begin with?

Censorship doesn't work. It doesn't stop people from believing in a point of view. In fact, it only strengthens that point by making them martyrs. The only combat to offensive thoughts or speech is more speech. When you show their viewpoints to be a fallacy, they will slink away.

Censorship is a dull, poisoned, double-edged blade. It doesn't cut cleanly, and the wound that it creates festers and makes the entire body sick. It's also a blade that cuts both ways. If you're not careful, you might get cut yourself.

Oh, and BTW, before anybody asks: Yes, I am the sysadmin at the site where Joe Bunkley (We call him Racist Boy) has his web site. I personally despise his views, and might cheerfully cause him pain, given the opportunity. But I won't...because he has just as much right to believe the way he does as any of the rest of us do.
Of course, the decision ultimately rests in the hands of those who have far more power than I do.

Tom

--
Tom Gillman, Unix/AIX Systems Weenie |"Personally, I have always found the
Wells Computer Center-Ga. State Univ. |First Amendment to be a little irksome
(404) 651-4503 syshtg at gsusgi2.gsu.edu |and a nuisance" Patrick A. Townson,
I'm not allowed to have an opinion. |moderator, comp.dcom.telecom
key to UNIX: echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc

From tedwards at Glue.umd.edu Thu Feb 1 16:08:33 1996
From: tedwards at Glue.umd.edu (Thomas Grant Edwards)
Date: Fri, 2 Feb 1996 08:08:33 +0800
Subject: Prediction about new credit card number scheme
Message-ID:

>By JOHN MARKOFF SAN FRANCISCO --
>Hoping to remove a major impediment to credit card transactions over the
>Internet, a business group led by Mastercard International and Visa
>International plans to announce an industry-standard technology Thursday
>for protecting the security of electronic payments.

My prediction about the new CC standard: it will be a mistake if they don't pass on the details to cypherpunks.

BTW - are any micropayment schemes revving up to commerciality yet???

-Thomas

From llurch at networking.stanford.edu Thu Feb 1 16:08:35 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Fri, 2 Feb 1996 08:08:35 +0800
Subject: Copyright fight against unauthorized racist "Zundelsite" mirrors (was Re: INTERNET FREE SPEECH WEB SITE !) (fwd)
Message-ID:

FYA.

---------- Forwarded message ----------
Date: Thu, 1 Feb 1996 15:09:07 -0800 (PST)
From: Rich Graves
To: "E. Zundel"
Cc: "Declan B.
McCullagh" , Blake D Mills IV , fight-censorship+ at andrew.cmu.edu, sameer at c2.org, lmccarth at cs.umass.edu, llurch at networking.stanford.edu, webmaster at nizkor.almanac.bc.ca, webmaster at wiesenthal.com Newgroups: alt.censorship, comp.org.eff.talk, alt.revisionism, misc.int-property, misc.legal Subject: Copyright fight against unauthorized racist "Zundelsite" mirrors (was Re: INTERNET FREE SPEECH WEB SITE !) -----BEGIN PGP SIGNED MESSAGE----- Declan: Please take down the "build your own Zundelsite" files immediately, because it appears that they are being used improperly. Surely you do not want to violate Mr. Zundel's copyright. Ingrid/Zundel: I am pleased to hear that you do not agree with Mr. Bunkley's use of your materials. You should pursue legal action against Mr. Bunkley for copyright infringement. I think an injunction and a seizure of assets might be in order. I'm serious. Think about it. Please let us know which of the mirror sites linked by Declan are authorized. I know mine and Declan's were, and I assume that you approve of the partial IHR mirror. Because so many unblocked mirror sites currently exist, I have restricted access to my mirror to stanford.edu and a few other places. A limited number of closely controlled mirrors is certainly in your interest, because then it wold be much easier for you to update them. For example, your lack of control leads to the perception that well after Nizkor responded to your call for open debate, you have still not acknowledged their response. You look like a bunch of liars claiming that Nizkor won't answer you. Surely this is not what you want. - -rich On Thu, 1 Feb 1996, E. Zundel wrote: > Rich, > > all I can say is: Oh, my God! > > I know Rich Bunkley, but only be name and only from a few days ago. He > wrote us a very nice letter and wanted some additional information. We > promised it to him, but I don't know if it has even been sent. 
> > All I can add is that a few days ago Ernst put an editorial online that > explained where he stood with this kind of stuff. It is on our English > News page. I don't have time to do anything more except to send you the > HTML form, but you will see that we do not condone what Joe Bunkley is > doing. > > Here is the editorial: > > January 25, 1996 >

> Hate on the Internet
> (Ernst Zundel)
> > The last few weeks have seen a number of new "skin head" and other fringe > group web pages appear on the Internet. I have at first watched with > dismay and now with horror how crude, vicious and disgusting cartoons > appear on some of these web pages, and how others openly promote an uncouth > and barbaric form of verbal and symbolic violence. >

> At first I thought that the electronic "counter measures" agencies of our > opponents had put up these sites to deliberately give Revisionists, > racialists and National Socialists a bad name. The timing seemed to > coincide with the Simon Wiesenthal Center's censorship efforts, as > elaborated on in the Front Page New York Times article January 10. The > censors claim they want to ban "pornography" and "hate groups" from the Net > - and what easier way to do that than to point to vulgar, smutty, uncouth > web sites? >

> Censors are appealing to Internet providers and servers to adopt a > "responsible citizens of the community" standard and to keep smut and hate > from the curious eyes of the impressionable young net surfers. We all know > that the United States Congress is currently working on just such > legislation, (H.R. 1555 / S. 652), as is the Canadian government and > undoubtedly other governments around the world. Germany's ban of > Compuserve is a perfect example. This is a very dangerous development for > all freedom-loving people. >

> I have felt uncomfortable in publicly defending the free speech rights of > Internet pornographers in the CompuServe controversy of late December and > early January, for I abhor pornography. Nevertheless, others abhor my > Revisionist viewpoint and I would be loath to let them censor me. Now I am > even more uncomfortable with the "Hate pages" of so-called "Right Wingers" > or "Skin Head" groups on the Internet and their foul language and vicious > cartoons of certain racial minorities. >

> Let me state unequivocally: I condemn and abhor this kind of material - in > print and on the Net. As a German person, whose ethnic group has been > negatively stereotyped since 1914 in thousands of vicious cartoons > depicting my people as Neanderthal brutes goose-stepping over other > people's rights while shouting "Heil Kaiser!" or "Heil Fuhrer!" I am > particularly sensitive to this issue. I have collected stacks and stacks > of these anti-German cartoons, and I dislike intensely how they distort my > ethnic group, particularly the World War II generation that spilled its > blood to stop the Marxist New World Order that is now strangling freedom > the world over with censorship measures like "Hate Laws." >

> Therefore, I appeal to all the web page owners or web masters, particularly > those who supposedly espouse Aryan ideals or views, as well as to those who > participate in various "alt.revisionism"-type news groups, to clean up > their acts, to behave like true Aryans who have a long and proud tradition > of being builders of civilization and inheritors of a great culture - and > to stop this anarchistic, selfish and childish Hollywood-induced behavior. > Look at yourselves and at your work! Every time you write or talk, your > mind if not your soul goes on parade. Nietzsche once wrote: ". . . There > is filth at the bottom of their souls; and it is worse if this filth still > has something of the spirit in it. . . !" >

> Haters who produce hate cartoons, hate literature, hate lines and hate web > sites are what our enemies have defined us to be. Up to now it was > self-serving enemy propaganda. Why hand them the "proof" with those > disgusting images? Why legitimize their past propaganda slogans and give > them their very own weapons on a silver platter or computer screen? You > are playing right into the censors' hands. Grow up! It's time to grow up, > wake up, and act responsibly! >

> Yes, to be an Aryan is a responsibility and also a privilege. It imposes > certain codes of behavior and ethics as well as morals on all those who > claim to be "Champions of White Rights" or Aryan causes. The struggle for > survival is on. This is no time or place for a handful of imbalanced > people, lacking self-control and self-esteem, to lay claim to "leadership" > roles because they can scrape the money together for a web site. > > Some of you bemoan the lack of public support by our own people - > financially and politically. Why are you surprised when decent white > people want nothing to do with you after they see what you do, and what you > say and write? I am disgusted that I have to spell out what ought to be > perfectly obvious to normal, decent poeple. >

> The struggle to protect the majority rights or White rights in the United > States and Canada - and, for that matter, in many other so-called > "democratic" countries - is not fought in order to have license to hate and > abuse people of other races but in order to love your own kind, to protect > them, to cherish them, and to assure their future in a world where white > people are already a minuscule minority and an endangered species. I am > shocked that people don't think before they act. I am shocked and > disgusted that grown men would not have more self-control and foresight. >

> Anybody wanting to link to the Zundelsite who has hateful material on their > site does not have my approval. That's final. This is my line I draw > today in the sand. >

> Ernst Zundel > > > > > > > > > > > >-----BEGIN PGP SIGNED MESSAGE----- > > > >In article <4ep2he$msc at sphinx.Gsu.EDU>, the well-known Neo-Nazi (in the > >strictest sense of the word) gs02jwb at panther.Gsu.EDU (Joe Bunkley) > >writes: > > > >>Hello Folks, > >> I have established a brand new page on my web site. It's called: > >> > >> "ERNST ZUNDEL AND THE WORLD WIDE FREE SPEECH CAMPAIGN" > >> located at: > >> http://www2.gsu.edu/~gs02jwb/zundel.ind > > > >I recognize and encourage your right to speak freely, and I will link to > >your page. However, the only thing "new" about this site is the addition > >of more obvious lies claiming that Mr. Zundel is being censored in any > >meaningful way. > > > >I *demand* that you add a link to my site, which as you know and as Mr. > >Ernst Zundel's own press release clearly states, was the first. I will > >continue to maintain Mr. Zundel's files in place and unmodified as long as > >you and Zundel continue to make spurious claims of censorship, you worm. > > > >Lies written in ink can never disguise facts written in blood. - Lu Xun > > > >>If you look closely, you'll find that the REAL net censors have something > >>in common. This very tight knit group will deny it and will call you a > >>"Hater" if you recognize this fundamental truth. Are we going to let > >>this small group of people run the Internet like they do the news and > >>entertainment media in North America and Europe. Let me tell you, they > >>are sure going to try! Only your vigilance for truth, justice, and > >>freedom of speech and expression will stop this cabbal. Shine the light > >>of truth and facts upon them. Like a fungus, their doctrines of hatred > >>and domination cannot thrive in an environment of truth. These sick > >>puppies need us to stand up to their Orwellian schemes. Only by > >>following a truly evil doctrine of hatred for several thousand years do > >>they maintain the audacity that they are CHOSEN to rule the world. > > > >Exactly. 
Let's put these white supremacist assholes like Joe Bunkley in > >their place. > > > >> You see folks, your idealism and principles of fair play simply > >>get in the way of their ultimate success. Expressing your ideas freely > >>on the Internet has infuriated them. How dare you disagree with they who > >>are CHOSEN only in their own sick minds! This whole Internet and World > >>Wide Web just ain't working out like they planned. You see, the Internet > >>is supposed to FACILITATE the creation of a ONE WORLD GOVERNMENT. The > >>inherent nature of Cyberspace has taken us in an opposite direction > >>entirely! It facilitates autonomy, freedom, and individual expression. > >>Heck, Cyberspace is actually lessening their clutches upon your world and > >>environment. > > > >This is what cypherpunks have known for years, you Nazi bastard. > > > >It has nothing to do with you, freak. > > > >In a truly free society, you will only be laughed at. > > > >Only our strict adherence to the most cherished tenets of freedom is what > >allows people like us to tolerate people like you. > > > >> The shocking truth is being learned: WE DON'T NEED THEM; BUT > >>THEY DESPERATELY NEED US. Yes, they are paracites. With our > >>magnanimity, they may one day get over their trans-millennial delusion of > >>ruling the world. We can help them get over their sickness - but only > >>when they RECOGNIZE and ADMIT they have one big bugger of a problem. > >>That is the hardest thing for a CHOSEN ONE to do. It contradicts all the > >>poison these sick puppies have been led to believe about themselves. > >>With courage and vigilance, we can lead them to the light once they admit > >>their sickness. > > > >Exactly. Joe Bunkley, please tell us The Fourteen Words. > > > >>14words+14words+14words+14words+14words+14words+14words+14words+14words+14 > >>14 14 > >>14 FOURTEEN WORDS ! 
| I am sincerely yours, 14 > >>14 "We must secure the existence of our | Joe Bunkley 14 > >>14 People, and a future for White children."| gs02jwb at panther.gsu.edu 14 > >>14 14 > >>14 The Coming Fall Of The American Empire 14 > >>14 http://www2.gsu.edu/~gs02jwb 14 > >>14 14 > >>14words+14words+14words+14words+14words+14words+14words+14words+14words+14 > > > >Oh. I see that you did. Goodie. > > > >- -rich > > > >-----BEGIN PGP SIGNATURE----- > >Version: 2.6.2 > > > >iQCVAwUBMREteo3DXUbM57SdAQFKQwP+KHHvwVDp5QYGeQKUsuAW80PAufN1+ybK > >iFglKGsu5khfhP+5shwo8vAwtiH9tKEOxHob/pA6e9RU/Ktn0OW+zBQFflS9y1ee > >vPHELAN/DxihU7Wv4gAYsZW9fjC0KJbvzx8XYu7MA1po7pudMzue0bUpmoV0y/VB > >tzDmW59FLRs= > >=iYAQ > >-----END PGP SIGNATURE----- > > ***** Revisionism is the great intellectual adventure at the end of the > Twentieth Century. > > ***** Revisionismus ist das grosse intellektuelle Abenteuer am Ende des > Zwanzigsten Jahrhunderts. > > http://www.webcom.com/ezundel/english -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMRFG1I3DXUbM57SdAQHrAwP/UTeg5XvpVrRQ8QYaaMCbOxG7TqP7KjLo A1Q0AmBPHWkBIUDXHyRPQGMrBXDIGrZ4Brj0pv4e1aTR5qxTkLoNEajcX9Z6yhSe nmRL6tF669369mDX/s6WvcNzBtGIQL4B5eg3UEP0Y2FWuUWjTiBOXLX2hCpRX++X R4Mf300rIGA= =BA6j -----END PGP SIGNATURE----- From hua at chromatic.com Thu Feb 1 16:51:54 1996 From: hua at chromatic.com (Ernest Hua) Date: Fri, 2 Feb 1996 08:51:54 +0800 Subject: RC2 Source Code - Legal Warning from RSADSI In-Reply-To: Message-ID: <199602020011.QAA24870@chromatic.com> > > WARNING NOTICE > > > > It has recently come to the attention of RSA Data > > Security, Inc. that certain of its confidential and > > proprietary source code has been misappropriated and > > disclosed. Despite such unauthorized use and disclosure, > > RSA Data Security reserves all intellectual property rights > > in such source code under applicable law, including without > > limitation trade secret and copyright protection. In > > Well, now we know it really was RC2. 
>
> Is there a law-knowing type out there who can tell us what's going on
> legally? As I understand things, RSA is just bullshitting here. When
> something has 'trade secret' status, the only people with legal obligations
> toward it are those with contractual obligations to RSA--you can only
> enforce 'trade secrets' through contractual obligations, non-disclosure and
> confidentiality agreements, etc. Once something has been disclosed, as I
> understand it, people without contractual obligations in regards to it are
> free to do whatever they want to it--trade secret status of RC2 has nothing
> to do with me, who has no contractual obligations to RSA regarding RC2.
> (Unless the license agreement for RSAref could be stretched to apply
> somehow, but I don't think so).

Uh ... wait ... better check on the stupid Scientology cases because they did win some small battles regarding what they considered trade secrets. Did they win that on copyright basis or trade secret basis? There must be some case history here.

Ern

From 72124.3234 at compuserve.com Thu Feb 1 16:59:28 1996
From: 72124.3234 at compuserve.com (Kent Briggs)
Date: Fri, 2 Feb 1996 08:59:28 +0800
Subject: Beta Testers Wanted
Message-ID: <960201205224_72124.3234_EHJ92-1@CompuServe.COM>

I'm looking for volunteers interested in testing the latest beta version of Puffer 2.0. Puffer is my shareware data file & e-mail encryption utility for Windows and has been significantly improved since version 1.0. It is now a full-fledged public key encryption program utilizing Diffie-Hellman technology.

The exportable shareware version will support 512-bit public keys and 40-bit PC1 (RC4 clone) encryption. The U.S./Canada registered version will also support 1024-bit public keys and 160-bit Blowfish encryption. All versions support digital signatures, multi-pass data wiping (files, slack, & unused space), LZ77 compression, a built-in editor, and Windows clipboard encryption.
I am currently negotiating a patent license for the D-H algorithm with Cylink and an export license with the State Dept. Testers must be residents of the U.S. or Canada. I am looking for cryptography novices through experts using a wide range of PC hardware running Win 3.1, Win 95, or OS/2. I also have detailed text files describing the security protocols and file formats used. I would like experts to take a look at these to make sure I didn't do something stupid. Those that can help will get a free copy of the final registered version. The software will be a 417 K zip file available via http. I will e-mail the protocol and file format specifications to anyone interested. Please respond by private e-mail. Thanks. Kent Briggs 72124.3234 at compuserve.com From rsalz at osf.org Thu Feb 1 17:09:47 1996 From: rsalz at osf.org (Rich Salz) Date: Fri, 2 Feb 1996 09:09:47 +0800 Subject: RC2 Source Code - Legal Warning from RSADSI Message-ID: <9602020046.AA23769@sulphur.osf.org> Once lost, trade secret can never be regained. The person(s) responsible can be sued so they never work again :), but it's unclear if RSA can stop anyone using unpublished trade-secret source. At any rate, I'll stop my comparison of the distributed RC2 and the licensed RC2 since RSA's done it for us. :) /r$ From llurch at networking.stanford.edu Thu Feb 1 17:11:42 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 2 Feb 1996 09:11:42 +0800 Subject: CONFIRMED: German Universities' ISP lifts webcom.com filter Message-ID: >From Declan's fight-censorship list. My mirror has now been disabled, because it is completely unnecessary. 
If you have no idea what this is about, see:

http://36.190.0.210/~llurch/Not_By_Me_Not_My_Views/

-rich

---------- Forwarded message ----------
Date: Fri, 2 Feb 1996 00:35:22 +0100 (MET)

Some minutes ago:

| sobolev:~ % traceroute www.webcom.com
| traceroute to s1000e.webcom.com (206.2.192.66), 30 hops max, 40 byte packets
|  1 gatekeeper.rhein.de (193.175.27.1) 241.515 ms 224.741 ms *
|  2 wan-gw.su.golden-net.rhein.de (193.175.27.6) 221.028 ms 194.252 ms 199.246 ms
|  3 su-gw.cs.bn.golden-net.rhein.de (193.175.27.250) 358.375 ms 534.402 ms 359.005 ms
|  4 131.220.6.2 (131.220.6.2) 258.929 ms 277.339 ms 249.133 ms
|  5 131.220.241.3 (131.220.241.3) 301.754 ms 328.01 ms 429.14 ms
|  6 131.220.1.199 (131.220.1.199) 369.062 ms 397.582 ms 399.12 ms
|  7 Duesseldorf4.WiN-IP.DFN.DE (188.1.133.69) 408.983 ms 516.393 ms 599.211 ms
|  8 ipgate2.win-ip.dfn.de (193.174.74.200) 608.828 ms 454.999 ms 399.153 ms
|  9 pppl-frg.es.net (192.188.33.9) 559.177 ms * 599.775 ms
| 10 umd2-pppl2.es.net (134.55.12.162) 618.292 ms 597.956 ms 629.111 ms
| 11 mae-east.psi.net (192.41.177.245) 408.889 ms 328.154 ms 399.18 ms
| 12 38.1.2.16 (38.1.2.16) 449.041 ms 718.307 ms 599.023 ms
| 13 * 38.146.147.2 (38.146.147.2) 930.251 ms *
| 14 SJT1E0.webcom.com (206.2.192.34) 989.108 ms 488.372 ms 629.073 ms
| 15 * 206.2.192.65 (206.2.192.65) 750.307 ms 608.356 ms
| 16 s1000e.webcom.com (206.2.192.66) 808.935 ms 888.363 ms 769.091 ms

From pope at auditnet.tamu.edu Thu Feb 1 17:15:37 1996
From: pope at auditnet.tamu.edu (Jon L. Pope)
Date: Fri, 2 Feb 1996 09:15:37 +0800
Subject: unscribe
Message-ID: <170F31D140CE@AUDITNET.TAMU.EDU>

unscribe cypherpunks at toad.com

TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU
Jon L.
Pope, CISA, CIA Supervisory Internal Auditor
Texas A&M University Mail Stop #1280
e-mail: pope at auditnet.tamu.edu College Station, Tx, 77843-1280
Phone: (409)845-1323 Fax: (409)845-6437)
TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU-TAMU

From baldwin at RSA.COM Thu Feb 1 17:55:25 1996
From: baldwin at RSA.COM (baldwin (Robert W. Baldwin))
Date: Fri, 2 Feb 1996 09:55:25 +0800
Subject: Thanks for not flaming the messenger
Message-ID: <9601018232.AA823224197@snail.rsa.com>

Well, I've read a whole bunch of replies to the legal warning I posted
for my employer. I want to thank everyone for being thoughtful enough
for not flaming me personally.

My apologies to people who received multiple copies. The goal was to
ensure that anyone searching for the original article would get the
warning with it, and that any CD-ROM containing sci.crypt would also
contain the warning. Sorry for the inconvenience.

--Bob

From bal at martigny.ai.mit.edu Thu Feb 1 18:30:40 1996
From: bal at martigny.ai.mit.edu (Brian A. LaMacchia)
Date: Fri, 2 Feb 1996 10:30:40 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
In-Reply-To:
Message-ID: <9602020205.AA14789@toad.com>

   Date: Thu, 1 Feb 1996 18:26:15 -0500
   Mime-Version: 1.0
   Content-Type: text/plain; charset="us-ascii"
   From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
   Sender: owner-cypherpunks at toad.com
   Precedence: bulk

   Now, copyright might be another matter. But you can't copyright an
   algorithm, only specific text in fixed form (ie, the source code). So
   this would mean you couldn't use the particular code posted to
   sci.crypt, but wouldn't stop anyone from using the algorithm, if they
   wrote their own code (to be safe, without having seen the
   RSA-copyrighted code, only having the algorithm described to them by
   someone else).

If the source code posted to sci.crypt was in fact a copy of an RSADSI
copyrighted source code listing, then making copies of that listing is a
copyright violation.
However, copyright protection does not extend to the underlying algorithm, so unless RSADSI has a patent on the algorithm the idea is free, and can be reimplemented using a "clean room" or "Chinese wall" approach. If the posted source code was *not* a copy of RSADSI source code but instead produced by disassembling object code RSADSI's claims are tenuous at best. RSADSI could conceivably claim that the disassembled code is a derivative product of their copyrighted object code, but I think they would have a hard time distinguishing themselves from the facts in _Sega v. Accolade_. I fail to see how the legality of "alleged-RC2" is any different than that of the "alleged-RC4" code which was published last year. --bal From mixmaster at vishnu.alias.net Thu Feb 1 18:39:17 1996 From: mixmaster at vishnu.alias.net (Mr. Boffo) Date: Fri, 2 Feb 1996 10:39:17 +0800 Subject: RC2 Source Code - Legal Warning from RSADSI Message-ID: <199602020200.UAA22646@vishnu.alias.net> > WARNING NOTICE > > It has recently come to the attention of RSA Data > Security, Inc. that certain of its confidential and > proprietary source code has been misappropriated and > disclosed. Despite such unauthorized use and disclosure, > RSA Data Security reserves all intellectual property rights > in such source code under applicable law, including without > limitation trade secret and copyright protection. In Ya know... This is getting old! It seems like RSA Data Security can't control their own site. It only seems like yesterday (actually about 2 years ago) that another one of their "RC" algorithms was published to the Usenet thru anonymous remailers. Can't they secure their own site against break-ins? If they want to be the prima-donna site for encryption with all of the "copy-written" crypto, you would think that they could protect their own resources better. 
Lazarus Long From adam at rosa.com Thu Feb 1 18:45:31 1996 From: adam at rosa.com (Adam philipp) Date: Fri, 2 Feb 1996 10:45:31 +0800 Subject: RC2 Source Code - Legal Warning from RSADSI Message-ID: <02221509300197@compuvar.com> At 08:00 PM 2/1/96 -0600, you wrote: >> WARNING NOTICE > > It has recently come to the attention of RSA Data >> Security, Inc. that certain of its confidential and >> proprietary source code has been misappropriated and ^^^^^^^^^^^^^^^ >> disclosed. Despite such unauthorized use and disclosure, > Ya know... This is getting old! It seems like RSA Data >Security can't control their own site. It only seems like yesterday >(actually about 2 years ago) that another one of their "RC" algorithms >was published to the Usenet thru anonymous remailers. Can't they >secure their own site against break-ins? I hope that his code was not stolen, if it was actually stolen and then released and we knew that for sure, then trade secret rights would probably still apply. However the code was posted anonymously we do NOT know for certain that it was MISAPPROPRIATED. As such it may have been reverse engineered in manner that does not violate trade secrets and hence it can be used. The burden is with RSA to prove that any one person KNEW it was misappropriated. That is why we are seeing all these messages flying around on the web, RSA attorneys are trying to shut the barn door after the horses have left... a rushed, Adam, Esq. --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ |PGP key available on my home page|Unauthorized interception violates | | http://XXXXXXXXXXXXXXXXX/adam |federal law (18 USC Section 2700 et| |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.). In any case, PGP encrypted | |SUB ROSA... |communications are preferred for | | (see home page for definition) |sensitive materials. 
| \-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/ From llurch at networking.stanford.edu Thu Feb 1 18:45:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 2 Feb 1996 10:45:45 +0800 Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted" In-Reply-To: Message-ID: On Thu, 1 Feb 1996, Declan B. McCullagh wrote: > Excerpts from internet.cypherpunks: 1-Feb-96 Tim's paranoid rant about > D.. by Just Rich at c2.org > > I disagree. It is clear to me that there is absolutely no cloud hanging > > over us. If any German court tried to press charges against me for > > posting Zendel's materials, they'd be laughed across the Argonne. Most > > mainstream Jewish groups *love* me right now. > > > > I find it curious, and I am beginning to get a little annoyed, that my > > name is rarely mentioned, though I set up the first mirror, and Declan got > > the files from me. > > So you're getting pissy that you're not The Only Zundel Mirror. Big > fucking deal. Get over it. The more the better. > > I find it telling that you wrote me mail demanding that I alter my web > pages to your satisfaction or you'll smear me in the press, since your > web site (you informed me) is going to be featured in the next issue of > TIME, Internet World, and the San Francisco Chronicle. > > Hey, guy, kudos to you. Glad to hear it. Smear the fuck away. This does not accurately represent what I said, and it certainly does not represent what I have done. You are still identified as "My friend Declan," and I recommend that people visit your site. I actually would have appreciated it if you had crowed, or at least shared, your media contacts. For example, I only just now found out about Steve Pizzo's poorly researched article in Web Review, where he presents as my views deliberate lies that I told Zundel in order to get his cooperation and trust. 
> > I am very annoyed that Declan has not responded to repeated requests to > > remove the cleartext "Stanford University" from the parts of his Web site > > that mention me. Of course the stanford.edu, or at least net 36.190, will > > remain in the URL, but there is no reason that the link text could not say > > "Rich Graves' mirror." First Declan sent me mail saying he would respect > > my wishes, but he didn't. > > Let's get the facts right and ignore Rich's distortions. I wrote: > > "I'll honor your wishes and take your full name off." > > I did *not* write that I'd take Stanford's name off the pages. I did > take your full name off, as I said I would. This does not accurately reflect your mail. At this time, you have not removed my full name, either. > > Then a friend of mine reminded Declan of my > > request, and Declan responded with abuse. > > Your friend, Haggai Kupermintz, sent me unsolicited email demanding to > know why I didn't act on a request that was sent earlier that day. I You will find that Haggai had been Cc'd on several messages back and forth on fight-censorship, and he was Bcc'd on my original request (at the header of my message to you was a notice that it was being Bcc'd to other people at Stanford). While I don't appreciate his mommying me, I hardly consider his mail unsolicited or unwarranted, since you have still failed to honor my request. > have better things to do than leap on every demand I get, so I flamed > him. *shrug* Big deal. I didn't know a rather mild flame was "abuse." If > you don't want to be "abused," don't send me demands in unsolicited > email. (I'm glad for the sake of other "abusers" at Stanford that your > school's speech code was struck down by a California court last year.) The "speech code" was never applied to anyone, and was widely regarded to be unenforceable. I opposed it. It was a joke, yes. What were we talking about again? 
> > Declan wants me to believe that this disclaimer is enough: > > > > "Please note that the > > existence of a web site at any particular institution does not > > in any way imply endorsement. Universities and businesses > > do not take responsibility for what their community members > > or customers place online." > > > > This is clearly untrue when the person in question is a staff member, as I > > am. Were I still a student, then I could more legitimately say that I'm a > > student at Stanford, and that I have the academic freedom to post whatever > > I want; but as someone who now merely works for a living at Stanford, I do > > whatever I want by the (very) good graces of my (very good) employer. > > I don't follow. In what way is that disclaimer untrue? You *do* > represent Stanford? The concept of academic freedom doesn't apply to > staff members? If that's true, you do have a point. Then you, kadie, and I agree. I have a point. Why do you persist in identifying, in two places, a Stanford University Mirror Site? > > One mirror site was enough. The German providers would not have blocked > > stanford.edu had it remained the only mirror site. The President of > > Stanford, Gerhard Casper, is a recognized constitutional scholar from > > Germany. The Stanford Provost, Condoleezza Rice, was one of the two or > > three people most responsible for the Bush Administration's policy > > towards German Unification. Dozens of Stanford students have studied in > > Berlin. > > One mirror site may have had a limited effect, but more mirror sites > have a more significant effect. I strongly disagree. Which has more symbolic power for good, a single man standing in front of a tank in Tiananmen Square, or nuking Hiroshima and Nagasaki? It is not ethical to abuse this power we have. Especially because neither of us are students at the universities whose machines we are abusing. > The press likes a local angle, and local mirrors are giving them just > that. 
> I put a reporter from the Boston Globe in touch with the UMass
> mirror operator, and a reporter from the Philadelphia Inquirer in touch
> with the University of Pennsylvania mirror operator. I'd love to see
> mirrors in every major city for greater coverage in every major paper.
>
> If you don't understand that concept, you don't understand the way the
> media works.

I do understand the way the media works. They live on "press releases"
from "recognized authorities." Most

> So Rich, answer me this: "What articulable and demonstrable harm have
> additional mirror sites done, besides hurt your ego?"

Since my mirror site has been limited to .edu and selected other domains
for a full day, this is an odd question.

The demonstrable harm, as you now agree, is that the Ottawa Times,
http://intranet.on.ca/ott_time.html, the Stormfront-L neo-nazi list, and
so on are full of lies about how universities sympathetic to Zundel's
fight against Zionist oppression and the Holocaust Lie have jumped to his
defense.

> > This is ludicrous. I expect better from you.
>
> I'm a big fan of Tim's, and I think that while he may have been jesting,
> his comments have a serious undertone.
>
> I don't really expect to be locked up for the rest of my life in a
> German cellblock, but harassment at entry/exit points is possible.
> Perhaps probable, given that other "distributors" of Neo-Nazi spew have
> experienced just that.

No distributors. Only point sources. And as has been pointed out, they
often get off with a slap on the wrist. You have been duped by Zundel's
false claims of persecution. I bet you even bought the "Dr. Axl
Clocstein" story for a while.

> > Declan, if you don't fix up your page the way I want it by morning (please
> > note that you have three more hours of morning than I do), I will post a
> > modified (spell-checked) version of this note on my Web page, to
> > alt.censorship, and to your "fight-censorship" mailing list.
>
> Please send me in private email (or post it here if you really want)
> exactly what you want me to change.

1. As I've been saying for the last day and a half, please remove all
occurrences of the strings "Stanford" and "Graves." I hardly think that
requesting not to be so identified is egotistical.

2. While you're at it, it would be good to remove the following as well,
which does not accurately reflect the facts.

    In early January, Zundel contacted the Simon Wiesenthal Center and
    asked permission to reproduce some of their materials. He wanted to
    disprove some of their views as he had tried to rebut those of the
    Nizkor Project. (The Nizkor folks earlier had requested bidirectional
    linking. Zundel agreed to their request, heralding the experiment as
    "The Great Internet Holocaust Debate.")

Nizkor's response to this is rather prominent on their Web site.

3. Please fix this:

    January 29, 1996: This site goes online, with the help of files
    supplied by Rich (rich at c2.org), supplemented with more recent
    documents taken directly from the Zundelsite. Rich's site at Stanford
    University goes online. (Note that Rich and I mirrored the Zundelsite
    at our own initiative, not by request.)

To bolster Zundel's copyright claim against the National Alliance, please
clarify that "we" specifically requested the materials from Zundel, and
that his handler Marc uploaded them all to "one of our machines" (since
we could not have run a WebWacker on the highly overloaded webcom.com).
Also remove the string "Stanford." In any case, the files are no longer
available at Stanford.

4.

    February 1, 1996: Web Review Magazine reports on the mirror sites.

I have sent mail to Steve Pizzo and requested that he call me to correct
some false statements attributed to me.

5.

    February 1, 1996, afternoon: UMass censors mirror. Simon Wiesenthal
    Center sends letters of protest to participating mirror universities.
    Sameer announces University of California at Berkeley mirror.

Every one of these is false.

a.
The operator of the UMass mirror objects to your characterization of
what happened as "censorship," and to your posting his private mail.

b. Where is your confirmation of Simon Wiesenthal's action?

c. Sameer has not announced a UC Berkeley mirror. He specifically asked
that it not be listed because like most of us, he is beginning to have
ethical qualms.

6. On index.html you have:

    There is an apparent campaign of email and web bombing being launched
    against Zundel's site on Webcom, making it near-impossible to reach.

Do you have a source for this besides me? Well, I retract the rumor. In
fact it seems that the problem is that Zundel foolishly put a bunch of
huge RealAudio files on his page that are overloading the server.

> Rich, by now I suspect you've seen this joke, but what the hell:
>
> Q: What's a left-wing firing squad?
>
> A: Everyone stands in a circle and shoots at each other

I guess this is supposed to be something clever about how the vanguard is
supposed to discard their personal interests for the common good.

I am a member of no vanguard.

-rich

From jimbell at pacifier.com Thu Feb 1 19:10:39 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 2 Feb 1996 11:10:39 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted"
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 02:02 AM 2/1/96 -0800, Just Rich wrote:
>On Thu, 1 Feb 1996, Timothy C. May wrote:
>
>> At 7:27 AM 2/1/96, sameer wrote:
>> >> I guess Declan M. won't be visiting France or any of the other EU
>> >> countries any time soon!
>> >
>> > That reminds me of a question--
>> >
>> > If, for example, Germany decides that my company is in
>> >violation of their laws for mirroring the Zundelsite, will they send
>> >us a letter saying that, so we know not to go to Germany?
>> >> The Nebraska-based neo-Nazi publisher who was picked up in Denmark and >> extradited to Germany pretty much knew his actions were illegal in Germany, >> but I doubt (sheer speculation on my part) he had ever been formally >> notified that an arrest warrant had been issued by Germany and could be >> exercised in Denmark. >> >> The situation with Declan, Sameer, Duncan, and others, is even less clear. > >I disagree. It is clear to me that there is absolutely no cloud hanging >over us. If any German court tried to press charges against me for >posting Zendel's materials, they'd be laughed across the Argonne. Most >mainstream Jewish groups *love* me right now. Actually, I think your argument self-destructs. Tim May is right. If you take solace in the fact that "most mainstream Jewish groups *love* [you] right now," then that strongly implies that this fact (assuming, for the purposes of the argument, that your claim is true: you are loved) indicates that Jewish groups have some sort of strong input into who Germany prosecutes. This implies a political friend/foe system, which is EXACTLY the kind of indeterminacy that Tim May (and many other people) are worried about. Consider the position of a "new" person who isn't on the "mainstream Jewish groups radar" (either positive or negative) the way you claim to be. The implications of your statement is that HE would have to WORRY. YOU would be SAFE! Doesn't this bother you a bit? 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMRFzmvqHVDBboB2dAQHK3gQAobCDzSMWbGCwN9Iu8rN2Q3v1c/oxm4kh HaskQ1B2PyXVlzBwIZz8uNHWxeHLXr21mPYNTY77ScmfRp6cYF9DS+SqjvAmHI7f xxMn04bHLS5zNovvxt39fASrc5kgta+30pjDmjkjJY3ZImQw1lt68ajuRx02rDf7 Jt09GFypRS4= =hw5S -----END PGP SIGNATURE----- From sinclai at ecf.toronto.edu Thu Feb 1 19:22:01 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Fri, 2 Feb 1996 11:22:01 +0800 Subject: RC2 Source Code - Legal Warning from RSADSI In-Reply-To: Message-ID: <96Feb1.215126edt.10310@cannon.ecf.toronto.edu> > I hope that his code was not stolen, if it was actually stolen and then > released and we knew that for sure, then trade secret rights would probably > still apply. However the code was posted anonymously we do NOT know for > certain that it was MISAPPROPRIATED. As such it may have been reverse > engineered in manner that does not violate trade secrets and hence it can be > used. The burden is with RSA to prove that any one person KNEW it was > misappropriated. That is why we are seeing all these messages flying around > on the web, RSA attorneys are trying to shut the barn door after the horses > have left... The author claims that the code was disassembled. S/he credits "CodeView" which is Microsoft's debugging/disassembly tool. Of course, this could just be a cunning ruse... From EALLENSMITH at ocelot.Rutgers.EDU Thu Feb 1 19:22:02 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 2 Feb 1996 11:22:02 +0800 Subject: [NOISY] Deutsche Telekom <--> webcom.com "routing troubles" Message-ID: <01I0PPI0LL00A0UNHV@mbcl.rutgers.edu> While it fortunately seems that the German government is getting some sense, I've had one idea for future such anti-censorship efforts. It's that, despite Alta Vista and other spiders, sometimes things on the web don't get spotted by search engines very soon. 
Having information out there doesn't do much good if people who haven't
been following newsgroups, etcetera don't know about it. Rich and Declan
may have thought of this already, but I haven't seen it on cypherpunks.
There is a web page for multiple search-engine submissions at
http://www.submit-it.com/. I don't know how well it works, since I
haven't used it (yet). But it might be something to try.

-Allen

From jsw at netscape.com Thu Feb 1 19:26:57 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Fri, 2 Feb 1996 11:26:57 +0800
Subject: Visa & MC Std
In-Reply-To:
Message-ID: <31117ABA.611B@netscape.com>

Clay Olbon II wrote:
>
> At 8:25 AM 2/1/96, pj ponder wrote (much elided):
>
> >SAN FRANCISCO -- Hoping to remove a major impediment to credit card
> >transactions over the Internet, a business group led by Mastercard
> >International
> >and Visa International plans to announce an industry-standard technology
> >Thursday for protecting the security of electronic payments.
> ...
> >
> >The software standard, called Secure Electronic Transactions, or SET,
> >will permit a user to send a credit card account numbers to a merchant
> >in a scrambled
> >form.
> >
> >The scrambled number is supposed to be unintelligible to electronic
> >eavesdroppers and thieves -- and even to the merchants receiving the
> >payment.
> >
> >But a special code is supposed to enable the merchant to check
> >electronically and automatically with the bank that issued the credit
> >card to make sure that it is a
> >valid card number and that the customer is the authorized user of the
> >card. The number-scrambling part of the system is based on a well-known
> >and widely used
> >national software standard known as the Data Encryption Standard.
>
> ----------------

First a disclaimer. I have not studied the drafts of the protocol, or
been directly involved with its development. I do know a few things and
I will try to answer to the best of my abilities.
> A few pseudorandom points regarding this post:
>
> First, it seems silly to implement a separate standard that only
> works for the credit card number. What about the privacy of the rest of
> the info (what I am ordering, how much, etc.).
>
> Can (or will) this be layered with Netscape's SSL?

I don't know if the spec will specify SSL as the required transport, but
I think that our products will use it.

> How is this to be implemented? It sounds like the merchants will
> just pass the encrypted number to the credit card company. If this is the
> case, key management could become an issue. I suppose this could easily be
> implemented using public key crypto, but only DES was mentioned. If only
> DES is used and everyone uses the same DES key, that would be a valuable
> key to break!

RSA will be used in addition to DES (or perhaps something stronger).

> How about a MITM attack. Get the encrypted credit card #, and
> change the purchase amount, delivery info, etc if that is not encrypted.

There is stuff in the protocol to prevent MITM and replay attacks. I'm
not familiar with the details, but I know that they have been thinking
about these problems for a long time.

> If there is anyone on the list with more info on this, I would love to hear
> it (hopefully we will hear something from Netscape, since they are quoted
> in the article). From what I know so far, it seems like a poor compromise.

It is hard to get even the flavor of the protocol in a press release that
has been dumbed down for the general population. I believe that the spec
will be released for a public review period before it is finalized, so
you should have a chance to review it and get your comments in.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
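The tampering question Clay Olbon raises and the MITM and replay protections Jeff Weinstein mentions, as an added example that is not part of the original thread and is not the SET protocol (the thread gives no protocol details). Assumptions: HMAC-SHA256 with a constructed demo key stands in for whatever RSA-based mechanism the real specification uses, the card ciphertext is an opaque placeholder, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: stands in for a secret or signing key shared between
# the cardholder and the card issuer. Not taken from any real protocol.
ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical(order: dict) -> bytes:
    """Serialize order fields deterministically so both sides MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def bound_bytes(order: dict, card_blob: bytes, nonce: str) -> bytes:
    """Length-prefix each part so field boundaries cannot be shifted."""
    parts = [canonical(order), card_blob, nonce.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def make_payment(order: dict, card_blob: bytes, key: bytes = ISSUER_KEY) -> dict:
    """Cardholder side: bind order details, card blob and a fresh nonce together."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, bound_bytes(order, card_blob, nonce), hashlib.sha256).hexdigest()
    return {"order": dict(order), "card_blob": card_blob, "nonce": nonce, "tag": tag}


class Issuer:
    """Issuer side: decides whether a payment message forwarded by a merchant is valid."""

    def __init__(self, key: bytes = ISSUER_KEY):
        self.key = key
        self.seen_nonces = set()

    def authorize_unbound(self, msg: dict) -> str:
        # Weak design from the question: only the card number is protected,
        # so the order fields are accepted exactly as they arrive.
        return "approved" if msg["card_blob"] else "rejected: no card"

    def authorize_bound(self, msg: dict) -> str:
        expected = hmac.new(
            self.key,
            bound_bytes(msg["order"], msg["card_blob"], msg["nonce"]),
            hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison; any change to amount, address or card blob fails here.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: order or card data altered"
        # A valid message seen before is a replay, even though its tag verifies.
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        return "approved"


def demo() -> dict:
    """Run the genuine, altered and replayed cases against both designs."""
    order = {"merchant": "example-books", "amount_cents": 1999, "ship_to": "original address"}
    card_blob = b"<ciphertext of card number, opaque placeholder>"
    issuer = Issuer()
    msg = make_payment(order, card_blob)

    # Same card blob and tag, but order fields changed in transit (constructed values).
    altered_order = dict(msg["order"], amount_cents=199900, ship_to="different address")
    altered = dict(msg, order=altered_order)

    return {
        "unbound_altered": issuer.authorize_unbound(altered),
        "bound_altered": issuer.authorize_bound(altered),
        "bound_genuine": issuer.authorize_bound(msg),
        "bound_replayed": issuer.authorize_bound(msg),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point carried by the example is that confidentiality of the card number alone says nothing about the amount or delivery address; those need to be covered by the same integrity check, together with a per-transaction value that the verifier remembers.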
From ses at tipper.oit.unc.edu Thu Feb 1 19:31:55 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Fri, 2 Feb 1996 11:31:55 +0800
Subject: Prediction about new credit card number scheme
In-Reply-To:
Message-ID:

On Thu, 1 Feb 1996, Thomas Grant Edwards wrote:

>
> >By JOHN MARKOFF SAN FRANCISCO --
> >Hoping to remove a major impediment to credit card transactions over the
> >Internet, a business group led by Mastercard International and Visa
> >International plans to announce an industry-standard technology Thursday
> >for protecting the security of electronic payments.
>
> My prediction about the new CC standard: it will be a mistake if they
> don't pass on the details to cypherpunks.
>
> BTW - are any micropayment schemes revving up to commerciality yet???
>
> -Thomas
>
>
>
>
>

(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))

From jsw at netscape.com Thu Feb 1 19:35:56 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Fri, 2 Feb 1996 11:35:56 +0800
Subject: Prediction about new credit card number scheme
In-Reply-To:
Message-ID: <31117E58.6F16@netscape.com>

Thomas Grant Edwards wrote:
>
> >By JOHN MARKOFF SAN FRANCISCO --
> >Hoping to remove a major impediment to credit card transactions over the
> >Internet, a business group led by Mastercard International and Visa
> >International plans to announce an industry-standard technology Thursday
> >for protecting the security of electronic payments.
>
> My prediction about the new CC standard: it will be a mistake if they
> don't pass on the details to cypherpunks.

I believe that there will be a public review period.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
From nsb at nsb.fv.com Thu Feb 1 20:45:36 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Fri, 2 Feb 1996 12:45:36 +0800
Subject: C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
In-Reply-To:
Message-ID:

Excerpts from mail.cypherpunks: 30-Jan-96 Re: Apology and clarification Jamie Zawinski at netscape. (4170*)

> Nathaniel Borenstein wrote:
> >
> > What we at FV have done is to demonstrate how easy it is to develop a
> > FULLY AUTOMATED attack that undermines the security of all
> > software-based credit card commerce schemes.
> You have done no such thing. You have written *one component* of that
> attack, and the easiest part of it at that.
> Combine it with a virus, or self-replicating worm, and demonstrate that
> it is immune to all known virus checkers, and *then* you will have
> spoken the truth when you say you have "demonstrated" anything.

This is a particularly fascinating reaction, Jamie. As I see it, we have implemented every part of the attack that we can implement without doing anything that is either unethical or illegal. Is it your position that no systematic flaw in your security is real until someone has actually broken it?

Actually, that position would in fact be quite consistent with your company's earlier implicit assertion that 40-bit encryption was sufficient (for international consumers) until somebody actually broke it, even though everyone who understood cryptography already knew otherwise.

> You may think this is nitpicking, but the fact is, you're assuming that
> the implicit cooperation of some vast number of users in running your
> program is easy to obtain. I disagree with this assumption. If this
> assumption were true, then viruses would be a much bigger problem than
> the mere annoyance that they are today.

Nearly everyone with a computer has either been infected with a virus or knows somebody who has. There has never been a serious financial incentive for virus writers in the past, so they haven't ever been, for example, bankrolled by organized crime. They've been written by sociopathic hobbyists in the past. Your commerce mechanism gives them an incentive to turn pro. The average sophistication of Internet users is dropping every day, as the net continues to explode, and the ease of spreading malicious software is going up accordingly.

Having said all that, I do agree with you 100% that the hardest part of the devastating, automated attack that we have outlined is in fact the infection vector. You are absolutely right about that. What we have shown is that the HARDEST part of stealing an unbounded number of credit cards transmitted using your company's preferred commerce mechanism is, in fact, the deployment of a virus or Trojan Horse. Unfortunately, as most personal computer users have long since realized, that just isn't that uncommon or hard to do.

> *Computers* provide a path to large-scale fraud. So does the printing
> press. So does the telephone, and the postal system. So what. You
> still haven't proven that it's easy.

I suspect that the world's financial institutions will, by and large, be grateful that First Virtual doesn't share your belief that one has to wait for a criminal to break a system to be convinced that it is insecure. Show me an automated way to break the postal system in a large-scale way without getting caught, and then I'll be worried about it, too.

> With as much work as you've put into this, someone could write a
> Microsoft Word document which when opened, would start dumping the
> contents of your hard disk into the mail.

Ooh, good point. We could probably use MS Word macros as the infection vector for our program. I like that idea. I'll add it to our list of potential ways this program could spread itself.

However, the entire contents of your hard disk aren't of direct economic value. They're also hard to digest, and they're big enough to be likely to be noticed in transit (e.g. they can easily fill up mail spools if you mail 'em out). I'd much rather sift through your hard disk looking for credit card numbers, and then spirit them quietly off your machine. But I'd also install a keystroke sniffer if I suspected the user might be using your preferred mechanism to send out his credit card number.

> It's not a matter of possibility. It's a matter of probability, and
> risk management. It's unlikely enough that I'm not afraid of using my
> credit card on the net. Tell me my credit card number, and I'll change
> my mind.

Hey, you're a smart guy. That probably means your machine is relatively hard to infect. A criminal would skip you and instead target the millions of consumers who were more easily infected. I didn't describe a scheme that could target one individual's credit card. I described a scheme that could steal millions of them indiscriminately.

> All a banker needs to know is the amount of risk associated with the
> thing in which they are investing; they don't need to know how keyboard sniffers work.

The "trust us, we're experts" approach to security is only as good as the experts you trust, as you've just amply demonstrated. For my part, I'm happy to let the bankers hire independent experts to study the attack we've outlined and reach their own conclusions.

-- Nathaniel
--------
Nathaniel Borenstein
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com

From wlkngowl at unix.asb.com Thu Feb 1 21:23:59 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Fri, 2 Feb 1996 13:23:59 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602020507.AAA23639@UNiX.asb.com>

On Thu, 1 Feb 1996 20:00:50 -0600, you wrote:

> Ya know... This is getting old! It seems like RSA Data
>Security can't control their own site. It only seems like yesterday

That has nothing to do with it.
What they (or anyone else) can't control is disassembling the code.... which is apparently where it comes from.

>(actually about 2 years ago) that another one of their "RC" algorithms

Actually, about a year and a half ago...

From nelson at santafe.edu Thu Feb 1 21:51:52 1996
From: nelson at santafe.edu (Nelson Minar)
Date: Fri, 2 Feb 1996 13:51:52 +0800
Subject: Noise and the Nature of Mailing Lists
In-Reply-To:
Message-ID: <9602010503.AA06841@sfi.santafe.edu>

tcmay at got.net (Timothy C. May) writes:
>And remember, it's a whole lot easier using filters and reading tools to
>reduce the volume of messages on an active group than it is to get an
>inactive group up to critical mass!

Yes, definitely! I'm sending this note to remind people that they can also read Cypherpunks via NNTP, at
nntp://nntp.hks.net/hks.lists.cypherpunks/

There are several programs that can read newsgroups on other NNTP servers. I use Emacs Gnus, which has an excellent set of filtering tools. Cypherpunks would be a lot harder to read without it. It'd be easier to read if everyone preserved the References: headers, btw.

(thanks, hks.net!)

From jsw at netscape.com Thu Feb 1 21:53:42 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Fri, 2 Feb 1996 13:53:42 +0800
Subject: FV, Netscape and security as a product
In-Reply-To: <199601311753.JAA18008@darkwing.uoregon.edu>
Message-ID: <311043FF.186A@netscape.com>

Greg Broiles wrote:
> Netscape and FV have both taken a
> "security is a product" stance, which is a gross misrepresentation.

We are definitely moving away from the "security is a product" stance that you mention. It was definitely overdone in the early days of the product, but after the security bugs of the summer I and others were able to convince marketing that they should back off.

I want it to be clear what our product can and can not do. For example, SSL can only protect data in transit between two machines. If either machine is compromised then the data can be stolen at that end. Our product does not attempt to secure the user's machine, and can not operate securely on an insecure machine. Expect to see warnings and disclaimers of this nature from us in the future.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

From attila at primenet.com Thu Feb 1 22:09:54 1996
From: attila at primenet.com (attila)
Date: Fri, 2 Feb 1996 14:09:54 +0800
Subject: Freedom of speech question...
In-Reply-To: <199602012012.OAA00279@einstein.ssz.com>
Message-ID:

Jim's point is particularly valid in the U.S. --Congress (and the states) pass statutes that preempt the actual commission of the crime, or as Jim phrased it: for what might result.

The enabling clause is "conspiracy" which is best defined by: three men are getting stinking drunk in a bar across from a bank; one suggests they rob the bank, and they sit there drinking and planning. when they depart, one man passes out on the floor; the other two, of course, are arrested while in the act --but the police also arrested the sleeping drunk. Why?

Title 18 US ---- ...any one who commits, or conspires to commit, the crime of (insert your favourite), shall be charged with a felony....

conspiring to commit a crime, executed or not, is the same under U.S. law as committing the crime. --welcome to America.

In the civil courts of Europe, you either committed the crime, or you did not. conspiracy does not count in a civil law case.

On Thu, 1 Feb 1996, Jim Choate wrote:

>
> It is a commonly held belief that shouting 'fire' in a crowded theatre is a
> crime because of the potential for harm to persons and property. It is one
> of the most common examples given for limiting freedom of speech even though
> the Constitution says "Congress shall make no law...". This view is proposed
> as a equally valid rationale for limiting crypto, virus technology, drugs,
> etc.
>
> My question to the list is would it be a crime if you were alone in the
> theatre? If you developed a virus and didn't distribute it would that be a
> crime? If you give it to one person is it a crime? How about if you give it
> to millions? How many people must know a fact, posses source code or
> executable. In short, does freedom of speech rest on how many people are
> aware of your expression?
>
> My position is that if you answer in the affirmative then you are basically
> stating there is no freedom of speech. It should be perfectly permissible
> to shout 'fire' in a theatre filled to the brim. If anyone takes you
> seriously and is harmed then you should be liable for the damage. Your right
> to shout 'fire' is not relevant. If you accept the premise then what you are
> buying into is preemptive justice, in short judging somebody guilty by what
> they might do, not what they have done. If this is permitted then we have a
> serious problem in that any person is therefore guilty of whatever crime is
> desired.
>
>
>
>

__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....
There is no safety this side of the grave. Never was; never will be.

From adam at rosa.com Thu Feb 1 22:14:14 1996
From: adam at rosa.com (Adam philipp)
Date: Fri, 2 Feb 1996 14:14:14 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <05390275000371@compuvar.com>

At 09:51 PM 2/1/96 -0500, you wrote:
>The author claims that the code was disassembled. S/he credits "CodeView"
>which is Microsoft's debugging/disassembly tool. Of course, this could
>just be a cunning ruse...

Although it has not been completely settled that disassembly is a legitimate form of reverse engineering, the trend has been to consider the two equivalent. So, whoever posted RC2 had at least a good idea of how to present it. I don't think it would be a good idea for them to come out and sue RSA for libel for the accusation that it was misappropriated however.

Adam, Esq.

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|PGP key available on my home page|Unauthorized interception violates |
|  http://XXXXXXXXXXXXXXXXX/adam  |federal law (18 USC Section 2700 et|
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.). In any case, PGP encrypted  |
|SUB ROSA...                      |communications are preferred for   |
| (see home page for definition)  |sensitive materials.               |
\-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/

From attila at primenet.com Thu Feb 1 22:15:51 1996
From: attila at primenet.com (attila)
Date: Fri, 2 Feb 1996 14:15:51 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted"
In-Reply-To:
Message-ID:

Rich:

if you want to indulge in personal rants and vendettas, take it to personal mail. secondly, you are slamming someone without the decency or courtesy to even copy him.

the whole Zundel thing is completely off the concept unless maybe a mention that Germany is trying to deny free speech rights to Zundel. The man is entitled to his fifteen minutes in the sunlight, no matter how despicable he may be. everybody publicizing Zundel only extends his fifteen minutes in the sun.

anyway, Rich, you are being childish. I have two daughters who are always at each other's throats for something, but even a 10 year old is not as petty as your pouting. why in the world would you even want to claim Zundel's trash? check the mirror for the fool.

[ BTW, if I were a sysadmin, I would not cut his service, but I sure as hell would not encourage it. ]

let's all have a nice day!
attila [ the peacemaker ]

On Thu, 1 Feb 1996, Rich Graves wrote:

> On Thu, 1 Feb 1996, Declan B. McCullagh wrote:
>
> > Excerpts from internet.cypherpunks: 1-Feb-96 Tim's paranoid rant about
> > D.. by Just Rich at c2.org
> > > I disagree. It is clear to me that there is absolutely no cloud hanging
> > > over us. If any German court tried to press charges against me for
> > > posting Zundel's materials, they'd be laughed across the Argonne. Most
> > > mainstream Jewish groups *love* me right now.
> > >
> > > I find it curious, and I am beginning to get a little annoyed, that my
> > > name is rarely mentioned, though I set up the first mirror, and Declan got
> > > the files from me.
> >
> > So you're getting pissy that you're not The Only Zundel Mirror. Big
> > fucking deal. Get over it. The more the better.
> >
> > I find it telling that you wrote me mail demanding that I alter my web
> > pages to your satisfaction or you'll smear me in the press, since your
> > web site (you informed me) is going to be featured in the next issue of
> > TIME, Internet World, and the San Francisco Chronicle.
> >
> > Hey, guy, kudos to you. Glad to hear it. Smear the fuck away.
>
> This does not accurately represent what I said, and it certainly does not
> represent what I have done. You are still identified as "My friend
> Declan," and I recommend that people visit your site.
>
> I actually would have appreciated it if you had crowed, or at least
> shared, your media contacts. For example, I only just now found out about
> Steve Pizzo's poorly researched article in Web Review, where he presents
> as my views deliberate lies that I told Zundel in order to get his
> cooperation and trust.
>
> > > I am very annoyed that Declan has not responded to repeated requests to
> > > remove the cleartext "Stanford University" from the parts of his Web site
> > > that mention me. Of course the stanford.edu, or at least net 36.190, will
> > > remain in the URL, but there is no reason that the link text could not say
> > > "Rich Graves' mirror." First Declan sent me mail saying he would respect
> > > my wishes, but he didn't.
> >
> > Let's get the facts right and ignore Rich's distortions. I wrote:
> >
> > "I'll honor your wishes and take your full name off."
> >
> > I did *not* write that I'd take Stanford's name off the pages. I did
> > take your full name off, as I said I would.
>
> This does not accurately reflect your mail. At this time, you have not
> removed my full name, either.
>
> > > Then a friend of mine reminded Declan of my
> > > request, and Declan responded with abuse.
> >
> > Your friend, Haggai Kupermintz, sent me unsolicited email demanding to
> > know why I didn't act on a request that was sent earlier that day. I
>
> You will find that Haggai had been Cc'd on several messages back and forth
> on fight-censorship, and he was Bcc'd on my original request (at the
> header of my message to you was a notice that it was being Bcc'd to other
> people at Stanford). While I don't appreciate his mommying me, I hardly
> consider his mail unsolicited or unwarranted, since you have still failed
> to honor my request.
>
> > have better things to do than leap on every demand I get, so I flamed
> > him. *shrug* Big deal. I didn't know a rather mild flame was "abuse." If
> > you don't want to be "abused," don't send me demands in unsolicited
> > email. (I'm glad for the sake of other "abusers" at Stanford that your
> > school's speech code was struck down by a California court last year.)
>
> The "speech code" was never applied to anyone, and was widely regarded to
> be unenforceable. I opposed it. It was a joke, yes.
>
> What were we talking about again?
>
> > > Declan wants me to believe that this disclaimer is enough:
> > >
> > > "Please note that the
> > > existence of a web site at any particular institution does not
> > > in any way imply endorsement. Universities and businesses
> > > do not take responsibility for what their community members
> > > or customers place online."
> > >
> > > This is clearly untrue when the person in question is a staff member, as I
> > > am. Were I still a student, then I could more legitimately say that I'm a
> > > student at Stanford, and that I have the academic freedom to post whatever
> > > I want; but as someone who now merely works for a living at Stanford, I do
> > > whatever I want by the (very) good graces of my (very good) employer.
> >
> > I don't follow. In what way is that disclaimer untrue? You *do*
> > represent Stanford? The concept of academic freedom doesn't apply to
> > staff members? If that's true, you do have a point.
>
> Then you, kadie, and I agree. I have a point. Why do you persist in
> identifying, in two places, a Stanford University Mirror Site?
>
> > > One mirror site was enough. The German providers would not have blocked
> > > stanford.edu had it remained the only mirror site. The President of
> > > Stanford, Gerhard Casper, is a recognized constitutional scholar from
> > > Germany. The Stanford Provost, Condoleezza Rice, was one of the two or
> > > three people most responsible for the Bush Administration's policy
> > > towards German Unification. Dozens of Stanford students have studied in
> > > Berlin.
> >
> > One mirror site may have had a limited effect, but more mirror sites
> > have a more significant effect.
>
> I strongly disagree.
>
> Which has more symbolic power for good, a single man standing in front of
> a tank in Tiananmen Square, or nuking Hiroshima and Nagasaki?
>
> It is not ethical to abuse this power we have. Especially because neither
> of us are students at the universities whose machines we are abusing.
>
> > The press likes a local angle, and local mirrors are giving them just
> > that. I put a reporter from the Boston Globe in touch with the UMass
> > mirror operator, and a reporter from the Philadelphia Inquirer in touch
> > with the University of Pennsylvania mirror operator. I'd love to see
> > mirrors in every major city for greater coverage in every major paper.
> >
> > If you don't understand that concept, you don't understand the way the
> > media works.
>
> I do understand the way the media works. They live on "press releases"
> from "recognized authorities." Most
>
> > So Rich, answer me this: "What articulable and demonstrable harm have
> > additional mirror sites done, besides hurt your ego?"
>
> Since my mirror site has been limited to .edu and selected other domains
> for a full day, this is an odd question.
>
> The demonstrable harm, as you now agree, is that the Ottawa Times,
> http://intranet.on.ca/ott_time.html, the Stormfront-L neo-nazi list, and
> so on are full of lies about how universities sympathetic to Zundel's
> fight against Zionist oppression and the Holocaust Lie have jumped to his
> defense.
>
> > > This is ludicrous. I expect better from you.
> >
> > I'm a big fan of Tim's, and I think that while he may have been jesting,
> > his comments have a serious undertone.
> >
> > I don't really expect to be locked up for the rest of my life in a
> > German cellblock, but harassment at entry/exit points is possible.
> > Perhaps probable, given that other "distributors" of Neo-Nazi spew have
> > experienced just that.
>
> No distributors. Only point sources. And as has been pointed out, they
> often get off with a slap on the wrist.
>
> You have been duped by Zundel's false claims of persecution. I bet you
> even bought the "Dr. Axl Clocstein" story for a while.
>
> > > Declan, if you don't fix up your page the way I want it by morning (please
> > > note that you have three more hours of morning than I do), I will post a
> > > modified (spell-checked) version of this note on my Web page, to
> > > alt.censorship, and to your "fight-censorship" mailing list.
> >
> > Please send me in private email (or post it here if you really want)
> > exactly what you want me to change.
>
> 1. As I've been saying for the last day and a half, please remove all
> occurrences of the strings "Stanford" and "Graves." I hardly think that
> requesting not to be so identified is egotistical.
>
> 2. While you're at it, it would be good to remove the following as well,
> which does not accurately reflect the facts.
>
> In early January, Zundel contacted the Simon Wiesenthal Center and asked
> permission to reproduce some of their materials. He wanted to disprove
> some of their views as he had tried to rebut those of the Nizkor Project.
> (The Nizkor folks earlier had requested bidirectional linking. Zundel
> agreed to their request, heralding the experiment as "The Great Internet
> Holocaust Debate.")
>
> Nizkor's response to this is rather prominent on their Web site.
>
> 3. Please fix this:
>
> January 29, 1996: This site goes online, with the help of files supplied
> by Rich (rich at c2.org), supplemented with more recent documents taken
> directly from the Zundelsite. Rich's site at Stanford University goes
> online. (Note that Rich and I mirrored the Zundelsite at our own
> initiative, not by request.)
>
> To bolster Zundel's copyright claim against the National Alliance, please
> clarify that "we" specifically requested the materials from Zundel, and
> that his handler Marc uploaded them all to "one of our machines" (since we
> could not have run a WebWacker on the highly overloaded webcom.com). Also
> remove the string "Stanford." In any case, the files are no longer
> available at Stanford.
>
> 4. February 1, 1996: Web Review Magazine reports on the mirror sites.
>
> I have sent mail to Steve Pizzo and requested that he call me to correct
> some false statements attributed to me.
>
> 5. February 1, 1996, afternoon: UMass censors mirror. Simon Wiesenthal
> Center sends letters of protest to participating mirror universities.
> Sameer announces University of California at Berkeley mirror.
>
> Every one of these is false.
>
> a. The operator of the UMass mirror objects to your characterization of
> what happened as "censorship," and to your posting his private mail.
>
> b. Where is your confirmation of Simon Wiesenthal's action?
>
> c. Sameer has not announced a UC Berkeley mirror. He specifically asked
> that it not be listed because like most of us, he is beginning to have
> ethical qualms.
>
> 6. On index.html you have:
>
> There is an apparent campaign of email and web bombing being launched
> against Zundel's site on Webcom, making it near-impossible to reach.
>
> Do you have a source for this besides me? Well, I retract the rumor. In
> fact it seems that the problem is that Zundel foolishly put a bunch of
> huge RealAudio files on his page that are overloading the server.
>
> > Rich, by now I suspect you've seen this joke, but what the hell:
> >
> > Q: What's a left-wing firing squad?
> >
> > A: Everyone stands in a circle and shoots at each other
>
> I guess this is supposed to be something clever about how the vanguard is
> supposed to discard their personal interests for the common good.
>
> I am a member of no vanguard.
>
> -rich
>

__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

To be a ruler of men, you need at least 12 inches....
There is no safety this side of the grave. Never was; never will be.
From tedwards at Glue.umd.edu Thu Feb 1 22:24:37 1996
From: tedwards at Glue.umd.edu (Thomas Grant Edwards)
Date: Fri, 2 Feb 1996 14:24:37 +0800
Subject: Telecom Bill may makes abortion talke illegal on the net...
Message-ID:

Sec. 507 of the Telecom Bill Amends Section 1462 of title 18 of the U.S. Code (Chapter 71), in ways which may make sending the following over the Internet illegal:

o any text, graphic, or sound that is lewd, lascivious, or filthy

o any information telling about how to obtain or make abortions and drugs, or obtaining or making anything that is for indecent or immoral use

Here is Section 1462 as Amended: (Telecom bill changes in "<" and ">"):

Section 1462. Importation or transportation of obscene matters

Whoever brings into the United States, or any place subject to the jurisdiction thereof, or knowingly uses any express company or other common carrier , for carriage in interstate or foreign commerce -

(a) any obscene, lewd, lascivious, or filthy book, pamphlet, picture, motion-picture film, paper, letter, writing, print, or other matter of indecent character; or

(b) any obscene, lewd, lascivious, or filthy phonograph recording, electrical transcription, or other article or thing capable of producing sound; or

(c) any drug, medicine, article, or thing designed, adapted, or intended for producing abortion, or for any indecent or immoral use; or any written or printed card, letter, circular, book, pamphlet, advertisement, or notice of any kind giving information, directly or indirectly, where, how, or of whom, or by what means any of such mentioned articles, matters, or things may be obtained or made; or

Whoever knowingly takes , from such express company or other common carrier any matter or thing the carriage of which is herein made unlawful -

Shall be fined not more than $5,000 or imprisoned not more than five years, or both, for the first such offense and shall be fined not more than $10,000 or imprisoned not more than ten years, or both, for each such offense thereafter.

-----------

Here is the text which adds the interactive computer service part in the Telecom Bill:

SEC. 507. CLARIFICATION OF CURRENT LAWS REGARDING COMMUNICATION OF OBSCENE MATERIALS THROUGH THE USE OF COMPUTERS.

(a) Importation or Transportation.--Section 1462 of title 18, United States Code, is amended--
    (1) in the first undesignated paragraph, by inserting ``or interactive computer service (as defined in section 230(e)(2) of the Communications Act of 1934)'' after ``carrier''; and
    (2) in the second undesignated paragraph--
        (A) by inserting ``or receives,'' after ``takes'';
        (B) by inserting ``or interactive computer service (as defined in section 230(e)(2) of the Communications Act of 1934)'' after ``common carrier''; and
        (C) by inserting ``or importation'' after ``carriage''.

-----------

Media Notes:

USAToday 02/01/96 - 07:37 PM ET
http://www.usatoday.com/news/washdc/ncs16.htm
Telecommunications deregulation breaks down electronic walls

"At one point, the debate veered off on abortion. Seeing a ''high-tech gag rule,'' Rep. Nita Lowey, D-N.Y., joined by Pat Schroeder, D-Colo., and several other women lawmakers, asserted the anti-pornography provisions would outlaw discussions about abortion over the Internet, the global computer network. Rep Henry Hyde, R-Ill., a leading abortion foe, assured members that nothing in the bill suggested any restrictions on discussions about abortion."

Well, Henry Hyde was right - nothing in the bill suggests restrictions on abortion discussion - the restrictions are in Title 18 of the U.S. Code, which now includes computer networks.

-----------

Thanks to the Cornell Law School Legal Information Institute (http://www.law.cornell.edu/) and the Alliance for Competitive Communications (http://www.bell.com/) for source text.

-Thomas Edwards

From nobody at REPLAY.COM Thu Feb 1 22:50:47 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Fri, 2 Feb 1996 14:50:47 +0800
Subject: Nu?
Message-ID: <199602020603.HAA11792@utopia.hacktic.nl>

Tim May, 2/1/96, 10:39:

> * I believe that much of "Jewish culture" is, for historical reasons,
> closely related to German culture. It is understandable that so many Jews
> hate Germans and German culture, but also sad. (I don't mean the newer
> Israeli/Hebrew culture, but the Yiddish/German culture, which was so shaken
> by the Holocaust that, sadly in my opinion, it cannot acknowledge its
> essential Germanness.)

We have an old saying, Tim, "Nisht geshtoygen, nisht gefloygen," which more or less means "You're making no sense" - literally, "You're not standing, you're not flying." I'll bow to you on CP-related matters any day, but on the subject of Yiddish culture you're clearly pretty clueless. No great loss, I assure you.

ObCrypto: Reputations are subject-specific, not global. Your reputation on the Holocaust is nil, about the same as my relatives' (the ones with the funny striped suits and tattoos on their forearms) reputations are on the subject of encryption.

Stick to crypto, folks - this isn't Shoah-punks.

From rishab at best.com Thu Feb 1 23:14:50 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Fri, 2 Feb 1996 15:14:50 +0800
Subject: Domain hijacking, InterNIC loopholes
In-Reply-To: <199602010926.EAA19923@amsterdam.lcs.mit.edu>
Message-ID: <199602011457.GAA29387@shellx.best.com>

David Mazieres wrote:
> I don't think Domain hijacking is a terribly big threat. First of
> all, the modification process isn't fully automated. Second of all,
> it takes several weeks for the changes to go through. Before the

My new ISP got the domain modified in a day, or so. The process _is_ automated, as long as you follow the template perfectly.

> changes go through, the internic sends out mail to a bunch of people,
> including all previous administrators and administrators of all
> domains which contain old or new nameservers.

More to the point, the InterNIC informs all the major nameservers (such as ns.nasa.gov and all those that mirror ns.internic.net). Obviously. Without that, how would anyone know where to find your domain (even if 'hijacked')?

But I never did say domain hijacking was a security threat - unlike spoofing, this can't in itself compromise your systems. But, as the InterNIC admits, it can have "serious consequences" on commercial organisations, for whom the loss of net presence for even a day could be considerable.

> Thus, I'd say the domain modification process is slightly more secure
> than First Virtual :-) :-) :-). It relies on the security of the
> network routers and existing nameservers, and requires one or more
> active attacks or viruses to defeat. Probably your best is to wait

You obviously didn't get the point. There are no routers involved at all, or even nameservers. The Internet domain registry structure (unlike much else) is strictly hierarchic - the InterNIC is the source of all. Modify the InterNIC record, and the new record is official, and will be promptly accepted by all the nameservers that bother to track these things.

> for as many as possible of the relevant sysadmins to go on vacation,
> and then mail-bomb the rest so hard they end up not reading all of
> their real E-mail. Then again, there's always the possibility that
> the domain administrator knows how to use procmail...

Again, whether the sysadmin eventually catches on is not the point. Unless the hijacker is exceptionally sophisticated (by, for example, not interrupting but only intercepting web and mail traffic) and the victim exceptionally stupid, the truth will be known soon. But perhaps not soon enough for, say, Hotwired or Yahoo who can't afford to go down.

To drive my point home: suppose the owners of www.howtired.com (yes, it does exist) were to hijack hotwired.
Further suppose that they mirrored (or otherwise replicated) hotwired's content, displaying it to users with some nasty changes, and filtering out all complaint mail. One assumes HotWired's admins are savvy enough to think of this, but you never know, and if they took a few days or more over fixing it, it would not be nice for them. Of course, their lawyers wouldn't make it nice for howtired either, if they had their address, and it wasn't in ... China! Rishab From declan+ at CMU.EDU Thu Feb 1 23:37:57 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 2 Feb 1996 15:37:57 +0800 Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...] In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 2-Feb-96 Re: Tim's paranoid rant abo.. by attila at primenet.com > if you want to indulge in personal rants and vendettas, take it to > personal mail. secondly, you are slamming someone without the > decency or courtesy to even copy him. Yeah, I don't particularly enjoy rants, but I engage in them myself occasionally, so I'm willing to cut Rich some slack. We've since mended fences and we're working in the same direction. I had thought his initial actions were slightly irrational, but now I know him a bit better, I think. Both of us are working in good faith, and that's what's important here. In particular, the NeoNazi slime are really starting to piss of both of us. Can anyone say "defamation," on this fascist's darling little page at Georgia State: [ http://www.gsu.edu/~hisjwbx/ZUNDEL ] > This is a mirror archive of most of Ernst Zundel's holocaust >revisionist site. I DO agree with his views. I ALSO ^^ ^^^^ > agree with his right to express them. There is an apparent campaign >of email and web bombing being launched > againt Zundel's site on Webcom, making it near-impossible to reach. >Germany has forced Deutsche Telekom to > censor access to his site by URL. 
This mirror archive exists to >demonstrate the folly and the danger of Internet > censorship. > > Read more about these attempts at censorship. > > -Declan McCullagh, declan at well.com, 1/29/96 ^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^ Now, this guy copied that file from my web site. Fine -- it was up for FTP. But editing my comments to *support* Neo-Nazis and leaving my name is just fucking too much. I've sent him polite mail requesting a change. We'll see what happens. Cypherpunk relevance? Authentication for web pages. There's no reason for a reasonable person to believe, at first glance, that I was *not* the author. Perhaps someone has suggested this before, but should a web browser's functionality be extended to support authentication via an automated PGP-type mechanism? Using comments, possibly. I guess I'm just pissed over this attribution of Zundelscheistenviews to me, but has anyone else run into such a problem? (Legal threats and complaints to sysadmins are of course another alternative...) -Declan From jya at pipeline.com Fri Feb 2 00:06:57 1996 From: jya at pipeline.com (John Young) Date: Fri, 2 Feb 1996 16:06:57 +0800 Subject: Tivoli Message-ID: <199602011802.NAA24147@pipe3.nyc.pipeline.com> Mike, Is it fair to assume that it's your Tivoli that's in the NYT and WSJ today, bought by IBM? If so, congrats on never again having to sell your body for everlasting fame and glory. Envious From anonymous-remailer at shell.portal.com Fri Feb 2 00:11:30 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Fri, 2 Feb 1996 16:11:30 +0800 Subject: Alien factoring breakthroughs Message-ID: <199602020747.XAA15564@jobe.shell.portal.com> Came across this little gem on the web the other day. I thought I'd post it - it's as sensible as most of the crap here. Yours conspiratorially, Noddy. 
----------------------------------------------------------------------------
From: remallin at dorsai.dorsai.org (Richard Mallinson)
Newsgroups: alt.conspiracy, alt.alien.visitors, sci.math, alt.politics.org.nsa
Subject: The Grays' involvement in cryptography and national security
Date: 25 Jan 1994 07:05:10 GMT
Summary: How the NSA has got help from extraterrestrials
----------------------------------------------------------------------------

One thing that the NSA will not reveal is the magnitude of their advancement in theoretical mathematics and cryptography. It is estimated that the NSA is about 200 years ahead of the rest of the world in mathematical theory. This not only allows them to break any code devised outside of the NSA, but to devise codes which cannot be broken.

A tiny part of this advancement is due to an intensive mathematics research program commenced in the 1960s. Fermat's Last Theorem was proven conclusively in 1964, but only those in the NSA know of it. Some 2,000 theorems and lemmas, all numbered and classified, have arisen. At least a dozen branches of theoretical mathematics such as flag theory, superspace theory, interstice theory, match theory and quantum logic have been developed, and yet not only has the outside world never heard of them, but the NSA has been deliberately inserting disinformation into textbooks, research papers, et cetera to keep everybody else off the trail.

Most of this advancement has been achieved with outside help. In 1973, during the Nixon Administration, the NSA hooked up with the Jason Society, the top-secret body that liaises with the extraterrestrial beings known as the Grays. This gave them an immediate infusion of mathematical theory, as the grays have developed mathematics to a level which we cannot completely comprehend. In return, the grays were given two more bases in New Mexico and a 15% increase in the number of people that they may abduct per year for analysis and extraction of vital fluids.
The Grays have reneged on their abduction quota agreement, and are abducting many more people than before. Most of these are returned, after being implanted with a device which allows the grays to have total control over their thoughts and actions. Approximately 40% of Americans now carry one of these devices, which are impossible to remove without killing the host.

Richard E. Mallinson
----------------------------------------------------------------------------

From anon-remailer at utopia.hacktic.nl Fri Feb 2 00:15:04 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Fri, 2 Feb 1996 16:15:04 +0800
Subject: No Subject
Message-ID: <199602010400.FAA16774@utopia.hacktic.nl>

Are anon remailers the only way to send anon email without giving up the source even though an organization has a wealth of dough/technology and several class B addresses? Couldn't they just trick their mail servers or would a nslookup/whois defeat that? And are nym accounts the only way to receive email without giving up who the intended recipient of the mail/news post actually is?

From sjb at universe.digex.net Fri Feb 2 00:40:38 1996
From: sjb at universe.digex.net (Scott Brickner)
Date: Fri, 2 Feb 1996 16:40:38 +0800
Subject: noise levels
In-Reply-To: <199601190051.RAA28314@nagina.cs.colorado.edu>
Message-ID: <199601312323.SAA05263@universe.digex.net>

Bryce writes:
>Perry, I quite agree with you. I am having a very difficult
>time wading through cpunks, and I am currently reduced to
>grepping for my name, and then picking out a topic or two by
>subject line before junking 95% of the posts. Since you have
>such enthusiasm for solving the noise problem I suggest that we
>do the following:

I have an expansion on this. Why not generalize the problem to create a group rating system?

Anyone who wants to can send ratings messages (rating each message on a scale of one to five, one meaning "what total crap" and five meaning "what a useful piece of information") to the ratings server.
The server maintains the ratings for each message by sender. Client software can retrieve the ratings added since a given time and use this information with the ratings assigned by the user to generate compatibility profiles indicating with which raters the user tends to agree, and provide ratings on all messages based on it. The user can then have anything lower than his tolerance threshold automatically deleted.

This is patterned after a newsgroup collaborative filtering tool I read a paper on not too long ago. I can't find that reference, but has an open architecture design for a ratings server.

Ideally, one would modify MUAs to recognize an "X-Ratings-To:" header to tell where ratings messages should be sent, and the list server would add that to all outgoing messages. The MUA would present the ratings buttons when displaying messages containing "X-Ratings-To:" headers and automatically generate and send the rating when the user pushed a button.

The beauty of this is that it works for *any* mailing list that has an associated ratings server. It allows anyone with the appropriate MUA to ignore those conspiracypunks boneheads almost transparently.
Necessary coding:

modifications to majordomo:
- add optional ratings server address and update frequency in list configuration data
- add "X-Ratings-To:" headers to outgoing messages in lists with ratings servers
- periodically send ratings updates to ratings server subscribers

modifications to MUAs:
- recognize "X-Ratings-To:" headers in incoming messages and present ratings interface when displaying them
- generate ratings messages to ratings server
- interpret incoming ratings messages to compute user's predicted rating
- maintain user preferences vector

From jimbell at pacifier.com Fri Feb 2 01:08:34 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 2 Feb 1996 17:08:34 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID:

Despite being totally uninvolved with whatever this guy's talking about, Jim Bell is responding:

At 11:06 AM 2/1/96 PST, baldwin wrote:
>
>WARNING NOTICE
>
> It has recently come to the attention of RSA Data
>Security, Inc. that certain of its confidential and
>proprietary source code has been misappropriated and
>disclosed. Despite such unauthorized use and disclosure,
>RSA Data Security reserves all intellectual property rights
>in such source code under applicable law, including without
>limitation trade secret and copyright protection.

Hey, I'm not a lawyer, and I don't even play one on TV, but as I understood the law keeping something a secret was an alternative to disclosing it with a patent. Patents had certain advantages and disadvantages; trade secrets had other advantages and other disadvantages. A famous example, the "formula for Coca-Cola" was kept secret for decades; to patent it would have allowed anybody else to build Coca-Cola after 17 years of patent protection. Keeping it secret could, theoretically last forever, but the legal protection against copying is less or even non-existent.
I am well aware that the legal system has been abusing the whole concept of patenting software, etc, ever since they discovered they wanted to keep the country from using RSA in the middle 1970's. However, it seems to me that if your "trade secret" is now disclosed, then it really isn't a "trade secret" anymore and you lose "trade secret" status. You may have a valid claim against the discloser, but that SHOULD be unrelated to everyone else.

It sounds like you want the best of both worlds: You want to claim "trade secret" status for something that you either can't or don't want to patent.

From jimbell at pacifier.com Fri Feb 2 01:20:10 1996
From: jimbell at pacifier.com (jim bell)
Date: Fri, 2 Feb 1996 17:20:10 +0800
Subject: Charter of PDX Cpunk meetings
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

At 10:52 PM 2/1/96 -0800, Alan Olsen wrote:
>
>I requested that this debate be taken to private e-mail. Since you seem to
>not want to do that, and since you insist of making false and unrealistic
>claims,

Which "false and unrealistic claims"?

I am removing your name from the subscription list for
>pdx-cypherpunks.

This isn't a DEBATE. It is a WARNING to all other potential suckers in the Portland Oregon area that Alan Olsen engaged in highly unethical behavior with regards to the recent cypherpunks meeting, flamed me without justification in the national list, failed to respond to security inquiries, failed to deny issues and matters of truth, and failed to properly deal with a situation that he had a responsibility to handle ethically. Not to mention lying in the comment above.
I am going to take this to the national list, because you took it there first in your original flame: I am going to point out that you flamed me for no good reason; you engaged in a "knee-jerk" "debunking" without even knowing what you were ostensibly "debunking," that you failed to respond to my polite request for clarification; that you've attempted to pretend that I was somehow at fault for noticing your transgressions; that your local clique is pre-programmed to defend you in the face of your transgressions.

I notice that some of them don't even know what a key-signing meeting is FOR: I've received commentary which suggests that they believe that key-signing somehow vouches for the HONESTY of the person involved; not his IDENTITY.

Until you start responding substantively to legitimate complaints, that is all you deserve. The public needs to be warned about people like you.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRHIE/qHVDBboB2dAQHHMAQAkTFZaMMF6asl79yU8RSkd5O0zYElg9so
syuonRR1UnrzTGlQ2cT/8GPZhuV/IIBSiroxu7EwCX6ASR6BTRUGVdTWbN3l27Vi
M6FRiduXpBvzpIzQ7XOzwcvPv0D/bLXwXPGHzmUzqsk3chWpsskKw1PKZun7wCKL
fG2MVim+Vqk=
=Di2Q
-----END PGP SIGNATURE-----

From nelson at santafe.edu Fri Feb 2 01:45:07 1996
From: nelson at santafe.edu (Nelson Minar)
Date: Fri, 2 Feb 1996 17:45:07 +0800
Subject: Anonymity -> Untraceability -> High Latency?
Message-ID: <199602020919.CAA02994@nelson.santafe.edu>

I've been trying out various mechanisms for anonymity: remailer chains, HTTP proxies. There's one problem that makes them inconvenient to use regularly: latency.

A good Type I remailer chain takes at least an hour to deliver email, instead of the 15 seconds I'm used to. Mixmaster-style takes even longer; the delay is important to the security of the system. Forwarding all my HTTP requests through a proxy adds an extra hop and some processing to all web transactions, noticeably slowing down browsing. I'm not much for waiting for computers.
The problem is that these anonymity schemes rely on untraceability. And to be untraceable, we have to have centralized servers take our traffic and forward it along, stripping out identifying information, burying it in the noise of lots of other traffic. But that forwarding process seems guaranteed to add latency to the communication.

Back in the old days (ie: six months ago, before Web search engines were big on the scene) I was reasonably happy with the needle-in-a-haystack anonymity of the unorganized Internet. I posted personal things to Usenet, fairly sure that only the members of that Usenet group were going to see my messages. I ftped files from all over without worrying that my transactions would be logged permanently. But now, with the amazing success of Web searching, I no longer feel that obscurity is sufficient security.

Are there other approaches to anonymity that don't impose the latency that forwarding messages around does?

From bruce at aracnet.com Fri Feb 2 02:07:22 1996
From: bruce at aracnet.com (Bruce Baugh)
Date: Fri, 2 Feb 1996 18:07:22 +0800
Subject: Helping the Crypto-Clueless
Message-ID: <2.2.32.19960202095316.0069c6a8@mail.aracnet.com>

While talking with Alan Olsen about the impending Telecommunications Decency Act, a thought struck me: one of the groups that's really going to be hurt by this is pagans. Me, I'm one o' them Christian types; it's my anarchism that'll get me on lists. But insofar as cypherpunks have contact with pagans (and aboriginal American groups and the like), probably there are a lot of folks who should be ramping up for privacy right away.

Bruce Baugh
bruce at aracnet.com

From alano at teleport.com Fri Feb 2 02:26:01 1996
From: alano at teleport.com (Alan Olsen)
Date: Fri, 2 Feb 1996 18:26:01 +0800
Subject: [noise] Re: Charter of PDX Cpunk meetings
Message-ID: <2.2.32.19960202100334.009241ec@mail.teleport.com>

-----BEGIN PGP SIGNED MESSAGE-----

I think an explanation for this is due.
Jim is going to move his complaints here instead of dealing with them with me no matter what I do...

A bit of history here...

I had seen Jim Bell's postings and had not thought too much about them one way or another. I felt that some people had been a bit too hard on him, but did not care one way or another.

I organized a physical meeting on Jan 20th at a public coffee house in Portland. Jim showed up. During this meeting he espoused some ideas which I found very bothersome because they sounded far too much like "magical thinking" and pseudo science. I did not challenge him about them at the meeting and tried to move on to other things.

A while ago an anonymous poster made a number of comments about Jim Bell's beliefs involving assassination politics. He brought up a number of valid points. Jim ignored all of those points and flamed him on something totally without substance. (Not signing messages and not using an identifiable nym.) This bothered me. I responded to the post. A good portion of this message was flame, but it contained a number of questions about the workability of Jim's pet theories.

Jim's response to this was to question the validity of the post, but not deal with any of the substance of the arguments. (He was questioning it because I did not sign the posting.) I ignored the post as I had other things occupying my time...

During the period of time between the meeting and the offending post I had created a pdx-cypherpunks list. I had a number of people who were interested and it seemed like a good idea at the time...

Well, I posted on the list a question about the next meeting and mentioned about the results from the key signing. (I had three people, who I did not mention by name, who had not signed keys or gotten back to me on it.) I received a response from Jim about my messages to him here and why he had not signed anyone's keys. [For those who are interested, I can forward the original messages.
They are interesting reading, in an odd sort of way...] It came down to him complaining about my messages on national list. He still did not address any of the issues I had raised (he still has not), but was pretty pissed.

A number of the other people on the list took him to task on a number of the comments he made. It grew into a pretty hot flame war on the list. After I started to get complaints and it prevented anything useful being posted, I posted a message to take the discussion to e-mail or I would start banning people from the list. Jim ignored that request and I removed him from the list. That is why it has moved back here.

This will be my last response to Jim's rantings in public. I will be glad to deal with questions in e-mail. I have sent a number of responses to Jim already in e-mail and he has ignored them. He has made veiled threats to me on the pdx list and has shown no sign of wanting to deal with this in a rational manner.

The issue comes down to this. Jim Bell has a number of ideas I disagree with. I have challenged him on some of those ideas. He is unwilling to answer any questions as to the flaws in his beliefs. Instead, he takes any questioning of his ideas as personal attacks. I refuse to give any respect to an individual who presents his ideas to the world and yet is unwilling to defend them in public (or in private).

I suggest you get your killfiles ready. I will be killfiling Mr. Bell's comments on this list as it does not belong here.

The following is the last I will say publicly on the matter.

At 12:16 AM 2/2/96 -0800, jim bell wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>At 10:52 PM 2/1/96 -0800, Alan Olsen wrote:
>
>>
>>I requested that this debate be taken to private e-mail. Since you seem to
>>not want to do that, and since you insist of making false and unrealistic
>>claims,
>
>Which "false and unrealistic claims"?

Well, let's see...
The claim that you have a method of "rendering a building uninhabitable by electronic equipment for at least 30 days". The claims that the Portland meeting was a "private meeting". That I did not inform people of that fact. That I somehow owe you an apology for statements which you seem to be unwilling to deal with.

I am sure that I can dig up more.

>I am removing your name from the subscription list for
>>pdx-cypherpunks.
>
>This isn't a DEBATE.

That is because you are not willing to debate. You want your beliefs accepted with no proof and no rational thought. You want them to be accepted without question.

>It is a WARNING to all other potential suckers in the
>Portland Oregon area that Alan Olsen engaged in highly unethical behavior
>with regards to the recent cypherpunks meeting,

What behavior was that Jim? I told people about your loonie scheme to "disable hardware"? If you did not want it known, then you should have kept your mouth shut! (The first rule of not being seen is DON'T STAND UP!)

You seemed to have some sort of idea that it was a private meeting. Nowhere was it stated that it was private. We were in a crowded coffee house. You were sitting in front of a big glass window. Anyone who wanted to take the time to hear you could have. There was no reasonable expectation of privacy at that meeting. I am sorry that you have suffered embarrassment. Grow up.

>flamed me without
>justification in the national list,

I gave my justification. You are unwilling to respond to criticism of your ideas. You still are. Sorry, but you need to grow an epidermal layer.

> failed to respond to security inquiries,

I did not sign my messages to him. He assumed that it must be some sort of spoof. I left it unanswered for two reasons. At the time I was not really needing a confrontation (as my personal life was taking time) and I was not certain how to answer. (How do you answer someone who is THAT paranoid?) I wonder if he assumes Tim May's messages are all spoofs.
(He may have something there...)

>failed to deny issues and matters of truth,

Did not answer mail...

>and failed to properly deal with
>a situation that he had a responsibility to handle ethically. Not to
>mention lying in the comment above.

Jim is not willing to deal with the issues I keep bringing up so I must be lying...

>I am going to take this to the national list, because you took it there
>first in your original flame:

And I banned Jim from the Portland list...

>I am going to point out that you flamed me
>for no good reason; you engaged in a "knee-jerk" "debunking" without even
>knowing what you were ostensibly "debunking,"

I was flaming you for being unwilling to clarify your positions. You made extraordinary claims and have been unwilling to explain how any of this is supposed to work or given anyone any sort of reason as to why we should believe you.

>that you failed to respond to
>my polite request for clarification;

Yeah, that one is my fault. I should have responded sooner to that message.

> that you've attempted to pretend that I
>was somehow at fault for noticing your transgressions;

No. You were at fault for ignoring every issue that was brought up. You have been unwilling to deal with anything resembling substance and instead insist on continuing this petty flame war.

>that your local
>clique is pre-programmed to defend you in the face of your transgressions.

i.e. the rest of the Portland list jumped on his case for his behavior. Many of them are my friends. At least one of them is someone I have only met once. You seem unwilling to accept that maybe the idea that no one has sided with you is that they do not agree with you.

>I notice that some of them don't even know what a key-signing meeting is
>FOR: I've received commentary which suggests that they believe that
>key-signing somehow vouches for the HONESTY of the person involved; not his
>IDENTITY.

As I have stated before, the concept of identity is a slippery thing.
Actually the information on the key signing that I posted, and the theories behind it, were from the FAQ written by Derek Atkins.

>Until you start responding substantively to legitimate complaints, that is
>all you deserve. The public needs to be warned about people like you.

You have one legitimate complaint. (That I did not respond to mail in a timely fashion.) Sorry... Guilty. The rest you have blown FAR out of proportion. You are mad because I said some unpleasant things to you on a list where you so much want to be respected. I suspect that you had lost the respect of most of them before I posted. If they are that easily swayed, then you have not done a lot to earn their respect and be able to keep it.

You have failed to respond to the mail I have sent in private. That makes me suspect that you do not want to resolve the issue with me, but cause problems for me with others as "punishment" for exposing your outlandish views. I am sorry that you feel that you have to go to such extremes. It reinforces my decision to bounce you from the Portland list however. The more you rant, the less I am willing to deal with you.

When my daughter acts like you she is sent to her room. In your case, I will just have to ignore you...

Find an anagram for "Spiro Agnew".

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
`finger -l alano at teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
Is the operating system half NT or half full?
From jrochkin at cs.oberlin.edu Fri Feb 2 03:02:12 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Fri, 2 Feb 1996 19:02:12 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID:

At 7:06 PM 02/01/96, baldwin wrote:
>WARNING NOTICE
>
> It has recently come to the attention of RSA Data
>Security, Inc. that certain of its confidential and
>proprietary source code has been misappropriated and
>disclosed. Despite such unauthorized use and disclosure,
>RSA Data Security reserves all intellectual property rights
>in such source code under applicable law, including without
>limitation trade secret and copyright protection. In

Well, now we know it really was RC2.

Is there a law-knowing type out there who can tell us what's going on legally? As I understand things, RSA is just bullshitting here. When something has 'trade secret' status, the only people with legal obligations toward it are those with contractual obligations to RSA--you can only enforce 'trade secrets' through contractual obligations, non-disclosure and confidentiality agreements, etc. Once something has been disclosed, as I understand it, people without contractual obligations in regards to it are free to do whatever they want to it--trade secret status of RC2 has nothing to do with me, who has no contractual obligations to RSA regarding RC2. (Unless the license agreement for RSAref could be stretched to apply somehow, but I don't think so).

Now, copyright might be another matter. But you can't copyright an algorithm, only specific text in fixed form (ie, the source code). So this would mean you couldn't use the particular code posted to sci.crypt, but wouldn't stop anyone from using the algorithm, if they wrote their own code (to be safe, without having seen the RSA-copyrighted code, only having the algorithm described to them by someone else).
You can _patent_ an algorithm, but as I understand it, something can't be patented and a trade secret--you have to disclose it in full to the patent office to get a patent, at which point it's no longer a trade secret. And the legalese from RSA doesn't even mention patents anyway (because they don't have one, of course), only copyright and 'trade secret'.

I'm not a lawyer of course. Information from someone more sure of their knowledge than I am would be appreciated. But, as I understand it, they're basically making stuff up, and there is nothing stopping any of us, who haven't signed any non-disclosure agreements with RSA, from using the RC2 algorithm.

From tony at secapl.com Fri Feb 2 04:37:20 1996
From: tony at secapl.com (Tony Iannotti)
Date: Fri, 2 Feb 1996 20:37:20 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
In-Reply-To: <9602020046.AA23769@sulphur.osf.org>
Message-ID:

On Thu, 1 Feb 1996, Rich Salz wrote:

> At any rate, I'll stop my comparison of the distributed RC2 and the
> licensed RC2 since RSA's done it for us. :)

What if it's just a ruse by them to ID it as RC2? They could have even released a bogus version themselves, and then sent up a hue and cry....

From kelli at zeus.towson.edu Fri Feb 2 05:53:02 1996
From: kelli at zeus.towson.edu (banjo, lord of the c monkeys)
Date: Fri, 2 Feb 1996 21:53:02 +0800
Subject: CDA as a tool (was: Re: Helping the Crypto-Clueless)
In-Reply-To: <2.2.32.19960202095316.0069c6a8@mail.aracnet.com>
Message-ID:

On Fri, 2 Feb 1996, Bruce Baugh wrote:

> While talking with Alan Olsen about the impending Telecommunications Decency
> Act, a thought struck me: one of the groups that's really going to be hurt
> by this is pagans. Me, I'm one o' them Christian types; it's my anarchism
> that'll get me on lists. But insofar as cypherpunks have contact with pagans
> (and aboriginal American groups and the like), probably there are a lot of
> folks who should be ramping up for privacy right away.
>

I agree: and in addition to that, I'd like to say that contrary to the beliefs of some people on this list, I don't think the CDA is representative of a legislative body's spiteful action against general free speech and information; it's far too simple a motivation for computer-illiterate, re-election minded professional politicians. They simply don't know enough about the nature of the internet itself to conspire to something as abstract as all that. I believe that every congress critter had a specific social enemy in mind when he/she voted for that bill; somebody who they've been using as their banner, whom they vow to fight against when re-elected.

Pagans are a good example of a group likely to be the victims of such political action. I, as an activist in the field, ask you to imagine the consequences for the gay civil rights movement, when even discussing the issue is viewed as 'indecent or immoral' by some of the more conservative lawmakers. Remember when Canada banned the import of pornography, even the news-oriented gay and lesbian publications were halted at the border.

The crypto relevance in this post is the value of examples such as these when explaining to your friends why they need non-government-escrowed crypto so badly in electronic discourse. People tend to see the need for it a bit more when they see the threat more clearly. I'm a college student, and while not all my friends are involved in the same pursuits I am, most of them are at least loosely associated with groups which are considered undesirable by some government types (Black Activists, Jewish Activists, Pro Life/Choice advocates, etc). In college, who isn't?

I don't post too often to cypherpunks, so if this view is overly simplistic, right on the mark, or completely wrong, send me some mail, and we'll discuss.

Kathleen M. Ellis            http://zeus.towson.edu/~kelli/
kelli at zeus.towson.edu     Diverse Sexual Orientation Coll.
Towson State University      DSOC at zeus.towson.edu

"I can't help it, I'm a born lever-puller" -Ringo from "Yellow Submarine"
"Your friends are really just enemies who don't have the guts to kill you" -J. Tenuta
"Obscenity is a crutch for inarticulate motherfuckers." -Fortune Cookie Courtesy of Linux 1.3.45

From PADGETT at hobbes.orl.mmc.com Fri Feb 2 06:27:37 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 2 Feb 1996 22:27:37 +0800
Subject: Telecom Bill may makes abortion talke illegal on the net...
Message-ID: <960202090301.2020ff8d@hobbes.orl.mmc.com>

> (b) any obscene, lewd, lascivious, or filthy phonograph recording,
>electrical transcription, or other article or thing capable of producing
>sound; or

There goes rec.antiques.radio+phono & rec.radio.swap - many of the Trans-Oceanics I have bought on-line would qualify as filthy, ever try to remove years of accumulated tobacco smoke residue from the inside of a dial-lens ?

Don't forget rec.radio.shortwave - someone in a non-compliant country might transmit something nasty. And as for lascivious - there goes the Tex Avery cartoons on Nickelodeon.

Did Nehimiah (sp?) Scudder come up with this ?

Warmly,
Padgett

From wilcoxb at nag.cs.colorado.edu Fri Feb 2 06:31:07 1996
From: wilcoxb at nag.cs.colorado.edu (Bryce)
Date: Fri, 2 Feb 1996 22:31:07 +0800
Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...]
In-Reply-To:
Message-ID: <199602021350.GAA03188@nag.cs.colorado.edu>

-----BEGIN PGP SIGNED MESSAGE-----

An entity calling itself "Declan B. McCullagh" is alleged to have written:
>
> Now, this guy copied that file from my web site. Fine -- it was up for
> FTP. But editing my comments to *support* Neo-Nazis and leaving my name
> is just fucking too much. I've sent him polite mail requesting a change.
> We'll see what happens.

Polite? You show more restraint than most of us would I suspect.
Actually it is probably a good tactic for the first encounter.

> Cypherpunk relevance? Authentication for web pages. There's no reason
> for a reasonable person to believe, at first glance, that I was *not*
> the author.

It is possible to PGP-clearsign web pages using comments. PGP's insertion of "- " before any line beginning with "-" might cause a problem, but you'll just have to be a little more careful.

I'm considering hacking up a "PGP verification service" web page which will accept a PGP-signed URL, retrieve it, verify it, and report the results. Of course I'll make it clear that this service is very susceptible to active attacks.

On a related topic it would probably be wise for you to clear-sign your mail, Declan. Establish a public key with me, and next time I see mail from you saying "I've been reading about this 'the Holocaust was a hoax' stuff and it's actually kind of convincing." I'll know where to lay the authorship of the words... :-)

Regards,

Bryce

"Toys, Tools and Technologies" the Niche
New Signal Consulting -- C++, Java, HTML, Ecash
Bryce

PGP sig follows

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMRIWjPWZSllhfG25AQE4UwP/eFEXJ0qoocgRdcNFqf2jeW/XOe8UNA8k
cQkYRSuyTwODEbNtkoLWoAGh+ucttGToy13uvA2e4WO8PG3LD2BVQlHP5Xi/umip
XpUn+Ge7fbCm4O2dlogf6HNLmTNo5BrwX8ET46wn1K4hLf695cIyYoMToua+4xWr
azZPYCg+eYs=
=unP7
-----END PGP SIGNATURE-----

From jcobb at ahcbsd1.ovnet.com Fri Feb 2 06:59:13 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Fri, 2 Feb 1996 22:59:13 +0800
Subject: "German service cuts Net access" (to Santa Cruz)
Message-ID:

Dmitri,

On 01 28 96 you say:

  Heck, any message on the Internet is inherently porno-
  graphic because it's just a bunch of 1's and 0's. And
  we all know that to Sen Exon a 1 looks like a penis and
  a 0 looks like a vagina!
  :-)

On C-Span, did I hear Senator Kennedy suggest the Senate Ethics Committee delve into Senator Exon for unlawful carnal knowledge of nuclear arithmetic?

Cordially,

Jim

From steve at miranova.com Fri Feb 2 07:07:14 1996
From: steve at miranova.com (Steven L Baur)
Date: Fri, 2 Feb 1996 23:07:14 +0800
Subject: Unix swapfile security issues...
In-Reply-To: <199602010730.XAA09785@infinity.c2.org>
Message-ID:

>>>>> "Anonymous" == Anonymous writes:

Anonymous> I'm working on a unix application where I want to store a
Anonymous> key in memory and don't want it to get written out to a
Anonymous> swap file. If the key is in any of the application's
Anonymous> memory pages, it could be swapped out at any time, and
Anonymous> potentially left in the swap file when the computer is
Anonymous> turned off.

That's only a problem if physical security doesn't exist at the console. No operating system (or monitor) can overcome the lack of that.

Anonymous> But, what if the program creates a pipe() and writes the
Anonymous> key into it, then reads the key out when necessary? A pipe
                             ^^^^^ ^^^ ^^^ ^^^

In which case it's in memory and can be paged or swapped.

Anonymous> has a 4K buffer, but that buffer is in the kernel's memory,
Anonymous> not in the application's pages. Could a kernel buffer get
Anonymous> written out to a swapfile?

Depending on how the kernel is written, bringing down the machine could result in a dump of kernel memory being written to the swap device anyway.

--
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.

From tcmay at got.net Fri Feb 2 07:09:07 1996
From: tcmay at got.net (Timothy C.
May)
Date: Fri, 2 Feb 1996 23:09:07 +0800
Subject: Germans, Nazis, Jews, and My Beliefs
Message-ID:

With all of the recent developments, including the comments against censorship and in favor of measures to route around censorship, and the charges of pro-Nazi sentiment, let me state some of my beliefs:

* I strongly believe, to the point of certainty, that the events described variously as "the Holocaust" and "the gassing of Jews" occurred. I first encountered photos in "Life" magazine, circa 1966, and nothing I have seen since then has even slightly shaken my belief that Hitler and his government oversaw the extermination in the most barbaric manner of several millions of Jews, gypsies, homosexuals, cripples, etc.

* However, I am very fond of German culture in general. Though my ancestry is essentially Scandinavian (Denmark, Norway) and Anglo-Saxon (Scotland, England), I have felt more affinity for things Germanic than for things French, Italian, Spanish, etc. Perhaps it was my interest in science, where Einstein, Heisenberg, Schrodinger, etc., reigned supreme (though Darwin and Newton were no slouches!), but I felt an affinity for Germany that I did not feel for, say, France (though I lived for a year in the south of France, near Nice, as a child).

* By "German culture" I mean: Einstein, the Rhine, beer, Beethoven, Mozart, castles, the Alps, Salzburg, Goethe, Heidelberg, and of course, the language (which is a root language of English, naturlich, and part of the "Indo-Germanisches," or "Indo-European" family of languages...proto-IE goes back a lot further than either Greek or Latin, which are just variants of PIE).

* Nothing about the Third Reich appeals to me, except that they had some pretty good scientists. (And I believe that Schrodinger, Heisenberg, and others dragged their feet on alerting Hitler and his advisors to the real prospects for atomic bombs...in a way that Einstein, Bohr, Fermi, Szilard, and dozens of others in the U.S. at that time did not.)
As one opposed to the excesses of government power, I view the excesses of the Third Reich as an object lesson about the dangers of totalitarianism.

* I believe that much of "Jewish culture" is, for historical reasons, closely related to German culture. It is understandable that so many Jews hate Germans and German culture, but also sad. (I don't mean the newer Israeli/Hebrew culture, but the Yiddish/German culture, which was so shaken by the Holocaust that, sadly in my opinion, it cannot acknowledge its essential Germanness.)

* As far as racial or ethnic differences go, I believe the so-called races are essentially indistinguishable, except for superficial differences in appearance, stature, pigmentation, etc. (And a comparison between Watusis and pygmies will reveal that "Negroids" are as varied in stature--and basketball skill--as any differences between Negroid, Caucasoid, and Mongoloid.) That all the races and sub-races, from Australian Aboriginal to European to Asian to American Indian can interbreed with identical fertility rates suggests no genomic differences. In fact, it strongly suggests that evolution as we normally think of it essentially stopped some tens of thousands of years ago, which makes a lot of sense.

And there you have it. Let no one call me a Nazi.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
From pdlamb at iquest.com Fri Feb 2 07:57:13 1996
From: pdlamb at iquest.com (Patrick Lamb)
Date: Fri, 2 Feb 1996 23:57:13 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602021529.JAA15348@vespucci.iquest.com>

At 11:06 2/1/96 PST, you wrote:
>
>WARNING NOTICE
>
> It has recently come to the attention of RSA Data
>Security, Inc. that certain of its confidential and
>proprietary source code has been misappropriated and
>disclosed. Despite such unauthorized use and disclosure,
>RSA Data Security reserves all intellectual property rights
>in such source code under applicable law, including without
>limitation trade secret and copyright protection.

(Remainder of warning elided.)

Does this mean RSADSI is claiming copyright infringement on the RC2 source code?

Pat

From wlkngowl at unix.asb.com Fri Feb 2 07:59:29 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Fri, 2 Feb 1996 23:59:29 +0800
Subject: Telecom Bill may makes abortion talke illegal on the net...
Message-ID: <199602020749.CAA10281@UNiX.asb.com>

Thomas Grant Edwards wrote:

>Sec. 507 of the Telecom Bill Amends Section 1462 of title 18 of the U.S.
>Code (Chapter 71), in ways which may make sending the following over the
>Internet illegal:
[..]
> o any information telling about how to obtain or make abortions and
> drugs, or obtaining or making anything that is for indecent or immoral
  ^^^^^
> use

So the PharmWeb and any discussion of pharmacology would be illegal?
Or does that solely apply to abortion drugs? Immoral is a pretty vague word legally...

[..]
> (a) any obscene, lewd, lascivious, or filthy book, pamphlet, picture,
>motion-picture film, paper, letter, writing, print, or other matter of
>indecent character; or

So much for good foreign films...

> (b) any obscene, lewd, lascivious, or filthy phonograph recording,
>electrical transcription, or other article or thing capable of producing
>sound; or

Whoopie cushions would be illegal.

[..]

From jamesd at echeque.com Fri Feb 2 08:00:05 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sat, 3 Feb 1996 00:00:05 +0800
Subject: Tim's paranoid rant about Declan appearing on "Europe's Most Wanted"
Message-ID: <199602020704.XAA14197@shell1.best.com>

On Thu, 1 Feb 1996, Declan B. McCullagh wrote:
> > Rich, by now I suspect you've seen this joke, but what the hell:
> >
> > Q: What's a left-wing firing squad?
> >
> > A: Everyone stands in a circle and shoots at each other

At 06:11 PM 2/1/96 -0800, Rich Graves wrote:
> I guess this is supposed to be something clever about how the vanguard is
> supposed to discard their personal interests for the common good.

Actually it refers to the famous factionalism of the left: Similar to the parody in Monty Python's "Life of Brian"

---------------------------------------------------------------------
                                      |
We have the right to defend ourselves | http://www.jim.com/jamesd/
and our property, because of the kind |
of animals that we are. True law      | James A. Donald
derives from this right, not from the |
arbitrary power of the state.
| jamesd at echeque.com

From sunder at dorsai.dorsai.org Fri Feb 2 08:23:22 1996
From: sunder at dorsai.dorsai.org (Ray Arachelian)
Date: Sat, 3 Feb 1996 00:23:22 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
In-Reply-To:
Message-ID:

On Fri, 2 Feb 1996, Tony Iannotti wrote:

> On Thu, 1 Feb 1996, Rich Salz wrote:
>
> > At any rate, I'll stop my comparison of the distributed RC2 and the
> > licensed RC2 since RSA's done it for us. :)
>
> What if it's just a ruse by them to ID it as RC2? They could have even
> released a bogus version themselves, and then sent up a hue and cry....

There's an easy test.. set up the real RC2 to encrypt data and have this one decrypt it, then reverse the two, use different keys, etc... a few thousand rounds should give a strong indication if this is the true RC2. It doesn't mean that it wasn't rigged to produce weak keys and such, however a closer analysis of the source will point that out. :)

==========================================================================
 + ^ + |  Ray Arachelian   |Emptiness is loneliness, and loneliness|  _ |>
  \|/  |sunder at dorsai.org|is cleanliness and cleanliness is god-|  \ |
<--+-->|                   |liness and god is empty, just like me,|   \|
  /|\  |    Just Say       |intoxicated with the madness, I'm in  |   <|\
 + v + | "No" to the NSA!  |love with my sadness. (Pumpkins/Zero) |   <| n
===================http://www.dorsai.org/~sunder/=========================

From rishab at best.com Fri Feb 2 08:36:08 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Sat, 3 Feb 1996 00:36:08 +0800
Subject: Domain registration
In-Reply-To: <199602011939.OAA23286@amsterdam.lcs.mit.edu>
Message-ID: <199602021550.HAA23942@shellx.best.com>

David, as I wrote earlier, you only get fast responses from InterNIC if your application is _perfect_ - you might have used an older form, or misplaced your commas or something.
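Ray Arachelian's cross-check from the RC2 thread above (one implementation encrypts, the other decrypts, then the reverse, under many keys), written out as an added example that is not code from any post in this archive. It assumes a stand-in cipher (four 16-bit words mixed with add, bitwise-select and rotate, keyed through SHA-256; this is not RC2), and every name in it, including the deliberately faulty `rigged_expand`, is hypothetical.

```python
import hashlib
import random
from functools import partial

MASK = 0xFFFF
ROUNDS = 16
ROT = (1, 2, 3, 5)  # rotation applied to each of the four 16-bit words

def rotl(x, n): return ((x << n) | (x >> (16 - n))) & MASK
def rotr(x, n): return ((x >> n) | (x << (16 - n))) & MASK
def bsel(x, y, z): return ((x & y) | (~x & z)) & MASK  # take y where x=1, else z

def expand(key):
    """Stand-in key schedule (assumption, NOT RC2's): SHA-256 in counter mode -> 64 subkeys."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(4))
    return [int.from_bytes(stream[2 * i:2 * i + 2], "little") for i in range(4 * ROUNDS)]

# Implementation A ("the real one"): straight-line code, one variable per word.
def ref_encrypt(key, block):
    sk, (a, b, c, d) = expand(key), block
    for r in range(ROUNDS):
        k = sk[4 * r:4 * r + 4]
        a = rotl((a + bsel(d, c, b) + k[0]) & MASK, 1)
        b = rotl((b + bsel(a, d, c) + k[1]) & MASK, 2)
        c = rotl((c + bsel(b, a, d) + k[2]) & MASK, 3)
        d = rotl((d + bsel(c, b, a) + k[3]) & MASK, 5)
    return (a, b, c, d)

def ref_decrypt(key, block):
    sk, (a, b, c, d) = expand(key), block
    for r in reversed(range(ROUNDS)):
        k = sk[4 * r:4 * r + 4]
        d = (rotr(d, 5) - bsel(c, b, a) - k[3]) & MASK
        c = (rotr(c, 3) - bsel(b, a, d) - k[2]) & MASK
        b = (rotr(b, 2) - bsel(a, d, c) - k[1]) & MASK
        a = (rotr(a, 1) - bsel(d, c, b) - k[0]) & MASK
    return (a, b, c, d)

# Implementation B ("the one under test"): independently coded as a loop over an array.
def cand_encrypt(key, block, schedule=expand):
    sk, R = schedule(key), list(block)
    for j in range(4 * ROUNDS):
        i = j % 4
        R[i] = rotl((R[i] + bsel(R[i - 1], R[i - 2], R[i - 3]) + sk[j]) & MASK, ROT[i])
    return tuple(R)

def cand_decrypt(key, block, schedule=expand):
    sk, R = schedule(key), list(block)
    for j in reversed(range(4 * ROUNDS)):
        i = j % 4
        R[i] = (rotr(R[i], ROT[i]) - bsel(R[i - 1], R[i - 2], R[i - 3]) - sk[j]) & MASK
    return tuple(R)

def rigged_expand(key):
    """Constructed faulty schedule: every key starting with four zero bytes gets one schedule."""
    return expand(bytes(len(key))) if key[:4] == bytes(4) else expand(key)

REF = (ref_encrypt, ref_decrypt)
CAND = (cand_encrypt, cand_decrypt)
RIGGED = (partial(cand_encrypt, schedule=rigged_expand),
          partial(cand_decrypt, schedule=rigged_expand))

def cross_check(impl_a, impl_b, keys, seed=1996):
    """A encrypts and B decrypts, then the reverse, under every key. Returns the keys that failed."""
    (enc_a, dec_a), (enc_b, dec_b) = impl_a, impl_b
    rng = random.Random(seed)
    failed = []
    for key in keys:
        block = tuple(rng.randrange(1 << 16) for _ in range(4))
        if dec_b(key, enc_a(key, block)) != block or dec_a(key, enc_b(key, block)) != block:
            failed.append(key)
    return failed

def random_keys(n, seed=2):
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(8)) for _ in range(n)]

def directed_keys():
    """Structured keys that random sampling practically never draws."""
    keys = [bytes([v]) * 8 for v in (0x00, 0xFF, 0x55)]                # constant bytes
    keys += [bytes(n) + bytes([0xA5]) * (8 - n) for n in range(1, 8)]  # zero prefixes
    keys += [bytes(i) + b"\x01" + bytes(7 - i) for i in range(8)]      # one non-zero byte
    return keys

if __name__ == "__main__":
    sample = random_keys(2000)
    print("honest candidate, random keys  :", len(cross_check(REF, CAND, sample)), "failures")
    print("faulty candidate, random keys  :", len(cross_check(REF, RIGGED, sample)), "failures")
    print("faulty candidate, directed keys:", len(cross_check(REF, RIGGED, directed_keys())), "failures")
```

The faulty candidate passes the random-key run because its deviation covers only 2^-32 of the key space; the directed keys expose it, which is the part of the check that random rounds alone cannot supply.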
From rishab at best.com Fri Feb 2 08:37:26 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Sat, 3 Feb 1996 00:37:26 +0800
Subject: Domain hijacking, InterNIC loopholes
In-Reply-To: <199602011934.OAA23195@amsterdam.lcs.mit.edu>
Message-ID: <199602021556.HAA27293@shellx.best.com>

David Mazieres wrote:
> How can you say there are no routers? The verification process is a
> confirmation E-mail message. To intercept this you must compromise a
> router, a nameserver, or the host on which the domain administrator
> reads mail. Since there often are multiple domain administrators
> on different networks, I stand by my statement that it would require
> multiple active attacks, etc.

The confirmation message is sent to the address requesting an update. This could be anyone. To take a real example, my dxm.org domain was modified by hostmaster at best.com - neither the existing admins, nor root at dxm.org received any confirmation, as the request was sent from another address.

The InterNIC does NOT require domain update requests to be sent by admins - that is, in fact, the simplest level of authentication that will be introduced by the InterNIC Guardian Object.

Rishab

From nobody at REPLAY.COM Fri Feb 2 08:43:06 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 3 Feb 1996 00:43:06 +0800
Subject: Police PR Mendacity
Message-ID: <199602021620.RAA05747@utopia.hacktic.nl>

Financial Times, 2 Feb 1996

Governments around the world are taking action to police computer networks

By Our Foreign Staff

The US Congress last night passed legislation that imposes stiff penalties for the distribution of "indecent" material on the Internet, a global web of computer networks that can be reached by an estimated 30m computer users.

The action echoes moves by other leading industrial countries to bring the Internet under some form of control.
It coincides with a call by French officials for an international law on communications to deal with regulation of electronic publishing on the Net. In Japan, meanwhile, Tokyo police have made what are believed to be the first arrests in a crackdown on the distribution of pornography via computer networks. The rapid growth of the Internet has created widespread concerns about its use to distribute pornography, racial hate messages and other offensive materials. However the vast bulk of material published on the global computer network is commercial or technical in nature. The measures passed in the US Congress, which were attached to a broad Telecommunications Bill, for the first time place legal limits on the types of materials that can be distributed via computer networks. Government intervention is strongly opposed by Internet pioneers, and by many within the computer industry, who believe that rapid growth of the Internet and electronic commerce will be stunted by regulation. Moreover, legal experts say that the regulation of cyberspace raises complex issues about jurisdiction because the Internet carries information across national borders. In France, the issue has been brought to a head by the recent publication, on the Internet, of "Le Grand Secret" (The Big Secret), a book about Francois Mitterrand's battle with cancer written by Dr Claude Gubler, the late president's personal physician, which has been banned by the French courts. Mr Francois Fillon, post and telecoms minister, said in the French Senate yesterday that he was to propose to a March meeting of EU culture and telecoms ministers an international conference to debate a law. He said the government was creating a working group with representatives from the ministries of justice, culture and telecoms, and stressed that his concerns included the problem of dealing with regulation outside national boundaries and the difficulty of pursuing those who abused the system. 
He also suggested the possibility of introducing ethical codes for Internet operators along the lines of those already in place for the country's Minitel telephone- based information system. In Japan, where use of the Internet is growing rapidly, the legality of publishing pornography on computer networks is about to be tested in the courts following the first arrests for allegedly criminal use of the Internet. Tokyo police announced that they had arrested a 28-year-old businessman, Mr Hiroshi Kamekura, on suspicion of distributing pornographic pictures. He is alleged to have produced the images at home and distributed them on his home page since last month, said police. According to Mr Kamekura, the service was popular and he was asked by other Internet users to produce more provocative pictures. Police also arrested a high school student, accused of distributing pornographic pictures over the Internet since last September. The arrests may raise eyebrows in a country where graphic, frequently sadistic pornography, moderated only by a ban on depictions of pubic hair, is openly sold on book stalls everywhere. A German court has already acted to prevent users in that country from accessing sexually explicit Internet discussion groups. The court forced Compuserve, a US-based online information service, to block access to about 200 of the thousands of "Usenet" groups to be found on the Internet. ----- From rishab at best.com Fri Feb 2 09:14:04 1996 From: rishab at best.com (Rishab Aiyer Ghosh) Date: Sat, 3 Feb 1996 01:14:04 +0800 Subject: No Subject Message-ID: <199602021642.IAA20236@shellx.best.com> India's Department of Telecommunications (DoT) charges a licence fee of $50,000 per _annum_ for BBS operators, and nearly twice as much for e-mail providers. 
It is preparing to finalise a policy for Internet service providers; as it doesn't understand the distintion between Internet _networks_ (MCI, Sprintnet etc) and "retail" providers (the geek in the garage), it is planning to charge well over $100,000 in annual licence fees. This is totally against the opinions of Telecom Secretary R K Takkar, as expressed to my newsletter, The Indian Techonomist, some months ago. I spoke to Mr Takkar for some time, providing him the "education" that he asked for in my newsletter and that large datacom companies here have been curiously averse to give him. He appreciated my point of view, and invited me to send a proposal for an alternative datacom policy, which I have done (and which is summarised below). I hope to meet him next week to follow this up. As a major part of my call for removing restraints is based on the Internet's treatment by other world governments, I would like letters of support to show this. My proposal may appear tame, but it isn't really. It will allow small ISPs to pay as little as $150 a year in licence fees; reduce the (high) likelihood of cartels between large companies; and entrench electronic free-speech at (some) parity with other media. (Note that the DoT has said that it is "not considering" blocking access to parts of the Net for reasons of morals or security. This despite the local media's loudly proclaimed discovery that the Net is 97.34% paedophile, or whatever.) Highlights 1. Definitions - The category for E-mail providers becomes redundant, leaving international gateway, national network, and "retail" service providers - Content providers have constitutional protection as electronic publishers - BBSes do not require licensing, being content providers 2. Goals - Licence fees not for revenue generation, but to ensure responsibility (unavoidable. 
Mr Takkar's words) - Licence fees based on telecom infrastructure costs, not revenues (at the moment, a licence is almost like income tax) - Regulation required for free and fair competition (see below) - TRAI should also handle datacom regulation, and datacom consumer complaints (the Telecom Regulatory Authority of India is likely to be very independent of the government, headed by a former Supreme Court judge) 3. Regulation - Equal access to gateway, network and service providers (to prevent denial of service and cartels, very likely here without explicit rules preventing them) - Rationalisation of DoT leased line tariff structure (now, a network costs more than the sum of its parts! too complicated to explain briefly) 4. Licensing - Uniform fee structure for gateway, network and service providers (say 2.5% of leased line costs, which are known as they are provided by the DoT) - Barriers to entry greatly reduced (minimal ISP pays $150 p.a) - However, total licence fee revenue for DoT not significantly reduced (important for success of this proposal; large nationwide network may still pay $100,000+ thanks to its huge leased line requirements) The full text of the proposal will be made publicly available on the Net sometime next week. Those who would like to see it, and a template for a letter of support, should send me mail at dcom-appeal at dxm.org. I would like letters from non-commercial organisations, lobby groups, policy bodies, and so on, but NOT datacom companies (I wouldn't mind _personal_ letters of support from them, but they wouldn't do for the DoT). I would particularly like to see something from Hong Kong, which I have used as a good example of how to do things in Asia. 
Thanks, Rishab ---------------------------------------------------------------------- The Indian Techonomist - newsletter on India's information industry http://dxm.org/techonomist/ rishab at dxm.org Editor and publisher: Rishab Aiyer Ghosh rishab at arbornet.org Vox +91 11 6853410; 3760335; H 34 C Saket, New Delhi 110017, INDIA From rishab at dxm.org Fri Feb 2 09:32:20 1996 From: rishab at dxm.org (Rishab Aiyer Ghosh) Date: Sat, 3 Feb 1996 01:32:20 +0800 Subject: Germany, China, but not India? Message-ID: <199602021643.IAA20927@shellx.best.com> Sorry if this post got screwed up the first time. In the context of recent events in Germany and China, it is interesting to note that, despite horrid rumours about high license fees for ISPs, the Indian government is "not considering" blocking portions of the Net for security or moral reasons. The Telecom Secretary appears relatively progressive, and has invited me to send an alternative proposal for datacom policy. I would like letters of support: read on. -Rishab India's Department of Telecommunications (DoT) charges a licence fee of $50,000 per _annum_ for BBS operators, and nearly twice as much for e-mail providers. It is preparing to finalise a policy for Internet service providers; as it doesn't understand the distintion between Internet _networks_ (MCI, Sprintnet etc) and "retail" providers (the geek in the garage), it is planning to charge well over $100,000 in annual licence fees. This is totally against the opinions of Telecom Secretary R K Takkar, as expressed to my newsletter, The Indian Techonomist, some months ago. I spoke to Mr Takkar for some time, providing him the "education" that he asked for in my newsletter and that large datacom companies here have been curiously averse to give him. He appreciated my point of view, and invited me to send a proposal for an alternative datacom policy, which I have done (and which is summarised below). I hope to meet him next week to follow this up. 
As a major part of my call for removing restraints is based on the Internet's treatment by other world governments, I would like letters of support to show this. My proposal may appear tame, but it isn't really. It will allow small ISPs to pay as little as $150 a year in licence fees; reduce the (high) likelihood of cartels between large companies; and entrench electronic free-speech at (some) parity with other media. (Note that the DoT has said that it is "not considering" blocking access to parts of the Net for reasons of morals or security. This despite the local media's loudly proclaimed discovery that the Net is 97.34% paedophile, or whatever.) Highlights 1. Definitions - The category for E-mail providers becomes redundant, leaving international gateway, national network, and "retail" service providers - Content providers have constitutional protection as electronic publishers - BBSes do not require licensing, being content providers 2. Goals - Licence fees not for revenue generation, but to ensure responsibility (unavoidable. Mr Takkar's words) - Licence fees based on telecom infrastructure costs, not revenues (at the moment, a licence is almost like income tax) - Regulation required for free and fair competition (see below) - TRAI should also handle datacom regulation, and datacom consumer complaints (the Telecom Regulatory Authority of India is likely to be very independent of the government, headed by a former Supreme Court judge) 3. Regulation - Equal access to gateway, network and service providers (to prevent denial of service and cartels, very likely here without explicit rules preventing them) - Rationalisation of DoT leased line tariff structure (now, a network costs more than the sum of its parts! too complicated to explain briefly) 4. 
Licensing - Uniform fee structure for gateway, network and service providers (say 2.5% of leased line costs, which are known as they are provided by the DoT) - Barriers to entry greatly reduced (minimal ISP pays $150 p.a) - However, total licence fee revenue for DoT not significantly reduced (important for success of this proposal; large nationwide network may still pay $100,000+ thanks to its huge leased line requirements) The full text of the proposal will be made publicly available on the Net sometime next week. Those who would like to see it, and a template for a letter of support, should send me mail at dcom-appeal at dxm.org. I would like letters from non-commercial organisations, lobby groups, policy bodies, and so on, but NOT datacom companies (I wouldn't mind _personal_ letters of support from them, but they wouldn't do for the DoT). I would particularly like to see something from Hong Kong, which I have used as a good example of how to do things in Asia. Thanks, Rishab ---------------------------------------------------------------------- The Indian Techonomist - newsletter on India's information industry http://dxm.org/techonomist/ rishab at dxm.org Editor and publisher: Rishab Aiyer Ghosh rishab at arbornet.org Vox +91 11 6853410; 3760335; H 34 C Saket, New Delhi 110017, INDIA From nobody at REPLAY.COM Fri Feb 2 09:35:41 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 3 Feb 1996 01:35:41 +0800 Subject: Espionage-enabled Greed Message-ID: <199602021657.RAA07766@utopia.hacktic.nl> To follow up the GNN report on Net espionage and NSA sniffing: For a quick overview of the prime sites for sniffing, see the informative map of the major US NAP's, routers and interconnections at: http://www.cerf.net/cerfnet/about/interconnects.html MAE-East, MAE-West, MAE-Chicago and others are detailed at: http://www.mfsdatanet.com:80/MAE/ AltaVista offers more about the Routing Arbiter project - - for examples, www.ra.net; rrdb.ra.net; rrdb.merit.edu; isi.com -- as 
well as about FIX-East and FIX-West, various NAP's and the international exchanges and routers.

Is there technology for eluding these espionage-enabled chokepoints -- tunneling, satellite-ricochet or otherwise?

The newly announced Planet 1 personal satellite phone system, $2,500 a unit, could it provide secure privacy off the hierarchical telecomm throttle?

Or, are all options slowly being shut down by regulated greed?

From tcmay at got.net Fri Feb 2 09:54:32 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 01:54:32 +0800
Subject: Alien factoring breakthroughs
Message-ID:

At 7:47 AM 2/2/96, anonymous-remailer at shell.portal.com wrote:

>From: remallin at dorsai.dorsai.org (Richard Mallinson)

>The Grays have reneged on their abduction quota agreement, and are
>abducting many more people than before. Most of these are returned, after
>being implanted with a device which allows the grays to have total control
>over their thoughts and actions. Approximately 40% of Americans now carry
>one of these devices, which are impossible to remove without killing the
>host.

And several of these Gray-implanted abductees were ordered to subscribe to the Cypherpunks list! Known as "Tentacles," they share the same hive mind and report periodically to the mother base in Colorado.

I'm sure you all know by now that "RSA" refers to their home star systems: Rigel, Sirius, and Arcturus.

--Tim "Spooky" May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May               | Crypto Anarchy: encryption, digital money,
tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA   | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
From fletch at ain.bls.com Fri Feb 2 09:56:17 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Sat, 3 Feb 1996 01:56:17 +0800 Subject: [NOISE][CONTEST][FACTS] don't help much, do they? In-Reply-To: Message-ID: <9602011536.AA06728@outland> > Ontogeny recapitulates phylogeny, as the saying goes. > [ Mr. May laments the futility of []'d labeling to raise S/N. ] For those that use emacs (and you should :), there's a version of GNUS (the newsreader) that has a neat scoring feature. Unlike a kill file which only gets rid of articles, scoring will automagically assign a negative (i.e. kill it) or positive (i.e. interesting) score to articles. You can manually rate articles or threads, or you can let Gnus use what the author of the package calls "artificial stupidity" to assign points based on whether or not you read a particular message. I've been using it on news for a couple of days now and it's starting to pickup some of my reading habits. It will also work on mail files (now if I can only get MH installed where my mail feed comes in I'll be set :). It also can access shared global score files using anon-ftp, so if someone want's to start a CP scoring service . . . . If you're interested check out: http://www.ifi.uio.no/~larsi/ --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From baldwin at RSA.COM Fri Feb 2 09:58:30 1996 From: baldwin at RSA.COM (baldwin (Robert W. Baldwin)) Date: Sat, 3 Feb 1996 01:58:30 +0800 Subject: Technical comments on RC2 from John Kelsey Message-ID: <9601028232.AA823281610@snail.rsa.com> Here are some interesting technical comments on RC2 from sci.crypt. If you already read sci.crypt, delete this now and accept my apologies for wasting your time. 
--Bob

______________________________ Forward Header __________________________________
From: John Kelsey
Newsgroups: sci.crypt
Subject: Re: RC2 source code
Date: Tue, 30 Jan 96 10:20:43 -0500
Organization: Delphi (info at delphi.com email, 800-695-4005 voice)

-----BEGIN PGP SIGNED MESSAGE-----

[ To: sci.crypt ## Date: 01/29/96 09:18 pm ## Subject: RC2 source code ]

>From: anon-remailer at utopia.hacktic.nl (Anonymous)
>Newsgroups: sci.crypt
>Subject: RC2 source code
>Date: 29 Jan 1996 06:38:04 +0100

This was interesting. Is this another "S1," or another "alleged-RC4?" The whole thing looks pretty believable, i.e., it doesn't have any obviously dumb parts that I can see.

Note that alleged RC2's block encryption function looks an awful lot like one round of MD5 performed on 16-bit sub-blocks, using the bitwise selection function as the nonlinear function, and a key-derived constant table. Additionally, in rounds four and eleven, there are four lookups into the expanded key array. The encryption function could be rewritten as

    for(i=0;i<16;i++){
        /* one MD5-like step per 16-bit sub-block */
        a = rotl(a + bsel(d,c,b) + *sk++, 1);
        b = rotl(b + bsel(a,d,c) + *sk++, 2);
        c = rotl(c + bsel(b,a,d) + *sk++, 3);
        d = rotl(d + bsel(c,b,a) + *sk++, 5);
        if((i==4)||(i==11)){
            /* four lookups into the expanded key array */
            a += xk[d&0x3f];
            b += xk[a&0x3f];
            c += xk[b&0x3f];
            d += xk[c&0x3f];
        }
    }

If this is accurate, it may give us some insight into Rivest's development of MD4 and MD5, which were radically different than MD2. What are the dates on this? Did Rivest do MD4 or RC2 first? This may be the first block cipher in the commercial/academic world to use a UFN structure.

One interesting part of this is the use of the subkey array as an S-box twice during the encryption process. I'm curious as to why this would be used only twice, rather than each round, i.e.
    a += bsel(b,c,d) + *sk++ + s[d&0x3f];

Sticking a very different internal transformation in may have been an attempt to make iterative (i.e., differential) attacks harder, since there's no longer a single round function through which you can pass differential characteristics. This depends upon when RC2 was developed and released.

Note that the claim that "RC2 is not an iterative block cipher" seems to be based on the fact that it has two instances where a different round function is thrown in. (Essentially, it's actually an 18-round cipher with two different round functions, one of which is used only twice.) This other round function isn't very impressive, since it uses only six bits of the source block to affect the target block.

A one-bit change in a randomly-distributed input block looks like it will propagate pretty quickly: There's a roughly 0.5 probability that it doesn't make it through the bsel function. If it does, then there's about a 0.5 probability that it will cause a change in the carry bit. This happens four times per "round," so a one-bit change should have about a 2^{-8} chance to make it through one round as a one-bit change, and so about a 2^{-128} chance to make it through all sixteen rounds, assuming no impact from either of the two S-box lookups. Does this look right, or am I missing something? (This is a first approximation--if our bit is in the high-order position anywhere, then it *can't* cause a carry bit, but there's no obvious way to keep it there for long.)

By choosing the input block, I can ensure that one-bit XOR difference makes it through the first step or two, but that doesn't do too much for an actual attack. Other XOR differences can help with the first round or so, but stop being helpful afterward. It generally looks hard to prevent diffusion by choosing other values, at least using XOR differences, because each subblock is rotated a different amount in each round. (The bits don't keep lining up.)
We can also try to do a differential attack based on subtraction modulo 2^16, based partially on Tom Berson's attempt to differentially attack MD5 using subtraction modulo 2^32. This gets complicated because of the rotations and the bit selection operations, but it ought to be tried if it hasn't already.

The key scheduling is also interesting, and somewhat reminiscent of MD2's internal operations. Each expanded key byte after the first N (where N is the number of bytes in the user's key) is determined by two bytes--the previous expanded key byte, and the expanded key byte N positions back. This means that we probably don't get ideal mixing of the key bytes in the early expanded key bytes, but it isn't clear to me that there will be a lot of problems with reasonable key lengths. (Note that a reasonable key length would be 128 bits=16 bytes, and that it should come from the output of a good one-way hash function.)

I wouldn't recommend using the key schedule to hash passphrases, since long passphrases would leave us with many very low-entropy subkey values. In general, I think that really large user keys will leave us vulnerable to a variety of related-key attacks and other nasty stuff. I'm a little curious as to the purpose of phase 2 of the key schedule, but since it's only used when a watered-down version of the algorithm is wanted (right?), I haven't spent much time looking at it.

Does alleged RC2's key schedule use the same permutation table as MD2 does? For small systems, this might have been a reasonably nice space savings. (On the other hand, if you have a hash function available at the same time, it makes sense to go ahead and use it in your key schedule, which isn't done here.)

The algorithm looks like it will have reasonable performance on 16-bit machines like the 8086, which was almost certainly one of the requirements for the algorithm, given the times it was used.

Comments?
--John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com
PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ43Q0Hx57Ag8goBAQG0LQQAiohrNSPvKzSIJjMeWjrK/r7HZOWp0Mhg
zcq60rIyPMpsDnxuk7VlLrU2XBy0Aff4QpO8jORS3VFKtaLH5XJehc7WTZF+1En1
ux4prro+Gpvn99HToTqKa6igxlEGYShskoF/aBIkszZAg6m/P92BPyZ/PW3tnMtp
MoMcdNGcO0I=
=ttGl
-----END PGP SIGNATURE-----





From tcmay at got.net  Fri Feb  2 10:11:54 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 02:11:54 +0800
Subject: End-to-End Encryption
Message-ID: 


At 4:57 PM 2/2/96, Anonymous wrote:

>Is there technology for eluding these espionage-enabled
>chokepoints -- tunneling, satellite-ricochet or
>otherwise?

End-to-end encryption.

So long as users can do end-to-end encryption, at various levels (that is, end users use things like PGP, other levels use things like SWIPE or PipeNet, etc.), what surveillance organizations do to monitor channels is not so critical.

And remailers and proxies make traffic analysis less possible.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."





From djr at saa-cons.co.uk  Fri Feb  2 10:20:47 1996
From: djr at saa-cons.co.uk (Dave Roberts)
Date: Sat, 3 Feb 1996 02:20:47 +0800
Subject: Psion organisers
Message-ID: 


I was wondering about a couple of things regarding the Psion Series 3a personal organisers. (According to the manual, you have them in the USA as well! :)

Firstly, anyone know what kind of encryption is done on documents and spreadsheets held on its internal disk? It only allows a 10 character password, and claims to encrypt the whole file.

Secondly, I presume that as the encryption software is apparently embedded into the system (ie cannot be extracted), I won't get arrested when I wander through US customs next time.

TIA - Dave.

Dave Roberts         | "Surfing the Internet" is a sad term for sad people.
Unix Systems Admin   | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd  | get a *real* life.
Plymouth, U.K.       | -=[For PGP Key, send mail with subject of "get pgp"]=-





From paul at icx.com  Fri Feb  2 10:20:59 1996
From: paul at icx.com (Paul Kanz)
Date: Sat, 3 Feb 1996 02:20:59 +0800
Subject: Charter of PDX Cpunk meetings
In-Reply-To: 
Message-ID: 


Now, hold on here. I was at the meeting and I don't know what you are referring to as "highly unethical behavior", could you expand this for myself and others.

As for "FOR: I've received commentary which suggests that they believe that key-signing somehow vouches for the HONESTY of the person involved; not his IDENTITY."

Unless I'm in the minority, the key-signing process IS NOT a test to determine if the person is an 'honest' person, but to ensure that the keys were valid and that someone did not make a mistake somewhere.

Keep in mind that the meeting was a mixer, not a board of directors meeting - take a chill pill.

-Paul

On Fri, 2 Feb 1996, jim bell wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> At 10:52 PM 2/1/96 -0800, Alan Olsen wrote:
>
> >
> >I requested that this debate be taken to private e-mail. Since you seem to
> >not want to do that, and since you insist of making false and unrealistic
> >claims,
>
> Which "false and unrealistic claims"?
>
> > I am removing your name from the subscription list for
> >pdx-cypherpunks.
>
> This isn't a DEBATE. It is a WARNING to all other potential suckers in the
> Portland Oregon area that Alan Olsen engaged in highly unethical behavior
> with regards to the recent cypherpunks meeting, flamed me without
> justification in the national list, failed to respond to security inquiries,
> failed to deny issues and matters of truth, and failed to properly deal with
> a situation that he had a responsibility to handle ethically. Not to
> mention lying in the comment above.
>
> I am going to take this to the national list, because you took it there
> first in your original flame: I am going to point out that you flamed me
> for no good reason; you engaged in a "knee-jerk" "debunking" without even
> knowing what you were ostensibly "debunking," that you failed to respond to
> my polite request for clarification; that you've attempted to pretend that I
> was somehow at fault for noticing your transgressions; that your local
> clique is pre-programmed to defend you in the face of your transgressions.
> I notice that some of them don't even know what a key-signing meeting is
> FOR: I've received commentary which suggests that they believe that
> key-signing somehow vouches for the HONESTY of the person involved; not his
> IDENTITY.
>
> Until you start responding substantively to legitimate complaints, that is
> all you deserve. The public needs to be warned about people like you.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBMRHIE/qHVDBboB2dAQHHMAQAkTFZaMMF6asl79yU8RSkd5O0zYElg9so
> syuonRR1UnrzTGlQ2cT/8GPZhuV/IIBSiroxu7EwCX6ASR6BTRUGVdTWbN3l27Vi
> M6FRiduXpBvzpIzQ7XOzwcvPv0D/bLXwXPGHzmUzqsk3chWpsskKw1PKZun7wCKL
> fG2MVim+Vqk=
> =Di2Q
> -----END PGP SIGNATURE-----
>
>

______________________________________________________________________________
Paul Kanz
System Administrator
Interconnectix, Inc.
10220 SW Nimbus Ave, Building K4
Portland, OR 97223
Email: paul at icx.com
Phone: 503.684.6641
Fax: 503.639.3469
______________________________________________________________________________





From tcmay at got.net  Fri Feb  2 10:37:14 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 02:37:14 +0800
Subject: Anonymity -> Untraceability -> High Latency?
Message-ID: 


At 9:19 AM 2/2/96, Nelson Minar wrote:
>I've been trying out various mechanisms for anonymity: remailer
>chains, HTTP proxies. There's one problem that makes them inconvenient
>to use regularly: latency.

"Latency" is not necessary for mix security. What is important is the number of messages mixed together in the mix. If it is desired that N = 10 and only 10 messages are entering the mix per hour, then, on average, the mix must wait an hour. E.g., "latency = one hour." If however, 100 messages are entering the mix per hour, then "latency = 6 minutes."

>A good Type I remailer chain takes at least an hour to deliver email,
>instead of the 15 seconds I'm used to. Mixmaster-style takes even
>longer; the delay is important to the security of the system.

None of these points is necessarily true.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."





From baldwin at RSA.COM  Fri Feb  2 10:52:35 1996
From: baldwin at RSA.COM (baldwin (Robert W. Baldwin))
Date: Sat, 3 Feb 1996 02:52:35 +0800
Subject: RC2 technical questions
Message-ID: <9601028232.AA823283956@snail.rsa.com>


        In a shameless attempt to move the discussion of RC2 into
a more technical arena, here are some interesting questions to
explore about RC2.
                --Bob

Key expansion
  - How can you tell whether the permutation is based on some sequence of digits from PI?
  - What are the diffusion and avalanche properties of this permutation?
  - What are the linear characteristics of this permutation?
  - What are the properties of the compression function that maps 16 bits (bytes X and Y) to 8 bits (byte Z) via Z = P[X + Y]?
  - How does the length of the key influence the mixing of bits during each pass of the expansion algorithm?
  - Is this a non-linear feedback shift register over the field GF(256)?
  - If the first pass of expansion is viewed as a hash function that produces 40 or 128 bits out, what are its properties?

Round Functions
  - What are the diffusion and avalanche properties of the two round functions?
  - What are the linear approximations and how good are they?
  - What characteristics can be preserved by the round function that performs rotations?
      - With what probability?
      - Does the amount of rotation influence the security?
  - What characteristics can be preserved by the round function that performs the data dependent selection of the expanded key?
      - With what probability?
  - Are there any "weak" keys?
      - Will the expansion algorithm produce them?





From tedwards at access.digex.net  Fri Feb  2 11:20:29 1996
From: tedwards at access.digex.net (tedwards at access.digex.net)
Date: Sat, 3 Feb 1996 03:20:29 +0800
Subject: Voice On the Net Digest V2 #44
In-Reply-To: <199602021245.HAA10963@enterprise.pulver.com>
Message-ID: 


> From: "Shane D. Mattaway"
> Date: Thu, 1 Feb 1996 07:12:32 -0500
> Subject: [VON]: WebPhone Beta 6 Release

> AUDIO ENCRYPTION
> All audio transmissions are encrypted to provide secure conversations
> without any performance overhead. Encryption is accomplished using a
> proprietary algorithm.

If the encryption is secure, there is no need to have "security through obscurity." I rather doubt that the makers of WebPhone have invented a proprietary encryption method that actually provides a high level of security.

Most truly secure encryption methods (DES, RSA, IDEA) are presented for peer review for years before the academic and cryptographic communities deem them to be reasonably secure. It is easy to claim you have a secure encryption algorithm - but most such algorithms turn out later to have serious security holes. Only some manage to hold up to their security claims under close academic analysis.

PGPfone's encryption methods are available for public inspection, and are generally accepted by the cryptographic community to be secure.

-Thomas Edwards





From perry at piermont.com  Fri Feb  2 11:26:49 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 3 Feb 1996 03:26:49 +0800
Subject: Denning's misleading statements
In-Reply-To: 
Message-ID: <199602021832.NAA12047@jekyll.piermont.com>


"James M. Cobb" writes:
> A few days ago I bought Markoff and Shimomura's Takedown. I've
> read the first three chapters.
>
> In my opinion:
>
> (1) the book is an important part of that well orchestrated
> Psy Ops campaign
>
> (2) the book's designed from the word go to play that part.

(3) You have been taking lots of really good drugs recently, but haven't quite come down yet.

.pm





From frissell at panix.com  Fri Feb  2 11:49:30 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 3 Feb 1996 03:49:30 +0800
Subject: Declan appearing on "Europe's Most Wanted"
Message-ID: <2.2.32.19960201111816.009b2ee4@panix.com>


At 01:26 AM 2/1/96 -0800, Timothy C. May wrote:

>The situation with Declan, Sameer, Duncan, and others, is even less clear.
>Things are moving much faster now that the Net is the means of
>distribution. I was of course half-joking about Declan visiting Europe, but
>surely France could decide to throw the book at him, and any EU country he
>entered (such as Ireland, judging from his name) could hold him at their
>entry point and ship him off to France to "set an example."

The "modal time served" in Europe for cypherpunks activities is/will be so low as to be indistinguishable from zero. If only that was my greatest legal risk.

Continental legal systems believe in prior restraint so they make a lot of noise but they are pretty weak in the punishment department.

DCF





From sunder at dorsai.dorsai.org  Fri Feb  2 12:04:57 1996
From: sunder at dorsai.dorsai.org (Ray Arachelian)
Date: Sat, 3 Feb 1996 04:04:57 +0800
Subject: your mail
In-Reply-To: <199602010110.RAA21647@infinity.c2.org>
Message-ID: 


re: Virus site (http://www.xcitement.com/virus/) reports error 404 - no
such file...

==========================================================================
 + ^ + |  Ray Arachelian |Emptiness is loneliness, and loneliness|  _ |>
  \|/  |sunder at dorsai.org|is cleanliness  and cleanliness is god-|  \ |
<--+-->|                 |liness and god is empty,  just like me,|   \|
  /|\  |    Just Say     |intoxicated  with the maddness,  I'm in|   <|\
 + v + | "No" to the NSA!|love with my sadness.   (Pumpkins/Zero)|   <| n
===================http://www.dorsai.org/~sunder/=========================





From sandfort at crl.com  Fri Feb  2 12:25:56 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sat, 3 Feb 1996 04:25:56 +0800
Subject: FEBRUARY MEETING
Message-ID: 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                          SANDY SANDFORT
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

The February Bay Area Cypherpunks meeting will start at noon in downtown San Francisco. The address and directions are:

The meeting will be on the fourth floor of 388 Market St. The building is bounded by Market, Pine and Front (Front is the north-of-Market extension of Fremont St.)
There are numerous parking garages in the area. You will have to sign in at the security desk in the lobby. You need to indicate that you are going to "Simple Access" on the 4th floor. After you get off the elevator there will be signs directing you to the conference room.

388 is above the Embarcadero BART and Muni Metro station. Other public transit links exist from the Transbay Terminal and the Caltrain Depot. If you have any questions about how to get to the meeting, let me know.

If you are driving:

From the Peninsula:

1. Take 101 north to 80.
2. Take 80 east to the 4th Street exit.
3. Take Bryant east (north-east, actually) to Fremont.
4. Turn left on Fremont and drive to Market.
5. You are there, but now you need to find a place to park.
6. (You should have taken public transit!)

From the East Bay:

1. Take 80 west to the Fremont exit. Follow directions 4 thru 6, above.

 S a n d y

P.S. About 50 people have already RSVPed my party invitation. If you have not told me if you will be attending my party, please do so. I need to know how much stuff to get.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





From llurch at networking.stanford.edu  Fri Feb  2 12:28:36 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 04:28:36 +0800
Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...]
In-Reply-To: <199602021350.GAA03188@nag.cs.colorado.edu>
Message-ID: 


On Fri, 2 Feb 1996, Bryce wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> An entity calling itself "Declan B. McCullagh"
> is alleged to have written:
> >
> > Now, this guy copied that file from my web site. Fine -- it was up for
> > FTP. But editing my comments to *support* Neo-Nazis and leaving my name
> > is just fucking too much. I've sent him polite mail requesting a change.
> > We'll see what happens.
>
> Polite? You show more restraint than most of us would
> I suspect. Actually it is probably a good tactic for the
> first encounter.

Certainly a lot more polite than I am...

> > Cypherpunk relevance? Authentication for web pages. There's no reason
> > for a reasonable person to believe, at first glance, that I was *not*
> > the author.
>
> It is possible to PGP-clearsign web pages using comments.
> PGP's insertion of "- " before any line beginning with "-"
> might cause a problem, but you'll just have to be a little
> more careful.

What's wrong with a prominent PGP-signed notice in

's that "This
page, at URL [whatever], has a separate PGP signature at [other URL]." 
I've did that with the windows networking FAQ a few times until it just 
got to be too much trouble.

-rich





From jf_avon at citenet.net  Fri Feb  2 12:28:59 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sat, 3 Feb 1996 04:28:59 +0800
Subject: Active processes monitoring?
Message-ID: <9602021919.AA08293@cti02.citenet.net>


on feb 2 96, sunder at dorsai.org replied to me:

>On Thu, 1 Feb 1996, Jean-Francois Avon wrote:
>
>> Hi!
>> 
>> I'm running on a first generation 486 ISA 4meg ram Win 3.11
>> I use realdeal /commercial  and wipeswap.exe in an *.bat that launch Win3.11
>> How can I detect if another process is running on my system?
>> I use MEM /c in a dos window.  But is that sufficient?
>> Can a hidden process detect MEM loading and hide itself somehow?

>Mem /C doesn't do squat under 95... don't know about 3.11.... since each 
>DOS box runs in its own space, MEM /C cannot see what processes are 
>running in Windoze.

AFAIK, when I do mem /c in a dos windows, under W3.11wg, it seems to report
all processes that I expect that would be running in the machine.

It reports win something processes,
it reports realdeal, cd-rom drivers and everything (I think...)

Can anybody Wizard-type reply on this one?

Or RTFM us with the proper references...

Thanks and Regards

JFA






From fair at clock.org  Fri Feb  2 12:35:21 1996
From: fair at clock.org (Erik E. Fair (Time Keeper))
Date: Sat, 3 Feb 1996 04:35:21 +0800
Subject: Espionage-enabled Greed
Message-ID: 


This scenario has one problem: the providers have determined that large
public peering points like the CIX, NAPs, MAEs, and FIXs do not scale well,
and that for the continued health and growth of the Internet, there are
going to have to be more small, private interconnects between providers.

Put another way: if the equipment you're working with has certain limits
(let's say 100Mb/s FDDI or 45Mb/s T3/DS3 interfaces), it's better to have
more interconnects with fewer peers at each interconnect point when your
traffic potentially or actually will exceed those interface limits in
aggregate. This is being driven by the incredible growth of the Internet,
and by the fact that the customers can (and do) buy the same size pipes
into the providers that the providers themselves use for their backbones -
i.e. any such customer can potentially fill your backbone around the
section of your backbone where he connects to you. Ooops.

If you want to have fewer, large interconnects, which, incidentally, you
can monitor all the traffic passing through, you've gotta have monstrous
point-to-point bit pipes and/or LANs, and the Router/Switch From Hell to
make the traffic move. There are people trying to build such things - it's
called Asynchronous Transfer Mode (ATM), but it doesn't really work in
practice yet at high enough speeds - best you can get at the moment is OC3
(155Mb/s), which is only a trifle faster than FDDI, and the stuff is more
expensive than conventional LAN/WAN technology, so it's only being used in
small areas to prove the technology (with the hope that it really does
scale as promised, and gets cheaper). There are working examples of a fast
LAN switch in use at the public peering points: the DEC GIGAswitch (3.2Gb/s
aggregate - 16 100Mb/s FDDI ports).

Of course, you also have to build a pretty fast computer to suck down all
this traffic and analyze it, too. And we all have the ultimate laugh on
would-be eavesdroppers: IP security (read: end-to-end encryption of the
data payload of IP packets on a per peer basis), drafts for which are in
implementation phase as of the Stockholm IETF meeting (July 1995). This
leaves 'em with just traffic analysis to use on us.

Erik Fair







From sunder at dorsai.dorsai.org  Fri Feb  2 12:37:40 1996
From: sunder at dorsai.dorsai.org (Ray Arachelian)
Date: Sat, 3 Feb 1996 04:37:40 +0800
Subject: Active processes monitoring?
In-Reply-To: <9602010555.AA19695@cti02.citenet.net>
Message-ID: 


On Thu, 1 Feb 1996, Jean-Francois Avon wrote:

> Hi!
> 
> I'm running on a first generation 486 ISA 4meg ram Win 3.11
> I use realdeal /commercial  and wipeswap.exe in an *.bat that launch Win3.11
> How can I detect if another process is running on my system?
> I use MEM /c in a dos window.  But is that sufficient?
> Can a hidden process detect MEM loading and hide itself somehow?
> 
> Are there others applications like MEM that are not as universal?
> (here, I guess that such stealth behaviour have to rely on identifying the
> program being loaded, thus, a less common program has less chance of 
> being fooled)

Mem /C doesn't do squat under 95... don't know about 3.11.... since each 
DOS box runs in its own space, MEM /C cannot see what processes are 
running in Windoze.

==========================================================================
 + ^ + |  Ray Arachelian |Emptiness is loneliness, and loneliness|  _ |>
  \|/  |sunder at dorsai.org|is cleanliness  and cleanliness is god-|  \ |
<--+-->|                 |liness and god is empty,  just like me,|   \|
  /|\  |    Just Say     |intoxicated  with the maddness,  I'm in|   <|\
 + v + | "No" to the NSA!|love with my sadness.   (Pumpkins/Zero)|   <| n
===================http://www.dorsai.org/~sunder/=========================






From wilcoxb at nagina.cs.colorado.edu  Fri Feb  2 12:38:48 1996
From: wilcoxb at nagina.cs.colorado.edu (Bryce)
Date: Sat, 3 Feb 1996 04:38:48 +0800
Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...]
In-Reply-To: 
Message-ID: <199602021955.MAA01950@nagina.cs.colorado.edu>



-----BEGIN PGP SIGNED MESSAGE-----

> What's wrong with a prominent PGP-signed notice in 
's that "This
> page, at URL [whatever], has a separate PGP signature at [other URL]." 
> I've did that with the windows networking FAQ a few times until it just 
> got to be too much trouble.


That's a good idea, but I don't see any reason to sign the 
notice.  Just put a "PGP signed" logo at the bottom of the
page.  If the user clicks on it then it hrefs to a .asc
file (or is it better to have a .html file is the
signature in 
...) which contains the detached sig for
the original page.


This would also have the bonus effect of making PGP more
visible to the web-browsing public.  I'll work on this
during my.. err.. "spare time".


Bryce

                 "Toys, Tools and Technologies"
  the Niche 
        New Signal Consulting -- C++, Java, HTML, Ecash
            Bryce 
 
PGP sig follows


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMRJsP/WZSllhfG25AQEimAP+O1SJBflS+rOQZ5K9bNwJYxuzhBBgRjvR
qePJn1d+uQvBs1sHgoofu7R8DbcHX1BEyCc2YUBC0i+fSu0sR3+nYawdcj6Wem9L
WEDmspbp2TMj35v8AtUinKNqfZqfG6S9Hsb7DColCxpuvvkFTdFGNJBkqgEFHS46
gANShEspa/4=
=54jP
-----END PGP SIGNATURE-----





From adam at lighthouse.homeport.org  Fri Feb  2 12:45:39 1996
From: adam at lighthouse.homeport.org (Adam Shostack)
Date: Sat, 3 Feb 1996 04:45:39 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
In-Reply-To: <9601018232.AA823213189@snail.rsa.com>
Message-ID: <199602012351.SAA16150@homeport.org>


baldwin wrote:

|         RSA Data Security considers misappropriation of its
| intellectual property to be most serious.  Not only is this
| act a violation of law, but its publication is yet another
| abuse of the Internet.  RSA has begun an investigation and
| will proceed with appropriate action against anyone found to
| have violated its intellectual property rights.

	Out of curiosity, did your similar investigation of RC4 ever
lead anywhere?

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume






From alano at teleport.com  Fri Feb  2 12:55:23 1996
From: alano at teleport.com (Alan)
Date: Sat, 3 Feb 1996 04:55:23 +0800
Subject: Your mail
Message-ID: <199602022009.MAA08670@desiree.teleport.com>




>re: Virus site (http://www.xcitement.com/virus/) reports error 404 - no 
>such file...

To make matters worse, the code on the site was poorly written so that web wacker choked when I tried to download the site.

I guess the Grays captured the site.






From Bill.Humphries at msn.fullfeed.com  Fri Feb  2 13:02:50 1996
From: Bill.Humphries at msn.fullfeed.com (Bill Humphries)
Date: Sat, 3 Feb 1996 05:02:50 +0800
Subject: CDA as a tool (was: Re: Helping the Crypto-Clueless)
Message-ID: 


banjo, lord of the c monkeys (is that a 1,000 monkeys trying for RSA code,
12 monkeys trying for a screenplay to a Terry Gilliam film?) wrote:

>I agree:  and in addition to that [stuff deleted above], I'd like to say
>that contrary to the beliefs of some people on this list, I don't think
>the CDA is representative of a legislative body's spiteful action against
>general free speech and information; it's far too simple a motivation for
>computer-illiterate, re-election minded professional politicians.

The legislators may not have known or understood what they voted for,
however, the fact of the matter remains that there were a host of groups
(primarily the Christian Coalition) who know what the Internet can do to
prevent them from dominating public discourse and dictating policy to the
GOP. They used the congress and a press-release driven news media to get
their way.


bill.humphries at msn.fullfeed.com
(not affiliated with the Microsoft Network)
@$#! Henry Hyde, #!*% James Exon, !@$! Ralph Reed







From rah at shipwright.com  Fri Feb  2 13:05:51 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 3 Feb 1996 05:05:51 +0800
Subject: Futplex makes the news!
Message-ID: 


I just heard on WBUR (NPR) here in Boston that our own L. (I know his real
first name now...) "Futplex" McCarthy was busted by the UMASS diginarks for
putting "Nazi material" on the internet. This must be one of those
Nazi-mirrors I've been skipping articles over...

They were pretty hysterical, NPR. Maybe we should call him "FUDplex" in
honor of his newfound notoriety...

;-).

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/







From llurch at networking.stanford.edu  Fri Feb  2 13:27:07 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 05:27:07 +0800
Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...]
In-Reply-To: <199602021955.MAA01950@nagina.cs.colorado.edu>
Message-ID: 


On Fri, 2 Feb 1996, Bryce wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> > What's wrong with a prominent PGP-signed notice in 
's that "This
> > page, at URL [whatever], has a separate PGP signature at [other URL]." 
> > I've did that with the windows networking FAQ a few times until it just 
> > got to be too much trouble.
> 
> That's a good idea, but I don't see any reason to sign the 
> notice.

For the paranoid, it would be an added assurance that they are reading the
original file at the original location. Otherwise, anybody could copy the
Web page, modify it, and give it someone else's PGP signature. 

But yeah, it would look awfully silly, especially to the non-PGP-aware
public. An unobtrusive PGP logo (below) would be great, and might become
a status symbol, like those cheesy HTML validation service and Internet
Audit Bureau logos (which I have used on a few pages). 

> Just put a "PGP signed" logo at the bottom of the
> page.  If the user clicks on it then it hrefs to a .asc
> file (or is it better to have a .html file is the
> signature in 
...) which contains the detached sig for
> the original page.
> 
> This would also have the bonus effect of making PGP more
> visible to the web-browsing public.  I'll work on this
> during my.. err.. "spare time".

Yeah, I like the idea of a standardized logo. A lot.

-rich





From tony at secapl.com  Fri Feb  2 13:30:37 1996
From: tony at secapl.com (Tony Iannotti)
Date: Sat, 3 Feb 1996 05:30:37 +0800
Subject: Active processes monitoring?
In-Reply-To: <9602021919.AA08293@cti02.citenet.net>
Message-ID: 


On Fri, 2 Feb 1996, Jean-Francois Avon wrote:

> AFAIK, when I do mem /c in a dos windows, under W3.11wg, it seems to report
> all processes that I expect that would be running in the machine.
> 
> It reports win something processes,
> it reports realdeal, cd-rom drivers and everything (I think...)

No wizard I, but I think that it is showing you all programs (TSRs, drivers,
etc) loaded _before_ Windows. I do not see it showing programs loaded in
other Dos windows. (Edit, XyWrite, dBase, MSD, etc.)






From brianh at u163.wi.vp.com  Fri Feb  2 13:34:36 1996
From: brianh at u163.wi.vp.com (Brian Hills)
Date: Sat, 3 Feb 1996 05:34:36 +0800
Subject: http://www.xcitement.com/virus/
Message-ID: 


It was up yesterday. I was there, and it does have a lot of info.
> 
> re: Virus site (http://www.xcitement.com/virus/) reports error 404 - no 
> such file...
> 
> ==========================================================================
>  + ^ + |  Ray Arachelian |Emptiness is loneliness, and loneliness|  _ |>
>   \|/  |sunder at dorsai.org|is cleanliness  and cleanliness is god-|  \ |
> <--+-->|                 |liness and god is empty,  just like me,|   \|
>   /|\  |    Just Say     |intoxicated  with the maddness,  I'm in|   <|\
>  + v + | "No" to the NSA!|love with my sadness.   (Pumpkins/Zero)|   <| n
> ===================http://www.dorsai.org/~sunder/=========================
> 
> 


-- 
UNTIL WE MEET AGAIN :-)







From wlkngowl at unix.asb.com  Fri Feb  2 13:40:57 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Sat, 3 Feb 1996 05:40:57 +0800
Subject: RC2 technical questions
Message-ID: <199602022058.PAA21068@UNiX.asb.com>


On Fri, 02 Feb 96 10:02:37 PST, "baldwin at RSA.COM" wrote:

>        In a shameless attempt to move the discussion of RC2 into
>a more technical arena, here are some interesting questions to
>explore about RC2.
>                --Bob

Odd. You're from RSA.COM... It would seem that you're better able to
find these things out than the rest of us.

Make that Alleged RC2, BTW. ;)

I'm rather curious about implementing known plaintext attacks.  The
reliance on addition and anding doesn't make me feel too confident.

For example, the ciphertext produced by the input of all zeros
(plaintext) is basically the added/anded (with rolls) skey bytes.

With a bit of probabilistic analysis one could work at determining the
skey[] bytes.  Weaknesses in the key expansion may help this
further...

Rob.
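
Added example (not part of any post in this thread, and not RSADSI's code): a dependency trace of the first-pass key expansion as the thread describes it, where each expanded byte after the first N is Z = P[X + Y] with X the previous expanded byte and Y the byte N positions back. It shows how key length changes how many key bytes each expanded byte can depend on. Assumptions: the 128-byte expanded-key size is taken from RFC 2268, the table is a constructed stand-in permutation rather than the cipher's real one, the second pass of the schedule is not modelled, and all function names are hypothetical.

```python
import random

EXPANDED_LEN = 128  # assumption: 128-byte expanded key buffer, as in RFC 2268


def dependency_sets(key_len, expanded_len=EXPANDED_LEN):
    """deps[i] = user-key byte indices that expanded byte L[i] can depend on."""
    if not 1 <= key_len <= expanded_len:
        raise ValueError("key length must be 1..expanded_len bytes")
    # L[0..N-1] is the user key itself: each byte depends only on itself.
    deps = [frozenset([i]) for i in range(key_len)]
    for i in range(key_len, expanded_len):
        # L[i] = P[L[i-1] + L[i-N]] inherits the inputs of both operands.
        deps.append(deps[i - 1] | deps[i - key_len])
    return deps


def mixing_summary(key_len):
    """Summarise how well the first pass mixes a key of key_len bytes."""
    counts = [len(d) for d in dependency_sets(key_len)]
    full = [i for i, c in enumerate(counts) if c == key_len]
    return {
        "first_fully_mixed": full[0] if full else None,  # index, or None
        "fully_mixed_bytes": len(full),
        "max_inputs": max(counts),
    }


def stand_in_table(seed=0):
    """A constructed byte permutation. NOT the cipher's real table."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


def expand_first_pass(key, table, expanded_len=EXPANDED_LEN):
    """Run the first-pass recurrence with the given permutation table."""
    buf = list(key)
    n = len(key)
    for i in range(n, expanded_len):
        buf.append(table[(buf[i - 1] + buf[i - n]) & 0xFF])
    return buf


def positions_changed_by(key, index, table):
    """Flip one bit of key[index]; return the expanded positions that differ."""
    other = bytearray(key)
    other[index] ^= 0x01
    a = expand_first_pass(key, table)
    b = expand_first_pass(bytes(other), table)
    return {i for i in range(len(a)) if a[i] != b[i]}


if __name__ == "__main__":
    # 5 bytes = 40 bits, 16 bytes = 128 bits, 100 bytes = a long passphrase.
    for n in (5, 16, 64, 100):
        print(n, mixing_summary(n))
    key = bytes(range(1, 17))  # constructed sample key
    changed = positions_changed_by(key, 5, stand_in_table())
    print("key byte 5 first reaches expanded byte", min(changed - {5}))
```

For a 16-byte key the first expanded byte that can depend on every key byte is index 30; for a 100-byte key no byte of the first pass depends on more than 29 key bytes.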







From rmartin at aw.sgi.com  Fri Feb  2 13:55:43 1996
From: rmartin at aw.sgi.com (Richard Martin)
Date: Sat, 3 Feb 1996 05:55:43 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: <9602021547.ZM22167@glacius.alias.com>


-----BEGIN PGP SIGNED MESSAGE-----

http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F033%2Freg%2Fag052102

Is an AP report on the at-home censorship.

richard

- --
Richard Martin
Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team]
rmartin at aw.sgi.com/g4frodo at cdf.toronto.edu      http://www.io.org/~samwise
Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRJ4AR1gtCYLvIJ1AQFIrgQAnYnAAG0b+PU5IGUxBYI6ufcNzaaR4y5v
bsd7FS1uUSnATWuEXPEPgx1rtRRLgzIID5JoDMK9tcOAjIVts0OdJMMVE+ZVux4E
b+FijVRRaoelyOgbyPHUzr1E2e2oEhbNV8fKfAiaivaKR32FXDHxIJnHghRYlLDZ
M0keLCHcMTc=
=YCtp
-----END PGP SIGNATURE-----






From jrochkin at cs.oberlin.edu  Fri Feb  2 14:18:26 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Sat, 3 Feb 1996 06:18:26 +0800
Subject: cypherpunks press
Message-ID: 


The 29 January New Yorker has an article "Hackworm" that discusses the
Mitnick-Shimomura-Markoff echoing cypherpunks' lack of sympathy for the
Markoff-Shimomura P.R. extravaganza.  Article ends mentioning cypherpunks
and John Gilmore specifically, discussion of crypto politics, while not
entirely toe-ing the cypherpunks party line, an enhearteningly informed and
rational treatment.

[An altavista search reveals the New Yorker is at
http://www.enews.com/magazines/new_yorker/, but they don't seem to put the
entire issue online, and parts of the 15 January issue is what you get when
you click on "current issue"]







From Jeremym at area1s220.residence.gatech.edu  Fri Feb  2 14:26:29 1996
From: Jeremym at area1s220.residence.gatech.edu (Jeremy Mineweaser)
Date: Sat, 3 Feb 1996 06:26:29 +0800
Subject: Active processes monitoring?
Message-ID: <2.2.32.19960202210108.00ec2df4@area1s220.residence.gatech.edu>


At 01:59 PM 2/2/96 -0500, you wrote:
>
>> Are there others applications like MEM that are not as universal?
>> (here, I guess that such stealth behaviour have to rely on identifying the
>> program being loaded, thus, a less common program has less chance of 
>> being fooled)
>
>Mem /C doesn't do squat under 95... don't know about 3.11.... since each 
>DOS box runs in its own space, MEM /C cannot see what processes are 
>running in Windoze.

There are a number of process viewing applications available for Win95/NT.
I use two of them: one is called pstat.exe and the other is ps.exe.  Both of them
show most of the visible processes running.  ps does not show running services,
but pstat does.  Both of them are available at

ftp://csa.gt.ed.net


Jeremy
---
   Jeremy Mineweaser     | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$
 j.mineweaser at ieee.org   | L+>++ E-(---)  W++ N+  !o-- K+>++  w+(++++) O-  M--
                         | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+()
    *ai*vr*vx*crypto*    | tv(+)  b++>+++ DI+(++)  D+  G++ e>+++  h-() r-@ !y-






From rah at shipwright.com  Fri Feb  2 14:32:13 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 3 Feb 1996 06:32:13 +0800
Subject: Futplex makes the news!
Message-ID: 


>I just heard on WBUR (NPR) here in Boston that our own L. (I know his real
>first name now...) "Futplex" McCarthy was busted by the UMASS diginarks for
>putting "Nazi material" on the internet. This must be one of those
>Nazi-mirrors I've been skipping articles over...

So, the "expanded version" of the story says that it was a nazi-mirror, and
FUDless verbiage why Futplex did it, and that UMASS Amherst said they didn't
want "Political messages" on their web-server, so they booted Futplex.

LOL! The most Politically Correct university in the universe doesn't want
"Political messages" on their web server!

The ganglia twitch...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/







From mpd at netcom.com  Fri Feb  2 14:32:23 1996
From: mpd at netcom.com (Mike Duvos)
Date: Sat, 3 Feb 1996 06:32:23 +0800
Subject: Futplex makes the news!
Message-ID: <199602022119.NAA29620@ix6.ix.netcom.com>


rah at shipwright.com (Robert Hettinga) wrote:

 > I just heard on WBUR (NPR) here in Boston that our own L. (I 
 > know his real first name now...) "Futplex" McCarthy was busted
 > by the UMASS diginarks for putting "Nazi material" on the 
 > internet. This must be one of those Nazi-mirrors I've been 
 > skipping articles over...

Horrors.  

We seem to be discovering more and more side effects from the 
defense of free speech for the unpopular.  The Holocausta Nostra
is cheering wildly at the opportunity to present the works of
Mr. Zundel under a banner reading "Nazi Scum".  Zundelsites are
being set up by people whose views are so disgusting they probably
offend even Mr. Zundel himself.  And now our very own "Futplex" 
will have to live the rest of his life branded as an electronic
distributor of "hate literature" by the forces of political
correctness at UMASS.  

It may be time to regroup and take inventory of what we are 
supposedly trying to accomplish here. 

--
X-Signature: Mike Duvos
X-Signature-File: c:\netcom\mail.sig


On a completely different note, which I am appending so as to waste
as little bandwidth as possible, Cypherpunks messages to my netcom
account stopped dead two days ago, and I am getting no response from
either majordomo at toad.com or cypherpunks-owner at toad.com.  

I am currently reading the list quite nicely on 

        news://news.hks.net/hks.lists.cypherpunks

using Netscape so it really isn't a big deal, but I was just curious
if there was a routing problem or some other Net glitch.

Please EMAIL any replies. 







From sandfort at crl.com  Fri Feb  2 14:40:16 1996
From: sandfort at crl.com (Sandy Sandfort)
Date: Sat, 3 Feb 1996 06:40:16 +0800
Subject: FEBRUARY MEETING
In-Reply-To: <311274f5.248877750@mailhost.primenet.com>
Message-ID: 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                          SANDY SANDFORT
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

Gary Edstrom pointed out to me that I forgot a minor detail about
the upcoming meeting and party--the date.  

They will be on Saturday 10 February.

Sorry about that.


 S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






From lmccarth at cs.umass.edu  Fri Feb  2 14:57:15 1996
From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu)
Date: Sat, 3 Feb 1996 06:57:15 +0800
Subject: [NOISE] Futplex makes the news!
In-Reply-To: 
Message-ID: <199602022124.QAA03337@thor.cs.umass.edu>


-----BEGIN PGP SIGNED MESSAGE-----

Bob Hettinga writes:
> So, the "expanded version" of the story says that it was a nazi-mirror, and
> FUDless verbiage why Futplex did it, and that UMASS Amherst said they didn't
> want "Political messages" on their web-server, so they booted Futplex.

Just to be clear, I haven't been expelled or suspended from the school, and
I have not been notified of any kind of pending disciplinary action against
me. The pages are indeed gone, however.

Lewis "Futplex" McCarthy, checking in from Rumor Control Central






From perry at piermont.com  Fri Feb  2 14:58:56 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sat, 3 Feb 1996 06:58:56 +0800
Subject: cypherpunks press
In-Reply-To: 
Message-ID: <199602022111.QAA12320@jekyll.piermont.com>



Jonathan Rochkind writes:
> The 29 January New Yorker has an article "Hackworm" that discusses the
> Mitnick-Shimomura-Markoff echoing cypherpunks' lack of sympathy for the
> Markoff-Shimomura P.R. extravaganza.  Article ends mentioning cypherpunks
> and John Gilmore specifically, discussion of crypto politics, while not
> entirely toe-ing the cypherpunks party line, an enhearteningly informed and
> rational treatment.

Could someone please explain to me why Mitnick is a cypherpunk issue?
Myself, I have neither sympathy nor lack of sympathy for the
Markoff-Shimomura "pr extravaganza", see no "cypherpunk" opinion on
the subject, and don't see any reason we should, as a group, discuss
or care about the topic.

Perry





From nsb at nsb.fv.com  Fri Feb  2 15:07:14 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sat, 3 Feb 1996 07:07:14 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601292111.AA23738@toad.com>
Message-ID: 


I know people are tired of hearing from me, but I can't let *this* go
unchallenged:

Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
"Paul M. Cardon"@fnbc.co (580*)

> Interesting address that was used to reach me.

> To: pmarc at nsb.fv.com
> To: pmarc

> Somehow, both reached me from within their system, but if they  
> can't configure their e-mail to show the proper address then I don't  
> have too much faith in their other abilities.  I don't imagine that  
> anybody else would have much luck replying to either of those or CAN  
> I now receive mail at nsb.fv.com?  Is this a new free service  
> provided by FV?

Bogus mail addresses of that kind are typically added by all sorts of
mail relays.  In other words, although I can't tell you 100% for certain
without seeing the mail headers, the scenario underlying this was
probably something involving a bogus mail relay.  Alternately, there are
some systems where this could have all happened entirely on your end, in
your delivery software.  There are a zillion ways this can happen,
actually.  I've checked my archive, and that address definitely was not
in the mail when it left my system.

I can guarantee you that it wasn't our system that did this.  If there's
one thing we know cold, it's email.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Fri Feb  2 15:17:56 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sat, 3 Feb 1996 07:17:56 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: 
Message-ID: 


Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal F..
Weld Pond at l0pht.com (1503*)

> Here is an example of an imagemap for secure number entry.

> http://www.l0pht.com/~weld/numbers.html

I *really* like this example.  That's because it demonstrates so clearly
the security/usability tradeoff that I keep trying to hammer home to
people.

Yes, with something like this -- and a LOT of variation, so it wasn't
the same every time -- you could avoid an attack like ours.  But you'd
also have a user interface that was virtually unusable.  The focus of
the attack we outlined was one particular, naive approach to Internet
commerce that sacrificed a lot of security for usability.  If the net
result of what we've done is to force them to find a better balance, it
was well worth the effort.

Or, to put it another way, I'm not too worried about competing with
software-encrypted credit card numbers if they use an imagemap technique
like the one you've outlined.
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From foner at media.mit.edu  Fri Feb  2 15:21:16 1996
From: foner at media.mit.edu (Leonard N. Foner)
Date: Sat, 3 Feb 1996 07:21:16 +0800
Subject: Call for Demos at Computers, Freedom, and Privacy '96
Message-ID: <9602022139.AA20052@out-of-band.media.mit.edu>


Since 1991, the Computers, Freedom, and Privacy conference has brought
together experts and advocates from the fields of computer science, law,
business, public policy, law enforcement, government, and many other areas
to explore how computer and telecommunications technologies are affecting
freedom and privacy.

This year, for the first time, it's happening at MIT.  I'm helping to
coordinate a Technology Fair of interesting demos related to CFP's themes,
and I'm soliciting people for neat things they'd like to show.

If you think you have something you'd like to demo, please let me know.
For more information about the conference, you might want to check out
  http://www-swiss.ai.mit.edu/~switz/cfp96/
and for information about the demos themselves (including telling us what
items you may need us to provide), you should check out
  http://www-swiss.ai.mit.edu/~switz/cfp96/call-for-demos.html

Some examples to get you thinking:
. A demonstration of anonymous remailers?
. A demonstration of NFS packet substitution on the wire?
. Real-time Netscape key-breaking?
. A bake-off between some individuals or companies to see who can find out
  the most dirt on someone the fastest?
. Something else?

Remember, a lot of the things that Cypherpunks take for granted are
relatively unknown even to the type of crowd that goes to CFP; this could
be your chance to raise some awareness on these issues, show reporters what
can _really_ be done, and so forth.

If you'd like to demo (or even if you're just thinking about), please send
me mail as soon as possible so we can have time to plan.  Thanks!





From jf_avon at citenet.net  Fri Feb  2 15:25:18 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sat, 3 Feb 1996 07:25:18 +0800
Subject: PGP "official" logo?
Message-ID: <9602022143.AA16479@cti02.citenet.net>


>On Fri, 2 Feb 1996, somebody wrote

>> Just put a "PGP signed" logo 
>> This would also have the bonus effect of making PGP more
>> visible to the web-browsing public.  I'll work on this
>> during my.. err.. "spare time".

and somebody replied:

>Yeah, I like the idea of a standardized logo. A lot.

Me too...

Some ideas:

 - ask Phil Z. if he ever devised a PGP logo.
 - a PGP logo design contest (the prize would be eternal glory
      and gratitude from all CPunks)
     In this latter case, the winner might be decided by:
          - a jury (presided by Phil Z. ?)
          - a vote of CPunks

I think it would not do any good if everybody used their own logo.

JFA






From nsb at nsb.fv.com  Fri Feb  2 15:33:24 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sat, 3 Feb 1996 07:33:24 +0800
Subject: Delusional
In-Reply-To: <9601301325.AA17030@sulphur.osf.org>
Message-ID: 


Excerpts from mail.cypherpunks: 30-Jan-96 Delusional Rich Salz at osf.org (752)

> You're disagreeing that I invented safe-tcl?  You disagree that I sent
> you and Ousterhout the very first message that said I want to strip out
> the dangerous commands?

That's not the way I remember it at all, but I'd be interested in seeing
the archives.  My recollection was that it was invented over breakfast
at an IETF meeting (the Columbus one???  I'm not sure) and that Dave
Crocker and Einar Stefferud were also there, along with Marshall and I. 
If I'm misremembering, I apologize.  Honestly.  

> You're disagreeing that without enabled mail FV would probably
> not have happened?

Except for the fact that they provided prior evidence that Marshall & I
could work together, I'm not sure how it's relevant.  Yes, we used
safe-tcl to implement our server, but any number of other languages
would have sufficed.... -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From bjohnson at nym.alias.net  Fri Feb  2 15:40:16 1996
From: bjohnson at nym.alias.net (bjohnson at nym.alias.net)
Date: Sat, 3 Feb 1996 07:40:16 +0800
Subject: Proxies
Message-ID: <199602022146.PAA10881@vishnu.alias.net>


I keep hearing references to 'proxies' as a method of anonymity.  The only information that I've been able to find, deals with firewalls on networked systems.

Are 'proxies' applicable to personal PCs using browsers, such as Netscape?

Would appreciate any info or leads to information sources.

Thanks in advance,
bjohnson at nym.alias.net






From pmarc at fnbc.com  Fri Feb  2 15:40:21 1996
From: pmarc at fnbc.com (Paul M. Cardon)
Date: Sat, 3 Feb 1996 07:40:21 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601292111.AA23738@toad.com>
Message-ID: <199602022142.PAA10232@abraxas.fnbc.com>


My mailer insists that Nathaniel Borenstein wrote:
> I know people are tired of hearing from me, but I can't let *this*
> go unchallenged:
>
> Excerpts from mail.cypherpunks: 30-Jan-96 Re: FV Demonstrates Fatal
> F.. "Paul M. Cardon"@fnbc.co (580*)
>
> > Interesting address that was used to reach me.
>
> > To: pmarc at nsb.fv.com To: pmarc
>
> > Somehow, both reached me from within their system, but if they
> > can't configure their e-mail to show the proper address then I
> > don't have too much faith in their other abilities. I don't
> > imagine that anybody else would have much luck replying to either
> > of those or CAN I now receive mail at nsb.fv.com? Is this a new
> > free service provided by FV?
>
> Bogus mail addresses of that kind are typically added by all sorts
> of mail relays. In other words, although I can't tell you 100% for
> certain without seeing the mail headers, the scenario underlying
> this was probably something involving a bogus mail relay.
> Alternately, there are some systems where this could have all
> happened entirely on your end, in your delivery software. There are
> a zillion ways this can happen, actually. I've checked my archive,
> and that address definitely was not in the mail when it left my
> system.

You like that zillion word when you can't quantify something.

> I can guarantee you that it wasn't our system that did this. If
> there's one thing we know cold, it's email.

C'mon Nathan.  It was in the Received headers generated at your  
end.  I agree that it COULD have happened on our end, but it didn't.  
 I've never seen anybody with such an arrogant attitude.  BTW, it  
looks like it has been fixed now.  :-b

---
Paul M. Cardon

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e





From jpp at software.net  Fri Feb  2 15:44:17 1996
From: jpp at software.net (John Pettitt)
Date: Sat, 3 Feb 1996 07:44:17 +0800
Subject: RSA disappears :-)
Message-ID: <2.2.32.19960202212818.016da488@mail.software.net>


rsa.com disappeared from the net!  The only valid nameserver for rsa.com is
rsa.com and since its net connection is down anybody trying to talk to
www.rsa.com or send mail to rsa is getting host not found errors.

:-)


--
John Pettitt
email:         jpettitt at well.sf.ca.us (home)
               jpp at software.net       (work)    







From jrochkin at cs.oberlin.edu  Fri Feb  2 15:49:01 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Sat, 3 Feb 1996 07:49:01 +0800
Subject: cypherpunks press
Message-ID: 


>Jonathan Rochkind writes:
>> The 29 January New Yorker has an article "Hackworm" that discusses the
>> Mitnick-Shimomura-Markoff echoing cypherpunks' lack of sympathy for the
>> Markoff-Shimomura P.R. extravaganza.  Article ends mentioning cypherpunks
>> and John Gilmore specifically, discussion of crypto politics, while not
>> entirely toe-ing the cypherpunks party line, an enhearteningly informed and
>> rational treatment.
>
>Could someone please explain to me why Mitnick is a cypherpunk issue?
>Myself, I have neither sympathy nor lack of sympathy for the
>Markoff-Shimomura "pr extravaganza", see no "cypherpunk" opinion on
>the subject, and don't see any reason we should, as a group, discuss
>or care about the topic.
>
>Perry

The article mentions the cypherpunks, and spends a couple pages discussing
crypto politics and internet security issues.  Like I said, I found it an
unusually well-informed article for the conventional press.  I thought
other cypherpunks list members would be interested in a pointer to it, both
because it discusses the cypherpunks list and because it discusses crypto
politics in a fairly intelligent manner.  And, yes, because it was also
about Mitnick-Markoff-Shimomura, and despite your constant protests that it
isn't a cypherpunks issue, I know that many on the list disagree and are
interested in the issue (and have opinions about it, individually; of
course there is no group mind 'cypherpunks opinion'.)  And, also, because I
think media analysis and issues of what the media is doing and how it works
are 'cypherpunks issues'--that is, issues with a direct relationship to the
crypto issues often discussed here, and which a large proportion of list
members are interested in discussing and hearing about.

I don't see why you, Perry, are the arbiter of what is and is not a
'cypherpunk issue'--if there are lots of people interested in discussing a
certain issue or type of issue on the list, it's going to be discussed.
All you can do is increase the noise on the list even further by constantly
complaining about it.   Which you seem to enjoy, so go ahead, I guess.







From tcmay at got.net  Fri Feb  2 16:02:50 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 08:02:50 +0800
Subject: Futplex makes the news!
Message-ID: 


At 8:47 PM 2/2/96, Richard Martin wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F033%2Fre
>g%2Fag052102
>
>Is an AP report on the at-home censorship.

Many thanks for providing this, Richard! I just read it, and it worries me.

If UMass has yielded, the prominently mentioned CMU and Stanford sites may
be prompted to do exactly the same thing. This will "prove" to the Germans
that they did the right thing, and be a blow in _favor_ of suppression of
speech.

I hope some other sites have the mirrored material and are not reeds in the
wind as at least one university is.

(Did I hear correctly that Futplex has "volunteered" to perform 500 hours
of community service at the Simon Wiesenthal Center's Boston office? And
that he has volunteered to attend 50 hours of sensitivity training? Or am
I thinking of Cornell?)

Not to make light of this sorry episode, you understand. But my guess is
that unless Futplex immediately begins to grovel to the campus bigshots and
explain how his judgment was impaired by exposure to fascist Cypherpunks,
that his days at UMass as a grad student are numbered. This is the way
universities seem to handle these things.

--Tim, who hopes he's wrong....

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From andrew_loewenstern at il.us.swissbank.com  Fri Feb  2 16:21:27 1996
From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern)
Date: Sat, 3 Feb 1996 08:21:27 +0800
Subject: PGP "official" logo? (a.k.a. the Return of the Logo Wars)
In-Reply-To: <9602022143.AA16479@cti02.citenet.net>
Message-ID: <9602022227.AA01627@ch1d157nwk>


JF Avon (jf_avon at citenet.net), in a fit of creativity, writes:
> Some ideas:
>
>  - ask Phil Z. if he ever devised a PGP logo.
>  - a PGP logo design contest (the prize would be eternal glory
>       and gratitude from all CPunks)
>      In this latter case, the winner might be decided by:
>           - a jury (presided by Phil Z. ?)
>           - a vote of CPunks

If you consult the archives you will find the decayed remains of many  
cypherpunks whose blood was shed in the "Logo Wars" of years past.

Instead of having another logo war on the mailing list and having to shout  
over the din of accounts and subjects hitting the bottom of subscriber's kill  
files, I'll sum it up for you:  If you have a cool logo, put it on your own web  
pages (or get someone to put it on theirs).  Then post the URL on the mailing  
list.  If others like it they will use it.  Welcome to anarchy.

Forget contests (unless you want to pony up the prizes and the judges), forget  
voting, forget juries presided by PRZ (he has more important things to do...),  
forget trying to get a consensus on the mailing list...  Still, if you feel  
you must select a logo in public, set up your own mailing list for discussing  
the logo...

> I think it would not do any good if everybody used their own logo.

I doubt that there will be a large number of logos produced (if any...).  If  
one person comes up with a logo that is obviously better than all the rest then  
people will use it.  If nobody puts logos on their pages then it probably  
wasn't meant to be.


andrew





From bal at martigny.ai.mit.edu  Fri Feb  2 16:31:03 1996
From: bal at martigny.ai.mit.edu (Brian A. LaMacchia)
Date: Sat, 3 Feb 1996 08:31:03 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: <9602022229.AA11435@toad.com>


   Date: Fri, 2 Feb 1996 15:34:24 -0800
   X-Sender: tcmay at mail.got.net
   Mime-Version: 1.0
   Content-Type: text/plain; charset="us-ascii"
   From: tcmay at got.net (Timothy C. May)
   Sender: owner-cypherpunks at toad.com
   Precedence: bulk

   If UMass has yielded, the prominently mentioned CMU and Stanford sites may
   be prompted to do exactly the same thing. This will "prove" to the Germans
   that they did the right thing, and be a blow in _favor_ of suppression of
   speech.

I just heard the latest version of this story on WBZ radio here in
Boston.  The report quoted the chairman of the CS dept. at UMass; his
claim is that Futplex's distribution of the material was clearly a
"political act" and thus not an appropriate use of computing resources
funded by public tax dollars.  The report clearly stated that Futplex's
actions were taken to protest German censorship.

Immediately after this story WBZ reported that Germany is now
investigating AOL for possible distributions of banned material.

					--bal






From EALLENSMITH at ocelot.Rutgers.EDU  Fri Feb  2 16:36:26 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sat, 3 Feb 1996 08:36:26 +0800
Subject: Just what the Internet needs right now...
Message-ID: <01I0QVJK2WDSA0UTJS@mbcl.rutgers.edu>


	I'll try to see if I can find some bomb-making information from a
non-US web site; it may help in counterarguments. Given that I'm still not
that good at searching, it would be nice if someone else could locate it also.
	-Allen

Reuters New Media
   
   _ Friday February 2 4:54 PM EST _
   
Boys Arrested for Plotting Bomb

   
   
   NEW YORK (Reuter) - Three 13-year-old boys have been accused of
   plotting to blow up their school after learning how to build a bomb
   over the Internet, police said Friday.
   
   The boys were arrested Wednesday after other students at Pine Grove
   Junior High School in Minoa, New York, heard rumors of their plans and
   police were alerted, said Capt. William Bleyle of the nearby Manlius
   police department.
   
[...]

   One of the boys, believed to be the ringleader, admitted to police
   that the three eighth graders learned how to build the bomb from
   instructions they found on the Internet, the global network accessible
   from home computers.
   
   ``The information is very easy to find,'' Bleyle said. ''It's at your
   fingertips. They just called it up.''
   
   He said police found diesel fuel, a bag of fertilizer and other items
   -- the basic materials to build a bomb-- at the first boy's house.
   
   The boys found the information using a computer at home, not at
   school, said Gary Minns, superintendent of the East Syracuse-Minoa
   school district, about 250 miles northwest of New York City. The
   school is not hooked up to the Internet but had been considering it,
   he said.
   
   ``It goes way beyond what we would consider a prank,'' Minns said.
   ``Especially from Oklahoma City and the knowledge and awareness of the
   devastation these things can cause, to think they were even
   considering doing this type of thing is extremely disturbing.''
   
[...]

   The three boys had built and tested a bomb in a field behind an
   elementary school, Bleyle said. That bomb caught fire but did not
   explode. All three, who are being charged as juveniles, are accused of
   conspiracy, he said. They have been suspended from school.
   
   Police were still investigating their motives, Bleyle said, adding
   ``It was definitely to effect destruction on the school. It was not an
   idle threat. There was actual intent to carry this through. The
   destruction could have been enormous.''





From tcmay at got.net  Fri Feb  2 16:36:51 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 08:36:51 +0800
Subject: PGP "official" logo?
Message-ID: 


At 9:37 PM 2/2/96, jf_avon at citenet.net (Jean-Francois Avon (JFA
Technologies, QC, wrote:

>Me too...
>
>Some ideas:
>
> - ask Phil Z. if he ever devised a PGP logo.
> - a PGP logo design contest (the prize would be eternal glory
>      and gratitude from all CPunks)
>     In this latter case, the winner might be decided by:
>          - a jury (presided by Phil Z. ?)
>          - a vote of CPunks

I realize that Phil Z. is an "icon" to many people, but icons sometimes are
overrated. In this context, I mean symbolic icons, or logos, e.g., little
pictures.

Why is an icon or logo preferable to "Begin PGP signed..."? The little
rose, or chevrons, or escutcheons, or whatever, then have to be explained
to people. "PGP" is actually its own best logo.

(There is also the important point that most uses of PGP are in
primarily-ASCII settings, in e-mail. Yes, I know that MIME and whatnot can
support graphics, but such uses are rare. Look at this mailing list, and
Usenet, for examples of how most messages are composed. I routinely delete
all messages that have "attachments converted" to them, and others have
told me they do the same thing.)

Logos and signs typically are useful to attract customers from afar, as
with roadside signs, or to establish consumer preference. In the case of
PGP, neither situation seems especially germane.

Finally, the idea of a "contest" and a "vote" comes up once again. Being an
anarchy, no one is stopping anyone from attaching logos to their articles.
But I can't imagine a "vote of CPunks."

--Tim


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From tcmay at got.net  Fri Feb  2 16:43:08 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 08:43:08 +0800
Subject: Proxies
Message-ID: 


At 9:46 PM 2/2/96, bjohnson at nym.alias.net wrote:
>I keep hearing references to 'proxies' as a method of anonymity.  The only
>information that I've been able to find, deals with firewalls on networked
>systems.
>
>Are 'proxies' applicable to personal PCs using browsers, such as Netscape?
>
>Would appreciate any info or leads to information sources.

A quick look with Alta Vista for the string "web proxy" reveals 25 articles
on Usenet and 200 on the Web, with some of them containing further
pointers, definitions, and other helpful information.

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From somogyi at digmedia.com  Fri Feb  2 16:43:41 1996
From: somogyi at digmedia.com (Stephan Somogyi)
Date: Sat, 3 Feb 1996 08:43:41 +0800
Subject: Looking for GSM A5 info
Message-ID: 


I'm looking for information about the A5 encryption algorithm used in
GSM phones. Specifically:

- How does the algorithm work and is its encryption methodology similar
to any other well-known algorithms?

- Is A5's implementation mandatory to produce a world-wide
interoperable GSM device?

- What are the variants of A5 (there was some discussion of less secure
versions), how do they differ, and where are they used?

- Are there any known weaknesses in or attacks on A5-encrypted GSM
conversations?

- Are there notable instances where GSM deployment was delayed or
halted due to A5? (I remember hearing that such a delay happened in
Australia, but I don't recall details.)

Any related information, or pointers to related information,
appreciated greatly.

________________________________________________________________________
Stephan Somogyi                Mr Gyroscope                Digital Media







From llurch at networking.stanford.edu  Fri Feb  2 17:00:38 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 09:00:38 +0800
Subject: Ways around "censorship" of Nazi Zundelsite (fwd)
Message-ID: 


Similar notes have been posted to the newsgroups and faxed to a number of
press critters in Germany, Canada, and the US. The Ottawa Times is
probably going to be the first out with a reasonably in-depth story. If
you have something of import to say, I'll give you the reporter's number. 

We won already. OK? I believe even the Wiesenthal Center is waking up to
the fact that the only acceptable and effective way to deal with evil
lies in the modern age is by drawing them into the open and smothering
them with the truth. They should have a statement shortly. 

Share and enjoy.

-rich

---------- Forwarded message ----------
Date: Thu, 1 Feb 1996 12:34:42 -0800 (PST)
From: Rich Graves 
To: declan at eff.org, fight-censorship+ at andrew.cmu.edu, haggaik at leland
Subject: Ways around WebCom censorship of Zundelsite (fwd)

-----BEGIN PGP SIGNED MESSAGE-----

Declan et al, I sent the enclosed to the white supremacists' moderated
mailing list in order to foster the free flow of information, and Don
Black approved it for distribution. Now they all know about all the 
mirrors. 

Since there is no longer any censorship, and since Zundel has released a 
press release about how "major universities have come to his defence" 
against this Zionist repression, I believe it would be appropriate to 
express our true feelings now. Of course copyright and good taste 
dictate that his pages remain on the Web completely unedited, but I see 
no reason for them to be the only thing there.

I would recommend adding a link to the following additional publications
of Zundel's, which were similarly "censored": 

 http://www.almanac.bc.ca/hweb/people/z/zundel-ernst/flying-saucers/

To prevent the saving of bookmarks within his site, I further recommend
moving his pages into a subdirectory with a name that changes from time to
time, as I have done. 

I apologize for blowing up at Declan. The link text from my page to his
again reads, in part: "My friend Declan's page has some more developed
ideas, most but not all of which I agree with. He has more time for this." 

- -rich

- ---------- Forwarded message ----------
Date: Thu, 1 Feb 1996 00:55:06 GMT
From: Stormfront-l 
To: rich at c2.org
Subject: Ways around WebCom censorship of Zundelsite

From: Rich Graves 
Date: Wed, 31 Jan 1996 16:55:06 -0800 (PST)
Subject: Ways around WebCom censorship of Zundelsite
 
You might want to consider this on your own sites. An IP filter is no 
good if the IP address changes.
 
I would also suggest holding your own press conference on February 28th.
 
- ---------- Forwarded message ----------
Date: Wed, 31 Jan 1996 15:52:37 -0800 (PST)
From: Declan
To: Fight Censorship Mailing List ,
Subject: Re: A possible (though unlikely) easy way around WebCom censorship
 
On Wed, 31 Jan 1996, Declan B. McCullagh wrote:
> The attached TELECOM Digest message mentions assigning a new IP address
> to WebCom's web server, which would defeat the current block.
 
Thomas Leavitt from WebCom tells me that Telekom has blocked all accesses
to hosts within the webcom.com domain, though WiN has not. 
 
Apparently Spiegel TV is interested in reporting on this. One of their
reporters told me that the AntiDefamation League in NYC has been compiling
a list of offensive resources (primarily web pages, I think) on the
Internet. 
 
They're going to hold a press conference on February 28 to "demand reduced
access" to this material. 
 
- -Declan
 
- ---------- Forwarded message ----------
Anyway, this is all moot, because there are so many holes in the 
censorship curtain. See the full list of mirror sites and supplemental 
documentation at any of the following, all accessible from any computer 
in Germany:
 
http://web.mit.edu/afs/athena.mit.edu/contrib/bitbucket2/zundel/censorship.html
http://www.cs.cmu.edu/afs/cs/user/declan/www/Not_By_Me_Not_My_Views/censorship.html
http://www.cs.cmu.edu/afs/cs/user/declan/www/Not_By_Me_Not_My_Views/censorship.html
http://web.mit.edu/afs/cs.cmu.edu/user/declan/www/Not_By_Me_Not_My_Views/censorship.html
 
The Berlin Wall has fallen.
 
Next stop, the Great Firewall of China.

- ------------------------------------------------------------------------
To: Multiple recipients of the Stormfront-L Mailing List
Host: don.black at stormfront.org (Don Black)
To unsubscribe, send e-mail to 'listserv at stormfront.org' with the
line 'unsubscribe Stormfront-L' in the message BODY, not the subject.
- ------------------------------------------------------------------------

- -----
Processed with Listserv v2.77 for Wildcat v4

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----







From jonl at well.com  Fri Feb  2 17:08:25 1996
From: jonl at well.com (Jon Lebkowsky)
Date: Sat, 3 Feb 1996 09:08:25 +0800
Subject: Denning's misleading statements
In-Reply-To: <199602010308.WAA27249@pipe2.nyc.pipeline.com>
Message-ID: <199602022316.PAA12911@well.com>


> Responding to msg by jonl at well.com (Jon Lebkowsky) on Wed, 31 
> Jan  6:34 PM
> 
> 
> >Definitely! I wonder who we could get from the FBI??
> 
> 
>    Try for Al Bayse, formerly assistant director of the FBI's
>    Technical Services Division and its long-time senior
>    technology expert. Here's a quote from David Burnham's new
>    book, "Above the Law:"
> 
>       Al Bayse, whom FBI documents suggest has been involved
>       in the Clipper since its inception, was ecstatic about
>       its inception. Shortly before the White House announced
>       the project to reporters, he telephoned the three
>       leading security experts in the academic world --
>       Dorothy Denning of Georgetown University, Lance Hoffman
>       of George Washington University and Peter Neumann of SRI
>       International -- and informed them that the FBI's
>       problem had been solved. (p. 150)
> 
>    Burnham claims that because Bayse shaped and directed the
>    FBI's investigative technologies from the late 1970s to the
>    mid-1990s he "may well be the nation's single most
>    influential law enforcement official since J. Edgar
>    Hoover." (p. 136)

Is he online? I need his email address, and Denning's.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jon Lebkowsky                  http://www.well.com/~jonl
Host, Electronic Frontiers Forum, 7PM PST 9PM CST Thursdays
  at Club Wired 
Vice President, EFF-Austin 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=






From jrochkin at cs.oberlin.edu  Fri Feb  2 17:19:16 1996
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Sat, 3 Feb 1996 09:19:16 +0800
Subject: Futplex makes the news!
Message-ID: 


At 1:17 PM 02/02/96, Mike Duvos wrote:
>We seem to be discovering more and more side effects from the
>defense of free speech for the unpopular.  The Holocausta Nostra
>is cheering wildly at the opportunity to present the works of
>Mr. Zundel under a banner reading "Nazi Scum".  Zundelsites are
>being set up by people whose views are so disgusting they probably
>offend even Mr. Zundel himself.  And now our very own "Futplex"
>will have to live the rest of his life branded as a electronic
>distributor of "hate literature" by the forces of political
>correctness at UMASS.
>
>It may be time to regroup and take inventory of what we are
>supposedly trying to accomplish here.

The AP article on the net that someone referenced for us before
(http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F033%2Freg%2Fag052102),
fortunately portrays Futplex M accurately as a principled
free speech crusader, rather than a Nazi, with a few good quotes from F
(nice job Futplex!).     [And Rich Graves should be pleased to see his name
gets mentioned _before_ Declan's.  snork.]   I hope he doesn't get into too
much trouble with UMASS, but I suspect he won't--after he gets called a
"free speech activist" on the AP wire, umass is going to look really bad
punishing him for his activism.   [I guess they've already told him he has
to take it down, but it served its purpose anyway].

I think the whole endeavor was a resounding success, and I wish I had been
on the ball enough to participate in it.  So, nazi weirdos even worse than
Zundel have appropriated his views--only goes to show that when you try to
censor something (on the net especially--but this has always been true to
some extent, and you can frequently hear ACLU types worthily propagandizing
it), all you do is end up giving it free publicity.  So what if the
'holocost nostra' is delighting in calling Zundel "nazi scum", or whatever.
I haven't read his stuff, so I don't know if I think him deserving of that
title or not, but they can certainly exercise their freedom of speech in
saying so. (Although if they're not careful I suppose Zundel could exercise
his freedom of filing a libel lawsuit against them).

The important thing is that Rich, Declan, Futplex, and anyone else
participating showed the world that censorship on the internet, if not
impossible, is at least a good deal more difficult than people thought.
And,  just as importantly, that they defeated this individual act of
censorship thoroughly.  (Yes, I think participating in the defeat of
censorship is worthy even when it's nazi stuff you're protecting.  A
'banned sites' page on the WWW would be a great thing, even if it contained
a majority of links to neo-nazi propaganda.  If censorship attempts
continue, one of us ought to make such a site--and, of course, mirror it
throughout the universe).

[ Thought--if Germany was blocking sites that contained pornography
instead, not only would Rich/Declan/Futplex probably have been more
reluctant to mirror it, but they probably would have gotten in legal
trouble for doing so, even in the U.S.  And, of course, would have brought
their web servers to a standstill as the entire world tried to get erotic
pictures from their sites.  And the AP article probably wouldn't have been
so kind.   It's ironic and sad that in 1996 America, pictures of people
having sex are more dangerous contraband than is anti-Semitic propaganda.]







From jcobb at ahcbsd1.ovnet.com  Fri Feb  2 17:23:43 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sat, 3 Feb 1996 09:23:43 +0800
Subject: Gleeful Prosecutors, Happy AOL
Message-ID: 


 
 
  Friend, 
 
 
        A 02 02 96 Associated Press newsstory 
        ------------------------------------- 

  AMERICA ONLINE ADDED TO PROBE OVER INCITING RACISM

                     datelined 
 
    MANNHEIM, Germany (Feb 2, 1996 3:29 p.m. EST) 
 
                     reports: 
 
 
   Prosecutors hoping to ban neo-Nazi material from reaching 
   Internet users in Germany have notified America Online Inc. 
   that it may be charged with inciting racial hatred. 
 
  and of course... 
 
   America On-Line spokesman Ingo Reese in Hamburg said his 
   company also was happy to work with the prosecutors. 
 
 
  Cordially, 
 
  Jim 
 






From ddt at lsd.com  Fri Feb  2 17:34:19 1996
From: ddt at lsd.com (Dave Del Torto)
Date: Sat, 3 Feb 1996 09:34:19 +0800
Subject: Apology and clarification
Message-ID: 


At 1:57 AM 1/30/96, Nathaniel Borenstein wrote:

[explanation of keysniffing intentions elided]
>When you put all four of these together, you have an attack that IS new,
>in the sense that nobody we know of has ever mentioned it before, and
>which could in fact be used by a single criminal, with only a few weeks
[elided]

Nathaniel,

I took your posting in the spirit it was intended, I think, since it was
obviously not directed at a c'punk audience. You may remember, BTW, that I
did some information-gathering on keystroke sniffers early in 94. I, too,
did not feel comfortable spreading the info too widely, however, though
now, to a select audience, it might be timely.

Thanks for pointing out a very valid set of attack parameters, BTW.

>One good
>programmer, in less than a month, can write a program that will spread
>itself around the net, collect an unlimited number of credit card
>numbers, and get them back to the program's author by non-traceable
>mechanisms.  Does anyone on this list doubt that this is true?

I do not doubt it for an instant. I even know some Eastern Europeans who
might be at it as we speak.

   dave







From jcobb at ahcbsd1.ovnet.com  Fri Feb  2 17:37:56 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sat, 3 Feb 1996 09:37:56 +0800
Subject: Going, Going, Gone With the Flow
Message-ID: 


 
 
  Friend, 
 
 
            A 02 02 96 Boston Globe newsstory 
            --------------------------------- 

     GOVERNMENTS MOVE TO LIMIT FREE FLOW OF THE INTERNET 

                       datelined 
 
             (Feb 2, 1996 00:17 a.m. EST) 

                       reports: 
 
 
    ...the Internet is slowly being colonized. 
 
 
  Colonized? 
 
    Governments around the world -- from Germany to Iran to 
    Singapore -- are moving to limit Internet access for their 
    citizens.... 
 
 
  Oh I see.  Colonized by parasites. 
 
    This move to cordon off the Internet into private plots -- 
    some call it digital Balkanization -- is seen by experts as 
    one of the most profound changes since the global network 
    emerged as a commercial medium in 1991. 
 
 
  S-s-h-h.  The experts speak! 
 
    Many Internet specialists say it marks the shift...to [a 
    "network"] where users are building nation states, an evo- 
    lution that they say will lead to the Internet's ultimate 
    success as a commercial and communication platform. 
 
 
  S-s-h-h!  The specialists have spoken. 
 
 
    Earlier this week, Federico Mayor, the director of UNESCO, 
    an arm of the United Nations, called for the drafting of a 
    global agreement that would help protect rights in cyber- 
    space. 
 
 
  Mais oui. 
 
 
  Cordially, 
 
  Jim 
 
 





From steve at miranova.com  Fri Feb  2 17:41:27 1996
From: steve at miranova.com (Steven L Baur)
Date: Sat, 3 Feb 1996 09:41:27 +0800
Subject: Proxies
In-Reply-To: 
Message-ID: 


>>>>> "Tim" == Timothy C May  writes:

Tim> At 9:46 PM 2/2/96, bjohnson at nym.alias.net wrote:

>> I keep hearing references to 'proxies' as a method of anonymity.
>> The only information that I've been able to find, deals with
>> firewalls on networked systems.
>> 
>> Are 'proxies' applicable to personal PCs using browsers, such as
>> Netscape?

Proxies aren't any use towards anonymity on a single user system.
They can be very useful on a network, regardless of whether a firewall
exists or not.

>> Would appreciate any info or leads to information sources.

Tim> A quick look with Alta Vista for the string "web proxy" reveals
Tim> 25 articles on Usenet and 200 on the Web, with some of them
Tim> containing further pointers, definitions, and other helpful
Tim> information.

For one-stop shopping I recommend Delegate, written by Yutaka Sato
, available from
	ftp://etlport.etl.go.jp/pub/DeleGate/

It should run on any reasonable Unix system.  Most of the
documentation is in Japanese, but there is enough in English to get it
up and running.

Regards,
-- 
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.





From rah at shipwright.com  Fri Feb  2 17:41:50 1996
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 3 Feb 1996 09:41:50 +0800
Subject: Futplex makes the news!
Message-ID: 


At 6:34 PM 2/2/96, Timothy C. May wrote:
>(Did I hear correctly that Futplex has "volunteered" to perform 500 hours
>of community service at the Simon Wiesenthal Center's Boston office? And
>that he has volunteered to attend 50 hours of sensitivity training? Or am
>thinking of Cornell?)

Ah.

I think what Tim's referring to is the brand new Reeducation Campz, Inc.
(RCI), "NewCommonwealth" facility currently taking on new "HappyCampers" in
Cambridge just up Brattle Street from Harvard Square.  I hear it's a
complete appropriate-behavior Skinnerian-behavior-modification
aversion-therapy facility complete with electroshock contour couches in
front of surplus Digital Equipment Corporation MicroVaxen, all running a
special version of CuttyBrowser, specially developed in COBOL for the
MicroVaxen by Mitre and Micotronx. When the wrong URLs are selected (EF*,
Cyph*, crypt*, White_W*, and "Black Rhino", to name a few grep strings),
the camper is randomly electrocuted at sensitive subcutaneous nerve
endings or gassed with nauseous sulphur fumes.

This technology, along with direct neural stimulation of pleasure centers
when Significant Figures of National Authority (SFNA) (including the First
Lady, the FBI Director, and the Attorney General), are randomly flashed,
although slowly, on the MicroVax's screen has proven very powerful in
creating extremely motivated and happy citizens of the Commonwealth.

An interesting side effect is that the process creates sexual arousal when
the HappyCampers see the company logo of the computer outside of the Camp
setting, which is apparently why the machines in this particular facility
were donated by Digital under a "Help the Commonwealth Grow" program,
reserved for Massachusetts computer companies. Digital is hoping that this
will help stanch the decline in sales they've been suffering the last few
years, or at least help get rid of a "very large" production run of
MicroVax computers they've been writing off for the last eight years.

RCI, a "hybrid" for-profit corporation owned by government/non-profit
organizations, is a partnership between the NSA, both NEAs, NOW, NARAL, The
Moral Majority, Oral Roberts University, The 700 Club, and, of course,
UMASS in cooperation with the Kennedy School of Government at Harvard.
After the camp, the HappyCamper is charged $37,000 in tuition for the
12-day 19-hour-a-day experience, is also required to pay for the computer
(because the campers tend to become emotionally distraught when separated
from the machines, and because nobody can be hired to clean the machines
either), and, is required to recruit 4 other campers.

Oddly enough, this last requirement has become something of a problem,
because graduates of the Camp are usually overzealous in their recruitment
efforts, dragging relatives, farm animals, and, in several cases,
inebriated homeless residents of Harvard Square to the Camp and leaving
them in unconscious piles at the Camp door. This is causing problems with
neighbors in the Brattle Street area, including John Kenneth Galbraith and
Governor William Weld, who are not now very happy campers at all. The Camp
is now required to give the neighborhood association 24 hour advanced
notice of every graduation, so that gardeners and domestic help can be
locked safely indoors.


Anyway, have fun, Futplex!  Remember that I've moved, and don't forget your
Kleenex when you go...

Better yet, stay in Ithaca.


Cheers,
Bob Hettinga

Ithaca? That's Cornell, right? Hmmmm... How about moving to New Haven, instead?

-----------------
Robert Hettinga (rah at shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/







From wilcoxb at nag.cs.colorado.edu  Fri Feb  2 17:51:32 1996
From: wilcoxb at nag.cs.colorado.edu (Bryce)
Date: Sat, 3 Feb 1996 09:51:32 +0800
Subject: PGP "official" logo? (a.k.a. the Return of the Logo Wars)
In-Reply-To: <9602022227.AA01627@ch1d157nwk>
Message-ID: <199602030017.RAA06483@nag.cs.colorado.edu>



-----BEGIN PGP SIGNED MESSAGE-----

 An entity calling itself "Andrew Loewenstern 
 " is alleged to 
 have written:
>
> Instead of having another logo war on the mailing list and having to shout  
> over the din of accounts and subjects hitting the bottom of subscriber's kill  
> files, I'll sum it up for you:  If you have a cool logo, put it on your own web  
> pages (or get someone to put it on theirs).  Then post the URL on the mailing  
> list.  If others like it they will use it.  Welcome to anarchy.


Hello Andrew, I recommend that you set your line widths to a
smaller number so that people who quote you, as above, don't
generate >80 col lines, as above.


But anyway, I drew my own PGP logo for my "Bryce's Auto-PGP"
distribution site.  The logo's a kloogey piece of work, but 
I like the motif of an envelope with "PGP" stamped across 
the seal, so I use it.  If anyone else does the same idea
better, I'd love to see (/copy) it.


Anyone is welcome to copy my "PGP- the electronic envelope"
logo, but by doing so you are assenting to this contract,
which states that the next time we are hanging out together
in the same bar you will buy me a beer.


 BAP
Distribution Site 


Bryce

                 "Toys, Tools and Technologies"
  the Niche 
        New Signal Consulting -- C++, Java, HTML, Ecash
            Bryce 
 
PGP sig follows


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

-----END PGP SIGNATURE-----





From proff at suburbia.net  Fri Feb  2 17:55:08 1996
From: proff at suburbia.net (Julian Assange)
Date: Sat, 3 Feb 1996 09:55:08 +0800
Subject: Just what the Internet needs right now...
In-Reply-To: <01I0QVJK2WDSA0UTJS@mbcl.rutgers.edu>
Message-ID: <199602030025.LAA25077@suburbia.net>


>    He said police found diesel fuel, a bag of fertilizer and other items
>    -- the basic materials to build a bomb-- at the first boy's house.

Looks like I've just been placed into the ranks of the pyro-terrorist.

Golly, Diesel fuel.
Gosh, Fertilizer.
Ma, other items.

-- 
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United  States has    |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff at suburbia.net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+





From nobody at REPLAY.COM  Fri Feb  2 17:59:15 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 3 Feb 1996 09:59:15 +0800
Subject: Don't shot till you see the gray of their eyes
Message-ID: <199602030030.BAA27066@utopia.hacktic.nl>


Now I understand it.

That thing on the cover of Applied Crypto is really
one of the Gray's space ships that they use to abduct
aspiring cryptographers and implant microchips in them,
controlling their minds and making them obey RSA's
license agreement.

Very interesting indeed.

On a lighter note, a local NBC station advertised a
special they will have this monday, about the 1-800-INFO-PET
chips... only that parents are opting to have them implanted
in their newborn children.








From allyn at allyn.com  Fri Feb  2 18:18:39 1996
From: allyn at allyn.com (Mark Allyn 860-9454 (206))
Date: Sat, 3 Feb 1996 10:18:39 +0800
Subject: FEBRUARY MEETING
In-Reply-To: 
Message-ID: <199602030121.RAA22883@mark.allyn.com>


Does anyone know if there are any meetings in the
Seattle, Washington area?

Mark Allyn





From sunder at dorsai.dorsai.org  Fri Feb  2 18:20:29 1996
From: sunder at dorsai.dorsai.org (Ray Arachelian)
Date: Sat, 3 Feb 1996 10:20:29 +0800
Subject: Free filtered list -> Re: noise levels
In-Reply-To: 
Message-ID: 


On 31 Jan 1996, Steven L Baur wrote:

You know folks, I do run a free filtered cypherpunks list.  There's no 
need for ratings.  I filter, you read. :)

If you want to subscribe send a message with the subject "FCPUNX 
SUBSCRIBE" or "FCPUNX HELP"


==========================================================================
 + ^ + |  Ray Arachelian |Emptiness is loneliness, and loneliness|  _ |>
  \|/  |sunder at dorsai.org|is cleanliness  and cleanliness is god-|  \ |
<--+-->|                 |liness and god is empty,  just like me,|   \|
  /|\  |    Just Say     |intoxicated  with the maddness,  I'm in|   <|\
 + v + | "No" to the NSA!|love with my sadness.   (Pumpkins/Zero)|   <| n
===================http://www.dorsai.org/~sunder/=========================






From allyn at allyn.com  Fri Feb  2 18:24:12 1996
From: allyn at allyn.com (Mark Allyn 860-9454 (206))
Date: Sat, 3 Feb 1996 10:24:12 +0800
Subject: RSA disappears :-)
In-Reply-To: <2.2.32.19960202212818.016da488@mail.software.net>
Message-ID: <199602030118.RAA22873@mark.allyn.com>


Hello!

RSA is fine and up and running as of 5 PM PST on
Friday Feb 1. RSA.COM nameserver at 192.80.211.33
is up and on the net as well as www.rsa.com.

Love

Mark Allyn





From wilcoxb at nag.cs.colorado.edu  Fri Feb  2 18:26:54 1996
From: wilcoxb at nag.cs.colorado.edu (Bryce)
Date: Sat, 3 Feb 1996 10:26:54 +0800
Subject: Web page authentication (was: Anti-Nazi Authentication)
In-Reply-To: 
Message-ID: <199602030123.SAA09872@nag.cs.colorado.edu>



-----BEGIN PGP SIGNED MESSAGE-----


 An entity calling itself "Rich Graves 
 " is alleged to have
 written:
>
> On Fri, 2 Feb 1996, Bryce wrote:
> 
> > > What's wrong with a prominent PGP-signed notice in 
's that "This
> > > page, at URL [whatever], has a separate PGP signature at [other URL]." 
> > > I've done that with the windows networking FAQ a few times until it just 
> > > got to be too much trouble.
> > 
> > That's a good idea, but I don't see any reason to sign the 
> > notice.
> 
> For the paranoid, it would be an added assurance that they are reading the
> original file at the original location. Otherwise, anybody could copy the
> Web page, modify it, and give it someone else's PGP signature. 


Uhhh- wait a second.  Anybody can always copy the file *and*
the signature to a new site without changing the
authentication.  And anybody can always copy the cleartext
and then sign it with a different key.  Right?  What are you
getting at?


Now what you can do is put the site's URL in the signed 
text, forcing the copier to change the URL and re-sign it
with his own key.  And you could time-stamp your document, 
proving that you had possession of it before the copier did.
But that's the extent of what you can do, AFAIK.


> But yeah, it would look awfully silly, especially to the non-PGP-aware
> public. An unobtrusive PGP logo (below) would be great, and might become
> a status symbol, like those cheesy HTML validation service and Internet
> Audit Bureau logos (which I have used on a few pages). 


Yeah that was my idea.  A little "PGP signed" logo.  If the
user clicks on it it gives them the signature, and/or a href
to a PGP page.  (Probably one maintained by yours truly.)


> Yeah, I like the idea of a standardized logo. A lot.


I have a little logo which is (as I recall) 32x32 pixels
which is just "PGP" with a red check-mark superimposed.
I'll hack on this idea during what I jocularly refer to as
my spare time.


Regards,

Bryce

                 "Toys, Tools and Technologies"
  the Niche 
        New Signal Consulting -- C++, Java, HTML, Ecash
            Bryce 
 
PGP sig follows


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

-----END PGP SIGNATURE-----
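
The URL-in-the-signed-text idea from the message above, worked through as an added example (not code from the original post or from PGP). It uses a toy textbook-RSA signature built from Mersenne primes as a stand-in for PGP; the `Canonical-URL` and `Signed-At` header names, the example.* URLs, the date and the body are all constructed for illustration.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA key from two primes: returns ((e, n), d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (E, n), d

# Constructed toy keys from Mersenne primes: reproducible, NOT secure.
AUTHOR_PUB, AUTHOR_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
COPIER_PUB, COPIER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def _digest(text):
    return int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big")

def sign(text, priv, pub):
    """Unpadded hash-then-RSA signature (stand-in for a PGP signature)."""
    return pow(_digest(text), priv, pub[1])

def verify(text, sig, pub):
    e, n = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(text)

def make_signed_page(url, signed_at, body, priv, pub):
    """Put the page's own URL and a date inside the text that gets signed."""
    text = "Canonical-URL: %s\nSigned-At: %s\n\n%s" % (url, signed_at, body)
    return text, sign(text, priv, pub)

def check_page(fetched_url, text, sig, trusted_pub):
    """Reader-side check against a key the reader already trusts."""
    if not verify(text, sig, trusted_pub):
        return "bad-signature"
    # Only the header block before the first blank line is parsed, so a
    # "Canonical-URL:" string inside the body cannot override it.
    fields = {}
    for line in text.split("\n\n", 1)[0].splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    if fields.get("Canonical-URL") != fetched_url:
        return "signed-copy-at-other-url"
    return "ok"

ORIG = "http://author.example/faq.html"      # constructed
MIRROR = "http://mirror.example/faq.html"    # constructed

def demo():
    text, sig = make_signed_page(ORIG, "1996-02-02", "Constructed sample body.",
                                 AUTHOR_PRIV, AUTHOR_PUB)
    results = {}
    # 1. The page read at the location it names.
    results["original"] = check_page(ORIG, text, sig, AUTHOR_PUB)
    # 2. File and signature copied unchanged: still verifies, but the signed
    #    URL tells the reader this is not the original location.
    results["verbatim_copy"] = check_page(MIRROR, text, sig, AUTHOR_PUB)
    # 3. Copier rewrites the URL but keeps the author's signature.
    edited = text.replace(ORIG, MIRROR)
    results["edited_old_sig"] = check_page(MIRROR, edited, sig, AUTHOR_PUB)
    # 4. Copier rewrites the URL and re-signs with his own key.
    resig = sign(edited, COPIER_PRIV, COPIER_PUB)
    results["resigned_author_key"] = check_page(MIRROR, edited, resig, AUTHOR_PUB)
    # 5. Same page checked by a reader who only has the copier's key.
    results["resigned_copier_key"] = check_page(MIRROR, edited, resig, COPIER_PUB)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s %s" % (name, outcome))
```

Case 5 is the limit the message describes: the binding only helps a reader who already knows which key is the author's.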





From declan+ at CMU.EDU  Fri Feb  2 18:34:28 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sat, 3 Feb 1996 10:34:28 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: 


Excerpts from internet.cypherpunks: 2-Feb-96 Re: Futplex makes the news!
by Timothy C. May at got.net 
> If UMass has yielded, the prominently mentioned CMU and Stanford sites may
> be prompted to exactly the same thing. This will "prove" to the Germans
> that they did the right thing, and be a blow in _favor_ of suppression of
> speech.
>  
> I hope some other sites have the mirrored material and are not reeds in the
> wind as at least one university is.

If we're talking about Nazis, UMass is the place to look for the PC
breed of 'em. Check out http://joc.mit.edu/roundup.html for info on
their recent PC speech code censor attempts at UMass Amherst.

I've decided to take the materials off my web pages -- but with no
pressure from, and in fact no communication at all with CMU
administrators. I've had nothing but support from the School of Computer
Science folks at Carnegie Mellon. A CMU SCS faculty member even offered
to host the pages if the administration got their panties in a snit.

This after there was a front page above-the-fold article in today's
Pittsburgh Tribune Review: "CMU in middle of Internet flap" It talked
about the Simon Wiesenthal Center's efforts to, um, educate university
administrators:

    The Simon Wiesenthal Center, the world's leading anti-Nazi organization,
was fuming however -- faxing indignant messages to the presidents of CMU,
Stanford, the Massachusetts Institute of Technology, and University of
Pennsylvania...

    Mark Weitzman, the director of the Wiesenthal Center's Task Force Against
Hate, said he had heard nothing by late yesterday afternoon from CMU
President Robert Mehrabian, whom he had urged by fax Wednesday "to address
this issue as quickly as possible."...

    Linda Hurwitz, director of the Holocaust Center of Pittsburgh, criticized
the postings, saying while she didn't approve of censorship in general, some
lies were so harmful that they were tantamount to yelling "fire" in a crowded
theater.

I don't often congratulate Carnegie Mellon for a job well done, but this
is one of those occasions. (Though I'm not sure how the administration
would have reacted if the Zundelstumphen was in my Andrew account
instead of my SCS AFS directory...)

-Declan






From mpd at netcom.com  Fri Feb  2 19:09:05 1996
From: mpd at netcom.com (Mike Duvos)
Date: Sat, 3 Feb 1996 11:09:05 +0800
Subject: Futplex makes the news!
Message-ID: <199602030230.SAA20498@ix6.ix.netcom.com>


On 2 Feb 1996 19:02:29 -0500, you wrote:

>I think the whole endeavor was a resounding success, and I wish I had been
>on the ball enough to participate in it. 

[deletia]

>The important thing is that Rich, Declan, Futplex, and anyone else
>participating showed the world that censorship on the internet, if not
>impossible, is at least a good deal more difficult than people thought.

Before poo-pooing Tim, declaring victory, and returning home, it
should be noted that German prosecutors today added AOL to the list of
entities they wish to charge with "inciting hatred."

UMASS will of course test the political waters before taking any
action, but we may yet see the gonads of Futplex hanging from one of
the upper floors of the Graduate Research Center.  :)

Time will tell whether we have won this war, or have simply
encountered a lull after the first onslaught by the enemy.  

--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     mpd at netcom.com     $    via Finger.                      $







From dm at amsterdam.lcs.mit.edu  Fri Feb  2 19:20:16 1996
From: dm at amsterdam.lcs.mit.edu (David Mazieres)
Date: Sat, 3 Feb 1996 11:20:16 +0800
Subject: Lotus Notes
In-Reply-To: <199601310705.XAA09848@netcom6.netcom.com>
Message-ID: <199602030230.VAA06785@amsterdam.lcs.mit.edu>


> Tim May had it exactly right in his post entitled "Silver Linings
> and Monkey Wrenches" (thanks Tim).  The only thing I can add is that
> forcing them to attack a 40 bit key is better than giving them the
> whole key thru some LEAF scheme ala Clipper.

Your point may be valid, but who is attacking a 40 bit key?  Is
cracking 40 out of 64 bits of a 64-bit RC4 key as hard as cracking a
40 bit key, or does knowing a significant portion of the key make the
search considerably easier than brute force?  I've never heard anyone
make an assertion either way, except that some people seem to assume
the difficulties are the same.

Thanks,
David






From tcmay at got.net  Fri Feb  2 19:23:23 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 11:23:23 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: 



I can't say that I've always wanted to use this oft-joked about title, but
for the first time since I got on some form of the Net in 1973, I think
there's some truth to it.

(It's not hopeless. In fact, the stuff we talk about, use, work on, etc.,
is the best hope.)

Several pieces of news are coming at the same time:

* the Communications Decency Act, as part of the Telecom Act, was passed by
Congress yesterday. Clinton is expected to sign it into law early next
week. It includes language of great significance for users, for ISPs, and
perhaps for remailers. When it takes effect--some number of days after
Clinton signs it into law--it could almost immediately have a chilling
effect on many newsgroups, on Web accesses, etc. Though civil liberties
groups are expected to challenge it in court, and may ultimately win, it
could be a long and expensive fight for some ISP who "lets" a 17-year-old
access indecent material (or lets abortion articles in, or lets various
other banned things in).

* Other countries are gaining steam in restricting, or trying to restrict,
what happens on the Net, especially what enters. Germany is the most
oft-discussed, with actions underway against Compuserve, America Online,
and possibly other ISPs with a German presence. And the Deutsche Telekom
access block of American sites. France is also contemplating various
actions. Even the "liberal" countries have things brewing, according to
news items appearing recently. (Look at the list of countries represented
by senior law enforcement officials at the Key Escrow meetings in Sept.
'94, for example. I don't expect most of these countries to have an active
public debate about crypto restrictions, for various obvious reasons. I do
expect them to accept with alacrity the "international treaties" when they
are offered.)

* And don't forget that there is still a campaign to control encryption and
to adopt a global regimen for "key escrow." The various international
meetings, the Washington meetings, and the noises coming out of foreign
capitals strongly suggest a comprehensive scheme--as yet unannounced--to
mandate the escrowing of keys with the local authorities. (To be sure,
there are many, many problems, and many avenues for attack, but this
doesn't mean such an international scheme won't be tried...look to the U.S.
lead in controlling drug traffic over the past 60 years.)

* The Wiretap Bill still mandates that digital switches be made digitally
wire-tappable. (Lots of technical details, and lots of debate about how
much of the $500 million mentioned will actually be budgeted, provided,
etc.) FBI Director Louis Freeh is still pushing this as critically
important. This is part of the larger mosaic.

* Various trial balloons about key authentication agencies, about having
the government issue keys and even handle e-mail (the Postal Service has
been pushing for this for a long time). Some of the "centralized" schemes
for signature authorities appear to fit in nicely with a
government-mandated certificate hierarchy. There are various scenarios for
how a certificate hierarchy could be mandated, ranging from outlawing of
"anarchic" variants (unlikely, at first) to the court system refusing to
help enforce contracts signed in a non-compliant manner (pretty likely, in
my opinion).

* Universities are *not* becoming more tolerant and diverse, more acceptant
of extreme speech. In fact, more and more of them are adopting "speech
codes," especially for the Internet. Sometimes called "stalking" laws,
sometimes "respect" laws, they serve to stifle what is nonviolently,
noncoercively said by some students to others. Even private jokes, as at
Cornell, are treated as crimes (the "voluntary" community service the four
Cornell students agreed to). And "political" material is ordered off
university Web sites (the UMass case of Lewis McCarthy, which just unfolded
today).

* Universities, corporations, and even ISPs are explicitly adopting policies
that allow them to inspect e-mail at will. (If the arrangement is made in
advance, it may not violate the ECPA to do this...and I'm not saying there
aren't some good reasons why these entities would want the right to inspect
e-mail (their liability being a good example), just noting the growing
situation.) Absent any sort of "common carrier," we may be approaching an
age where the relay layers most users must use have explicit policies
allowing monitoring and even banning unapproved/unescrowed encryption (I've
seen the policies of at least one ISP that state this). (Alice and Bob can
still presumably dial each other up directly over the phone lines and do a
UUCP-style transfer, but using intermediary ISPs may not allow them to use
the crypto of their choice...again, the ISPs, universities, corporations,
etc., may be held liable for misdeeds done over their systems, so this is
why they would want to control the content or have some way to monitor
communications.)

* The Four Horsemen of the Infocalypse. Increasing media reports of child
porn on the Net, of "digital stalkers" on campuses, of children finding
bomb instructions, of nuclear terrorists using Alta Vista to design their
bombs.... Even the media lionization of Shimomura, who dismisses concerns
about privacy as the ravings of paranoid hackers and libertarians, adds to
this public view. Shorter, more sensationalistic, articles are appearing
daily. (I don't believe the reporters, notably Markoff, Levy, etc., are "in
on" some kind of conspiracy, just noting that the media hype about the Net,
and hackers, and the dangers, are adding up to a growing sense that "the
government has to do something!").

* "Anonymity" in general is under attack. Calls for "responsibility." "What
have you got to hide?" is the standard refrain. If the rumors of a kind of
"Internet Drivers License" are correct, all posts could be required to be
signed by the originator. Forwarders would be held responsible for checking
signatures, or, at least, be held liable for misdeeds. They would not be
treated as we treat the carriers of sealed packages, for example. (I can
think of many counter-arguments, including the usual one about a forwarder
not knowing the contents of what he was forwarding, not being able to tell
if a file was noise, data, compressed data, or an encrypted packet...while
I find this persuasive, it may take years of expensive court cases to
establish this, and still might go against this interpretation.)

* Corporations are having their secrets stolen, and are demanding that
something be done. (Expect more of these calls to increase as more cases
like the RC2 case arise...without supporting RSA in their anger, I can see
why remailers scare the hell out of them.)

* Groups as disparate as the Church of Scientology and the Simon Wiesenthal
Center are screaming to have the Net regulated. What major groups will be
next? The Catholic Church? The Junior League? As more groups "threatened"
by the anarchic, free speech of the Net decide to cast their lot in with
the government (with hopes that if they scratch the government's back,
it'll return the favor, or at least help control the marauders), the
constituency for clamping down on the Net will grow.

* And the tax authorities, the IRS, FinCEN, etc., are well-known to be
trying to figure out how to get their cut, how to control the spread of
untaxed transactions, and how to make sure that Chaumian untraceable
digital cash is never fully deployed. You can bet that they would love to
have Visa or Mastercard or one of the "little" systems that allows full
traceability be adopted, maybe even mandated. This would in one fell swoop
fix several problems for them.

Without getting into paranoia about Clinton, Black Helicopters, U.N. troops
in American cities, the militia movement, Fostergate, etc., it looks to me
like a coordinated move to try to regain "control" of the transnational
Internet anarchy is getting started in earnest.

I said it is not hopeless. Indeed, the powerful technologies of encryption,
digital mixes, and other such tools will make a clamp-down very hard, maybe
ultimately impossible. This is my hope.

But in the meantime, a lot of hard work. And a lot of obvious targets--such
as people who put things on their Web pages, ISPs who let minors on their
systems, those who cause abortion information to be brought in from outside
the U.S., etc.--will be prosecuted, given huge fines to send a message to
others, and maybe even imprisoned. International treaties will be signed,
giving these laws the force of treaty. The New World Order,
cyberspace-style.

I'm not despairing. I just think a lot of work lies ahead of us. The crypto
anarchy future is not going to happen if governments have anything to say
about it. Therein lies the challenge.

--Tim May



Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From tien at well.sf.ca.us  Fri Feb  2 19:24:32 1996
From: tien at well.sf.ca.us (Lee Tien)
Date: Sat, 3 Feb 1996 11:24:32 +0800
Subject: crypto/classification
Message-ID: <199602030232.SAA06904@well.com>


A few weeks ago someone posted the following message:

From: nobody at tjava.com (Anonymous)
Date: Wed, 10 Jan 1996 22:30:55 -0600
Subject: Cryptology and classification

Hi all,

Just received a memo, the "Desk Reference Guide" to Executive Order 12958.
This memo/executive order discusses classified national security
information.  The cypherpunks-interesting aspect of this memo lies in
exceptions to some new guidelines.  Basically, this executive order
removes the authority for the government to "permanently" classify
information.  Basically, classification is now limited to 10 years
(or 25 years in some special cases).  The exceptions to this allow
classification for longer durations for certain types of material.
These types include things like protecting intelligence sources and 
nuclear weapons design info.  One of the other exceptions is for:

"...information that would impair United States cryptologic systems
or activities."

This appears to be taken directly from the executive order, so these
types of decisions are being made at high levels.  Thought you might
be interested.

        Hooker

I'm curious whether the "desk reference" contains more than the mere text
of the Executive Order.  If it does, I'd like to get a copy, since the FOIA
cases I handle typically involve classified information.

Please reply personally, since I only read the list in digest form.

Thanks!
Lee Tien







From tien at well.sf.ca.us  Fri Feb  2 19:30:48 1996
From: tien at well.sf.ca.us (Lee Tien)
Date: Sat, 3 Feb 1996 11:30:48 +0800
Subject: Encryption and the 2nd Amendment
Message-ID: <199602030233.SAA07384@well.com>


I agree that a 2nd A. argument is legally worthless; so do Mike Godwin and
other persons whose legal opinions are generally carefully considered.  

FWIW, I note that one gov't study of the constitutionality of encryption
restrictions, done by some law profs for DOEnergy, had a section surveying
the possible applicability of the 2nd A.  Since we are not using this
argument in Bernstein, I didn't read the section with any care.  The thrust
was, if I recall correctly, that even if the 2nd A did apply, it has so
little force that it doesn't matter (i.e., one can't easily point to
doctrine calling for "heightened" or "strict" scrutiny under the 2nd; I
happen to believe that there should be some form of scrutiny beyond
"rational basis" for infringement of 2nd A. rights, having been impressed
by Sanford Levinson's analysis, but the cases do not support it).

I suspect that one reason why folks find this approach rhetorically
interesting is that it's got that "you called it that, so . . . " flavor. 
In a different post on a different issue, Perry Metzger referred to
estoppel, and I think the same intuition operates here. But as Michael
Froomkin said, what the State Department calls it shouldn't be relevant to
the meaning for constitutional purposes.  Also, estoppel against the
government is quite limited.  There's a line of cases saying that, and
courts frequently refuse to hold the government to the same kind of
estoppel as private parties.  (Agreeing w/Peter Junger)

Lee Tien

 







From jf_avon at citenet.net  Fri Feb  2 19:37:59 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sat, 3 Feb 1996 11:37:59 +0800
Subject: PGP "official" logo?
Message-ID: <9602030250.AB01223@cti02.citenet.net>


Cc: CypherPunks

Philip Zimmermann replied to me:

>I'd like to see some suggested logos.  I am closing in on a design
>for a PGPfone logo.
>
>Phil

Well, I tend to believe that you are not reading Cypherpunks currently...

I got some reply that told me that, basically, the inherent anarchy of 
CPunks would make it impossible to hold a vote.  Some even questioned
the utility of a logo.  Some others said that many people use non-graphical
software.

While I think that a logo is a nice idea,  I never 
even considered designing one myself before somebody mentioned
the idea, today on CPunks.

IMO, I think that a logo would appeal to non-techies.  The typical non-
techie attitude is to *ignore* anything he/she does not understand.  The 
proposed label "PGP signed" or similar would not have the effect a good
logo would on certain persons.

A logo could make PGP look "cool".  I am not prejudiced against trying to
attract people who would not look up by themselves, especially considering 
the actual condition of the net.

Refuting the usefulness of a logo would be an expression of the 
opinion that dumbness is incurable.
MHO on it is that while dumbness will always exist, *specific individuals* 
could be educated.  This is especially true of the young. And besides, 
the masses never made anything change for the better... 

In this optic, and regarding the fact of the immense popularity of 
software that requires little computer knowledge, I think that a logo 
is not only appropriate but also necessary, if encryption issues are to 
be resolved in our favor.

Many techies, and many members of CPunks are of this type, scorn the
"uneducated" public.  It is a great mistake they make.  Not because they
have a duty to the public, but because in the "public" live 
intelligent individuals who, for a multitude of reasons, did not 
follow the same path as them.  They owe it to themselves, out of selfishness,
to spread their vision of the world.

Regards


JFA  B.Sc. Physics

P.S. Thanks for having written PGP.






From tien at well.sf.ca.us  Fri Feb  2 19:38:10 1996
From: tien at well.sf.ca.us (Lee Tien)
Date: Sat, 3 Feb 1996 11:38:10 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602030235.SAA08181@well.com>


I don't practice intellectual property law, but I think y'all should be
careful, legally speaking.  Without more facts, you don't know if the
purported disassembly was lawful.  


>From: Rich Salz 
>Date: Thu, 1 Feb 1996 19:46:50 -0500
>Subject: Re:  RC2 Source Code - Legal Warning from RSADSI
>
>Once lost, trade secret can never be regained.  The person(s) responsible
>can be sued so they never work again :), but it's unclear if RSA can
>stop anyone using unpublished trade-secret source.
>
>At any rate, I'll stop my comparison of the distributed RC2 and the 
>licensed RC2 since RSA's done it for us. :)
>        /r$

I think the first and second sentences don't map.  It's true that once a
trade secret is "lost," it's lost (though I suppose if everyone forgets it
and someone rediscovers and protects it it's regained).

But you must distinguish between *legally* lost and merely practically
disseminated.  Trade secrecy is not complete or real secrecy.  If I were
under NDA to RSA to keep RC2 secret, passed it on to Rich, and RC2 met the
legal test for trade secrecy, it is still a trade secret in the law.  I
don't recall the remedies, but I'm fairly sure that if Rich has the right
level of knowledge/notice, he's not immune.

>From: "Brian A. LaMacchia" 
>Date: Thu, 1 Feb 96 21:06:12 -0500
>Subject: Re: RC2 Source Code - Legal Warning from RSADSI
>
>   Date: Thu, 1 Feb 1996 18:26:15 -0500
>   Mime-Version: 1.0
>   Content-Type: text/plain; charset="us-ascii"
>   From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
>   Sender: owner-cypherpunks at toad.com
>   Precedence: bulk
>
>   Now, copyright might be another matter.    But you can't copyright an
>   algorithm, only specific text in fixed form (ie, the source code).  So this
>   would mean you couldn't use the particular code posted to sci.crypt, but
>   wouldn't stop anyone from using the algorithm, if they wrote their own code
>   (to be safe, without having seen the RSA-copyrighted code, only having the
>   algorithm described to them by someone else).   
>
>If the source code posted to sci.crypt was in fact a copy of an RSADSI
>copyrighted source code listing, then making copies of that listing is a
>copyright violation.  However, copyright protection does not extend to
>the underlying algorithm, so unless RSADSI has a patent on the algorithm
>the idea is free, and can be reimplemented using a "clean room" or
>"Chinese wall" approach.  If the posted source code was *not* a copy of
>RSADSI source code but instead produced by disassembling object code
>RSADSI's claims are tenuous at best.  RSADSI could conceivably claim
>that the disassembled code is a derivative product of their copyrighted
>object code, but I think they would have a hard time distinguishing
>themselves from the facts in _Sega v. Accolade_.
>
>I fail to see how the legality of "alleged-RC2" is any different than
>that of the "alleged-RC4" code which was published last year.
>
>                                                --bal

Trade secrecy is separate from either copyright or patent.  It covers both
patentable and nonpatentable stuff.  Its great advantage is its potential
duration -- so long as it's not independently generated or
reverse-engineered.  Its great drawback is it's hard to maintain.  

I think Brian is right in what he said, but the critical qualification is
how the posted source code was produced.  One could have a trade secret in
the algorithm; Sega v. Accolade only addresses the copyright issues, if
memory serves.  The Ninth Circuit found that the disassembly was
infringement, because it involved copying of the protected expression, but
excused the infringement based on "fair use."  *** Keep in mind that fair
use is multifactor, and the Sega decision expressly noted that Accolade was
only trying to achieve compatibility, only indirectly harming the market
for Sega's videogames.  This alone might distinguish disassembly to get RC2
source in order to put RC2 "out there," even from a copyright perspective.

What's unclear in the law is RSA's power to control disassembly by
contract.  Traditionally, reverse engineering has always been a legitimate
means of penetrating trade secrecy.  The problem arises, though, if one
agrees not to reverse-engineer.  If I got an RSA product and agreed not to
disassemble and not to disclose anything I might happen to discover, then I
have a contractual, not statutory, duty.  This is like the shrink-wrap
license issue:  if I buy Lotus Notes, a shrink-wrap "no disassembly"
provision may well be unenforceable.  Such a provision is more likely
enforceable in a truly bargained contract.  This is all contract law.

So if the person who disassembled was under a contractual bar, disassembly
could be misappropriation.  (I'm not clear on current misappropriation law,
which is in a statute in California if I recall.)

I'm not really up on all this, and it's very fact-sensitive, but I don't
think the legal issues are very simple, and I would counsel some caution. 
Are those enough qualifications and disclaimers?  

Lee







From tcmay at got.net  Fri Feb  2 19:38:23 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 11:38:23 +0800
Subject: Futplex makes the news!
Message-ID: 


At 2:28 AM 2/3/96, Mike Duvos wrote:
>On 2 Feb 1996 19:02:29 -0500, you wrote:
>
>>I think the whole endeavor was a resounding success, and I wish I had been
>>on the ball enough to participate in it.
>
>[deletia]
>
>>The important thing is that Rich, Declan, Futplex, and anyone else
>>participating showed the world that censorship on the internet, if not
>>impossible, is at least a good deal more difficult than people thought.
>
>Before poo-pooing Tim, declaring victory, and returning home, it
>should be noted that German prosecutors today added AOL to the list of
>entities they wish to charge with "inciting hatred."
>
>UMASS will of course test the political waters before taking any
>action, but we may yet see the gonads of Futplex hanging from one of
>the upper floors of the Graduate Research Center.  :)
>
>Time will tell whether we have won this war, or have simply
>encountered a lull after the first onslaught by the enemy.

Meaning no disrespect to any of my colleagues here, but is there now some
sense that "we won"?

I don't see it this way. And the Germans don't seem to think they lost.

Let's look at where this issue is. The UMass admins yanked the Zundelsite
info, Declan has voluntarily withdrawn his ZS info, Germany is accelerating
its threats against CS, AOL, etc., and of course the Communications Decency
Act is about to be signed into law.

Maybe I'm not seeing the Boston-area papers, and their spin on things, but
it doesn't seem to me that an anti-censorship interpretation is getting a
lot of press. What I am sensing is just the opposite, that a bunch of
babykilling Nazis bent on taking over the Internet just had their main
Propaganda Center at UMass shut down by the forces of light. This is the
spin on the story I'm sensing.

(Hate to say it, but the nuances of free speech are lost on most people. To
most of them, putting Holocaust denial information on a site is ipso facto
proof of genocidal racism. I wouldn't be surprised to see the various
groups at UMass foaming at the mouth next week in the campus newspaper to
get the "notorious racist" Lewis McCarthy sanctioned or thrown out.
University administrators will try to cool things off, but will keep
feeling the pressures from various "aggrieved" groups until something just
has to be done. I've seen this many times at Stanford, UC Santa Cruz,
Berkeley, and elsewhere.)

Here's to hoping Rich's site remains up.

--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From nobody at REPLAY.COM  Fri Feb  2 19:45:38 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 3 Feb 1996 11:45:38 +0800
Subject: What is this threat?
Message-ID: <199602030254.DAA04307@utopia.hacktic.nl>



The USG offers a $500,000 reward for stopping:

   Perception management and active measures activities.

The FBI DECA terms it one of seven "foreign intelligence 
activities that are deemed to be significant threats to  
U.S. national security interests."

----------

URL: http://www.fbi.gov/deca.htm
    
_______________________________________________________
   
DECA (pronounced "DECK-UH") is the FBI's program for the
Development of Espionage, Counterintelligence and
Counterterrorism Awareness. The DECA program disseminates
information concerning national security matters.
   
The FBI is the lead counterintelligence agency in the
United States. It has the principal authority to conduct
and coordinate counterintelligence and counterterrorism
investigations and operations within the United States.
The FBI, supported by other U.S. agencies as needed,
conducts espionage investigations when the subject of the 
investigation is not under the jurisdiction of the
Department of Defense, Uniform Code of Military Justice.
_______________________________________________________
   
NATIONAL SECURITY THREAT LIST
   
The FBI's foreign counterintelligence mission is set out
in a strategy known as the National Security Threat List
(NSTL). The NSTL combines two elements:

*  First, it includes national security threat issues
   regardless of the country of origin.

*  Second, it includes a classified list of foreign
   powers that pose a strategic intelligence threat to
   U.S. security interests.

The issue threat portion of the NSTL was developed in
concert with the U.S. Intelligence Community and key
elements of the U.S. Government. As a result, the FBI
identified seven categories of foreign intelligence
activity that were deemed to be significant threats to 
U.S. national security interests. The FBI will
investigate the intelligence activities of any country
that are related to any of these seven issues. They are:

1. Proliferation of special weapons of mass destruction
   to include chemical, biological, nuclear, and delivery
   systems of those weapons of mass destruction.

2. Collection of information relating to defense
   establishments and related activities of national
   preparedness.

3. U.S. critical technologies as identified by the
   National Critical Technologies Panel.

4. Targeting of U.S. intelligence and foreign affairs
   information and U.S. Government officials.

5. Collection of U.S. industrial proprietary economic
   information and technology, the loss of which would
   undermine the U.S. strategic industrial position.

6. Clandestine foreign intelligence activity in the
   United States.

7. Perception management and active measures activities.

_______________________________________________________
    
NATIONAL CRITICAL TECHNOLOGIES
   
Foreign intelligence activities directed at U.S. critical
technologies are of specific interest to the FBI. These
critical technologies are listed as follows:

   *  Materials:

      +  Materials synthesis and processing
      +  Electronic and photonic materials
      +  Ceramics
      +  Composites
      +  High-performance metals and alloys

   *  Manufacturing:

      +  Flexible computer-integrated manufacturing
      +  Intelligence processing equipment
      +  Micro- and nanofabrication
      +  Systems management technologies

   *  Information and communications:

      +  Software
      +  Micro and optoelectronics
      +  High-performance computing and networking
      +  High-definition imaging and displays
      +  Sensors and signal processing
      +  Data storage and peripherals
      +  Computer simulation and modeling

   *  Biotechnology and life sciences:

      +  Applied molecular biology
      +  Medical technology

   *  Aeronautics and surface transportation:

      +  Aeronautics
      +  Surface transportation technologies

   *  Energy and environment:

      +  Energy technologies
      +  Pollution minimization, remediation, and waste
         management

_______________________________________________________
   
National Security Begins With You
  
You may be the target of foreign intelligence activity if
you or your company are associated in any of the critical
technologies listed above. Foreign powers may also seek
to collect U.S. industrial proprietary economic
information and technology, the loss of which would
undermine the U.S. strategic industrial position. Foreign
intelligence collectors target corporate marketing
information in support of their nation's firms. Overseas
travel, foreign contact, and joint ventures may further
increase your exposure to the efforts of foreign
intelligence collectors. If you suspect possible foreign
intelligence activity, or have questions concerning the
National Security Threat List strategy, please contact
the FBI DECA Coordinator at the FBI Field Office nearest
you.

_______________________________________________________

Up to $500,000 Reward for Stopping Espionage
  
An amendment to title 18 U.S.C. Section 3071, recently
enacted, authorizes the Attorney General to make payment
for information of espionage activity in any country
which leads to the arrest and conviction of any
person(s):

1. ...for commission of an act of espionage against the
   United States;

2. ...for conspiring or attempting to commit an act of
   espionage against the United States;

3. or which leads to the prevention or frustration of an
   act of espionage against the United States.

Specifics of this amendment can be obtained from any FBI
DECA Coordinator.

_______________________________________________________

FBI Contact Numbers:
   
To report suspected illegal intelligence or terrorism
activity against the interest of the United States,
telephone the DECA Coordinator at the FBI Field Office
nearest you.

Update Version: 9/25/95

_______________________________________________________







From ravage at ssz.com  Fri Feb  2 19:51:16 1996
From: ravage at ssz.com (Jim Choate)
Date: Sat, 3 Feb 1996 11:51:16 +0800
Subject: Encryption and the 2nd Amendment (fwd)
Message-ID: <199602030328.VAA03766@einstein.ssz.com>



Forwarded message:

> Date: Fri, 2 Feb 1996 18:37:24 -0800
> From: tien at well.sf.ca.us (Lee Tien)
> Subject: Re: Encryption and the 2nd Amendment
> 
> I agree that a 2nd A. argument is legally worthless; so do Mike Godwin and
> other persons whose legal opinions are generally carefully considered.  
> 

I still believe this issue is a prime candidate for testing the 9th and
10th. There is nothing specific in the Constitution which allows the
government to control crypto technology (or any technology actually) which is
contrary to the 10th. Per the 9th it should be left up to the states or the
people to decide. The current group of issues as mentioned in a post by Tim
May earlier today are all related by these amendments. The precedence of the
legislative and court bodies in this country ignoring these amendments may
be at an end.






From jf_avon at citenet.net  Fri Feb  2 20:12:28 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sat, 3 Feb 1996 12:12:28 +0800
Subject: sent to U.Mass
Message-ID: <9602030349.AA03495@cti02.citenet.net>


Hi CPunks.

I went into www.umass.com, somewhere into it up until I could find an e-mail
address, and mailed this letter:



-----BEGIN PGP SIGNED MESSAGE-----

to: Dean of the University.

From: Jean-Francois Avon
Pierrefonds, QC, Canada

jf_avon at citenet.net


While I do not believe nor endorse the neo-nazi movements and their ideas, I consider it interesting to be able to look at their arguments, if only to make my own opinion of them.

I understand that you banned a WWW site providing such information.  I also understand that this site presented this information to oppose the German govt. in their censoring actions against some such sites.  I do not have a first hand knowledge of the content of the specific site (Zundel) that started the whole thing and I am convinced that many other pro-nazi might use some material presented in a decent way for quite questionable ends.

But nevertheless, from what I read, you seemed to have banned a site out of political correctness.  I hope it is not true.

Unfortunately, freedom and liberty, those crucial and typically American values, seem to be eroded first by those trusted to protect them: the American intellectual and scholar.

We live in a very sad world, where reason is disappearing slowly, being replaced by fear and low animal instincts.

Please pardon my poor English.

Jean-Francois Avon







From jordan at Thinkbank.COM  Fri Feb  2 20:27:21 1996
From: jordan at Thinkbank.COM (Jordan Hayes)
Date: Sat, 3 Feb 1996 12:27:21 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: <199602030401.UAA19434@Thinkbank.COM>


	From tcmay at got.net Fri Feb  2 19:10:21 1996

	I'm not despairing ...

It seems to me that all the things you pointed out are just symptoms
of the Internet growing up.  You mentioned on the one hand that
you don't like the trend that you see culminating in having all
USENET posts be signed, but on the other hand that you'd like to
see a 'sealed package' approach to your packets.

The problem is clear: USENET *isn't* 'sealed packages' -- it's
practically an outdoor billboard.  And I think it's logical to
expect some consensus-based rules for behavior there.  This whole
uproar about 'porno on the net' has to do with how children can
'stumble' upon it, as opposed to, say, renting it from Blockbuster[*].

I'm a little more upbeat than Tim, I guess.  I see the trend toward
'socialization' on the 'public' part of the Internet as ultimately
just fine, and the trend toward finding private means ('sealed
packages') to transmit 'private' goods continuing.  Soon I hope
that there will be as much chance of children 'stumbling upon'
X-rated JPEGs as they can today image satellite-delivered porno in
their heads without a dish.

I think the trend will continue so that people will eventually feel
that their e-mail is about as safe from 'the public' as a phone
call is.  Absolute privacy will be resisted from the top because
being 'in power' means always having a final veto; but what is the
real risk of this?

And don't forget: if you have privacy, you don't need anonymity.
Swiss banks provide the ultimate example.

/jordan

[*] I think community standards are important.  Whether it's speed
bumps on side streets or calls for silence in a jazz club, the
participants in a group should get to decide what is acceptable
behavior within their group.  That being said, I also believe that
one of the few roles of a national government is to provide
guidance about a small number of issues (so before you hit that
'R' key, I don't believe that small towns can assert racism in
their town charter ...).





From llurch at networking.stanford.edu  Fri Feb  2 20:42:26 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 12:42:26 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 2 Feb 1996, Timothy C. May wrote:

> At 2:28 AM 2/3/96, Mike Duvos wrote:
> >On 2 Feb 1996 19:02:29 -0500, you wrote:
> >
> >Before poo-pooing Tim, declaring victory, and returning home, it
> >should be noted that German prosecutors today added AOL to the list of
> >entities they wish to charge with "inciting hatred."
> >...
> >Time will tell whether we have won this war, or have simply
> >encountered a lull after the first onslaught by the enemy.
> 
> Meaning no disrespect to any of my colleagues here, but is there now some
> sense that "we won"?
> 
> I don't see it this way. And the Germans don't seem to think they lost.

That's what they thought in 1945, too. I'd really hate to have to nuke
them from orbit. I maintain (I hope a little more coherently now) that
widely publicized subversion is far more effective than a frontal assault.
Who holds up the nuking of Hiroshima and Nagasaki as great victories
against tyranny? 
 
> Maybe I'm not seeing the Boston-area papers, and their spin on things, but
> it doesn't seem to me that an anti-censorship interpretation is getting a
> lot of press. What I am sensing is just the opposite, that a bunch of
> babykilling Nazis bent on taking over the Internet just had their main
> Propaganda Center at UMass shut down by the forces of light. This is the
> spin on the story I'm sensing.

I think this sense is wrong.

Yesterday's "Modem Driver" column in the San Jose Mercury News was poorly 
researched, but had the right spin. It mentions that the operator of 
webcom.com is the grandson of a Holocaust victim, so he gets the Mom & 
Apple Pie vote.

 http://www.sjmercury.com/living/daveplot/modem084.htm

Front page of the Stanford Daily, which generated calls from the San Jose 
Merc and the Chronicle of Higher Education, which are likely to get the 
story right:

 http://www-Daily.stanford.edu/2-2-96/NEWS/index.html

[No, I am *not* happy to get all the credit there]

AP story in Boston Globe (long and ludicrous on-line URL, and OK, so this 
is not the greatest story, but I think it's somewhat positive):

 http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F033%2Freg%2Fag052102

Web Review (good, even though he totally misrepresented what I'd said 
without even bothering to try to reach me):

 http://www.gnn.com/gnn/wr/96/02/01/news/ndn/zundel.html
 http://www.gnn.com/gnn/wr/current/news/ndn/telcom.html

The News & Observer (also never bothered to contact me before stating 
what I believed):

 http://www2.nando.net/newsroom/ntn/info/020296/info2_20579.html

> (Hate to say it, but the nuances of free speech are lost on most people. To
> most of them, putting Holocaust denial information on a site is ipso facto
> proof of genocidal racism.

I think it is, if (and only if) you agree with it.

> I wouldn't be surprised to see the various
> groups at UMass foaming at the mouth next week in the campus newspaper to
> get the "notorious racist" Lewis McCarthy sanctioned or thrown out.

I certainly would.

> Here's to hoping Rich's site remains up.

I've shut off access and challenged Zundel to get his many friends to run
their own damn mirrors. They could, you know -- at least one of them has a
T1. But I will put the files back (on c2.org and/or netcom and/or AOL
accounts, because it's just not ethical for me to involve Stanford in
this) if Deutsche Telekom continues to block access to webcom.com after,
say, next Wednesday. 

If they're not back up by, say Monday, I'll post an ultimatum to the 
above effect.

Netcom has hosted several notorious hate groups for years. There's no way 
in hell they'd buckle, and they're big enough to matter. Probably bigger 
than Stanford and CMU combined, though without quite the same symbolic 
power.

- -rich






From alano at teleport.com  Fri Feb  2 20:55:07 1996
From: alano at teleport.com (Alan Olsen)
Date: Sat, 3 Feb 1996 12:55:07 +0800
Subject: RSA disappears :-)
Message-ID: <2.2.32.19960203042904.00928b40@mail.teleport.com>


At 01:28 PM 2/2/96 -0800, John Pettitt wrote:
>rsa.com disappeared from the net!  The only valid nameserver for rsa.com is
>rsa.com and since its net connection is down anybody trying to talk to
>www.rsa.com or send mail to rsa is getting host not found errors.

Maybe it was because Tim May broke their cover.

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From ampugh at mci.newscorp.com  Fri Feb  2 21:05:27 1996
From: ampugh at mci.newscorp.com (Alan Pugh)
Date: Sat, 3 Feb 1996 13:05:27 +0800
Subject: PGP "official" logo?
Message-ID: <199602030147.UAA29244@camus.delphi.com>


=snip=
>Why is an icon or logo preferable to "Begin PGP signed..."? The little
>rose, or chevrons, or escutcheons, or whatever, then have to be explained
>to people. "PGP" is actually its own best logo.
>
>(There is also the important point that most uses of PGP are in
>primarily-ASCII settings, in e-mail. Yes, I know that MIME and whatnot can
>support graphics, but such uses are rare. Look at this mailing list, and
>Usenet, for examples of how most messages are composed. I routinely delete
>all messages that have "attachments converted" to them, and others have
>told me they do the same thing.)

i agree with mr. may. graphics are misplaced in email generally. 
it takes long enough to download my mail without the additional
load of cute graphics. i can't imagine many graphics at all that 
would be much smaller than the biggest sig files.

otoh, it _would_ be useful imo to have a pretty much 'standard' 
graphic to put on web pages similar to the 'netscape' buttons 
you see everywhere. they might do nothing but link to one of the 
cypherpunks home pages, but the more people see them, the more 
aware people will hopefully become. perhaps it will pique some 
folks curiosity. actually, i like rsa's logo, but it is obviously 
taken. 

that said, i've seen a few passes on this list of discussion of a
graphic logo. the archives would be a good place to look for a fairly
massive volume of posts on it.  if anyone has a good idea, put it on a 
page and post the pointer.



amp







From tcmay at got.net  Fri Feb  2 21:40:14 1996
From: tcmay at got.net (Timothy C. May)
Date: Sat, 3 Feb 1996 13:40:14 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: 


At 4:12 AM 2/3/96, Rich Graves wrote:

>Who holds up the nuking of Hiroshima and Nagasaki as great victories
>against tyranny?

Since you ask, I do.

A land invasion of Japan would've likely cost half a million American
lives, and perhaps a million or more Japanese citizen lives, according to
comprehensive studies I think are on the mark.

(Anecdotally, my father was on Guam at that time, and was part of the force
being prepared for the land invasion of Japan. He was mighty happy to hear
about the new wonder weapon and how it ended the war in days rather than
months.)

If the war was just, then ending it quickly and decisively was more just
than ending it more slowly and painfully. That some Japanese died in a
nuclear fireball rather than in conventional firestorms or blockbuster
bombings is neither here nor there.

Sometimes ya just gotta nuke em.


--Tim

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From Neal.McBurnett at att.com  Fri Feb  2 22:03:06 1996
From: Neal.McBurnett at att.com (Neal McBurnett)
Date: Sat, 3 Feb 1996 14:03:06 +0800
Subject: Analysis of PGP keyserver web of trust
Message-ID: <9602030545.AA06363@lever.dr.att.com>


-----BEGIN PGP SIGNED MESSAGE-----

I wrote a Java program to analyze the PGP web of trust and I've
documented it on some web pages.  They include information on the
strongly connected components (the largest has 1291 keys in it), the
longest "shortest-path" (21 signatures long), the 'central trustee'
and 'central truster', the mean path length (6.4, by one definition), etc.

	http://bcn.boulder.co.us/~neal/pgpstat/

(For those who saw the earlier version, I've fixed some small bugs.)

There is a lot of useful information here for folks who want to
improve the connectivity of the public PGP web of trust.

Cheers,

Neal.McBurnett at att.com  503-331-5795  AT&T Bell Labs, Denver/Portland
WWW: http://bcn.boulder.co.us/~neal/Home.html  (with PGP key)

- -----------------------------------------------------------------------

                           PGP Keyserver Statistics
                                       
   This is an analysis of the web of trust among users of the leading
   technology in the world of secure email communications, Pretty Good
   Privacy (PGP). See the [1]PGP Frequently Asked Questions for more
   information on PGP itself and other related tools.
   
   There is a set of public key servers around the world which allow PGP
   users to register their keys and publicly sign each other's keys via
   [2]email and [3]WWW interfaces. This analysis is based on the public
   keyring obtained from
   [4]ftp://ftp.uit.no/pub/crypto/pgp/keys/pubring.pgp on _1 Jan 1996_.
   For comparative analysis, here is the [5]Jan 1 version (7,976,108
   bytes long). I could also provide a shorter and simpler file format
   which just lists which keyIDs signed which keyIDs. If there is
   interest, updates can be provided.
   
Overall Statistics


Public keys submitted ('pub'):          19124
Signatures ('sig'):                     28031
Total number of unique keys referenced: 21107
Revoked keys:                           839

Self-signed keyIDs:                     7300
Other unique keyID-signs-keyID pairs:   17908

   Note that less than half of the keys are signed by themselves. People
   should _always sign their own UserID_ on their own key! Otherwise,
   someone else can surreptitiously change the email address in order to
   encourage correspondents to send email to the wrong place.
   
   Only about 1/3 of the keys are signed by at least one other key, and
   only 1/6 have 2 signatures.
   
     To be a "good PGP-citizen", you should
     * Be very careful about signing keys. Have first-hand knowledge
       based on hard-to-forge communications that the key's fingerprint
       (pgp -kvc) in your keyring matches the user's real fingerprint.
     * Sign the keys of at least two other people
     * Get at least two signatures on your own key.
     * Extra credit: Sponsor a [6]key-signing party
       
Strongly-Connected Components

   A 'strongly-connected' set of keys is defined as a set in which every
   key leads to every other key via some chain of signatures (aka
   signature path). Note that we are not incorporating any PGP-specific
   rules for establishing trust (e.g. the default CERT_DEPTH of 4, the
   default requirement for two 'marginally trusted' introducers to
   establish trust, etc.).
   
   After running pgp -kc on the keyring (with MIT PGP 2.6.2, for almost 2
   days...) the number of signatures dropped from 28031 to 25810,
   presumably because some old signatures were thrown out. The analysis
   here was done with the original keyring, so all versions of PGP will
   not recognize all the signatures which are accepted here.
   
   Note that the program used for this analysis (pgpstat.java) so far
   only deals with keyID-keyID relationships, rather than dealing
   separately with each keyID/UserID pair. It does properly ignore
   revoked keys.

Size of 'strong': largest strongly-connected component: 1291
Size of 'signees': keys signed by 'strong':             2775
Size of 'signers': keys which sign 'strong':            2001

   The [7]largest strongly-connected component of this keyring (the set
   named 'strong') has 1291 keys in it. The [8]next-largest
   strongly-connected component has only 16 keys in it. There are another
   1484 keys which are directly or indirectly signed by at least one key
   in 'strong' but which do not sign any key in 'strong' and are thus not
   in the strongly-connected component, for a total of 2775 keys in the
   'signees' set that can be reached from the 'strong' set. Similarly,
   there are a total of 2001 keys in the 'signers' set which directly or
   indirectly sign at least one key in the strong component.
   
Shortest-Path Distances

   Using a breadth-first search of the keyspace, we can calculate the
   shortest path from one keyID to other keyIDs it has directly or
   indirectly signed.

Mean distance from strong keyIDs to signees:    6.41189
Mean distance to strong keyIDs from signers:    6.70961

Maximum shortest-path distance:                 21

   First, for each key in 'strong', we compute the mean length of the
   shortest path necessary to reach each key in 'signees': 6.41189. Next
   we do the converse, following paths of signatures into the strong
   component rather than out of it. The mean distances are different
   because a different set of keys is involved: signers vs signees.
   
   Finally, we note that there are several pairs of keys which have a
   shortest path distance of 21 between them. Here is the [9]example
   path, between these two keys:

6CB05C95 Karl F. Scheibner 
82996935 Brett Dubroy <1:225/357 at fidonet.org>

   Anyone who is along this path can improve the tightness of the web of
   trust by finding someone they know further along the path and
   carefully signing their key.
   
Centers of Trust: the Central Trustee and Central Truster

   By examining the shortest-path data more closely we can identify the
   keys which are closest to the 'center' of the web of trust. The
   'central trustee' is the key which is signed most directly by others:
   the key which has the shortest mean distance from all of the
   'signers'. Here is the current "top 10":

Mean    Max     KeyID           UserID
4.17191 11      CE766B1F        Paul C. Leyland 
4.30235 12      53AAF259        Klaus-Peter Kossakowski, DFN-CERT 
4.37881 12      32DD98D9        Vesselin V. Bontchev 
4.38381 12      D410B7F5        DFN-CERT 
4.4043  13      DA0EDC81        Phil Karn 
4.4073  12      F82CEA91        Simon Cooper 
4.43778 13      C1B06AF1        Derek Atkins 
4.46527 13      466B4289        Theodore Ts'o [SIGNATURE] 
4.47576 12      C7A966DD        Philip R. Zimmermann 
4.48426 12      8E0A49D1        Wolfgang Ley, DFN-CERT 

   You can also get the [10]full list by mean distance.
   
   Here is the [11]distance to the central trustee from each of the
   signers along with info on how many keys sign and are signed by each
   key.
   
   The converse of this is the 'central truster', the key which trusts
   other keys most directly:

Mean    Max     KeyID           UserID

3.91928 10      32DD98D9        Vesselin V. Bontchev 
3.97694 11      C7A966DD        Philip R. Zimmermann 
4.0191  12      DA0EDC81        Phil Karn 
4.0418  12      0DBF906D        Jeffrey I. Schiller 
4.05838 11      CE766B1F        Paul C. Leyland 
4.08396 12      7B7AE5E1        Germano Caronni 
4.08973 11      4D0C4EE1        Jeffrey I. Schiller 
4.13405 12      666D0051        Assar Westerlund 
4.17333 12      5826CF8D        John Gardiner Myers 
4.17982 12      466B4289        Theodore Ts'o [SIGNATURE] 

   You can also get the [12]full list by mean distance.
   
   Here is the [13]distance to each of the 'signees' from the central
   truster, along with info on how many keys sign and are signed by each
   key.
   
Further Questions

   Many other aspects of the web of trust could be explored.
     * It is important that the web be multiply-connected. Good
       software to do bi-connectivity (or tri-connectivity, etc.) for
       directed graphs would be useful, especially if it identifies the
       most significant articulation points (keys which are critical for
       the connection of big pieces of the web).
     * Identification of large cliques or near-cliques (sets of keys
       which all sign each other, related to coloring problem, very
       hard.)
     * Software to generate a high-level graphical view would be useful.
       For example, a directed-acyclic-graph of the connectivity of the
       larger strongly-connected components would be interesting.
     * It shouldn't be too hard to make pgpstat.java into a server which
       could answer custom queries (shortest path from x to y, size of
       component that x is in, suggestions for who might be able to sign
       your key (e.g. other keys from the strongly-connected component
       which are in your domain), etc.)
       
Tools

   The analysis tool, pgpstat.java, is an application written in the very
   nice new language [14]Java (Perl just doesn't have any decent
   hierarchical data structure support...). Source code will probably be
   made available after some cleaning-up for others who want to explore
   different keyrings or other avenues of analysis.
   
   Performance note: the algorithms used here mostly scale linearly in
   time complexity, based on the sum of the numbers of keys and
   signatures. In particular this is true for the code that finds the
   strongly-connected components (thanks to a favorite professor of mine,
   Bob Sedgewick, and his "Algorithms" book!)
   
   The one notable exception is finding the centers of trust and the
   longest shortest-path, which is quadratic in the size of the connected
   set, but doesn't have to be computed nearly as often, as a practical
   matter. The full analysis took less than 30 minutes using one
   processor on a Sun Sparc 1000 (50 Mhz?). There are lots of
   opportunities for optimization, and hopefully non-quadratic algorithms
   for at least approximating the center/longest path problems.
   
   Please let me know if you have any feedback on this analysis.
     _________________________________________________________________
                                      
   [15]Neal McBurnett 

References

   1. http://www.quadralay.com/www/Crypt/PGP/pgp00.html
   2. http://www.pgp.net/pgp/email-key-server-info.html
   3. http://www.pgp.net/pgp/www-key.html
   4. ftp://ftp.uit.no/pub/crypto/pgp/keys/pubring.pgp
   5. file://localhost/home/neal/public_html/pgpstat/public-keys.960101.pgp
   6. http://www.quadralay.com/www/Crypt/PGP/pgp06.html#608
   7. file://localhost/home/neal/public_html/pgpstat/strong-from
   8. file://localhost/home/neal/public_html/pgpstat/strong2
   9. file://localhost/home/neal/public_html/pgpstat/maxpath
  10. file://localhost/home/neal/public_html/pgpstat/strong-from
  11. file://localhost/home/neal/public_html/pgpstat/signers
  12. file://localhost/home/neal/public_html/pgpstat/strong-to
  13. file://localhost/home/neal/public_html/pgpstat/signees
  14. http://www.javasoft.com/
  15. http://bcn.boulder.co.us/~neal/Home.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBVAwUBMRL1t8KbwnFPAGm1AQHizwIAn+HiF7ohgcxlYAI9OS4St9FFghzCQ+8v
TQYKssbcqS06Y0kkeTYyKFBRfwTrulxugE+aq6Jchpw2vo0C6YvEdA==
=mXbe
-----END PGP SIGNATURE-----
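
[Added example, not part of the message above and not the author's pgpstat.java, whose source is not on this page.] The measurements the analysis describes ('strong', 'signees', 'signers', breadth-first shortest paths, central trustee and truster) are computed here in Python over a small constructed signature graph; all keyIDs and function names are assumptions made for illustration, and the longest shortest-path is taken over every key in the graph.

```python
from collections import deque

# Constructed sample: (signer keyID, signed keyID) pairs. The keyIDs are made
# up for this example and do not come from any real keyring.
SIGNATURES = [
    ("A1", "B2"), ("B2", "C3"), ("C3", "A1"),  # three keys signing in a ring
    ("C3", "D4"), ("D4", "C3"),                # D4 cross-signs with C3
    ("E5", "A1"),                              # E5 signs into the ring, nobody signs E5
    ("D4", "F6"), ("F6", "G7"),                # F6 and G7 are signed but never sign back
    ("H8", "I9"), ("I9", "H8"),                # a separate two-key island
    ("A1", "A1"),                              # self-signature: counted, not a graph edge
]


def build_graph(pairs):
    """Return (forward, reverse) adjacency dicts keyed by keyID."""
    fwd, rev = {}, {}
    for signer, signee in pairs:
        for key in (signer, signee):
            fwd.setdefault(key, set())
            rev.setdefault(key, set())
        if signer != signee:
            fwd[signer].add(signee)
            rev[signee].add(signer)
    return fwd, rev


def bfs(adj, start):
    """Shortest path length (in signatures) from start to each reachable key."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        for nxt in adj[key]:
            if nxt not in dist:
                dist[nxt] = dist[key] + 1
                queue.append(nxt)
    return dist


def strong_components(fwd, rev):
    """Kosaraju's two-pass algorithm, iterative; components sorted largest first."""
    order, seen = [], set()
    for root in sorted(fwd):
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(sorted(fwd[root])))]
        while stack:
            node, children = stack[-1]
            nxt = next((c for c in children if c not in seen), None)
            if nxt is None:
                order.append(node)  # all descendants done: record finish order
                stack.pop()
            else:
                seen.add(nxt)
                stack.append((nxt, iter(sorted(fwd[nxt]))))
    comps, assigned = [], set()
    for root in reversed(order):  # second pass walks the reversed graph
        if root in assigned:
            continue
        comp, stack = set(), [root]
        assigned.add(root)
        while stack:
            node = stack.pop()
            comp.add(node)
            for nxt in rev[node] - assigned:
                assigned.add(nxt)
                stack.append(nxt)
        comps.append(comp)
    return sorted(comps, key=len, reverse=True)


def analyse(pairs):
    fwd, rev = build_graph(pairs)
    strong = strong_components(fwd, rev)[0]
    seed = min(strong)
    signees = set(bfs(fwd, seed))  # reachable from 'strong' (includes it)
    signers = set(bfs(rev, seed))  # able to reach 'strong' (includes it)

    def mean_dist(adj, key, targets):
        dist = bfs(adj, key)
        others = [t for t in targets if t != key]
        return sum(dist[t] for t in others) / len(others) if others else 0.0

    out_means = {k: mean_dist(fwd, k, signees) for k in sorted(strong)}
    in_means = {k: mean_dist(rev, k, signers) for k in sorted(strong)}
    return {
        "self_signed": sorted(s for s, t in pairs if s == t),
        "strong": strong, "signees": signees, "signers": signers,
        "mean_out": sum(out_means.values()) / len(out_means),
        "central_truster": min(out_means, key=out_means.get),
        "central_trustee": min(in_means, key=in_means.get),
        # One BFS per key: the quadratic step the message mentions.
        "max_shortest_path": max(d for k in fwd for d in bfs(fwd, k).values()),
    }


if __name__ == "__main__":
    for name, value in analyse(SIGNATURES).items():
        print(name, value)
```

In this sample E5 is a 'signer' but not a 'signee' because nobody has signed it, which is the situation the message's advice to get at least two signatures on your own key is meant to avoid.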





From edgar at Garg.Campbell.CA.US  Fri Feb  2 22:19:45 1996
From: edgar at Garg.Campbell.CA.US (Edgar Swank)
Date: Sat, 3 Feb 1996 14:19:45 +0800
Subject: OFFSHORE RESOURCES
Message-ID: <7VHPiD2w165w@Garg.Campbell.CA.US>


Another URL for offshore investing, etc. is

  http://www.dnai.com/offshore/offshore.html

Edgar W. Swank   

-- 
edgar at Garg.Campbell.CA.US (Edgar Swank)
The Land of Garg BBS -- +1 408 378-5108





From ses at tipper.oit.unc.edu  Fri Feb  2 22:22:49 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sat, 3 Feb 1996 14:22:49 +0800
Subject: Analysis of PGP keyserver web of trust
In-Reply-To: <9602030545.AA06363@lever.dr.att.com>
Message-ID: 


There's a bunch of nifty graph-mangling code available as part of the 
Stanford GraphBase (literate CWEB, written by DEK; I think that had some 
stuff for bi-connectedness).


Simon //  TeX Files - Don Knuth is out there





From dmandl at panix.com  Fri Feb  2 22:32:59 1996
From: dmandl at panix.com (David Mandl)
Date: Sat, 3 Feb 1996 14:32:59 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: 


At 8:02 PM 2/2/96, Timothy C. May wrote:
>*Universities, corporations, and even ISPs are explicitly adopting policies
>that allow them to inspect e-mail at will. (If the arrangement is made in
>advance, it may not violate the ECPA to do this...and I'm not saying there
>aren't some good reasons why these entities would want the right to inspect
>e-mail (their liability being a good example), just noting the growing
>situation.

On that note...

A good friend of mine was fired (forced to resign) from her Wall Street
programming job recently.  The reason: her employer "just happened" to
stumble onto a message she'd posted to a mailing list a year ago, in which
she'd said some "very unflattering" things about the company.  The message
in question was posted from her personal email account (so it in no way
violated the company's rather strict internet use policy) and was the only
such message she'd ever posted.

However, one other piece of email was cited, this one also containing an
unflattering reference to the company but never mentioning them by name.
The obvious conclusion is that they hadn't merely come across this stuff in
an innocent Alta Vista search for "Company Name," but rather had searched
for my friend's name specifically.

My friend is looking into various legal options, so she's asked me not to
say any more for now.  But I consider this a very serious development and a
frightening precedent.  The company in question, incidentally, also does
routine scans of email and archives all incoming and outgoing mail.

As I and others have been saying for a while: what's happening on the net
is another "enclosures" movement.  Yes, I know that on this list that's a
politically incorrect view.  Deal with it.

   --Dave.

--
Dave Mandl
dmandl at panix.com
http://www.wfmu.org/~davem







From merriman at arn.net  Fri Feb  2 23:49:21 1996
From: merriman at arn.net (David K. Merriman)
Date: Sat, 3 Feb 1996 15:49:21 +0800
Subject: PGP & thee
Message-ID: <2.2.32.19960202191849.006aee34@arn.net>


-----BEGIN PGP SIGNED MESSAGE-----

I have a couple of questions about the variants of PGP on the CP ftp site:

1> What are the different Mac versions about? Which one goes with which Mac?

2> What are the differences in the different DOS/OS2 versions?

Reason I'm asking is that I've got some folks interested in using PGP, and I want to be able to point them in the right direction.

Emailed responses preferred to save listwidth :-)

Dave Merriman

-------------------------------------------------------------
"It is not the function of our Government to keep the citizen
from falling into error; it is the function of the citizen to
keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148







From jamesd at echeque.com  Sat Feb  3 00:55:18 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sat, 3 Feb 1996 16:55:18 +0800
Subject: Germany investigates AOL for providing Zundelaccess
Message-ID: <199602030836.AAA13781@blob.best.net>


At 07:34 PM 2/2/96 -0500, Declan B. McCullagh wrote:
>      America Online spokesman Ingo Reese in Hamburg said his company
> also was happy to work with the prosecutors. The company is ``totally
> opposed'' to illegal propaganda, he said,

They target the gutless, in order to create precedents 
without having to go to court.

You will recall that AOL also shopped its customers to the 
feds over child pornography.


 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From tbyfield at panix.com  Sat Feb  3 00:59:35 1996
From: tbyfield at panix.com (t byfield)
Date: Sat, 3 Feb 1996 16:59:35 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: 


At 1:18 AM 2/3/96, Dave Mandl wrote:

>As I and others have been saying for a while: what's happening on the net
>is another "enclosures" movement.  Yes, I know that on this list that's a
>politically incorrect view.  Deal with it.

        "Politically incorrect" on this list? What's gotten into you, Dave?
Really! PCism is what all those goddamn Tax-n-Spend Leftist Liberals
do--you know, like the ones in the _Life of Brian_. Folks here would never
engage in _any_ kind of PCism. I'm shocked, shocked...
        Don't you get it? Nation-states are going to collapse Real Soon Now
(after all, their Imminent Death has been Predicted), and the Markets,
guided by an irresistibly beckoning Invisible Hand, will Rise Up against
their Tyrannous Masters and be guided out of State Space into
Crypto-Anarchy[T{C}M], the land of milk and honey. And everyone who's
positioned themselves shrewdly--as your friend no doubt has--will prosper.
No problem!
        Tell your friend she has _nothing_ to worry about. In a few months,
she'll look back and laugh.


--Victor! von Kredulous-am-Kapitalismus

Visit Pere Lachaise!
We got majordomos, we're typing on phone lines, it's Realpolitik Lite & Fun 2!
---------:---------:---------:---------:---------:---------:---------:----
Nostradamus F. Xavier          | Clipto-nemesis: privatization, tons of $$$,
victor at get.not   212-255-2748  | end of history, optimistic tax deductions,
G.A.D.D.I.S.: Nag Hammadi, EG  | C-corps, lecture circuits, insider trading,
Higher power: "What me worry?" | carpal tunnel syndrome, other cool stuff.
"Sleeping policemen are national borders on the Information Soapbox Derby."







From llurch at networking.stanford.edu  Sat Feb  3 01:00:42 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 17:00:42 +0800
Subject: Helping the Crypto-Clueless
Message-ID: 


Bruce Baugh's latest missive inspired me to send the following to my new
racist friends, and also, coincidentally, to those at the Wiesenthal
Center, law enforcement agencies, and so on who also read the list.  Posts
to Stormfront-L are moderated to keep out any non-racist "noise," but I
assume that this message will be approved. Don really has no other choice. 

I imagine that this message will inspire greater awareness of and interest
in cryptographic applications, though I do not have great confidence that
it can do much to address my friends' cluelessness as such. 

I was not inclined to give them any real specifics on how to obtain and
employ cypherpunkish tools. After all, we're not very close friends. 

-rich

---------- Forwarded message ----------
Date: Sat, 03 Feb 96 08:21:32 0800
From: Not_By_Me_Not_My_Views Publishing 
To: stormfront-l at stormfront.org, rich.graves at leland.stanford.edu
Subject: Publicizing Stormfront-L; Internet privacy resources; Copyrights

-----BEGIN PGP SIGNED MESSAGE-----

I was surprised and disappointed to learn recently that there are no 
public archives of the Stormfront list. Many organizations, most of 
whom are strongly opposed to Stormfront's goals, seem to be keeping 
private logs of everything that is said on Stormfront-L, but to date 
none have made their archives public.

I find this silly. It's an open list, after all, and you know that 
people who do not share your goals are reading the list. With all this 
talk about The Enemy and free expression, it's odd that only The Enemy 
has accurate chronicles, and that you deny the general public the 
right to read what you say.

To address this oversight, I will be opening up my personal archives 
of Stormfront-L to public view on c2.org's Web server. I haven't 
worked out the details yet, but I'll probably be using hypermail, if 
this use is judged to satisfy the license terms.

Don't bother unsubscribing me. There are lots of people who would be 
only too happy to send me their copies of list mail, anonymized. Don't 
bother moving to another list, either, unless you don't mind losing 
all members of the list whose loyalties cannot be established beyond a 
reasonable doubt. See, you can't exactly announce on the list that 
you're moving to a new list where The Enemy can't find you.

Despite the fact that it has always been trivial to determine the list 
membership, I plan to respect list members' privacy by giving you all 
a day to avail yourselves of the large number of anonymity and double-
blind pseudonymity resources available on the Internet.

For information on the most well-known remailer, the penet.fi 
anonymous contact service, send email to both help at anon.penet.fi 
(sends you the FAQ) and ping at anon.penet.fi (assigns you an ID). The 
disadvantages of the penet.fi service are that it is slow (mail is 
delayed as much as 24 hours) and that it is not really secure (records 
of which IDs belong to which real email address are kept on a computer 
in Finland, and are therefore available to very determined law 
enforcement officers and other armed thugs).

Those with a technical bent may wish to look into more secure 
cypherpunk remailers, but they require some brains. Even I don't 
really use them.

Alternatively, if one or more of you have the means and incentive to 
set up a public Stormfront-L archive on the Internet, and very soon, 
then please let me know, and I will drop my plans. The advantages of 
an official public list archive run by someone who shares your goals 
should be obvious. Of course, private archives will still be kept by 
third parties in order to ensure that the official archive remains 
accurate and up to date. Checks and balances, natch.

I would be happy to provide some technical assistance if you need help 
getting started.

On to copyrights. The issue of who owns the copyrights to the 
Zundelsite pages has been raised both privately and publicly (very 
publicly).

It appears that Mr. Zundel has made his choice. The Zundelsite 
materials are in the public domain. Anyone can use them, abuse them, 
modify them, or sell them without violating anyone's intellectual 
property rights. May a thousand Zundelsites bloom. You may also 
include his works on BBSes, CD-ROMs, and T-shirts that you sell for 
personal profit. I'm working on a T-shirt for the "Zundel 
Detournement" contest right now. I doubt any of you would be 
interested in buying one, though.

Still, it would be much better if a formal network of mirror sites was 
established. That way you'd have a channel for receiving updates 
direct from Zundel's webmasters. Unfortunately, it seems that Mr. 
Zundel is embarrassed by the thought of being associated with the 
people who actually want to mirror his site for the content. He has 
had to  publicly distance himself from the very proud white 
supremacist Joe Bunkley, for example.

Most sincerely,

- -rich

P.S. You may have heard it reported recently that the author of PGP, 
which I am using (if this message does not bear a valid PGP digital 
signature, it is probably a forgery) is a Neo-Nazi sympathizer. This 
was untrue, and Phil considers this suggestion to be a serious libel. 
The newspaper that ran the allegation posted a very public and 
detailed retraction. Of course some Neo-Nazi sympathizers do use PGP, 
and so can you. In fact I'd love to exchange key signatures with one
of you guys in the San Francisco Bay Area (I'm sure there are a lot
of you here).

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----





From llurch at networking.stanford.edu  Sat Feb  3 01:20:28 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 17:20:28 +0800
Subject: Germany investigates AOL for providing Zundelaccess
In-Reply-To: <199602030836.AAA13781@blob.best.net>
Message-ID: 


On Sat, 3 Feb 1996, James A. Donald wrote:

> At 07:34 PM 2/2/96 -0500, Declan B. McCullagh wrote:
> >      America Online spokesman Ingo Reese in Hamburg said his company
> > also was happy to work with the prosecutors. The company is ``totally
> > opposed'' to illegal propaganda, he said,
> 
> They target the gutless, in order to create precedents 
> without having to go to court.
> 
> You will recall that AOL also shopped its customers to the 
> feds over child pornography.

Didn't they have a court order? Sure they could have resisted, but they
didn't bend quite so far over backwards that they were really bending over
forwards. 

This is an example of the kind of defeatist attitude that I think is 
counterproductive. Instead, say:

"With all the press attention being paid to censorship issues right now,
with the ridiculously Unconstitutional so-called Communications Decency
Act and so on, even America 'Online' is not likely to be so stupid and
spineless as to buckle under now. Ferchrissakes, the guy who runs
webcom.com is the grandson of a Holocaust victim; he deserves everyone's
undying respect for his commitment to the freedoms of someone he so
despises, and is simply not going to lose business because of this stand.
We won't let it happen." 

-rich





From ethridge at Onramp.NET  Sat Feb  3 01:21:33 1996
From: ethridge at Onramp.NET (Allen B. Ethridge)
Date: Sat, 3 Feb 1996 17:21:33 +0800
Subject: Just what the Internet needs right now...
Message-ID: 


>        I'll try to see if I can find some bomb-making information from a
>non-US web site; it may help in counterarguments. Given that I'm still not
>that good at searching, it would be nice if someone else could locate it also.
>        -Allen
>
>Reuters New Media
>
>   _ Friday February 2 4:54 PM EST _
>
>Boys Arrested for Plotting Bomb
>
>
>
>   NEW YORK (Reuter) - Three 13-year-old boys have been accused of
>   plotting to blow up their school after learning how to build a bomb
>   over the Internet, police said Friday.
>
>   The boys were arrested Wednesday after other students at Pine Grove
>   Junior High School in Minoa, New York, heard rumors of their plans and
>   police were alerted, said Capt. William Bleyle of the nearby Manlius
>   police department.
>
>[...]
>
>   One of the boys, believed to be the ringleader, admitted to police
>   that the three eighth graders learned how to build the bomb from
>   instructions they found on the Internet, the global network accessible
>   from home computers.

This was on the national TV news tonight as well.  I'm still trying to
figure out what planet all these people are from.  Boys and bombs have gone
together at least since i was a boy.  Teenage boys were building pipe bombs
back when i was a teenager, in the seventies, before anyone had heard of
personal computers or the internet.  Of course, i didn't learn about bombs
for blowing up entire buildings until much later, when some television show
mentioned combining diesel fuel with  fertilizer.  This show even got
specific as to the type of fertilizer, but i forgot to take notes.

The only counter-argument that makes any sense to me is that this isn't
new.  Boys have been building bombs for years.  Now they get their
information from the internet instead of the library or older kids down the
street.  The information has always been available.

Of course, there is always the argument about parental responsibility, but
that's not as sexy as the evil internet.

        allen







From jcobb at ahcbsd1.ovnet.com  Sat Feb  3 01:50:12 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sat, 3 Feb 1996 17:50:12 +0800
Subject: Denning's misleading statements
Message-ID: 


 
 
 
  Jeff, 
 
 
  On 01 28 96 you say: 
 
    We [cypherpunks] are becoming the "Bad Guys" in a well 
    orchestrated Psy Ops campaign propagated naively by the 
    4th Estate. 
 
 
  A few days ago I bought Markoff and Shimomura's Takedown. I've 
  read the first three chapters. 
 
  In my opinion: 
 
    (1)  the book is an important part of that well orchestrated 
         Psy Ops campaign 

    (2)  the book's designed from the word go to play that part. 
 
 
  Cordially, 
 
  Jim 
 
 
 






From stewarts at ix.netcom.com  Sat Feb  3 02:19:02 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 3 Feb 1996 18:19:02 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
Message-ID: <199602030951.BAA12305@ix2.ix.netcom.com>


At 05:30 PM 1/29/96 -0500, Nathaniel wrote:

>Have you downloaded my key from the net?  Assume that you have.  How do
>you know it's mine?
>
>I use PGP about 20 times per day.  I use it in a manner that is
>*meaningful*.  Unless we have in some way or another verified each
>others' keys, it is meaningless for me to sign a message to you. 
>Putting a PGP signature on a message to someone who has no way of
>verifying your keys is a nice political statement, but is utterly
>meaningless in terms of adding any proof of the sender's identity.  --

We have this discussion around here occasionally; one thing it does
is allow somebody to know that different messages were from the
_same_ person, whether that person is using a purported True Name
or an outright alias.  Another thing it does is allow you to demonstrate,
if need be, that you have the keys that were used to sign a message,
by signing another message with the same key, and optionally by
doing the Web Of Trust thing to validate your identity to someone.
I'm not aware that anyone's actually _done_ this in court,
but Utah and maybe other states have laws recognizing the validity of
digital signatures, and other courts could at least accept it along
with the usual Expert Witnesses.

Obviously it doesn't let you prove that an unsigned message isn't from you,
but that's pretty tough without requiring all messages to be
signed with your True Nationalist-ID-Card Is-A-Citizen Key.

#--
#				Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs






From stewarts at ix.netcom.com  Sat Feb  3 02:19:06 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 3 Feb 1996 18:19:06 +0800
Subject: FV's Borenstein discovers keystroke capture programs! (gifs at 11!)
Message-ID: <199602030951.BAA12309@ix2.ix.netcom.com>


At 09:24 AM 1/30/96 -0500, Nathaniel Borenstein  wrote:
>>  But I just can't believe that he thinks that
>the telephone is more secure on average than a keyboard.
>
>We have a few pages of C code that scan everything you type on a
>keyboard, and selects only the credit card numbers.  How easy is that to
>do with credit card numbers spoken over a telephone?
>The key is large-scale automated attacks, not one-time interceptions.

Speaker-independent recognition of digits is a done deal.
For large-scale automated attacks, you obviously don't wiretap the customer;
you hire The Dread Pirate Mitnick* to wiretap the 800 number for the
Home Shopping Channel, and hoover down the CC numbers of a large
number of known frequent-shopping cardholders.  (Actually, hitting on them
might be a bit tough, since they've presumably got direct T1s or T3s from
one or more carriers, which are harder to tap than the average residence line.)


(*Not the original Kevin "Dread Pirate" Mitnick, who's retired,
but Fred Bargle, who's got the current Dread Pirate Mitnick franchise.... :-)
#--
#				Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs






From stewarts at ix.netcom.com  Sat Feb  3 02:19:12 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 3 Feb 1996 18:19:12 +0800
Subject: Netscape, CAs, and Verisign
Message-ID: <199602030951.BAA12320@ix2.ix.netcom.com>


At 06:50 PM 1/30/96 -0500, Phill wrote:
>Question is how can Netscape (or anyone else) _securely_ allow an arbitrary CA's
>certificate to be used? Certainly the process cannot be automatic. Binding the 
>Verisign public key into the browser may be an undesirable solution, but the 
>problem is to think of a better one.

It's easy, and I gather Netscape has done it in 2.x - let the _user_ decide
what CAs to trust.  For convenient verification, you can have the user sign the
keys for each of the CAs, and then the chain-following software only needs
to compare each certificate's signer with the user's own pubkey, rather than
comparing with Verisign's.  If you want to be automatic about it, you _could_
have the user sign Verisign's key when first generating keys, or you could
ask the user the first time.  

You've got to pull the wool over your _own_ eyes, here :-)
#--
#				Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs






From stewarts at ix.netcom.com  Sat Feb  3 02:19:56 1996
From: stewarts at ix.netcom.com (Bill Stewart)
Date: Sat, 3 Feb 1996 18:19:56 +0800
Subject: Crypto suggestion - re: Fatal Flaws in Credit Cards
Message-ID: <199602030951.BAA12301@ix2.ix.netcom.com>


Nathaniel's written about the "fatal flaw" in any system that
involves typing credit card numbers into your computer being that
they're easy for a keyboard-sniffer or similar cracker to recognize.
An obvious work-around for this (and for many of the problems with
Social Security / Taxpayer ID numbers) is to use some sort of smartcard
that generates one-shot numbers that the credit card company (or tax thugs)
can map back to the "real" owner's ID.  The downside of this approach
is that you need a lot of bits to support it, since you have to accommodate
the expected number of users * the average uses/user + overhead,
and that may (for credit cards) be annoyingly long to type in
(though fine for electrical-interface cards, or cards that display
their numbers as barcodes for a wand reader, or whatever.)

Some potential algorithms:
1) public-key - 512 bits isn't really enough (cracking it doesn't necessarily
        let you charge to everybody's Visa number, but it does let you
        figure out what everybody's is), and that's already too long.

2) data-base of randomly generated numbers - this would do ok for SSNs;
        give everybody a dozen or two, and let them get more if
        they want.  That wouldn't even require a smartcard, but it
        would tend to require a SSN card that you don't lose,
        since you probably won't remember the dozen long numbers on the back.
        This would of course require redesigning all those databases
        that know an SSN is 9 digits long - I view this as a Good Thing,
        especially since it may get people to stop using them as database keys.

        Is it practical for credit cards?  Ten billion customers times
        a million uses each is 16 digits; I suppose that's not much longer
        than current card numbers, though each card company would need to
        keep track of more numbers.  You'd probably cache a hundred or a thousand
        in the card, and update the card every couple of years?

3) Some kind of hash or secret-key encryption of a constant (your "real" card number)
        and a random number?  This would still be susceptible to brute-force
        search (10**20 not being an exceptionally large number), and you'd
        need an algorithm with either zero or a very low probability of
        collisions.  A secret-key version would require a tamper-proof card
        to reduce probability of theft, and I'm not sure I believe in
        tamper-proof cards, even if you have a lot of keys and a salt
        that tells the credit-card company which key to use.

Any other suggestions?
        
#--
#				Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs
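
Option 2 in the message above (a database of random one-shot numbers), as an added example that is not part of the original post: it carries the "users * uses + overhead" sizing through and shows the issuer mapping a number back to its account exactly once. The function and class names, the account ids and the use of Python's `secrets` module are assumptions of the example.

```python
import secrets
from fractions import Fraction


def digits_needed(users, uses_per_user, overhead_factor=1):
    """Decimal digits needed so the number space holds
    users * uses_per_user live numbers, times an overhead factor."""
    space = users * uses_per_user * overhead_factor
    return len(str(space - 1))


def guess_probability(live_numbers, digits):
    """Chance that one blind guess hits a live one-shot number."""
    return Fraction(live_numbers, 10 ** digits)


class Issuer:
    """Issuer-side table: one-shot number -> account (hypothetical design)."""

    def __init__(self, digits):
        self.digits = digits
        self._owner = {}      # issued, not yet used
        self._spent = set()   # used once, never valid again

    def issue(self, account, count):
        """Draw `count` fresh random numbers for one account."""
        free = 10 ** self.digits - len(self._owner) - len(self._spent)
        if count > free:
            raise ValueError("number space exhausted; use more digits")
        batch = []
        while len(batch) < count:
            n = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
            if n in self._owner or n in self._spent:
                continue      # collision with a live or spent number: redraw
            self._owner[n] = account
            batch.append(n)
        return batch

    def redeem(self, number):
        """Return the owning account and retire the number.
        Unknown or already-used numbers return None."""
        account = self._owner.pop(number, None)
        if account is not None:
            self._spent.add(number)
        return account


if __name__ == "__main__":
    # The post's figures: ten billion customers, a million uses each.
    d = digits_needed(10 ** 10, 10 ** 6)
    print(d, "digits with no overhead; guess hit rate",
          guess_probability(10 ** 16, d))
    d = digits_needed(10 ** 10, 10 ** 6, overhead_factor=10 ** 6)
    print(d, "digits with 10^6 overhead; guess hit rate",
          guess_probability(10 ** 16, d))

    issuer = Issuer(digits=16)
    card = issuer.issue("acct-0001", 100)   # the cache held in the card
    print(issuer.redeem(card[0]))           # acct-0001
    print(issuer.redeem(card[0]))           # None: a sniffed number is spent
```

With no overhead every 16-digit string is a live number, so the overhead term is what makes blind guessing expensive.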






From hal9001 at panix.com  Sat Feb  3 03:52:30 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Sat, 3 Feb 1996 19:52:30 +0800
Subject: Declan appearing on "Europe's Most Wanted"
Message-ID: 


At 1:26 2/1/96, Timothy C. May wrote:

>The Nebraska-based neo-Nazi publisher who was picked up in Denmark and
>extradited to Germany pretty much knew his actions were illegal in Germany,
>but I doubt (sheer speculation on my part) he had ever been formally
>notified that an arrest warrant had been issued by Germany and could be
>exercised in Denmark.

It is even worse since they invited him into the country (and issued him a
Visa with the intent of arresting him and shipping him to Germany) to
attend a Nazi Convention. It was, in essence, a Government Authorized Sting
Operation.







From ses at tipper.oit.unc.edu  Sat Feb  3 03:57:21 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sat, 3 Feb 1996 19:57:21 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
In-Reply-To: <96Feb1.215126edt.10310@cannon.ecf.toronto.edu>
Message-ID: 


On Thu, 1 Feb 1996, SINCLAIR  DOUGLAS N wrote:

> The author claims that the code was disassembled.  S/he credits "CodeView"
> which is Microsoft's debugging/disassembly tool.  Of course, this could
> just be a cunning ruse...

i'd guess it was in fact reverse engineered





From sinclai at ecf.toronto.edu  Sat Feb  3 05:47:31 1996
From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N)
Date: Sat, 3 Feb 1996 21:47:31 +0800
Subject: Toronto ZS radio coverage
Message-ID: <96Feb3.081746edt.3003@cannon.ecf.toronto.edu>


The first item on the 8:00 AM radio news this morning was about the
Zundelsites, cypherpunks, and German censorship.  The station was
CFNY 102.1, an alternative music station that is quite net.aware.
We probably got the coverage here because Toronto is Zundel's home
town.





From frissell at panix.com  Sat Feb  3 05:48:05 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 3 Feb 1996 21:48:05 +0800
Subject: Germany investigates AOL for providing Zundelaccess
Message-ID: <2.2.32.19960203132452.009ce224@panix.com>


At 07:34 PM 2/2/96 -0500, Declan B. McCullagh wrote:

>      America Online spokesman Ingo Reese in Hamburg said his company
>also was happy to work with the prosecutors. The company is ``totally
>opposed'' to illegal propaganda, he said, but argued that commercial
>on-line companies have as much control over materials posted on the
>Internet as telephone companies have over their customers'
>conversations.

That's what happens when you hire Germans for your German operations.

DCF






From frissell at panix.com  Sat Feb  3 06:05:06 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 3 Feb 1996 22:05:06 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <2.2.32.19960203134458.009cfccc@panix.com>


At 04:24 PM 2/2/96 -0500, lmccarth at cs.umass.edu wrote:

>Just to be clear, I haven't been expelled or suspended from the school, and
>I have not been notified of any kind of pending disciplinary action against
>me. The pages are indeed gone, however.
>
>Lewis "Futplex" McCarthy, checking in from Rumor Control Central
>

So that's why my How to Read Banned Newsgroups on Compuserve is unavailable.
I'll get it back up on IOS later today.  Would someone else like to mirror
it for redundancy?  It's only one page.

Sameer -- if you're listening, maybe you and I could start an updated site
"Censorship Central" that maintains updated links to banned materials so
people can do "one stop shopping."

DCF 






From frissell at panix.com  Sat Feb  3 06:13:59 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sat, 3 Feb 1996 22:13:59 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <2.2.32.19960203135737.00740450@panix.com>


At 04:24 PM 2/2/96 -0500, lmccarth at cs.umass.edu wrote:
>Just to be clear, I haven't been expelled or suspended from the school, and
>I have not been notified of any kind of pending disciplinary action against
>me. The pages are indeed gone, however.
>
>Lewis "Futplex" McCarthy, checking in from Rumor Control Central

Are *you* going to bring action against the school?  You could proceed
administratively for free.

DCF






From nobody at REPLAY.COM  Sat Feb  3 06:14:16 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 3 Feb 1996 22:14:16 +0800
Subject: What is this threat?
Message-ID: <199602031355.OAA20420@utopia.hacktic.nl>



Anonymous questioned the meaning of the FBI-DECA 
national security threat:

>Perception management and active measures activities.

----------


Updated "The Puzzle Palace" will have more on this.

"Perception management" means any method used to conceal
intelligence or counterintelligence -- HUMINT, ELINT,
SIGINT, etc. -- including encryption or other operations
or communication technologies not accessible to, or
comprehensible by, the USG.

"Active measures activities" means any operations, human,
technological or administrative, that threaten the US.

The threat is a catch-all for interference with, or 
operation against intelligence and counterintelligence, 
surveillance and counter-surveillance or any other means 
used by the USG to protect against threats.

Its obscurity is used to cover in general what is not
covered explicitly by the other six well-known threats 
-- and to avoid revealing details of what is known or 
may yet be discovered.

It points to USG, and likely international, operations 
more blackly cloaked than those garishly paraded.












From mcguirk at indirect.com  Sat Feb  3 06:24:47 1996
From: mcguirk at indirect.com (Dan McGuirk)
Date: Sat, 3 Feb 1996 22:24:47 +0800
Subject: Crypto suggestion - re: Fatal Flaws in Credit Cards
In-Reply-To: <199602030951.BAA12301@ix2.ix.netcom.com>
Message-ID: <199602031408.HAA04273@bud.indirect.com>


> Nathaniel's written about the "fatal flaw" in any system that
> involves typing credit card numbers into your computer being that
> they're easy for a keyboard-sniffer or similar cracker to recognize.
> An obvious work-around for this (and for many of the problems with
> Social Security / Taxpayer ID numbers) is to use some sort of smartcard
> that generates one-shot numbers that the credit card company (or tax thugs)
> can map back to the "real" owner's ID.
> 
>[...]
>
> Any other suggestions?

Isn't this what zero-knowledge proofs are for?  Prove you know the
credit card number without ever having to transmit it.






From llurch at networking.stanford.edu  Sat Feb  3 06:26:50 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 22:26:50 +0800
Subject: THIS IS NOT NUKEPUNKS Re: Sometimes ya just gotta nuke em
In-Reply-To: 
Message-ID: 


ROTFL

But this is not nukepunks...

and that wasn't my point. There is considerable debate about whether
dropping the bomb was right. The moral clarity of a Gandhi, MLK, or (to
add someone who actually killed people, I think) Thomas Paine is much more
useful when you're talking about winning hearts & minds. 

If you have a choice, don't nuke.

But yes, sometimes ya just gotta nuke em.

-rich





From nsb at nsb.fv.com  Sat Feb  3 06:26:59 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sat, 3 Feb 1996 22:26:59 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601292111.AA23738@toad.com>
Message-ID: 


Excerpts from mail.cypherpunks: 2-Feb-96 Re: FV Demonstrates Fatal F..
"Paul M. Cardon"@fnbc.co (1751*)

> > I can guarantee you that it wasn't our system that did this. If
> > there's one thing we know cold, it's email.

> C'mon Nathan.  It was in the Received headers generated at your  
> end.  I agree that it COULD have happened on our end, but it didn't.  
>  I've never seen anybody with such an arrogant attitude.  BTW, it  
> looks like it has been fixed now.  :-b

Well, I would think that if you were seriously trying to diagnose this
problem, you would have heeded my request and actually sent me the
Received headers that you claim prove that there was a problem on my
end.  I've been tracking down mail delivery problems for fifteen years
now, I take them *excruciatingly* seriously, and I think I know a
*little* bit about them.  If that makes me arrogant, I apologize.

Received headers are typically (but not always) added at each step along
the way as a mail message travels in a store-and-forward manner.  Mail
that leaves my system typically (i.e. using my preferred user agent) has
two Received headers by the time it leaves, and neither of them specify
the destination address at all.  Received headers don't generally
include destination information, but may include it optionally, using
a FOR clause.  Any Received header that actually included the bogus
address you specified is definitely not generated by my machine, not
merely because I'm confident it wouldn't use that address, but more
critically because that clause of Received headers (FOR) isn't EVER
generated by my machine!  That's how I can be so absolutely sure that it
wasn't added by my machine.  When messages leave my machine they have
two Received headers, using these formats:

Received: by  nsb.fv.com (4.1/SMI-4.1)
        id AA26452; Fri, 2 Feb 96 16:40:24 EST
Received: from Messages.8.5.N.CUILIB.3.45.SNAP.NOT.LINKED.nsb.fv.com.sun4.41
          via MS.5.6.nsb.fv.com.sun4_41;
          Fri,  2 Feb 1996 16:40:23 -0500 (EST)

Note the complete absence of any FOR clause here.  It doesn't matter WHO
my system is sending mail to, it doesn't document the fact in the
Received headers.  (NOTE TO C'PUNKS:  In general, any mail relay that
uses the FOR clause for anything other than "final" delivery -- a very
tricky concept, by the way -- is indulging in a potentially very serious
breach of privacy, which should certainly concern the readers of this
list.  That's because it is typically based on the envelope addresses
rather than the header addresses, and hence can expose recipient names
that the sender thinks were being kept confidential, such as BCC
addresses.  That's one reason I prefer not to use the FOR clause at all.)

Note also that Received headers almost always appear in reverse order of
composition, because most relaying software just prepends them.  This
means that the mail you got from me probably has two headers like this
one, and that the one before it is the first one added by any machine
other than mine.  Most likely, the one before this is added at FV's mail
relay.  I don't *think* it uses "FOR" clauses either, but I can't swear
to that.

I hope this is helpful.  This is as far as I can go in diagnosing this
problem without actually seeing the mail headers you claim to have
received.  If you have any interest in diagnosing the real problem, as
opposed to publicly flaming me, I encourage you to send me the headers. 
I also see no point whatsoever in continuing to CC cypherpunks on the
diagnosis of a mail delivery problem, but will continue to do so in my
replies if you continue to send mail to cypherpunks slandering my
technical abilities in the guise of talking about a mail delivery
problem for which you refuse to provide documentary evidence that is
allegedly in your possession.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com
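
The FOR-clause exposure described in the message above, as an added example (not part of the original post or of any First Virtual software): a Python check that walks a message's Received headers in travel order and reports any `for` address that does not appear in To or Cc. The sample message and every address in it are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: two sender-side hops without a FOR clause, then a
# relay that records the envelope recipient, which here is a BCC address.
SAMPLE = """\
Received: from relay.example.org by mx.example.net
        for <secret-bcc@example.net>; Fri, 2 Feb 1996 16:41:02 -0500 (EST)
Received: by host.example.org (4.1/SMI-4.1)
        id AA26452; Fri, 2 Feb 96 16:40:24 EST
Received: from ua.host.example.org via ms.host.example.org;
        Fri, 2 Feb 1996 16:40:23 -0500 (EST)
From: sender@example.org
To: alice@example.net
Cc: list@example.com
Subject: test

body
"""

# "for <addr>" or "for addr" inside the clause part of a Received header.
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def received_hops(msg):
    """Received headers in travel order (oldest first), unfolded.
    Relays prepend, so the header order in the message is reversed."""
    hops = msg.get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def for_clause_leaks(raw):
    """Return [(hop_number, address)] for each FOR clause naming an
    address that is not visible in the To or Cc headers."""
    msg = message_from_string(raw)
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(shown)}
    leaks = []
    for n, hop in enumerate(received_hops(msg), start=1):
        clauses = hop.rsplit(";", 1)[0]   # drop the trailing date-time
        m = FOR_RE.search(clauses)
        if m and m.group(1).lower() not in visible:
            leaks.append((n, m.group(1)))
    return leaks


if __name__ == "__main__":
    for hop, addr in for_clause_leaks(SAMPLE):
        print(f"hop {hop} exposes envelope recipient {addr}")
```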





From nobody at REPLAY.COM  Sat Feb  3 07:39:46 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sat, 3 Feb 1996 23:39:46 +0800
Subject: Don't shot till you see the gray of their eyes
Message-ID: <199602030030.BAA27037@utopia.hacktic.nl>


Now I understand it.

That thing on the cover of Applied Crypto is really
one of the Gray's space ships that they use to abduct
aspiring cryptographers and implant microchips in them,
controlling their minds and making them obey RSA's
license agreement.

Very interesting indeed.

On a lighter note, a local NBC station advertised a
special they will have this monday, about the 1-800-INFO-PET
chips... only that parents are opting to have them implanted
in their newborn children.








From proff at suburbia.net  Sat Feb  3 07:41:15 1996
From: proff at suburbia.net (Julian Assange)
Date: Sat, 3 Feb 1996 23:41:15 +0800
Subject: (fwd) National Security Agency
Message-ID: <199602031526.CAA11269@suburbia.net>


Path: news.aus.world.net!suburbia.net!proff
From: proff at suburbia.net (Julian Assange)
Newsgroups: alt.anagrams
Subject: National Security Agency
Date: 3 Feb 1996 10:50:30 GMT
Organization: AUSNet Services pty. ltd.
Lines: 21
Message-ID: <4evelm$b9n at sydney1.world.net>
NNTP-Posting-Host: suburbia.net
X-Newsreader: TIN [version 1.2 PL2]

National Anti-Secrecy Guy
Secret Analytic Guy Union
Caution Laying Any Secret
Run anti Social Agency Yet
Uncle gay, Insane Atrocity
Insane, ugly, acne atrocity
Your testical, again Nancy?
Acute yearly sactioning 
Yes, gain unclean atrocity.
Nuns age angelic atrocity

National Gay Secrecy Unit

ftp://suburbia.net/pub/electron/gan.tgz

--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United  States has    |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff at suburbia.net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+






From llurch at networking.stanford.edu  Sat Feb  3 07:41:28 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sat, 3 Feb 1996 23:41:28 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: 


I originally sent Tim private mail saying "you're wrong."

On the other hand, reading futplex's actual statement and the fact that
Germany continues to "investigate" CompuServe and AOL, maybe he's right... 

This is not the end, but it may be the end of the beginning.

I also think there's a place for premature ejaculations of victory, 
because they tend to become self-fulfilling prophecies. If the press says 
that Germany is successfully censoring Zundel, then that sets a 
precedent; but if the press says that Germany's limp attempts to censor 
somebody on the Internet were a total failure, then they'll just look 
like a bunch of goofballs pursuing a lost cause. 

-rich





From declan+ at CMU.EDU  Sat Feb  3 07:43:33 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sat, 3 Feb 1996 23:43:33 +0800
Subject: Germany investigates AOL for providing Zundelaccess
Message-ID: 


German prosecutors appear to be using the *threat* of charges to force
AOL and CompuServe to block access to web sites. I suspect they'd rather
not actually file formal charges...

This is escalation. Faced with criminal charges for "inciting racial
hatred" or with enraged customers if they block access to web servers in
the U.S., what will AOL do? Try to block by URL?

-Declan

-----------------------------------------------------------------------

February 2, 1996

      BERLIN (AP) -- Prosecutors trying to keep Germans from reading
neo-Nazi propaganda on the Internet have notified America Online Inc.
that it may be charged with inciting racial hatred.

      Last week, prosecutors served similar notice to another
U.S.-based computer on-line service, CompuServe Inc. of Columbus,
Ohio, and T-Online, a division of the German phone company.

[...publishing neo-Nazi lit is illegal...]

      Prosecutors in Mannheim are considering bringing incitement charges
against the three Internet providers in Germany for allowing access to
material posted on the Internet by Ernst Zuendel, a German neo-Nazi living
in Toronto.

[...easy to create a web site...]

      T-Online, Germany's largest Internet access provider, responded
to the prosecutors' investigations by blocking its 1 million
subscribers from gaining access to the computer in California where
Zuendel had posted his tracts.

      Computer users accused T-Online of overreacting because the
block also prevented them from reaching more than 1,500 other sites on
that part of the network.

      CompuServe, with 4 million subscribers worldwide, including
220,000 in Germany, has not blocked the California server but said it
was working with the prosecutors to find a solution.

      America Online spokesman Ingo Reese in Hamburg said his company
also was happy to work with the prosecutors. The company is ``totally
opposed'' to illegal propaganda, he said, but argued that commercial
on-line companies have as much control over materials posted on the
Internet as telephone companies have over their customers'
conversations.

      America Online, based in Vienna, Va., only began operating in
Germany in December in a joint venture with a German company,
Bertelsmann AG. The joint venture has 40,000 subscribers in Germany;
America Online has 4.5 million customers worldwide.

[...]







From karl at cosmos.cosmos.att.com  Sat Feb  3 07:57:55 1996
From: karl at cosmos.cosmos.att.com (Karl A. Siil)
Date: Sat, 3 Feb 1996 23:57:55 +0800
Subject: RC2 Source Code - Legal Warning from RSADSI
Message-ID: <2.2.32.19960202140459.006d7194@cosmos.cosmos.att.com>


At 08:00 PM 2/1/96 -0600, Mr. Boffo wrote:
>> WARNING NOTICE > > It has recently come to the attention of RSA Data 

        [ text omitted ]

>secure their own site against break-ins? If they want to be the
>prima-donna site for encryption with all of the "copy-written" crypto,
>you would think that they could protect their own resources better.

I strongly suspect RSA distributes source to those customers who pay enough,
with the caveat that the customers don't share it, of course. My company
does that, even with its most sensitive code (of course, for a lot of money
:-) ). I find it extremely unlikely (from just a probabilistic standpoint)
that this leak came from within RSADSI.

I would first suspect someone of disassembly, of which I am envious. Not
because I couldn't do it, but because I don't have time to install a new
CD-ROM drive, never mind sit down and read hex dumps and assembler.

My second suspect is a disgruntled or "Crypto Freedom Fighter" employee at
some customer's site. If this is the case and the given anonymous remailer's
(or remailers') integrity is (are) not compromised, good luck to RSA in
trying to prosecute: They're gonna need it.

This horse is out of the barn, down the road, and in the next county.

My one question: Who cares about RC2?

                                        Karl






From campbelg at limestone.kosone.com  Sat Feb  3 08:40:57 1996
From: campbelg at limestone.kosone.com (Gordon Campbell)
Date: Sun, 4 Feb 1996 00:40:57 +0800
Subject: What happened to Aegis?
Message-ID: <2.2.32.19960203162249.0068582c@limestone.kosone.com>


After doing a total reinstall of my system (don't ask) I discovered that I
don't have a copy of the Aegis PGP Shell distribution archive anywhere. I
attempted to grab it from http://iquest.com/~aegisrc as listed in the docs,
but the site doesn't exist.

Does anybody know what gives and where I can get a new copy of the archive?
I really like this shell and haven't figured out how to otherwise integrate
PGP with EudoraPro.

Any other suggestions are also welcome.

-----
Gordon R. Campbell, Owner - Mowat Woods Graphics
P.O. Box 1902, Kingston, Ontario, Canada  K7L 5J7
Ph: (613) 542-4087   Fax: (613) 542-1139
2048-bit PGP key available on request.






From jimbell at pacifier.com  Sat Feb  3 09:09:43 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 4 Feb 1996 01:09:43 +0800
Subject: THIS IS NOT NUKEPUNKS Re: Sometimes ya just gotta nuke em
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

At 09:25 PM 2/2/96 -0800, Rich Graves wrote:
>ROTFL
>
>But this is not nukepunks...
>
>and that wasn't my point. There is considerable debate about whether
>dropping the bomb was right. The moral clarity of a Gandhi, MLK, or (to
>add someone who actually killed people, I think) Thomas Paine is much more
>useful when you're talking about winning hearts & minds. 

>If you have a choice, don't nuke.
>But yes, sometimes ya just gotta nuke em.
>-rich

Actually, at this point I don't think it would be inappropriate to remind
you two debaters (as well as the rest of the people here) that part of the
implications of my "Assassination Politics" idea is that it would
automatically force the elimination of all heavy weapons including nuclear,
down perhaps to handheld rifles.

 I am a 2nd amendment absolutist:  I believe that I have the right to
possess any and all "arms," including nuclear, biological, and chemical, as
well as all convention armaments.

There is no contradiction here.  

BTW, Rich, I hope you saw my recent comment wherein I praised you for your
principles and courage concerning the "Zundelsite" situation.  Perhaps I
originally judged you in haste.  While possessing no sympathy (even strongly
negative sympathy) for Nazi and Neo-Nazi (and Holocaust revisionist)
propaganda, I have similarly low opinions of censorship of all kinds.

My knowledge of this is hazy, however.  Consider this the beginnings of what
may be a profound and sincerely felt apology.

Jim Bell 
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMROQgvqHVDBboB2dAQHOYwQAoSItmeqPx0m6YWLIfCL3B3UX9KbvWynJ
y0xxsuP3Q/ra8JDHAonDYnvrI2avmWGXErtHRnVfKW0ohgBAOizfcbZay3/WDW30
ZYRq/OERyzLjq4u98ecrykoxU2whkomzLycdx2/1fl6rmQxvFFW0xwjZtX2q5K2b
Aj0XwefNtuc=
=iqsH
-----END PGP SIGNATURE-----






From cwe at it.kth.se  Sat Feb  3 09:11:49 1996
From: cwe at it.kth.se (Christian Wettergren)
Date: Sun, 4 Feb 1996 01:11:49 +0800
Subject: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
In-Reply-To: 
Message-ID: <199602031655.RAA18445@piraya.electrum.kth.se>



The "keyboard sniffer" of FV is really troublesome, and the
extension of this threat will hamper the Internet Commerce
tremendously, I believe. The thing that might have made it
hard to accept the threat for cypherpunkers is that it was 
presented together with a plug for the FV scheme, (which may 
or may not be valid btw.)

But more generally, I see the following happening.

The factors that now are "harmonizing" are:
* the tremendous growth of Inet commerce; Digicash, encrypted
  CardNo's etc. Many of the now proposed schemes have no
  independent "evidence" mechanism, whereby you can settle
  a disputed transaction fairly. You will have to choose
  to believe one of the parts, and that is very often the
  service provider/bank/card company.

* The decline of the "ordinary" card fraud market,
  VISA/Europay/Mastercard is rapidly finishing their
  forthcoming smart card systems. I'd guess this "market"
  is gone within 2-3 years. Some "big organisations" might
  start to move into the new "fraud markets" soon.

* The fact that the PC is such an extremely used platform,
  and that the need for back compatibility will make it
  almost impossible to add substantial security to it now.

* The fact that anti-virus tools haven't been able to
  eradicate the virii problem even before the "forthcoming
  surge" in virus writing that I believe will come. According
  to a survey by Information Week (Nov 27 -95) 67% of the 
  companies had been hit by a virus the last year, and 12% 
  of the companies had suffered financial loss caused by it. 
  (1293 companies surveyed). 
  Admittedly there are social problems behind the continued spread
  of virii too, but that alone doesn't make them go away. Take
  a look at the article "Virus Authors strike Back" by Alan
  Solomon in "Computers and Security" 11 (1992) 602-606. The
  state of anti-virus tools seemed to be in a rather sad state
  back then, and I really wonder whether they are any better
  now.

* The knowledge about how to write virii has been spread
  rather far - a college kid can get his hands on one of
  the polymorphic virus generators, and start to output
  new self-encrypting virii with the same action routine
  regularly. Also, note that this new kind of virii ("virii
  with a mission") would start to cost immediately, in 
  contrast with the "old kind" that only cost when you 
  have to clean them out, or if they wipe un-backuped data.
  (your fault - core dumped)

* All PC's will be net-connected... Embed a public key in the
  virus, let it encrypt the loot and post it to Usenet
  in the group junk.erotica. You can then harvest the group
  with the secret key anywhere in the world.
  (Be generous, let the virus go away automatically if it
  has "contributed" enough money.)

The pay-off of continuously updating your virus to cope with
new protection mechanisms would be enormous. Let's assume that I
employ 10 programmers 2 years from now, who write new action 
routines and develop new virus types... I bet I could get 
a decent living quite soon. Also assume I settle down in a 
suitable country with lax enough laws, do you believe that I
would be a criminal then? What is the legal status of virii,
and what is this concept of "electronic money" anyway? :-)

I promise, I won't do that. It's not a bet.












From loofbour at cis.ohio-state.edu  Sat Feb  3 09:36:50 1996
From: loofbour at cis.ohio-state.edu (Nathan Loofbourrow)
Date: Sun, 4 Feb 1996 01:36:50 +0800
Subject: Futplex makes the news!
In-Reply-To: 
Message-ID: <199602031721.MAA07583@hammond.cis.ohio-state.edu>


Rich Graves writes:
 > AP story in Boston Globe (long and ludicrous on-line URL, and OK, so this 
 > is not the greatest story, but I think it's somewhat positive):
 > 
 >  http://www.boston.com/globe/ap/cgi-bin/retrieve?%2Fglobe%2Fapwir%2F033%2Freg%2Fag052102

This article appears to have moved to a different, but equally
ludicrous URL:

http://www.boston.com/globe/cgi-bin/waisgate?WAISdocID=6775428472+0+0+0&WAISaction=retrieve

nathan





From tcmay at got.net  Sat Feb  3 09:54:28 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 4 Feb 1996 01:54:28 +0800
Subject: Germany investigates AOL for providing Zundelaccess
Message-ID: 


At 1:24 PM 2/3/96, Duncan Frissell wrote:
>At 07:34 PM 2/2/96 -0500, Declan B. McCullagh wrote:
>
>>      America Online spokesman Ingo Reese in Hamburg said his company
>>also was happy to work with the prosecutors. The company is ``totally
>>opposed'' to illegal propaganda, he said, but argued that commercial
>>on-line companies have as much control over materials posted on the
>>Internet as telephone companies have over their customers'
>>conversations.
>
>That's what happens when you hire Germans for your German operations.


He was only following orders.


--Tim


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From dcrocker at brandenburg.com  Sat Feb  3 09:56:42 1996
From: dcrocker at brandenburg.com (Dave Crocker)
Date: Sun, 4 Feb 1996 01:56:42 +0800
Subject: Don't type your yes/fraud response into your computer
Message-ID: 


(I sent this separately to the www-buyinfo list and now decided that
cypherpunks might also be an interesting -- or even better -- venue for
raising the question.  Sorry for the duplicates if you get them.  d/)

If this has shown up in one or another of the discussion threads already, I
apologize for missing it.

	In thinking about the nature of the credit card keyboard attack, it
occurs to me that the confirmation message sent from First Virtual back to
the (purported) purchaser is, itself, pretty distinctive.  It makes me
wonder whether an attack of the style used to detect credit card typing on
the keyboard could not also be used to detect the arrival of the FV
confirmation query and then, of course, to automatically generate a 'yes'
response back to FV?

	At base, the moral to the story is that a compromised user machine
permits essentially any and all activities to be suborned.  Only a smart
card mechanism stands a chance of standing up to this, but that, in effect,
makes the smart card the 'user machine'.

d/

--------------------
Dave Crocker                                                +1 408 246 8253
Brandenburg Consulting                                 fax: +1 408 249 6205
675 Spruce Dr.                                     dcrocker at brandenburg.com
Sunnyvale CA 94086 USA                           http://www.brandenburg.com

Internet Mail Consortium                   http://www.imc.org, info at imc.org







From ErnstZundl at aol.com  Sat Feb  3 10:05:07 1996
From: ErnstZundl at aol.com (ErnstZundl at aol.com)
Date: Sun, 4 Feb 1996 02:05:07 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <960203124656_311380557@emout09.mail.aol.com>


THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!

Recently several Jewish co-conspirators have tried to silence
me!  I finally go onto Usenet to make myself open for debate,
and the Communist conspirators write to the AOL postmaster
and ask that they remove my account!

Below are some messages I received from some of those
people who do not believe in Free Speech.  *I* believe in 
Free Speech.  Without Free Speech, I would be unable to
declare which books I feel should be burned, who should
be persecuted, and who should be declared to be inferior
or part of a race-wide conspiracy like the "Holocaust."

Please do not send email to the people who complained
about me.  I believe in Free Speech, and so I believe in
their right to complain about me.  I also believe that it
just demonstrates that they are willing Fellow Travelers
in the worldwide Communist Conspiracy, they are friends
of the Black Helicopters of the United Nations, and they are
enemies of the Aryan Nazi UFO's at the center of the Earth.

Now, fellow Patriots and Supermen Aryans, read their
messages and tell me what you think?

>> Subj:  Re: TOS violations
>> Date:  Mon, Jan 29, 1996 8:23 PM EDT
>> From:  freedom at pathcom.com
>> X-From: freedom at pathcom.com (Marc Lemireberg)
>> To: postmaster at aol.com
>> CC: ernstzundl at aol.com, Mossad at israel.gov

>> Dear Sir/Madam:

>> An American Online user is repeatedly violating AOL's Terms of Service
>> on USENET.  Please read a sample post below.

>> He is a controversial Canadian publisher, Ernst Zundel,
>> who believes in "Free Speech."  I personally do *NOT*
>> believe in "Free Speech" because I am a Jewish Communist. 
>> His continued posting from AOL could bring legal action
>> against your company, because that is what Jewish Communists
>> like me do.  It is the only way to keep the Aryan Space Nazi
>> UFO Mothership from vaporizing the world.

>> Please correct this problem by informing the user of his
>> politically incorrect activity.

>> Thank you.

>> -- Marc Lemireberg
>>*******************************************************
>>          **                DIGITAL CENSORSHIP BBS                **
>>          **     Canada's most Politically Correct BBS, access on    **
>>          ** FIRST call, 100% FREE, NOW 2.1 GIGABYTES ONLINE!! **
>>          **                        ^^^^^^^^^^^^^^^^^^^^^^^^^^ **
>>          **        Node 1 (417) 462-3328 28.8 V.34            **
>>          **        Node 2 (417) 465-4768 14.4 V.42            **
>>           
>> *******************************************************

>> Date:  Mon, Jan 29, 1996 1:26 AM EDT
>> From:  declan+ at CMU.EDU
>> X-From: declan+ at CMU.EDU (Declan B. McCullagh)
>> To: cypherpunks at toad.com
>> CC: ernstzundl at aol.com, fight-censorship+ at andrew.cmu.edu, postmaster at aol.com

>> Ernst Zundel is the Neo Nazi Hatemonger who sparked the Wiesenthal
>> Center's attempts at censorship, and the latest move by the German
>> government.

>> Now an AOL alias, "ernstzundl at aol.com", is being used in the course of an 
>> effective propaganda spree on Usenet newsgroups including
>> alt.skinheads, alt.mindcontrol, and alt.fan.ernst.zundel.

>> Now, the Wiesenthal Center Censors are enraged over this attempt to
>> popularize the evil Ernst Zundel.  He and his legions of Aryan Supermen
>> of superior strength and intellect *must* be stopped from unleashing the
>> horror of interstellar war upon Israel.  AOL is Earth's last defense against
>> the Interstellar Aryan Space Nazis led by Ernst Zundel.

>> As a card-carrying member of the Jewish Communist Conspiracy, I must
>> protest Mr. Zundel's acts of "Free Speech." Shalom, Fellow Travelers!


>> Subj:  No Subject
>> Date:  Tue, Jan 30, 1996 11:13 AM EDT
>> From:  ca314 at freenet.uchsc.edu

>> I hate Aryan Nazis from Space.  I will oppose them when they land
>> on Earth!


>> Subj:  Re: Ernst Zundel Says: Join the Aryan Corps!!! 
>> Date:  Sun, Jan 28, 1996 11:28 PM EDT
>> From:  hoel at eng.usf.edu
>> X-From: hoel at eng.usf.edu (Matthew Hoelstein (EE))
>> To: ernstzundl at aol.com (ErnstZundl)

>> Get out of misc.activism.militia!  Real patriots are not racist-- they just
>> hate Jews, Blacks, Catholics, and anyone who is "different".  People 
>> like me are really just Jews controlled by the Zionist Occupied Government,
>> and the Militias are really just a way to help Israel seize more power. 

>>       Matthew D. Hoelstein, Militia Commander
>>       hoel at suntan.eng.usf.edu


>> Subj:  Re: Aryan Corps Operations Specialist????????
>> Date:  Sat, Jan 27, 1996 6:19 PM EDT
>> From:  bootboy at airmail.net
>> X-From: bootboy at airmail.net (Bootboy)
>> To: ernstzundl at aol.com (ErnstZundl)

>> Get off the internet, German Swine!
>> Sh'ma y'israel!
>> -Bootboy-  88/14
>> Jewish Skinheads U.S.A.
>> http://web2/airmail.net/bootboy/



*** Now do you see what kind of censorship I am up against???

If you want to help me, please DO NOT email the people above to complain.

Instead, you can help me in my cause to make the Earth safe for White
children. You can help me by joining me and my legions of Aryan Nazi UFO
Supermen at the center of the Earth.  All you have to do to get there is
enter the Earth's center by way of a volcano in Antarctica.

If you are a *true* Patriot, and a *true* Aryan, then you *MUST*
make the journey to Antarctica and into the volcano!!  We owe it to
the world, we owe it to the great Adolph Hitler, and we owe it to
the White Race.

And please bring a sweater.  It's cold!









From blancw at accessone.com  Sat Feb  3 10:16:39 1996
From: blancw at accessone.com (blanc)
Date: Sun, 4 Feb 1996 02:16:39 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <01BAF21F.279FC500@blancw.accessone.com>


From: 	Duncan Frissell

Sameer -- if you're listening, maybe you and I could start an updated site
"Censorship Central" that maintains updated links to banned materials so
people can do "one stop shopping."
....................................................................

Look at:  
http://www.mit.edu:8001/activities/safe/home.html

in particular, at:  
http://www.mit.edu:8001/activities/safe/notsee.html#Politics


   ..
Blanc










From gimonca at skypoint.com  Sat Feb  3 10:41:19 1996
From: gimonca at skypoint.com (Charles Gimon)
Date: Sun, 4 Feb 1996 02:41:19 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: 


> 
> If you are a *true* Patriot, and a *true* Aryan, then you *MUST*
> make the journey to Antarctica and into the volcano!!  We owe it to
> the world, we owe it to the great Adolph Hitler, and we owe it to
> the White Race.
> 
> And please bring a sweater.  It's cold!
> 

Hey buddy--it was 32 below zero in Minneapolis this week, not 
including wind chill! I'm packin' swim trunks.






From drose at AZStarNet.com  Sat Feb  3 10:55:57 1996
From: drose at AZStarNet.com (drose at AZStarNet.com)
Date: Sun, 4 Feb 1996 02:55:57 +0800
Subject: Our "New Order"
Message-ID: <199602031830.LAA12987@web.azstarnet.com>


(Apologies to those on the cyberia-l list, to which this was x-posted, and
to Perry Metzger.)

In view of the fact that our government seems bent on abrogating its
citizens' rights to free speech, has anyone done a survey indicating which
foreign countries have the best Net connections to the U.S. (excepting, of
course, Germany and possibly France)?

It may be expedient for Planned Parenthood and others whose points of view
differ somewhat from those approved under our "New Order"* to explore
alternatives in order to reach their constituencies.

--David M. Rose

* "My New Order", as many of you know, is the 1941 sequel to "Mein Kampf".






From declan+ at CMU.EDU  Sat Feb  3 11:00:28 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sun, 4 Feb 1996 03:00:28 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: 


Excerpts from internet.cypherpunks: 3-Feb-96 THE JEWS (ALL of them!)
Try.. by ErnstZundl at aol.com 
> >> Date:  Mon, Jan 29, 1996 1:26 AM EDT
> >> From:  declan+ at CMU.EDU
> >> X-From: declan+ at CMU.EDU (Declan B. McCullagh)
> >> To: cypherpunks at toad.com
> >> CC: ernstzundl at aol.com, fight-censorship+ at andrew.cmu.edu, postmaster at aol.com

[...]

> >> Now, the Wiesenthal Center Censors are enraged over this attempt to
> >> popularize the evil Ernst Zundel.  He and his legions of Aryan Supermen
> >> of superior strength and intellect *must* be stopped from unleashing the
> >> horror of interstellar war upon Israel.  AOL is Earth's last defense against
> >> the Interstellar Aryan Space Nazis led by Ernst Zundel.
>  
> >> As a card-carrying member of the Jewish Communist Conspiracy, I must
> >> protest Mr. Zundel's acts of "Free Speech." Shalom, Fellow Travelers!

Damn, he blew my cover. I shall seek vengeance with my orbital
mindcontrol lasers.

Shalom,

Declan






From maggie at critpath.org  Sat Feb  3 11:00:34 1996
From: maggie at critpath.org (Maggie Heineman)
Date: Sun, 4 Feb 1996 03:00:34 +0800
Subject: FYI: Free calls to Congress
Message-ID: <199602031833.LAA19465@mailhost1.primenet.com>


You too can call and complain about the CDA if you like.
Or any CRYPTO RELATED idea you feel relevant!

Love Always,

Carol Anne
         -  Please repost far and wide -  
  
>     The following two telephone numbers will connect anyone in the U.S. to 
>     the Capitol switchboard from where they can connect to any 
>     Congressional office:
>     
>     1-800-962-3524 
>     1-800-972-3524
>     
>     The numbers are courtesy of the Christian Coalition which is providing 
>     them to its members (and now to us).  Please feel free to forward this 
>     message to friends and family.

----------------------------------
It works!  -- I tested both the 962 and 972 numbers. 

Same dialogue on both calls -  

Operator:  Capitol
Me:  Is this the Capitol Switchboard?
Operator:  Yes.
Me:  I'd like to have Chaka Fattah's office, please
Answering Machine: You have reached the office of Chaka Fattah...

--------------------------
Relayed - The original poster (I think) was


>  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  + To send a message across the listserv, send your e-mail message    +
>  +                 To: lev-zev at igc.apc.org                            +
>  + To unsubscribe, send a message containing "unsubscribe LEV-ZEV"    +
>  +                 To: majordomo at igc.apc.org                          +
>  + Problems or Questions:                                             +
>  +                 mail: jpierotti at tcn.org                            +
>  + *Suggested SUBJECT prefixes when sending messages to the listserv* +
>  +                 ALERT:, MEDIA RELEASE:, or FYI:                    +
>  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Maggie 
=======================================================================
Margaret Andrus Heineman [maggie at critpath.org]
Fight the Right Network (Philadelphia)
-- http://www.critpath.org/ftrn/
Webmaster, PFLAG on the Web 
-- http://www.critpath.org/~maggie/pflag/   

Keep remembering: they are against the free flow of information.  
Anything you can do to increase information flow hurts them . -Purdom 
========================================================================







From sethf at MIT.EDU  Sat Feb  3 11:10:09 1996
From: sethf at MIT.EDU (sethf at MIT.EDU)
Date: Sun, 4 Feb 1996 03:10:09 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <9602031850.AA18675@frumious-bandersnatch.MIT.EDU>


	HOLD YOUR FLAMES! That message looks like a troll designed to
set us all off arguing. DON'T FEED THE TROLL.

--
Seth Finkelstein  				sethf at mit.edu
Disclaimer : I am not the Lorax. I speak only for myself.
Freedom of Expression URL http://www.mit.edu:8001/activities/safe/home.html





From zinc at zifi.genetics.utah.edu  Sat Feb  3 11:29:12 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Sun, 4 Feb 1996 03:29:12 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: 


oh my...

i guess it really does take all types.

-pjf

"Those that give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)
			  finger for PGP key
zifi runs LINUX 1.3.59 -=-=-=WEB=-=-=->  http://zifi.genetics.utah.edu 






From a-johnb at microsoft.com  Sat Feb  3 11:33:34 1996
From: a-johnb at microsoft.com (John Banes (Wasser))
Date: Sun, 4 Feb 1996 03:33:34 +0800
Subject: Microsoft's CryptoAPI - thoughts?
Message-ID: 


I have "standardized" the PS files on the MS website, so there should 
be no more problems. Sorry for the inconvenience.
----------
| From: Futplex  
| To: Cypherpunks Mailing List  
| Cc: CryptoAPI Information Alias
| Subject: Re: Microsoft's CryptoAPI - thoughts?
| Date: Friday, January 26, 1996 3:02AM
|
| rickt at psa.pencom.com writes:
| > [Info can be found at: http://www.microsoft.com/intdev/inttech/cryptapi.htm]
|
| Has someone here managed to extract PostScript hardcopy of the
| CAPI from this Web page? I tried earlier this evening and
| wound up with a miniature
| ecological disaster on my hands. The page says:
|
| "For ease of online reading and printing, we've provided copies of this
| lengthy document in Microsoft Word and Postscript formats."
|
| I grabbed the ZIPped PostScript version and unZIPped it, which resulted in a
| single file called "capiapp.ps". Making the wild assumption that this was
| indeed a PostScript file, I sent it to the printer and forgot about it for a
| while.
|
| An hour later I discovered a chaotic scene in the printer room, as the
| printer had spewed about 1.5 reams of raw PostScript printouts. The output bin
| had overflowed for a while, spraying paper in several directions. 
|
| As it turns out, the file unhelpfully begins with
| 	%-12345X at JPL ENTER LANGUAGE=POSTSCRIPT
| preceding the usual "%!PS-Adobe-3.0" line. Worse still, it appears that the
| capiapp.ps file is actually a catenation of many PostScript files (one per
| chapter?), each beginning with a version of this ensnarling line.
|
| I could do some global search-and-replacing, etc., but I think I'll wait for
| Microsoft to distribute a decent PS version of this document. Perhaps they
| should consider not generating it with MS Word....
|
| Grr!
|
| Futplex 
| 







From PADGETT at hobbes.orl.mmc.com  Sat Feb  3 12:07:02 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Sun, 4 Feb 1996 04:07:02 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: <960203083305.2020cd29@hobbes.orl.mmc.com>


Tim wrote:
>At 4:12 AM 2/3/96, Rich Graves wrote:
>>Who holds up the nuking of Hiroshima and Nagasaki as great victories
>>against tyranny?
>Since you ask, I do.

And the biggest secret of the war was that "Fat Man" was the *last* A-bomb
we had or could build for about a year (had taken several *years* to
separate enough fissionable material for the three via two entirely
different processes).

To me this is the great strength of the USA: given a theoretical problem, we
will develop a hundred different solutions, try them all in parallel, and at 
least one will work.
						Warmly,
							Padgett





From ses at tipper.oit.unc.edu  Sat Feb  3 12:35:10 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Sun, 4 Feb 1996 04:35:10 +0800
Subject: Sometimes ya just gotta nuke em
In-Reply-To: <960203083305.2020cd29@hobbes.orl.mmc.com>
Message-ID: 


On Sat, 3 Feb 1996, A. Padgett Peterson, P.E. Information Security wrote:

> And the biggest secret of the war was that "Fat Man" was the *last* A-bomb
> we had or could build for about a year (had taken several *years* to
> separate enough fissionable material for the three via two entirely
> different processes).

So secret even Gen. Groves was unaware of it- he was so misled that he 
thought he would have the next Fat Man finished on the 12th or 13th 
August 1945, and ready for dropping on the 17th/18th of August. 

PerryDeflector: Guess they must have used some pretty funky codes eh?





From jordan at Thinkbank.COM  Sat Feb  3 12:47:09 1996
From: jordan at Thinkbank.COM (Jordan Hayes)
Date: Sun, 4 Feb 1996 04:47:09 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: <199602032012.MAA01412@Thinkbank.COM>


	From jf_avon at citenet.net Sat Feb  3 11:04:01 1996

	>Soon I hope
	>that there will be as much chance of children 'stumbling upon'
	>X-rated JPEGs as they can today image satellite-delivered porno in
	>their heads without a dish.

	I guess that children do not see the depicted event as
	traumatic as you personally do...  But guess what, maybe
	some people do not mind their kids seeing these pictures.



Hey, I tried to explain this, but you missed it: I *don't personally
care* about whether kids see porno.  I *know* that a *huge* percentage
of the population in this country does (sorry for being USA-centric,
but we have [at least for now] the largest net population, so you
can see how this will go ...).  Therefore, I'd like to see a way
for the default to be that kids (dare I say everyone!) don't *automatically
stumble upon* it in the open network.  I'm all for parents giving
access to their kids to whatever they feel is right, and I'm all
for adults making that choice as well; but I think that if the
majority of the people in a community don't want the default behavior
to be "click here for tits!" then it's up to us, as technologists,
to provide easy-to-use mechanisms for those who do want to see them
to not infringe on those who don't.

If you want porno on your TV, you can rent it, you can pay-per-view
it, you can get a satellite dish, or whatever.  But most people
don't want it by default to be on channel 7.  Last time: I *personally*
am not one of them, but it's important to see what the majority
thinks on this issue.



	Phones are *NOT* private devices.

Again, you missed my point.  People *think* they are, and if you
compare "private" calls to "tapped" calls, you'll see that the
expectation of privacy is not so misplaced.  Yes, if your communications
are important to you or you are a potential target of investigation,
you should know it's not private.  But it's not like any significant
number of phone calls are tapped, by the government or otherwise.
And it's not likely to happen, either, because NO ONE CARES WHAT YOU
SAY TO YOUR FRIEND ON THE PHONE.

	You can tap a phone for 10$ worth of Radio Shack hardware.

And I'm sure you do this, what, 18,000 times per hour?  I'm like
so sure that you listen to all your neighbors' phone calls.

	>And don't forget: if you have privacy, you don't need anonymity.
	>Swiss banks provide the ultimate example.

	I would like other people to comment on this one, but I
	think that Swiss banks *did* also provide anonymity. (number
	accounts)

You can get a numbered account at a Swiss bank by showing up at
the branch, introducing yourself to the branch manager, proving to
him who you are, and signing some papers.  They will keep your name
out of any transactions you make, but they *know you* ... this is
not anonymity; this is merely privacy.

Another good example is John Perry's PGP'd mailing list.  No chance
of anyone "stumbling upon" the content, since it's all PGP'd.  But
it's not anonymous, and for good reasons.  So what if all mailing
lists were like this?  What if alt.binaries.pictures.erotica.oral
was like this? What if all our mail programs and news readers were
able to cope easily with this?  I think this is the question that
efforts like IPSec are trying to answer: we'd all be *way* better
off.

What if looking at a JPEG were like buying beer?  The default is
that a 12 year old isn't going to fool the guy at 7-11, but if
their parents buy a beer and give it to 'em, what the heck?
Consuming alcohol is not regulated; *purchasing* it is.

Don't forget: the fact that "porno on the net" (for instance) is
an issue *at all* is a *failure* of technology.  It would be a
non-issue if USENET wasn't essentially a technology vacuum.

/jordan





From jordan at Thinkbank.COM  Sat Feb  3 12:48:49 1996
From: jordan at Thinkbank.COM (Jordan Hayes)
Date: Sun, 4 Feb 1996 04:48:49 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: <199602032025.MAA01565@Thinkbank.COM>


#if !defined(perry)

	From tcmay at got.net Fri Feb  2 21:32:22 1996

	A land invasion of Japan would've likely cost half a million
	American lives, and perhaps a million or more Japanese
	citizen lives, according to comprehensive studies I think
	are on the mark.

Sorry to inject a little scholarly research on this topic, but I
would urge those of you who are interested in how this mythology
was created and disseminated to do an AltaVista search for Alperovitz;
he's potentially the leading scholar on this subject.  I've read
his book, and Tim probably ought to as well ...

If you read nothing else on this topic, I urge you to check out
an interview with him at http://www2.ari.net/home/bsabath/950711.html

#endif

/jordan





From nsb at nsb.fv.com  Sat Feb  3 12:49:09 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sun, 4 Feb 1996 04:49:09 +0800
Subject: FV, Netscape and security as a product
In-Reply-To: <199601311753.JAA18008@darkwing.uoregon.edu>
Message-ID: 


Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi..
Jeff Weinstein at netscape. (985*)

> > Netscape and FV have both taken a
> > "security is a product" stance, which is a gross misrepresentation.

>   We are definitely moving away from the "security is a product" stance
> that you mention.  It was definitely overdone in the early days of the
> product, but after the security bugs of the summer I and others were
> able to convince marketing that they should back off.  I want it to
> be clear what our product can and can not do.  For example, SSL can
> only protect data in transit between two machines.  If either machine
> is compromised then the data can be stolen at that end.  Our product
> does not attempt to secure the user's machine, and can not operate
> securely on an insecure machine.  Expect to see warnings and disclaimers
> of this nature from us in the future.

I applaud this clear, sensible, and correct statement.  Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as
"security is a product".  Quite the contrary, we keep talking about
security as a *process*.  It's made up of multiple layers, which may
include digital signatures, encryption, hard-to-sniff identifiers,
out-of-band mechanisms, confirmation loops, vigorous investigation of
attempted fraud, and probably many other things, not to mention more
"traditional" aspects of server-level security.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Sat Feb  3 12:50:48 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sun, 4 Feb 1996 04:50:48 +0800
Subject: Crypto suggestion - re: Fatal Flaws in Credit Cards
In-Reply-To: <199602030951.BAA12301@ix2.ix.netcom.com>
Message-ID: 


Excerpts from mail.cypherpunks: 3-Feb-96 Crypto suggestion - re: Fat..
Bill Stewart at ix.netcom.c (2735*)

> Nathaniel's written about the "fatal flaw" in any system that
> involves typing credit card numbers into your computer being that
> they're easy for a keyboard-sniffer or similar cracker to recognize.
> An obvious work-around for this (and for many of the problems with
> Social Security / Taxpayer ID numbers) is to use some sort of smartcard
> that generates one-shot numbers that the credit card company (or tax thugs)
> can map back to the "real" owner's ID.  

Absolutely true.  If you go back to my original post, I mentioned smart
cards as one possible solution.  Once you add smart cards, you don't
have the system I described as fatally flawed, which is software-only
encryption of credit card numbers.  -- NB
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Sat Feb  3 12:57:06 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sun, 4 Feb 1996 04:57:06 +0800
Subject: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards)
In-Reply-To: <01BAEF34.AA95ECC0@ploshin.tiac.net>
Message-ID: 


Excerpts from mail.cypherpunks: 1-Feb-96 Re: Flaw in Netscape rejoin..
Jeff Weinstein at netscape. (10884*)

>   You would not send the FV ID to the "bad guys" until you saw a complete
> FV transaction take place.  You remember the ID when you see it, but
> only send it after seeing the e-mail verification message.

But there's no obvious correlation between the VirtualPIN as it appears
in the web transaction and the message that comes back!  In other words,
what you might be sniffing for in the web page would be a form that said
"Enter your Virtual PIN here".  But what comes back will be a mail
message that does NOT include the Virtual PIN and in which there's no
way that I can think of to do the correlation.  (That's a design
feature.)  This means that your algorithm will trigger if the host
machine gets ANY transfer-query back from FV, but it might not be
associated with the VirtualPIN that you previously intercepted.  The
correlation at this stage is VERY hard, and when you misfire, our fraud
department gets a quick heads up.

>   It should be quite easy to determine what protocol a user uses to read
> their mail from within winsock.  If we want to limit it to pop3 users, we
> could just keep track of connections to port 110.  As noted before, if
> they don't use pop we don't target them.

But you don't know, when you intercept a Virtual PIN, whether you've
intercepted the one that belongs to the user whose machine you've
infected.  This scheme will break down very quickly in "promiscuous"
environments like universities, CyberCafes, etc.  How will your attack
program know not to make the wrong decision in any environment where
more than a single user ever uses the machine?

The point is that if it misfires with any frequency at all -- even 1% of
the time -- we'll get some quick heads up about the ongoing fraud.

>   With the explosive growth of internet connected PCs, I think that
> the number of people who "surf" and read e-mail on different machines
> is dwindling rapidly.  I am happy to skip those old guard of the
> internet and concentrate on the newbies who only have one computer
> and one account.

Yes, I certainly understand that this is Netscape's product strategy,
and I think it is a VERY GOOD ONE at the level of selling tools to
users, which you guys are clearly great at.  However, the Internet
really is very heterogeneous, and is likely to continue to be so. 
Trends like CyberCafes are likely to make there continue to be a large
number of non-personal machines for a long time to come.  And unless
your attack program can figure out how NOT to infect such machines, it's
going to tip its hand fairly fast, especially since such machines will
probably be among the MOST vulnerable to various kinds of automated
infection.

>   I still think that someone could construct an attack against the
> current FV system using the techniques I've described.  It would be
> more complicated to construct than the keyboard attack but that has
> been proven time and again not to be a barrier.  Someone who could
> construct the Morris worm or the year ago IP spoofing attacks could
> do it. 

I think we're already way beyond that in complexity, and you still
haven't outlined all the necessary pieces of a successful automated
attack.  But even if you are eventually successful in devising an
automated attack on FV, it's already clear that it's going to be far,
far more complicated than the attack we've outlined on
software-encrypted credit card numbers.  If you take seriously the
notion that an automated attack should be as hard as possible, I think
the advantages of our system are already crystal clear.

>   I think that you may have to rethink some of your assumptions that
> were valid back when you designed the system, but are no longer given
> the current growth and changing demographics of the internet.

I like CyberCafes.  I like public access terminals in airports and
universities.  I like programs that create "terminal rooms" in the inner
cities to allow disadvantaged people to access the net.  All of these
are part of the current growth and changing demographics of the
Internet, too.

I do agree with you that if the Internet becomes much more homogeneous,
an automated attack on FV will become easier.  EVERYTHING becomes more
vulnerable in a homogeneous world, as in an ecosystem.  Diversity helps
to protect the health of the overall ecology.  Fortunately, I don't see
extreme homogeneity coming to the Internet any time soon.  Major
platforms from Microsoft and Netscape, for example, might well attain
80% market dominance, but the remaining 20% has a vital role to play in
keeping the net healthy.  Helping to thwart a complex automated attack
is just one example of this more general observation.

>   I'd really like to see some effort spent on closing some of the more
> gaping holes in the underlying systems.  Why should it be so easy
> for one program to snoop on the keystrokes directed to another?
> Why should it be so easy for a program downloaded from the net
> to patch a part of the operating system?

Agreed completely.  On the other hand, trends from OS vendors seem to be
moving in quite the opposite direction.  Think about "click here to
execute" in mail or news postings on the Microsoft Network.  And someone
recently told me (don't know if it's true) that Microsoft's OCX
architecture for executable web content is the best avenue yet for
creating Trojan Horses......  And I, for one, am deeply uneasy about
Java's security model, too.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Sat Feb  3 13:11:38 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Sun, 4 Feb 1996 05:11:38 +0800
Subject: C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
In-Reply-To: <310E0EBE.30FD3BCC@netscape.com>
Message-ID: 


Excerpts from mail.cypherpunks: 1-Feb-96 Re: C'mon, How Hard is it t..
Jamie Zawinski at netscape. (2014*)

> > Is it your position that no systematic flaw in your security is real
> > until someone has actually broken it?

> Of course not.  You don't have to actually break it to show that it's
> possible.

> Of course, you *do* have to show the likelihood of success and effort
> required to pull it off as well before it's interesting at all, whether
> it's theoretically possible or not.

OK, let's try this again:  Is it your position that the hardest part of
the attack we've outlined is the large-scale infection of consumers'
machines with untrusted code, using a virus, Trojan Horse, or some other
method?  And that this attack is not serious because doing that is
prohibitively difficult?  If so, I agree with the first claim but not
the second.  But I'm really trying to get clear about your position
here.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From rishab at best.com  Sat Feb  3 13:13:45 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Sun, 4 Feb 1996 05:13:45 +0800
Subject: No Subject
Message-ID: <199602021638.IAA18451@shellx.best.com>


India's Department of Telecommunications (DoT) charges a licence
fee of $50,000 per _annum_ for BBS operators, and nearly twice
as much for e-mail providers. It is preparing to finalise a policy
for Internet service providers; as it doesn't understand the distinction
between Internet _networks_ (MCI, Sprintnet etc) and "retail" providers
(the geek in the garage), it is planning to charge well over $100,000
in annual licence fees. This is totally against the opinions of Telecom
Secretary R K Takkar, as expressed to my newsletter, The Indian 
Techonomist, some months ago. 

I spoke to Mr Takkar for some time, providing him the "education" that 
he asked for in my newsletter and that large datacom companies here have 
been curiously averse to give him. He appreciated my point of view, and
invited me to send a proposal for an alternative datacom policy, which
I have done (and which is summarised below). I hope to meet him next week 
to follow this up. As a major part of my call for removing restraints is 
based on the Internet's treatment by other world governments, I would like 
letters of support to show this. 

My proposal may appear tame, but it isn't really. It will allow small
ISPs to pay as little as $150 a year in licence fees; reduce the (high)
likelihood of cartels between large companies; and entrench electronic
free-speech at (some) parity with other media. (Note that the DoT has
said that it is "not considering" blocking access to parts of the Net
for reasons of morals or security. This despite the local media's loudly
proclaimed discovery that the Net is 97.34% paedophile, or whatever.)

     Highlights
     
     1. Definitions
     - The category for E-mail providers becomes redundant,
       leaving international gateway, national network, and
       "retail" service providers
     - Content providers have constitutional protection as
       electronic publishers
     - BBSes do not require licensing, being content providers
     
     2. Goals
     - Licence fees not for revenue generation, but to
       ensure responsibility (unavoidable. Mr Takkar's words)
     - Licence fees based on telecom infrastructure costs,
       not revenues (at the moment, a licence is almost like income tax)
     - Regulation required for free and fair competition (see below)
     - TRAI should also handle datacom regulation, and datacom consumer
       complaints (the Telecom Regulatory Authority of India is likely
       to be very independent of the government, headed by a former
       Supreme Court judge)
     
     3. Regulation
     - Equal access to gateway, network and service
       providers (to prevent denial of service and cartels, very
       likely here without explicit rules preventing them)
     - Rationalisation of DoT leased line tariff structure
       (now, a network costs more than the sum of its parts! too 
       complicated to explain briefly)
     
     4. Licensing
     - Uniform fee structure for gateway, network and
       service providers (say 2.5% of leased line costs, which
       are known as they are provided by the DoT)
     - Barriers to entry greatly reduced (minimal ISP pays $150 p.a)
     - However, total licence fee revenue for DoT not
       significantly reduced (important for success of this proposal;
       large nationwide network may still pay $100,000+ thanks to its
       huge leased line requirements)
     
The full text of the proposal will be made publicly available on the
Net sometime next week. Those who would like to see it, and a template
for a letter of support, should send me mail at dcom-appeal at dxm.org.
I would like letters from non-commercial organisations, lobby groups,
policy bodies, and so on, but NOT datacom companies (I wouldn't
mind _personal_ letters of support from them, but they wouldn't do
for the DoT). I would particularly like to see something from Hong Kong,
which I have used as a good example of how to do things in Asia.

Thanks,
Rishab

----------------------------------------------------------------------
The Indian Techonomist - newsletter on India's information industry
http://dxm.org/techonomist/                             rishab at dxm.org
Editor and publisher: Rishab Aiyer Ghosh           rishab at arbornet.org
Vox +91 11 6853410; 3760335;     H 34 C Saket, New Delhi 110017, INDIA





From anon-remailer at utopia.hacktic.nl  Sat Feb  3 13:26:50 1996
From: anon-remailer at utopia.hacktic.nl (Anonymous)
Date: Sun, 4 Feb 1996 05:26:50 +0800
Subject: [CONSPIRACYPUNKS] RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602032104.WAA02903@utopia.hacktic.nl>


     It is becoming obvious to anyone with two brain cells to rub
together that RC4 and now RC2 have been deliberately released by RSA
Data Security.

     Consider that neither of these ciphers would be used in any
freely available software systems if licensing fees had to be paid to
RSA.  Now that the algorithms are public knowledge, many developers
will include them in their products if for no other reason than to
tweak RSA's nose.

     The warning notices and claims of dire consequences from RSA
are clearly designed to spread FUD among deep-pocket users of such
products.  Rather than risk any legal exposure, medium and large
companies who wish to use products containing RC2 and RC4 will obtain
licenses from RSA.  RSA has traded the entirety of a small pie for a
significant portion of a much larger pastry.

     Quite brilliant marketing when one thinks about it.





From jya at pipeline.com  Sat Feb  3 13:40:14 1996
From: jya at pipeline.com (John Young)
Date: Sun, 4 Feb 1996 05:40:14 +0800
Subject: GNU_kum
Message-ID: <199602032124.QAA24024@pipe4.nyc.pipeline.com>


   2-3-96. FinTim:

   "World's financial police to cast money laundering net
   wider."

      The plan needs to address issues raised by cybercash.
      These technologies pose a threat but answers should
      not be dated as soon as published. Officials want 
      developers of new technologies to consider their 
      criminal potential before launch, to avoid clampdown 
      afterwards. Possible safeguards against the misuse of 
      electronic purses may include limiting their maximum 
      value or restricting use to closed systems.


   "Communist to capitalist." [Book review]

      China's Rise, Russia's Fall, by Peter Nolan.

      Nolan says China's leaders had the self-confidence to
      chart their own evolutionary approach, largely
      preserving state institutions at a central and regional
      level, and fostered entrepreneurship through intelligent
      government planning. Russia's ruling class were 
      hoodwinked by a phalanx of mainly US and UK advisers 
      urging a "shock therapy" of destroying existing 
      economic and political power-bases. The result has been 
      a deep tragedy.

   2-3-96. EcoMist:

   "Why is the Internet so slow; what can be done about it?"

      At present there is no answer, only a few expedients to
      limit traffic on congested routes, say, with "caches".
      However, Web site owners object to providers caching
      their wares, because it robs them of valuable
      information about their viewers -- the sort that
      advertisers demand. The caches have, in effect copied
      these pages without their owners' permission, and are
      showing them to others without their owners' knowledge.
      But faced with an Internet meltdown copyright violation
      may be the least of their worries.


   GNU_kum (for the three)













From wb8foz at nrk.com  Sat Feb  3 13:58:25 1996
From: wb8foz at nrk.com (David Lesher)
Date: Sun, 4 Feb 1996 05:58:25 +0800
Subject: PGP "official" logo?
Message-ID: <199602031635.LAA16677@nrk.com>


EFF is promoting a new symbol of free speech -- the blue ribbon.

Can/should a PGP logo incorporate that somehow?

-- 
A host is a host from coast to coast.................wb8foz at nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433





From tomw at netscape.com  Sat Feb  3 14:00:54 1996
From: tomw at netscape.com (Tom Weinstein)
Date: Sun, 4 Feb 1996 06:00:54 +0800
Subject: Netscape, CAs, and Verisign
In-Reply-To: <199602030951.BAA12320@ix2.ix.netcom.com>
Message-ID: <3113D385.2781@netscape.com>


Bill Stewart wrote:
> 
> At 06:50 PM 1/30/96 -0500, Phill wrote:
> > Question is how can Netscape (or anyone else) _securely_ allow an
> > arbitrary CA's certificate to be used? Certainly the process cannot
> > be automatic. Binding the Verisign public key into the browser may
> > be an undesirable solution, but the problem is to think of a better
> > one.
> 
> It's easy, and I gather Netscape has done it in 2.x - let the _user_
> decide what CAs to trust.  For convenient verification, you can have
> the user sign the keys for each of the CAs, and then the
> chain-following software only needs to compare each certificate's
> signer with the user's own pubkey, rather than comparing with
> Verisign's.  If you want to be automatic about it, you _could_ have
> the user sign Verisign's key when first generating keys, or you could
> ask the user the first time.

In 2.0, what we do is maintain a database of certificates that have
various trust attributes.  We ship this database with a number of CAs
that we feel confident in, but the user can add and delete CAs if he
wants.

When the Navigator is presented with a certificate that it can't
verify (the CA isn't in the database), the user is prompted as to
whether or not to trust the site and whether to trust it permanently, or
just for this session.

The Navigator can also download certificates as one of the following
mime types:

application/x-x509-ca-cert
application/x-x509-server-cert
application/x-x509-user-cert

When the Navigator sees one of these, it presents the user with a
series of dialog boxes that take him through the process of approving
the certificate and adding it to the database.

-- 
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw at netscape.com
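
A minimal model of the trust decisions described in this message, added here as an illustration; it is not Netscape's code. The TrustDB and Cert names, the ask callback, and the issuer-name lookup that stands in for signature verification are assumptions, and all certificates are constructed.

```python
import hashlib
from dataclasses import dataclass

# The three MIME types named in the message, mapped to the kind of certificate.
MIME_KINDS = {
    "application/x-x509-ca-cert": "ca",
    "application/x-x509-server-cert": "server",
    "application/x-x509-user-cert": "user",
}


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate; no real X.509 parsing is done."""
    subject: str
    issuer: str
    body: bytes = b""

    @property
    def fingerprint(self) -> str:
        data = b"|".join([self.subject.encode(), self.issuer.encode(), self.body])
        return hashlib.sha256(data).hexdigest()


class TrustDB:
    """Hypothetical certificate database with per-entry trust attributes."""

    def __init__(self, shipped_cas, ask):
        # ask(question, cert) stands in for the dialog boxes. It returns
        # "permanent", "session" or "reject" for sites, "approve" or "reject"
        # for downloaded certificates.
        self.ask = ask
        self.cas = {ca.subject: ca for ca in shipped_cas}
        self.permanent = set()   # site fingerprints trusted across sessions
        self.session = set()     # site fingerprints trusted until end_session()
        self.user_certs = {}

    def add_ca(self, ca):
        self.cas[ca.subject] = ca

    def delete_ca(self, subject):
        self.cas.pop(subject, None)

    def end_session(self):
        self.session.clear()

    def check_site(self, cert):
        # Assumption: an issuer-name lookup replaces real signature checking.
        if cert.issuer in self.cas:
            return "trusted-ca"
        fp = cert.fingerprint
        if fp in self.permanent:
            return "trusted-permanent"
        if fp in self.session:
            return "trusted-session"
        answer = self.ask("trust-site", cert)   # CA not in the database
        if answer == "permanent":
            self.permanent.add(fp)
            return "trusted-permanent"
        if answer == "session":
            self.session.add(fp)
            return "trusted-session"
        return "rejected"                       # any other answer fails closed

    def import_download(self, content_type, cert):
        kind = MIME_KINDS.get(content_type)
        if kind is None:
            raise ValueError("not a certificate MIME type: " + content_type)
        if self.ask("import-" + kind, cert) != "approve":
            return False                        # nothing is stored without approval
        if kind == "ca":
            self.add_ca(cert)
        elif kind == "server":
            self.permanent.add(cert.fingerprint)
        else:
            self.user_certs[cert.subject] = cert
        return True


def demo():
    """Walk one constructed browsing session; returns (results, prompts shown)."""
    answers = ["session", "permanent", "approve", "reject"]
    asked = []

    def ask(question, cert):
        asked.append((question, cert.subject))
        return answers.pop(0)

    shipped = Cert("Example Shipped CA", "Example Shipped CA")
    other_ca = Cert("Example Other CA", "Example Other CA")
    site_a = Cert("a.example", "Example Shipped CA")
    site_b = Cert("b.example", "Example Other CA")
    site_c = Cert("c.example", "Example Other CA")
    db = TrustDB([shipped], ask)

    results = [db.check_site(site_a)]           # shipped CA, no prompt
    results.append(db.check_site(site_b))       # unknown CA, user picks session
    results.append(db.check_site(site_b))       # remembered for this session
    db.end_session()
    results.append(db.check_site(site_b))       # prompted again, now permanent
    results.append(db.import_download("application/x-x509-ca-cert", other_ca))
    results.append(db.check_site(site_c))       # covered by the imported CA
    db.delete_ca("Example Shipped CA")
    results.append(db.check_site(site_a))       # CA deleted, user rejects
    return results, asked
```

Session-only trust disappears at end_session(), so the same site prompts again, and deleting a shipped CA immediately sends its sites back to the prompt.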





From tcmay at got.net  Sat Feb  3 15:03:45 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 4 Feb 1996 07:03:45 +0800
Subject: Sometimes ya just gotta nuke em--and nuke em again
Message-ID: 


At 8:25 PM 2/3/96, Jordan Hayes wrote:

>Sorry to inject a little scholarly research on this topic, but I
>would urge those of you who are interested in how this mythology
>was created and disseminated to do an AltaVista search for Alperovitz;
>he's potentially the leading scholar on this subject.  I've read
>his book, and Tim probably ought to as well ...

I have responded privately to Jordan Hayes on this issue. Reasonable people
can disagree on historical events, and historical motives, and certainly
the "decision to drop the bomb" has long been a contentious one.

I regret that Jordan Hayes believes a condescending tone, implying others
are not as scholarly as he, is the way to make a point.

(I've also received several long articles from people who seemed outraged
that I was belittling the dropping of the bomb. I wasn't belittling it. Far
from it. The Japs surrendered after the second bomb, so it was obviously
not a trivial matter to them.)

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From stephan.mohr at uni-tuebingen.de  Sat Feb  3 15:09:15 1996
From: stephan.mohr at uni-tuebingen.de (Stephan Mohr)
Date: Sun, 4 Feb 1996 07:09:15 +0800
Subject: free speach and the government
Message-ID: <2.2.16.19960203234059.2eb7ed1c@mailserv.uni-tuebingen.de>


Well, I feel that I agree with the people on the right of free speech for
i.e. the neo-nazi stuff or other political, ideological and/or religious
ideas. But there is still something that leaves me uneasy: imagine there
would be a way to easily make a powerful poison, easily applied to
your town's water-reservoir, or a very easy way to build some strong
explosive device. etc. Actually, I think that stuff like this does exist
already.

But the idea that one day I just put 'easy made deadly poison for millions'
into my webcrawler and whoop there it is on my screen or on the screen of any
other fool, doesn't sound too right to me. I would like things like this
to be better put aside and locked up.

Well, maybe my imagination isn't strong enough to make my point. But do
you fighters for free speech, in principle, think that nothing, really
nothing, shouldn't be prevented from being published? And by being
published, I mean published in the net, not at loompanics (who knows
loompanics?).

I know, of course, that by accepting that there is something that
shouldn't be available on the net, we would need something to decide what
and how to ban. So I wonder what would be a more 'net'-like way of handling 
this type of thing and how to prevent that some 'strong-armed' governments
take the net over.

I do not see today's governments being prepared for the net (at least not
the German one). But I see them trying to put the 'old' laws onto the net.
Not because they are mean, but because they don't know any better. So, I
think it would be nice to have something to offer to them. I do not think though
that they will accept the total right of free speech (yet). 

There is something that is closely related to the right of free speech but
not the same and that is the right of privacy. And I think there is a big
danger of the issue of free (public) speech being taken over to the right of
privacy. Governments may, by arguing to control the public net, start to
prohibit the use of strong cryptography. It seems important to me to
separate these two issues. Maybe it will be necessary to agree to some kind
of (hopefully self organized) control of the public net. But it is totally
unacceptable to allow whatever organization to look into someone's private life.

Comments and hints to information on these topics very much welcome

Stephan






From cacst9+ at pitt.edu  Sat Feb  3 15:25:26 1996
From: cacst9+ at pitt.edu (Cecelia A Clancy)
Date: Sun, 4 Feb 1996 07:25:26 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: 




On Sat, 3 Feb 1996 ErnstZundl at aol.com wrote:

Ernst Zu"ndel's e-mail address is ezundel at cts.com.  He is on on
AOL to my knowledge.


> THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
> 
> Recently several Jewish co-conspirators have tried to silence
> me!  I finally go onto Usenet to make myself open for debate,
> and the Communist conspirators write to the AOL postmaster
> and ask that they remove my account!
> 
> Below are some messages I received from some of those
> people who do not believe in Free Speech.  *I* believe in 
> Free Speech.  Without Free Speech, I would be unable to
> declare which books I feel should be burned, who should
> be persecuted, and who should be declared to be inferior
> or part of a race-wide conspiracy like the "Holocaust."


The above text does not feel like Zu"ndel to me.  I think
that this ErnstZundel at aol.com might very well be an imposter.
The above is not the real Zu"ndel's speaking or writing
style.  Zu"ndel does not want books burned and people persecuted
nor does he want certain races and ethnic groups declared
inferior.

Zu"ndel is more likely to complain about hypocrisy and lack of tolerance
than lack of capitalized Free Speech. (At least according to
what I have been exposed to of him.)

 
> Please do not send email to the people who complained
> about me.  I beleive in Free Speech, and so I believe in
> their right to complain about me.  I also believe that it
> just demonstrates that they are willing Fellow Travelers
> in the worldwide Communist Conspiracy, they are friends
> of the Black Helicopters of the United Nations, and they are
> enemies of the Aryan Nazi UFO's at the center of the Earth.
> 
> Now, fellow Patriots and Supermen Aryans, read their
> messages and tell me what you think?
> 
> >> Subj:  Re: TOS violations
> >> Date:  Mon, Jan 29, 1996 8:23 PM EDT
> >> From:  freedom at pathcom.com
> >> X-From: freedom at pathcom.com (Marc Lemireberg)
> >> To: postmaster at aol.com
> >> CC: ernstzundl at aol.com, Mossad at israel.gov


Mossad?  Come on, get real.  The real Mossad would have an address
that ends in .il.   The ending .gov is for US government agencies.

"Do not write to these people", huh.  Well, I wonder if this is
because some of these addresses might all be fake?  I'll try sending to
them to see what happens.
Lemineberg!   That's a spoof on "Mark Lemire" a guy who really
works with the real Zu"ndel.

> >> *******************************************************
> If you are a *true* Patriot, and a *true* Aryan, then you *MUST*
> make the journey to Antarctica and into the volcano!!  We owe it to
> the world, we owe it to the great Adolph Hitler, and we owe it to
> the White Race.

Sorry, but the guy with the Charlie Chaplin mustache spelled his
first name "Adolf", not "Adolph."  The real Zu"ndel would not
make this misspelling.


Cecelia Clancy
University of Pittsburgh

cacst9+ at pitt.edu
+1 (412) 441-2231








From cacst9+ at pitt.edu  Sat Feb  3 15:40:31 1996
From: cacst9+ at pitt.edu (Cecelia A Clancy)
Date: Sun, 4 Feb 1996 07:40:31 +0800
Subject: Ok Fake Ernst!
In-Reply-To: <9602031850.AA18675@frumious-bandersnatch.MIT.EDU>
Message-ID: 



Let's see how many of these names bounce back.





From jf_avon at citenet.net  Sat Feb  3 15:47:05 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sun, 4 Feb 1996 07:47:05 +0800
Subject: [philosophy of censorship] Re: Imminent Death of Usenet Predicted
Message-ID: <9602032325.AA07317@cti02.citenet.net>


Jordan wrote to me today:


>Hey, I tried to explain this, but you missed it:

     Apologies, I did miss part of your point.

>I *know* that a *huge* percentage
>of the population in this country does (sorry for being USA-centric,
>but we have [at least for now] the largest net population, so you
>can see how this will go ...).  

     Should the absolute number of people 'wishing' something be relevant?

>Therefore, I'd like to see a way
>for the default be that kids (dare I say everyone!) don't *automatically
>stumble upon* it in the open network.

     I find the sentence a bit strong, here.

>I think that if the
>majority of the people in a community don't want the default behavior
>to be "click here for tits!" 

     They can subscribe to a net provider that restricts access to such newsgroups.
If this restriction is circumvented by the kid, don't you think that the said 
kid will find ways to get whatever he/she wants no matter the laws?

     They also can choose the ultimate solution: not to be on the net.

>then it's up to us, as technologists,
>to provide easy-to-use mechanisms for those who do want to see them
>to not infringe on those who don't.

     *THAT* is the thing I have the most problems with.  This sentence is
booby-trapped.  Let me state, for the book (or maybe hard drive),
that I do not subscribe to this view of Man.  I believe that
selfishness is a virtue and that altruism is at best a psychological
problem.  Why is it that we, technologists, those who know and can,
have a duty to those who cannot?  This does not contradict good
commercial practices.  If there is a *demand* then, there is a market.
Any producer follows the demand very closely or he gets out of
business.

     But govt intervention, rules, standards, etc are *all* enforced 
at the point of a gun (even if deeply hidden under a pile of red tape).
This view implies that *because* you can produce, you have a duty to the
one who cannot.  It means that if you can produce, your duty is to become
a cattle for the benefit of others.  If you cannot produce, you have every
right.

     In today's political climate, the whiners, complainers and decriers
are gods.

     When is it that those who get sucked by the collectivist leeches
will say : Enough!  I am fed up with owing any drifter the best of my life!


> <...> porno <...>  you can rent it <...>  But most people
>don't want it by default to be on channel 7.  
>Last time: I *personally*
>am not one of them, but it's important to see what the majority
>thinks on this issue.

     I agree with you on this one: wouldn't it be wonderful to have porno
movies on channel 7 ...   sigh...  :->


     Actually, just as I mentioned, every entity that sought to control
man used guilt to do so.  And by the nature of guilt, sex and human mind,
sex is *the* best thing to induce guilt.

     Since a large part of the population *are* controlled through the sex-guilt
association, it is extremely handy to create the pseudo-justification the govt
needs for their actions.

     But as I said previously, the biggest threat to the govt is that people
can now find each other and talk together.  Previously, we had the means to
talk but no means of finding each other.  The Internet provides this.



>Yes, if your communications
>are important to you or you are a potential target of investigation,
>you should know it's not private.  But it's not like any significant
>number of phone calls are tapped, by the government or otherwise.
>And it's not likely to happen, either, because NONE CARES WHAT YOU
>SAY TO YOUR FRIEND ON THE PHONE.

     Unless you discuss about how freedom of speech should go unbreached...


>	>And don't forget: if you have privacy, you don't need anonymity.
>	>Swiss banks provide the ultimate example.


>You can get a numbered account at a Swiss bank by showing up at
>the branch, introducing yourself to the branch manager, proving to
>him who you are, and signing some papers.  They will keep your name
>out of any transactions you make, but they *know you* ... this is
>not anonymity; this is merely privacy.

No, for all it matters, it is anonymity.  Because the Swiss banks do
not publish the names of account holders.  The recent case of German
police raiding homes of German citizens working in Liechtenstein(?)
banks shows that, for all that matters, these bank accounts are
anonymous, i.e. there is no way for the German govt to know the names
of the account holders.   Their only way to gain knowledge is through
the use or threat of physical violence.


>Don't forget: the fact that "porno on the net" (for instance) is
>an issue *at all* is a *failure* of technology.

     Sorry for my stupidity, but I *completely* fail to understand.
Would you please explain what your basis is for stating so?


>  It would be a
>non-issue if USENET wasn't essentially a technology vacuum.

     I find this a bit strong, but since I did not understand the previous
statement, I will refrain from commenting.


Regards to all CPunkers

JFA
Existence exists, Reality Is.  






From paralax at alpha.c2.org  Sat Feb  3 16:05:30 1996
From: paralax at alpha.c2.org (paralax at alpha.c2.org)
Date: Sun, 4 Feb 1996 08:05:30 +0800
Subject: Sometines ya just gotta nuke em-and nuke em again
Message-ID: <199602032339.PAA08244@infinity.c2.org>


At 15:54:04 -0800 )2-03-96 Timothy C. May wrote:

> I regret that Jordan Hayes believes a condescending tone, implying others
> are not as scholarly as he, is the way to make a point.

> (I've also received several long articles from people who seemed outraged
> that I was belittling the dropping of the bomb. I wasn't belittling it. Far
> from it. The Japs surrendered after the second bomb, so it was obviously
> not a trivial matter to them.)

Mr. Hayes MAY have used a condescending tone but you have exposed your
racist roots again.  First you embarrass yourself with your lack of knowledge,
sensitivity and understanding about all things Jewish and now you insult an 
entire race with the use of the word "Jap".

Stick to cypher related topics - - - - - -  You're elevating the Ugly American to
another level altogether.

A. Paralax View





From EALLENSMITH at ocelot.Rutgers.EDU  Sat Feb  3 16:06:43 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 4 Feb 1996 08:06:43 +0800
Subject: Noise and the Nature of Mailing Lists
Message-ID: <01I0SBIKF1HCA0UTZ4@mbcl.rutgers.edu>


From:	IN%"tcmay at got.net" 31-JAN-1996 00:44:48.72

>However, and current subscribers will no doubt jump in and give their
>views, I hear that the current volume of messages is less than one per day,
>with--according to my sources--sometimes days between messages. (I also
>hear that the Extropians are devoting more of their energy to their
>magazine, which may also be a factor.)
------------
	Actually, I'd guess that the recent problems with the mailing list
software are the problem. I got signed off of there when I changed mailing
addresses, and they haven't been able to put me back on. If it's that
low-traffic, I may see about requesting it from them again.
------------

>And remember, it's a whole lot easier using filters and reading tools to
>reduce the volume of messages on an active group than it is to get an
>inactive group up to critical mass!
------------
	One idea is to set up two lists, one of which has an automatic
filter that forwards stuff to another list... I'm currently trying to set that
up for another list I'm on. Something to keep in mind is that irrelevant
discussion can chase people off... what's happened to the list I mentioned.
	-Allen





From ericm at lne.com  Sat Feb  3 16:28:52 1996
From: ericm at lne.com (Eric Murray)
Date: Sun, 4 Feb 1996 08:28:52 +0800
Subject: free speach and the government
In-Reply-To: <2.2.16.19960203234059.2eb7ed1c@mailserv.uni-tuebingen.de>
Message-ID: <199602040002.QAA11844@slack.lne.com>


Stephan Mohr writes:
> 
> Well, I feel that I agree with the people on the right of free speech for
> i.e. the neo-nazi stuff or other political, ideological and/or religious
> ideas. But there is still something that leaves me uneasy: imagine there
> would be a way to easily make a powerful poison, easily applicated to
> your town's water-reservoir, or a very easy way to build some strong
> explosive device. etc. Actually, I think that stuff like this does exist
> already.
> 
> But the idea that one day I just put 'easy made deadly poison for millions'
> into my webcrawler and whoop there it is on my screen or on the screen of any
> other fool, doesn't sound too right to me. I would like things like this
> to be better put aside and locked up.

You can't put the genie back into the bottle.
Once something is invented or described, the knowledge
is out there.  Someone who wants to use that knowledge
for "wrong" purposes can find it.

Maybe a lot of people around the world could agree that
the knowledge to make something really dangerous (say Sarin nerve gas) 
should be suppressed.  But where do we draw the line?  If
we, or rather our government acting ostensibly in our interest, decides
to suppress the information on how to make Sarin, not too many people
will complain.  But the tendency of governments is to regulate and
restrict and tax more.   What happens when governments suppress
knowledge on how to make gunpowder?  Or printing presses?  Or
encryption?

Many people argue (rightly IMHO) that once started on the slippery slope
of suppressing knowledge there's no stopping until we're all
under the boot heel of the police state.

[..]
> I know, of course, that by accepting that there is something that
> shouldn't be available on the net, we would need something to decide what
> and how to ban. So I wonder what would be a more 'net'-like way of handling 
> this type of thing and how to prevent that some 'strong-armed' governments
> take the net over.

So far the "net-like" way to deal with the problem is to not
suppress information at all, and instead assume that people are
intelligent enough to make their own choices on what to do
with "dangerous" information.

 
> I do not see today's governments being prepared for the net (at least not
> the German one). But I see them trying to put the 'old' laws onto the net.
> Not because they are mean, but because they don't know any better. So, I
> think it would be nice to have something to offer to them. I do not think though
> that they will accept the totally right of free speech (yet). 

No government will accept net-speech that's any freer than
any other speech in that country.

In the US the media is by and large controlled by huge
media conglomerates with a vested interest in maintaining
the status quo and delivering up their audience to their
advertisers in tidy packages.

The government is along for the ride, being part and parcel
of the same system.  They won't rest until net-speech is
by and large controlled by huge media conglomerates all
busy delivering up the net-public to advertisers in tidy
packages... I'm not saying that there's a Black Helicopters
type conspiracy, or any other for that matter.  There doesn't
have to be, there are huge political forces moving things
this way.  So there might as well be a conspiracy, as the
end effect on us is the same.


I think that any compromise with government censorship is a bad idea.
All we'd do is give them a little more while on the way towards the
inevitable.  If we don't give them all the censorship power they
want they'd just take it anyhow.  Better to hold out as well as
we can while we can.


-- 
Eric Murray  ericm at lne.com  ericm at motorcycle.com  http://www.lne.com/ericm
 Fuck Exon and the Communications "Decency" Act!  US off the Internet now!
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF





From nobody at REPLAY.COM  Sat Feb  3 16:33:35 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Sun, 4 Feb 1996 08:33:35 +0800
Subject: Ok Fake E.E.rnst!
Message-ID: <199602040011.BAA13348@utopia.hacktic.nl>



>From: Cecelia A Clancy 
>Subject: Ok Fake Ernst!

>In-Reply-To: 
><9602031850.AA18675 at frumious-bandersnatch.MIT.EDU>


Ho -- bandersnatch is powered up again and transmitting via the 
pigeon-beshitten attic-lattice of MIT dome!


PCB-swilling frumious, the cronkest of Hasse-heads, 23 years 
hacking a b.s.e.e.








From JMKELSEY at delphi.com  Sat Feb  3 16:39:58 1996
From: JMKELSEY at delphi.com (JMKELSEY at delphi.com)
Date: Sun, 4 Feb 1996 08:39:58 +0800
Subject: RC2--Some very preliminary analysis
Message-ID: <01I0SDBW5VYY984JFR@delphi.com>


-----BEGIN PGP SIGNED MESSAGE-----

[ To: sci.crypt, cypherpunks ## Date: 02/02/96 06:21 pm ##
  Subject:  Alleged RC2--some very preliminary analysis ]

I just wanted to post some corrected comments here, regarding
alleged-RC2.

1.   The best differential characteristic I can think of looks like
it will have a probability of 2^{-4} per round.  It's a one-round
iterative characteristic.  In my earlier post, I miscalculated this
to be 2^{-8} per round.  Sorry.

2.   Each round of RC2 represents four "steps."  This means that RC2
has 64 "steps," the same number as MD5.  (I find this interesting,
since MD5 has twice as many bits to diffuse through, and the
attacker can choose its key, but not its input block.)

3.   I don't see how to build useful linear characteristics.  Our
S-box is one bit wide.  There may be some very low-round confusion
failures, but they don't seem particularly useful here.  I'd like to
hear from anyone who can see a way to do a linear attack here.

It looks to me (though I haven't spent enough time to be certain)
that the best differential characteristics to push through the block
are going to be one-bit characteristics.  (These are certainly easy
to analyze.)

Let's throw some terminology in here:

This is one step:

A = rotl(A + f(B,C,D) + sk[i], 1);

A round is all four of these steps.  In the step above, A is the
target block (it's the one that's getting stomped by the other
values) and B, C, and D are the source block.  f(B,C,D) is the
bitwise-select function.  For each bit position i, if B_i is a one,
then f_i = C_i, otherwise f_i = D_i.

Now, when a one-bit difference is anywhere in the target block (the
block getting all the stuff added into it) except for the high bit,
its probability of not propagating to other bits in that block seems
to be about 0.5.  (This is just based on its chances of affecting
the carry into the next bit position.)  When the flipped bit is the
high-order bit of the target block, it has no chance of propagating.
When a one-bit difference is in the source block, if the rest of the
bits are approximately random, then it has a 0.5 probability of not
affecting the target block at all.  If it does affect the target
block, it has a 0.5 probability of only affecting one bit in that
block.

Note that I messed up the calculations in my earlier post on RC2 by
combining these three events in each round.  Let me try to fix that:

We flip some bit, t, making certain that if this bit doesn't
cause other bits to change, it won't ever affect the low six bits of
any block during rounds 4 and 11, when it would have a radical
effect on the encryption process.  (In other words, we choose an
input XOR delta with only bit t on.)  This bit then has the
following effect:

a.   Whenever it's in the target block, it passes through the
encryption step with probability 0.5.  (This means that changing
this bit doesn't change the carry into the next higher bit.) This
happens once per round.

b.   Whenever it's in the source block, it fails to affect the
target block with probability 0.5.  This happens three times per
round.

Note the reasons for this.  The source block affects the target
block only through this function:  ((A&B)|((~A)&C)).  This function
looks somewhat complicated, but it's really just a bitwise IF-THEN
statement:  If bit A is on, then choose bit B, otherwise choose bit
C.  Assume that A, B, and C are random.  Now, imagine flipping A.
If you were choosing bit B before, now you're choosing bit C.  Since
they're both random, half the time, B=C, so there's no change.  On
the other hand, imagine flipping bit C.  About half the time, bit A
is a one, and so C has no effect on the output.

All of this gives us a total per-round probability of 2^{-4} (NOT
2^{-8}). Getting through 14 rounds with this characteristic thus
happens with probability 2^{-56}.  *IF* single-bit characteristics
are the best ones to use, I'm doing the calculations right, and
there aren't some improvements in splitting out and dealing with
several possible characteristics in the later rounds, then it looks
to me like straight differential attacks aren't going to be too
practical against alleged RC2, though they will be possible. The
trick is going to be detecting the right pairs reliably. (This
analysis is guaranteed to be worth at least what you paid me for it.
:-) )

If this really is RC2, I suspect the number of rounds needed was
determined by imagining flipping a bit, and then seeing what the
odds were that it wouldn't flip any other bits all the way through.
My guess is that a probability of 2^{-64} of this happening was
deemed acceptably low.

That takes care of diffusion--now how about confusion?  Has anyone
looked at this cipher with regard to linear attacks?  In general, it
seems like source-heavy UFNs can often be attacked by linear
attacks.  However, it's not clear to me how to build linear
characteristics that will make it through more than a few rounds of
alleged-RC2.  Linear characteristics that are spread across many
subblocks (i.e., partly in A and partly in B) seem to get messed up
quickly by the rotations.  However, just keeping a linear
characteristic in A doesn't seem to work too well, either--if the
bits in the other blocks are random, then the bits in our
characteristic will quickly become random, as well, because the
bit-selection function has balanced outputs.  Intuitively, I think
the problem here is that we're applying a three-bit to one-bit
balanced S-box here, and each output from this S-box has at least
one different input bit.  This seems to make it really hard to find
correlations between multiple S-box output bits and their
corresponding input bits that span more than one or two rounds.
Also, we have to deal with the carry-bits from addition, which make
things significantly harder.  Am I missing something?

There are some other plaintext patterns that will make it through a
single round, but I can't see any way to exploit them for more
rounds.  Anyone want to point something out to me?

The other interesting area is the key schedule.  Recall that phase
one of the key schedule in alleged-RC2 works by filling the leftmost
k bytes with the k bytes of key, and then using a byte-wide S-box to
expand this out to 128 bytes.  Phase two then works from the
opposite direction, taking the last t bits of the expanded key
buffer, and making the entire expanded key dependent only upon those
bytes.  As someone on cypherpunks pointed out, this seems to be
meant to make it possible to use the key schedule directly on user
passphrases, and then reduce the effective key length to t bits to
meet export control requirements.

In general, I don't think it's a good idea to use that key schedule
to hash long user passphrases, because the first few subkeys wind up
with some badly skewed bits. (This may or may not translate into an
attack, but there isn't any good reason for allowing it.)  If you
had (say) a 64-byte user passphrase, this would mean that the first
four rounds' subkeys were badly skewed in this way, and the next
four rounds' subkeys were probably not all that well-mixed.  As I
said, I don't see a specific attack based on this, but it seems like
a bad idea, since I might be able to plan out (for example)
differential characteristics that took advantage of the skewed
subkey bits.

If you're using the key schedule to hash passphrases, then it's
probably better that you use phase two as well, perhaps with bits =
256 or something similar.  If you limit user passphrases to
something reasonable, such as 64 characters, then this is probably
okay.  Has anyone else looked at this?  (Naturally, it would make
more sense to just hash the passphrase intelligently, and then use
the export control hack if you had to.)

Comments?

Note:  Please respond via e-mail as well as or instead of posting,
as I get CP-LITE instead of the whole list.

   --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRP5P0Hx57Ag8goBAQF2FQP8DCxUvPqNly99t/KyRogWKkM5X0iZWHhq
MdQ5XEFWdyg26KMpwmPmFeNcgj3rpQiValSGGM3cTzAd2v35GQrKwPdRU/nmQW7B
hojJrYA1D0IuMxE7c0+tyqdjw6oFXrqiWYH816NKKlTSvAUzgst8hCyoVgpbNwkm
tbjAD93wsTk=
=uaz+
-----END PGP SIGNATURE-----
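
The per-step probabilities in the message above can be checked exactly by enumeration. The following is an added example, not code from the post or from any RC2 implementation; it assumes 8-bit toy words instead of RC2's 16-bit words, independent uniform inputs, and a fixed bit position (the rotation moving the bit and the special rounds 4 and 11 are ignored, as in the message's own estimate).

```python
"""Exact one-bit differential probabilities for the step
    A = rotl(A + f(B,C,D) + sk[i], 1)
Assumption: W = 8 toy width so every input can be enumerated; the
resulting probabilities do not depend on the word width."""
from fractions import Fraction
from itertools import product

W = 8
MASK = (1 << W) - 1


def rotl(x, r, width=W):
    """Rotate a width-bit word left by r bits."""
    r %= width
    return ((x << r) | (x >> (width - r))) & ((1 << width) - 1)


def select(b, c, d, mask=MASK):
    """Bitwise IF-THEN: where b has a 1 take the bit of c, else of d."""
    return ((b & c) | (~b & d)) & mask


def target_pass_probability(t):
    """P[a difference in bit t of the target word A is still exactly one
    bit after the step], over all A and all values x = f(B,C,D) + sk."""
    delta = 1 << t
    expected = rotl(delta, 1)          # the rotation only moves the bit
    good = 0
    for a, x in product(range(1 << W), repeat=2):
        out1 = rotl((a + x) & MASK, 1)
        out2 = rotl(((a ^ delta) + x) & MASK, 1)
        good += (out1 ^ out2) == expected
    return Fraction(good, 1 << (2 * W))


def source_absorb_probability(role):
    """P[flipping one bit of a source word leaves f unchanged].
    role is 'B' (selector), 'C' or 'D'.  f is bitwise, so enumerating
    the three bits at one position is exhaustive."""
    index = "BCD".index(role)
    unchanged = 0
    for bits in product((0, 1), repeat=3):
        flipped = list(bits)
        flipped[index] ^= 1
        unchanged += select(*bits, mask=1) == select(*flipped, mask=1)
    return Fraction(unchanged, 8)


def per_round_probability(t):
    """One round = four steps: the differing word is the target once and
    sits in each of the three source positions once."""
    p = target_pass_probability(t)
    for role in "BCD":
        p *= source_absorb_probability(role)
    return p


def characteristic_probability(rounds, t):
    """Iterate the one-round characteristic, keeping t fixed (assumption)."""
    return per_round_probability(t) ** rounds


if __name__ == "__main__":
    for t in (0, 3, W - 1):
        print("target bit", t, "passes with p =", target_pass_probability(t))
    for role in "BCD":
        print("source", role, "absorbed with p =", source_absorb_probability(role))
    print("per round:", per_round_probability(3))
    print("14 rounds:", characteristic_probability(14, 3))
```
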





From llurch at networking.stanford.edu  Sat Feb  3 16:58:56 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 4 Feb 1996 08:58:56 +0800
Subject: Futplex makes the news!
In-Reply-To: <199602022119.NAA29620@ix6.ix.netcom.com>
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 2 Feb 1996, Mike Duvos wrote:

> It may be time to regroup and take inventory of what we are 
> supposedly trying to accomplish here. 

I believe we *have* regrouped sufficiently, and I am doing my best to give
followup stories what I believe to be the correct spin. 

UMass will be *humiliated* if we play this right. Whom do we call?

For what I think is a good story (I wish they'd credited cypherpunks and 
other people more, but they do need to play up the local angle), see:

 http://www-Daily.stanford.edu/2-2-96/NEWS/index.html

AFAIK, futplex is the only person who has suffered any kind of negative
impact from these events. Except for cpunk reactions to my very poor
postings here, and *one* person who thought I was a Nazi (and who was
corrected, and apologized), I've been getting nothing but praise. 

IMHO, the correct response is to stop whining and trumpet victory, loudly,
and slam Exon and the CDA while we're at it. 

"This story shows that the so-called Communications Decency Act is just 
as ill-advised. If only four people at a handful of major universities 
can defeat German censorship of someone everybody hates, how can we 
expect mere laws to prevent the spread of indeterminate 'indecent' 
material on the Internet, which any teenager is interested in."

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRKUXI3DXUbM57SdAQF3FQP/aVjiP4/yTj7Atuq409NJCuCB7deEpqvF
JcebTz1jG8D4M08VGhjOgFDGs+cNJ1zKXB3AZ9OLuCDnTr4oONsvPo2e3RnbZUYe
YMHBFsKNisq5FRAGOy2UwBbukI+NauFDAzKvCfQJBs5iPpk6aE8sEtwu+ja5nYBs
y8zjtjSuMDQ=
=jUPV
-----END PGP SIGNATURE-----





From EALLENSMITH at ocelot.Rutgers.EDU  Sat Feb  3 17:11:13 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 4 Feb 1996 09:11:13 +0800
Subject: The FV Problem = A Press Problem
Message-ID: <01I0SE71ZF6SA0UTZ4@mbcl.rutgers.edu>


From:	IN%"vin at shore.net"  1-FEB-1996 02:08:33.54

>Greg Broiles  opined:

>We should, however, learn from what FV did right - they wrote software which
>(apparently) had or can have a real political effect. (It seems to have
>worked on Garfinkel, anyway). Cypherpunks write code? FV wrote code and got
>some attention for their otherwise unexciting message.  

        Now _that's_ a useful and on-target observation.
-------------
	Quite. To expand it: A. a program doesn't have to be new to the
technical community to make a difference, it just has to be new to the rest of
the world; B. publicity for programs makes a difference. If DigiCash had
come out with this program and had done the press release better than the FV
folks, I suspect we'd be cheering them on and the credit card types would be
doing worse - a good situation.
	-Allen





From EALLENSMITH at ocelot.Rutgers.EDU  Sat Feb  3 17:24:53 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Sun, 4 Feb 1996 09:24:53 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: <01I0SEGNWJAYA0UTZ4@mbcl.rutgers.edu>


	One thing that I'm worried about is InterNIC. As I understand it, it
is a central company that is in the business of receiving domain name
registrations, including the info on what that domain is connected to, and
sending it out to various nameservers. The nameservers then use this to route
some (not all, I do believe) traffic.
	This situation is a weak point. The government in whatever country
InterNIC's physical presence is in (the US, I believe) can put pressure on
it for "facilitating breakage of laws" or some such nonsense (for some material,
such as the sites that have crypto material, the espionage argument that it
is cooperating in limiting their ability to work might be what was used). It
is then forced to stop issuing domain names except to people the US govt wants
to get such. Nameservers in the US that use any other service to determine
domain names get arrested themselves, under likewise treatment.
	Now, this can all be fought in the courts and will likely be defeated..
but it would still cause some problems. Am I completely incorrect, or do the
programmers on here and elsewhere need to start coming up with a better way to
do things?
	-Allen





From lmccarth at cs.umass.edu  Sat Feb  3 17:29:07 1996
From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu)
Date: Sun, 4 Feb 1996 09:29:07 +0800
Subject: [NOISE] Futplex makes the news!
In-Reply-To: <2.2.32.19960203135737.00740450@panix.com>
Message-ID: <199602040100.UAA03838@opine.cs.umass.edu>


Duncan Frissell writes:
> Are *you* going to bring action against the school?  You could proceed
> administratively for free.

Unfortunately I'm in an awkward stage of my career. This is my 3rd year in
graduate school, with 2 or 3 more years to go. I have been happy with nearly
all aspects of my time studying at UMass. It would be a royal pain to try to
switch horses in midstream. And I very much want to finish my degree.

Meanwhile, I think I can safely say that from this point on I need to dot
all my i's and cross all my t's until I graduate from UMass. Suppose it
turned out that no-one wanted to sit on my thesis committee ?  I'm sure
anyone who's been through grad school can imagine other disturbing
hypothetical scenarios.

James Donald may characterize me as gutless. I think he would probably be 
correct to some extent.

Have I answered your question ?

Lewis Futplex McCarthy 





From llurch at networking.stanford.edu  Sat Feb  3 17:35:22 1996
From: llurch at networking.stanford.edu (Richard Charles Graves)
Date: Sun, 4 Feb 1996 09:35:22 +0800
Subject: Zundelsite webcom.com <--> Germany routing difficulties resolved
Message-ID: <199602040116.RAA28239@Networking.Stanford.EDU>


-----BEGIN PGP SIGNED MESSAGE-----

The Zundelsite "censorship" issue has been resolved. We have a permanent home
for the site that will not be blocked or harassed by the site management. We
will help Zundel remove the shrill "I am being censored!" claims from his Web
pages.

More details will be forthcoming on Monday.

- -rich

$ From llurch at networking.stanford.edu to cypherpunks at toad.com $
$ Sat Feb  3 17:15:16 PST 1996 $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRQIz43DXUbM57SdAQFVlwQAxC4ywUESFZMf/dFBtK2z0I3WpU/Q4n9F
UucUtgqq66J0sPV3erneyh/Po9N0UfH/bYhYhfT3ubdUTwUIGDY0OaPtrB5ymUe1
9JtlBqJd4l9YrWJAkM4NSw7zZWaLjnoh9sly1LCZu+YAZUxZJVCyyC8YLPnqAeYs
DI6c/F0Llfs=
=mZaO
-----END PGP SIGNATURE-----





From tcmay at got.net  Sat Feb  3 17:51:00 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 4 Feb 1996 09:51:00 +0800
Subject: Futplex makes the news!
Message-ID: 


At 1:00 AM 2/4/96, lmccarth at cs.umass.edu wrote:

>Meanwhile, I think I can safely say that from this point on I need to dot
>all my i's and cross all my t's until I graduate from UMass. Suppose it
>turned out that no-one wanted to sit on my thesis committee ?  I'm sure
>anyone who's been through grad school can imagine other disturbing
>hypothetical scenarios.
>
>James Donald may characterize me as gutless. I think he would probably be
>correct to some extent.

I think Lewis McCarthy was very brave to put up the Zundelsite mirror.
(Maybe unwise, too.) It's certainly not something most of the rest of us
are doing on our sites at universities, corporations, and even private
sites.

(Many ISPs will drop a customer who creates any trouble.)

And it's sad that the couple of days of the UMass Zundelsite's effect, even
now being lost in the "spin" coming from the German press about how UMass
forced the removal of the site, will perhaps result in a much lower public
presence by Lewis. (From what I've seen at California universities, the
folks with the long knives will still be trying to "get him."
Unfortunately, with search tools like Alta Vista they can keep tabs on him
semi-automatically and report any further evidence of his racist,
misogynistic, and anti-democratic views to the Dean of Students.)

(I could add a smiley here, but it's really not very funny.)

--Tim May


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From ravage at ssz.com  Sat Feb  3 18:10:01 1996
From: ravage at ssz.com (Jim Choate)
Date: Sun, 4 Feb 1996 10:10:01 +0800
Subject: Futplex makes the news! (fwd)
Message-ID: <199602040203.UAA06687@einstein.ssz.com>



Forwarded message:

> Date: Sat, 3 Feb 1996 19:01:18 -0800
> From: tcmay at got.net (Timothy C. May)
> Subject: Futplex makes the news!
> 
> (Many ISPs will drop a customer who creates any trouble.)
> 

I think most private sites have their future on the line. In my own case it
has taken just about every resource I have available to get online and stay
there. This is one aspect of supporting your local private ISP that many
folks don't understand very well. For some reason most folks have the
impression that if you can start and run a private site you must be making
money hand over foot. Just taint so.

> 
> --Tim May
> 





From llurch at networking.stanford.edu  Sat Feb  3 18:40:49 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Sun, 4 Feb 1996 10:40:49 +0800
Subject: Zundelsite webcom.com <--> Germany routing difficulties resolved
In-Reply-To: <199602040135.SAA19463@sal.cs.utah.edu>
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 3 Feb 1996 the Bcc'd dude wrote privately:

>  Just for the fun of it, could you make your access statistics
> public? In particular, I'd like to know how many hits you 
> got from inside Btx.DTAG.DE.
>
> I have a strong suspicion that the intersection of those
> who can afford to browse the web through T-Online for 12-16 Pf/min
> (ca. 9-12 cents) with 2.400 bps (except in major cities, where
> it's 14.400) and those who are interested in neo Nazi web sites,
> faked or not, might be smaller than expected.

Good question! Something that not enough people are asking.

There were like two or three dozen hits. Period. But I think Declan 
publicized his mirror more widely, and probably got a few more.

You can get aggregate hit counts for all files in "/~llurch" through the 
www-leland.stanford.edu main page (features, I think).

I'm not sure I'll be able to get a server log dump because it would just
be so huge -- not because of the Zundelumpen, but because of the Windows
95 FAQ in my directory, which got a lot of press in early January. 

Zundel's main site at webcom.com did not just become popular and
overloaded with the press reports. It has always been overloaded because
he's a dumbshit who posts 3MB RealAudio files on the main page. 

- -rich

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----





From jsw at netscape.com  Sat Feb  3 18:45:26 1996
From: jsw at netscape.com (Jeff Weinstein)
Date: Sun, 4 Feb 1996 10:45:26 +0800
Subject: Netscape, CAs, and Verisign
In-Reply-To: <199602030951.BAA12320@ix2.ix.netcom.com>
Message-ID: <31141581.69C@netscape.com>


Tom Weinstein wrote:
> The Navigator can also download certificates as one of the following
> mime types:
> 
> application/x-x509-ca-cert
> application/x-x509-server-cert
> application/x-x509-user-cert
> 
> When the Navigator sees one of these, it presents the user with a
> series of dialog boxes that take him through the process of approving
> the certificate and adding it to the database.

  The only one of the above mime types that should be used with 2.0
is application/x-x509-ca-cert.  The others are not supported.  The
spec for the ca-cert type will be released on our web site soon.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.





From jimbell at pacifier.com  Sat Feb  3 18:59:32 1996
From: jimbell at pacifier.com (jim bell)
Date: Sun, 4 Feb 1996 10:59:32 +0800
Subject: [noise] Re: Charter of PDX Cpunk meetings
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

At 02:03 AM 2/2/96 -0800, Alan Olsen wrote:

>I think an explanation for this is due.  Jim is going to move his complaints 
>here instead of dealing with them with me no matter what I do...

Alan Olsen is correct, here.

>
>A bit of history here...
>
>I had seen Jim Bell's postings and had not thought too much about them one 
>way or another.  I felt that some people had been a bit too hard on him, but 
>did not care one way or another.
>
>I organized a physical meeting on Jan 20th at a public coffee house in 
>Portland.  Jim showed up.  During this meeting he espoused some ideas which 
>I found very bothersome because they sounded far too much like "magical 
>thinking" and pseudo science. 

Alan Olsen will be amazed to see that I am absolutely agreeing with his 
limited understanding of the description of the events of the meeting.  
Further, I am acknowledging that I said certain things which, to the vast 
majority of the population, and ESPECIALLY moderately-technically educated 
ones, would sound like "magical thinking and pseudo science."  Even to 
extremely well-educated ones, in fact.  This sounds strange, but it is true. 
 But of course, I only told him PART of the story.  It is as if David 
Copperfield (the magician, not the Dickens character) claimed that he was 
going to make an elephant disappear:  The claim sounds impossible to 
believe. Logic tells us he can't do that.  But, on the other hand, he has a 
reputation as a "magician."   The difference, obviously, is that the name 
"David Copperfield" is far better known than "Jim Bell."

Of course, I am embarrassed to have to admit that I can't recall the name of 
the person who said something like, "A sufficiently advanced technology is 
indistinguishable from magic."  Perhaps somebody more "into" SF quotations 
can supply the reference.

Regrettably, I fear Alan Olsen (being exposed to talk which at the time he 
interpreted as "magic") will mis-remember the details of which I spoke. 
Actually, in the short term this is good.  Fortunately, I recall what I said 
quite well, and it will all become clear eventually.

As I kept saying in my (not-yet-canned) tagline:

Something is going to happen.    Something....Wonderful!   (2010)


>I did not challenge him about them at the 
>meeting and tried to move on  to other things.

Alan Olsen is correct, here.  He did not indicate the extent of his 
disbelief.  Perhaps I would have been willing to tell him more if he'd 
politely approached me after the meeting with his doubts.  Maybe not, however.
It's not really a deep-dark secret.

Instead, Alan Olsen flamed me on this national list, despite myself having 
done nothing to him (either in public or private or private email) to 
justify this.  In case there is any doubt here, I hereby give him permission 
to post any past and/or future (private) email from me to him that he may 
care to quote, which in his opinion "justifies" his acts of flaming.  
Furthermore, I give a blanket permission to anybody reading this message to 
publish on this (or other, more appropriate list) any private email from me 
which would, itself, "justify" or explain, pre-facto, Alan Olsen's odd 
behavior.

In other words, Alan Olsen has bought the rope, and has tied it to a branch 
on the tree, and is now asking permission from me to hang himself.  He has 
my permission.

>A while ago an anonymous poster made a number of comments about Jim Bell's 
>beliefs involving assassination politics.

And my response was that unless he (the anonymous poster) was unwilling to 
at least use a stable nym to stick around long enough to debate the details 
on some SUITABLE area, his criticisms were no more realistic than flames. 

>  He brought up a number of valid points. 

But he (the anonymous poster):
1.  Flamed me on this national list, similarly to the way Alan Olsen later did.
2.  Failed to be willing to sustain the debate in a more appropriate list, 
even under a stable nym.
3.  Didn't stick around to respond to my commentary.

> Jim ignored all of those points and flamed him on something totally 
>without substance. 

Others apparently disagree.  I received supportive (private) email, agreeing 
that I had been flamed by that anonymous poster.  The fact that he was 
anonymous says it all.  The fact that he has not returned says it all.  The 
fact that Alan Olsen is bringing up this example as if it is some sort of 
fault of mine incriminates Alan Olsen most of all.

> (Not signing messages and not using an identifiable 
>nym.)

If that's all that he did, then it wouldn't have been a problem.  I suspect 
that Alan Olsen had something to do with that anonymous post; in fact, I 
suspect that he knows who sent it.  Alan's following commentary sounds like 
an admission that he, himself, did it.

>This bothered me.

Your general behavior bothers me.

> I responded to the post.  A good portion of this message 
>was flame, but it contained a number of questions about the workability of 
>Jim's pet theories.

Justa sec.  You're admitting that a person (YOU?!?) ANONYMOUSLY posted to 
Cypherpunks, with a "good portion" of what even you are willing now to admit 
was a "flame", and yet you fault ME for my response to it?

Pardon me for a few minutes while I try to stop laughing, Alan.  


>Jim's response to this was to question the validity of the post, but not 
>deal with any of the substance of the arguments.

Which I believe is the logical thing to do.  For a number of reasons.  
First, I am well aware of the primary purpose of the Cypherpunks list, and 
the fact that I am relatively new here.  I have no intention of inflicting 
an unwelcome discussion of "Assassination Politics" on the list, and 
certainly not with a person who clearly wanted to start a flamewar and 
didn't genuinely want to debate the issues with even a stable nym.

Clearly, I recognized that if I responded to the bait and clogged 
Cypherpunks with off-topic (or numerous marginal-topic ones) then this 
flamer would already have won by sowing hate and discontent, and have not 
suffered any longterm loss of reputation of his own.  I, on the other hand, 
use my REAL NAME.

Only a fool would have taken an anonymous flamer seriously under those 
circumstances.


>  (He was questioning it 
>because I did not sign the posting.) 

You're admitting it, huh?

> I ignored the post as I had other 
>things occupying my time...

In other words, you took the time to flame me, but when I failed to take the 
bait you lost interest and went on to something else, huh?  Interestingly, 
subsequent to that event, both you and a number of your clique "lose 
interest" very quickly when things turn against you.  How...conveeeeenient!


>During the period of time between the meeting and the offending post I had 
>created a pdx-cypherpunks list.  I had a number of people who were 
>interested and it seemed like a good idea at the time...

What you REALLY wanted to do was to create your own little fiefdom where you 
could punish non-believers, a privilege which does not accrue to you on the 
national list.  


>Well, I posted on the list a question about the next meeting and mentioned 
>about  the results from the key signing.  (I had three people, who I did not 
>mention by name, who had not signed keys or gotten back to me on it.)  I 
>received a response from Jim about my messages to him here and why he had 
>not signed anyone's keys.  [For those who are interested, I can forward the 
>original messages.  They are interesting reading, in an odd sort of way...] 

You have my permission, BTW.  Go ahead and post them.  And this message will 
be signed.


> It came down to him complaining about my messages on national list.  He 
>still did not address any of the issues I had raised (he still has not), but 
>was pretty pissed.

Yes I was "pretty pissed."   But since you've now basically admitted that 
you were the anonymous flamer, as well as having flamed me on Cypherpunks 
without justification, under the circumstances I don't think you have pretty 
much destroyed your own credibility.  I assume people on Cypherpunks don't 
want anonymous flaming, and they wouldn't have appreciated it if I'd taken 
your bait and abused my position here.


>A number of the other people on the list took him to task on a number of the 
>comments he made. 

In other words, Alan Olsen's clique decided to help him out of his jam.  
He'd screwed up by flaming me nationally, and he disappeared for a few days 
while his cronies tried to pretend that it was all my fault.

> It grew into a pretty hot flame war on the list.  After I 
>started to get complaints and it prevented anything useful being posted,

Read:  "After my credibility had been shot to pieces...."

> I posted a message to take the discussion to e-mail or I would start banning 
>people from the list.

Read:  "I don't want anybody to know what I did, Jim.  Stop reminding people 
about it!"

>Jim ignored that request and I removed him from the list.

Read:  "Alan Olsen exercised his authority in his own personal fiefdom, the 
"PDX Cypherpunks list."

>
>That is why it has moved back here.

That's a very interesting admission, Alan.  While I'm sure that some of the 
people around here are interested in your character faults, baiting, 
flaming, and crude anonymous posting, most of them probably want this 
discussion off the national list and onto a local one.  Problem was, you 
couldn't even accept getting embarrassed locally, despite the fact that I 
was willing to maintain this as a local issue.  You were clearly afraid that 
your credibility would be destroyed by a serious discussion of your actions, 
so you couldn't even accept limiting the discussion to the local list.

>This will be my last response to Jim's rantings in public. 

Read:  "Things are bad enough as it is!  I'd better cut and run."

> I will be glad 
>to deal with questions in e-mail.

On the contrary, I have no interest in dealing with this sleazy character in 
email.  He was the one who chose a national list to do his flaming and 
baiting, and I think he deserves full "credit."

>  I have sent a number of responses to Jim 
>already in e-mail and he has ignored them.  He has made veiled threats to me 
>on the pdx list and has shown no sign of wanting to deal with this in a 
>rational manner.

Alan, please re-post these "veiled threats."  Let's see how you interpreted 
them as such.  Please explain your reasoning.

Above, you accused me of "magical thinking and pseudo science."  Let's see, 
maybe I ought to get out my set of voodoo dolls and poke a few pins in them...

Feel that, Alan?  And that?  And that?  


>The issue comes down to this.  Jim Bell has a number of ideas I disagree 
>with.  I have challenged him on some of those ideas. 

Anonymously, with flames, on a national list on which the discussion did not 
belong, anyway.   I, recognizing this, attempted to spare the rest of you 
Olsen's rants.

> He is unwilling to 
>answer any questions as to the flaws in his beliefs.

Alan Olsen is unwilling to apologize for his behavior.  He was unwilling to 
debate as a stable nym, even.  Clearly, he did not want to genuinely debate 
the issues involved.

>  Instead, he takes any 
>questioning of his ideas as personal attacks. 

No, I take unjustified (and anonymous) flames on Cypherpunks as attacks not 
only on myself, but on the rest of you people.   The only reason this 
discussion came back is that Alan Olsen's personal fiefdom was not strongly 
enough controlled by him, apparently, to help him out.

> I refuse to give any respect 
>to an individual who presents his ideas to the world and yet is unwilling to 
>defend them in public (or in private).

That's an odd statement from a person who wasn't willing to debate as a 
stable nym.  I'm using my own name.  And if there are any of you who have 
any residual doubts about my willingness to debate my ideas, I recommend 
that you ask the regulars on the FIDO areas DEBATE, CIVLIB, CONTROV, 
LEGAL_LAW, LAW, POLTITICS, and a few others.  While I haven't posted much in 
the last couple months there, I copied most everything to those areas and 
received many responses.  I responded, there, even to flamers if the "tone" 
of the "echo" (FIDO's term for what Internet people generally call a "list") 
allowed it.

>I suggest you get your killfiles ready.

I suggest that we regularly warn subsequent "newbies" about Alan Olsen and 
his misguided set of "ethics."

>  I will be killfiling Mr. Bell's 
>comments on this list as it does not belong here.

That's illogical.  What you really meant is that you don't want to hear the 
truth.  What you REALLY would like to do is to control EVERYBODY ELSE'S 
killfiles, so as to silence me.

>The following is the last I will say publicly on the matter.

You're going to take your bat and ball and "go thwait home!"  You hear your 
mommy calling, Alan.

Jim Bell
jimbell at pacifier.com


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----






From perry at piermont.com  Sat Feb  3 18:59:50 1996
From: perry at piermont.com (Perry E. Metzger)
Date: Sun, 4 Feb 1996 10:59:50 +0800
Subject: [CONSPIRACYPUNKS] RC2 Source Code - Legal Warning from RSADSI
In-Reply-To: <199602032104.WAA02903@utopia.hacktic.nl>
Message-ID: <199602040230.VAA14636@jekyll.piermont.com>



Anonymous writes:
>      It is becoming obvious to anyone with two brain cells to rub
> together that RC4 and now RC2 have been deliberately released by RSA
> Data Security.

Anyone with more than two brain cells might feel otherwise, however.

.pm





From dlv at bwalk.dm.com  Sat Feb  3 19:15:13 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sun, 4 Feb 1996 11:15:13 +0800
Subject: free speach and the government
In-Reply-To: <199602040002.QAA11844@slack.lne.com>
Message-ID: 


Eric Murray  writes:
> Stephan Mohr writes:
> >
> > Well, I feel that I agree with the people on the right of free speech for
> > i.e. the neo-nazi stuff or other political, ideological and/or religious
> > ideas. But there is still something that leaves me uneasy: imagine there
> > would be a way to easily make a powerful poison, easily applicated to
> > your town's water-reservoir, or a very easy way to build some strong
> > explosive device. etc. Actually, I think that stuff like this does exist
> > already.
> >
> > But the idea that one day I just put 'easy made deadly poison for millions'
> > into my webcrawler and whoop there it is on my screen or on the screen of
> > another fool, doesn't sound too right to me. I would like things like this
> > to be better put aside and locked up.
>
> You can't put the genie back into the bottle.
> Once something is invented or described, the knowledge
> is out there.  Someone who wants to use that knowledge
> for "wrong" purposes can find it.

Either some information is being suppressed, or no information whatsoever is
being suppressed. Whether it's the knowledge how to make strong crypto, or how
to make the A-bomb, or how to make Sarin, or _Mein Kampf_, or uuencoded
pictures of naked kids, really doesn't matter. E.g., many people perceive the
dissemination of Nazi teachings to be as dangerous as the dissemination of a
Sarin recipe. One can't be "a little bit pregnant".

I believe that any exception to unlimited free speech, be it libel, or
copyright violation, or child pornography, or Nazi propaganda, or Chinese
dissident materials, just isn't compatible with the cpunk agenda. No censorship
is acceptable. That's an absolute.

[...]
> In the US the media is by and large controlled by huge
> media conglomerates with a vested interest in maintaining
> the status quo and delivering up their audience to their
> advertisers in tidy packages.
>
> The government is along for the ride, being part and parcel
> of the same system.  They won't rest until net-speech is
> by and large controlled by huge media conglomerates all
> busy delivering up the net-public to advertisers in tidy
> packages... I'm not saying that there's a Black Helicopters
> type conspiracy, or any other for that matter.  There doesn't
> have to be, there are huge political forces moving things
> this way.  So there might as well be a conspiracy, as the
> end effect on us is the same.

There's a widespread misconception that most journalists support freedom of
speech for non-journalists. I deal with journalists occasionally, and my
impression is that the attitude of some of them can be summarized as follows:
"I'm an important guy because I can say something that hundreds of thousands of
people will see/read; and I can libel another person and s/he won't be able to
respond". People with this attitude are very threatened by the Internet. I'm
not saying that all journalists are this way; I'm just pointing out that it's
foolish to assume that just because a person works in the media, s/he's in
favor of free speech, especially unlimited free speech.

> I think that any compromise with government censorship is a bad idea.
> All we'd do is give them a little more while on the way towards the
> inevitable.  If we don't give them all the censorship power they
> want they'd just take it anyhow.  Better to hold out as well as
> we can while we can.

From the technology point of view, there's no difference between helping
Chinese dissidents circumvent their government's restrictions on the net,
and helping neo-Nazis in Germany and helping child pornographers in the
U.S. No one can determine which of the countless bits of information that
travel over the Internet every second are false, or harmful, or subversive,
or otherwise not worthy of transmission.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From jya at pipeline.com  Sat Feb  3 19:22:26 1996
From: jya at pipeline.com (John Young)
Date: Sun, 4 Feb 1996 11:22:26 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <199602040257.VAA20379@pipe3.nyc.pipeline.com>


   Lewis,

   Take heart and wisdom from this experience of being caught
   up in public events. Being used, and abused, by
   institutions for their impersonal, otherworldly, purposes.

   Public disputes are like that, when your personal
   advocacies are distorted, twisted back in unexpected forms 
   in assault on your seemingly impregnable position.

   Well done for this foray. But be prepared for shrewd
   opposition again as you continue behaving responsibly
   to challenge the day's short-sighted conventional wisdom.

   I think you shouldn't worry about thesis advisors, the
   thoughtful ones will understand your action and its
   underlying principles. They may be less daring and more
   cautious than you -- such is the burden of maturity -- but
   I suspect they will admire your audacity, and remember when
   they did the same in younger days when public disputes
   seemed more alluring and tractable -- as I do.

   Thanks much.

   John











From avatar at mindspring.com  Sat Feb  3 20:37:07 1996
From: avatar at mindspring.com (avatar at mindspring.com)
Date: Sun, 4 Feb 1996 12:37:07 +0800
Subject: Searching for the best
Message-ID: <199602040420.XAA23885@borg.mindspring.com>


Hi, Folks

        I am looking for the best file encryption program and the best file
wiping program.
PC compatible, preferably Win 95 compatible.
                                                                        Thanx
Charles Donald Smith Jr.
582 Clifton Rd. N.E.
Atlanta, Ga. 30307-1787
(404)-378-7282

REPUBLICAN; smaller government, less taxes, richer people, and proud children!! 






From tcmay at got.net  Sat Feb  3 20:38:46 1996
From: tcmay at got.net (Timothy C. May)
Date: Sun, 4 Feb 1996 12:38:46 +0800
Subject: New sig, let me know what you think!
Message-ID: 



Since Clinton is getting ready to sign the Exon Amendment/Communications
Decency Act/Telecom Bill, with some amazingly restrictive rules about what
kind of material can be sent over computers (especially if there's a chance
anyone under the age of 18 can see it), I have been worried about the
implications for my hobby. You see, I am also an amateur Biblical scholar,
and have been working on my "Modern Vernacular Translation."

For most of my messages involving speech, the CDA, censorship, etc., I plan
to include part of my translation as a kind of inspirational quote. Surely
Sen. Exon will not object to this material as "indecent"? After all, it's
the word of God.

I threw this together quickly, excerpting some online versions of the
Bible. Others could do the same thing, by quoting salacious material from
other sources. The letters of Thomas Jefferson, for example? Or
Congressional testimony itself, maybe stuff from the Meese Commission
reports? Juicy stuff there. Is the CDA going to make quoting from the
Congressional Record a crime? (I suppose it ought to be....)

--Tim May

[This Bible excerpt awaiting review under the Communications Decency Act]
And then Lot said, "I have some mighty fine young virgin daughters. Why
don't you boys just come on in and do em right here in my house - I'll just
watch!"....Later, up in the mountains, the younger daughter said. "Dad's
getting old. I say we should do him." So the two daughters got him drunk and
did him all that night. Sure enough, Dad got em pregnant....Onan really
hated the idea of doing his brother's wife and getting her pregnant while
his brother got all the credit, so he whacked off first....Remember, it's
not a good idea to have sex with your sister, your brother, your parents,
your pet dog, or the farm animals. [excerpts from the Old Testament, Modern
Vernacular Translation, TCM, 1996]







From gimonca at skypoint.com  Sat Feb  3 21:05:42 1996
From: gimonca at skypoint.com (Charles Gimon)
Date: Sun, 4 Feb 1996 13:05:42 +0800
Subject: New sig, let me know what you think!
In-Reply-To: 
Message-ID: 



Packwood Diaries?
Gingrich's novel?
Screenplay for Gramm's porno movie?
Anything involving a Kennedy?

 ***********************************************************************
        --The Interview--             | gimonca at skypoint.com
 George Clinton: "Suck on my soul,    | Minneapolis MN USA
 and I will lick your funky emotions!"| http://www.skypoint.com/~gimonca
 Dave Letterman: "Yuck!!"             | A lean, mean meme machine.
 ***********************************************************************

On Sat, 3 Feb 1996, Timothy C. May wrote:

> 
> Others could do the same thing, by quoting salacious material from
> other sources. The letters of Thomas Jefferson, for example? Or
> Congressional testimony itself, maybe stuff from the Meese Commission
> reports? Juicy stuff there. Is the CDA going to make quoting from the
> Congressional Record a crime? (I suppose it ought to be....)
> 





From jf_avon at citenet.net  Sat Feb  3 21:37:07 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sun, 4 Feb 1996 13:37:07 +0800
Subject: New sig, let me know what you think!
Message-ID: <9602040507.AA20267@cti02.citenet.net>


Tim May's signature is truly a gem!


>[This Bible excerpt awaiting review under the Communications Decency Act]
>And then Lot said, "I have some mighty fine young virgin daughters. Why
>don't you boys just come on in and do em right here in my house - I'll just
>watch!"....Later, up in the mountains, the younger daughter said. "Dad's
>getting old. I say we should do him." So the two daughters got him drunk and
>did him all that night. Sure enough, Dad got em pregnant....Onan really
>hated the idea of doing his brother's wife and getting her pregnant while
>his brother got all the credit, so he whacked off first....Remember, it's
>not a good idea to have sex with your sister, your brother, your parents,
>your pet dog, or the farm animals. [excerpts from the Old Testament, Modern
>Vernacular Translation, TCM, 1996]






From jf_avon at citenet.net  Sat Feb  3 21:46:35 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Sun, 4 Feb 1996 13:46:35 +0800
Subject: free speach and the government
Message-ID: <9602040531.AA20987@cti02.citenet.net>


dlv at bwalk.dm.com (Dr. Dimitri Vulis) writes:

>Eric Murray  writes:
>> Stephan Mohr writes:

>I believe that any exception to unlimited free speech, be it libel, or
>copyright violation, or child pornography, or Nazi propaganda, or Chinese
>dissident materials, just isn't compatible with the cpunk agenda. No censorship
>is acceptable. That's an absolute.

     I agree with that.  Principles are important.  I agree that Sarin recipes might
be dangerous.  I also agree that such information should not be broadcasted.  
But I think that this control should be effected by the individual poster, out of 
benevolence for Man, not enforced at the point of a gun by a govt that pretends 
that we are too dumb to act by ourselves.  The nature of the Internet is 
unique in the history of mankind.  We must adapt, *as individuals* not as "a society".

The collectivity is a statistical concept that has no existence, apart from in the 
pretensions of the collectivist do-gooders.



>There's a widespread misconception that most journalists support freedom of
>speech for non-journalists. I deal with journalists occasionally, and my
>impression is that the attitude of some of them can be summarized as follows:
>"I'm an important guy because I can say something that hundreds of thousands of
>people will see/read; and I can libel another person and s/he won't be able to
>respond". People with this attitude are very threatened by the Internet. I'm
>not saying that all journalists are this way; I'm just pointing out that it's
>foolish to assume that just because a person works in the media, s/he's in
>favor of free speech, especially unlimited free speech.

I think it is safe to say, especially regarding coverage of the Internet by
popular media, that even if there are some journalists that still have integrity,
most of their bosses don't.


>From the technology point of view, there's no difference between helping
>Chinese dissidents circumvent their government's restrictions on the net,
>and helping neo-Nazis in Germany and helping child pornographers in the
>U.S. No one can determine which of the countless bits of information that
>travel over the Internet every second are false, or harmful, or subversive,
>or otherwise not worthy of transmission.

Well,  here I don't completely agree.  *you* can determine what is worth and 
what is not.
But again, I suppose that if you have rational arguments, you will be able
to convince other rational individuals.  I am not in favor of broadcasting 
neo-nazi scum all over because I think that their essence is the same as the one
underlying the censorship movement.  They share the same vision of man, only the
flavor changes slightly.  OTOH, somebody presenting facts pertaining to nazism and
what happened to the jews (confirming or infirming) are acceptable, as long as 
they are *facts*.  But there are plenty of causes that seem worthwhile
to defend, so why pick up the most dubious?


Ciao

JFA






From jamesd at echeque.com  Sat Feb  3 22:03:21 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 4 Feb 1996 14:03:21 +0800
Subject: free speach and the government
Message-ID: <199602040548.VAA04878@shell1.best.com>


At 10:52 PM 2/3/96 +0000, Stephan Mohr wrote:
> But do
> you fighter[s] for free speech, in principle, think that nothing, really
> nothing, [should] be prevented [from] being published?

Yes:

> [...]
>
>I know, of course, that by accepting that there is something that
>shouldn't be available on the net, we would need something to decide what
>and how to ban. So I wonder what would be a more 'net'-like way of handling 
>this type of thing and how to prevent that some 'strong-armed' governments
>take the net over.

There is no "net-like" way of preventing people from communicating 
when one wishes to speak and another wishes to listen.  To attempt 
to achieve such a goal violates the principles that made the internet
possible, such as the "no settlements" rule.


 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From jamesd at echeque.com  Sat Feb  3 22:06:14 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 4 Feb 1996 14:06:14 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <199602040548.VAA04885@shell1.best.com>


At 08:00 PM 2/3/96 -0500, you wrote:
>
>James Donald may characterize me as gutless. I think he would probably be 
>correct to some extent.

You acted for liberty:  I failed to act:  How could I characterize you
as gutless?

 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From jamesd at echeque.com  Sat Feb  3 22:30:20 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 4 Feb 1996 14:30:20 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: <199602040611.WAA18584@blob.best.net>


http://www2.ari.net/home/bsabath/950711.html

At 12:25 PM 2/3/96 -0800, Jordan Hayes wrote:
>Sorry to inject a little scholarly research on this topic, but I
>would urge those of you who are interested in how this mythology
>was created and disseminated to do an AltaVista search for Alperovitz;
>he's potentially the leading scholar on this subject.  I've read
>his book, and Tim probably ought to as well ...

SCHOLARLY RESEARCH!!!!

You do not know shit from beans:  Alperovitz is no more a scholar 
than Zundel is:  He is a historical revisionist 
who lies even more crudely than the holocaust revisionists.

It is clear that in the opinion of the high command, the decision to 
surrender after they were nuked was a dramatic and radical change of 
position.  Alperovitz says otherwise, thus he is either grotesquely 
ignorant or, more likely, simply dishonest.


Alperovitz writes: 
        The use of the atomic bomb, most experts now believe, was totally
        unnecessary. Even people who support the decision for various 
        reasons acknowledge that almost certainly the Japanese would have
        surrendered before the initial invasion planned for November. 
        The U.S. Strategic Bombing Survey stated that officially in 1946. 

        We found a top-secret War Department study that said when the 
        Russians came in, which was August 8, the war would have ended 
        anyway. The invasion of Honshu, the main island, was not 

        [And so on and so forth]

After the second nuclear attack, the Japanese high command had a
meeting with the emperor:  They heard testimony on the effects of
atomic bombs.  About half wanted to surrender, about half argued that
Japan should die gloriously:  They were unaware that the US had just
used up almost its entire nuclear arsenal.  They expected that surrender
would be followed by the same kind of reign of terror, rape, brutal
degradation, and mass murder, that they inflicted on the people that
they conquered. They expected that failure to surrender would result
in continued nuclear bombardment at about the same rate.  (Both
beliefs were incorrect.)

The Emperor *at that meeting* made the decision to surrender, shocking
a large part of the high command, and then made a speech on radio
announcing the surrender, stating as reason for the surrender that if
they did not surrender, Japan would be utterly destroyed by nuclear
weapons.

Seeing as they were still debating the issue *after* two nuclear
weapons had landed on them, it seems reasonable to believe that
without atomic weapons, it would have been necessary to fight from
house to house from one end of Japan to the other.


When Hirohito ordered surrender in response to atomic bombing, the high 
command attempted to violently overthrow him, and when they failed, many
in the high command committed suicide.





>
>If you read nothing else on this topic, I urge you to check out
>an interview with him at http://www2.ari.net/home/bsabath/950711.html
>
>#endif
>
>/jordan
>
>
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From jamesd at echeque.com  Sat Feb  3 22:34:39 1996
From: jamesd at echeque.com (James A. Donald)
Date: Sun, 4 Feb 1996 14:34:39 +0800
Subject: Microsoft's CryptoAPI - thoughts?
Message-ID: <199602040611.WAA18599@blob.best.net>


At 11:11 AM 2/3/96 TZ, Wasser wrote:
> I have "standardized" the PS files on the MS website, so there should 
> be no more problems. Sorry for the inconvenience.

Thank you, but it would be even better to webify them.

I have webified them (http://www.jim.com/jamesd/mscryptoapi.html), 
but I am sure most people would prefer an official copy:

 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From anonymous-remailer at shell.portal.com  Sat Feb  3 22:48:58 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Sun, 4 Feb 1996 14:48:58 +0800
Subject: C2 and the Worst Case
Message-ID: <199602040628.WAA07276@jobe.shell.portal.com>


sameer  wrote:

> > The question is, how much would they get? How much information about c2
> > users would fall into the wrong hands?
>
>	The only information we have is the information you give
> us. If you don't give us your name, we don't have your name. If you
> don't give us the site you're coming from, we don't have the site you're
> coming from. They can't get information out of us that we don't
> have. That's our guiding principle, in terms of the privacy against
> government-level attack.

Are you saying that when someone with an anonymous mailbox on c2.org
retrieves his/her mail via a POP3 connection, no log is made of
the originating IP address?






From jamesd at echeque.com  Sat Feb  3 22:54:40 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Sun, 4 Feb 1996 14:54:40 +0800
Subject: Sometines ya just gotta nuke em-and nuke em again
Message-ID: <199602040622.WAA07274@shell1.best.com>


At 03:39 PM 2/3/96 -0800, paralax at alpha.c2.org wrote:
>Mr. Hayes MAY have used a condescending tone but you have exposed your
>racist roots again.  First you embarrass yourself with your lack of knowledge,

Paralax does not know shit from beans.  He presumably imagines that Tim is
"embarrassed" because Tim's knowledge of the historical facts differs from
those facts dreamed up by the usual crew of apologists for totalitarian terror.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From joseph at genome.wi.mit.edu  Sat Feb  3 22:59:18 1996
From: joseph at genome.wi.mit.edu (Joseph Sokol-Margolis)
Date: Sun, 4 Feb 1996 14:59:18 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <9602040642.AA19600@karlo>


What the hell was that? Surely you can't expect us to believe people wrote that?
--Joseph





From mccoy at communities.com  Sun Feb  4 00:14:23 1996
From: mccoy at communities.com (Jim McCoy)
Date: Sun, 4 Feb 1996 16:14:23 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: <199602040812.AAA27504@scylla.communities.com>


>	One thing that I'm worried about is InterNIC. As I understand it, it
>is a central company that is in the business of receiving domain name
>registrations, including the info on what that domain is connected to, and
>sending it out to various nameservers. The nameservers then use this to route
>some (not all, I do believe) traffic.

Close, but not quite.  The role that the InterNIC serves is to register
domains and to maintain the top-level mappings.  It is from InterNIC that
the root-level nameservers load info regarding which domains are served by
which nameservers.  The way this process works from any particular user's
point of view is as follows:

1) You request that the host name www.foo.bar be resolved to an IP address.
2) Your TCP/IP software checks its local cache (if any) to see if it
   already has the requested information and if so it returns it without
   doing a lookup [there are timeouts and other bits involved but this is
   the simple version]
3) If a lookup is necessary your TCP/IP software digs up a pre-defined
   name/number for who it should ask.  This is the info that you enter
   into a resolv.conf file in unix, a MacTCP DNS setting, etc.  It is
   usually the nameserver for your internet service provider or a local
   nameserver for your network.  Once the resolver knows who to ask it
   formats a query and sends it off.
4) This nameserver checks its cache to see if it already has the info and
   if not it forwards the request to another nameserver.  Eventually the
   request hits a root server; the root servers then check the domain name
   against their tables (the ones it loaded up from the NIC) and forward
   the request to the appropriate nameserver.
5) Eventually the request is forwarded to a nameserver which is able to
   give an authoritative answer for this domain and the result is sent
   back to the original requester.

At any point in this chain it is possible for someone to decide who will
give the authoritative answer for this domain.  It is possible for you, the
requester, to decide for yourself who will be asked.  All you need to do is
to add whatever nameserver you trust early into the query chain and that
server will be asked first and only if it does not answer authoritatively
will the regular nameservers be asked to resolve the request.

The DNS system represents the oldest digital reputation system I know of.
It is _all_ about trust; if you think that someone is giving out bogus
information or you want your answers to come from someone else it is
trivial to change the way your nameservice is configured so that lookups
happen in the manner that you want.  No one can control how names are
resolved into numbers unless someone else grants them that power.  There
was a minor rebellion among the internet service providers this fall when
the NIC announced that they would begin charging for their services and it
flares up every now and then when some of the larger independent ISPs begin
to feel that the NIC is favoring the major players like MCI, Sprint, et al.
when it comes to address and routing blocks and other name/IP number
issues.  The point that is frequently raised to keep the NIC in line is
that there is nothing preventing these providers from going out and doing
whatever they want, whether it be establishing new root servers, allocating
whatever numbers they want, or just plain ignoring that the NIC exists.
And there would be absolutely nothing that InterNIC could do about it,
because that is how DNS works.  The biggest problems that would occur would
be when there was a conflict in the namespaces served (e.g. your lookup for
www.foo.com returns one number when an InterNIC served root nameserver
responds and another when a different set of root nameservers respond) and
the number that would be returned would depend entirely on which
nameservers your query asked to get the answer.  In short, it would depend
on who you decided to trust...

On a more cypherpunk-related note, it is actually quite trivial for you to
create your own shadow domains which are completely private to whatever
group you want.  If you want to create the foo.cypherpunk domain you can do
it just by downloading the BIND nameserver code and setting up a nameserver
which answers queries for the top-level .cypherpunk domain.  All that is
required for someone else to resolve names in this set of domains is for
them to know that a .cypherpunk address needs to be resolved by the
nameserver you created (which involves adding only a single line in every
DNS config system that I know of.)  It is also difficult for any authority
to mandate that certain nameservers be used because the entire system is
already so distributed as to make such a mandate useless (it would also
cause such a performance hit for net connections that it would be about as
effective as the old 55mph federal speed limits :)

jim
--
Jim McCoy
mccoy at communities.com
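
The lookup chain and the trust choices described in the message above, as an added example that is not part of the original post: a small offline model in Python of the cache, the configured nameserver, the root tables, a per-domain override, and a check that flags names two root sets answer differently. The class and function names, the server labels other than the page's www.foo.bar, www.foo.com and foo.cypherpunk, and all IP addresses (documentation ranges) are constructed assumptions; real DNS wire format and referrals are not modelled.

```python
import time


class Nameserver:
    """Answers from its own records, else hands the query to the server
    delegated for the longest matching suffix, else to its forwarder."""

    def __init__(self, label, records=None, delegations=None, forwarder=None):
        self.label = label
        self.records = records or {}          # name -> IP (authoritative data)
        self.delegations = delegations or {}  # domain suffix -> Nameserver
        self.forwarder = forwarder            # where unknown names are sent

    def query(self, name, trail):
        trail.append(self.label)              # record every server consulted
        if name in self.records:
            return self.records[name]
        for suffix in sorted(self.delegations, key=len, reverse=True):
            if name == suffix or name.endswith("." + suffix):
                return self.delegations[suffix].query(name, trail)
        if self.forwarder is not None:
            return self.forwarder.query(name, trail)
        return None                           # unknown in this namespace


class StubResolver:
    """Client side: local cache, per-suffix overrides, default nameserver."""

    def __init__(self, default_ns, overrides=None, ttl=300, clock=time.monotonic):
        self.default_ns = default_ns
        self.overrides = overrides or {}      # suffix -> server asked first
        self.ttl = ttl
        self.clock = clock
        self.cache = {}                       # name -> (ip, expiry time)

    def resolve(self, name):
        """Return (ip_or_None, trail of servers consulted)."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], ["cache"]
        trail, ip = [], None
        for suffix, ns in self.overrides.items():
            if name == suffix or name.endswith("." + suffix):
                ip = ns.query(name, trail)    # the trusted server goes first
                break
        if ip is None:                        # fall back to the regular chain
            ip = self.default_ns.query(name, trail)
        if ip is not None:
            self.cache[name] = (ip, self.clock() + self.ttl)
        return ip, trail


def namespace_conflicts(names, roots):
    """Names for which the given roots return different non-empty answers."""
    conflicts = {}
    for name in names:
        answers = {root.label: root.query(name, []) for root in roots}
        if len({ip for ip in answers.values() if ip is not None}) > 1:
            conflicts[name] = answers
    return conflicts


def build_world():
    """Constructed sample namespace; nothing here touches the network."""
    foo_bar = Nameserver("ns.foo.bar", {"www.foo.bar": "192.0.2.10"})
    foo_com = Nameserver("ns.foo.com", {"www.foo.com": "192.0.2.20"})
    alt_foo_com = Nameserver("ns.foo.com (alt)", {"www.foo.com": "198.51.100.20"})
    nic_root = Nameserver("root (InterNIC)",
                          delegations={"foo.bar": foo_bar, "foo.com": foo_com})
    alt_root = Nameserver("root (alt)",
                          delegations={"foo.bar": foo_bar, "foo.com": alt_foo_com})
    return {
        "nic_root": nic_root,
        "alt_root": alt_root,
        "isp": Nameserver("ns.isp.example", forwarder=nic_root),
        "cypherpunk": Nameserver("ns.cypherpunk", {"foo.cypherpunk": "203.0.113.5"}),
    }


if __name__ == "__main__":
    w = build_world()
    plain = StubResolver(w["isp"])
    print(plain.resolve("www.foo.bar"))       # full chain on first lookup
    print(plain.resolve("www.foo.bar"))       # served from the local cache
    print(plain.resolve("foo.cypherpunk"))    # unknown to the InterNIC roots
    private = StubResolver(w["isp"], overrides={"cypherpunk": w["cypherpunk"]})
    print(private.resolve("foo.cypherpunk"))  # resolved via the one-line override
    print(namespace_conflicts(["www.foo.com", "www.foo.bar"],
                              [w["nic_root"], w["alt_root"]]))
```

Comparing answers across independently operated resolvers, as `namespace_conflicts` does, is also how an operator would notice that a configured nameserver is returning data that differs from the rest of the namespace.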





From jcobb at ahcbsd1.ovnet.com  Sun Feb  4 01:53:34 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Sun, 4 Feb 1996 17:53:34 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: 


 
 
  Rich, 
 
 
  Neither dropping nuclear weapons on Japanese cities nor an invasion 
  of Japan was necessary to secure surrender of the Japanese government. 
 
  David Kahn explains: 
 
    Communications intelligence contributed...in major ways to the 
    Allies' Pacific victory.  It stepped up American submarine sinkings 
    of the Japanese merchant fleet by one third. This cutting of Japan's 
    lifelines was, Premier Hideki Tojo said after the war, one of the 
    major factors that defeated Japan. 
 
       David Kahn.  "Codebreaking in World Wars I and II: The 
       Major Successes and Failures, Their Causes and Their 
       Effects" (1980).  In: Kahn on Codes: Secrets of the New 
       Cryptology.  Macmillan Publishing Co.  1983.  Page 108. 
 
 
    The water transport intercepts should provide case after case of how 
    American submarines won one of the most important victories in the 
    Pacific: the sinking of the Japanese merchant fleet.... 
 
       Kahn.  "Opportunities in Cryptology for Historians."  Op 
       cit.  P 289. 
  
 
    Some information came out shortly after World War II, when we 
    all heard about how we broke some Japanese codes before Pearl 
    Harbor, which...did help very much...in the successful American 
    submarine blockade of Japan, which very largely brought the
    Japanese empire to its knees.
 
       Kahn.  "Signals Intelligence in the 1980s" (1981).  Op cit. 
       P 292. 
 
   
 
             In other words, it was Starvation City. 
             --------------------------------------- 
 
  As an aside, these three quotations from Kahn on Codes, a collection
  of articles, show that David's views in this regard are consistent 
  over the years. 
 
  Continuing-- 
 
  Dropping nuclear weapons on Japanese cities or an invasion of Japan 
  was not necessary to secure surrender of the Japanese government. 
   
  William Langer explains: 
 
    In the greatest air offensive in history [during May, June, and
    July 1945] United States land-based and carrier-based aircraft
    destroyed or immobilized the remnants of the Japanese navy,
    shattered Japanese industry, and curtailed Japanese sea
    communications by submarine and air attack and extensive
    minefields.  United States battleships moved in to shell densely
    populated cities with impunity and the Twentieth Air Force dropped
    40,000 tons of bombs on Japanese industrial centers in one month.
 
       William Langer.  An Encyclopedia of World History. 
       Houghton Mifflin Co.  1948.  Page 1169. 

 
                    It was Devastation City. 
                    ------------------------ 

  Then why Hiroshima and Nagasaki? 
 
  There were two main reasons nuclear weapons were dropped on Japanese 
  cities: 
 
       (1)  generally, to proclaim Pax Americana...with a bang 
 
       (2)  specifically, to declare war on the Soviet Union. 
 
 
  For the sake of completeness, let's ask:  If it really had been 
  necessary to drop nuclear weapons on Japan in order to compel the 
  Japanese government to surrender, should they have been dropped? 
 
  Without hesitation. 
 
 
  Cordially, 
 
  Jim 
 
 

 
  NOTE.  The first part of the "Opportunities" article was published 
  in 1972.  The second part, dealing with World War II, was written 
  perhaps a decade later for publication in the collection. 
 
 






From alano at teleport.com  Sun Feb  4 02:03:42 1996
From: alano at teleport.com (Alan Olsen)
Date: Sun, 4 Feb 1996 18:03:42 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <2.2.32.19960203194631.00955980@mail.teleport.com>


At 12:46 PM 2/3/96 -0500, ErnstZundl at aol.com wrote:

>If you are a *true* Patriot, and a *true* Aryan, then you *MUST*
>make the journey to Antarctica and into the volcano!!  We owe it to
>the world, we owe it to the great Adolph Hitler, and we owe it to
>the White Race.

"But what about Hitler's Brain?"

|   Remember: Life is not always champagne. Sometimes it is REAL pain.   |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!"  | Ignore the man      |
|`finger -l alano at teleport.com` for PGP 2.6.2 key  | behind the keyboard.|
|         http://www.teleport.com/~alano/          | alano at teleport.com  |






From secret at secret.alias.net  Sun Feb  4 02:26:56 1996
From: secret at secret.alias.net (K00l Secrets)
Date: Sun, 4 Feb 1996 18:26:56 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: <199602041005.EAA06068@paulsdesk.phoenix.net>


In article <960203124656_311380557 at emout09.mail.aol.com> ErnstZundl at aol.com writes:
> Instead, you can help me in my cause to make the Earth safe for White
> children.
> You can help me by joining me and my legions of Aryan Nazi UFO Supermen
> at the center of the Earth.  All you have to do to get there is enter the
> Earth's center by way of a volcano in Antarctica.
> 
> If you are a *true* Patriot, and a *true* Aryan, then you *MUST*
> make the journey to Antarctica and into the volcano!!  We owe it to
> the world, we owe it to the great Adolph Hitler, and we owe it to
> the White Race.
> 
> And please bring a sweater.  It's cold!

Is this guy really a Nazi, or just a complete nut?  I mean, if he's
out there convincing Neo-Nazis and Holocaust deniers to go freeze to
death at the South pole, is that really anti-semitic?





From frissell at panix.com  Sun Feb  4 03:53:43 1996
From: frissell at panix.com (Duncan Frissell)
Date: Sun, 4 Feb 1996 19:53:43 +0800
Subject: Futplex makes the news!
Message-ID: <2.2.32.19960204113951.009bca04@panix.com>


At 07:01 PM 2/3/96 -0800, Timothy C. May wrote:
>presence by Lewis. (From what I've seen at California universities, the
>folks with the long knives will still be trying to "get him."
>Unfortunately, with search tools like Alta Vista they can keep tabs on him
>semi-automatically and report any further evidence of his racist,
>misogynistic, and anti-democratic views to the Dean of Students.)
>
>(I could add a smiley here, but it's really not very funny.)

But it's a state school.  All you have to do is sue.  Since academics are
gutless, they aren't that hard to face down.  So far, no one's really wanted
to face my mouth so they've left me alone once I made it clear that I was a
libertarian anarchist nut.

I feel sorry for Lewis though and wouldn't want him to do anything he wasn't
comfortable with.

DCF

"Then there was the time that my RA (Resident Assistant) in my dorm in a
small (private) liberal arts college in the Northwest found out I had a gun
in my room..."






From mab at crypto.com  Sun Feb  4 05:24:18 1996
From: mab at crypto.com (Matt Blaze)
Date: Sun, 4 Feb 1996 21:24:18 +0800
Subject: RC2 technical questions
In-Reply-To: <9601028232.AA823283956@snail.rsa.com>
Message-ID: <199602040753.CAA27660@crypto.com>


baldwin at rsa.com writes:
>         In a shameless attempt to move the discussion of RC2 into
> a more technical arena, here are some interesting questions to
> explore about RC2.
>                 --Bob
> 
> Key expansion
> - How can you tell whether the permutation is based on
>   some sequence of digits from PI?

[long list of other good and interesting questions deleted]

In a previous message, baldwin at rsa.com also wrote:
>WARNING NOTICE
...
>in such source code under applicable law, including without
>limitation trade secret and copyright protection.  In
>particular, RSA Data Security's RC2 (TM) symmetric block
>cipher source code has been illegally misappropriated and
>published.  Please be advised that these acts, as well as
>any retransmission or use of this source code, is a
>violation of trade secret, copyright and various other state
>and federal laws.  Any person or entity that acquires,
>discloses or uses this information without authorization or
>license to do so from RSA Data Security, Inc. is in
>violation of such laws and subject to applicable criminal
>and civil penalties, which may include monetary and punitive
>damages, payment of RSA's attorneys fees and other equitable
>relief.


Bob,

I'm confused by these two messages, as a non-lawyer (but I realize you're
also a non-lawyer).  How can RSADSI, on the one hand, expect to be able
to assert trade secret status over RC2 (with a warning to "...any person
who acquires, discloses or uses this information...") while at the same time
encouraging the world to examine and better understand the (illegally-
published) RC2 code?  To my lay mind, I cannot see how one can reconcile
your two messages.

I'm not trying to be cute or play lawyer.  I'm honestly confused as
to just what RSADSI's position here is.

-matt





From paralax at alpha.c2.org  Sun Feb  4 05:28:37 1996
From: paralax at alpha.c2.org (paralax at alpha.c2.org)
Date: Sun, 4 Feb 1996 21:28:37 +0800
Subject: Nuke em if ya got em "TCMay"
Message-ID: <199602041303.FAA05924@infinity.c2.org>


On Date: Sat, 03 Feb 1996 22:20:52 -0800 James A. Donald Wrote:

At 03:39 PM 2/3/96 -0800, paralax at alpha.c2.org wrote:

P> Mr. Hayes MAY have used a condescending tone but you have exposed your
P> racist roots again.  First you embarrass yourself with your lack of knowledge,

JAD> Paralax does not know shit from beans.  He presumably imagines that Tim is
JAD> "embarrassed" because Tim's knowledge of the historical facts differs from
JAD> those facts dreamed up by the usual crew of apologists for totalitarian terror.

JAD> James A. Donald

Historical facts and/or personal interpretations thereof were never called
into question by me.  I took umbrage with Mr. May's insulting, insensitive
and racist comments about Jews and the Japanese.  Whether Mr. May is
personally embarrassed by his public display of ignorance and bigotry
matters not.  He did indeed embarrass himself on an 'International Stage'.

I may not know shit from beans (actually I do) but I do know cultural
insensitivity, racism, bigotry and ignorance when I see it displayed so
blatantly.  I encouraged Mr. May to return to topics 'cipher' before
further embarrassment ensues.  I urge you to do likewise.

A. Paralax View





From declan+ at CMU.EDU  Sun Feb  4 05:30:00 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sun, 4 Feb 1996 21:30:00 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960203124656_311380557@emout09.mail.aol.com>
Message-ID: 


Excerpts from internet.cypherpunks: 4-Feb-96 Re: THE JEWS (ALL of
them!).. by K00l Secrets at secret.alia 
>  
> Is this guy really a Nazi, or just a complete nut?  I mean, if he's
> out there convincing Neo-Nazis and Holocaust deniers to go freeze to
> death at the South pole, is that really anti-semitic?

Ernst Zundel is indeed a National Socialist. But as others pointed out
in previous messages, his real email address is ezundel at cts.com. I
posted a message to fight-censorship last week on the emergence of the
Zundelimposter. It's archived at the remaining CMU mirror site, at:

http://www.gsia.cmu.edu:80/andrew/ml3e/www/Not_By_Me_Not_My_Views/censorship/imposter.012896.txt

-Declan






From ErnstZundl at aol.com  Sun Feb  4 06:10:09 1996
From: ErnstZundl at aol.com (ErnstZundl at aol.com)
Date: Sun, 4 Feb 1996 22:10:09 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <960204084755_135434252@emout04.mail.aol.com>


>> if he's out there convincing Neo-Nazis and Holocaust deniers
>> to go freeze to death at the South pole, is that really
>> anti-semitic?

DUH!!

Nobody is going to freeze to death if they dress warmly.  That is just a myth
about Antarctica.  It is really a tropical paradise, but THE JEWS don't want
you to know that.  Besides, we will all be going *inside* a VOLCANO!  Even if
somehow Antarctica were freezing cold, we will be plenty warm inside the
volcano which leads to the Aryan Nazi UFO Base at the center of the Earth.

I am not asking Nazis and Holocaust deniers to freeze to death!  I am
inviting them to jump into a volcano, you fool!







From ErnstZundl at aol.com  Sun Feb  4 06:18:28 1996
From: ErnstZundl at aol.com (ErnstZundl at aol.com)
Date: Sun, 4 Feb 1996 22:18:28 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <960204084744_135434288@emout10.mail.aol.com>


>> Surely you can't expect us to believe people wrote that?

Who do you propose wrote it then?  Aryan Space Nazis?





From declan+ at CMU.EDU  Sun Feb  4 06:30:37 1996
From: declan+ at CMU.EDU (Declan B. McCullagh)
Date: Sun, 4 Feb 1996 22:30:37 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960204084755_135434252@emout04.mail.aol.com>
Message-ID: 


Excerpts from request: 4-Feb-96 Re: THE JEWS (ALL of them!).. by
ErnstZundl at aol.com 
> Nobody is going to freeze to death if they dress warmly.  That is just a myth
> about Antarctica.  It is really a tropical paradise, but THE JEWS don't want
> you to know that.  Besides, we will all be going *inside* a VOLCANO!  Even if
> somehow Antarctica were freezing cold, we will be plenty warm inside the
> volcano which leads to the Aryan Nazi UFO Base at the center of the Earth.
>  
> I am not asking Nazis and Holocaust deniers to freeze to death!  I am
> inviting them to jump into a volcano, you fool!

The ernstzundl at aol.com imposter obviously does not know that Xenu will
chain him to an Antarctic volcano and annihilate him with nuclear
weapons. Beware the thetans!

ObCrypto: Obviously someone as controversial as Zundel needs to PGP-sign
his messages. (Actually, *her* messages, since Ingrid posts for the
Zundelish One.) Does anyone want to show her how to use PGP? I think she
has a PPP connection from her computer at home to cts.com. Message
headers don't indicate what mailer she uses.

-Declan






From paralax at alpha.c2.org  Sun Feb  4 06:53:22 1996
From: paralax at alpha.c2.org (paralax at alpha.c2.org)
Date: Sun, 4 Feb 1996 22:53:22 +0800
Subject: Aegis PGP Shell
Message-ID: <199602041406.GAA11463@infinity.c2.org>


Gordon Campbell wrote: 

GRC> After doing a total reinstall of my system (don't ask) I discovered that I
GRC> don't have a copy of the Aegis PGP Shell distribution archive anywhere. I
GRC> attempted to grab it from http://iquest.com/~aegisrc as listed in the docs,
GRC> but the site doesn't exist.

GRC> Does anybody know what gives and where I can get a new copy of the archive?
GRC> I really like this shell and haven't figured out how to otherwise integrate
GRC> PGP with EudoraPro.

GRC> Gordon R. Campbell, Owner - Mowat Woods Graphics

From alt.security.pgp another reader writes:

> It seems that iquest.com has dropped off the net today so the 
> normal url:  http://iquest.com/~aegisrc/beta2.htm is 
> unavailable.  With the weather around here right now, I doubt 
> it will be up any time soon.

> I've created a very quick mirror site at:
> http://fly.hiwaay.net/~lyman/pgpwsbeta.htm

> Please use it only if you cannot connect to the first url.

A. Paralax View





From dlv at bwalk.dm.com  Sun Feb  4 07:45:16 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Sun, 4 Feb 1996 23:45:16 +0800
Subject: free speach and the government
In-Reply-To: <9602040531.AA20987@cti02.citenet.net>
Message-ID: 


(Little crypto relevance, some technology)

jf_avon at citenet.net (Jean-Francois Avon (JFA Technologies, QC, Canada)) writes:
>
> I think it is safe to say, especially regarding coverage of the Internet by
> popular medias, that even if there are some journalists that still have integrity
> most of their bosses don't.

They may have integrity; they just adhere to different moral principles.
E.g., if their salaries are paid by the advertisers, they may feel that
they owe their allegiance to the advertisers, not the readers, and that
pleasing the advertisers is more important than telling the (whole) truth.

> >U.S. No one can determine which of the countless bits of information that
> >travel over the Internet every second are false, or harmful, or subversive,
> >or otherwise not worthy of transmission.
>
> Well,  here I don't completely agree.  *you* can determine what is worth and
> what is not.

I can determine what's not worth reading for me. (I wish I had better technical
means to filter out the incoming traffic that I know is not worth my reading --
freedom of non-association, in addition to freedom of speech and freedom of
association :-). I could share my opinions with others (through a rating system
or by publicly urging everyone to *plonk* someone I don't like, although I find
this in bad taste). I can't determine that an item is so unworthy that it
should be suppressed and that someone else should be deprived of his right
to read it. In my opinion, I can't determine that a certain item of information
is not worth being published/transmitted at all. Someone else is likely to
be interested in the information that I'm not interested in.

> But again, I suppose that if you have rational arguments, you will be able
> to convince other rational individuals.  I am not in favor of broadcasting
> neo-nazi scum all over because I think that their essence is the same as the
> underlying the censorship movement.  They share the same vision of man, only

Frankly, I've never looked at the stuff the WC is trying to suppress. I know
enough on the subject to be convinced that it's not worth my time and effort.
But if someone wants to publish it, and someone else wishes to read what they
publish, they should be at liberty to do that. I don't think they're the same
as the WC's, who seek to suppress speech.

As for picking a more popular cause for a test case, yes, I wish there was
something more savory (like PRC or SG dissidents), but "popular speech doesn't
need protection".

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From bernardo at alpha.c2.org  Sun Feb  4 07:56:06 1996
From: bernardo at alpha.c2.org (bernardo at alpha.c2.org)
Date: Sun, 4 Feb 1996 23:56:06 +0800
Subject: [noise] Re: Charter of PDX Cpunk meetings
Message-ID: <199602041518.HAA17608@infinity.c2.org>


jim bell wrote:

>> I think an explanation for this is due.  Jim is going to move his complaints
>> here instead of dealing with them with me no matter what I do...
>
> Alan Olsen is correct, here.

This is childish and pointless.  Please shut up or take it to email.

> But he (the anonymous poster):
> 1.  Flamed me on this national list, similarly to the way Alan Olsen later did.

FWIW, this is an _international_ list with a lot of people who are
just not interested in your petty bickering.  If you want to argue
about this, please do it in private.  If Alan posts responses to the
list, that's his problem.  You don't _have_ to answer in public.

> 2.  Failed to be willing to sustain the debate in a more appropriate list, 
> even under a stable nym.

You have something against anonymity?  In this case, perhaps this list
is not the best place to be.

> that I had been flamed by that anonymous poster.  The fact that he was
> anonymous says it all.  The fact that he has not returned says it all.  The 

The fact that he was anonymous says nothing whatsoever.  So what if
you received some email agreeing that you'd been flamed?

> the fact that I am relatively new here.  I have no intention of inflicting
> an unwelcome discussion of "Assassination Politics" on the list, and 

Actually, and Perry may disagree here, but I'd have no objection to a
discussion of "Assassination Politics", or any other nutty political
theories, as long as we can stick to reasonably mature discussion and
not flames and petty ego boosting.

> suffered any longterm loss of reputation of his own.  I, on the other hand, 
> use my REAL NAME.

Whoopie!  A True Name!  Big deal.  I care not one jot whether or not
you use your REAL NAME.  I have no way of knowing if it is, in fact,
your real name.  Should it make a difference?

No one is going to "suffer any longterm loss of reputation" by
disagreeing with you, or anyone else, whether or not they use a nym
(or anonymity).

> Only a fool would have taken an anonymous flamer seriously under those 
> circumstances.

An anonymous post is no less valid for being anonymous.  The only
advantage of a stable nym, whether or not it's a True Name, is the
ability to gain (or lose) reputation through the content of its
posts.  Perhaps a nym with some reputation is taken more seriously
than an anonymous poster, but so is an unknown nym.  Neither you nor
Alan has any reputation to speak of (to me, at least), so an anonymous
post has no less.

>> Jim ignored that request and I removed him from the list.
> 
> Read:  "Alan Olsen exercised his authority in his own personal fiefdom, the 
> "PDX Cypherpunks list."

Are you saying he doesn't have that right?  If it's his list, he can
do whatever the hell he likes with it.

> On the contrary, I have no interest in dealing with this sleazy character in 
> email.  He was the one who chose a national list to do his flaming and 
> baiting, and I think he deserves full "credit."

In other words, you are not interested in resolving any problem you
have with Alan, you just want to make a lot of noise in public in an
attempt to "embarrass" him.  Go play on some other list where this
kind of thing is appreciated.

>> The following is the last I will say publicly on the matter.
> 
> You're going to take your bat and ball and "go thwait home!"  You hear your 
> mommy calling, Alan.

This list periodically devolves into this childishness.  I'm glad Alan
is not going to say any more.  I award Alan 20 Reputation Points for
being mature enough to walk away (delayed long enough to see whether
he does)





From avatar at mindspring.com  Sun Feb  4 08:14:57 1996
From: avatar at mindspring.com (avatar at mindspring.com)
Date: Mon, 5 Feb 1996 00:14:57 +0800
Subject: Encryption Programs
Message-ID: <199602041551.KAA26343@borg.mindspring.com>


OBVIOUSLY the spokesman of the group. I ask for help and this is what I get?

        One more time, I'm well aware of the capabilities of PGP. What I'm
looking for is a program that does a better job of binary encryption than
just Radix 64 ASCII armoring.


>Return-Path: remailer at utopia.hacktic.nl
>Date: Sun, 4 Feb 1996 10:40:07 +0100
>To: avatar at mindspring.com
>From: anon-remailer at utopia.hacktic.nl (Name Withheld by Request)
>Organization: Hack-Tic International, Inc.
>XComm: This message was automaticly Remailed by an Anonymous Remailer.
>XComm: Report inappropriate use to 
>Subject: Encryption Programs
>From: House.of.the.Rising.Sun at utopia.hacktic.nl
>
>
>	wow, a fresh newbie with his first toy!  your lights work, too?
>    cypherpunks is not for you if you need to ask for encryption....
>
>	there's only one encryption program which is both simple and
>    effective: PGP.  if you don't know where to find it, use DEC's Alta
>    Vista web search engine in advanced mode for "mit NEAR pgp"
>
>	you can get a DOS image. there are some windows interfaces I
>    have been told, but fuck Bill Gates and horse he rode in on.
>
>	maybe some day, you'll find enlightenment on choice of operating
>    systems...  instead of following the herd to Gate's bank of mindless.
>
>
>>From avatar at mindspring.comSun Feb  4 09:06:32 1996
>Date: Sat, 03 Feb 1996 23:17:09 -0600
>From: avatar at mindspring.com
>To: cypherpunks at toad.com
>Subject: Searching for the best
>
>Hi, Folks
>
>        I am looking for the best file encryption program and the best file
>wiping program.
>PC compatible, preferably Win 95 compatible.
>                                                                        Thanx
>Charles Donald Smith Jr.
>582 Clifton Rd. N.E.
>Atlanta, Ga. 30307-1787
>(404)-378-7282
>
>REPUBLICAN; smaller government, less taxes, richer people, and proud children!!
>
>
Charles Donald Smith Jr.
582 Clifton Rd. N.E.
Atlanta, Ga. 30307-1787
(404)-378-7282

REPUBLICAN; smaller government, less taxes, richer people, and proud children!! 






From Andrew.Spring at ping.be  Sun Feb  4 08:17:40 1996
From: Andrew.Spring at ping.be (Andrew Spring)
Date: Mon, 5 Feb 1996 00:17:40 +0800
Subject: Alien factoring breakthroughs
Message-ID: 



>The Grays have reneged on their abduction quota agreement, and are
>abducting many more people than before. Most of these are returned, after
>being implanted with a device which allows the grays to have total control
>over their thoughts and actions. Approximately 40% of Americans now carry
>one of these devices, which are impossible to remove without killing the
>host.
>

The mark of a good conspiracy theory is its untestability.  Your theory
fails here, because you could perform autopsies on those hosts who have
died of natural causes to recover the mind control devices.

Suggest you amend the last sentence to read "...one of these devices, which
dissolve immediately upon death, and which are impossible to remove..."
etc, etc.







From PADGETT at hobbes.orl.mmc.com  Sun Feb  4 08:29:20 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 00:29:20 +0800
Subject: Don't type your yes/fraud response into your computer
Message-ID: <960204111411.202124c6@hobbes.orl.mmc.com>


>	At base, the moral to the story is that a compromised user machine
>permits essentially any and all activities to be suborned.  Only a smart
>card mechanism stands a chance of standing up to this, but that, in effect,
>makes the smart card the 'user machine'.

True and has been one reason the smartcards/tokens/etc have been available
for years. The other side of the coin is expense - for a smart card and 
reader you are looking at over $100. For a token alone (you enter the 
one-time response) $30-$60. In a mass-market environment, this is not
supportable.

OTOH, keyboard sniffing software is easy to detect because it must go 
resident and it must intercept the keystrokes. The fact that no software
has bothered to do this does not mean that it cannot be done. The 
easiest way for such software to act would be to ignore the machine software
and when sensitive material is to be passed, to do so via direct port 
(hardware) access - been a while since I looked at it but AFAIR is around
port 60h. (PC type machines)

This would take care of anything sitting on Int 09 or Int 16 since it would
be bypassed. Often a problem that looks difficult when viewed as a whole
becomes simple once you disassemble it.

Rather than try to find a workaround for a machine you do not trust, why not
develop a means to trust it ? Can do with software alone and that is cheap.

						Warmly,
							Padgett

ps Dave, what is this thingie on the 21st ? May be in the area (opportunity
   for plug here 8*).

pps Before y'all get too wrapped up in free-speech vs libel in the US I would 
    suggest studying the difference between criminal law and civil.
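The detection argument in the message above (a resident keystroke interceptor has to sit on Int 09 or Int 16) can be checked by comparing the real-mode interrupt vector table against a known-good snapshot. This is an added example, not code from the thread: the function names, the assumed BIOS ROM window F0000h-FFFFFh, and both table snapshots are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_BYTES 1024u   /* real-mode table at 0000:0000: 256 vectors x 4 bytes */
#define ROM_LO 0xF0000u   /* assumption: system BIOS ROM occupies F0000h-FFFFFh */
#define ROM_HI 0xFFFFFu

typedef struct {
    unsigned vector;      /* interrupt number that changed */
    uint16_t seg, off;    /* handler currently installed */
    int in_ram;           /* 1 if that handler lies outside the BIOS ROM window */
} hook_finding;

/* The two vectors named in the message: hardware keyboard IRQ and BIOS keyboard services. */
static const unsigned KEYBOARD_VECTORS[] = { 0x09, 0x16 };

/* Each table entry is stored as offset (little-endian word) followed by segment. */
static int read_vector(const uint8_t *ivt, size_t len, unsigned n,
                       uint16_t *seg, uint16_t *off)
{
    size_t at = (size_t)n * 4u;
    if (n > 0xFFu || len < at + 4u)
        return -1;                      /* truncated snapshot */
    *off = (uint16_t)(ivt[at] | (ivt[at + 1] << 8));
    *seg = (uint16_t)(ivt[at + 2] | (ivt[at + 3] << 8));
    return 0;
}

static void write_vector(uint8_t *ivt, unsigned n, uint16_t seg, uint16_t off)
{
    size_t at = (size_t)n * 4u;
    ivt[at]     = (uint8_t)(off & 0xFFu);
    ivt[at + 1] = (uint8_t)(off >> 8);
    ivt[at + 2] = (uint8_t)(seg & 0xFFu);
    ivt[at + 3] = (uint8_t)(seg >> 8);
}

/* seg:off pairs can alias, so compare 20-bit linear addresses, not the raw pair. */
static uint32_t linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Returns the number of keyboard vectors that differ from the baseline,
 * or -1 if either snapshot is too short. Up to max_out findings are stored. */
int find_keyboard_hooks(const uint8_t *baseline, const uint8_t *current,
                        size_t len, hook_finding *out, size_t max_out)
{
    size_t i;
    int found = 0;

    for (i = 0; i < sizeof KEYBOARD_VECTORS / sizeof KEYBOARD_VECTORS[0]; i++) {
        unsigned v = KEYBOARD_VECTORS[i];
        uint16_t bs, bo, cs, co;
        uint32_t now;

        if (read_vector(baseline, len, v, &bs, &bo) != 0 ||
            read_vector(current, len, v, &cs, &co) != 0)
            return -1;
        now = linear(cs, co);
        if (now == linear(bs, bo))
            continue;                   /* same handler as the clean snapshot */
        if ((size_t)found < max_out) {
            out[found].vector = v;
            out[found].seg = cs;
            out[found].off = co;
            out[found].in_ram = !(now >= ROM_LO && now <= ROM_HI);
        }
        found++;
    }
    return found;
}

/* Constructed sample data: a baseline with both vectors in ROM, and a
 * current table in which Int 09h has been redirected to a RAM segment. */
void build_sample(uint8_t *baseline, uint8_t *current)
{
    memset(baseline, 0, IVT_BYTES);
    write_vector(baseline, 0x09, 0xF000, 0xE987);
    write_vector(baseline, 0x16, 0xF000, 0xE82E);
    memcpy(current, baseline, IVT_BYTES);
    write_vector(current, 0x09, 0x0C1A, 0x0123);
}

int main(void)
{
    uint8_t baseline[IVT_BYTES], current[IVT_BYTES];
    hook_finding f[2];
    int i, n;

    build_sample(baseline, current);
    n = find_keyboard_hooks(baseline, current, IVT_BYTES, f, 2);
    for (i = 0; i < n && i < 2; i++)
        printf("Int %02Xh now at %04X:%04X (%s)\n", f[i].vector,
               (unsigned)f[i].seg, (unsigned)f[i].off,
               f[i].in_ram ? "RAM, resident code" : "ROM");
    return n < 0;
}
```

Legitimate resident keyboard drivers also change these vectors, which is why the comparison is against a baseline rather than against ROM alone. A vector diff sees only software hooks on the interrupt chain; it says nothing about I/O port trapping by a virtual-86 monitor.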





From PADGETT%TCCSLR at emamv1.orl.mmc.com  Sun Feb  4 08:51:28 1996
From: PADGETT%TCCSLR at emamv1.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 00:51:28 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <01I0TB0U7ZR600MSLZ@emamv1.orl.mmc.com>



>James Donald may characterize me as gutless. I think he would probably be 
>correct to some extent.

"Freedom is just another word for nothing more to lose." - Janis

						P.fla





From mang at lisgar.edu.on.ca  Sun Feb  4 09:40:35 1996
From: mang at lisgar.edu.on.ca (Mike Ang)
Date: Mon, 5 Feb 1996 01:40:35 +0800
Subject: "Nations see Internet as threat to security"
Message-ID: <199602041651.LAA05232@plethora.lisgar.edu.on.ca>



"Nations see Internet as threat to security" made the front page of the 
Saturday _Globe and Mail_.

There are some really nice lines in the article, which basically states 
that electronic freedoms through the Internet are a direct challenge to 
the power of nation states.  They mention all of the more recent 
examples in China, Germany, France, and the States.

Here are some of the more interesting paragraphs:

But as China, Germany,







From mang at lisgar.edu.on.ca  Sun Feb  4 09:44:58 1996
From: mang at lisgar.edu.on.ca (Mike Ang)
Date: Mon, 5 Feb 1996 01:44:58 +0800
Subject: "Nations see Internet.." continued
Message-ID: <199602041718.MAA05257@plethora.lisgar.edu.on.ca>



Sorry about that -- here's the whole thing again


"Nations see Internet as threat to security" made the front page of the 
Saturday _Globe and Mail_.

There are some really nice lines in the article, which basically states 
that electronic freedoms through the Internet are a direct challenge to 
the power of nation states.  They mention all of the more recent 
examples in China, Germany, France, and the States.

The author obviously wasn't afraid of making large claims.  Most of them 
were acceptable, but some seemed completely unsubstantiated (see below).

Here are some of the more interesting paragraphs:

But as China, Germany, the United States and now France have discovered 
recently, data sent electronically over the Internet can be every bit as 
threatening to a country's laws or its culture as armies of yesteryear.  
But its elusive nature makes it difficult to track down and impossible to 
eradicate.  And there is growing concern that the very existence of the 
Internet is a threat to the nation-state.

[..]

"We think of states as unitary bodies, but what they really are is a 
bundle of sovereignties -- economic sovereignty, military sovereignty, 
cultural and social sovereignty."  That bundle is now coming undone, or 
as Mr. Saffo put it, "Digital technology is the solvent leaching the glue 
out of the state as we know it."

..

It's not just cultural or social sovereignty that governments worry 
about.  The power to tax is also being eroded by the increase in economic 
transactions that take place over the Internet, some encrypted so that 
prying eyes at the tax department could not read them even if a tax 
inspector was fortunate enough to stumble upon them.  Drug dealers and 
terrorists are resorting increasingly to this means of moving funds.

..

However, advocates of unregulated cyberspace says [sic] this just means 
that the only people using encryption programs at the moment are those 
doing it illegally.  It's a similar argument to the one often made in 
Canada against gun control -- the bad guys already have weapons.

..


Yay, more FUD.  The article does a good job of raising some of the 
important issues.  But I _highly_ doubt that "drug dealers and 
terrorists" are using digital cash to transfer funds.  They also 
characterize strong encryption as something evil.

The author implies that the main reason for encrypting financial
transactions is to evade the tax department - if I'm sending my credit 
card # across the net, _of course_ I'm going to encrypt it, and
when using digital cash, encryption is generally part of authentication.

Comparing crypto to guns works in the sense that the "bad guys" will 
always be able to have access to them.  However, I for one support gun 
control but do not support mandatory limits on crypto.  Where I live,
there are no threats that justify allowing everyone to carry guns - the 
threat to privacy and freedom of speech justifies allowing everyone to 
use strong crypto.  You can use a gun to deprive another person of their 
life - what harm can you do another with PGP?  Perhaps you can harm them 
by being able to spread hate propaganda, but I don't think that that is a 
strong enough argument.

	- Mike.

If you've got to flame me, do it by email.





From hayden at krypton.mankato.msus.edu  Sun Feb  4 10:02:30 1996
From: hayden at krypton.mankato.msus.edu (Robert A. Hayden)
Date: Mon, 5 Feb 1996 02:02:30 +0800
Subject: Need a "warning" graphic of some kind for CDA
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

Now that we all have web pages that are naughty and might be seen by 
little children, I'd like to have some kind of a graphic that can 
universally be seen as a "Warning:  The following material is unsuitable 
for children and close-minded twits".  (or words to that effect).

Anybody with much more graphic design ability than I wanna take a crack 
at something that can be spread all over the net?  It should poke as much 
fun as possible at the inaneness of the CDA, while still being a legitimate 
effort to warn people that the material is offensive (just in case people 
start getting yanked off the street on CDA violations).



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP Signed with PineSign 2.2

iQCVAwUBMRTStjokqlyVGmCFAQGA3QQA0HOMcmxT+y8NbNtI/ak9Jc1kcmjK5v2l
pO17j14IGiz3I+EwXkYMHkCPMup2CyxBZ3YTNkQ4wc8bbtUrYGy/fBSs/yA8Gfy+
TxmGb5uzdLqdhhkJHwgG1CpOkYocX9EN/LUDQ1lB7jDpW5PjNTG1EMkGq1/L3nG5
O3vI3hLrltw=
=D/1b
-----END PGP SIGNATURE-----
 
____           Robert A. Hayden      <=> hayden at krypton.mankato.msus.edu
\  /__     Finger for Geek Code Info <=>    Finger for PGP Public Key
 \/  /           -=-=-=-=-=-                      -=-=-=-=-=-
   \/        http://krypton.mankato.msus.edu/~hayden/Welcome.html

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED/J d-- s:++>: a-- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+
K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++
R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+**
------END GEEK CODE BLOCK------






From farber at central.cis.upenn.edu  Sun Feb  4 10:16:49 1996
From: farber at central.cis.upenn.edu (Dave Farber)
Date: Mon, 5 Feb 1996 02:16:49 +0800
Subject: Need a "warning" graphic of some kind for CDA
Message-ID: <2.2.32.19960204180104.006b16b0@linc.cis.upenn.edu>


Posted-Date: Fri, 2 Feb 1996 21:09:19 -0500
X-Sender: farber at linc.cis.upenn.edu
Date: Fri, 02 Feb 1996 21:09:19 -0500
From: Dave Farber 
Subject: IP: Blue Ribbon Campaign invite [ with a endorsement from me
  djf]
To: interesting-people at eff.org (interesting-people mailing list)
X-Proccessed-By: mail2list

From: Dan Brown 

Greetings from the Electronic Frontier!


As you likely already know, on Feb. 1 1996 the United States House and
Senate voted on and overwhelmingly passed the Telecommunications Act almost
immediately after being reported out of committee, before the public was
able to read, much less comment upon this bill. 

The Electronic Frontier Foundation (EFF), decries the forfeiture of free
speech prescribed by the sweeping censorship provisions of the
telecommunications "reform" legislation.

EFF is launching a campaign using a blue ribbon as a symbol to visually
communicate support for free speech in the electronic world.  As a provider
of content on the Internet we invite you to join in this awareness campaign
by displaying a link to our "Blue Ribbon" page where we will update what is
happening in the effort to preserve free speech. 

Pictures, HTML anchors and information on the progress of the campaign are
all available from http://www.eff.org/blueribbon.html. 

Don't wait in silence. Please join the fight against Internet Censorship!!



------------------------------------------------------



Dan Brown | System admin for the Electronic Frontier Foundation | brown at eff.org
    +1 415 436 9EFF Voice || +1 415 436 9993 Fax || +1 415 605 1481 Pager
         (Please leave area code _and_ phone number if you page me!)









From nsb at nsb.fv.com  Sun Feb  4 10:33:41 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Mon, 5 Feb 1996 02:33:41 +0800
Subject: Flaw in FV process (was FV and Netscape slagging each other off :-)
In-Reply-To: <2.2.32.19960131235757.00d078d8@mail.software.net>
Message-ID: 


Excerpts from mail.cypherpunks: 31-Jan-96 Flaw in FV process (was FV ..
John Pettitt at software.ne (1168*)

> In the FV model as I understand it I'd have to ship the software and wait for 
> an approve/deny/fraud from the user.  If it's anything but approved I'm SOL,
> I still have to pay Microsoft for the product but I didn't get paid.

Actually, that's not quite right.  People dealing in physical goods
typically ship them AFTER the "yes" response from the user.  And one of
the next enhancements to our system, currently implemented and in
testing in-house, will feature digitally signed notices to merchants
when credit card authorization is obtained.  At that point, the
merchant's risk will be no greater than in traditional mail-order credit
card sales.

> Solve that process flaw and I'll add FV support to software.net.

Glad to hear it!  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Sun Feb  4 10:34:33 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Mon, 5 Feb 1996 02:34:33 +0800
Subject: XMAS Exec
In-Reply-To: 
Message-ID: 


Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV Demonstrates Fatal F..
Dr. Dimitri Vulis at bwalk. (1227)

> I'd like to take an exception to this description of the XMAS EXEC, since
.............
> I had serious doubts that the person who wrote it was malicious.

Agreed completely.  I didn't mean to imply that the author was
malicious, merely that it well-illustrated the "social engineering"
approach to getting users to run untrusted code.  What I was saying is
that someone who *was* malicious could have used the same approach as
the attack vector for getting our credit card snooper (or other nasty
code) onto lots of consumer machines.  This came up, in the discussion,
because most people on this list seem to believe (correctly, I think)
that the hardest part of the attack we outlined is the initial infection
vector.  -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From merriman at arn.net  Sun Feb  4 10:52:46 1996
From: merriman at arn.net (David K. Merriman)
Date: Mon, 5 Feb 1996 02:52:46 +0800
Subject: Need a "warning" graphic of some kind for CDA
Message-ID: <2.2.32.19960204061752.00686e1c@arn.net>


-----BEGIN PGP SIGNED MESSAGE-----

At 11:37 AM 02/4/96 -0600, Robert A. Hayden wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Now that we all have web pages that are naughty and might be seen by 
>little children, I'd like to have some kind of a graphic that can 
>universally be seen as a "Warning:  The following material is unsuitable 
>for children and close-minded twits".  (or words to that effect).
>
>Anybody with much more graphic design ability than I wanna take a crack 
>at something that can be spread all over the net?  It should poke as much 
>fun as possible at the inaneness of the CDA, while still being a legitimate 
>effort to warn people that the material is offensive (just in case people 
>start getting yanked off the street on CDA violations).
>

Hmmmmm. Maybe a doll with an international 'no' sign superimposed?

Dave Merriman

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRQyXcVrTvyYOzAZAQHXhQP/dnOLwoE5iTf5sNBwPaBl/1+7tXftWIc2
KyxSqqEhgLOcBssTo56Yt7r5TMFVukbWDirNuJW4xFRqFJovw2fG2XdpxMUJlVHF
McjIgXbddYWuyjZ+G04uiKcaoMRYFMFajOipIDkTYSNHBMkfDkxbLNrT3YMNpeCx
nDyvzpX+tGM=
=iqHi
-----END PGP SIGNATURE-----
-------------------------------------------------------------
"It is not the function of our Government to keep the citizen
from falling into error; it is the function of the citizen to
keep the Government from falling into error."
Robert H. Jackson (1892-1954), U.S. Judge
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
My web page: http://www.geocities.com/CapitolHill/1148







From jpp at software.net  Sun Feb  4 11:33:44 1996
From: jpp at software.net (John Pettitt)
Date: Mon, 5 Feb 1996 03:33:44 +0800
Subject: Don't type your yes/fraud response into your computer
Message-ID: <2.2.32.19960204182512.0071a52c@mail.software.net>


At 11:14 AM 2/4/96 -0500, A. Padgett Peterson, P.E. Information Security wrote:
>OTOH, keyboard sniffing software is easy to detect because it must go 
>resident and it must intercept the keystrokes. The fact that no software
>has bothered to do this does not mean that it cannot be done. The 
>easiest way for such software to act would be to ignore the machine software
>and when sensitive material is to be passed, to do so via direct port 
>(hardware) access - been a while since I looked at it but AFAIR is around
>port 60h. (PC type machines)
>
>This would take care of anything sitting on Int 09 or Int 16 since it would
>be bypassed. Often a problem that looks difficult when viewed as a whole
>becomes simple once you disassemble it.

Nice try - but the virtual machine model used by intel supports interception
of I/O operations.  Now one could get into timing how long the I/O takes to
detect interception by the memory manager but it would be a royal pain since
the keyboard I/O controller latency is rather machine specific.

I still think the basic 'if the machine is not secure all bets are off'
premise stands.





--
John Pettitt
email:         jpettitt at well.sf.ca.us (home)
               jpp at software.net       (work)    







From tallpaul at pipeline.com  Sun Feb  4 11:43:11 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Mon, 5 Feb 1996 03:43:11 +0800
Subject: Sometines ya just gotta nuke em-and nuke em again
Message-ID: <199602041921.OAA19675@pipe8.nyc.pipeline.com>


"Neither the atomic bombing nor the entry of the Soviet Union 
into the war forced Japan's surrender. She was defeated before 
either of these events took place." 
 
     General of the Army Douglas MacArthur 
 
"It is my opinion that the use of this barbarous weapon at 
Hiroshima and Nagasaki was of no material success in our war 
against Japan. The Japanese were already defeated and ready to 
surrender because of the effective sea blockade and the 
successful bombing with conventional weapons. ... My own feeling 
was that in being the first to use it, we adopted an ethical 
standard common to the barbarians of the Dark Ages." 
 
     Admiral William Leahy, Chairman of the Joint Chiefs of Staff 
 
"The Japanese were ready to surrender and it wasn't necessary to 
hit them with that awful thing... I hated to see our country be 
the first to use such a weapon." 
 
     General of the Army Dwight D. Eisenhower 
 
These statements by the Allied military commanders were not 
deeply buried in graduate school libraries or military archives. 
They were widely printed and discussed in the media during last 
year's discussion over the Enola Gay exhibit at the Smithsonian 
Museum. 
 
Now the mere fact that the Allied military commanders all agreed 
that the nuclear bombings were unnecessary does not automatically 
mean that the commanders were correct. Theoretically, J.A. Donald 
and T.C. May might have a greater understanding. But both Donald 
and May must justify this hypothesis with evidence and logic, not 
mere assertion. 
 
Thus, J.A. Donald was perfectly free to write in Message-Id: 
<199602040622.WAA07274 at shell1.best.com> on Feb. 03 22:20 that: 
 
"Paralax does not know shit from beans.  He presumably imagines 
that Tim is 'embarrassed' because Tim's knowledge of the 
historical facts differs from those facts dreamed up by the usual 
crew of apologists for totalitarian terror." 
 
In what way and to what extent did General of the Army MacArthur, 
the senior Allied commander in the Pacific Theater not "know shit 
from beans?" 
 
In what way and to what extent was MacArthur one of the "usual 
crew of apologists for totalitarian terror?" 
 
In what way and to what extent did Chief of Staff Leahy not know 
"shit from beans?" 
 
In what way and to what extent was Leahy one of the "usual crew 
of apologist for totalitarian terror?" 
 
In what way did General Eisenhower especially not know "shit from 
beans" about this issue, given his access to all available 
information when he was President? 
 
In what way and to what extent was President Eisenhower one of 
the "usual crew of apologists for totalitarian terror?" 
 
J.A. Donald seems particularly taken with the originality and 
accuracy of the phrase "shit for beans" to reflect certain states 
of philosophical and historical knowledge for he repeated it in 
his next message Message-Id: 
<199602040611.WAA18584 at blob.best.net> on Feb. 3, 22:09 where he 
wrote: 
 
"SCHOLARLY RESEARCH!!!! 
 
"You do not know shit from beans:  Alperovitz is no more a 
scholar  than Zundel is:  He is a historical revisionist who lies 
even more crudely than the holocaust revisionists. 
 
"It is clear that in the opinion of the high command, the 
decision to  surrender after they were nuked was a dramatic and 
radical change of  position.  Alperovitz says otherwise, thus he 
is either grotesquely  ignorant or, more likely simply 
dishonest." 
 
In what way was General MacArthur an "historical revisionist" and 
in what way did he "lie even more crudely than the holocaust 
revisionists?" In what way was he "grotesquely ignorant or, more 
likely simply dishonest?" 
 
In what way of Chief of Staff Leahy? or President Eisenhower? 
 
One does not normally find J.A. Donald's phrases in civilized or 
cultured discourse over political and historical issues. His 
language is that of the demagogue, not the scientist. But he is 
entitled to use the language he wishes, just as other people have 
a similar right to examine his behavior and motivation in terms 
of identical language. 
 
We know, for example, that the pickpocket when caught may point 
to an innocent person and loudly cry "stop thief" in an effort to 
mislead the public by denouncing an innocent person for the very 
behavior for which the pickpocket is guilty. 
 
J.A. Donald voluntarily chose to present the dispute in terms of 
people who "don't know shit for beans," who are "apologists for 
totalitarian terror," who are "historical revisionists," who are 
"grotesquely ignorant or, more likely simply dishonest." 
 
Given the respective lineup of sources, what information and 
analysis would J.A. Donald present to us to lead us to conclude 
that his characterizations accurately reflect General MacArthur, 
Chief of Staff Leahy, and General Eisenhower rather than, like 
the pickpocket, J.A. Donald himself? 
 
T.C. May, while arguing essentially the same historic view as 
J.A. Donald (or rather vice versa) approaches the issue in a 
fundamentally different manner. T.C. May uses logic where J.A. 
Donald uses demagogic rhetoric. (I do not here refer to T.C. 
May's characterization of other racial/ethnic/national groups 
about which others on the list have posted.) 
 
When I read the first post by T.C. May on the mass nuclear 
bombings of civilians I thought his post was: a) off-topic for 
the cypherpunks list and; b) wrong. 
 
At that time I dismissed the idea of a public reply, thinking 
that he may have had a bad day, misunderstood the issue, or any 
of a thousand other reasons that have led me and indeed all of us 
to behave in a similar fashion at one time or another. 
 
But he re-posted on the thread in Message-Id: 
 on Feb 3, 15:54 where he 
wrote: 
 
"(I've also received several long articles from people who seemed 
outraged that I was belittling the dropping of the bomb. I wasn't 
belittling it. Far from it. The Japs surrendered after the second 
bomb, so it was obviously not a trivial matter to them.)" 
 
I think his logic is at fault here in several ways. 
 
First, I think his logic is invalid because it is a "non 
sequitur." That is the statement that the Japanese did not take 
the bombing as trivial is true but not related to the argument. 
"2 + 2 = 4" is similarly true but unrelated; and I know of no 
group of people who, whatever their politics, consider mass 
nuclear bombings of civilians to be a "trivial matter." 
 
Second, I think his logic is invalid because it commits the "post 
hoc ergo propter hoc" fallacy that goes, in essence "after this, 
therefore because of this." 
 
"The Japanese surrender came after the bomb, therefore it came 
because of the bomb" is the invalid argument. One could, to use a 
"reductio ad absurdum" counter argument, saying with equal 
(in)validity that John Smith ate a bowl of beans, took a shit, 
and the next day the Japanese surrendered, therefore the 
surrender occurred because of the beans and the shit." 
 
Indeed the Japanese surrendered, but the evidence by three top 
(THE three top?) Allied commanders show that the surrender was 
not produced by either bombs, shit, or beans. 
 





From sameer at c2.org  Sun Feb  4 11:48:31 1996
From: sameer at c2.org (sameer)
Date: Mon, 5 Feb 1996 03:48:31 +0800
Subject: RC2 technical questions
In-Reply-To: <199602040753.CAA27660@crypto.com>
Message-ID: <199602041859.KAA09877@infinity.c2.org>


> 
> I'm confused by these two messages, as a non-lawyer (but I realize you're
> also a non-lawyer).  How can RSADSI, on the one hand, expect to be able

	Giving Bob the benefit of the doubt here, I'm assuming that he
passed on the legal warning as a service to his employer, but he made
his post talking about RC2's technical strengths as an individual, not
speaking for his employer.

-- 
Sameer Parekh					Voice:   510-601-9777x3
Community ConneXion, Inc.			FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")		sameer at c2.org





From x93ojg at juliet.stfx.ca  Sun Feb  4 11:51:38 1996
From: x93ojg at juliet.stfx.ca (Still)
Date: Mon, 5 Feb 1996 03:51:38 +0800
Subject: How do I quit list?
In-Reply-To: 
Message-ID: 


Could someone tell me how to quit this list, I just don't have the time to 
read anything that is being sent to it.

Thanks

--

	     T H E  M A N , T H E  M Y T H , T H E  L E G E N D . 
******************************************************************************
* Dylan "Still" Boudreau	* Knowledge is proud that she knows so much; *
* Internet: x93ojg at stfx.ca	* Wisdom is humble that she knows no more.   *
******************************************************************************
*       Homepage: http://juliet.stfx.ca/people/stu/x93ojg/welcome.html       *  
******************************************************************************

		When someone says, "That's a good question." 
		 You can be sure it's a lot better than the 
		         answer you're going to get.







From dlv at bwalk.dm.com  Sun Feb  4 11:55:29 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 5 Feb 1996 03:55:29 +0800
Subject: Need a "warning" graphic of some kind for CDA
In-Reply-To: <2.2.32.19960204061752.00686e1c@arn.net>
Message-ID: 


"David K. Merriman"  writes:
> >Now that we all have web pages that are naughty and might be seen by
> >little children, I'd like to have some kind of a graphic that can
> >universally be seen as a "Warning:  The following material is unsuitable
> >for children and close-minded twits".  (or words to that effect).
>
> Hmmmmm. Maybe a doll with an international 'no' sign superimposed?

Either the 'no' sign (red crossed circle) or a wide red cross over one of:
 rattle
 baby bottle / pacifier
 disposable diapers (with contents visible)
  safety pin?

I'd like to think of some variation of skull+bones or the 'radioactive' sign.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From dlv at bwalk.dm.com  Sun Feb  4 12:23:18 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 5 Feb 1996 04:23:18 +0800
Subject: XMAS Exec
In-Reply-To: 
Message-ID: 


Nathaniel Borenstein  writes:
> Dr. Dimitri Vulis at bwalk. (1227)
>
> > I'd like to take an exception to this description of the XMAS EXEC, since
> .............
> > I had serious doubts that the person who wrote it was malicious.
>
> Agreed completely.  I didn't mean to imply that the author was
> malicious, merely that it well-illustrated the "social engineering"
> approach to getting users to run untrusted code.  What I was saying is
> that someone who *was* malicious could have used the same approach as
> the attack vector for getting our credit card snooper (or other nasty
> code) onto lots of consumer machines.  This came up, in the discussion,
> because most people on this list seem to believe (correctly, I think)
> that the hardest part of the attack we outlined is the initial infection
> vector.  -- Nathanielx

In '87, many people received an unsolicited executable from a known source, and
ran it without thinking twice. (If A has B's address in his nickname file, then
B probably knows and trusts A to some extent.) I hope users today know better.

I don't see why stopping a keyboard sniffer is any harder than stopping any
other virus/trojan - and most shops manage to keep them out.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From jordan at Thinkbank.COM  Sun Feb  4 13:02:05 1996
From: jordan at Thinkbank.COM (Jordan Hayes)
Date: Mon, 5 Feb 1996 05:02:05 +0800
Subject: Sometines ya just gotta nuke em-and nuke em again
Message-ID: <199602041956.LAA16514@Thinkbank.COM>


	From tallpaul at pipeline.com Sun Feb  4 11:47:09 1996

	When I read the first post by T.C. May on the mass nuclear
	bombings of civilians I thought his post was: a) off-topic
	for the cypherpunks list and; b) wrong.

By the way, there certainly *is* a crypto-relevance to this thread,
since much of what we knew at the time about the Japanese high
command and their motivations and actions was learned through MAGIC
intercepts.  It also has quite a lot to do with how these intercepts
(and related documents) were released over time; the intentionality
of what was released, when, and how shows a good deal about how
this subject was managed by our government.

Since I practically started it (by calling into question Tim's
recitation of the story invented about the 500,000 Americans "saved"
by dropping the bomb), I'd like to call on those who are interested
in it to do some more searching, reading, analyzing and talking.

But not here.

Thanks,

/jordan





From nobody at REPLAY.COM  Sun Feb  4 13:03:36 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Mon, 5 Feb 1996 05:03:36 +0800
Subject: Futplex makes the news!
Message-ID: <199602042013.VAA28130@utopia.hacktic.nl>


Duncan Frissell  wrote in "Re: Futplex makes the news!":

[..]
"Then there was the time that my RA (Resident Assistant) in my dorm in a
small (private) liberal arts college in the Northwest found out I had a gun
in my room..."

Ah. The only semester I lived on campus, the RA was our roommate, who
just finished doing a round of bong hits with us, then walked around
the hall and busted everyone else who was smoking dope.

It's sad when a nineteen year old kid tries to act like your mother or father.









From dmandl at panix.com  Sun Feb  4 13:07:43 1996
From: dmandl at panix.com (dmandl at panix.com)
Date: Mon, 5 Feb 1996 05:07:43 +0800
Subject: Need a "warning" graphic of some kind for CDA
In-Reply-To: 
Message-ID: 


On Sun, 4 Feb 1996, Robert A. Hayden wrote:

> Now that we all have web pages that are naughty and might be seen by 
> little children, I'd like to have some kind of a graphic that can 
> universally be seen as a "Warning:  The following material is unsuitable 
> for children and close-minded twits".  (or words to that effect).

How about a full-color, actual-size GIF of an erect penis?  I think
that ought to get the message across to most concerned parents that my
web page is not for little Johnny.

   --D.

--
Dave Mandl
dmandl at panix.com
http://www.wfmu.org/~davem





From hayden at krypton.mankato.msus.edu  Sun Feb  4 13:07:54 1996
From: hayden at krypton.mankato.msus.edu (Robert A. Hayden)
Date: Mon, 5 Feb 1996 05:07:54 +0800
Subject: Need a "warning" graphic of some kind for CDA
In-Reply-To: <2.2.32.19960204180104.006b16b0@linc.cis.upenn.edu>
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

[Information about the EFF's Blue Ribbon campaign deleted to save space]

What I was proposing was not the blue ribbon.  The ribbon is for 
supporting basic electronic rights.  What kind of graphic I was looking 
for was something that would serve as a universal warning saying "The 
following is naughty stuff, don't look here except at your own risk".  A 
combination of disclaimer and warning and tongue-in-cheek protest against 
the inane laws.  

The Blue Ribbon is something different...


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP Signed with PineSign 2.2

-----END PGP SIGNATURE-----
 
____           Robert A. Hayden      <=> hayden at krypton.mankato.msus.edu
\  /__     Finger for Geek Code Info <=>    Finger for PGP Public Key
 \/  /           -=-=-=-=-=-                      -=-=-=-=-=-
   \/        http://krypton.mankato.msus.edu/~hayden/Welcome.html

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED/J d-- s:++>: a-- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+
K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++
R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+**
------END GEEK CODE BLOCK------






From alano at teleport.com  Sun Feb  4 13:38:45 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 5 Feb 1996 05:38:45 +0800
Subject: Concerning Jim Bell
Message-ID: <2.2.32.19960204211446.00948c20@mail.teleport.com>


-----BEGIN PGP SIGNED MESSAGE-----

It has been brought to my attention that I did not make this as
clear as it should be.

        I consider Mr. Bell to be a crank and a loon.

        He has no interest in any sort of honest discussion.

        He wishes to draw in others in the hope of "punishing
me".

- From now on, I am ignoring all of his posts and "killfiling"
him.

You may now go back to your scheduled and unscheduled lives.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From stephan.mohr at uni-tuebingen.de  Sun Feb  4 13:59:33 1996
From: stephan.mohr at uni-tuebingen.de (Stephan Mohr)
Date: Mon, 5 Feb 1996 05:59:33 +0800
Subject: free speech and the government
Message-ID: <2.2.16.19960204221354.2eb748c6@mailserv.uni-tuebingen.de>


At 16:02 03.02.1996 -0800, you wrote:
>Stephan Mohr writes:
>> 
>> Well, I feel that I agree with the people on the right of free speech for
>> i.e. the neo-nazi stuff or other political, ideological and/or religious
>> ideas. But there is still something that leaves me uneasy: imagine there
>> would be a way to easily make a powerful poison, easily applied to
>> your town's water-reservoir, or a very easy way to build some strong
>> explosive device. etc. Actually, I think that stuff like this does exist
>> already.
>> 
>> But the idea that one day I just put 'easy made deadly poison for millions'
>> into my webcrawler and whoop there it is on my screen or on the screen of any
>> other fool, doesn't sound too right to me. I would like things like this
>> to be better put aside and locked up.
>
>You can't put the genie back into the bottle.
>Once something is invented or described, the knowledge
>is out there.  Someone who wants to use that knowledge
>for "wrong" purposes can find it.
>
>Maybe a lot of people around the world could agree that
>the knowledge to make something really dangerous (say Sarin nerve gas) 
>should be suppressed.  But where do we draw the line?  If
>we, or rather our government acting ostensibly in our interest, decides
>to suppress the information on how to make Sarin, not too many people
>will complain.  But the tendency of governments is to regulate and
>restrict and tax more.   What happens when governments suppress
>knowledge on how to make gunpowder?  Or printing presses?  Or
>encryption?
>
Actually, I am glad that the whole story started over some neo-nazi stuff
and not a recipe to easily make a very potent poison. I wonder if there
would have been as many 'poison-sites' as there are zundel-sites. And what
'poison-site'-maintainers would think after some fool would have used the
poison to kill a bunch of kindergarten-kids by putting it into their food.
And how some governments would react and what type of restriction on the net
would not only be accepted, but even demanded by the people. Yeah, I know,
the guy could have gotten the idea elsewhere as well, but you know how
people think and how governments like to link unrelated stuff to gain power.

And it is nice to see how much publicity you can give to something by
prohibiting it.


>Many people argue (rightly IMHO) that once started on the slippery slope
>of suppressing knowledge there's no stopping until we're all
>under the boot heel of the police state.
>
>[..]

I think that you are right in saying that you can't put the genie back into
the bottle. But I think it makes a big difference if you make it widely
available to everyone and maybe even to people who do not want to have it. 

It would be nice to have some type of obstacle in the way to this type of
information. It is like putting drugs, alcohol and other dangerous stuff out
of the reach of children. Or putting a fence at some dangerous cliff to
prevent people from falling over. The dangerous stuff will still be there
and you just can't flatten every hill. But there is a responsibility that
comes with information as well as with any other thing. 

So I do not want to outlaw some type of information, I agree that this is
not feasible (I hope) nor desirable. But I think that there should be some
possibility of control on a public medium. Not to control the content but to
control the access. The idea is to give control to those in need of control
without interfering with the free exchange of information of others. This
could be done, for example, by giving them a choice of providers or browser
software (Jewish, Catholic, anarchist, terrorist, gay, straight ...
flavoured provider/browser). So you can say whatever you want, but everyone
can decide whether he or she wants to listen to you or not (in a more
sophisticated way, of course). And it is not just 'don't click on my page then'.

Here encryption may play an important role: not only to protect your
privacy, but also to protect others from having to read your stuff.

Most of the governments will not accept the idea of free speech like this.
And I am afraid, but I guess they could still tear down the whole net if
they want to. So, wouldn't it be better that, if there should be some type
of control technology, that it is conceived by the netizen and not by, say
the German, Chinese, or French government.

Stephan






From ampugh at mci.newscorp.com  Sun Feb  4 14:17:01 1996
From: ampugh at mci.newscorp.com (Alan Pugh)
Date: Mon, 5 Feb 1996 06:17:01 +0800
Subject: Imminent Death of Usenet Predicted
Message-ID: <199602042156.QAA17688@camus.delphi.com>


>What if looking at a JPEG were like buying beer?  The default is
>that a 12 year old isn't going to fool the guy at 7-11, but if
>their parents buy a beer and give it to 'em, what the heck?
>Consuming alcohol is not regulated; *purchasing* it is.
>
>Don't forget: the fact that "porno on the net" (for instance) is
>an issue *at all* is a *failure* of technology.  It would be a
>non-issue if USENET wasn't essentially a technology vacuum.

indeed. and Who is doing the most to make sure that the technology
necessary (strong widespread crypto) to make porno on the net a 
non-issue? if the governments of the world weren't such a bunch of 
collective paranoid pricks, i believe we'd be in the process of 
implementing global encryption on the internet and private networks 
as well. 

the public needs to be informed that this 'failure of technology' is 
completely unnecessary. one of the things that _really_ pisses me off
is that the very same people who are restricting the access of crypto
technology are the ones who are screaming that they need to restrict 
other fundamental freedoms because of their own stupid policies.

writing this, it is obvious that their policy is entirely reasonable
and in fact necessary if it is your fundamental goal to restrict freedom.
i believe this to be the case when considering governments in general, 
and the u.s. govt. in particular.

amp








From cea01sig at gold.ac.uk  Sun Feb  4 14:31:15 1996
From: cea01sig at gold.ac.uk (Sean Gabb)
Date: Mon, 5 Feb 1996 06:31:15 +0800
Subject: enquiry
Message-ID: 



Is anyone out there able to give me the e-mail address of 

	Smith Micro Software, Inc
	51 Columbia
	Aliso Viejo
	California 92656

I need to ask about some software written by them.  Any help would leave 
me very grateful.

Sean Gabb.





From alano at teleport.com  Sun Feb  4 14:36:01 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 5 Feb 1996 06:36:01 +0800
Subject: Encryption and Backups
Message-ID: <2.2.32.19960204221301.0093a448@mail.teleport.com>


Something that I have not seen addressed is the need for strong encryption
in backup software.

Most backup software has an "encryption" option, but I have seen few that
have anything resembling strong encryption.  Furthermore, I have seen no
real push for strong encryption for backups at all.

I see this as a product that corporations should be demanding.  It is
difficult to walk off with a computer, but a dat tape can be slipped in a
pocket with little notice.  If it happens to be of a server or important
system, valuable information would be in the hands of whoever could decrypt
it.  (And off site a lot of resources could be thrown at decrypting the
data.) Weak or no encryption of backups could be a potential problem with
the security of a business.  (Of course, if you leave tapes lying around,
you are asking for trouble anyways...)

Might be an idea for a product there...  (And you can bet law enforcement
would throw a hissy fit about its existence.)

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From x93ojg at juliet.stfx.ca  Sun Feb  4 14:41:40 1996
From: x93ojg at juliet.stfx.ca (Still)
Date: Mon, 5 Feb 1996 06:41:40 +0800
Subject: None
In-Reply-To: <199602042117.PAA05965@vishnu.alias.net>
Message-ID: 


On Sun, 4 Feb 1996, Mr. Boffo wrote:

> > Could someone tell me how to quit this list, I just don't
> > have the time to read anything that is being sent to it.
> 
> Yes. You can turn your modem off :)
> 

Hey Boffo, Don't be an idiot!!  It is hard to turn off your modem when 
you are on a university network.  Don't be so quick to be a smart ass.  
If you don't have anything productive to say then shut the fuck up!!
						  ~~~~~~~~~~~~~~~~~~

--

	     T H E  M A N , T H E  M Y T H , T H E  L E G E N D . 
******************************************************************************
* Dylan "Still" Boudreau	* Knowledge is proud that she knows so much; *
* Internet: x93ojg at stfx.ca	* Wisdom is humble that she knows no more.   *
******************************************************************************
*       Homepage: http://juliet.stfx.ca/people/stu/x93ojg/welcome.html       *  
******************************************************************************

		When someone says, "That's a good question." 
		 You can be sure it's a lot better than the 
		         answer you're going to get.







From cea01sig at gold.ac.uk  Sun Feb  4 14:52:31 1996
From: cea01sig at gold.ac.uk (Sean Gabb)
Date: Mon, 5 Feb 1996 06:52:31 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <960204084755_135434252@emout04.mail.aol.com>
Message-ID: 


What little I know about Mr Zundel convinces me that he's not the most 
pleasant man to know.  But really, these purported messages from him are 
so grossly unlikely, they defeat their object.

Sean Gabb.


On Sun, 4 Feb 1996 
ErnstZundl at aol.com wrote:

> >> if he's out there convincing Neo-Nazis and Holocaust deniers
> >> to go freeze to death at the South pole, is that really
> >> anti-semitic?
> 
> DUH!!
> 
> Nobody is going to freeze to death if they dress warmly.  That is just a myth
> about Antarctica.  It is really a tropical paradise, but THE JEWS don't want
> you to know that.  Besides, we will all be going *inside* a VOLCANO!  Even if
> somehow Antarctica were freezing cold, we will be plenty warm inside the
> volcano which leads to the Aryan Nazi UFO Base at the center of the Earth.
> 
> I am not asking Nazis and Holocaust deniers to freeze to death!  I am
> inviting them to jump into a volcano, you fool!
> 
> 
> 





From don at cs.byu.edu  Sun Feb  4 14:58:48 1996
From: don at cs.byu.edu (Don)
Date: Mon, 5 Feb 1996 06:58:48 +0800
Subject: Wading through lame crap, plus on-topic privacy stuff
In-Reply-To: 
Message-ID: 


>   Neither dropping nuclear weapons on Japanese cities nor an invasion 
>   of Japan was necessary to secure surrender of the Japanese government. 

Doesn't anyone bother to delete cpunks from the CC before sending this off
topic stuff? And since I know it's coming, please refrain from trying to
relate it to anything relevant here with some kind of japan-crypto or
wrongful governmental action ObCrypto's. What I had for lunch is just as
irrelevant, but that doesn't mean it becomes relevant if I can somehow
involve encryption.


Dangit, where's my procmail. Does anyone use gnus for this list? I think
I need a scoring system.


Now for the on-topic stuff. Looking through my mail yesterday, noticed a
credit card application from BofA. Despite the fact that they didn't want
to give me a card three years ago, they have offered a student card to me.
I figured that it was a lucky guess, them knowing I'm a student again. Then
I noticed they were kind enough to fill in my school ("Main Campus" too) into
the appropriate blank. Now, that's either a really good guess, or else they've
been out looking me up. I'm currently writing a letter to BofA telling them
they can kiss my rear if they're going to go around keeping tabs on me. They
should at least be more careful about letting me on to them.

This got me interested in which companies keep track of what information. I'm
now going to write to my other credit companies and ask something like:

   I am interested in knowing what information your company keeps track of    
   which is not directly related to my credit history, my balance, and my   
   current address. For example, do you maintain or seek out any of the 
   following information:

   Change in Marital Status that don't relate to credit account
   change or loss of employment
   spending habits, ie, types of goods, dollar amounts and locations,
     for any purpose
   credit or bank accounts with other companies, for any purpose

Can anyone suggest anything else to ask about? I know, for example, that some
companies keep track of spending so as to be able to call you up if you, for
example, start buying large numbers of cars in asia. Or maybe they have a red
flag that goes up if you start to max out all your other credit cards or
something. But I've run out of things that I think they're keeping track of
that they don't need to. I suppose DNA samples is probably still a bit away.

Don








From alano at teleport.com  Sun Feb  4 15:06:47 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 5 Feb 1996 07:06:47 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <2.2.32.19960204224813.0095ec64@mail.teleport.com>


At 10:20 PM 2/4/96 +0000, Sean Gabb wrote:
>What little I know about Mr Zundel convinces me that he's not the most 
>pleasant man to know.  But really, these purported messages from him are 
>so grossly unlikely, they defeat their object.

Why is it that so many people took those messages as _actually_ being from
the real Mr. Zundel?  The text is obviously a parody.

I guess most of Usenet has been disconnected from any reliable clue server...

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From ses at tipper.oit.unc.edu  Sun Feb  4 15:24:13 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 5 Feb 1996 07:24:13 +0800
Subject: Wading through lame crap, plus on-topic privacy stuff
In-Reply-To: 
Message-ID: 


Even your on-topic stuff wasn't really on-topic "-)

You can relax - the bank doesn't have a bunch of PIs snooping around to 
find out what you're up to. What actually happens is that the university 
sells the list of registered students to various organisations for use in 
direct-mail campaigns. 


(defun modexpt (x y n)  "computes (x^y) mod n"
  (cond ((= y 0) 1) 	((= y 1) (mod x n))
	((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
	(t (mod (* x (modexpt x (1- y) n)) n))))






From tcmay at got.net  Sun Feb  4 15:39:34 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 5 Feb 1996 07:39:34 +0800
Subject: enquiry
Message-ID: 


At 10:11 PM 2/4/96, Sean Gabb wrote:
>Is anyone out there able to give me the e-mail address of
>
>        Smith Micro Software, Inc
>        51 Columbia
>        Aliso Viejo
>        California 92656
>
>I need to ask about some software written by them.  Any help would leave
>me very grateful.

Use the Force, Luke!

Smith Micro Software, Inc

51 Columbia
Aliso Viejo, CA 92656
Phones: Main - (714) 362-5800, Sales - (800) 964-7674, Technical Support -
(714) 362-2350, Fax - (714) 362-2300, Automated Fax-On-Demand -
(714) 362-2396, BBS: (714) 362-5822
EMail: CompuServe - 74431,1044; Internet - sales at smithmicro.com


--Tim


[This Bible excerpt awaiting review under the Communications Decency Act]
And then Lot said, "I have some mighty fine young virgin daughters. Why
don't you boys just come on in and do em right here in my house - I'll just
watch!"....Later, up in the mountains, the younger daughter said. "Dad's
getting old. I say we should do him." So the two daughters got him drunk and
did him all that night. Sure enough, Dad got em pregnant....Onan really
hated the idea of doing his brother's wife and getting her pregnant while
his brother got all the credit, so he whacked off first....Remember, it's
not a good idea to have sex with your sister, your brother, your parents,
your pet dog, or the farm animals. [excerpts from the Old Testament, Modern
Vernacular Translation, TCM, 1996]







From EALLENSMITH at ocelot.Rutgers.EDU  Sun Feb  4 15:58:19 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 5 Feb 1996 07:58:19 +0800
Subject: Sometines ya just gotta nuke em-and nuke em again
Message-ID: <01I0TPKBDGZQA0UULQ@mbcl.rutgers.edu>


	Since the only cryptographic relevance here is whether the US knew
about Japan's current state, and that isn't actually relevant, I won't
respond to the list further on this. I regard the dropping of the bomb as
right because it saved American lives, no matter who you believe on how many.
America was on the side of good in WWII, and the Japanese (as much as they
fail to admit it publicly, including to their schoolchildren) were on the
evil one. This is the case for several reasons:
	First, the Japanese had allied themselves with the Nazis.
	Second, the Japanese had done definite wrongs in China and elsewhere.
	Third, the Japanese attacked the US first (and it doesn't matter
whether the US knew about it beforehand).

	It also doesn't matter whether Truman et al were considering the
effects on the Soviet Union. To use a current example, just because an ISP
is paid doesn't mean that that ISP is wrong to keep on Neo-Nazi material. 
	If you wish to continue this discussion; feel free to do so via private
email.
	-Allen





From wlkngowl at unix.asb.com  Sun Feb  4 16:05:21 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 5 Feb 1996 08:05:21 +0800
Subject: Our "New Order"
Message-ID: <199602042338.SAA12103@UNiX.asb.com>


On Sat, 3 Feb 1996 11:30:48 -0700, David M. Rose wrote:

>In view of the fact that our government seems bent on abrogating its
>citizens' rights to free speech, has anyone done a survey indicating which
>foreign countries have the best Net connections to the U.S. (excepting, of
>course, Germany and possibly France)?

>It may be expedient for Planned Parenthood and others whose points of view
>differ somewhat from those approved under our "New Order"* to explore
>alternatives in order to reach their constituencies.

The law makes anyone accessing material liable... even if you connect
to a foreign site where it's legal there, if it's banned in the US,
you can still get screwed (in theory).

Methinks the time is right for a "PGPScape" web browser.

Rob.







From wlkngowl at unix.asb.com  Sun Feb  4 16:06:00 1996
From: wlkngowl at unix.asb.com (Mutatis Mutantdis)
Date: Mon, 5 Feb 1996 08:06:00 +0800
Subject: [CONSPIRACYPUNKS] RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602042333.SAA11998@UNiX.asb.com>


On Sat, 03 Feb 1996 21:30:47 -0500, you wrote:


>Anonymous writes:
>>      It is becoming obvious to anyone with two brain cells to rub
>> together that RC4 and now RC2 have been deliberately released by RSA
>> Data Security.

>Anyone with more than two brain cells might feel otherwise, however.

...and if they look at the algorithm (public knowledge now), they may
trust it less.  At least a few clumps of ganglia I have feel that way
about the alleged RC2.








From EALLENSMITH at ocelot.Rutgers.EDU  Sun Feb  4 16:10:43 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 5 Feb 1996 08:10:43 +0800
Subject: Jamming and privacy problem
Message-ID: <01I0TP2E3C9SA0UULQ@mbcl.rutgers.edu>


	It looks like one non-political solution to this problem would be
a gadget to jam the receiver so it can't activate the transponder or,
alternately, receive the transponder's signal. Cryptographic relevance?
They might start doing something tricky with frequencies, etcetera.
	-Allen	

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, send an empty message to  rre-help at weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date:       Sat, 03 Feb 96 10:21:11 EST
From:       Computer Privacy Digest Moderator  
To:         Comp-privacy at uwm.edu
Subject:    Computer Privacy Digest V8#012

Computer Privacy Digest Sat, 03 Feb 96              Volume 8 : Issue: 012

----------------------------------------------------------------------

Date: 01 Feb 1996 19:25:04 -0800 (PST)
From: Phil Agre 
Subject: Universal Tracking of Road Traffic

I have here the most amazing document.  It is a Request for Proposals
(number 95-7, dated January 1996) from the State of California Air
Resources Board (Research Division, 2020 L Street, Sacramento CA 95814)
entitled "Incorporation of Radio Transponders into Vehicular On-Board
Diagnostic Systems".  The ARB wants someone to build transponders and
receivers that allow computers to automatically poll cars to determine
if their emissions systems are failing, in the process accumulating a
database of the cars' locations on particular dates and times.

According to the RFP, by 1996 new cars and light trucks in California
are required to have onboard systems that illuminate a dashboard light
if the emissions systems are malfunctioning.  Since the appearance of
this light does not ensure that the car's owner will get the emissions
system fixed, the ARB is proposing that new cars and light trucks
starting in the year 2000 (it doesn't say all of them, but it does say
1,000,000 of them) be required to include transponders that can
broadcast the car's VIN number, the emissions system fault codes, the
vehicle's location at the time of the query, and a status code.  The
receivers are supposed to be capable of automatically polling the
"fleet" of cars equipped with transponders and storing in a database
the following information: date and time of current and last query,
VIN, status and fault codes, and "vehicle location (to the zip code
level, and city)".  The contractor also "shall produce a public service
video documenting the system and explaining the concept and the
benefits of such a transponder-assisted approach to enhancing the
present I/M [Inspection and Maintenance] program."

In case it's not clear, the ARB is envisioning a system under which
cars sold in California will be required to incorporate a device ("no
larger than a pack of cigarettes") that the state can use to track its
whereabouts at all times.  This plan poses a greater threat to
individual privacy than automatic toll collection or any other plan
currently under development for non-commercial transport informatics,
so far as I know.  Environmental concerns are real, and the air in Los
Angeles is a crime, but plenty of means are available for alleviating
air pollution without constructing the technological groundwork for an
authoritarian society.

--
Phil Agre

------------------------------

End of Computer Privacy Digest V8 #012
******************************





From remailer at flame.alias.net  Sun Feb  4 16:57:18 1996
From: remailer at flame.alias.net (Flame Remailer)
Date: Mon, 5 Feb 1996 08:57:18 +0800
Subject: None
Message-ID: <199602050015.BAA10473@utopia.hacktic.nl>


    >> > Could someone tell me how to quit this list, I just don't
    >> > have the time to read anything that is being sent to it.
    >> 
    >> Yes. You can turn your modem off :)
    >> 

> Hey Boffo, Don't be an idiot!!  It is hard to turn off your
> modem when you are on a university network.  Don't be so
> quick to be a smart ass.  If you don't have anything
> productive to say then shut the fuck up!!

	Wow.. Looks like someone didn't get their nap. Maybe someday
he'll figure out about anonymous remailers too and quit trying to
argue with Mr. Boffo. :)









From shamrock at netcom.com  Sun Feb  4 17:14:26 1996
From: shamrock at netcom.com (Lucky Green)
Date: Mon, 5 Feb 1996 09:14:26 +0800
Subject: [NOISE] Is this email getting through?
Message-ID: 


I have not received any CP traffic for several days. Repeated
(re-)subscription requests didn't generate a reply from majordomo. If this
message shows up on the list, please let me know.

Puzzled,

-- Lucky Green 
   PGP encrypted mail preferred.







From gibo at ripco.com  Sun Feb  4 17:21:55 1996
From: gibo at ripco.com (Giles Bowkett)
Date: Mon, 5 Feb 1996 09:21:55 +0800
Subject: cypherpunks-d V2 #480
Message-ID: 


>From: Cecelia A Clancy 
>Date: Sat, 3 Feb 1996 18:06:32 -0500 (EST)
>Subject: Re: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
>
>On Sat, 3 Feb 1996 ErnstZundl at aol.com wrote:
>
>Ernst Zu"ndel's e-mail address is ezundel at cts.com.  He is on on
>AOL to me knowledge.

[snip]

>The above text does not feel like Zu"ndel to me.  I think
>that this ErnstZundel at aol.com might very well be an imposter.
>The above is not the real Zu"ndel's speaking or writing
>style.  Zu"ndel does not want books burned and people persecuted
>nor does he want certain races and ethnic groups declared
>inferior.


My God, you're kidding!  The Zundel post might have been a JOKE?!  But I
believed every word of it!



=========================================>>>http://pages.ripco.com/~gibo

"Tree-borne kettle-girl...I love you."  -- from Ranma 1/2







From dlv at bwalk.dm.com  Sun Feb  4 17:43:42 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 5 Feb 1996 09:43:42 +0800
Subject: Wading through lame crap, plus on-topic privacy stuff
In-Reply-To: 
Message-ID: <68usiD56w165w@bwalk.dm.com>


Don  writes:
> Now for the on-topic stuff. Looking through my mail yesterday, noticed a
> credit card application from BofA. Despite the fact that they didn't want
> to give me a card three years ago, they have offered a student card to me.
> I figured that it was a lucky guess, them knowing I'm a student again. Then
> I noticed they were kind enough to fill in my school ("Main Campus" too) into
> the appropriate blank. Now, that's either a really good guess, or else they've
> been out looking me up. I'm currently writing a letter to BofA telling them
> they can kiss my rear if they're going to go around keeping tabs on me. They
> should at least be more careful about letting me on to them.

Most likely, BofA just obtained the mailing list of all students from your
school and mailed the same offer to all. If you read the fine print, you'll
probably find that your application is still subject to their credit approval.

> This got me interested in which companies keep track of what information. I'm
> now going to write to my other credit companies and ask something like:
...

If you haven't read the book _Privacy for Sale: How Computerization Has Made
Everyone's Private Life an Open Secret_ by Jeffrey Rothfeder
(ISBN 0-671-73492-x), I suggest you get hold of it. You'll be amazed. :-)

>    spending habits, ie, types of goods, dollar amounts and locations,
>      for any purpose

Most definitely! When you charge things to your credit cards, the types of
products and services you purchase, and the typical amounts you spend
all go into your consumer profile, available for the right price.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From dlv at bwalk.dm.com  Sun Feb  4 17:49:03 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 5 Feb 1996 09:49:03 +0800
Subject: [FLAME] Concerning Jim Bell
In-Reply-To: <2.2.32.19960204211446.00948c20@mail.teleport.com>
Message-ID: 


THE FOLLOWING IS A FLAME.

Alan Olsen  writes:
> It has been brought to my attention that I did not make this as
> clear as it should be.

Alan, you've indicated previously that you won't post anything more on this
subject to cypherpunks at toad.com.

>         I consider Mr. Bell to be a crank and a loon.

You're certainly entitled to your opinion. You might be interested to know that
I consider Jim Bell to be a highly intelligent, knowledgeable, and overall nice
person. I'm particularly impressed by his calm and restrained response to your
provocations. I've also formed a rather negative opinion of you, based on your
actions in this incident.

>         He has no interest in any sort of honest discussion.

I can say with confidence that no one on this cp list has any interest in
the flame war that you're trying to drag in here, nor in a discussion of Jim's
views that are not crypto-related. You apparently tried and failed to start a
discussion of Jim's non-crypto-related views in this forum, which no one really
gives a rat's ass about. Honest or dishonest, the discussion of Jim's political
views has nothing to do with encryption.

>         He wishes to draw in others in the hope of "punishing
> me".

You're punishing yourself by destroying your credibility and carrying on this
silly flame war. You've kicked Jim off of "your" mailing list, pushing the
flame war that you've started to this list. I don't appreciate this.

> - From now on, I am ignoring all of his posts and "killfiling"
> him.

Jim is already ignoring you. So should everyone else. Please stick to your
promise. So far, you've posted several times more on this subject than Jim.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From PADGETT at hobbes.orl.mmc.com  Sun Feb  4 18:03:24 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 10:03:24 +0800
Subject: Protecting the innocent on the nets
Message-ID: <960204203505.2020e029@hobbes.orl.mmc.com>


About a year ago I came up with a mechanism to allow subscription or
controlled circulation magazines to be distributed on the net. Not
saying is new, just was new to me. Seems like it would be a mechanism
for anyone to communicate/access Web pages without crypto, yet allowing
protection of such things from those requiring such protection.

Concept works like this: LZ (or most other) compressed files have two 
elements - a data dictionary and ordered pointers to that dictionary.

Now say you took a large number of text files/.Gifs/.Jpegs/whatever and
created a universal (well nearly) data dictionary that would fit on a 
CD-Rom. Using large patterns and good ordering techniques could achieve
good throughput.

Now to a group of subscribers/friends/whatever, the disk is distributed
in a controlled manner.

Once distribution is made, then what is sent on the net/put on the Web
page are just the pointers to the data dictionary plus any patterns not
in the dictionary (low enough not to create anything intelligible).

What you have is a gigantic book code with a copyrightable book for which
you can control the circulation. Those under age need not apply. If they
obtain one, then it was illegally and you have made a "good faith attempt"
IMNSLO to protect the innocent.

Can even change the CD-Rom dictionary *order* yearly/monthly/whatever if
you want.

Comment ?
					Warmly,
						Padgett

ps if you reply to the list, *please* do not copy me, my volume is silly
   enough without getting duplicates as it is.
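
Added example (not part of the original post and not Padgett's code): a word-level toy of the scheme described above, with a constructed corpus standing in for the CD-ROM and an HMAC-keyed sort standing in for the periodic re-ordering; every function name, key and sample string is an assumption. It also shows what someone without the disk still sees on the wire: the literals, and a repetition pattern that re-ordering the dictionary does not change.

```python
"""Toy 'book code' transport: a shared dictionary plus pointers (illustration only)."""
import hashlib
import hmac
import re

TOKEN = re.compile(r"\w+|\W")  # a word, or one non-word character

# Constructed sample data: CORPUS stands in for the text pressed onto the disk.
CORPUS = ("subscribers read the magazine on the net and the web page "
          "carries only pointers to the disk")
MESSAGE = "the magazine on the web carries pointers, the disk carries the text"


def build_edition(corpus, edition_key):
    """Return the dictionary for one edition of the disk.

    Entries are the distinct tokens of the corpus; their order (and so every
    pointer value) is fixed by an HMAC of each token under edition_key. The
    keyed sort is an assumption standing in for the periodic re-ordering.
    """
    def rank(tok):
        return hmac.new(edition_key, tok.encode(), hashlib.sha256).digest()
    return sorted(set(TOKEN.findall(corpus)), key=rank)


def encode(message, dictionary):
    """Replace each token by its pointer; tokens not on the disk go out as literals."""
    index = {tok: i for i, tok in enumerate(dictionary)}
    return [index.get(tok, tok) for tok in TOKEN.findall(message)]


def decode(stream, dictionary):
    """Rebuild the text. A pointer the dictionary cannot resolve becomes '?'."""
    out = []
    for item in stream:
        if isinstance(item, int):
            out.append(dictionary[item] if 0 <= item < len(dictionary) else "?")
        else:
            out.append(item)
    return "".join(out)


def literals(stream):
    """Everything that crossed the wire in the clear."""
    return [item for item in stream if isinstance(item, str)]


def literal_fraction(stream):
    """Share of tokens sent as literals (the 'low enough' figure in the post)."""
    return len(literals(stream)) / len(stream) if stream else 0.0


def repetition_pattern(seq):
    """Number each distinct item by order of first appearance."""
    first_seen = {}
    return [first_seen.setdefault(item, len(first_seen)) for item in seq]


if __name__ == "__main__":
    disk_1996 = build_edition(CORPUS, b"edition-1996")
    disk_1997 = build_edition(CORPUS, b"edition-1997")
    wire = encode(MESSAGE, disk_1996)
    print("on the wire   :", wire)
    print("right disk    :", decode(wire, disk_1996))
    print("wrong edition :", decode(wire, disk_1997))
    print("no disk       :", decode(wire, []))
    print("literals sent :", literals(wire),
          f"({literal_fraction(wire):.0%} of tokens)")
    same = repetition_pattern(wire) == repetition_pattern(encode(MESSAGE, disk_1997))
    print("repetition pattern survives re-ordering:", same)
```

In this toy each token has exactly one dictionary entry, so the pointer stream is a one-to-one substitution over words; a dictionary with overlapping patterns would allow several encodings of the same text.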





From PADGETT at hobbes.orl.mmc.com  Sun Feb  4 18:05:08 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 10:05:08 +0800
Subject: Don't type your yes/fraud response into your computer
Message-ID: <960204190820.2020e029@hobbes.orl.mmc.com>


>Nice try - but the virtual machine model used by intel supports interception
>of I/O operations. 

(something educating prior generations how to apply a near vacuum to shelled
embryos).

Sure it does - why it is essential for protective activity to begin while
the system is still in REAL mode following boot. Might also need to write
a .VXD (horrors)

>I still think the basic 'if the machine is not secure all bets are off'
>premise stands.

Oh I agree, just believe that software can make a machine secure (or at
least detect when security cannot be assured which is almost as good). 

Might I suggest you take a look at the "safe PC" discussions on Virus-L c.a
1989-1990. We were talking about virus protection then but is the same
thing. Believe it or not, we even had real and protected mode discussions
back in those days while we were waiting for Noah (only guy who ever took
out a cattle boat and wound up half-way up a mountain...).

					Warmly,
						Padgett





From EALLENSMITH at ocelot.Rutgers.EDU  Sun Feb  4 18:28:48 1996
From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH)
Date: Mon, 5 Feb 1996 10:28:48 +0800
Subject: Computer Law Observer
Message-ID: <01I0TPOQUFDOA0UULQ@mbcl.rutgers.edu>


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, send an empty message to  rre-help at weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 29 Jan 1996 18:01:16 -0500
From: Galkin at aol.com
Subject: The Computer Law Observer #16

=====================================
GENERAL INFO: The Computer Law Observer is distributed (usually) weekly
for free and is prepared by William S. Galkin, Esq. The Observer is
designed specifically for the non-lawyer. To subscribe, send e-mail to
wgalkin at earthlink.com. All information contained in The Computer Law
Observer is for the benefit of the recipients, and should not be relied
on or considered as legal advice. Copyright 1996 by William S. Galkin.
=====================================

ABOUT THE AUTHOR: Mr. Galkin is an attorney in private practice in
Owings Mills, Maryland (which is a suburb of Baltimore). He is an
adjunct professor of Computer Law at the University of Maryland School
of Law and has concentrated his private practice in the Computer Law
area since 1986. He represents small startup, midsized and large
companies, across the U.S. and internationally, dealing with a wide
range of legal issues associated with computers and technology, such as
developing, marketing and protecting software, purchasing and selling
complex computer systems, and launching and operating a variety of
online business ventures. He also enjoys writing about computer law
issues!

===> Mr. Galkin is available for consultation with individuals and
companies, wherever located, and can be reached as follows: E-MAIL:
wgalkin at earthlink.com/TELEPHONE: 410-356-8853/FAX: 410-356-8804/MAIL:
10451 Mill Run Circle, Suite 400, Owings Mills, Maryland 21117.
Articles in The Observer are available to be published as columns in
both print and electronic publications. Please contact Mr. Galkin for
the terms of such usage.

*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
ELECTRONIC PRIVACY RIGHTS AND POLICE POWER
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+

[This is the third of a series of articles discussing privacy rights in
the digital age.]

It's no secret. Law enforcement agents are closely monitoring traffic
on the Internet. It is also no secret that crime is proliferating on
the Internet at a frightening pace. Law enforcement agents are a bit
unnerved as they watch their tried and true methods of law enforcement
become antiquated. However, law enforcement on the Internet is starting
to come of age.

Here are some recent examples:

(1) The Secret Service set up a bogus bulletin board system for the
purpose of attracting people who want to sell stolen cellular phone
codes. Thieves often get these codes by using scanners which pick up
the code-embedded signals emitted from moving cars. The result: six
arrests and seizure of 20 computer systems.

(2) The Justice Department ended a two-year investigation into use of
America Online (AOL) for the distribution of child pornography and
perpetration of other sex-crimes. The result: 125 homes were searched,
computer systems seized and numerous arrests made across the country.

(3) Just this month, the Secret Service noticed that Virtual Visions
(http://www.vv.com/~gilmore/head/heads.html) put up a new web page
which shows the heads of public figures such as Bob Dole, Boris Yeltsin
and Bill Gates, slowly exploding. Virtual Visions intended this to be
political satire. The result: the developer of the web page received a
visit from the Secret Service.

The Fourth Amendment -

The objectives of law enforcement and of personal privacy are on a
collision course on the Information Highway. Law enforcement personnel
desire access to as much information as possible to conduct their
investigations. Individuals want to restrict access to personal
information.  It is necessary to achieve a balance between effective
law enforcement and personal privacy. How the Fourth Amendment to the
U.S. Constitution is interpreted will play a crucial role in
determining where this balance is reached.

The 4th Amendment prohibits government agents from conducting
unreasonable searches and seizures. The Supreme Court has defined a
seizure of property as a "meaningful interference with an individual's
possessory interest in that property." The concept of seizure of
information differs dramatically from seizure of tangible property.
Seizure of tangible property means that the owner has been deprived of
the use and possession of the property. Whereas, when information is
"seized" the owner may still have possession of the information.  It is
just that the information has been copied and is now also in the hands
of someone else.

It could be argued that under the Fourth Amendment no seizure occurs
when digital information is merely copied. However, applying the
analysis used to prohibit wiretapping (which has been defined as a
seizure), seizure of information would also fall within the
constitutional definition of seizure.  In the information context,
"seizure" should be interpreted as meaning being deprived of the
ability to control the disclosure and dissemination of the information.
This ability to control is the value of the possessory interest of
information.

The application of the term "search" in the digital environment is more
complicated. An unlawful search requires as a prerequisite that (1)
subjectively, the person in possession of the item searched had an
actual expectation of privacy and (2) objectively, the person had an
expectation of privacy. The subjective expectation of privacy element
has been criticized, because in theory, it would be very easy for the
government to eliminate any expectation of privacy by announcing that
it will perform broad searches.  However, in practice, the Supreme
Court has focused on the objective requirement.

On one end of the spectrum is data resident in a stand-alone computer.
Here, there is certainly an objective expectation of privacy. On the
other end of the spectrum lie the vast open areas of the Internet, such
as web pages and newsgroups to which there can be no objective
expectation of privacy.

Accordingly, law enforcement agents are free to roam through these open
areas, assemble records on who is participating in which groups, and
what they are saying. For example, if the Secret Service wanted to
assemble all the messages that you posted in newsgroups in the last
year (the technology to perform this search is available) in order to
determine your political positions, this would not violate the Fourth
Amendment.

The middle ground is where the legal battles will be fought. This will
primarily involve information that is in the possession of a third
party, and is not readily accessible to the public.

Under traditional constitutional analysis, where information is
disclosed to a third party, the expectation of privacy is abandoned.
For example, most state laws, and the federal Constitution, permit
wiretapping if one party to the conversation consents. However, the
scope of the abandonment will usually only apply to the amount of
information needed by the recipient.

For example, the telephone numbers you dial are disclosed to the phone
company in order that the phone company can perform its service.
Thereby, a person abandons the expectation regarding the number
dialed.  However, even though the content of telephone conversations is
also given over to the phone company, this content is not needed for
the phone company to perform its service. Therefore, the content of
phone conversations retains the expectation of privacy.

By analogy, this would also apply to e-mail messages maintained on a
service provider's equipment. Information such as the senders' and
recipients' addresses, the file sizes and times of transmissions are
not private. But the content of the messages would be.

In the workplace, an employer is not permitted to consent to a search
of personal areas of an employee. For example, a desk drawer that
contains personal correspondence. By accepted convention, this is a
private area.

Private network directories which require a password to enter would
probably also retain an expectation of privacy. However, in each case,
a court will look at specific corporate policies to determine whether
there is an objective expectation of privacy or whether the employee
was informed that the employer may at any time without notice enter
these pass-worded directories.

Along these lines, since a court wants to determine the objective
expectation of privacy, an agreement that an employer will not consent
to a search would have no effect. What would be needed is an agreement
that the employer will not access these private areas, which deprives
the employer of the right to consent.

When determining the objective expectation of privacy, courts will have to
balance the value of the particular privacy interest claimed against
the level of the law enforcement interest.  Only this month, America
Online under subpoena turned over personal e-mail records relating to a
criminal investigation where the murderer allegedly met the victim in
an AOL chat room. AOL has been criticized for not challenging the
subpoena. AOL's position is that if it receives a search warrant, it
will comply. This case highlights the valid competing interests of both
law enforcement and personal privacy.





From attila at primenet.com  Mon Feb  5 10:37:59 1996
From: attila at primenet.com (attila)
Date: Mon, 5 Feb 96 10:37:59 PST
Subject: "Can't we all just get along?"
In-Reply-To: <199602050758.XAA04847@Networking.Stanford.EDU>
Message-ID: 


On Sun, 4 Feb 1996 Pot at networking.stanford.edu wrote:

> This is not FLAMEpunks.
> 
	WHAT???   --and miss all the fun?


__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From alanh at infi.net  Mon Feb  5 10:53:06 1996
From: alanh at infi.net (Alan Horowitz)
Date: Mon, 5 Feb 96 10:53:06 PST
Subject: Sometimes ya just gotta nuke em
In-Reply-To: 
Message-ID: 



<<"In other words it was starvation/devastation city">>

  It was a lot worse than that on the Japanese-imperialist-occupied islands 
of the Pacific when the Nisei troops chose not to surrender and instead 
made last-ditch charges against American lines - which killed not a small 
number of Americans. And of course, there were the suicide bombers.

Submarine operations don't cost zero lives, either. In fact, just plain 
old regular military logistics - keeping the boys mobilized and in place 
in a theatre of operations - don't cost zero lives, even if there are _no_ 
hostilities.

And while all the starvation and devastation was going on in Japanese
cities, the Japanese troops were torturing and murdering Allied POWs, and
Asian civilians in all the Japanese-occupied territories. Those people
deserved liberation, too. 

I think you give your game away when you complain about how we were being 
unfair to Comrade Stalin.

As far as Pax Americana goes, the Japanese just _volunteered_ to _increase_
the payments they make to support the American garrison in Japan. The
non-Okinawans want us in their country. I guess they know that the
alternative is a Red Chinese garrison. 

And lots of other Asians are afraid of the same alternative - or of 
Japanese garrisons in their homeland. They've "been there, done that".

Alan Horowitz 
alanh at norfolk.infi.net






From simsong at vineyard.net  Sun Feb  4 18:56:33 1996
From: simsong at vineyard.net (Simson L. Garfinkel)
Date: Mon, 5 Feb 1996 10:56:33 +0800
Subject: FV's blatant double standards
Message-ID: 


At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
>FV demonstrated, through its "card sharp" or whatever, that
>real-time transactions are vulnerable to sniffers on the recipient's
>own machine. Of course. We all knew that. But the mistake is to
>assume that FV isn't _equally_ vulnerable to that threat. If you
>can write a trojan that will somehow get privileged access to my
>machine, trap my keystrokes, and identify my credit card number,
>you can certainly write one that will, sitting on my machine:
>    "intercept the user's electronic mail, read the confirmation
>    message from First Virtual's computers, and send out a fraudulent
>    reply"
>(to quote from Simson's article). Simson further quotes FV's Lee
>Stein: "A single user can be targeted, Stein said, but ''it is very
>difficult. . . . There are too many packets moving . . . to too many
>different machines.''" - which is of course equally true for real-time
>Netscape transactions.

Oh, I think that such a program can be written. However, it would be much
harder to get right, considering all of the different ways that people read
e-mail.


=============
Simson's Schedule:

Feb 2 - Feb 5 - Cambridge: Conference on Freely Redistributable Software
Feb 7 - Feb 13 - Baltimore: American Association for the Advancement of
Science.
Feb. 28 - March 1 - Seybold, Boston.
March 23 - NYC. MacFair.
March 27 - March 30: Cambridge. Computers, Freedom and Privacy.







From steve at miranova.com  Mon Feb  5 11:09:48 1996
From: steve at miranova.com (Steven L Baur)
Date: Mon, 5 Feb 96 11:09:48 PST
Subject: fcpunx subscribe (FCPUNX is not on miranova.com)
In-Reply-To: <4C254DF0F18@sjulaw.stjohns.edu>
Message-ID: 


Although this particular request was sent to the cypherpunks mailing
list, others continue to send requests to my mailbox.

>>>>> "Wendy" == "Wendy Fu"  writes:

Wendy> endWendy Fu, Network Manager 
Wendy> St. John's University School of Law
Wendy> 8000 Utopia Parkway, Jamaica, NY 11439
Wendy> E-Mail Address: wfu at sjulaw.stjohns.edu
Wendy> Phone: (718)990-1666

I don't know how my address got associated with this list, but please,
*do not* send requests about FCPUNX to steve at miranova.com.

Requests about how to set up Gnus scoring for performing your own
filtering of the cypherpunks list are welcome.

-- 
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.





From llurch at networking.stanford.edu  Sun Feb  4 19:16:05 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 5 Feb 1996 11:16:05 +0800
Subject: [NOISE] Sound bites re the Zundel German censorship thing (fwd)
Message-ID: 


[Bcc'd to the webcom.com guys FYI]

Sorry if you get duplicate copies, but I agree with Tim that mailing list
cross-pollution is bad. 

*Not* for broader redistribution, because they deserve privacy, but 
illustrative for, say, certain knee-jerk anti-PC forces here, is the fact 
that the two people who run webcom.com (Bcc'd) have been reported to be:

1. Grandson of a Holocaust victim
2. Activist with PEN and Amnesty International

I think we're all on the right side here, and for all the right reasons.

-rich

---------- Forwarded message ----------
Date: Sun, 4 Feb 1996 17:56:19 -0800
From: Rich Graves 
To: fight-censorship+ at andrew.cmu.edu
Newsgroups: alt.censorship, comp.org.eff.talk, alt.internet.media-coverage
Subject: Maudlin sound bites re the Zundel German censorship thing

I put this together for the few journalists who actually bothered to ask
for quotes, rather than taking or manufacturing them without asking. 

Sent to CMU fight-censorship and relevant newsgroups (not counting
alt.revisionism, where this is not really relevant); will also send
separately to cypherpunks. I'm not on any other lists, but feel free to
pass it along, with PGP signature intact. 

-rich

---------- Forwarded message ----------
Subject: Re: Quote for Guardian newspaper

-----BEGIN PGP SIGNED MESSAGE-----

Please cite me as rich at c2.org without Stanford affiliation. Yes, I can 
handle any amount of mail, and I'd much rather have to answer questions 
than be misinterpreted.

Pick and choose and edit at will. The email address rich at beep.stanford.edu
goes to an alphanumeric pager (cellular beeper, whatever you call it on
your side of the pond) that takes 60 characters from the Subject: line;
please use it to confirm quotes at deadline.

Some material, from least to most maudlin:

I am not a free speech activist. As Rosa Parks explains her refusing to
move to the back of a racially segregated bus, "I was tired." The Internet
belongs to all of us, and if parts of it are cordoned off for even the
most noble political reasons, then we are all diminished, and totalitarian
regimes like China's are given another excuse. This was an important point
to underscore, but it should be noted that all I did was send a half dozen
electronic mail messages and copy a few files, which took less than an
hour of my time. 

No less important than the fight against censorship itself, for me, is
that hateful demagogues like Ernst Zundel be denied their spurious appeals
to "anti-censorship." Mr. Zundel is no more of a free speech activist than
are the leaders of the IRA. Repression only breeds criminality. 

As Tolkien or any good German fairy tale will tell you, the evil troll,
when exposed to the light of day, will turn to stone. Evil trolls like Mr.
Zundel might still frighten children, but as statues in the Wiesenthal
Center's Museum of Tolerance they can no longer harm us; and ultimately,
these statues will attract pigeons, weather with time, and crumble to dust.

Now that the power of the Net has been demonstrated, we have taken down
our mirror sites. Now the onus is on Mr. Zundel, in the spotlight of world
attention, to reveal his true friends by calling on them to come to his
aid. Now we know that Mr. Zundel's friends include Joe Bunkley, a
notorious racist at Georgia State University. Joe Bunkley's mirror site,
and those of other friendly mirror sites, cannot all be censored; in fact,
to my knowledge, no action has been taken against any mirror site. 
Indeed, the DFN/WiN network that serves most German universities 
restored access to Mr. Zundel's original site some days ago. 

Let Mr. Zundel's conspiracy theories about Jews and UFO bases in
Antarctica into the public domain, and let us see who will believe them,
and who will laugh. I am a great fan of Milan Kundera, who teaches us that
the only responses to a totalitarian buffoon are laughter and memory.
Nizkor: we will remember. (No, I'm not Jewish)

Zundel's hate should never be ignored, but it can be publicly refuted and
ridiculed, which has far greater moral and practical effect than
censorship. "Eternal vigilance is the price of liberty" can be 
interpreted many ways. Let freedom ring.

- -rich

On Sun, 4 Feb 1996, Azeem Azhar wrote:

> Hi,
> 
> I'm a journalist on the UK Guardian newspaper
> I'm doing a background piece on the Zundel business.
> Could you give me a short quotable quote about why you're doing it:
> Extreme non-tech if you could.
> ASAP?
> Cool
> 
> Azeem
> 
> Azeem Azhar                            vx: 0171-713 4193
> The Guardian                           fx: 0171-713 4154
> 119 Farringdon Road                    azeem at dial.pipex.com
> London EC1R 3ER                        aa at guardian.co.uk (alt)
> All opinions are my own unless otherwise stated.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRU8nY3DXUbM57SdAQHz7gP/VHY9mkoZ4NdJ3bklnH+cKjCXxcT8uxTb
bSm/+f/iYe06C2XN3g5O5VVDQiPn0jA4aWJCwP1ntkkZmEsYyIBjRCQgMTBvNqt2
7blwHlLsEelJU2AaqMwK6z+4jiOdgp2InXYOjGsFZZaNwn0gCvbhaUbl5uYy4BV5
9tXMt9ZG95k=
=GzMs
-----END PGP SIGNATURE-----







From jimbell at pacifier.com  Sun Feb  4 19:23:28 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 5 Feb 1996 11:23:28 +0800
Subject: Our "New Order"
Message-ID: 


At 11:26 PM 2/4/96 GMT, Mutatis Mutantdis wrote:
>On Sat, 3 Feb 1996 11:30:48 -0700, David M. Rose wrote:
>
>>In view of the fact that our government seems bent on abrogating its
>>citizens' rights to free speech, has anyone done a survey indicating which
>>foreign countries have the best Net connections to the U.S. (excepting, of
>>course, Germany and possibly France)?
>
>>It may be expedient for Planned Parenthood and others whose points of view
>>differ somewhat from those approved under our "New Order"* to explore
>>alternatives in order to reach their constituencies.
>
>The law makes anyone accessing material liable... even if you connect
>to a foreign site where it's legal there, if it's banned in the US,
>you can still get screwed (in theory).
>
>Methinks the time is right for a "PGPScape" web browser.
>
>Rob.

Let me see if I understand  this concept correctly.  The remote site would
pre-encrypt the transmitted data, so that when received it could be
decrypted by the requestor according to his (or a temporarily chosen, to
avoid disclosing the actual recipient) public key, so as to disguise both
the material and perhaps also the actual requestor?

Excellent idea!







From thad at hammerhead.com  Sun Feb  4 19:30:01 1996
From: thad at hammerhead.com (Thaddeus J. Beier)
Date: Mon, 5 Feb 1996 11:30:01 +0800
Subject: RC2 protected by copyright?
Message-ID: <199602050211.SAA18120@hammerhead.com>



RSA issued a statement claiming that anyone using RC2(TM) would be in
violation of various laws.  I think that they might have a point.

You can't protect an idea with trade secrets, certainly not a software
idea, if you intend to sell the software.  It is easy to reverse
engineer it; this is probably what happened with RC2.

But, what about copyright?   Now, copyrights cannot protect ideas, only
the expression of those ideas.  An algorithm is clearly an idea, you could
write a program that would implement it in a completely different way,
not just by translating it (translations are still protected by
copyright). 

RC2, though, has 256 bytes of seemingly random data at the head of it,
in a permutation table.  This is clearly not any idea, but a bit of
text.  This text would have to be copied to any interoperable RC2.
(You could surely use some different permutation, and probably most
of the 256! permutations would be equally secure, but would not
interoperate with RC2).  I would expect that this copying of text be
held to be a violation of copyright.

Some might argue that 256 bytes is so small that perhaps it couldn't
be copyrighted.  Copyright clearly can't protect use of a word, or
a short phrase (1000 points of light, say).  If the permutation table
at the beginning was 65536 16-bit numbers, instead of 256 bytes, then
the copyright protection would be that much stronger and less open to debate.

Do any of the real lawyers on the list want to take a crack at this?
Has anybody heard any noise from RSA describing exactly how they
intend to go after people?

thad
-- Thaddeus Beier                     thad at hammerhead.com
   Technology Development                  (408) 286-3376
   Hammerhead Productions        http://www.got.net/~thad 





From tcmay at got.net  Sun Feb  4 19:30:54 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 5 Feb 1996 11:30:54 +0800
Subject: Arthur C. Clarke Supports Strong Crypto
Message-ID: 



(Pardon me for mentioning crypto...)

Arthur C. Clarke, known to most of you (author of many SF works, coiner of
the phrase: "all sufficiently advanced technologies are indistinguishable
from magic," mentioned by Alan Olsen yesterday), has a role in a "Discovery
Channel" program called "Mysterious Universe."

The episode tonight dealt with famous ciphers, including the Beale Cipher
(buried gold), the Voynich Manuscript (who knows what it is), and the
Vinland Map (my ancestors beat the Italians to the New World).

Clarke concluded by opining that strong ciphers that can only be read by
the intended recipient are now more important than ever.

--Tim May


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From tcmay at got.net  Sun Feb  4 19:38:55 1996
From: tcmay at got.net (Timothy C. May)
Date: Mon, 5 Feb 1996 11:38:55 +0800
Subject: [NOISE] Sound bites re the Zundel German censorship thing (fwd)
Message-ID: 


At 2:05 AM 2/5/96, Rich Graves wrote:

>Sorry if you get duplicate copies, but I agree with Tim that mailing list
>cross-pollution is bad.
>
>*Not* for broader redistribution, because they deserve privacy, but
>illustrative for, say, certain knee-jerk anti-PC forces here, is the fact
>that the two people who run webcom.com (Bcc'd) have been reported to be:
>
>1. Grandson of a Holocaust victim
>2. Activist with PEN and Amnesty International
>
>I think we're all on the right side here, and for all the right reasons.
...

Thanks, Rich!

I really think the Wiesenthal Center and whatnot could really make some
good points, and gain new friends, by PUTTING THE HOLOCAUST DENIAL CRAP ON
THEIR SERVERS!

Yes, an extreme step. But think of what it would say?

--Tim


[This Bible excerpt awaiting review under the Communications Decency Act]
And then Lot said, "I have some mighty fine young virgin daughters. Why
don't you boys just come on in and do em right here in my house - I'll just
watch!"....Later, up in the mountains, the younger daughter said. "Dad's
getting old. I say we should do him." So the two daughters got him drunk and
did him all that night. Sure enough, Dad got em pregnant....Onan really
hated the idea of doing his brother's wife and getting her pregnant while
his brother got all the credit, so he whacked off first....Remember, it's
not a good idea to have sex with your sister, your brother, your parents,
your pet dog, or the farm animals. [excerpts from the Old Testament, Modern
Vernacular Translation, TCM, 1996]







From WlkngOwl at UNiX.asb.com  Sun Feb  4 20:07:12 1996
From: WlkngOwl at UNiX.asb.com (Deranged Mutant)
Date: Mon, 5 Feb 1996 12:07:12 +0800
Subject: "PGP-Scape"? (was Re: Our "New Order")
Message-ID: <199602050334.WAA17133@UNiX.asb.com>



jimbell at pacifier.com wrote:

[..]
> >Methinks the time is right for a "PGPScape" web browser.
[..]

> Let me see if I understand  this concept correctly.  The remote site would
> pre-encrypt the transmitted data, so that when received it could be
> decrypted by the requestor according to his (or a temporarily chosen, to
> avoid disclosing the actual recipient.) public key, so as to disguise both
> the material and perhaps also the actual requestor?

Something like that, yes.  Anything to where someone watching cannot 
tell what a person is reading from a web site... even better if one 
cannot tell who is reading it. Anonymizing proxies would also be 
nice.

There's also less worry about secure transactions, since if 
everything's encrypted it's harder to tell if a transaction is taking 
place, viewing porno or subversive or religious literature, or if
you're just reading something mundane.

So much for vaporware, though.

> Excellent idea!

So is faster-than-light travel, but only if it's implemented.

Rob.
 
--- "Mutant" Rob 

Send a blank message with the subject "send pgp-key"
(not in quotes) for a copy of my PGP key.





From jamesd at echeque.com  Sun Feb  4 20:20:51 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Mon, 5 Feb 1996 12:20:51 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: <199602050359.TAA03592@news1.best.com>


At 04:36 AM 2/4/96 -0500, James M. Cobb wrote:
>  Neither dropping nuclear weapons on Japanese cities nor an invasion 
>  of Japan was necessary to secure surrender of the Japanese government. 

After the first nuclear bomb was dropped, the Japanese government
held a cabinet meeting in which they summoned Nishina, head of the
atomic program, and asked him if he could duplicate atomic weapons
within a few months.

After two nuclear weapons had been dropped on Japan, the cabinet concluded
that Japan faced utter destruction with nuclear weapons, and some advocated
surrender.  But according to emperor Hirohito

   "At the time of the surrender, there was no prospect of agreement"

Even with two nuclear weapons, surrender was far from assured.  It was touch
and go:  Had the coup succeeded, Japan would not have surrendered, and 
considerably more nuclear bombing would have been necessary.  The bullet
holes in the imperial palace testify that even after two nuclear bombs,
there was a substantial faction of the government determined not to surrender.

It was certainly true that Japan was defeated, and reasonable people may
disagree on the justice of using nuclear weapons under these circumstances, but
to claim, as Alperovitz claims, that Japan was on the verge of surrender, 
is not a mere difference of opinion on the interpretation of the facts, but
a simple, crude, barefaced, blatant lie.

 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From m.purcell at navy.gov.au  Sun Feb  4 20:43:03 1996
From: m.purcell at navy.gov.au (LEUT Mark Purcell)
Date: Mon, 5 Feb 1996 12:43:03 +0800
Subject: Windows PGP mail reader
In-Reply-To: <4eaksb$6i9@recepsen.aa.msen.com>
Message-ID: <4f0llo$mln@soap.news.pipex.net>


In article <4eaksb$6i9 at recepsen.aa.msen.com>, jims at conch.aa.msen.com says...
>
>Hi.  Can anyone recommend a Windows based email/POP3 reader that can decrypt
>content?  Please reply  via email:


Have a look at Pegasus Mail.  It handles PGP very nicely with a recent
addition by John Navas; both are free:
http://users.aimnet.com/~jnavas/winpmail.htm

Mark






From bdavis at thepoint.net  Sun Feb  4 20:44:18 1996
From: bdavis at thepoint.net (Brian Davis)
Date: Mon, 5 Feb 1996 12:44:18 +0800
Subject: Encryption and Backups
In-Reply-To: <2.2.32.19960204221301.0093a448@mail.teleport.com>
Message-ID: 


On Sun, 4 Feb 1996, Alan Olsen wrote:

> Something that I have not seen addressed is the need for strong encryption
> in backup software.
> 
> Most backup software has an "encryption" option, but I have seen few that
> have anything resembling strong encryption.  Furthermore, I have seen no
> real push for strong encryption for backups at all.
> ... 
> Might be an idea for a product there...  (And you can bet law enforcement
> would throw a hissy fit about its existence.)

Indeed.  Many on the law enforcement/prosecution side of the key escrow 
debate are more concerned about encryption of files and backup than they 
are about encrypted email ... 

EBD

> Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction





From lmccarth at cs.umass.edu  Sun Feb  4 20:49:26 1996
From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu)
Date: Mon, 5 Feb 1996 12:49:26 +0800
Subject: RC2 protected by copyright?
In-Reply-To: <199602050211.SAA18120@hammerhead.com>
Message-ID: <199602050413.XAA05802@opine.cs.umass.edu>


(IANAL, and I'm not even attempting a lay interpretation of the _legal_ 
issues in this message)

thad writes:
> But, what about copyright?   Now, copyrights cannot protect ideas, only
> the expression of those ideas.  An algorithm is clearly an idea, you could
> write a program that would implement it in a completely different way,
> not just by translating it (translations are still protected by
> copyright). 
> 
> RC2, though, has 256 bytes of seemingly random data at the head of it,
> in a permutation table.  This is clearly not any idea, but a bit of
> text.  This text would have to be copied to any interoperable RC2.
> (You could surely use some different permutation, and probably most
> of the 256! permutations would be equally secure, but would not
> interoperate with RC2).  I would expect that this copying of text be
> held to be a violation of copyright.

From a technical perspective, I can't say that the permutation table is
"clearly not an idea", although that view has some significant allure.
I think many cryptographers would agree that the S boxes in DES represent 
some pretty weighty ideas indeed, and constitute an intrinsic part of the
algorithm. Offhand the precise construction of the RC2 permutation table
doesn't seem to me to be nearly as important to the strength of RC2 as the
S boxes are to DES' strength. I'm certainly no expert. But I'm a little 
hesitant to dismiss the specified table as "a bit of text". 

Do you think the table would be more like an idea if it turned out to be
determined by pi ?  (not a rhetorical question)

-Lewis 		`I went down to the demonstration/ 
to get my fair share of abuse/ singing we're gonna vent our frustration/
if we don't, gonna blow a 50A fuse" -Nanker Phelge





From llurch at networking.stanford.edu  Sun Feb  4 21:31:24 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 5 Feb 1996 13:31:24 +0800
Subject: Turn yourself in!
In-Reply-To: <199602050252.SAA24214@jobe.shell.portal.com>
Message-ID: 


Very cute, but I hope this doesn't degenerate into serious mail-bombing 
(which I'm sure it will, unfortunately).

The simple text "Fuck the CDA up the ass!" should do. Sorry I'm not very 
creative with such things.

-rich

On Sun, 4 Feb 1996 anonymous-remailer at shell.portal.com wrote:

> The alt.tasteless crowd is currently discussing the CDA, with
> some predictable results, and some not so predictable...
> If you wish to participate in mass civil disobedience, follow
> these instructions: Send a message CC'd to your local media's net
> address and to justice.usdoj.gov (Department of Justice) which
> contains something to the effect of, "I wish to turn myself in
> for the crime of distributing offensive material via the Internet
> and as evidence, provide the following:"
> Attach some sort of uuencoded data to your message as "evidence".
> Make sure that every possible media outlet hears loud and clear
> that you want every last case prosecuted.





From tallpaul at pipeline.com  Sun Feb  4 21:56:17 1996
From: tallpaul at pipeline.com (tallpaul)
Date: Mon, 5 Feb 1996 13:56:17 +0800
Subject: free speech and the government
Message-ID: <199602050510.AAA21140@pipe5.nyc.pipeline.com>


On Feb 04, 1996 14:40:51, 'Alan Olsen ' wrote: 
 
 
 
> 
>Crypto relevance:  Some people regard the ability to hide "dangerous" 
>information to be as "dangerous" as the information hidden.  Freedom of 
>Speech includes the right to choose who can listen to that speech. 
> 
 
I do not think that his last sentence is accurate. 
 
The primary example is a group that exercises its freedom of speech (maybe
even fights in the courts for it) by holding a rally in the Village Green.
Does their right to hold their rally also include the right to choose who
can listen to the rally speeches in the Village Green? Of course not! 
 
Fundamentally, I think that speaking is a speech issue; determining who can
listen is a privacy issue. They are very much *not* the same thing. 
 
The separation is not done away with by things like the cellular phone
anti-eavesdropping or satellite cable broadcast laws. (Aspects of the
separation are, however, addressed by PGPhone, or rather should one say
made "unaddressable".) 
 
 
--tallpaul 
 
PS: Olsen's post did have some good themes on the nature of the internet
"as public library." 





From PADGETT at hobbes.orl.mmc.com  Sun Feb  4 21:58:37 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 13:58:37 +0800
Subject: The Story Lady
Message-ID: <960205000641.202190a1@hobbes.orl.mmc.com>


  >> Let me see if I understand  this concept correctly.  The remote site would
  >> pre-encrypt the transmitted data, so that when received it could be
  >> decrypted by the requestor according to his (or a temporarily chosen, to
  >> avoid disclosing the actual recipient.) public key, so as to disguise both
  >> the material and perhaps also the actual requestor?
  
  >Something like that, yes.
  
  As the quote went "It goes something like this...Not *exactly* like this
  but something...".
  
  What netscape does is to receive a signed public key, encrypt the session key,
  & return *that*. The session is then encrypted with a fast symmetric algo.
  (RC4-40 Netscape/export, IDEA - PGP). So PGP/scape would do exactly the same
  thing with trivial changes to the monkey-motion.
  
  Now Government approved PGP/BE - something to strive for 8*).
  
  					warmly,
  						Padgett
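
[Added example, not part of Padgett's message and not Netscape's or PGP's code: a minimal sketch of the exchange described above, in which the client checks the signature on the server's public key, wraps a 40-bit session key under that key, and both sides then use RC4 for the session. The toy unpadded RSA built from Mersenne primes, the single "CA" key, and all function names are assumptions made for illustration.]

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed toy keys (Mersenne primes): far too small, and unpadded,
# for anything but showing the message flow.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = make_key(2**61 - 1, 2**89 - 1)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def key_digest(pub) -> int:
    """Hash of a public key, reduced so the toy CA key can sign it."""
    h = hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()
    return int.from_bytes(h, "big") % CA_PUB[0]


def ca_sign(pub) -> int:
    """CA side: sign the server's public key (the 'signed public key')."""
    n, d = CA_PRIV
    return pow(key_digest(pub), d, n)


def client_key_exchange(server_pub, sig, session_key=None):
    """Client side: verify the signature, then wrap a session key."""
    if pow(sig, CA_PUB[1], CA_PUB[0]) != key_digest(server_pub):
        raise ValueError("public key signature does not verify")
    if session_key is None:
        session_key = secrets.token_bytes(5)  # 40 bits, as in RC4-40
    n, e = server_pub
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_unwrap(wrapped: int) -> bytes:
    """Server side: recover the session key with the private exponent."""
    n, d = SRV_PRIV
    return pow(wrapped, d, n).to_bytes(5, "big")


if __name__ == "__main__":
    sig = ca_sign(SRV_PUB)                              # done once, offline
    key, wrapped = client_key_exchange(SRV_PUB, sig)    # client -> server
    ciphertext = rc4(key, b"GET /index.html")           # session traffic
    print(rc4(server_unwrap(wrapped), ciphertext))      # server reads it
```
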






From jdoe-0007 at alpha.c2.org  Sun Feb  4 22:01:33 1996
From: jdoe-0007 at alpha.c2.org (jdoe-0007 at alpha.c2.org)
Date: Mon, 5 Feb 1996 14:01:33 +0800
Subject: Jim Bell - Murderous Terrorist
Message-ID: <199602050306.TAA01578@infinity.c2.org>


Dr. Vulis writes:

AO> Alan Olsen  writes:

AO> I consider Mr. Bell to be a crank and a loon.

DV> You're certainly entitled to your opinion. You might be interested to know that
DV> I consider Jim Bell to be highly intelligent, knowledgeable, and overall nice
DV> person. I'm particularly impressed by his calm and restrained response to your
DV> provocations. I've also formed a rather negative opinion of you, based on your
DV> actions in this incident.

Jim Bell has advocated nothing less than paid death squads using crypto as a
means to hide payment to these murderous terrorists.  If you can find a conspirator
of murder as " highly intelligent, knowledgeable, and overall nice person" then
you also are in need of immediate mental health intervention.

Should the mainstream media ever get wind of Bell's lunacy it will be one more
nail in the crypto-coffin spurring the Feds and international anti-crypto efforts to
a frenzy.  Bell is either a total fucking lunatic of the extreme right wing (having
read his suck ups posts supporting General Linda Thompson) or an agent 
provocateur for the Feds.  One is as bad as the other.  To quote your own
words to Mr. Olsen; " I've also formed a rather negative opinion of you, based
on your actions in this incident."

AO> He has no interest in any sort of honest discussion.

DV>  Honest or dishonest, the discussion of Jim's political views has nothing 
DV> to do with encryption.

His plans for death squads success DEPENDS on the anonymity provided by
CRYPTO!

AO> He wishes to draw in others in the hope of "punishing me".

DV> You're punishing yourself by destroying your credibility and carrying on this
DV> silly flame war. You've kicked Jim off of "your" mailing list, pushing the
DV> flame war that you've started to this list. I don't appreciate this.

And you think YOU have credibility here?  Sounds like you are cut from
the same murderous cloth as Jim Bell.

I pray that if by some freak of anarchy Bell's plan ever comes to
fruition both you and Bell will be the first victims of your own murderous
madness.







From ses at tipper.oit.unc.edu  Sun Feb  4 23:12:09 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Mon, 5 Feb 1996 15:12:09 +0800
Subject: Sometimes ya just gotta nuke em
In-Reply-To: <199602050359.TAA03592@news1.best.com>
Message-ID: 


On Sun, 4 Feb 1996 jamesd at echeque.com wrote:

> 
> After the first nuclear bomb was dropped, the Japanese government
> held a cabinet meeting in which they summoned Nishina, head of the
> atomic program, and asked him if he could duplicate atomic weapons
> within a few months.

Japan's nuclear program effectively ended on April 12th when the 
headquarters were destroyed (by conventional bombs). Their program never 
really got very far, lacking both funding and Hungarians :)

> It was certainly true that Japan was defeated, and reasonable people may
> disagree on the justice of using nuclear weapons under these circumstances, but
> to claim, as Alperovitz claims, that Japan was on the verge of surrender, 
> is not a mere difference of opinion on the interpretation of the facts, but
> a simple, crude, barefaced, blatant lie.

That's a pretty strong statement; the Japanese government was split into 
two camps, with the hawks slightly in the ascendancy. Facts were changing 
on the ground, making it clear that things were about to get a lot worse 
(Stalin was about to enter the war against Japan, supplies were running 
short and getting worse (thanks to intercepts); Curtis LeMay had reduced 
just about every city apart from Hiroshima and had command of the air).

All these factors could very well have changed the balance of power 
within the government without the presence of nuclear weapons; no sure 
thing, but not impossible. 







From jcobb at ahcbsd1.ovnet.com  Sun Feb  4 23:14:44 1996
From: jcobb at ahcbsd1.ovnet.com (James M. Cobb)
Date: Mon, 5 Feb 1996 15:14:44 +0800
Subject: A Sign of the Future
Message-ID: 


 
 
  Friend, 
 
 
          A 02 04 96 Reuter Information Service newsstory 
          ----------------------------------------------- 
 
         GERMANS' INTERNET CRACKDOWN A SIGN OF THE FUTURE 
 
                     datelined BONN, Germany 
 
                             reports: 
 
    ...growing alarm among governments at the uglier side of the 
    worldwide computer network. 
 
 
  What is this "uglier side"? 
 
  German Research and Technology Minister Juergen Ruettgers shouts: 
 
    "We cannot tolerate a situation in which anything goes." 
 
 
                               THAT 
 
                           intolerance 
 
 
               is the U*G*L*I*E*S*T side of the 'Net. 
 
 
  Last week Ruettgers declared 

    ...that Bonn respected free speech but must also do more to 
    regulate the Internet.... 
 
 
  When it comes to wiping out free speech 
 
                     --A*N*Y*T*H*I*N*G goes! 
 
 
  The prosecutors have even 
 
    ...contacted the Deutsche Forschungsnetz, the national scien- 
    tific research network. 
 
 
  Following orders from the superpower, its puppet "nation states" 
  are wrecking the genuine Internet. 
 
  Nicholas Negroponte, director of MIT's Media Lab, popped up in 
  Bonn last week to put a high gloss on the "situation": 
 
    "The Internet cannot be regulated.  It's not that laws aren't 
    relevant, it's that the nation state is not relevant.  
 
                    [ DECEPTION IS VIOLENCE ] 
 
    This is the next discussion we will have.  
 
                 [ If the superpower permits! ]  
 
    Cyberlaw is by its nature global and 
 
                 [ You had better sit down... ] 
 
    we're not very good at global law." 
 
 
  Nick's a big shot at Wired magazine.  So it should be no surprise 
  to learn that Wired attacked cypherpunks in its 01 96 issue.  In 
  a fake interview with "Wired's patron saint," Marshall McLuhan is 
  made to say (p 130): 
 
    Concerns about privacy and anonymity are outdated. Cypherpunks 
    think they are rebels with a cause, but they are really senti- 
    mentalists. 
 
 
    The era of politics based on private identities, anonymous indi- 
    viduals, and independent citizens began with the French Revolution 
    and Napoleon's armies...and ended with Hitler....  The cypherpunks 
    are still marching to the same martial music. 
 
 
  Please note HOW Wired equates liberty, equality, fraternity with 
  capitalistic fascism, as David Kahn calls it.  Equating the two in 
  that manner is the same as rejecting the former while embracing the 
  latter.  Further: ending one sentence with "Hitler" while ending the 
  very next sentence with "the same [Nazi rally] martial music" tends 
  to identify Nazis and cypherpunks.  (Of course those few cypherpunks 
  who fancy themselves an "elite" SERVE the wolves at Wired.) 
 
  Deception is violence: it accustoms people to being violated. 
 
 
  Cordially, 
 
  Jim 
 
 
 
 
  NOTE.  "...in the 1930s...capitalistic fascism did not inspire the 
  dread among many establishment figures that communism did."  --David 
  Kahn.  Kahn on Codes: Secrets of the New Cryptology.  Macmillan Pub- 
  lishing Co.  1983.  Page 277. 
 
  The Nando News online filename of the newsstory is: 
 
                         info5_28474.html 
 
 
  Gary Wolf wrote "Channeling McLuhan. The Wired Interview with Wired's 
  patron saint."  He is executive editor of HotWired. 
 
  This critical essay was composed 02 04 96. 
 
 







From norm at netcom.com  Sun Feb  4 23:17:16 1996
From: norm at netcom.com (Norman Hardy)
Date: Mon, 5 Feb 1996 15:17:16 +0800
Subject: cipherpunk mail at Netcom.com
Message-ID: 


The list of addressees is made from the "From" fields that include
"netcom.com" in CP mail that appeared on the CP list Tuesday and Wednesday
last week. I have received no CP mail since then. Have you?







From llurch at networking.stanford.edu  Sun Feb  4 23:22:45 1996
From: llurch at networking.stanford.edu (Rich Graves)
Date: Mon, 5 Feb 1996 15:22:45 +0800
Subject: [NOISE] Sound bites re the Zundel German censorship thing (fwd)
In-Reply-To: 
Message-ID: 


On Sun, 4 Feb 1996, Timothy C. May wrote:

> I really think the Wiesenthal Center and whatnot could really make some
> good points, and gain new friends, by PUTTING THE HOLOCAUST DENIAL CRAP ON
> THEIR SERVERS!
> 
> Yes, an extreme step. But think of what it would say?

They already have one of the best compilations of racist links on the 
Web, which according to posts on Stormfront-L is often used by the Aryan 
Overlord types (snicker) to keep tabs on each other.

There are some copyright and ease-of-updating issues associated with 
mirroring the opposition's files. PGP authentication of Web pages would 
help. I've offered to show Zundel how to do it, but for some strange 
reason, he hasn't been answering my mail as promptly as he used to.

-rich





From thad at hammerhead.com  Sun Feb  4 23:24:54 1996
From: thad at hammerhead.com (Thaddeus J. Beier)
Date: Mon, 5 Feb 1996 15:24:54 +0800
Subject: RC2 protected by copyright?
Message-ID: <199602050503.VAA18831@hammerhead.com>


Lewis (nee' Futplex) McCarthy writes:

> I think many cryptographers would agree that the S boxes in DES represent
> some pretty weighty ideas indeed, and constitute an intrinsic part of the
> algorithm. Offhand the precise construction of the RC2 permutation table
> doesn't seem to me to be nearly as important to the strength of RC2 as the
> S boxes are to DES' strength. I'm certainly no expert. But I'm a little 
> hesitant to dismiss the specified table as "a bit of text". 

> Do you think the table would be more like an idea if it turned out to be
> determined by pi ?  (not a rhetorical question)

Yes, the table would have been more an idea, and less "just text" if it
was derived from pi (as the comment in the posted code suggests...)

What I was suggesting is a way to get the tremendous protection of
copyright (that is, 75 year term, no filing fees, protected from birth, no
secrecy required) on ciphers. 

Now, this was tried with video games, each Nintendo cartridge had in
it something like "copyright Nintendo", as a way to try to get that
protection, and I believe that they lost in court (if my memory is
correct)

Everyone knows the story of the compositions of the S-Boxes in DES, that
they just happen to contain constants that make it difficult to attack
DES with differential cryptanalysis.  There are almost an infinite number
of S-Boxes that would have that property (probably more that wouldn't).
But if you were going to write a code that would interoperate
with somebody else's DES, there is absolutely no way to describe it
except to enumerate the S-Boxes, hence perhaps violating the copyright.
You can say "make it resistant to linear and differential cryptanalysis",
and you may get something as good, or better, but it wouldn't interoperate.

thad
-- Thaddeus Beier                     thad at hammerhead.com
   Technology Development                   408) 286-3376
   Hammerhead Productions        http://www.got.net/~thad 





From WlkngOwl at UNiX.asb.com  Sun Feb  4 23:28:19 1996
From: WlkngOwl at UNiX.asb.com (Deranged Mutant)
Date: Mon, 5 Feb 1996 15:28:19 +0800
Subject: Let's get back to crypto already (enough with the FUDism)
Message-ID: <199602050540.AAA19506@UNiX.asb.com>



Subject says it.

Idle talk can wait until legislation doesn't matter... and it won't 
when there's freely available source and binaries for a secure 
telnet, a private/anonymizing web browser/server/proxy, terminal and 
bbs programs, file transfers, etc.  I think these are at the moment a 
bit more important than digital cash (when these exist, e-cash will 
follow).

There's lots of work to be done.

Whatever happened to "cypherpunks write code"? it seems that various 
governments are writing laws a lot faster...

--- "Mutant" Rob 

Send a blank message with the subject "send pgp-key"
(not in quotes) for a copy of my PGP key.





From bretts at trojan.neta.com  Sun Feb  4 23:40:58 1996
From: bretts at trojan.neta.com (Brett Smith)
Date: Mon, 5 Feb 1996 15:40:58 +0800
Subject: retailer
Message-ID: <01BAF30A.FCA982E0@ppp-236-120.neta.com>


please send info






From mixmaster at vishnu.alias.net  Sun Feb  4 23:43:31 1996
From: mixmaster at vishnu.alias.net (Mr. Boffo)
Date: Mon, 5 Feb 1996 15:43:31 +0800
Subject: None
Message-ID: <199602042117.PAA05965@vishnu.alias.net>


> Could someone tell me how to quit this list, I just don't
> have the time to read anything that is being sent to it.

Yes. You can turn your modem off :)





From frantz at netcom.com  Sun Feb  4 23:55:03 1996
From: frantz at netcom.com (Bill Frantz)
Date: Mon, 5 Feb 1996 15:55:03 +0800
Subject: cipherpunk mail at Netcom.com
Message-ID: <199602050723.XAA27370@netcom6.netcom.com>


At 10:06 PM 2/4/96 -0800, Norman Hardy wrote:
>The list of addressees is made from the "From" fields that include
>"netcom.com" in CP mail that appeared on the CP list Tuesday and Wednesday
>last week. I have received no CP mail since then. Have you?

I have only received one message.  Since all of the header dates are from
last Tuesday, it may not count.  BTW - I received it sometime between
Saturday morning and Sunday night.  (I was out of town over the weekend.):

>Return-Path: 
>Received: from toad.com by mail2 (8.6.12/Netcom)
>        id SAA08759; Tue, 30 Jan 1996 18:10:42 -0800
>Received: by toad.com id AA04747; Tue, 30 Jan 96 12:50:10 PST
>Received: from callandor.cybercash.com by toad.com id AA04741; Tue, 30 Jan 96
>12:50:00 PST
>Received: by callandor.cybercash.com; id PAA02048; Tue, 30 Jan 1996 15:54:55
>-0500
>Received: from cybercash.com(204.254.34.52) by callandor.cybercash.com via
>smap (g3.0.3)
>        id xma002021; Tue, 30 Jan 96 15:54:28 -0500
>Received: from [204.254.34.231] by cybercash.com.cybercash.com (4.1/SMI-4.1)
>        id AA04051; Tue, 30 Jan 96 15:47:06 EST
>Message-Id: 
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>Date: Tue, 30 Jan 1996 15:51:24 -0400
>To: tcmay at got.net (Timothy C. May)
>From: cme at cybercash.com (Carl Ellison)
>Subject: Re: Denning's misleading statements
>Cc: Cypherpunks at toad.com
>Sender: owner-cypherpunks at toad.com
>Precedence: bulk
>
>At 20:49 1/27/96, Timothy C. May wrote:
>>I've never met Dorothy Denning, so I hesitate to characterize her as a
>>villainess. But certainly she's the only noted cryptographer I know of
>>who's gone so far out on a limb to defend a position the vast majority of
>>computer scientists, civil libertarians, and cryptographers scoff at.
>
>I've met some others -- most notably Silvio Micali [but he has a financial
>interest in that position].  However, DERD is the only one I've met
>who is all the way over on Freeh's side.
>
> - Carl
>
>
>+--------------------------------------------------------------------------+
>| Carl M. Ellison   cme at acm.org     http://www.clark.net/pub/cme           |
>| PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 |
>|   "Officer, officer, arrest that man!  He's whistling a dirty song."     |
>+----------------------------------------------------------- Jean Ellison -+
>
>
>

Bill


-----------------------------------------------------------------
Bill Frantz                   Periwinkle  --  Computer Consulting
(408)356-8506                 16345 Englewood Ave.
frantz at netcom.com             Los Gatos, CA 95032, USA







From ravage at ssz.com  Mon Feb  5 00:24:15 1996
From: ravage at ssz.com (Jim Choate)
Date: Mon, 5 Feb 1996 16:24:15 +0800
Subject: Question of Congressional Lawmaking Power (fwd)
Message-ID: <199602050759.BAA10465@einstein.ssz.com>


Forwarded message:
>From owner-ctlug at ssz.com Mon Feb  5 01:59:09 1996
From: Jim Choate 
Message-Id: <199602050759.BAA10442 at einstein.ssz.com>
Subject: Question of Congressional Lawmaking Power
To: ctlug at ssz.com (CT-LUG Mailing List)
Date: Mon, 5 Feb 1996 01:59:02 -0600 (CST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 7702      
Sender: owner-ctlug at ssz.com
Precedence: bulk
Reply-To: ctlug at ssz.com


Hi all,

To those with no interest I apologize. To those who were at the meeting this
evening discussing the limitations of Congress and the purported 'elastic
clause', this is what I found:


---------------------------------------------------------------------------
  
				ARTICLE I. 
 
	[Powers of Congress.] 
 
Section 8.  The Congress shall have Power To lay and collect Taxes, 
Duties, Imposts and Excises, to pay the Debts and provide for the common 
Defence and general Welfare of the United States; but all Duties, Imposts 
and Excises shall be uniform throughout the United States; 
	To borrow Money on the credit of the United States; 
	To regulate Commerce with foreign Nations, and among the several 
States, and with the Indian Tribes; 
	To establish a uniform Rule of Naturalization, and uniform Laws 
on the subject of Bankruptcies throughout the United States; 
	To coin Money, regulate the Value thereof, and of foreign Coin, 
and fix the Standard of Weights and Measures; 
	To provide for the Punishment of counterfeiting the Securities 
and common Coin of the United States; 
	To establish Post Offices and post Roads; 
	To promote the Progress of Science and useful Arts, by securing 
for limited Times to Authors and Inventors the exclusive Right to their 
respective Writings and Discoveries; 
	To constitute Tribunals inferior to the Supreme Court; 
	To define and punish Piracies and Felonies committed on the high 
Seas, and Offences against the Law of Nations; 
	To declare War, grant Letters of Marque and Reprisal, and make 
Rules concerning Captures on Land and Water; 
	To raise and support Armies, but no Appropriation of Money to 
Use shall be for a longer Term than two Years; 
	To provide and maintain a Navy; 
	To make Rules for the Government and Regulation of the land and 
naval forces; 
	To provide for calling forth the Militia to execute the Laws of 
the Union, suppress Insurrections and repel Invasions; 
	To provide for organizing, arming, and disciplining the Militia, 
and for governing such Part of them as may be employed in the Service of 
the United States, reserving to the States respectively, the Appointment 
of the Officers, and the authority of training and Militia according to 
the discipline prescribed by Congress; 
	To exercise exclusive Legislation in all Cases whatsoever, over 
such District (not exceeding ten Miles square) as may, by Cession of 
particular States, and the Acceptance of Congress, become the Seat of 
Government of the United States, and to exercise like authority over all 
Places purchased by the Consent of the Legislature of the State in which 
the Same shall be, for the Erection of Forts, Magazines, Arsenals, dock-Yards, 
and other needful Buildings; -- And 
	To make all Laws which shall be necessary and proper for carrying 
into execution the foregoing Powers, and all other Powers vested by this 
Constitution in the Government of the United States, or in any Department or 
Officer thereof. 

---------------------------------------------------------------------------

I believe that the section that was referred to is the last sentence
regarding the making of all laws necessary for carrying out the powers
detailed here and elsewhere in the Constitution. This article clearly states
that it is not an open ended empowerment. It covers only those items
specifically covered in the body of the Constitution. At the time it was
written it was clear that the founding fathers did not want a federal
government which was not hampered or constrained in its ability to pass laws
and carry out duties. If a court or body makes the assertion that this
article empowers Congress to make any law then they are sadly misinformed
and possibly intentionally misrepresenting the intent of the founding fathers
and the limitations on Congress placed there by them.

This article no more authorized (for example) the creation of the DEA, FDA,
or EPA than it authorizes them to take property without just compensation.
If this was taught you either through a textbook or a public school then
feel cheated and lied to, you were (possibly with premeditation).

---------------------------------------------------------------------------

And in regards to the limitation of federal lawmaking and questions of
jurisdiction covered in the 10 amendments...

----------------------------------------------------------------------------

 
				ARTICLE IX. 
 
	The enumeration in the Constitution, of certain rights, shall 
not be construed to deny or disparage others retained by the people. 
 
 
 
				ARTICLE X. 
 
	The powers not delegated to the United States by the Constitution, 
nor prohibited by it to the States, are reserved to the States respectively, 
or to the people. 
 
------------------------------------------------------------------------------

The intent is clear. If there is a question of jurisdiction then it will
ALWAYS fall to the states or the people, and NEVER to the federal
government. In short, the federal government and the Supreme Court are not
and were never intended to be the last word on anything in this country. The
10th clearly leaves that to the states and the people.

Neither of these Amendments have been tested or used in a court in this
country for 200 years. This is a telling tale. The courts and legislative
bodies (as well as any reasonable person) will see immediately that the
federal government has usurped powers and duties not theirs to execute short
of a constitutional amendment. This not only includes laws allowing the
seizing of private property for public use without just compensation
(irrespective of the source of that private property) but drug laws, food
regulation laws, environmental laws, etc. The last time Congress acted in a
constitutional manner regarding this was the amendments dealing with
prohibition and its repeal. Since that time Congress and the courts have
taken powers reserved for the states and the people and acted upon them
without authorization. In short the Congress of the US has acted in a manner
assuming exemption from constitutional limitations since the late 20's. What
this country needs is a legal test of both the 9th and 10th amendments.

Questions regarding Internet and free speech are immediately resolved as
non-issues on the federal level. It also makes jurisdictional extensions
such as Tennessee arresting and prosecuting a person in California for
downloading files (whatever they might contain) a non sequitur unless money
is exchanged (in which case Congress may tax it, not prohibit it). It also
clearly prohibits outside entities such as Germany from prosecuting anyone
in the US for their actions on the Internet. If Germany wishes to constrain
the content of Internet that is fine. It is between Germany and its people.
Another example is gun ownership. It is not a federal issue. It is a state
issue and should be resolved on a state by state level. Congress has no more
authority vested by the Constitution to limit a person's ownership of a
water pistol or an atom bomb, and this is the way it should be. The issue is
one of a state level unless Congress wishes to propose a constitutional
amendment changing or revoking the 2nd. (again as it should be).

I personally refuse to support any political party which does not support and
intend on testing both of these amendments. At this time there is not one
political party (even the Libertarian) who will touch this issue. I strongly
suggest that you demand support for these two amendments from any legislator
that you might support.


                                                  Jim Choate
                                                  ravage at ssz.com






From jya at pipeline.com  Mon Feb  5 04:18:43 1996
From: jya at pipeline.com (John Young)
Date: Mon, 5 Feb 1996 20:18:43 +0800
Subject: China Censors
Message-ID: <199602051207.HAA25830@pipe1.nyc.pipeline.com>


The NY Times today reports on China's new rules for censoring 
the Internet.


URL: http://www.nytimes.com/yr/mo/day/front/china-censor.html








From bruen at wizard.mit.edu  Mon Feb  5 04:56:03 1996
From: bruen at wizard.mit.edu (bob bruen)
Date: Mon, 5 Feb 1996 20:56:03 +0800
Subject: Boston Globe and Nazism
Message-ID: 



I thought this clip would be of interest. Just in case you were not sure 
which direction censorship on the net was heading. Anyone remember Joe
McCarthy? 

                            bob
-----------------------------------------------------------------------------
Boston Sunday Globe page 74, February 4, 1996.
Business Review section, Highlights of the week: Jan.28-Feb.3.


Goosestepping in cyberspace

The politics of the Internet make strange bedfellows. When the German
government moved to bar German Internet users from downloading material
on a neo-Nazi net site, the free-speech-in-cyberspace crowd reacted by
downloading the stuff and posting it all over the net. Joseph Goebbels
would be proud.





From andreas at artcom.de  Mon Feb  5 05:10:05 1996
From: andreas at artcom.de (Andreas Bogk)
Date: Mon, 5 Feb 1996 21:10:05 +0800
Subject: verification of randomness
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

Hi...

I've built a random number generator based on the noise of a Zener
diode. Now I'd like to verify its correct operation. I'd be very
grateful if someone could point me to existing software for randomness
tests or additional tests not mentioned in Knuth.

I'll make the design of the generator available as soon as I've
verified its operation.

Andreas


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

-----END PGP SIGNATURE-----





From don at cs.byu.edu  Mon Feb  5 05:12:27 1996
From: don at cs.byu.edu (Don)
Date: Mon, 5 Feb 1996 21:12:27 +0800
Subject: Nyms with keys
Message-ID: 


I am compiling a list of PGP keys from well known nyms. I only remember a few,
I was wondering if anyone could think of any others:

Pr0duct Cypher
CancelMoose
Cypherpunk Enquirer needs one, if nothing more than for kicks
Scamizat
any signatures on RC2, RC4 for HP, etc.

I'd swear there's a couple more but I can't think of them.

Also wondering if anyone besides Bill Stewart has done anything with
nym-key-signing, especially on a first-come first-serve, no verification
basis.

thanks

Don


Discovered today that secretly replacing your computer with a can of Folgers
crystals(TM) undermines all online security. I will be applying for a patent
soon which uses a Mr Coffee(TM) machine to detect this invasion.

PS: ObNukes: None.





From anonymous-remailer at shell.portal.com  Mon Feb  5 05:13:01 1996
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Mon, 5 Feb 1996 21:13:01 +0800
Subject: Turn yourself in!
Message-ID: <199602050252.SAA24214@jobe.shell.portal.com>


The alt.tasteless crowd is currently discussing the CDA, with
some predictable results, and some not so predictable...
If you wish to participate in mass civil disobedience, follow
these instructions: Send a message CC'd to your local media's net
address and to justice.usdoj.gov (Department of Justice) which
contains something to the effect of, "I wish to turn myself in
for the crime of distributing offensive material via the Internet
and as evidence, provide the following:"
Attach some sort of uuencoded data to your message as "evidence".
Make sure that every possible media outlet hears loud and clear
that you want every last case prosecuted.






From dlv at bwalk.dm.com  Mon Feb  5 05:17:01 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Mon, 5 Feb 1996 21:17:01 +0800
Subject: verification of randomness
In-Reply-To: 
Message-ID: 


andreas at artcom.de (Andreas Bogk) writes:
> I've built a random number generator based on the noise of a Zener
> diode. Now I'd like to verify its correct operation. I'd be very
> grateful if someone could point me to existing software for randomness
> tests or additional tests not mentioned in Knuth.

Dear Andreas,

Here are a couple of tests:

1. Maurer's test (very good, published later than Knuth)

/************************************************************

Ueli Maurer's randomness test
(C) 1993 Dimitri Vulis, all rights reserved

For details, see:
Ueli M. Maurer. ``A Universal Statistical Test for Random Bit
Generators.'' {\em Journal of Cryptology,\/} {\bf5} (1992), pp.~89--105.

*************************************************************/

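#include <stdio.h>   /* printf, scanf, fflush */
#include <stdlib.h>  /* srand, rand */
#include <string.h>  /* memset */
#include <math.h>    /* pow, log, fabs, sqrt, erf */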

void rndinit(void);
unsigned char rndgetbyte(void);

/*

We produce a stream of random bits. We look at them in blocks of L
bits at a time. Maurer uses 8-bit bytes  s_n, recommends 6 <= L <= 16.

*/

#define L 8
/* 2**L */
#define vv 256

int main(void) {
/*
the count of s_n's random bytes
*/
long n=1;
/*
fTU is the average \log_2(a_n),
where a_n is the number of bytes since the previous occurrence of the
same value. a_n = n for first occurrence (hopefully skipped using Q below)
*/
double fTU=0.0;
/*
Every time we obtain a random byte, we save its position n here,
so we can compute a_n, the number of bytes since last occurrence
*/
static long lastseen[vv];
/*
the number of bytes to skip before computing
the average, hoping that all possible byte values will
occur and lastseen will be non-zero. M recommends Q >= 10 * 2**L.
*/
long Q;
/*
the number of bytes to use to compute fTU.
M recommends K as large as possible >= 1000 * 2**L
*/
long K;
/*
E(L) is the expected value of fTU for a truly random sequence
*/
#define E 7.1836656
/*
V(L) is the variance of a_n for a truly random sequence (from M; table below)
*/
#define V 3.238
/*
If you decide to change L:
L       E               V
6       5.2177052       2.954
7       6.1962507       3.125
8       7.1836656       3.238
9       8.1764248       3.311
10      9.1723243       3.356
11      10.170032       3.384
12      11.168765       3.401
13      12.168070       3.410
14      13.167693       3.416
15      14.167488       3.419
16      15.167379       3.421
*/
/*
c(L,K) from M (13)
*/
double C;
/*
standard deviation of a truly random sequence from M (14)
*/
double sigma;
/*
fTU's distance in sigmas from the expected value
*/
double y;
/*
rho is the rejection rate, the probability that a sequence is bad
*/
double rho;

unsigned char r;

printf("Enter Q>=%-7ld:",10L*vv);   fflush(stdout); scanf("%ld",&Q);
printf("Enter K>=%-7ld:",1000L*vv); fflush(stdout); scanf("%ld",&K);

C=0.7-0.8/L+(1.6+12.8/L)*pow(K,-4.0/L); /* (13) */
/* M: C close to 0.6 for L=8 */
sigma=C*pow(V/K,0.5);           /* (14) */
/* M: grows as 1/\sqrt{K} */

/* initialize lastseen to 0 */
memset((void*)lastseen,0,sizeof(lastseen));

rndinit();

for (; n<=Q+K; n++) {
 r=rndgetbyte();
 if (n>Q)
  fTU+=log((double)(n-lastseen[r]));
 lastseen[r]=n;
 }

/* compute the average and convert from natural log to log_2 */
fTU/=K*log(2.0);
y=fabs((fTU-E)/sigma);

rho=erf(-y/sqrt(2.0))+1;

printf("fTU=%lg, %lg*%lg from  e.v. %lg, rho=%lg --- %s\n",
fTU,y,sigma,E,rho,
(rho < 0.0001 ? "unacceptable" :
(rho < 0.001 ?  "marginal" :
"acceptable")));

return(0);
}

/*
Use C library's pseudo-random number generator
*/

void rndinit(void)
{
srand(1);
}

unsigned char rndgetbyte(void) {
static unsigned state=0;
static int rrr;

if (state^=1) {
 rrr=rand();
 return(unsigned char)(rrr & 0xff);
 }
else
 return(unsigned char)((rrr>>8) & 0xff);
}

2. You probably have this one:

/* ***************************************************************
 * chi.c --
 *
 * Copyright 1993 Peter K. Boucher
 * Permission to use, copy, modify, and distribute this
 * software and its documentation for any purpose and without
 * fee is hereby granted, provided that the above copyright
 * notice appear in all copies.
 *
 * Usage:  chi [input_file [output_file]]
 *
 * This program counts the occurrences of each character in a file
 * and notifies the user when the distribution is too ragged or
 * too uniform.
 *
 * Because the chance of getting byte B after byte A should be 1:256
 * (for all A's and B's), the program also checks that the successors
 * to each byte are randomly distributed.  This means that for each byte
 * value (0 - 255) that occurs in the text, a count is kept of the
 * byte value that followed in the text, and the frequency distribution
 * of these succeeding bytes is also checked.
 *
 */

#include <stdio.h>   /* FILE, fopen, fread, getc, fprintf */
#include <stdlib.h>  /* exit */

#define NUM_BYTES 256L
#define BUFSIZE 8192
#define min_nps 5.0
#define min_testable (NUM_BYTES*min_nps)

#define V01     (205.33) /*  1% chance it's less */
#define V05     (219.09) /*  5% chance it's less */
#define V25     (239.39) /* 25% chance it's less */
#define V50     (254.33) /* 50% chance it's less */
#define V75     (269.88) /* 75% chance it's less */
#define V95     (293.16) /* 95% chance it's less */
#define V99     (310.57) /* 99% chance it's less */

#define min_chichi5 (20.0*min_nps) /* min prob. 5% */
#define min_chichi3 (4.0*min_nps) /* min prob. 25% */

#ifdef DEBUG
#define CFNAME "chi.dat"
#define min_chichi7 (100.0*min_nps) /* min prob. 1% */
#endif

#define AB(X)  (((X) >= 0.0) ? (X) : -(X))

double cnt[NUM_BYTES] = {0.0}; /* should be all zeros. */
double successors[NUM_BYTES][NUM_BYTES] = {{0.0}}; /* should be all zeros. */

static unsigned char buf[BUFSIZE];
static FILE *ifp, *ofp;

FILE *
my_fopen(file, type)
char *file, *type;
{
  FILE *fp;

  if ((fp = fopen(file, type)) == NULL) {
      (void)fprintf(stderr, "Can't open '%s' for '%s'\n", file, type);
      exit(1);
  }
  return(fp);
}

double
get_V(n,Y)
double n;
double *Y;
{
#define k (256)
#define p (1.0/256.0)
    double sum = 0.0;
    double divider = (n*p);
    double tmp;
    long i;

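    /* chi-square statistic of the k observed counts in Y against n*p each */
    for (i=0; i<k; i++) {
        tmp = Y[i] - divider;
        sum += (tmp*tmp)/divider;
    }
    return(sum);
}

/*
 * The end of get_V(), all of chichi3() and the head of check_chichi3()
 * were lost when this message was archived.  They are reconstructed here
 * (an assumption) by analogy with chichi5()/check_chichi5() below.
 * C3_* are the chi-square percentage points for 3 degrees of freedom.
 */
double
chichi3(n,cgt_75,c50_75,c25_50,clt_25)
double  n,cgt_75,c50_75,c25_50,clt_25;
{
    double sum = (cgt_75*cgt_75)/(0.25*n);
    sum += (c50_75*c50_75)/(0.25*n);
    sum += (c25_50*c25_50)/(0.25*n);
    sum += (clt_25*clt_25)/(0.25*n);
    return( sum - n );
}

int
check_chichi3(n,cgt_75,c50_75,c25_50,clt_25)
double        n,cgt_75,c50_75,c25_50,clt_25;
{
#define C3_01 0.1148
#define C3_05 0.3518
#define C3_25 1.213
#define C3_75 4.108
#define C3_95 7.815
#define C3_99 11.34
    double V3;
    int check = 0;

    if (n < min_chichi3) {
        return(check); /* too few tests to judge */
    }
    if ((V3 = chichi3(n,cgt_75,c50_75,c25_50,clt_25)) > C3_75) {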
        check++;
        if (V3 > C3_95) {
            check++;
            if (V3 > C3_99) {
                check++;
            }
        }
    } else if (V3 < C3_25) {
        check--;
        if (V3 < C3_05) {
            check--;
            if (V3 < C3_01) {
                check--;
            }
        }
    }
    return(check);
}

double
chichi5(n,cgt_95,c75_95,c50_75,c25_50,c05_25,clt_05)
double  n,cgt_95,c75_95,c50_75,c25_50,c05_25,clt_05;
{
    double sum = (cgt_95*cgt_95)/(0.05*n);
    sum += (c75_95*c75_95)/(0.20*n);
    sum += (c50_75*c50_75)/(0.25*n);
    sum += (c25_50*c25_50)/(0.25*n);
    sum += (c05_25*c05_25)/(0.20*n);
    sum += (clt_05*clt_05)/(0.05*n);
    return( sum - n );
}

int
check_chichi5(n,cgt_95,c75_95,c50_75,c25_50,c05_25,clt_05)
double        n,cgt_95,c75_95,c50_75,c25_50,c05_25,clt_05;
{
#define C5_01 0.5543
#define C5_05 1.1455
#define C5_25 2.675
#define C5_75 6.626
#define C5_95 11.07
#define C5_99 15.09
    double V5;
    int check = 0;

    if (n < min_chichi5) {
        return( check_chichi3(n,cgt_95+c75_95,c50_75,c25_50,c05_25+clt_05) );
    }
    if ((V5 = chichi5(n,cgt_95,c75_95,c50_75,c25_50,c05_25,clt_05)) > C5_75) {
        check++;
        if (V5 > C5_95) {
            check++;
            if (V5 > C5_99) {
                check++;
            }
        }
    } else if (V5 < C5_25) {
        check--;
        if (V5 < C5_05) {
            check--;
            if (V5 < C5_01) {
                check--;
            }
        }
    }
    return(check);
}

#ifdef DEBUG
double
chichi7(n,cgt_99,c95_99,c75_95,c50_75,c25_50,c05_25,c01_05,clt_01)
double        n,cgt_99,c95_99,c75_95,c50_75,c25_50,c05_25,c01_05,clt_01;
{
    double sum = (cgt_99*cgt_99)/(0.01*n);

    sum += (c95_99*c95_99)/(0.04*n);
    sum += (c75_95*c75_95)/(0.20*n);
    sum += (c50_75*c50_75)/(0.25*n);
    sum += (c25_50*c25_50)/(0.25*n);
    sum += (c05_25*c05_25)/(0.20*n);
    sum += (c01_05*c01_05)/(0.04*n);
    sum += (clt_01*clt_01)/(0.01*n);
    return( sum - n );
}

int
check_chichi7(n,cgt_99,c95_99,c75_95,c50_75,c25_50,c05_25,c01_05,clt_01)
double        n,cgt_99,c95_99,c75_95,c50_75,c25_50,c05_25,c01_05,clt_01;
{
#define C7_01 1.239
#define C7_05 2.167
#define C7_25 4.255
#define C7_75 9.037
#define C7_95 14.07
#define C7_99 18.48
    double V7;
    int check = 0;

    if (n < min_chichi7) {
        return( check_chichi5(n,cgt_99+c95_99,c75_95,c50_75,
                                c25_50,c05_25,c01_05+clt_01) );
    }
    if ((V7=chichi7(n,cgt_99,c95_99,c75_95,c50_75,
                      c25_50,c05_25,c01_05,clt_01)) > C7_75) {
        check++;
        if (V7 > C7_95) {
            check++;
            if (V7 > C7_99) {
                check++;
            }
        }
    } else if (V7 < C7_25) {
        check--;
        if (V7 < C7_05) {
            check--;
            if (V7 < C7_01) {
                check--;
            }
        }
    }
    return(check);
}
#endif

double
fill_arrays()
{
   double size=0.0;
   long ch,next,l,i;

   if ((ch = getc(ifp)) != EOF) { /* prime the pump */
       cnt[ch] = size = 1.0;
       while ((l = fread(buf, 1, BUFSIZE, ifp)) > 0) {
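           for (i=0; i<l; i++) {
               next = buf[i];
               cnt[next] += 1.0;            /* occurrence count */
               successors[ch][next] += 1.0; /* next followed ch */
               ch = next;
           }
           size += (double)l;
       }
   }
   return(size);
}

void
chi_2_test()
{
   /*
    * The end of fill_arrays() and the declarations below were lost when
    * this message was archived.  They are reconstructed (an assumption)
    * from the names the surviving code uses; all counters start at zero.
    */
   double V, size;
   double suc_tests = 0.0, suc_lowest = 1.0e30, suc_highest = 0.0;
   double suc_gt_99 = 0.0, suc_95_99 = 0.0, suc_75_95 = 0.0, suc_50_75 = 0.0;
   double suc_25_50 = 0.0, suc_05_25 = 0.0, suc_01_05 = 0.0, suc_lt_01 = 0.0;
   char *desc;
   long i;
#ifdef DEBUG
   FILE *chi_dat;
   double tocc_tests = 0.0, tocc_lowest = 1.0e30, tocc_highest = 0.0;
   double tocc_gt_99 = 0.0, tocc_95_99 = 0.0, tocc_75_95 = 0.0, tocc_50_75 = 0.0;
   double tocc_25_50 = 0.0, tocc_05_25 = 0.0, tocc_01_05 = 0.0, tocc_lt_01 = 0.0;
   double tsuc_tests = 0.0, tsuc_lowest = 1.0e30, tsuc_highest = 0.0;
   double tsuc_gt_99 = 0.0, tsuc_95_99 = 0.0, tsuc_75_95 = 0.0, tsuc_50_75 = 0.0;
   double tsuc_25_50 = 0.0, tsuc_05_25 = 0.0, tsuc_01_05 = 0.0, tsuc_lt_01 = 0.0;
#endif

   size = fill_arrays();

   /* occurrence test: distribution of byte values over the whole input */
   if ((V = get_V(size,cnt)) > V99) {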
       desc = ": *******Non-random (hi)\n";
#ifdef DEBUG
       tocc_gt_99++;
#endif
   } else if (V > V95) {
       desc = ": Suspect (hi)\n";
#ifdef DEBUG
       tocc_95_99++;
#endif
   } else if (V > V75) {
       desc = ": Acceptible (hi)\n";
#ifdef DEBUG
       tocc_75_95++;
#endif
   } else if (V > V50) {
       desc = ": Excellent (hi) !!!!!!!\n";
#ifdef DEBUG
       tocc_50_75++;
#endif
   } else if (V > V25) {
       desc = ": Excellent (lo) !!!!!!!\n";
#ifdef DEBUG
       tocc_25_50++;
#endif
   } else if (V > V05) {
       desc = ": Acceptible (lo)\n";
#ifdef DEBUG
       tocc_05_25++;
#endif
   } else if (V > V01) {
       desc = ": Suspect (lo)\n";
#ifdef DEBUG
       tocc_01_05++;
#endif
   } else {
       desc = ": *******Non-random (lo)\n";
#ifdef DEBUG
       tocc_lt_01++;
#endif
   }

   fprintf(ofp, "Occurance  V = %.2f (n = %.0f)%s", V, size, desc);


#ifdef DEBUG
   tocc_tests++;
   if (V < tocc_lowest) tocc_lowest = V;
   if (V > tocc_highest) tocc_highest = V;
#endif

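   /* successor test: for each byte value seen often enough, test the
      distribution of the bytes that followed it */
   for (i=0; i<NUM_BYTES; i++) {
       if (cnt[i] >= min_testable) {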
           if ((V = get_V(cnt[i],successors[i])) > V99) {
               suc_gt_99++;
           } else if (V > V95) {
               suc_95_99++;
           } else if (V > V75) {
               suc_75_95++;
           } else if (V > V50) {
               suc_50_75++;
           } else if (V > V25) {
               suc_25_50++;
           } else if (V > V05) {
               suc_05_25++;
           } else if (V > V01) {
               suc_01_05++;
           } else {
               suc_lt_01++;
           }
           suc_tests++;
           if (V < suc_lowest) suc_lowest = V;
           if (V > suc_highest) suc_highest = V;
       }
   }
   if (suc_tests > 0.0) {
       fprintf(ofp,
               "Successor Vd = %.2f %.2f %.2f %.2f %.2f %.2f %.2f %.2f\n",
                suc_gt_99*100.0/suc_tests,
                suc_95_99*100.0/suc_tests,
                suc_75_95*100.0/suc_tests,
                suc_50_75*100.0/suc_tests,
                suc_25_50*100.0/suc_tests,
                suc_05_25*100.0/suc_tests,
                suc_01_05*100.0/suc_tests,
                suc_lt_01*100.0/suc_tests);
       fprintf(ofp,
               "               deviation %d, (lowest = %.2f, highest = %.2f)\n",
               check_chichi5(suc_tests,
                             suc_gt_99+suc_95_99,suc_75_95,suc_50_75,
                             suc_25_50,suc_05_25,suc_01_05+suc_lt_01),
               suc_lowest, suc_highest);
   }

#ifdef DEBUG
   tsuc_tests += suc_tests;
   if (suc_lowest < tsuc_lowest) tsuc_lowest = suc_lowest;
   if (suc_highest > tsuc_highest) tsuc_highest = suc_highest;
   tsuc_gt_99 += suc_gt_99;
   tsuc_95_99 += suc_95_99;
   tsuc_75_95 += suc_75_95;
   tsuc_50_75 += suc_50_75;
   tsuc_25_50 += suc_25_50;
   tsuc_05_25 += suc_05_25;
   tsuc_01_05 += suc_01_05;
   tsuc_lt_01 += suc_lt_01;

   chi_dat = my_fopen(CFNAME, "w");
   fprintf(chi_dat, "%-14.0f - Total number of occurance tests\n",
           tocc_tests);
   fprintf(chi_dat, "%-14.2f - Highest V from an occurance test\n",
           tocc_highest);
   fprintf(chi_dat, "%-14.2f - Lowest V from an occurance test\n",
           tocc_lowest);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests above  %.2f\n",
           tocc_gt_99, V99);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_95_99, V95, V99);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_75_95, V75, V95);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_50_75, V50, V75);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_25_50, V25, V50);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_05_25, V05, V25);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests %.2f - %.2f\n",
           tocc_01_05, V01, V05);
   fprintf(chi_dat, "%-14.0f - Number of occurance tests below  %.2f\n",
           tocc_lt_01, V01);
   fprintf(chi_dat, "%-14.0f - Total number of successor tests\n",
           tsuc_tests);
   fprintf(chi_dat, "%-14.2f - Highest V from an successor test\n",
           tsuc_highest);
   fprintf(chi_dat, "%-14.2f - Lowest V from an successor test\n",
           tsuc_lowest);
   fprintf(chi_dat, "%-14.0f - Number of successor tests above  %.2f\n",
           tsuc_gt_99, V99);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_95_99, V95, V99);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_75_95, V75, V95);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_50_75, V50, V75);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_25_50, V25, V50);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_05_25, V05, V25);
   fprintf(chi_dat, "%-14.0f - Number of successor tests %.2f - %.2f\n",
           tsuc_01_05, V01, V05);
   fprintf(chi_dat, "%-14.0f - Number of successor tests below  %.2f\n",
           tsuc_lt_01, V01);
   fprintf(chi_dat,
           "Occurance Vd = %.2f %.2f %.2f %.2f %.2f %.2f %.2f %.2f",
            tocc_gt_99*100.0/tocc_tests,
            tocc_95_99*100.0/tocc_tests,
            tocc_75_95*100.0/tocc_tests,
            tocc_50_75*100.0/tocc_tests,
            tocc_25_50*100.0/tocc_tests,
            tocc_05_25*100.0/tocc_tests,
            tocc_01_05*100.0/tocc_tests,
            tocc_lt_01*100.0/tocc_tests);
   fprintf(chi_dat, " (deviation %d)\n",
           check_chichi7(tocc_tests,
                         tocc_gt_99,tocc_95_99,tocc_75_95,tocc_50_75,
                         tocc_25_50,tocc_05_25,tocc_01_05,tocc_lt_01));
   if (tsuc_tests > 0.0) {
       fprintf(chi_dat,
               "Successor Vd = %.2f %.2f %.2f %.2f %.2f %.2f %.2f %.2f",
                tsuc_gt_99*100.0/tsuc_tests,
                tsuc_95_99*100.0/tsuc_tests,
                tsuc_75_95*100.0/tsuc_tests,
                tsuc_50_75*100.0/tsuc_tests,
                tsuc_25_50*100.0/tsuc_tests,
                tsuc_05_25*100.0/tsuc_tests,
                tsuc_01_05*100.0/tsuc_tests,
                tsuc_lt_01*100.0/tsuc_tests);
       fprintf(chi_dat, " (deviation %d)\n",
               check_chichi7(tsuc_tests,
                             tsuc_gt_99,tsuc_95_99,tsuc_75_95,tsuc_50_75,
                             tsuc_25_50,tsuc_05_25,tsuc_01_05,tsuc_lt_01));
   }
   fclose(chi_dat);
#endif
}

int
main(argc,argv)
int argc;
char **argv;
{
   ifp = (argc > 1) ? my_fopen(argv[1],"rb") : stdin;
   ofp = (argc > 2) ? my_fopen(argv[2],"w") : stdout;
   chi_2_test();

   return(0);
}


---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
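
Added example (not part of Dr. Vulis's post): the same Maurer statistic for L=8, written as a Python function that takes a captured byte buffer instead of calling rand(), and run over two constructed samples. It shows the failure a stuck output bit produces, and that a seeded, fully predictable PRNG still passes, so an "acceptable" verdict does not establish unpredictability. The function names, the seed and the two sample generators are assumptions made for the illustration.

```python
import math
import random

L = 8                 # bits per block: one byte per block, as in the post
E_L = 7.1836656       # expected fTU for L = 8 (table in the post)
V_L = 3.238           # variance term for L = 8 (same table)


def maurer(data, q=10 * 2 ** L, k=None):
    """Maurer's universal test over a bytes-like sample.

    q bytes are used only to fill the last-seen table, the next k bytes
    are scored.  Returns (fTU, y, rho): the statistic, its distance from
    E_L in standard deviations, and the two-sided rejection probability.
    """
    if k is None:
        k = len(data) - q
    if q + k > len(data):
        raise ValueError("sample shorter than q + k bytes")
    if q < 10 * 2 ** L or k < 1000 * 2 ** L:
        raise ValueError("Maurer recommends q >= 10*2**L and k >= 1000*2**L")

    last_seen = [0] * 2 ** L
    total = 0.0
    for n, r in enumerate(data[:q + k], start=1):
        if n > q:
            total += math.log2(n - last_seen[r])   # log2 of the gap a_n
        last_seen[r] = n

    ftu = total / k
    c = 0.7 - 0.8 / L + (1.6 + 12.8 / L) * k ** (-4.0 / L)   # Maurer (13)
    sigma = c * math.sqrt(V_L / k)                           # Maurer (14)
    y = abs(ftu - E_L) / sigma
    rho = math.erfc(y / math.sqrt(2.0))    # same value as erf(-y/sqrt(2))+1
    return ftu, y, rho


def verdict(rho):
    """Thresholds used by the program in the post."""
    if rho < 0.0001:
        return "unacceptable"
    if rho < 0.001:
        return "marginal"
    return "acceptable"


def sample_prng(n, seed=1996):
    """Constructed sample 1: n bytes from a seeded Mersenne Twister.
    Statistically clean, but anyone who knows the seed can reproduce it."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def sample_stuck_bit(n, seed=1996):
    """Constructed sample 2: the same stream with bit 7 stuck at 0, the
    kind of fault a mis-wired sampling stage could produce."""
    return bytes(b & 0x7F for b in sample_prng(n, seed))


if __name__ == "__main__":
    n = 10 * 2 ** L + 1000 * 2 ** L
    for name, data in (("seeded PRNG", sample_prng(n)),
                       ("stuck bit 7", sample_stuck_bit(n))):
        ftu, y, rho = maurer(data)
        print("%-12s fTU=%.4f  y=%.1f sigma  rho=%.3g  %s"
              % (name, ftu, y, rho, verdict(rho)))
```

With one bit stuck only 128 byte values occur, so fTU falls to roughly the L=7 table value (6.196) and lands hundreds of standard deviations from E(8).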





From jimbell at pacifier.com  Mon Feb  5 05:17:28 1996
From: jimbell at pacifier.com (jim bell)
Date: Mon, 5 Feb 1996 21:17:28 +0800
Subject: [noise] Re: Charter of PDX Cpunk meetings
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

At 07:18 AM 2/4/96 -0800, bernardo at alpha.c2.org wrote:
>jim bell wrote:
>
>>> I think an explanation for this is due.  Jim is going to move his complaints
>>> here instead of dealing with them with me no matter what I do...
>>
>> Alan Olsen is correct, here.
>
>This is childish and pointless.  Please shut up or take it to email.

Odd that you would say this, even more odd that you would post it to the 
Cypherpunks list.  The only reason I am posting this is that you appear to 
be taking a remarkably similar position to Alan Olsen.

>
>> But he (the anonymous poster):
>> 1.  Flamed me on this national list, similarly to the way Alan Olsen later did.
>
>FWIW, this is an _international_ list with a lot of people who are
>just not interested in your petty bickering.  If you want to argue
>about this, please do it in private.

Then why didn't you send me the email directly, and NOT copy the list.  
Somehow, it appears you have a double standard.  The only reason I'm 
responding to you now, ON CYPHERPUNKS, is that you appear to be 
hypocritically asking me to "keep it off the list" at the same time you 
failed to do the same yourself.  Sounds like a double-standard.  Your 
behavior is remarkably reminiscent of Alan Olsen himself.

>  If Alan posts responses to the
>list, that's his problem.  You don't _have_ to answer in public.

It's been pointed out to me that because Alan flamed me in public, 
anonymously, on Cypherpunks, I am entitled to have it known what he did.

>> 2.  Failed to be willing to sustain the debate in a more appropriate list, 
>> even under a stable nym.
>
>You have something against anonymity?  In this case, perhaps this list
>is not the best place to be.

I think you're deliberately pretending to misunderstand.  I have nothing 
against anonymity.  While a "newbie," I was under the impression that the 
term "stable nym" (my usage) refers to an anonymous alias that is 
untraceable.  In fact, it was _I_ who suggested that this anonymous flamer 
(now apparently self-admittedly identified as Alan Olsen himself) adopt a 
stable nym and debate me on some other area more appropriate for the 
subject.  While I do feel there is CP relevance to the digital cash/good 
encryption/network applications of "Assassination Politics," I didn't want 
to force this on what I would like to think of as a "not particularly 
political" list.

(Recent topics have battered the distinction, I realize.  I don't want to 
make it "worse," however.)

>> that I had been flamed by that anonymous poster.  The fact that he was
>> anonymous says it all.  The fact that he has not returned says it all.  The 
>
>The fact that he was anonymous says nothing whatsoever.  So what if
>you received some email agreeing that you'd been flamed?

The point is, some people seem to agree that what this anonymous flamer did 
was against "netiquette," or at least against CP typical behavior.  Had he 
made his criticisms with a stable nym and been willing to sustain a serious 
debate (possibly on another area) that would have signalled that he was 
believable and serious.  He was not, however.


>> the fact that I am relatively new here.  I have no intention of inflicting
>> an unwelcome discussion of "Assassination Politics" on the list, and 
>
>Actually, and Perry may disagree here, but I'd have no objection to a
>discussion of "Assassination Politics", or any other nutty political
>theories, as long as we can stick to reasonably mature discussion and
>not flames and petty ego boosting.

"..other nutty political theories"?  Harummmph!  Well, I guess you got your 
"not so subtle" dig in, there.  I'd like to see a bit more widespread 
approval of such a discussion before actively starting it, anyway, 
especially by some of the "old-timers" here.  (Sadly, as a newbie, I don't 
really even know who the "old timers" are!)  But recently, there's been too 
much traffic anyway!


>> suffered any longterm loss of reputation of his own.  I, on the other hand, 
>> use my REAL NAME.
>
>Whoopie!  A True Name!  Big deal.  I care not one jot whether or not
>you use your REAL NAME.  I have no way of knowing if it is, in fact,
>your real name.  Should it make a difference?

Not necessarily.  As I pointed out before, I'm happy to debate a stable nym 
(a term I learned only a few weeks ago, BTW).  But completely anonymous 
flames from a person who cuts and runs does not improve the S/N ratio of 
this or any other list.

>No one is going to "suffer any longterm loss of reputation" by
>disagreeing with you, or anyone else, whether or not they use a nym
>(or anonymity).

I didn't want anybody to even be able to use the excuse of "I feared for my 
life debating with that vile purveyor of that wacky idea, 'Assassination 
Politics.'  "    I invited him to use a stable nym.


>> Only a fool would have taken an anonymous flamer seriously under those 
>> circumstances.
>
>An anonymous post is no less valid for being anonymous. 

You may be surprised that I absolutely agree.  However, the post was not 
merely "anonymous" but flaming, and the poster didn't stick around.  In 
other words, its anonymity didn't do it in, the motivation of the poster 
did, however.

> The only
>advantage of a stable nym, whether or not it's a True Name, is the
>ability to gain (or lose) reputation through the content of its
>posts.  Perhaps a nym with some reputation is taken more seriously
>than an anonymous poster, but so is an unknown nym.  Neither you nor
>Alan has any reputation to speak of (to me, at least), so an anonymous
>post has no less.

But on the other hand, a flaming "debate" on CP doesn't help any of YOU 
guys, the other readers of CP.  


>>> Jim ignored that request and I removed him from the list.
>> 
>> Read:  "Alan Olsen exercised his authority in his own personal fiefdom, the 
>> "PDX Cypherpunks list."
>
>Are you saying he doesn't have that right?  If it's his list, he can
>do whatever the hell he likes with it.

No, I merely translated "Olsen-speak" into language most of the rest of us 
could understand.  He had that right.  On the other hand, the exercise of 
this right displays Olsen's behavior for all to see.  I wanted there to be 
no doubt on the national list what Alan Olsen was doing.


>> On the contrary, I have no interest in dealing with this sleazy character in
>> email.  He was the one who chose a national list to do his flaming and 
>> baiting, and I think he deserves full "credit."
>
>In other words, you are not interested in resolving any problem you
>have with Alan, you just want to make a lot of noise in public in an
>attempt to "embarrass" him.  Go play on some other list where this
>kind of thing is appreciated.
>
>>> The following is the last I will say publicly on the matter.
>> 
>> You're going to take your bat and ball and "go thwait home!"  You hear your 
>> mommy calling, Alan.
>
>This list periodically devolves into this childishness.  I'm glad Alan
>is not going to say any more. 

I am, too.


> I award Alan 20 Reputation Points for
>being mature enough to walk away (delayed long enough to see whether
>he does)

As long as the record reflects his misbehavior, I am satisfied as well.

Jim Bell
jimbell at pacifier.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRVpWfqHVDBboB2dAQEzVgQAgIjr4L3tYYgoIAe+H25y8b/Z+mIRq+xz
HaTNntpFyBmIO3hGFLYNW90QurXd0sFHgRQJ0ohN103buI1j1NkqX1O7seKv3FaG
0png19/IkbrssZ7QwXUJU5tVuRY9h6eGi7pt2Rdj/OpkL3neyqKmYu3UmmOHZtMa
j2R/pWwdCwE=
=WXd4
-----END PGP SIGNATURE-----






From pagre at weber.ucsd.edu  Mon Feb  5 05:22:45 1996
From: pagre at weber.ucsd.edu (Phil Agre)
Date: Mon, 5 Feb 1996 21:22:45 +0800
Subject: Jamming and privacy problem
Message-ID: <199602050100.RAA21512@weber.ucsd.edu>


The emissions tracking proposal might have another sort of relevance to
cryptography.  Assuming (it's a big assumption, but entertain it for a
moment) that we agree that some type of automatic enforcement mechanism
for emissions-based repairs were a good thing, how could it be built
without identifying any individuals to the authorities?  What I find so
utterly over-the-top about the ARB proposal is that it is capable of
maintaining records on everybody everywhere, whether they are violating
any laws or not.  Of course they'll promise to protect privacy, and they
may even promise not to capture any records for people whose emissions
fault codes come up clean (though they say nothing about this in the RFP).
But such assurances would be nonsense, since once the system is in place
a simple software change would cause the system to revert back to the
total-surveillance functionality described in the RFP.  The key, then,
is designing systems so that simple software changes under the control
of the authorities can turn them into instruments of oppression.  This
design consideration is hard to even formulate accurately in the context
of traditional system design methodologies, which assume that everything
in sight comes with identifiers and that *the* way for a system to relate
to something is to represent it in terms of those identifiers.  Digital
cash and other such schemes are so profound precisely because they break
with this underlying assumption, forcing systems to think thoughts like
"this person (whoever s/he may be) has paid $1 to travel on this road",
"this person (whoever s/he may be) is eligible for an upgrade to first
class", "this person (whoever s/he may be) is obeying emissions laws",
and so on.  Philosophers and linguists call these "indexical" (or, more
precisely, "deictic") because they identify an individual contextually
without appealing to a name or other universal identifier.

Phil
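
A statement such as "this person (whoever s/he may be) is obeying emissions laws" can be carried by a blind signature, the primitive behind Chaum-style digital cash. The sketch below is an added illustration, not part of the original message: the key, the plate labels and every function name are constructed for the example, and the textbook RSA parameters are toy-sized.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key for the inspection authority: two Mersenne primes.
# Far too small for real use; textbook RSA with a hash, for illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # authority's private exponent


def h(serial: bytes) -> int:
    """Hash a token serial into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes):
    """Vehicle side: hide h(serial) from the authority with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r


def authority_sign(blinded: int) -> int:
    """Inspection station: after a passed test, sign the blinded value as-is."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Vehicle side: strip r, leaving an ordinary signature on h(serial)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Roadside checker: needs only the public key (N, E), no identifier."""
    return pow(sig, E, N) == h(serial)


def consistent_entries(log, serial: bytes) -> int:
    """Count station-log entries that could have produced this token.

    Uses the private exponent D, i.e. the strongest position the authority
    can be in. For every logged blinded value b there is a blinding factor
    r with b = h(serial) * r^E, so every entry matches and none stands out.
    """
    target = h(serial)
    inv = pow(target, -1, N)
    count = 0
    for _identity, blinded in log:
        r = pow(blinded * inv % N, D, N)          # the r that would fit
        if (target * pow(r, E, N)) % N == blinded:
            count += 1
    return count


def run_demo():
    """Three constructed vehicles pass inspection and obtain tokens."""
    station_log = []   # all the authority can retain: (identity, blinded value)
    tokens = {}        # what each vehicle later shows: (serial, signature)
    for plate in ("CONSTRUCTED-1", "CONSTRUCTED-2", "CONSTRUCTED-3"):
        serial = secrets.token_bytes(16)
        blinded, r = blind(serial)
        station_log.append((plate, blinded))
        tokens[plate] = (serial, unblind(authority_sign(blinded), r))
    return station_log, tokens


if __name__ == "__main__":
    log, tokens = run_demo()
    serial, sig = tokens["CONSTRUCTED-2"]
    print("token verifies:", verify(serial, sig))
    print("forged token verifies:", verify(b"forged serial", sig))
    print("log entries consistent with it:",
          consistent_entries(log, serial), "of", len(log))
```

The station's log holds identities and the checker sees valid tokens, but no later software change lets the authority join the two, because the link was never recorded in a recoverable form.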





From frankw at in.net  Mon Feb  5 05:41:33 1996
From: frankw at in.net (Frank Willoughby)
Date: Mon, 5 Feb 1996 21:41:33 +0800
Subject: Fair Credit Reporting Act and Privacy Act
Message-ID: <9602051325.AA08532@su1.in.net>


FWIW, while the goal of the cypherpunks in helping to promote secure
private communications by making encryption publicly available on a 
worldwide scale, definitely helps socially backward countries which 
have dictators (communist or otherwise), it misses its mark somewhat 
in the USA.  Personally, I think that in the USA, this is treating 
the symptom, but not the disease.

Probably the easiest way of ensuring that personal information isn't 
wantonly distributed by credit agencies or (anyone else) is to update 
our Privacy Act - which is ridiculously out-of-date and badly in need of
being re-written.  It is also hampered by its apparent lack of teeth.

My personal recommendation would be a law like Germany's BDSG
(BundesDatenSchutzGesetz, which translates to: Federal Information/Data 
Protection Law, aka Privacy Act).  Even better would be a law like the 
one in Austria (which I understand has the world's strictest privacy act).  
(Hooray for the Austrians).  8^)

If the Privacy Act were rewritten to be as strict as the BDSG, businesses
would have a (mandatory) legal requirement to:

o Ensure that personal data is stored properly (by encrypting it, etc)
o Ensure that personal data is not distributed
o Ensure that databases are *not* being maintained which describe the
   characteristics of individuals (buying habits, income, property 
   ownership, etc) wantonly propagated by marketing (direct mail, 
   telemarketing, etc) companies.  

  (Note that credit bureaus still have a function, but they would be 
   (forced to be) responsible for ensuring that compliance with the 
   Privacy Act would be maintained.  This could result in better
   safeguards being implemented by the credit bureaus.)


resulting in the following by-products:

o the promotion of the use & implementation of encryption - including
   the possibility of ITAR being reduced or eliminated for the export
   of encryption products
o reduced propagation of personal information
o reduced amount of junk mail that winds its way to our mailboxes each day  8^)
o reduced amounts of tele-marketing  8^)


If pressure were brought to bear on the law-makers to rewrite the Privacy
Act to give it qualities like the BDSG, etc, then this would significantly
help achieve the cypherpunks' goal of promoting secure private communications.
(I realize this isn't the only goal of the c'punks, but it's a start).  As the 
changes would be made within "the system" as opposed to outside of it, there
would be virtually no hassle from the government.

IOW, changing the Privacy Act will probably solve a variety of problems while
achieving the c'punks' goal of secure personal communications.


Food for thought.

Best Regards,


Frank

The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified
Home of the Free Internet Firewall Evaluation Checklist








From m5 at dev.tivoli.com  Mon Feb  5 06:01:28 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Mon, 5 Feb 1996 22:01:28 +0800
Subject: free speach and the government
In-Reply-To: <2.2.16.19960203234059.2eb7ed1c@mailserv.uni-tuebingen.de>
Message-ID: <9602051343.AA16098@alpha>



Stephan Mohr writes:
 > Well, maybe my imagination isn't strong enough to make my point. But do
 > you fighter for free speech, in principle, think that nothing, really
 > nothing, shouldn't be prevented of being published? And by being
 > published, I mean published in the net, not at loompanics (who knows
 > loompanics?).

Well, if it's OK to publish via Loompanics I don't see what your point
is.  Anybody psychotic enough to poison a municipal water supply won't
be deterred by being denied on-line access to information.

Remember that far, far more people walk in and out of bookstores and
libraries every day than log into a computer connected to the
Internet.

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX    * I want more, I want more,
       m5 at tivoli.com * m101 at io.com          * I want more, I want more ...
               *_______________________________





From m5 at dev.tivoli.com  Mon Feb  5 06:09:42 1996
From: m5 at dev.tivoli.com (Mike McNally)
Date: Mon, 5 Feb 1996 22:09:42 +0800
Subject: Imminent Death of Usenet Predicted
In-Reply-To: <01I0SEGNWJAYA0UTZ4@mbcl.rutgers.edu>
Message-ID: <9602051345.AA19001@alpha>



E. ALLEN SMITH writes:
 > 	Now, this can all be fought in the courts and will likely be defeated..
 > but it would still cause some problems. Am I completely incorrect, or do the
 > programmers on here and elsewhere need to start coming up with a better way to
 > do things?

InterNIC does what it does by general agreement.  It has no special
dispensation from a deity to control internet addressing.

______c_____________________________________________________________________
Mike M Nally * Tiv^H^H^H IBM * Austin TX    * I want more, I want more,
       m5 at tivoli.com * m101 at io.com          * I want more, I want more ...
               *_______________________________





From PADGETT at hobbes.orl.mmc.com  Mon Feb  5 06:44:58 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Mon, 5 Feb 1996 22:44:58 +0800
Subject: Protecting the innocent on the nets
Message-ID: <960205092959.20213e8d@hobbes.orl.mmc.com>


David wrote:
>If so, then using the dictionary as the key seems bad---the
>compression dictionary is not designed to obscure the data, but to aid
>in compression.  The dictionary might well be easy to guess.  For
>example, some compression schemes use a Huffman coding on their
>dictionary.  If so, one can guess that short pointers into the
>dictionary correspond to common plaintext strings.  Using such a
>dictionary as an encryption system is security through obscurity.

Oh Heavens to Betsy, I was not trying to describe *crypto*, that might
be regulated. Was describing a mechanism to comply with the new Scudderite
laws concerning protecting the innocent from nasty sights.

Figure it this way: can duplicate CD-Roms for a quarter. If a subscription
costs $19.95/yr then who is going to bother with cloning it ? "controlled
circulation" magazines would save postage. Web pages could be posted with 
nothing but pointers (don't tell me you have never sat waiting for a
little red bar to reach the end) and assurance that only a specified audience
could look at the pretty pictures (which compress the best of all 8*).

Further, if the intent is to satisfy a law then would this not be a "good 
faith" attempt to do so ? Zippy's friends have decided what is not safe to be
on the net in the clear but they have not said what it takes to protect the
innocent while allowing consenting adults their freedom to communicate.

If I want good crypto I just use PGP (and the Enclyptor makes it real easy).
This is something completely different.
						Warmly,
							Padgett





From cmullins at cwa.com  Mon Feb  5 07:09:45 1996
From: cmullins at cwa.com (Charlie Mullins)
Date: Mon, 5 Feb 1996 23:09:45 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
In-Reply-To: <9602031850.AA18675@frumious-bandersnatch.MIT.EDU>
Message-ID: <31161B4A.794BDF32@cwa.com>


sethf at MIT.EDU wrote:
> 
>         HOLD YOUR FLAMES! That message looks like a troll designed to
> set us all off arguing. DON'T FEED THE TROLL.
> 
> --
> Seth Finkelstein                                sethf at mit.edu
> Disclaimer : I am not the Lorax. I speak only for myself.
> Freedom of Expression URL http://www.mit.edu:8001/activities/safe/home.html


I took it as a rather humorous parody.

--

Charlie Mullins





From alano at teleport.com  Mon Feb  5 07:23:47 1996
From: alano at teleport.com (Alan Olsen)
Date: Mon, 5 Feb 1996 23:23:47 +0800
Subject: free speech and the government
Message-ID: <2.2.32.19960204224051.00955628@mail.teleport.com>


At 09:25 PM 2/4/96 +0000, Stephan Mohr wrote:

>Actually, I am glad that the whole story started over some neo-nazi stuff
>and not a recipe to easily make a very potent poison. 

For some strange reason, people believe it is difficult to find information
on such things.

I picked up my copy of _Poisons and Poisoners_ by C. J. S. Thompson at
Barnes and Noble in the discount section for $9.98.  Books on the topic can
also be picked up in bookstores catering to Murder Mystery fans.  (Some
excellent descriptions of esoteric poisons can be derived from these books.)

"Forbidden" information is hard to forbid with the existence of the printing
press.  Electronic networks make the information even more available.  Are
you suggesting that we burn all the books with "dangerous" information?  And
whose definition of "danger" do we take?  Yours? Mine? The National Council
of Churches?

Crypto relevance:  Some people regard the ability to hide "dangerous"
information to be as "dangerous" as the information hidden.  Freedom of
Speech includes the right to choose who can listen to that speech.

Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From karl.ike at sihope.com  Mon Feb  5 07:47:11 1996
From: karl.ike at sihope.com (Karl Ike)
Date: Mon, 5 Feb 1996 23:47:11 +0800
Subject: No Subject
Message-ID: <199602051531.JAA07578@unix1.sihope.com>


Attila: I'm not in the business of running or hiding. I'm just an average,
everyday working guy that doesn't like credit reporting agencies, what they
stand for or what they do for money. I didn't say that I was going to do
this. I just had the idea! I don't have the knowledge or the money to spend.
That doesn't mean that there is someone out there that would jump at the idea.

I just don't like the idea that these assholes know more about me than my
mother and sell my private and personal information to anyone for big bucks.
My credit is fine, just ask my banker or better yet, my mom.

I am assuming that you know far more people on the internet since I have
only been on for a month and have done three e-mails. I'm just suggesting to
get the idea out and someone will take the ball and run. Yes, they will be a
hunted man, but not a US citizen. Someone out there with a laptop and a
cellular, living on a cruise ship, just may enjoy the idea.

Just me, Karl






From hal9001 at panix.com  Mon Feb  5 08:05:51 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 6 Feb 1996 00:05:51 +0800
Subject: Encryption and Backups
Message-ID: 


At 20:33 2/4/96, John Pettitt wrote:

>On Sun, 4 Feb 1996, Alan Olsen wrote:
>
>> Something that I have not seen addressed is the need for strong encryption
>> in backup software.
>>
>> Most backup software has an "encryption" option, but I have seen few that
>> have anything resembling strong encryption.  Furthermore, I have seen no
>> real push for strong encryption for backups at all.
>> ...
>> Might be an idea for a product there...  (And you can bet law enforcement
>> would throw a hissy fit about its existence.)
>>
>CP Backup (part of PC Tools for Central Point aka Symantec) has DES. As to
>how good the implementation is: I have no idea.


Retrospect (a Mac Tape/Floppy Backup Utility) also has an Encryption Option
I think.







From PADGETT at hobbes.orl.mmc.com  Mon Feb  5 08:11:19 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Tue, 6 Feb 1996 00:11:19 +0800
Subject: [NOISE] Futplex makes the news!
Message-ID: <960204195726.2020e029@hobbes.orl.mmc.com>


OK, I give up. Took off the head phones  connected to the TO, went downstairs,
set the V-15 Type II on the Dual 1019 to 7/8 gm. Patched to the Pioneer 1500TD
amp feeding front AR-5's and rear AR-2ax's, cranked to "pain" and spun some
vinyl.

"Freedom's just anotha' word foa nothin' left to lose." - Janis Joplin &
Full Tilt Boogie Band, Columbia PC 32168 (first one I found in the pile -
believe the original was on an album with her standing spraddlelegged with
the big grin - is here *somewhere*. Credit on the record was K. Kristofferson
and F. Foster. (Had to go downstairs, contrary to popular belief, everything
is not in my den 8*).
						warmly,
							Padgett





From dlv at bwalk.dm.com  Mon Feb  5 08:11:42 1996
From: dlv at bwalk.dm.com (Dr. Dimitri Vulis)
Date: Tue, 6 Feb 1996 00:11:42 +0800
Subject: [NOISE] Is this email getting through?
In-Reply-To: 
Message-ID: <2mVsiD57w165w@bwalk.dm.com>


shamrock at netcom.com (Lucky Green) writes:
> I have not received any CP traffic for several days. Repeated
> (re-)subscription requests didn't generate a reply from majordomo. If this
> message shows up on the list, please let me know.

You've probably received no CP traffic because none was posted to the
mailing list. Have you been getting much noise, sound, fury, and the flaming of
innocent anonymous remailers? :-)

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps





From tcmay at got.net  Mon Feb  5 08:13:25 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 6 Feb 1996 00:13:25 +0800
Subject: Songs, Janis, Left to Lose, and Salinas
Message-ID: 


At 12:57 AM 2/5/96, "A. Padgett Peterson, P.E. Information Security"
>OK, I give up. Took off the head phones  connected to the TO, went downstairs,
>set the V-15 Type II on the Dual 1019 to 7/8 gm. Patched to the Pioneer 1500TD
>amp feeding front AR-5's and rear AR-2ax's, cranked to "pain" and spun some
>vinyl.

You might want to explain to the GenXers what "vinyl" is.


>"Freedom's just anotha' word foa nothin' left to lose." - Janis Joplin &
>Full Tilt Boogie Band, Columbia PC 32168 (first one I found in the pile -
>believe the original was on an album with her standing spraddlelegged with
>the big grin - is here *somewhere*. Credit on the record was K. Kristofferson
>and F. Foster. (Had to go downstairs, contrary to popular belief, everything
>is not in my den 8*).

Speaking of this song, I live "near Salinas."

--Tim


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From nobody at REPLAY.COM  Mon Feb  5 08:14:32 1996
From: nobody at REPLAY.COM (Anonymous)
Date: Tue, 6 Feb 1996 00:14:32 +0800
Subject: Indecent Trash
Message-ID: <199602042352.AAA09555@utopia.hacktic.nl>


-----BEGIN PGP SIGNED MESSAGE-----

On 10 Jan 96 at 10:42, t byfield wrote:

> At 10:26 PM 1/9/96, Alexander 'Sasha' Chislenko wrote:
> 
> >- Landfills:  They are probably the richest source of detailed 
> >   historical information that is not obtainable from any 
> >   other source and can be used to reconstruct the detailed 
> >   history of society, economy, technology and any single 
> >   person with incredible detail.

> I ain't holding my breath until someone develops a search 
> engine for Fresh Kills.

I can see it now... about the time that Grandson of Altavista 
finally yields a URL for Jimmy Hoffa's body in some dump 
somewhere the government will have figured out that it's so 
much simpler to catalog the stuff on the way IN, when all the 
artifacts are fresh and unmixed. While we're all watching what 
the government does to intercept packets, they will be routing 
*trash* packets through mysterious "garbage routers."  

As the stink grows stronger, someone will conceive of anonymous 
trash forwarders. They will accept unidentified trash, no 
questions asked, anonymize it with random DNA and fingerprint 
whorls, and sneak it into public trash receptacles. DNA 
generators will enable the mischievous to plant fabricated 
indications that Hillary did indeed have something going with 
Vince, the late Khomeini (hey, hard is hard, right?) as well as 
legions of four-footed friends, confirming the suspicions of 
multitudes.

As the piles of trash-based data grow, some Senator from
Nebraska will sound the alarm that kids are too easily exposed
to the indecent signs of private behavior retrievable on the
Net and will propose draconian measures to hold everyone
responsible for their contributions to the city landfill. 
Public receptacles will be closed. Trash will only be collected 
from registered Identified Surplus Providers (ISP's). $250,000 
fine for disposing of a condom in a dump accessible from the 
Internet... 10 years in prison for carelessly tossing those 
nasty Polaroids in the kitchen compactor. The trash of the world
will have to be made safe for kids to view.

Everything will be a lot easier to trace and control if the
garbage input is fully identified. Barcodes on trash bags
might do for starters. Access to the garbage system might have
to be restricted to those 18 and over. Trash collectors could
be made responsible for content, drafting them without pay into
the ranks of the trash police. People could be encouraged to
report suspicious trash, and trash-related activities like
neighbors sneaking out at night to place an innocent-looking
compactor bag down the block with someone else's trash.  

For their own protection, youngsters might be required to retain 
all their garbage until age 18 and then, in a solemn ceremony 
worthy of the true significance of coming of age, pitch it all 
(duly anonymized to prevent abuse of minor indiscretions) from 
their new position as lawful participants in the world garbage 
system, friends and well-wishers trying to applaud and hold their 
noses at the same time (try it -- if you're not careful you can 
break your own nose, but hey, that'll work, too!). Who knows? 
Maybe Heinlein's advocacy of keeping kids in a barrel and feeding 
them through a hole until age 18 will enjoy resurgence among the 
compulsively protective while the Web meanwhile will provide real 
time underground data on Heinlein's rpm rate.

Protecting the trash of youth will, however, give rise to the 
hiding of adult trash among that of the underaged. The government
will have to root out offenders and "impute" suspicious trash 
to the parents. Those with no visible source of trash will of 
course be suspect, and will have to emit innocent trash to 
cover themselves. This will give rise to the practice of "trash 
laundering," in which agents convert nasty trash to innocuous 
trash that may then be tossed into any monitored, controlled 
channels with no repercussions.

Trash laundering will become a grave offense to the 
accompaniment of government and Ad Council PSA's and free 
brochures from Pueblo, Colorado. Blatant offenders who have 
fled to foreign climes will be kidnapped, some will be tortured,
because the War Against Filth will be a moral commitment of the 
national body. Foreign governments headed by suspected trash 
traffickers will be toppled in quickie invasions, their leaders 
brought back in chains to disappear into federal dungeons. Public 
debate will center on the legalities and rationalizations of 
using the military in policing domestic trash, while agencies 
such as the FBI cry for more budget to fight the scourge that 
threatens the decency of the nation's repositories.

Control of trash will spread inevitably to control of liquid 
wastes, whereupon a terrible discovery will be made: Everyone, 
but everyone, emits unspeakable bodily products. At that point 
the government will have no choice but to reluctantly declare 
everyone an outlaw and execute the populace.

It's all as logical as what happens when you introduce division 
by zero way down at the bottom of the complex equation where it 
isn't so noticeable.

We Jurgar Din
(that will have to suffice: I do not yet live in a free country)

+"The battle, Sir, is not to the strong alone. It is to the+
+vigilant, the active, the brave. Besides, Sir, we have no +
+election. If we were base enough to desire it, it is now  +
+too late to retire from the contest." -Patrick Henry 1775 +


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBVAwUBMPS/PEjw99YhtpnhAQH1UQH5AdXBd7AvG6xT7x/cTXf5W1cAUXzoJ+GB
N0/SPrdoJnbUSN5LkJDwoVwA/eiL6/LVN9CjtmQwmydyBysM7M/7Xw==
=q+CF
-----END PGP SIGNATURE-----











From jimbell at pacifier.com  Mon Feb  5 08:17:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 6 Feb 1996 00:17:20 +0800
Subject: verification of randomness
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

At 03:57 AM 2/5/96 +0100, Andreas Bogk wrote:

>I've built a random number generator based on the noise of a Zener
>diode. Now I'd like to verify its correct operation. I'd be very
>grateful if someone could point me to existing software for randomness
>tests or additional tests not mentioned in Knuth.
>I'll make the design of the generator available as soon as I've
>verified its operation.
>Andreas

Excellent!  Sounds like a worthwhile project.  If you have an email mailing 
list, put me on it please.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRWRnvqHVDBboB2dAQFgWwQAlgxpZ1Bx21HRU39ikFUKBFoewtfjVzcD
zwOjkf5IXyITNV1IZmwmbIyzVmu1ndWr4NHhZZhxD9jCyzC6qFqvED/7Zye4vUdV
XkcTDIBqqa334Awm7dsDMwvC2GKhHbCLIcZSI7gXBf/5C3V42EKdvi18Bqn9cs5M
vJ0OnN93iBY=
=MmWv
-----END PGP SIGNATURE-----






From karl.ike at sihope.com  Mon Feb  5 08:23:01 1996
From: karl.ike at sihope.com (Karl Ike)
Date: Tue, 6 Feb 1996 00:23:01 +0800
Subject: No Subject
Message-ID: <199602050558.XAA17819@unix1.sihope.com>


It is impossible to get changes in the Fair Credit Reporting Act in the
traditional way. Credit reporting agencies have far too much personal
information that is passed out with incredible ease at the consumer's expense. 

I have a suggestion! 

Today, with TRW, Equifax and TransUnion's vast network, it is easy to obtain
anyone's credit report from various sources. Do you think if someone,
outside of the USA, obtained the credit reports on half, maybe all, of the
US Senators, congressmen, judges, etc, and published them in their entirety,
on the internet, from outside the US, would get their attention? Then there
would be changes, overnight, protecting the right of privacy! Let them
become the victim of credit reporting agencies once and shit will happen
overnight. 

If someone who is not a US citizen does this from outside the US, I don't
think that they can be held accountable under US law? I am new to the
internet and don't have a clue how to do it, but someone out there does and
probably has a friend in Bangkok that will help him. Put the word out! 






From Kevin.L.Prigge-2 at cis.umn.edu  Mon Feb  5 08:39:16 1996
From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge)
Date: Tue, 6 Feb 1996 00:39:16 +0800
Subject: [local] Minneapolis CP get-together
Message-ID: <311629354a51002@noc.cis.umn.edu>



Who: Minneapolis Cypherpunks
What: Local get-together & key signing party
When: Saturday, Feb 10th @ approx 5pm -> ???
Where: Applebees (3200 W Lake St)

I'll be facilitating a key signing, send your public key to me
before hand to get on the list. If you have any questions or need
directions, let me know.





From steven at echonyc.com  Mon Feb  5 08:39:51 1996
From: steven at echonyc.com (Steven Levy)
Date: Tue, 6 Feb 1996 00:39:51 +0800
Subject: A Sign of the Future
In-Reply-To: <199602050625.AAA00118@proust.suba.com>
Message-ID: 


Give me a break.  I do not work for Wired but I write for them at times, 
and most often my subject is crypto related. I can tell you for a fact 
that there is no anti-cypherpunk policy there. I have a long article that 
deals in part with cypherpunk-related cryptanalysis in the March issue and 
I was, as is always the case, left to make my own editorial judgement.

On Mon, 5 Feb 1996, Alex Strasheim wrote:

> >     Concerns about privacy and anonymity are outdated. Cypherpunks 
> >     think they are rebels with a cause, but they are really
> >     sentimentalists. 
> 
> I'm not much for big conspiracy theories, but I like the little ones.
> 
> If this was really in Wired, do you think it was written before or after 
> Tim dissed that magazine here?
> 
> 
> 





From cnd at triode.apana.org.au  Mon Feb  5 08:47:09 1996
From: cnd at triode.apana.org.au (Christopher Drake)
Date: Tue, 6 Feb 1996 00:47:09 +0800
Subject: Intro from a list reader
Message-ID: <199602051620.DAA06735@triode.apana.org.au>


Hello,

        My name is Christopher Drake, I own the company NetSafe.  We
        manufacture and sell one product - NetSafe - which prevents one
        small but universally unaddressed, serious problem in computer
        security:  We prevent passwords (etc) from being stolen with
        Key Press Password recorders (KPPRs).

        My interest in this list is to stay up-to-date with the industry.

        You may recently have heard of the First Virtual announcement re:
        credit card number theft via automated means: our software specifically
        prevents this.

        Full details can be found at    http://pobox.com/~netsafe

        Interested parties from the recent cypherpunks meeting might
        like to note my public key: after the discussion I finally did it :-)


NetSafe. PO Box 298, North Sydney 2060, Australia.  (24hrs) Tel:+61 2 9966 1995
WWW: http://pobox.com/~netsafe   E-Mail: NetSafe at pobox.com  Fax: (02) 9957 1991

NetSafe provides inexpensive military certified security software to protect 
against key-press password recorders, trojan horses, viruses, etc. Antitamper
antitracing antidisassembly protection is also included.

>>>>>>>>> Passwords should be protected in a manner that is consistent <<<<<<<<<
>>>>>>>>> with the damage that could be caused by their compromise.    <<<<<<<<<

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.i

mQCNAjD/mQAAAAEEAP/////NetSafe+PGP+key////We+provide+inexpensive
AntiFraud/theft+etc+Security+Software5tGfKREuINIWsQqsLNS+uAneN9M
SuMu37f+NU/U2djtxE/b9h4bJ4wb8h3QkBiuTAS1QjpxpxryQzZ10zzGQe8VAAUR
tChDaHJpc3RvcGhlciBOLiBEcmFrZSA8TmV0U2FmZUBQb2JveC5jb20+
=SGC/
-----END PGP PUBLIC KEY BLOCK-----







From raph at CS.Berkeley.EDU  Mon Feb  5 09:23:10 1996
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Tue, 6 Feb 1996 01:23:10 +0800
Subject: List of reliable remailers
Message-ID: <199602051450.GAA04545@kiwi.cs.berkeley.edu>


   I operate a remailer pinging service which collects detailed
information about remailer features and reliability.

   To use it, just finger remailer-list at kiwi.cs.berkeley.edu

   There is also a Web version of the same information, plus lots of
interesting links to remailer-related resources, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html

   This information is used by premail, a remailer chaining and PGP
encrypting client for outgoing mail, which is available at:
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz

   For the PGP public keys of the remailers, finger
pgpkeys at kiwi.cs.berkeley.edu

This is the current info:

                                 REMAILER LIST

   This is an automatically generated listing of remailers. The first
   part of the listing shows the remailers along with configuration
   options and special features for each of the remailers. The second
   part shows the 12-day history, and average latency and uptime for each
   remailer. You can also get this list by fingering
   remailer-list at kiwi.cs.berkeley.edu.

$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub reord";
$remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"rahul"} = " cpunk pgp hash filter";
$remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?";
$remailer{"ford"} = " cpunk pgp hash ksub ek";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord";
$remailer{"robo"} = " cpunk hash mix";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek";
$remailer{"ecafe"} = " cpunk mix";
$remailer{"wmono"} = " cpunk mix pgp. hash latent cut";
$remailer{"shinobi"} = " cpunk mix hash latent cut ek reord";
$remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub";
$remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{"pamphlet"} = " cpunk pgp hash latent cut ?";
$remailer{'alpha'} = ' alpha pgp';
$remailer{'gondonym'} = ' alpha pgp';
$remailer{'nymrod'} = ' alpha pgp';
catalyst at netcom.com is _not_ a remailer.
lmccarth at ducie.cs.umass.edu is _not_ a remailer.
usura at replay.com is _not_ a remailer.

Groups of remailers sharing a machine or operator:
(c2 robo hroller alpha)
(gondolin gondonym)
(flame hacktic replay)
(alumni portal)
(vishnu spook wmono)

Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys
for the remailers. Fingering this address works too.

Note: The remailer list now includes information for the alpha
nymserver.

Last update: Mon 5 Feb 96 6:47:36 PST
remailer  email address                        history  latency  uptime
-----------------------------------------------------------------------
ford     remailer at bi-node.zerberus.de     +--+++++..-+  8:06:08  99.94%
portal   hfinney at shell.portal.com         *#+*########      :42  99.94%
alumni   hal at alumni.caltech.edu           +-+#+ ---*##    27:01  99.81%
pamphlet pamphlet at idiom.com               +++++++ ++++    44:57  99.80%
alpha    alias at alpha.c2.org               ***** ***-**    18:20  99.72%
hroller  hroller at c2.org                   ###### ##-##    12:23  99.63%
mix      mixmaster at remail.obscura.com     ++-+- -----+  1:25:43  99.56%
gondolin mix at remail.gondolin.org                 ----   7:30:27  99.47%
flame    remailer at flame.alias.net         --+++ + -++-  1:17:58  99.41%
ecafe    cpunk at remail.ecafe.org           ##*## + ##*#     1:46  99.41%
c2       remail at c2.org                    ***** *** **    23:58  99.29%
nymrod   nymrod at nym.alias.net             ***+*** ***      7:40  99.18%
gondonym alias at nym.gondolin.org                   *--   4:42:54  98.55%
shinobi  remailer at shinobi.alias.net        #### # *#-#    33:56  98.34%
extropia remail at extropia.wimsey.com       _.__.-.---   21:13:22  97.85%
vishnu   mixmaster at vishnu.alias.net        +*+****--+     37:03  96.15%
penet    anon at anon.penet.fi               __.-__  _ .  44:43:59  92.95%
rahul    homer at rahul.net                  ** ## ****##     4:49  99.66%
hacktic  remailer at utopia.hacktic.nl          ** + ****     8:01  89.57%
replay   remailer at replay.com                 *- +****      6:41  80.79%
tjava    remailer at tjava.com               *#####           2:46  32.29%

   History key
     * # response in less than 5 minutes.
     * * response in less than 1 hour.
     * + response in less than 4 hours.
     * - response in less than 24 hours.
     * . response in more than 1 day.
     * _ response came back too late (more than 2 days).

   cpunk
          A major class of remailers. Supports Request-Remailing-To:
          field.
          
   eric
          A variant of the cpunk style. Uses Anon-Send-To: instead.
          
   penet
          The third class of remailers (at least for right now). Uses
          X-Anon-To: in the header.
          
   pgp
          Remailer supports encryption with PGP. A period after the
          keyword means that the short name, rather than the full email
          address, should be used as the encryption key ID.
          
   hash
          Supports ## pasting, so anything can be put into the headers of
          outgoing messages.
          
   ksub
          Remailer always kills subject header, even in non-pgp mode.
          
   nsub
          Remailer always preserves subject header, even in pgp mode.
          
   latent
          Supports Matt Ghio's Latent-Time: option.
          
   cut
          Supports Matt Ghio's Cutmarks: option.
          
   post
          Post to Usenet using Post-To: or Anon-Post-To: header.
          
   ek
          Encrypt responses in reply blocks using Encrypt-Key: header.
          
   special
          Accepts only pgp encrypted messages.
          
   mix
          Can accept messages in Mixmaster format.
          
   reord
          Attempts to foil traffic analysis by reordering messages. Note:
          I'm relying on the word of the remailer operator here, and
          haven't verified the reord info myself.

   mon
          Remailer has been known to monitor contents of private email.
          
   filter
          Remailer has been known to filter messages based on content. If
          not listed in conjunction with mon, then only messages destined
          for public forums are subject to filtering.
          

Raph Levien
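Added example, not part of Raph Levien's message and not premail's code: a Python sketch that parses both parts of the listing above (the $remailer{...} capability lines and the latency/uptime table) and picks a chain of reliable remailers in which no two hops share a machine or operator. The uptime threshold, the ranking policy and the function names are assumptions of this example.

```python
import re

# Excerpt copied from the listing above so the example runs offline.
SAMPLE = """\
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"c2"} = " eric pgp hash reord";
$remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord";
$remailer{"hroller"} = " cpunk pgp hash latent ek";
$remailer{"replay"} = " cpunk mix pgp hash latent cut post ek";
$remailer{"tjava"} = " cpunk mix pgp hash latent cut";
$remailer{'alpha'} = ' alpha pgp';
(c2 robo hroller alpha)
(flame hacktic replay)
(alumni portal)
portal   hfinney at shell.portal.com         *#+*########      :42  99.94%
alumni   hal at alumni.caltech.edu           +-+#+ ---*##    27:01  99.81%
alpha    alias at alpha.c2.org               ***** ***-**    18:20  99.72%
hroller  hroller at c2.org                   ###### ##-##    12:23  99.63%
flame    remailer at flame.alias.net         --+++ + -++-  1:17:58  99.41%
c2       remail at c2.org                    ***** *** **    23:58  99.29%
replay   remailer at replay.com                 *- +****      6:41  80.79%
tjava    remailer at tjava.com               *#####           2:46  32.29%
"""

CAP_RE = re.compile(r"""^\$remailer\{["']([\w-]+)["']\}\s*=\s*["']([^"']*)["'];$""")
GROUP_RE = re.compile(r"^\(([\w\s-]+)\)$")
# The history column may contain spaces, so it is matched lazily and the
# latency and uptime columns are anchored to the end of the line.
STAT_RE = re.compile(r"^(\S+)\s+(\S+ at \S+)\s+(.*?)\s+([\d:]+)\s+([\d.]+)%$")


def latency_seconds(text):
    """Convert '8:06:08', '27:01' or ':42' to seconds."""
    secs = 0
    for part in text.split(":"):
        secs = secs * 60 + int(part or 0)
    return secs


def parse_listing(text):
    """Return ({name: info}, [set of names sharing a machine or operator])."""
    remailers, groups = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := CAP_RE.match(line):
            flags = m.group(2).split()
            entry = remailers.setdefault(m.group(1), {})
            # "pgp." means: use the short name as the encryption key ID.
            entry["short_key_id"] = "pgp." in flags
            entry["flags"] = {f.rstrip(".") for f in flags}
        elif m := GROUP_RE.match(line):
            groups.append(set(m.group(1).split()))
        elif m := STAT_RE.match(line):
            entry = remailers.setdefault(m.group(1), {})
            entry.update(address=m.group(2), history=m.group(3),
                         latency=latency_seconds(m.group(4)),
                         uptime=float(m.group(5)))
    return remailers, groups


def pick_chain(remailers, groups, need, min_uptime, length):
    """Pick up to `length` hops that carry every flag in `need`, meet
    `min_uptime`, and never reuse a machine/operator group.
    Ranking by uptime, then latency, is this example's own policy."""
    def group_of(name):
        return next((g for g in groups if name in g), {name})

    ranked = sorted(
        (n for n, r in remailers.items()
         if need <= r.get("flags", set()) and r.get("uptime", 0.0) >= min_uptime),
        key=lambda n: (-remailers[n]["uptime"], remailers[n]["latency"]))
    chain, used = [], set()
    for name in ranked:
        if group_of(name) & used:
            continue  # same machine or operator as an earlier hop
        chain.append(name)
        used |= group_of(name)
        if len(chain) == length:
            break
    return chain


if __name__ == "__main__":
    rem, grp = parse_listing(SAMPLE)
    print(pick_chain(rem, grp, {"cpunk", "pgp"}, 99.0, 3))
```

A real client would also randomize among the eligible hops; the deterministic ranking here is only to make the result reproducible.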





From Pot at networking.stanford.edu  Mon Feb  5 10:55:11 1996
From: Pot at networking.stanford.edu (Pot at networking.stanford.edu)
Date: Tue, 6 Feb 1996 02:55:11 +0800
Subject: "Can't we all just get along?"
Message-ID: <199602050758.XAA04847@Networking.Stanford.EDU>


This is not FLAMEpunks.





From sameer at c2.org  Mon Feb  5 10:59:05 1996
From: sameer at c2.org (sameer)
Date: Tue, 6 Feb 1996 02:59:05 +0800
Subject: A Sign of the Future
In-Reply-To: <199602050625.AAA00118@proust.suba.com>
Message-ID: <199602050805.AAA05132@infinity.c2.org>


	Everyone disses that magazine here. Don't be paranoid.
> 
> >     Concerns about privacy and anonymity are outdated. Cypherpunks 
> >     think they are rebels with a cause, but they are really senti- 
> >     mentalists. 
> 
> I'm not much for big conspiracy theories, but I like the little ones.
> 
> If this was really in Wired, do you think it was written before or after 
> Tim dissed that magazine here?
> 
> 


-- 
Sameer Parekh					Voice:   510-601-9777x3
Community ConneXion, Inc.			FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")		sameer at c2.org





From ses at tipper.oit.unc.edu  Mon Feb  5 10:59:38 1996
From: ses at tipper.oit.unc.edu (Simon Spero)
Date: Tue, 6 Feb 1996 02:59:38 +0800
Subject: Sometimes ya just gotta nuke em
In-Reply-To: 
Message-ID: 


On Mon, 5 Feb 1996, Robert A. Rosenberg wrote:

> I agree - Not only were there two different separation methods but the two
> bombs dropped on Japan were of different designs (I think that the
> Hiroshima bomb was the same design as the land test version and the
> Nagasaki one was the untested design [so that if used, there would have
> been a tested design for the first drop]).

Actually, it was the other way round. The bomb dropped on Hiroshima was 
an enriched uranium gun type bomb; the devices exploded at Trinity and 
Nagasaki were imploded plutonium devices. The Little-Boy design was not 
tested before being dropped as 1) the design was so (theoretically) 
simple that if it didn't work, nothing would, and 2) there wasn't enough 
enriched uranium to make two of them.

Simon
p.s.
  Everybody interested in this subject should read "The making of the 
Atom Bomb" by Richard Rhodes; it's an amazing book, well worth its 
Pulitzer. The section dealing with Hiroshima in the seconds and days after 
the explosion is incredibly painful to read.





From jamesd at echeque.com  Mon Feb  5 10:59:51 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Tue, 6 Feb 1996 02:59:51 +0800
Subject: Jim Bell - Murderous Terrorist
Message-ID: <199602050730.XAA22544@shell1.best.com>


At 07:06 PM 2/4/96 -0800, jdoe-0007 at alpha.c2.org wrote:
>Jim Bell has advocated nothing less than paid death squads using crypto as a
>means to hide payment to these murderous terrorists. 

Terrorists are people who create terror by random murder, by killing the
innocent:  Clearly this is the exact opposite of what Jim Bell advocates.

The word terrorist was originally applied primarily to government organizations
of terror, most notably the French Revolution.  You seem to be using the word
"terror" to mean  "Non government use of force".  So by your definition, 
George Washington was a terrorist, whereas Stalin and the French 
Revolutionary tribunal were not terrorists.

By your definition of terrorist, there are plenty of advocates of "terrorism"
on this mailing list.

> If you can find a conspirator
> of murder as " highly intelligent, knowledgeable, and overall nice person"
> then you also are in need of immediate mental health intervention.

or possibly you need to comprehend the difference between governmental decrees
and morality.

 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From jf_avon at citenet.net  Mon Feb  5 11:00:25 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Tue, 6 Feb 1996 03:00:25 +0800
Subject: Marshall McLuhan and encryption...
Message-ID: <9602050736.AA08295@cti02.citenet.net>



>  Nick's a big shot at Wired magazine.  So it should be no surprise 
>  to learn that Wired attacked cypherpunks in its 01 96 issue.  In 
>  a fake interview with "Wired's patron saint," Marshall McLuhan is 
>  made to say (p 130): 
> 
>    Concerns about privacy and anonymity are outdated. Cypherpunks 
>    think they are rebels with a cause, but they are really senti- 
>    mentalists. 

Well, maybe McL. would have spit such nonsense, very characteristic of him.

"The media is the message" is among the biggest con jobs performed on humanity.
It's like having a guy dying from thirst and telling him: "The pipe is the beverage"...

One fine example of the destruction of reason.

If a PGP encrypted message was sent to Mr.McLuhan, could he see if it is a
"there is a contract on you..." or "happy new year" or "I love you..."


To any Cypherpunks, the media *IS NOT* the message!

Dear Wired peoples and Mr. McLuhan: get lost!

>    The era of politics based on private identities, anonymous indi- 
>    viduals, and independent citizens began with the French Revolution 
>    and Napoleon's armies...and ended with Hitler....  The cypherpunks 
>    are still marching to the same martial music. 

     He is partially right.  With the Renaissance came the idea that Reason and the human mind 
were powerful and that knowledge, because man's only survival tool is reason, is a value 
to pursue.  

But the French Revolution did not convey these ideas, neither
did Napoleon.  And Hitler definitely not.   
All of the three were, ultimately, collectivists or looters.

Therefore, the author of the text is guilty of setting up a straw man and of
context blanking.

JFA
Reality Is.  Existence exists.  Words have a precise meaning.  $






From attila at primenet.com  Mon Feb  5 11:02:08 1996
From: attila at primenet.com (attila)
Date: Tue, 6 Feb 1996 03:02:08 +0800
Subject: violating politicians privacy
In-Reply-To: <199602050558.XAA17819@unix1.sihope.com>
Message-ID: 



    attila sez:

	well, I take it as assumed correct that illegally violating the
    credit and personal information of members of Congress (might as well 
    include the Clintons and the Gores) would get a response on privacy.

	but you would be a target of an incredible manhunt. For example,
    I can give you the name of an online information provider (if I was
    so disposed --which I am _not_, as I do not wish to be labelled as a 
    conspirator) who would provide the credit, medical, and background 
    reports of 500+ individuals for $20-25 a pop.  then you take out an 
    account on a system with a false id and does not require credit cards 
    (pay cash, not cheque)  --mail each one to the target rep/sen/bubba 
    after mailing the whole set to Geraldo, or some other slimeball.

	but, I think I would put my money on further laws to really 
    clamp down on free speech. and, if you ever were caught, don't 
    expect all of us to donate one day a month for 10-50 years to visit
    you in the slammer.

	more laws, more political police, more prisons  --that's their 
    motto. 

	enjoy

_________________________________________________________________ attila__


On Sun, 4 Feb 1996, Karl Ike wrote:

> It is impossible to get changes in the Fair Credit Reporting Act in the
> traditional way. Credit reporting agencies have far too much personal
> information that is passed out with incredible ease at the consumer's expense. 
> 
> I have a suggestion! 
> 
> Today, with TRW, Equifax and TransUnion's vast network, it is easy to obtain
> anyone's credit report from various sources. Do you think if someone,
> outside of the USA, obtained the credit reports on half, maybe all, of the
> US Senators, congressmen, judges, etc, and published them in their entirety,
> on the internet, from outside the US, would get their attention? Then there
> would be changes, overnight, protecting the right of privacy! Let them
> become the victim of credit reporting agencies once and shit will happen
> overnight. 
> 
> If someone who is not a US citizen does this from outside the US, I don't
> think that they can be held accountable under US law? I am new to the
> internet and don't have a clue how to do it, but someone out there does and
> probably has a friend in Bangkok that will help him. Put the word out! 
> 

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From WFU at sjulaw.stjohns.edu  Mon Feb  5 11:12:14 1996
From: WFU at sjulaw.stjohns.edu (Wendy Fu)
Date: Tue, 6 Feb 1996 03:12:14 +0800
Subject: fcpunx subscribe
Message-ID: <4C254DF0F18@sjulaw.stjohns.edu>


endWendy Fu, Network Manager 
St. John's University School of Law
8000 Utopia Parkway, Jamaica, NY 11439
E-Mail Address: wfu at sjulaw.stjohns.edu
Phone: (718)990-1666





From an359557 at anon.penet.fi  Mon Feb  5 11:13:03 1996
From: an359557 at anon.penet.fi (an359557 at anon.penet.fi)
Date: Tue, 6 Feb 1996 03:13:03 +0800
Subject: C2 and the Worst Case
Message-ID: <9602051739.AA09360@anon.penet.fi>



>Are you saying that when someone with an anonymous mailbox on c2.org
>retrieves his/her mail via a POP3 connection, no log is made of
>the originating IP address?

It's even worse than that. The IP address/hostname that connects to c2 shows
up when you finger that user on c2!

Sameer, can you please change that? An anonymous user don't wanna leave a
trail as obvious as an IP address.

--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to                abuse at anon.penet.fi
For information (incl. non-anon reply) write to    help at anon.penet.fi
If you have any problems, address them to          admin at anon.penet.fi





From mark at unicorn.com  Mon Feb  5 11:24:56 1996
From: mark at unicorn.com (Mark Grant, M.A. (Oxon))
Date: Tue, 6 Feb 1996 03:24:56 +0800
Subject: Telecoms Bill
Message-ID: 



Well, if "cypherpunks write code", is there any code we should be writing 
in response to this?

	Mark






From owner-cypherpunks at toad.com  Mon Feb  5 12:13:59 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Tue, 6 Feb 1996 04:13:59 +0800
Subject: No Subject
Message-ID: 



<<"In other words it was stvation/devastation city">>

  It was a lot worse than that on the Japanese-imperialist occupied islands 
of the Pacific when the Nisei troops chose not to surrender and instead 
made last-ditch charges against American lines - which killed not a small 
number of Americans. And of course, there were the suicide bombers.

Submarine operations don't cost zero lives, either. In fact, just plain 
old regular military logistics - keeping the boys mobilized and in place 
ina theatre of operations - don't cost zero lives, even if there are _no_ 
hostilities.

And while all the starvation and devastation was going on in Japanese
cities, the Japanese troops were torturing and murdering Allied POWs, and
Asian civilians in all the Japanese-occupied territories. Those people
deserved liberation, too. 

I think you give your game away when you complain about how we were being 
unfair to Comrade Stalin.

As far as Pax Americana goes, the Japanese just _volunteered_ to _increase_
the payments they make to support the American garrison in Japan. The
non-Okinawans want us in their country. I guess they know that the
alternative is a Red Chinese garrison. 

And lots of other Asians are afraid of the same alternative - or of 
Japanese garrisons in their homeland. They've "been there, done that".

Alan Horowitz 
alanh at norfolk.infi.net






From owner-cypherpunks at toad.com  Mon Feb  5 12:21:40 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Tue, 6 Feb 1996 04:21:40 +0800
Subject: No Subject
Message-ID: 


On Sun, 4 Feb 1996 Pot at networking.stanford.edu wrote:

> This is not FLAMEpunks.
> 
	WHAT???   --and miss all the fun?


__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From WFU at sjulaw.stjohns.edu  Mon Feb  5 12:49:57 1996
From: WFU at sjulaw.stjohns.edu (Wendy Fu)
Date: Tue, 6 Feb 1996 04:49:57 +0800
Subject: fcpunx subscribe
Message-ID: <4C1F80260A3@sjulaw.stjohns.edu>


Wendy Fu, Network Manager 
St. John's University School of Law
8000 Utopia Parkway, Jamaica, NY 11439
E-Mail Address: wfu at sjulaw.stjohns.edu
Phone: (718)990-1666





From owner-cypherpunks at toad.com  Mon Feb  5 12:55:36 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Tue, 6 Feb 1996 04:55:36 +0800
Subject: No Subject
Message-ID: 


>> INFORMATION IS INSECURE THE MOMENT YOU TOUCH A KEY.
>
>> This does not mean that Internet commerce is dead.  Any scheme that is
>> not based on self-identifying one-way financial instruments such as
>> credit cards will be essentially unaffected by this problem.  Moreover,
>> even credit cards may be made safe on the Internet using one of two
>> approaches:  secure hardware add-ons and the First Virtual approach.

etc.

My name for this kind of software:

  Terminate and Stay Clueless


-------------------------------------------------------------------------
Steven Weller                      |  "The Internet, of course, is more
                                   |  than just a place to find pictures
                                   |  of people having sex with dogs."
stevenw at best.com                   |       -- Time Magazine, 3 July 1995







From owner-cypherpunks at toad.com  Mon Feb  5 13:32:37 1996
From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com)
Date: Tue, 6 Feb 1996 05:32:37 +0800
Subject: No Subject
Message-ID: 


Although this particular request was sent to the cypherpunks mailing
list, others continue to send requests to my mailbox.

>>>>> "Wendy" == "Wendy Fu"  writes:

Wendy> endWendy Fu, Network Manager 
Wendy> St. John's University School of Law
Wendy> 8000 Utopia Parkway, Jamaica, NY 11439
Wendy> E-Mail Address: wfu at sjulaw.stjohns.edu
Wendy> Phone: (718)990-1666

I don't know how my address got associated with this list, but please,
*do not* send requests about FCPUNX to steve at miranova.com.

Requests about how to set up Gnus scoring for performing your own
filtering of the cypherpunks list are welcome.

-- 
steve at miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.





From warlord at MIT.EDU  Mon Feb  5 13:54:26 1996
From: warlord at MIT.EDU (Derek Atkins)
Date: Tue, 6 Feb 1996 05:54:26 +0800
Subject: Encryption Programs
In-Reply-To: <199602041551.KAA26343@borg.mindspring.com>
Message-ID: <9602052013.AA18934@oliver.MIT.EDU>


> OBVIOUSLY the spokesman of the group. I ask for help and this is what I get?
> 
>         One more time, I'm well aware of the capabilities of PGP. What I'm
> looking for is a program
> that does a better job of binary encryption than just Radix 64 ASCII armoring.

Umm, I think you might be a little confused.  Either that, or you
mis-typed.  What do you mean by "better job of binary encryption than
just Radix 64 ASCII armoring"?  PGP does a lot more than just Ascii
Armor.  The Ascii Armor is just a self-recognizing transport
mechanism, nothing more.

The real meat behind PGP is its encryption and key management
utilities.  PGP uses the IDEA cipher, combined with RSA key
management, to securely encrypt any kind of file.  The Ascii Armor is
used solely to protect the PGP files during transport over email and
other ascii-only protocols.

I hope this clears up any possible misconceptions.

-derek





From frissell at panix.com  Mon Feb  5 13:55:35 1996
From: frissell at panix.com (Duncan Frissell)
Date: Tue, 6 Feb 1996 05:55:35 +0800
Subject: Fair Credit Reporting Act and Privacy Act
Message-ID: <2.2.32.19960205200507.006fa0ac@panix.com>


At 08:25 AM 2/5/96 -0500, Frank Willoughby wrote:

>If the Privacy Act were rewritten to be as strict as the BDSG, businesses
>would have a (mandatory) legal requirement to:
>
>o Ensure that personal data is stored properly (by encrypting it, etc)
>o Ensure that personal data is not distributed
>o Ensure that databases are *not* being maintained which describe the
>   characteristics of individuals (buying habits, income, property 
>   ownership, etc) wantonly propagated by marketing (direct mail, 
>   telemarketing, etc) companies.  
>

Unfortunately, it would also:

*  Require government registration of computers and databases containing
information about people (whether these computers are used by business or
individuals).  This eases regulation of computers and future confiscation.

*  Reduce market efficiency by making it harder to match buyers and sellers
(because neither could easily find out about the other) thus causing higher
prices and poorer people. 

*  Do nothing to protect personal information from the government which
would get to collect more of it than ever in the course of enforcing data
protection laws.

If you don't want people to know things about you, don't tell them.

DCF






From abarrett at ee.net  Mon Feb  5 13:55:48 1996
From: abarrett at ee.net (abarrett at ee.net)
Date: Tue, 6 Feb 1996 05:55:48 +0800
Subject: IMC Resolving Email Security Complexity Workshop
Message-ID: <311670b0.idoc@idoc.idoc.ie>


Found this in the box the other day - thought it might be of interest, esp 
regarding secure email standards.

Warmest regards,
AJ

<---- Begin Forwarded Message ---->
Return-Path: dcrocker at brandenburg.com
Date: Tue, 23 Jan 1996 10:20:50 -0800
To: (potential attendees)
From: Dave Crocker 
Subject: IMC Resolving Email Security Complexity Workshop

This is a query of your interest in participating in a working meeting.

As an initial activity of the newly-formed Internet Mail Consortium, we are
hoping to use the coincident timing of EMail World in San Jose and the ISOC
Security Conference in San Diego to call for an all-day meeting on the
matter of email security. (If you aren't familiar with the IMC, please
check out info at imc.org or .)

This note is intended as a pre-announcement and a solicitation for feedback
concerning your interest.  We'd like to get a sense of the number and range
of folks who might/can/will attend.  We do not yet have logistics or
finances fully worked out, but the timing pressure is tight enough to
warrant this letter before the official announcement.  Comments about the
activity and, especially, an indication of availability, willingness, and
(best of all) intention to attend would be highly welcome.

	Please pass this note on to others who you think are
	(or should be) interested in email security.


Specifics

As its first activity, the Internet Mail Consortium proposes to organize a
one-day workshop to consider the problem of multiple MIME-based security
mechanisms.  This is a complicated topic with a long and painful history,
but the previous pain is insignificant when compared to what is emerging
for vendors and, worse still, for users.

Our proposal is to conduct an open meeting with attendance by principals
and others involved in this area of work.  We will invite the key
contributors and solicit additional attendance by vendors, providers,
users, and technologists who are concerned with email security.

The attendance goal is to have a critical mass of those with the technical
expertise and industry involvement to review and debate the requirements,
capabilities, and possibilities.  The work goal is to seek common ground
for a common solution.

While we are not overly hopeful that the end of the day will see peace and
resolve among the masses, we do hope for a large amount of improved
understanding and some amount of convergence.  With luck, there will even
be improvement in the clarity of constituency for the different technical
choices -- that is, a strengthening of the political base for some of the
alternatives.

We would like to hold the event:

		Wednesday, 21 February
		8:30 am - 5:30 pm (all day)
		(Near) EMail World event, San Jose Convention Center, CA.

This is the last day of EMail World and the day before a two-day ISOC
Security conference in San Diego.

We propose to structure the meeting with a tight agenda, having a very
focused sequence of work on the problem; this is definitely not for general
education.  Some amount of review is appropriate, but not much.  Attendees
will be expected to be knowledgeable in the basic technologies, so that
only general systems design and specific algorithm choices need to be
cited. To help everyone prepare, the Internet Mail Consortium will organize
a set of mail-response and Web pages with references and summaries of the
current technologies, and will establish a mailing list for exchanges
leading up to the meeting.


Proposed Agenda

Morning
	Brief descriptions of the candidate solutions
	Review of the functional and technical requirements
	Review the extent to which each alternative satisfies the requirements
	Seek consensus about the requirements

Afternoon
	Haggle about the strengths and weaknesses of the technical alternatives
	Explore the choices and/or negotiate a preferred solution

Those who have worked on this topic in the IETF are quite tired of the
whole situation, but the unfortunate reality is that the current product
and user choices are quite problematic. We need to continue seeking a
viable service.

We expect to charge $50 per person, to cover basic costs.  I should
have more details about this next week.

Please do let us know your comments.  Thanks!

d/

--------------------
Dave Crocker                                                +1 408 246 8253
Brandenburg Consulting                                fax:  +1 408 249 6205
675 Spruce Dr.                                     dcrocker at brandenburg.com
Sunnyvale, CA  94086 USA                         http://www.brandenburg.com



<----  End Forwarded Message  ---->

__________________________________________________________________
Out the buffer,         | PGP encrypted e-mail preferred.
Through the com port,   | Finger for Public Key.
Over the POTS line,     | Also available on a key server near you.
Into the NT Box,        |
Up the fractional T1,   | Key ID: 0X457AA6BD
Onto the backbone,      | Keyprint: 99 C7 17 3B 32 08 3F 17
Nothin' but 'Net.       |           F4 A9 42 A9 2F BC 39 B1
------------------------------------------------------------------








From paralax at alpha.c2.org  Mon Feb  5 13:58:34 1996
From: paralax at alpha.c2.org (paralax at alpha.c2.org)
Date: Tue, 6 Feb 1996 05:58:34 +0800
Subject: attila sez
Message-ID: <199602052019.MAA05730@infinity.c2.org>


On Date: Mon, 5 Feb 1996 06:49:57 +0000 (GMT)

a>    attila sez:

a>	It is not whether paralax does not know shit from beans, but that
a>    he proves to all that he would prefer to censor TCMay and James A.
a>    Donald than listen to their opinions, despite the fact he posted his
a>    own rather trivial and absurd point. 

a>    political correctness and the liberal news interpretations of "all

I seek to censor no one.  I prefer to confront racism whenever and wherever
I see (read) it.  Mr. May embarrassed himself with his denigrating application
of the word "Jap" to describe the Japanese people after demonstrating a gross
lack of knowledge and sensitivity about Jews.  It is NOT a matter of "political
correctness" unless YOU and Mr. May believe refraining from addressing an
African-American as a nigger the moral equivalent of succumbing to "political 
correctness".

a> with this, I suppose I have been entered upon your "list" of 
a> enemies of the 'statist' nation along with TCMay and James A. Donald,

All three of you would be flattering yourselves if any of you thought you made
anybody's list.

A. Paralax View





From jpp at software.net  Mon Feb  5 14:22:28 1996
From: jpp at software.net (John Pettitt)
Date: Tue, 6 Feb 1996 06:22:28 +0800
Subject: FV's blatant double standards
Message-ID: <2.2.32.19960205213944.0109c138@mail.software.net>


At 09:26 AM 2/4/96 -0500, Simson L. Garfinkel wrote:
>At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
>>FV demonstrated, through its "card sharp" or whatever, that
>>real-time transactions are vulnerable to sniffers on the recipient's
>>own machine. Of course. We all knew that. But the mistake is to
>>assume that FV isn't _equally_ vulnerable to that threat. If you
>>can write a trojan that will somehow get privileged access to my
>>machine, trap my keystrokes, and identify my credit card number,
>>you can certainly write one that will, sitting on my machine:
>>    "intercept the user's electronic mail, read the confirmation
>>    message from First Virtual's computers, and send out a fraudulent
>>    reply"
>>(to quote from Simson's article). Simson further quotes FV's Lee
>>Stein: "A single user can be targeted, Stein said, but ''it is very
>>difficult. . . . There are too many packets moving . . . to too many
>>different machines.''" - which is of course equally true for real-time
>>Netscape transactions.
>
>Oh, I think that such a program can be written. However, it would be much
>harder to get right, considering all of the different ways that people read
>e-mail.
>
>
The code looks something like this:

1) hook into the winsock and look for an FV message in the web data stream,
save the ID.

2) now look for an approve/deny/fraud, when you see one you know that the
user uses an IP connection for mail and web.

3) Forward the ID to an anon box.

4) Look for outbound FV messages with 'fraud' or 'deny' and change to 'approve'.

Clearly this will miss AOL, CI$ et al. but that's not important.

The issue is not FV noticing the error, they will, it's how long it takes
 and how much you can steal in the interim.

There is a Helen Keller quote I'm rather fond of which starts:
 "Security is mostly a superstition ..."

  *If the machine is not secure all bets are off*

The most likely failure vector for this attack is that so few people use FV :-)







John Pettitt, jpp at software.net
VP Engineering, CyberSource Corporation, 415 473 3065
 "Technology is a way of organizing the universe so that man
  doesn't have to experience it." - Max Frisch






From jya at pipeline.com  Mon Feb  5 14:57:53 1996
From: jya at pipeline.com (John Young)
Date: Tue, 6 Feb 1996 06:57:53 +0800
Subject: TWP on Indecency Protest
Message-ID: <199602052229.RAA14765@pipe3.nyc.pipeline.com>


   The Washington Post, February 5, 1996, p. A8.


   Language on 'Indecency' Sparks Telecommunications Bill
   Protest

   By John Schwartz


   Provisions in the overhaul of the nation's
   telecommunications laws that call for regulating adult
   materials on the Internet have sparked a storm of anger and
   protest on that medium.

   "This is the kind of legislation you'd see from a lot of
   senators and congressmen who have never logged on," said
   Michael Godwin, staff counsel for the Electronic Frontier
   Foundation, a civil liberties group. "The Christian Right
   thinks they've hit a home run here, but the inning isn't
   over."

   The provisions, proposed by Sen. J. James Exon (D-Neb.),
   have gained momentum with support from religious
   conservative organizations. The legislation would make it
   illegal to make "indecent" material available to minors via
   computer, with penalties of two years in prison and up to
   $250,000 in fines. Exon called passage last week "a victory
   for children and families," adding, "We've come to a
   successful closing of the 'peep show' doors to our youth."
   President Clinton has said he will sign the bill.

   Those opposed to the regulations, however, said the
   "indecency" standard, which has been used in broadcast
   regulation cases, is too vague and would seriously restrict
   the potential of the emerging on-line medium.

   "I am concerned this legislation places restrictions on the
   Internet that will come back to haunt us," said Sen.
   Patrick J. Leahy (D-Vt.). He warned that quoting from such
   works as "Catcher in the Rye" and "Ulysses" in on-line
   discussions could court prosecution and said that making it
   illegal to "make available" indecent language would outlaw
   posting of messages or images that a child might see.
   "Imagine if the Whitney Museum ... were dragged into court
   for permitting representations of Michelangelo's David to
   be looked at by kids."

   But John McMickle, an aide to Sen. Charles E. Grassley
   (R-Iowa), said drafters rejected the idea that "serious
   works of redeeming value" would fall within the law, which
   he said would apply only to "patently offensive" material.
   McMickle said the bill "is not a Comstock-type effort to
   wipe out literature or political speech."

   The American Civil Liberties Union, the Electronic Frontier
   Foundation and other organizations are preparing a lawsuit
   challenging the indecency provisions on constitutional
   grounds. Other legal actions are in the works. An on-line
   publication, American Reporter, has announced it will soon
   publish a column by a Texas judge denouncing the
   legislation intentionally salted with "indecent" language;
   Randall Boe, a Washington attorney for the American
   Reporter, said he would immediately sue after publication.

   "We want to move promptly to have this statute set aside as
   unconstitutional," Boe said. "The longer it's in place, the
   greater the harm done to the Internet and to the First
   Amendment." Boe's firm, Arent, Fox, Kintner, Plotkin &
   Kahn, was defense counsel in the landmark "seven dirty
   words" case, which set the legal standard for indecent
   language in broadcasting based on a monologue by comedian
   George Carlin.

   Cathleen Cleaver, director of legal studies for the Family
   Research Council, said yesterday she expected such suits
   and that her conservative organization, which has pushed
   for on-line regulation, would fight to uphold it.

   The Justice Department has stated that the legislation
   would be vulnerable to attack on constitutional grounds.
   But in response to a letter from Grassley, Assistant
   Attorney General Andrew Fois noted last week that the
   department is defending the indecency standard in
   legislation "and will continue to defend similar statutes
   against constitutional challenges, so long as we can assert
   a reasonable defense consistent with the Supreme Court
   rulings in this area."

   -----













From frankw at in.net  Mon Feb  5 15:22:25 1996
From: frankw at in.net (Frank Willoughby)
Date: Tue, 6 Feb 1996 07:22:25 +0800
Subject: Fair Credit Reporting Act and Privacy Act
Message-ID: <9602052254.AA15929@su1.in.net>


Verily at 03:05 PM 2/5/96 -0500, Duncan Frissell did write:

>At 08:25 AM 2/5/96 -0500, Frank Willoughby wrote:
>
>>If the Privacy Act were rewritten to be as strict as the BDSG, businesses
>>would have a (mandatory) legal requirement to:
>>
>>o Ensure that personal data is stored properly (by encrypting it, etc)
>>o Ensure that personal data is not distributed
>>o Ensure that databases are *not* being maintained which describe the
>>   characteristics of individuals (buying habits, income, property 
>>   ownership, etc) wantonly propagated by marketing (direct mail, 
>>   telemarketing, etc) companies.  
>>
>
>Unfortunately, it would also:
>
>*  Require government registration of computers and databases containing
>information about people (whether these computers are used by business or
>individuals).  This eases regulation of computers and future confiscation.

Works great in theory, not in practice.  Having worked in Germany for 9 
years, I can *guarantee* that the German gov't hasn't implemented the 
above.  It may have been a good idea (in their eyes, not mine), but it 
isn't implementable in a democratic society (it bogs down in the 
implementation phase).  

Are you planning on registering every computer system that each person and 
company has with the gov't?  Most sysadmins I know are up to their ears in
work and are barely able (if at all) to recognize which users they have on 
their system, and why they have accounts at all (business justification).  
This might also get pretty wild when the ISPs get polled in terms of usage.  
(Compuserve notwithstanding).  

Gathering the registration data will be a bear to implement - keeping it 
current will be impossible (for the foreseeable future).  Besides, this
would cast further shadows of "big brother" and remind former "ossies"
in the former GDR/DDR  & Eastern Bloc of days gone by - which they would 
probably rather not remember.

Also, just because Germany tries this approach (and fails), doesn't mean 
we have to repeat their mistake in this area.


>
>*  Reduce market efficiency by making it harder to match buyers and sellers
>(because neither could easily find out about the other) thus causing higher
>prices and poorer people. 

Actually, it would probably increase market efficiency as they would be 
spending their marketing budget on other appropriate methods which have 
a higher success-ratio.  I don't know what the success rates are of 
mass-mailings, or tele-marketing, but I doubt if they approach 1% (wild 
guess).  Seriously - what is your first impulse when you reach the phone
and find out the caller is a tele-marketer?  The annoyance factor is 
rather high for these.  More than likely, this was also the reason that
unsolicited mass-faxing of marketing info was forbidden by law a while 
ago?

FWIW, personally, I think many marketing organizations have gone off the 
deep end in their efforts to try to be effective (to wit: putting logos
on clothing, in video games, etc; sponsor's logos in Home Pages, 3-5 minutes
of TV commercials every 6-10 minutes of TV (for those rare moments one gets 
to watch TV (thank heavens for cable TV & CNN))).  8^)


>
>*  Do nothing to protect personal information from the government which
>would get to collect more of it than ever in the course of enforcing data
>protection laws.
>

You're assuming this isn't happening now?  IMO, that would be a rather naive
assumption.  Personally, I think that the law should also consider exactly 
this point.  The gov't should have no more access to personal information 
than it needs to carry on its job - and we as taxpayers should decide how 
much access they need to have.


>If you don't want people to know things about you, don't tell them.

Agreed....But, this essentially means giving up your phone, your credit 
cards, your house, your car, your job, and generally withdrawing from
society.  Not a particularly viable plan, IMO.  The main problem is 
that the companies do little to nothing about protecting an individual's
private data.  It isn't any of my business how much money you make, 
the amount your home is worth, your credit rating, info about your 
family (wife, kids, etc), religion, etc - yet, all of these are within
the easy access of many individuals who don't have a "need-to-know" of 
this information.  If I don't have a "need-to-know" about this info, I
shouldn't be able to access it.

>
>DCF

Of course since we are re-writing the Privacy Act from scratch, we can
leave out the items you mentioned & design it the way it should be.

Best Regards,


Frank






From rsalz at osf.org  Mon Feb  5 15:56:28 1996
From: rsalz at osf.org (Rich Salz)
Date: Tue, 6 Feb 1996 07:56:28 +0800
Subject: IEEE Security Symposium Program
Message-ID: <9602052328.AA02380@sulphur.osf.org>


Date: Mon, 5 Feb 1996 14:14:22 -0800
To: pem-dev at tis.com, ietf-pkix at tandem.com, ipsec-owner at ans.net
From: Stephen Kent 
Subject: IEEE Symposium Program Announcement

I'm distributing a copy of this year's program to members of these
security-oriented WG mailing lists as a means of "getting the word out" to
individuals who may be interested in attending this sort of conference.  As
the chair of the former PEM WG, and current co-chair of the PKI WG, I feel
that this announcement is appropriate for these lists, and I hope my fellow
IPSEC WG members agree that it is appropriate for that list as well.  I
apologize in advance for those of you who, like me, will receive multiple
copies of this announcement.

Steve
===========================================================================



1996 IEEE SYMPOSIUM ON SECURITY AND PRIVACY                    _/_/
                                                            _/    _/
                                                           _/           _/
May 6-8, 1996                                                _/_/    _/_/_/
The Claremont Resort,                                           _/    _/
Oakland, California                                       _/   _/
                                                           _/_/
Sponsored by the                                                  _/_/_/
IEEE Technical Committee on Security and Privacy                 _/   _/
In cooperation with the                                         _/   _/
International Association of Cryptologic Research              _/_/_/
                                                              _/
Symposium Committee                                          _/
Dale M. Johnson, General Chair                                    _/_/_/  _/_/
Stephen Kent, Vice Chair                                        _/   _/ _/
John McHugh, Program Co-Chair                                  _/   _/ _/
George W. Dinolt, Program Co-Chair                             _/_/_/ _/_/_/
                                                                  _/ _/   _/
                        PRELIMINARY PROGRAM                      _/ _/   _/
                         Subject to Change                      _/   _/_/

MONDAY, MAY 6

08:30-09:00  WELCOMING REMARKS:  Dale Johnson and John McHugh

09:00-10:30  PANEL:  Object Management Group CORBA Security Standard
                Moderator:  Terry Benzel
                Participants:  TBA

10:30-11:00  BREAK

11:00-12:00  COVERT CHANNELS

             An Analysis of the Timed Z-Channel
                Ira S. Moskowitz, Steven J. Greenwald, Myong H. Kang

             Defining Noninterference in the Temporal Logic of Actions
                Todd Fine

12:00-13:30  LUNCH

13:30-15:00  PANEL:  Goals for Computer Security Education
                Cynthia Irvine, Chair
                Leslie Chalmers
                Karl Levitt
                Steven F. Barnett
                Jim Schindler
                Roger R. Schell

15:00-15:30  BREAK

15:30-17:00  FIVE-MINUTE RESEARCH TALKS SESSION

             Submissions in the form of one-page ASCII abstracts
             due by email to mchugh at cs.pdx.edu no later
             than 2 April 1996. See http://www.cs.pdx.edu/SP96/
             for more information.
             Abstracts to be distributed at the conference.

18:00-19:30  RECEPTION

TUESDAY, MAY 7

09:00-10:30  DOMAIN SPECIFIC SECURITY

             Security for Medical Information Systems
                Ross Anderson

             Discussion
                Discussants TBA

10:30-11:00  BREAK

11:00-12:00  PROTOCOLS

             Entity Authentication
                Dieter Gollmann

             A Fair Non-repudiation Protocol
                Jianying Zhou, Dieter Gollmann

             Limitations on Design Principles for Public Key Protocols
                Paul Syverson

12:00-13:30  LUNCH

13:30-15:00  DATABASES

             Ensuring Atomicity of Multilevel Transactions
                Paul Ammann, Sushil Jajodia, Indrakshi Ray

             View-Based Access Control with High Assurance
                Xiaolei Qian

             Supporting Multiple Access Control Policies in Database Systems
                Elisa Bertino, Sushil Jajodia, Pierangela Samarati

15:00-15:30  BREAK

15:30-17:00  BIOLOGICALLY INSPIRED TOPICS IN COMPUTER SECURITY

             An Immunological Approach to Change Detection: Algorithms,
             Analysis, and Implications
                Patrik D'Haeseleer, Stephanie Forrest, Paul Helman

             A Sense of Self for UNIX Processes
                Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji,
                Thomas A. Longstaff

             Cryptovirology: Extortion Based Security Threats and
             Countermeasures
                Adam Young, Moti Yung

17:30-19:30  TECHNICAL COMMITTEE MEETING

WEDNESDAY, MAY 8

09:00-10:30  MODELING

             A Security Model of Dynamic Labeling Providing a Tiered Approach to
             Verification
                Simon Foley, Li Gong, Xiaolei Qian

             A Communication Agreement Framework of Access Control
                Martin Roscheisen, Terry Winograd

             Decentralized Trust Management
                Matt Blaze, Joan Feigenbaum, Jack Lacy

             Security Properties and CSP
                Steve Schneider

10:30-11:00  BREAK

11:00-12:30  NETWORKS

             Security Flaws in the HotJava Web Browser
                Drew Dean, Dan S. Wallach

             On Two Proposals for On-line Credit-card Payments using Open
             Networks: Problems and Solutions
                Wenbo Mao

             Secure Network Objects
                Leendert van Doorn, Martin Abadi, Mike Burrows, Edward Wobber

             Run-Time Security Evaluation (RTSE) for Distributed Applications
                Cristina Serban, B. McMillin

12:30-12:45  CONCLUDING REMARKS

12:45        SYMPOSIUM ADJOURNS

1996 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY              _/_/
                                                                  _/    _/
                   REGISTRATION FORM                             _/          _/
                                                                   _/_/   _/_/_/
          Name:_______________________________________________       _/    _/
                                                               _/   _/
   Affiliation:_______________________________________________  _/_/
                                                                    _/_/_/
Postal Address:_______________________________________________     _/   _/
                                                                  _/   _/
               _______________________________________________   _/_/_/
                                                                _/
               _______________________________________________ _/
                                                                  _/_/_/  _/_/
         Phone:_______________________________________________  _/   _/ _/
                                                               _/   _/ _/
           Fax:_______________________________________________ _/_/_/ _/_/_/
                                                                  _/ _/   _/
         Email:_______________________________________________   _/ _/   _/
                                                                _/   _/_/
Note:  Address information will be distributed to attendees.

Please enter the appropriate registration category.  Payment must be included
and must be by credit card or by check in U.S. dollars, drawn on a U.S. bank,
made payable to "IEEE Symposium on Security and Privacy."  Dates are strictly
enforced by postmark.

  Advance registration (up to 29 March 1996)
     ___   Member of the IEEE (Member # ____________, required)........$310.00
     ___   Non-Member..................................................$385.00
     ___   Full-time Student...........................................$100.00
  Late registration (from 30 March 1996)
     ___   Member of the IEEE (Member # ____________, required)........$370.00
     ___   Non-Member..................................................$460.00
     ___   Full-time Student...........................................$100.00

Do you wish to present at a poster session or lead an evening discussion?
                                                               [ ] Yes  [ ] No

Do you have any special requirements?_________________________________________

Please indicate your method of payment by checking the appropriate box:

  [ ] Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS FORM)

  Credit card authorization:
  (Charges will appear on your statement as made by IEEE COMPUTER SOCIETY)

         Visa        MasterCard      American Express     Diners Club
         [ ]            [ ]                [ ]                [ ]

  Credit Card Number:_________________________________________________________

  Card Holder Name:______________________________Expiration Date:_____________

  Signature:__________________________________________________________________

Mail registration to:                     Or FAX this form (CREDIT CARD
        Stephen Kent                      REGISTRATIONS ONLY) to:
        BBN Corporation                   FAX:    +1 617 873-4086
        MS 13/2A                          VOICE:  +1 617 873-6328
        70 Fawcett Street
        Cambridge, MA 02140

>>>>SORRY, NO REGISTRATIONS BY EMAIL.  NO REFUNDS.<<<<

Five-Minute Research Talks Session
==================================
At the 1995 Symposium a session of five-minute research talks was held for the
first time.  These proved very popular, so there will be another session this
year.  It is being held on Monday to give attendees more opportunities to
contact the presenters during the rest of the conference.  If you are interested
in presenting a five-minute talk, please submit a one-page abstract in ASCII
format by email to mchugh at cs.pdx.edu no later than 2 April 1996.  See
http://www.cs.pdx.edu/SP96/ for more information.  Abstracts to be distributed
at the conference.  Please note that the five-minute time limit will be strictly
enforced.


Evening Sessions
================
The 1996 IEEE Symposium on Research in Security and Privacy will accommodate
poster sessions and evening discussions.  There will be rooms with blackboards
and bulletin boards for interested parties to post presentations on work in
progress, recent research results, and innovative proposals, or to lead
discussions on topics of current interest.  These rooms will be available Monday
and Tuesday, May 6 and 7, from 8 p.m. to midnight.  If you are interested in
posting a presentation or organizing a discussion on a particular topic, please
indicate so on the registration form.


Hotel Reservations - The Claremont Resort
=========================================
The Claremont Resort in Oakland, California is 20 minutes from San Francisco and
just over an hour from Napa Valley.  It is situated in the Oakland-Berkeley
hills overlooking the San Francisco Bay on 22 acres of beautifully landscaped
lawns and gardens.  Facilities include the Claremont Pool and Tennis Club and
The Spa at the Claremont.

Oakland Airport is 14 miles from the hotel, or attendees may choose to fly into
San Francisco and rent a car.  SuperShuttle (+1 510 268-8700) provides service
from the San Francisco Airport or the Oakland Airport to the Claremont Resort.
The charge is $15 from Oakland Airport and $18 from San Francisco Airport, per
person one way.  Parking is available at the hotel at a cost of $8 per day for
guests and a maximum of $9 per day for non-guests.

Hotel reservations must be made under the group name IEEE Symposium on Security
and Privacy.  The group rate is $102 single, $114 double occupancy, plus 11%
tax.  The cut-off date for reservations is Saturday, April 6, 1996.
Reservations made after this date will be accepted on a space available basis.
Reservations must be accompanied by an advance deposit or credit card guarantee.
You may cancel your individual reservations up to 72 hours prior to arrival,
after which your deposit becomes non-refundable.  Please be advised the check-in
time is after 3:00 p.m.; check-out is 12 noon.

For reservations and information, contact: The Claremont Resort, Ashby and
Domingo Avenues, Oakland, CA 94623-0363; Phone: +1 800 551-7266 (7 a.m. to
8:30 p.m., PST) or +1 510 843-3000; Fax: +1 510 549-8582.








From cp at proust.suba.com  Mon Feb  5 15:57:34 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Tue, 6 Feb 1996 07:57:34 +0800
Subject: A Sign of the Future
In-Reply-To: 
Message-ID: <199602050625.AAA00118@proust.suba.com>


>     Concerns about privacy and anonymity are outdated. Cypherpunks 
>     think they are rebels with a cause, but they are really 
>     sentimentalists. 

I'm not much for big conspiracy theories, but I like the little ones.

If this was really in Wired, do you think it was written before or after 
Tim dissed that magazine here?







From cp at proust.suba.com  Mon Feb  5 16:05:49 1996
From: cp at proust.suba.com (Alex Strasheim)
Date: Tue, 6 Feb 1996 08:05:49 +0800
Subject: "PGP-Scape"? (was Re: Our "New Order")
In-Reply-To: <199602050334.WAA17133@UNiX.asb.com>
Message-ID: <199602050621.AAA00111@proust.suba.com>


> There's also less worry about secure transactions, since if 
> everything's encrypted it's harder to tell if a transaction is taking 
> place, viewing porno or subversive or religious literature, or if
> you're just reading something mundane.

I think I must be missing something here.  Aren't you describing an SSL 
web server?  Different algorithms, but basically the same idea?

> So is faster-than-light travel, but only if it's implemented.

Netscape 2.0 is out for real -- everyone can now pick their certs.  GAK 
just got harder.







From jpp at software.net  Mon Feb  5 16:06:01 1996
From: jpp at software.net (John Pettitt)
Date: Tue, 6 Feb 1996 08:06:01 +0800
Subject: Encryption and Backups
Message-ID: <2.2.32.19960205043354.00703aa4@mail.software.net>



On Sun, 4 Feb 1996, Alan Olsen wrote:

> Something that I have not seen addressed is the need for strong encryption
> in backup software.
>
> Most backup software has an "encryption" option, but I have seen few that
> have anything resembling strong encryption.  Furthermore, I have seen no
> real push for strong encryption for backups at all.
> ... 
> Might be an idea for a product there...  (And you can bet law enforcement
> would throw a hissy fit about its existence.)
>
CP Backup (part of PC Tools for Central Point aka Symantec) has DES. As to
how good the implementation is: I have no idea.

--
John Pettitt
email:         jpettitt at well.sf.ca.us (home)
               jpp at software.net       (work)    







From alano at teleport.com  Mon Feb  5 16:08:28 1996
From: alano at teleport.com (Alan Olsen)
Date: Tue, 6 Feb 1996 08:08:28 +0800
Subject: Encryption and Backups
Message-ID: <2.2.32.19960205053656.00942c50@mail.teleport.com>


At 08:33 PM 2/4/96 -0800, John Pettitt wrote:
>
>On Sun, 4 Feb 1996, Alan Olsen wrote:
>
>> Something that I have not seen addressed is the need for strong encryption
>> in backup software.

>CP Backup (part of PC Tools for Central Point aka Symantec) has DES. As to
>how good the implementation is: I have no idea.

I have a copy, but I have not yet verified the key sizes.  It is on my list
of projects.  (My current project is for determining if an app is accessing
your PGP files under Win95.  I may be stuck for a bit though...  Looks like
I might need the DDK to compile it.)
Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction
        `finger -l alano at teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
         Is the operating system half NT or half full?






From hal9001 at panix.com  Mon Feb  5 16:08:32 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 6 Feb 1996 08:08:32 +0800
Subject: Sometimes ya just gotta nuke em
Message-ID: 


At 8:33 2/3/96, "A. Padgett Peterson, P.E. Information Security"
Tim wrote:
>>At 4:12 AM 2/3/96, Rich Graves wrote:
>>>Who holds up the nuking of Hiroshima and Nagasaki as great victories
>>>against tyranny?
>>Since you ask, I do.
>
>And the biggest secret of the war was that "Fat Man" was the *last* A-bomb
>we had or could build for about a year (had taken several *years* to
>separate enough fissionable material for the three via two entirely
>different processes).
>
>To me this is the great strength of the USA: given a theoretical problem, we
>will develop a hundred different solutions, try them all in parallel, and at
>least one will work.

I agree - Not only were there two different separation methods but the two
bombs dropped on Japan were of different designs (I think that the
Hiroshima bomb was the same design as the land test version and the
Nagasaki one was the untested design [so that if used, there would have
been a tested design for the first drop]).







From jimbell at pacifier.com  Mon Feb  5 16:08:35 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 6 Feb 1996 08:08:35 +0800
Subject: Arthur C. Clarke Supports Strong Crypto
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

At 08:05 PM 2/4/96 -0800, Timothy C. May wrote:
>
>(Pardon me for mentioning crypto...)
>
>Arthur C. Clarke, known to most of you (author of many SF works, coiner of
>the phrase: "all sufficiently advanced technologies are indistinguishable
>from magic," mentioned by Alan Olsen yesterday), has a role in a "Discovery
>Channel" program called "Mysterious Universe."

Actually, it was _I_ who mentioned this quote, but didn't specifically 
recall whom to ascribe it to.  Perhaps Tim May didn't see it; a week or so 
ago May engaged in a shotgun-type killfile addition, including me when I was 
merely ( I still believe...) the victim in a local flamewar.  If there is 
somebody out there who:

1.  Is on speaking terms with Tim May.
and
2.  Has a little respect for my commentary, I would very much appreciate it 
if you would forward this comment to him to ensure that he sees it. 

The truly ironic thing is that Tim wrongly ascribes the comment to Alan 
Olsen, who is apparently the (recently admitted) perpetrator of at least one
flamewar against me.

Jim Bell
jimbell at pacifier.com

Klaatu Burada Nikto

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCUAwUBMRWQLvqHVDBboB2dAQF8zwP3SjAAIP46pqwsygL4Hm8YOChJ6xfIs4Vq
vp+8rjMvPmZwxNtGN+7kcRTbXmau5P3MePSp94iK6k8qwisNqsoqCYkMBxs198fg
2YRZvfLAMQ0xsVznUSRA4bBTI3mLAv868xleSkIwhSjJ271qKUaI2K5exY1FgVK/
JnaVHWZTeQ==
=tjA2
-----END PGP SIGNATURE-----






From attila at primenet.com  Mon Feb  5 16:08:36 1996
From: attila at primenet.com (attila)
Date: Tue, 6 Feb 1996 08:08:36 +0800
Subject: "Nations see Internet.." continued
In-Reply-To: <199602041718.MAA05257@plethora.lisgar.edu.on.ca>
Message-ID: 


On Sun, 4 Feb 1996, Mike Ang wrote:

> 
> Comparing crypto to guns works in the sense that the "bad guys" will 
> always be able to have access to them.  However, I for one support gun 
> control but do not support mandatory limits on crypto.  Where I live,
> there are no threats that justify allowing everyone to carry guns 
>
	well, I'll tell you what, we'll export 10,000 of our inner city 
    gang members north; then you think about leaving _all_ weapons in
    the hands of the central state who increasingly is failing to provide 
    adequate protection for the weak members of its society.

>- the 
> threat to privacy and freedom of speech justifies allowing everyone to 
> use strong crypto.  You can use a gun to deprive another person of their 
> life - what harm can you do another with PGP?  Perhaps you can harm them 
> by being able to spread hate propaganda, but I don't think that that is a 
> strong enough argument.
> 
> 	- Mike.
> 
> If you've got to flame me, do it by email.
> 

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From tcmay at got.net  Mon Feb  5 16:08:40 1996
From: tcmay at got.net (Timothy C. May)
Date: Tue, 6 Feb 1996 08:08:40 +0800
Subject: Fair Credit Reporting Act and Privacy
Message-ID: 


[I urge people to put thread names in the subject lines, and not just leave
the subjects as "Re:" or "Your mail." I have added a subject line.]

At 5:58 AM 2/5/96, Karl Ike wrote:
>It is impossible to get changes in the Fair Credit Reporting Act in the
>traditional way. Credit reporting agencies have far too much personal
>information that is passed out with incredible ease at the consumer's expense.
>
>I have a suggestion!
>
>Today, with TRW, Equifax and TransUnion's vast network, it is easy to obtain
>anyone's credit report from various sources. Do you think if someone,
>outside of the USA, obtained the credit reports on half, maybe all, of the
>US Senators, congressmen, judges, etc, and published them in their entirety,
>on the internet, from outside the US, would get their attention? Then there
>would be changes, overnight, protecting the right of privacy! Let them
>become the victim of credit reporting agencies once and shit will happen
>overnight.

"Protecting the right of privacy"? If I tell Joe Bob that you welshed on a
debt made in the past, something that the person you welshed on has
informed me of, how is this a violation of your right of privacy?

Better yet, abolish the laws about so-called "Fair Credit Reporting."

If Tim's Pretty Good Credit Reporting knows that Joe Blow filed for
bankruptcy in 1975, by what right should men with guns come to his file
cabinets and announce that he may not reveal true information that is older
than, say, 8 years? Facts are facts. Not just for 8 years, or even 20
years. Debts incurred 30 years ago and not paid may still be useful bits of
information in deciding whether to extend credit to a person.

And even possibly untrue things are not the main justification for the
FCRA. The FCRA is _not_ primarily designed to correct wrong information,
but to place time limits on correct information. It limits speech. And it
interferes with rational economic decisions.

Fortunately, strong crypto and cyberspatial data havens will make
enforcement of the FCRA increasingly difficult.

--Tim


Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."









From attila at primenet.com  Mon Feb  5 16:08:46 1996
From: attila at primenet.com (attila)
Date: Tue, 6 Feb 1996 08:08:46 +0800
Subject: Nuke em if ya got em "TCMay"
In-Reply-To: <199602041303.FAA05924@infinity.c2.org>
Message-ID: 



    attila sez:

	It is not whether paralax does not know shit from beans, but that
    he proves to all that he would prefer to censor TCMay and James A.
    Donald than listen to their opinions, despite the fact he posted his
    own rather trivial and absurd point. 

    political correctness and the liberal news interpretations of "all
    men are created equal" with reverse discrimination, destruction of
    the work ethic for the dole, and the New World Order whose need is
    more and more cheaper labor, even to the point of disenfranchising
    a whole element of American society to achieve a worker's underclass is
    the shit part of beans and shit.

	with this, I suppose I have been entered upon your "list" of 
    enemies of the 'statist' nation along with TCMay and James A. Donald,
    and that my prejudged conviction and sentence requires me to write
    30,000 lines of debugged C source code before the end of this year. 

	how about 30,000 lines of debugged Ada source for you?  --while
    I add you to procmailrc:

    	    :0:
	    * ^[FRST].*paralax
	    assholes

	have a nice day, hopefully enlightening

		attila 
__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.
__________________________________________________________________________

On Sun, 4 Feb 1996 paralax at alpha.c2.org wrote:

> On Date: Sat, 03 Feb 1996 22:20:52 -0800 James A. Donald Wrote:
> 
> At 03:39 PM 2/3/96 -0800, paralax at alpha.c2.org wrote:
> 
> P> Mr. Hayes MAY have used a condescending tone but you have exposed your
> P> racist roots again.  First you embarrass yourself with your lack of knowledge,
> 
> JAD> Paralax does not know shit from beans.  He presumably imagines that Tim is
> JAD> "embarrassed" because Tim's knowledge of the historical facts differs from
> JAD> those facts dreamed up by the usual crew of apologists for totalitarian terror.
> 
> JAD> James A. Donald
> 
> Historical facts and/or personal interpretations thereof were never called into question by me.  I took umbrage with Mr. May's insulting, insensitive and racist comments about Jews and the Japanese.  Whether Mr. May is personally embarrassed by his public display of ignorance and bigotry matters not.  He did indeed embarrass himself on an 'International Stage'.
> 
> I may not know shit from beans (actually I do) but I do know cultural insensitivity, racism, bigotry and ignorance when I see it displayed so blatantly.  I encouraged Mr.
> May to return to topics 'cipher' before further embarrassment ensues.  I urge you to do
> likewise.
> 
> A. Paralax View
> 








From ErnstZundl at aol.com  Mon Feb  5 16:18:13 1996
From: ErnstZundl at aol.com (ErnstZundl at aol.com)
Date: Tue, 6 Feb 1996 08:18:13 +0800
Subject: THE JEWS (ALL of them!) Try to kick Ernst Zundel off Usenet!!
Message-ID: <960205183439_313485220@emout05.mail.aol.com>


I have small testicles





From junger at pdj2-ra.F-REMOTE.CWRU.Edu  Mon Feb  5 16:25:20 1996
From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger)
Date: Tue, 6 Feb 1996 08:25:20 +0800
Subject: Sometimes ya just gotta nuke em
In-Reply-To: 
Message-ID: 


Alan Horowitz writes:

:   It was lot worse than that on the Japanese-imperialits occupied islands 
: of the Pacific when the Nisei troops choosenot to surrender and instead, 
: mad last-ditch charges against AMerican lines - which killed not a small 
: number of Americans. And of course, there were the suicide bombers.

Who were those second generation Japanese Americans who ``choosenot to
surrender and instead, mad last-ditch charges against AMerican lines''?

I am afraid that I find this all rather cryptic, which I guess makes
it appropriate.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet:  junger at pdj2-ra.f-remote.cwru.edu    junger at samsara.law.cwru.edu





From koontz at MasPar.COM  Mon Feb  5 16:28:46 1996
From: koontz at MasPar.COM (David G. Koontz)
Date: Tue, 6 Feb 1996 08:28:46 +0800
Subject: RC2 source code post to sci.crypt
Message-ID: <9602052347.AA18642@argosy.MasPar.COM>



So, who cancelled the post anyway?





From vgebes at jp.psi.com  Mon Feb  5 16:36:47 1996
From: vgebes at jp.psi.com (Vincent Gebes)
Date: Tue, 6 Feb 1996 08:36:47 +0800
Subject: Sometimes ya just gotta nuke em
In-Reply-To: 
Message-ID: <199602060001.JAA14299@jp.psi.com>


Hi,

While avoiding the many political issues in this thread to
which my opinion is of little value,

 > As far as Pax Americana goes, the Japanese just _volunteered_ to _increase_
 > the payments they make to support the American garrison in Japan. The
 > non-Okinawans want us in their country.

this is so far off the mark as to be hilarious.  Public opinion
against US troops in Japan is pretty high.  Don't confuse what
the government does to have any bearing on what people want.
Also realize that US mass media's portrayal of events in Japan
may be quite different than that of Japan's mass media.  I would
expect that this is true elsewhere as well...

Vince Gebes
PSI Japan





From rishab at best.com  Mon Feb  5 16:49:39 1996
From: rishab at best.com (Rishab Aiyer Ghosh)
Date: Tue, 6 Feb 1996 08:49:39 +0800
Subject: No Subject
Message-ID: <199602052258.OAA25368@comsec.com>


India's Department of Telecommunications (DoT) charges a licence
fee of $50,000 per _annum_ for BBS operators, and nearly twice
as much for e-mail providers. It is preparing to finalise a policy
for Internet service providers; as it doesn't understand the distinction
between Internet _networks_ (MCI, Sprintnet etc) and "retail" providers
(the geek in the garage), it is planning to charge well over $100,000
in annual licence fees. This is totally against the opinions of Telecom
Secretary R K Takkar, as expressed to my newsletter, The Indian 
Techonomist, some months ago. 

I spoke to Mr Takkar for some time, providing him the "education" that 
he asked for in my newsletter and that large datacom companies here have 
been curiously averse to give him. He appreciated my point of view, and
invited me to send a proposal for an alternative datacom policy, which
I have done (and which is summarised below). I hope to meet him next week 
to follow this up. As a major part of my call for removing restraints is 
based on the Internet's treatment by other world governments, I would like 
letters of support to show this. 

My proposal may appear tame, but it isn't really. It will allow small
ISPs to pay as little as $150 a year in licence fees; reduce the (high)
likelihood of cartels between large companies; and entrench electronic
free-speech at (some) parity with other media. (Note that the DoT has
said that it is "not considering" blocking access to parts of the Net
for reasons of morals or security. This despite the local media's loudly
proclaimed discovery that the Net is 97.34% paedophile, or whatever.)

     Highlights
     
     1. Definitions
     - The category for E-mail providers becomes redundant,
       leaving international gateway, national network, and
       "retail" service providers
     - Content providers have constitutional protection as
       electronic publishers
     - BBSes do not require licensing, being content providers
     
     2. Goals
     - Licence fees not for revenue generation, but to
       ensure responsibility (unavoidable. Mr Takkar's words)
     - Licence fees based on telecom infrastructure costs,
       not revenues (at the moment, a licence is almost like income tax)
     - Regulation required for free and fair competition (see below)
     - TRAI should also handle datacom regulation, and datacom consumer
       complaints (the Telecom Regulatory Authority of India is likely
       to be very independent of the government, headed by a former
       Supreme Court judge)
     
     3. Regulation
     - Equal access to gateway, network and service
       providers (to prevent denial of service and cartels, very
       likely here without explicit rules preventing them)
     - Rationalisation of DoT leased line tariff structure
       (now, a network costs more than the sum of its parts! too 
       complicated to explain briefly)
     
     4. Licensing
     - Uniform fee structure for gateway, network and
       service providers (say 2.5% of leased line costs, which
       are known as they are provided by the DoT)
     - Barriers to entry greatly reduced (minimal ISP pays $150 p.a)
     - However, total licence fee revenue for DoT not
       significantly reduced (important for success of this proposal;
       large nationwide network may still pay $100,000+ thanks to its
       huge leased line requirements)
     
The full text of the proposal will be made publicly available on the
Net sometime next week. Those who would like to see it, and a template
for a letter of support, should send me mail at dcom-appeal at dxm.org.
I would like letters from non-commercial organisations, lobby groups,
policy bodies, and so on, but NOT datacom companies (I wouldn't
mind _personal_ letters of support from them, but they wouldn't do
for the DoT). I would particularly like to see something from Hong Kong,
which I have used as a good example of how to do things in Asia.

Thanks,
Rishab

----------------------------------------------------------------------
The Indian Techonomist - newsletter on India's information industry
http://dxm.org/techonomist/                             rishab at dxm.org
Editor and publisher: Rishab Aiyer Ghosh           rishab at arbornet.org
Vox +91 11 6853410; 3760335;     H 34 C Saket, New Delhi 110017, INDIA






From lull at acm.org  Mon Feb  5 17:39:05 1996
From: lull at acm.org (John Lull)
Date: Tue, 6 Feb 1996 09:39:05 +0800
Subject: Encryption and Backups
In-Reply-To: <2.2.32.19960205043354.00703aa4@mail.software.net>
Message-ID: <311621cd.3804730@smtp.ix.netcom.com>


On Sun, 04 Feb 1996 20:33:54 -0800, you wrote:

> CP Backup (part of PC Tools for Central Point aka Symantec) has DES. As to
> how good the implementation is: I have no idea.

CP backup does not work reasonably under Win95, certainly not under
NT, and Symantec has announced that they are NOT upgrading it, or
Fastback, or Norton backup, all of which they own.





From Kevin.L.Prigge-2 at cis.umn.edu  Mon Feb  5 18:17:33 1996
From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge)
Date: Tue, 6 Feb 1996 10:17:33 +0800
Subject: RC2 question [No Nuke Content]
Message-ID: <3116b6973db4002@noc.cis.umn.edu>


Could someone throw a little light my way with
regards to the permute[] array being derived from
pi? I'm just not seeing it, I guess. 

Sorry for the interruption, I owe the list several
off-topic flames and a discussion of some random
non-crypto stuff at a later date.

-- 
Kevin L. Prigge         | "You can always spot a well informed man -
UofM Central Computing  |  his views are the same as yours."  
email: klp at tc.umn.edu   |  - Ilka Chase 
PGP Key Fingerprint =  FC E5 EE E7 8B 2E E9 D5  DA 1C 5D 6B 98 52 F6 24  






From jpp at software.net  Mon Feb  5 18:48:32 1996
From: jpp at software.net (John Pettitt)
Date: Tue, 6 Feb 1996 10:48:32 +0800
Subject: FV's blatant double standards
Message-ID: <2.2.32.19960206020035.00e2bea8@mail.software.net>


At 08:39 PM 2/5/96 -0500, Simson L. Garfinkel wrote:
>Yes, clearly if you are not concerned about missing 50-75% of First Virtual's 
>users, this attack will work just fine.
>-simson
>
>
Who cares - if 25 to 50% of a system's users are
vulnerable doesn't that make it weak?

John Pettitt, jpp at software.net
VP Engineering, CyberSource Corporation, 415 473 3065
 "Technology is a way of organizing the universe so that man
  doesn't have to experience it." - Max Frisch






From jirib at sweeney.cs.monash.edu.au  Mon Feb  5 19:34:06 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Tue, 6 Feb 1996 11:34:06 +0800
Subject: [noise] Re: Crippled Notes export encryption
In-Reply-To: <2.2.32.19960125090719.008efa3c@mail.teleport.com>
Message-ID: <199602060311.OAA11630@sweeney.cs.monash.edu.au>


Hello

Alan Olsen wrote:

...
> So we could launch Jeff Weinstein in a rocket without violating ITAR as long
> as we do not sell him.

Forget about Jeff, how about PGP? Put it on a rocket (I'm *sure* there's
an amateur rocket club conveniently located near the border), and off
you go! (I guess you'd want to check @ 126.1 first, though).

Have I missed anything?


Jiri
--
If you want an answer, please mail to .
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)





From bit-bucket at lsd.com  Mon Feb  5 20:06:36 1996
From: bit-bucket at lsd.com (Dave Del Torto)
Date: Tue, 6 Feb 1996 12:06:36 +0800
Subject: [NOISE] just a few bits shy of a soul...
Message-ID: 


While chatting with a friend recently over brown rice in Boulder CO, he
said something that I found raw-ther amusin'. Thought I'd share it. We'd
been discussing bit-sizes of keys vs fifth-generation NSA cryptanalytical
systems, etc and he said:

 "Wow, it's amazing how much [NSA] computing power is placed in
  service of [such a] '1-bit' consciousness."

Heh...

   dave







From ddt at lsd.com  Mon Feb  5 20:16:32 1996
From: ddt at lsd.com (Dave Del Torto)
Date: Tue, 6 Feb 1996 12:16:32 +0800
Subject: CONTEST: Name That Program!
Message-ID: 


At 12:10 AM 1/31/96, Bill Stewart wrote:
>At 11:45 AM 1/30/96 -0500, Nathaniel Borenstein  wrote:
>> In fact, I'd settle for getting onto 10% of the machines, although I
>> suspect I could get onto more like 80% without raising a sweat.

If I were you, Nathaniel, I'd drop that petard of yours on the ground, grab
a very absorbent hankie and run like hell. ;)

>You've alleged that Macs and Unixen should be about as easy as Windows
>machines to crack with your CardShark.  I disagree - most Mac users I
>know have been using virus protectors more consistently and reliably
>than DOS/Windows users.  However, if their virus software only stops
>known viruses, rather than anything modifying critical resources,
>you might get away with it for long enough to surf some numbers.
 [elided]

Actually, for those who don't know, one of the most ubiquitous anti-viral
utilities for Macs (Symantec Antivirus for Macintosh, aka "SAM") also
offers a mode that constantly watches for any generic attempt to modify
crucial file/app/system resources -- and offers the opportunity to deny
such attempts. Thus, it doesn't _only_ offer protection against "known"
attacks. It even specifies which application/virus is trying to modify
which file, allows the user to teach it that certain mods are verboten and
halts activity until the user decides how to proceed. This makes it all but
impossible (if a Mac is so-protected) to even introduce a
trojan-keystroke-sniffing-credit-card-transmitter, much less use it to take
over the TCP stack (MacTCP) without the user's knowledge.

As for FV's recent "discovery:"
[a] I'm glad if FV _really_ wants to educate the public, but I hope they
find a better way next time than a "hey, we found this really simple way to
hack the universe, but we're not telling all you 13-year-old juvenile
delinquent hacker-wannabes" broadcast (talk about yer invitations!),
[b] confused why NB didn't anticipate the fuss and prepend a short
disclaimer onto his posting of it to cpunx (how about _thrice_ burnt,
Nathaniel?),
[c] unimpressed by all the vitriol it stirred up and the glee exhibited by
everyone in slamming Nathaniel and Co. (lighten up, even if it was
deserved) and
[d] bummed that no-one remembered my keycapture utility survey of nearly a
year and a half ago...as in "gee, I wish _I'd_ thoughta that." ;)

Frankly, I wonder if, in the long run, FV's stunt hasn't wrought more harm
than good: I got a late-night call from a worried but clueless friend
asking me to clarify this "credit card sniffer thing" he'd heard about from
someone else: he was all worried that there was an invisible virus on his
machine. >sigh< It seems the brush has been set afire: now which way will
the winds blow?

Cheers,

   dave

____________________________________________________________________________
"With annual interest, compounded every nanosecond, that'll be $0.02000018."








From weidai at eskimo.com  Mon Feb  5 20:26:49 1996
From: weidai at eskimo.com (Wei Dai)
Date: Tue, 6 Feb 1996 12:26:49 +0800
Subject: Disperse/Collect version 1.0
Message-ID: 


To follow up on a post last year where I suggested that Rabin's 
information dispersal scheme might be useful for sending large files 
across unreliable remailer networks, I built a shareware package called 
Disperse/Collect out of my own Crypto++ library.  Disperse splits up 
files into redundant pieces and encodes them in base 64.  Collect decodes 
them and reconstructs the original files.  You can download this software 
from my home page at http://www.eskimo.com/~weidai.

Wei Dai
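
[Added example, not part of Wei Dai's post and not code from Disperse/Collect or Crypto++: a minimal sketch of Rabin-style information dispersal, in which any m of n base64-encoded pieces rebuild the file. The GF(2^8) field (polynomial 0x11B), the Vandermonde encoding matrix and the "x:m:length:base64" piece format are assumptions made for this sketch; the post does not describe what Disperse uses.]

```python
import base64

# GF(2^8) log/antilog tables. Assumption: reduction polynomial 0x11B with
# generator 3 (the AES field); the post does not say which field Disperse uses.
EXP = [0] * 510
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _v
    LOG[_v] = _i
    _v ^= (_v << 1) ^ (0x11B if _v & 0x80 else 0)   # multiply _v by 3


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    return EXP[255 - LOG[a]]          # a must be non-zero


def vander_row(x, m):
    """Row (1, x, x^2, ..., x^(m-1)) of the encoding matrix for piece x."""
    return [EXP[(LOG[x] * k) % 255] for k in range(m)]


def invert(mat):
    """Gauss-Jordan inversion of a square matrix over GF(2^8)."""
    m = len(mat)
    aug = [list(r) + [int(i == j) for j in range(m)] for i, r in enumerate(mat)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        scale = gf_inv(aug[col][col])
        aug[col] = [gf_mul(v, scale) for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [a ^ gf_mul(f, b) for a, b in zip(aug[r], aug[col])]
    return [r[m:] for r in aug]


def disperse(data, n, m):
    """Split data into n base64 pieces; any m of them rebuild it.
    Piece format "x:m:length:base64" is hypothetical, made up for this sketch."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    padded = data + bytes(-len(data) % m)      # zero-pad to a multiple of m
    pieces = []
    for x in range(1, n + 1):                  # distinct non-zero x per piece
        row = vander_row(x, m)
        out = bytearray()
        for off in range(0, len(padded), m):   # one output byte per m-byte block
            acc = 0
            for k in range(m):
                acc ^= gf_mul(row[k], padded[off + k])
            out.append(acc)
        pieces.append("%d:%d:%d:%s" % (x, m, len(data),
                                        base64.b64encode(bytes(out)).decode()))
    return pieces


def collect(pieces):
    """Rebuild the original bytes from at least m distinct pieces."""
    got, params = {}, set()
    for p in pieces:
        x, m, length, b64 = p.split(":", 3)
        got[int(x)] = base64.b64decode(b64)
        params.add((int(m), int(length)))
    if len(params) != 1:
        raise ValueError("pieces come from different dispersals")
    m, length = params.pop()
    if len(got) < m:
        raise ValueError("need %d distinct pieces, have %d" % (m, len(got)))
    xs = sorted(got)[:m]                       # any m pieces will do
    inv = invert([vander_row(x, m) for x in xs])
    cols = [got[x] for x in xs]
    out = bytearray()
    for j in range(len(cols[0])):              # block j: b = A^-1 * c
        for k in range(m):
            acc = 0
            for i in range(m):
                acc ^= gf_mul(inv[k][i], cols[i][j])
            out.append(acc)
    return bytes(out[:length])


if __name__ == "__main__":
    sample = b"constructed sample file contents"   # constructed input
    parts = disperse(sample, n=5, m=3)
    survivors = [parts[4], parts[0], parts[2]]     # two pieces lost in transit
    print(collect(survivors) == sample)
```

[Dispersal gives redundancy only: each piece is a linear function of the plaintext and carries no integrity check, so a file that needs secrecy or tamper detection should be encrypted and authenticated before it is dispersed.]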






From jonl at well.com  Mon Feb  5 21:04:59 1996
From: jonl at well.com (Jon Lebkowsky)
Date: Tue, 6 Feb 1996 13:04:59 +0800
Subject: Mike Godwin at HotWired
Message-ID: <199602060446.UAA17724@well.com>


PLEASE RECIRCULATE!

Mike Godwin, staff counsel for EFF and eloquent supporter of civil 
liberties online and off, will be our guest at HotWired's Electronic 
Frontiers Forum this Thursday, February 8, at 7PM PST, 9PM CST, 10PM EST.

Coincidentally, President Clinton is scheduled to sign the Telecom Bill 
the same day, and the '48 Hours of Protest' demonstration will begin when 
the bill is signed.

We encourage online activists to participate in the ongoing EF Forums as a 
chat space wherein we can discuss new developments and issues of 
organization in support of a free and open Internet. A login is required 
but the account is free. We're at http://www.hotwired.com/club or 
telnet://chat.wired.com:2428.

thanks,
Jon L.

http://www.hotwired.com/eff

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jon Lebkowsky                       http://www.well.com/~jonl
Electronic Frontiers Forum, 7PM PST Thursdays 
Vice President, EFF-Austin                     
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=






From hal9001 at panix.com  Mon Feb  5 23:43:20 1996
From: hal9001 at panix.com (Robert A. Rosenberg)
Date: Tue, 6 Feb 1996 15:43:20 +0800
Subject: Arthur C. Clarke Supports Strong Crypto
Message-ID: 


At 21:06 2/4/96, jim bell wrote:

>At 08:05 PM 2/4/96 -0800, Timothy C. May wrote:
>>
>>(Pardon me for mentioning crypto...)
>>
>>Arthur C. Clarke, known to most of you (author of many SF works, coiner of
>>the phrase: "all sufficiently advanced technologies are indistinguishable
>>from magic," mentioned by Alan Olsen yesterday), has a role in a "Discovery
>>Channel" program called "Mysterious Universe."
>
>Actually, it was _I_ who mentioned this quote, but didn't specifically
>recall whom to ascribe it to.

It is known (at least among Science Fiction Fans) as "Clarke's Law" and I
seem to remember it more accurately phrased as "Any sufficiently advanced
technology is indistinguishable from Magic". It is similar to suggesting
that "Magic is any Technology that you do not understand".







From wlkngowl at unix.asb.com  Tue Feb  6 03:02:05 1996
From: wlkngowl at unix.asb.com (Deranged Mutant)
Date: Tue, 6 Feb 1996 19:02:05 +0800
Subject: re Telecoms Bill
Message-ID: <199602061038.FAA12752@bb.hks.net>


-----BEGIN PGP SIGNED MESSAGE-----

mianigand at unique.outlook.net ("Michael Peponis") wrote:

>I think the first problem would be how to hide a site's true location.
>For example, if I have a domain called xxx.offensivestuff.org, how would
>I hide the site so that while it is freely accessible to those who are
>looking for it, yet not allow a government agency to home in on the
>geographical locations via trace route.

That's a problem... data havens come to mind, but that's another issue.
Keeping the data in a domain/country where it is not restricted, or where
laws are very laxly enforced is one start... then the issue is using
crypto so that one can get the material from a country that restricts
it.

[Off topic... DC Nets/Anonymous or encrypted IRC comes to mind too...]

[..]
>Of course, this approach would result in a slower connection and more
>packet hops.

A price for maintaining security and anonymity...

[..]
>:On the non-net side of things, implementing encrypted
>:BBS/communications and file-transfers is useful.  I'm told PGP-Phone
[..]
>
>I like this idea, but I am not sure how the laws work.  For example if a
>BBS had subscribers sign a voucher stating that they were not agent of a
>government agency, would it hold up? would lying constitute entrapment?

It wouldn't work, and would make them more interested in the material
that BBS has.  And what about DMV/DOT employees, clerks, firemen, 
hospital employees, etc., who are non-enforcement people?

Encryption would restrict wiretapping.  If users send private encrypted
email to each other (Isn't there a PBBS program that allows users to
PGP-encrypt private mail to each other...?) that's another layer of
security.  Keeping the BBS on an encrypted partition also helps.

BBS's aren't as prone to snooping as networks are, but then again, why
should government employees be the only type of snooper?

The comm program could also implement a kind of zero-knowledge proof
or digital sig rather than the standard login, making the BBS secure
against someone hacking an account.



- --Rob

Just some suggestions to dilute the noise ratio...


- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMRcvjyoZzwIn1bdtAQGl2gF+INNeeX6GH9oX/8KSB0NPIi2ifzDuBVSu
d2fwPoAmiJ3ds7mzBPCn3msATxaCROFd
=kPGx
-----END PGP SIGNATURE-----





From attila at primenet.com  Tue Feb  6 03:05:55 1996
From: attila at primenet.com (attila)
Date: Tue, 6 Feb 1996 19:05:55 +0800
Subject: CypherPunks as Teachers; source material [Re: Hey, we are quaint! , (Was: A Sign of the Future)]
In-Reply-To: 
Message-ID: 



	I agree:

	    "Cypherpunks Teach"
		Bill Humphries  

    --the only way to get the message across.

	Jeffersonians?  Publicly, Jefferson espoused universal suffrage 
    for all Freemen as opposed to Madison-Hamilton-Federalists. Both sides
    had a fully "republican" bi-cameral legislature with separate executive
    and justice branches for the checks and balances.
	Jefferson differed in his approach to social issues: far more 
    empathetic than the Federalists who could exhibit traits of feudalism 
    rather easily. In his writings, etc. Jefferson could be considered a
    nascent libertarian.  How today's Democratic Party can claim 
    Jefferson as their founding father is certainly past my comprehension.

	The following are reprintings of excellent books:

            Works of Fisher Ames, as published by Seth Ames, W.B. Allen,
	editor, Indianapolis: Liberty Fund, two volumes, 1,708 pages,
	hardcover, $30.00. 
            Democracy and Liberty, by William Edward Hartpole Lecky,
	Indianapolis:  Liberty Fund, two volumes, 1,025 pages, hardcover,
	$20.00. 
    
    and well worth the read, despite their size. Lecky was a historian 
    with perspective, not a revisionist.  Excellent coverage of the fallacy
    of democracies starting with the Greek city-states. Ames was an American
    statesman (graduated from Harvard Law at 16) and was a Representative
    from Massachusetts in the first Congress thru 1799 when his ill-health
    forced retirement. In his writings, he states:

	    Democracy means the absolute reign of "public opinion," the
	disappearance of the rule of law, and the sweeping away of
	protections built into a true government of law. 

	Jefferson certainly would roll over at the degeneration of "his"
    party which began in the 30s as liberal news, particularly radio,
    demagogues discovered they could fan the riff-raff and control the
    direction of government. 
	With Democratic control of the house all but six years from 1932
    to 1994 (48-54) and Democratic Presidents for all but 20 of 60 years: 
    [Eisenhower (if he was a Republican), Nixon-Ford, Reagan and Bush], 
    the cynical press effectively rewrote the modus operandi of the
    Federal government; with the advent of nationwide television in the 
    late 50s --the deed was done.  Roosevelt started with "...a chicken 
    in every pot" but today that is a piker --you need two cars in the 
    garage, TVs in every room, etc. or as quipped once (Butts on the way 
    to his media crucifixion): "...loose shoes, a tight pussy, and a warm
    place to shit."
	
	I have an excellent review of both books by Fr. James Thorton
    Notre Dame, I think.

	Anyone who would like a copy of the review, mail a blank message 
    with the Subject: DEM_lib and it shall be sent.

	Both texts clearly define what the problem is today even though 
    both are over 100 years old. the survivors of their length will have
    a clear understanding of limited republics and rabble-run democracy,
    and with Lecky's work, some excellent historical references.

	attila

On Mon, 5 Feb 1996, Bill Humphries wrote:

> Steve Levy replied to Alex Strasheim over an alleged 'plot' to discredit
> cypherpunks at Wired Magazine:
> 
> >Give me a break.  I do not work for Wired but I write for them at times,
> >and most often my subject is crypto related.
> 
> [...]
> 
> >On Mon, 5 Feb 1996, Alex Strasheim wrote [citing Gary Wolf 'channeling
> >McLuhan']:
> >
> >> >     Concerns about privacy and anonymity are outdated. Cypherpunks
> >> >     think they are rebels with a cause, but they are really senti-
> >> >     mentalists.
> >>
> >> I'm not much for big conspiracy theories, but I like the little ones.
> 
> 
> 
> Hey folks, we are quaint Jeffersonians for the most part here. We believe
> that reasoned argument should carry the day instead of FUD (fear,
> uncertainty and doubt). And that privacy is a good thing. Whereas modern,
> marketing driven media (as described by McLuhan) will use FUD and whatever
> else it takes to deliver an audience. Ask any of the people who have been
> publicly tarred as Nazis for their involvement over the Zundel/Hollow
> Earth/webcom business.
> 
> Wolf's portrayal of McLuhan is spot on, because media producers who give a
> damn about anonymity and privacy aren't going to land the big contracts.
> The money to buy bandwidth and servers wants the highest quality data
> available so we can be coerced to spend every minute we aren't working,
> commuting, sleeping, or fornicating (was f*cking before the CDA) as
> 'consumers.'
> 
> And many people aren't going to think of these issues, not because they are
> dumb, but because they are so busy working to provide for their families to
> spend any time in the reflective/meditative state required to make
> political choices.
> 
> I suggest that Cypherpunks add one more slogan to their list:
> 
>                "Cypherpunks teach."
> 
> Because no one is going to invest in the time and effort to use PGP,
> remailers, and blind web proxies unless they understand why they should.
> I'm going to invest in the time to show my family and friends why these
> technologies are important so when I mention PGP to someone they'll have
> something other than the soundbite "only Nazis use strong encryption" to
> fall back on.
> 
> 
> 
> bill.humphries at msn.fullfeed.com
> "The more you know, the more jokes you get" -- Tompkins and Kaufman
> 
> 

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From sameer at c2.org  Tue Feb  6 03:13:21 1996
From: sameer at c2.org (sameer)
Date: Tue, 6 Feb 1996 19:13:21 +0800
Subject: C2 and the Worst Case
In-Reply-To: <9602051739.AA09360@anon.penet.fi>
Message-ID: <199602060551.VAA25665@infinity.c2.org>


sigh.

http://www.c2.org/members/docs/shell.phtml

	This was fixed *ages* ago.

-- 
Sameer Parekh					Voice:   510-601-9777x3
Community ConneXion, Inc.			FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")		sameer at c2.org





From roy at sendai.cybrspc.mn.org  Tue Feb  6 03:14:35 1996
From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Tue, 6 Feb 1996 19:14:35 +0800
Subject: How would an FV attack fail? (was: Re: FV's blatant double standards)
In-Reply-To: <199602060139.UAA03880@vineyard.net>
Message-ID: <960205.233714.1y9.rnr.w165w@sendai.cybrspc.mn.org>


-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, simsong at vineyard.net writes:

> Yes, clearly if you are not concerned about missing 50-75% of First
> Virtual's users, this attack will work just fine.

Could you characterize the failure modes?  I see 2 main ones:

    Confirmation notices directed to another address invisible to the
    successfully infiltrated attacker.

    Failure to initially infiltrate:

        Infiltration attempt failed.

        Potential victim never contacts infection vector.

I'm curious how you'd estimate the breakdown over these modes, and if
you see additional failure modes I've missed.
- -- 
Roy M. Silvernail --  roy at cybrspc.mn.org will do just fine, thanks.
          "Does that not fit in with your plans?"
                      -- Mr Wiggen, of Ironside and Malone (Monty Python)
          PGP public key available upon request (send yours)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMRbrPxvikii9febJAQFxxwP+MjHD4lRb8kMiFF+5DlN4OTZqolyQWlfE
aj2Tk59/FNrOctW4Gqv4b3EkTuLdc1se1CDs/UDQQilmSNiF5cxfJauPVyETQG3H
0NZ5T7wI9WrJp6JVxc4DVwu7aUZwmcDYB6tKPT2ZsH2jhKGz9pUn8kieZt4zM+/7
T0e80OEELvA=
=ZGC2
-----END PGP SIGNATURE-----





From jirib at sweeney.cs.monash.edu.au  Tue Feb  6 03:14:46 1996
From: jirib at sweeney.cs.monash.edu.au (Jiri Baum)
Date: Tue, 6 Feb 1996 19:14:46 +0800
Subject: Anti-Nazi Authentication [Was: Tim's paranoid rant about Declan...]
In-Reply-To: 
Message-ID: <199602060545.QAA12048@sweeney.cs.monash.edu.au>


-----BEGIN PGP SIGNED MESSAGE-----

Hello Rich Graves 
  and bryce at colorado.edu
  and "Declan B. McCullagh" , cypherpunks at toad.com
 
> On Fri, 2 Feb 1996, Bryce wrote:
...
> For the paranoid, it would be an added assurance that they are reading the
> original file at the original location. Otherwise, anybody could copy the
> Web page, modify it, and give it someone else's PGP signature. 
...

So? I guess it's plagiarism, but there's nothing you can do about it
anyway. If someone wants to claim your words, let them sign.

...
> But yeah, it would look awfully silly, especially to the non-PGP-aware
> public. An unobtrusive PGP logo (below) would be great, and might become
> a status symbol, like those cheesy HTML validation service and Internet
> Audit Bureau logos (which I have used on a few pages). 
> 
> > Just put a "PGP signed" logo at the bottom of the
> > page.  If the user clicks on it then it hrefs to a .asc
...
> Yeah, I like the idea of a standardized logo. A lot.

One other thing - what about inline images?

I guess you could put an MD5 hash of the image into the IMG tag,
as a new attribute (you don't necessarily want to sign each of the
images separately).

I'm not sure how to do links, but I guess for the time being you'd
leave them unsigned, with a disclaimer or something on the signature file.

Have a look at http://www.cs.monash.edu.au/~jirib (my home page).
Is that more-or-less what you have in mind?

(Sorry about the cruddy logo - anybody a better artist than I am?)


Hope that makes sense...

Jiri
- --
If you want an answer, please mail to .
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

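An added illustration of the image-hash idea in the message above (not Jiri Baum's code or markup): the `md5` attribute name, the `check_inline_images` helper and the sample page and image bytes are all assumptions constructed here. It assumes the HTML itself has already passed PGP signature verification, and takes the digest algorithm as a parameter because MD5, named in the message, is no longer collision-resistant.

```python
import hashlib
from html.parser import HTMLParser

# Hypothetical attribute name: the message only proposes "a new attribute".
HASH_ATTR = "md5"


class ImgHashCollector(HTMLParser):
    """Collect (src, expected_digest) for every IMG tag in a page."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "img":
            found = dict(attrs)
            self.images.append((found.get("src"), found.get(HASH_ATTR)))


def check_inline_images(signed_html, fetch, algorithm="md5"):
    """Compare each fetched image against the digest carried in the signed page.

    signed_html: page text whose PGP signature was already verified by the caller.
    fetch:       callable mapping src -> bytes, raising KeyError if unavailable.
    Returns {src: "ok" | "mismatch" | "unsigned" | "missing"}.
    """
    collector = ImgHashCollector()
    collector.feed(signed_html)
    collector.close()

    results = {}
    for src, expected in collector.images:
        if src is None:
            continue
        if not expected:
            # No digest in the tag: the signature says nothing about this image.
            results[src] = "unsigned"
            continue
        try:
            data = fetch(src)
        except KeyError:
            results[src] = "missing"
            continue
        actual = hashlib.new(algorithm, data).hexdigest()
        results[src] = "ok" if actual == expected.strip().lower() else "mismatch"
    return results


def demo():
    """Run the check on a constructed page and constructed image bytes."""
    logo = b"GIF89a constructed logo bytes"
    photo = b"GIF89a constructed photo bytes"
    page = f"""<html><body>
<img src="logo.gif" md5="{hashlib.md5(logo).hexdigest()}">
<IMG SRC="photo.gif" MD5="{hashlib.md5(photo).hexdigest().upper()}">
<img src="counter.gif">
<img src="gone.gif" md5="{'0' * 32}">
</body></html>"""
    # What the server hands back: photo.gif was altered after the page was signed.
    served = {
        "logo.gif": logo,
        "photo.gif": photo + b" (altered after signing)",
        "counter.gif": b"GIF89a constructed counter bytes",
    }
    return check_inline_images(page, served.__getitem__)


if __name__ == "__main__":
    for src, status in demo().items():
        print(f"{src}: {status}")
```
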





From attila at primenet.com  Tue Feb  6 03:19:18 1996
From: attila at primenet.com (attila)
Date: Tue, 6 Feb 1996 19:19:18 +0800
Subject: Likely application for high-bandwidth proxies (fwd)
In-Reply-To: <199602060324.WAA09394@opine.cs.umass.edu>
Message-ID: 


On Mon, 5 Feb 1996 lmccarth at cs.umass.edu wrote:

> It would appear that a potentially very popular application for high-
> bandwidth anonymizing proxies has arrived: 
>

	come on Lewis...  where's the sight  address? 

	on a little more serious point; the use of multiple high
    bandwidth proxies is fast becoming essential to screen your
    address from the enquiring target, thereby forcing the Feds to
    use either very extensive sniffers or the power of the subpoena (not 
    much luck if the records disappear nightly...).  The only clinker is 
    the big sites are starting to require registration with legal warnings 
    --next of course is payment and they want a credit card --not a check
    or cybercash --a credit card for open debit. 

		attila
 
> Forwarded message from list-managers-digest:
> > From: Project Genesis 
> > Date: Mon, 05 Feb 1996 02:42:13 -0500
> > Subject: Speaking of spams...
> > 
> > Did I mention that Project Genesis is an organization specializing in
> > religious education?  The message below explains why all of our public lists
> > are moderated. I value privacy and have grave doubts about things like the
> > Exon amendment (which may make Internet providers liable), but I also think
> > that we need to ensure that the Internet not become one big red-light
> > district. Spams like this are a step in the wrong direction. It hit several
> > of our religion-oriented lists.
> > 
> > Ken
> > 
> > >Sender: kristina at free.org          [User Unknown - I told her to go away.]
> > >Subject: LIVE NUDE VIDEOCONFERENCING!
> > >
> > >Hi,
> > >My name is Kristina.  I'm a nude model and I'd
> > >love to take my clothes off and entertain you.
> > >You can watch me live and in color on your 
> > >computer.  We can type back and forth and I'll
> > >be happy to perform your erotic fantasy.  If
> > >this sounds like fun, visit the website and
> > >download the software. The address is
> > >http://www.[I don't plan to help them].com or you can get the
> > >software from the BBS at 815-[ditto].  I'll
> > >turn the camera on in my studio and wait to 
> > >hear from you.  I think you'll like what I have
> > >to show you.  This isn't a movie...you make a
> > >request and I'll probably fulfill it for you.
> > >Look for my picture on the Website.  Hope to 
> > >see you soon!
> > >
> > >Love,
> > >Kristina
> 

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From mab at research.att.com  Tue Feb  6 03:19:28 1996
From: mab at research.att.com (Matt Blaze)
Date: Tue, 6 Feb 1996 19:19:28 +0800
Subject: Report available: "Minimal Key Lengths for Symmetric Ciphers"
Message-ID: <199602060707.CAA01434@nsa.tempo.att.com>


At the request of the Business Software Alliance (BSA), an ad hoc
panel of seven cryptologists and computer scientists met last November
to address the question of the minimum key length required to provide
adequate security against exhaustive search in commercial applications
of symmetric cryptosystems.  We have just completed our report.

We adopted a simple, and somewhat conservative, methodology in an
effort to gain a realistic understanding of what size keys might
actually be vulnerable in practice.  It is common in analysis of key
length to give all benefit of the doubt to the capabilities of the
potential attacker and to make very generous assumptions about the
technology and resources that might be available to mount an attack.
In our analysis, however, we assumed that the attacker would employ
only conventional, commercially-mature technologies and would be
limited by budget and time constraints.  We used several different
technologies to design attack strategies that accommodate the budgets
of various hypothetical attackers, from individual ``hackers'' to
well-funded enterprises.  Our conclusions, therefore, represent an
approximation of an ``upper bound'' on the strength of various size
keys; I believe more efficient attacks than those we considered might
also be possible and should be taken into account by the prudent
cryptosystem designer.

The abstract of the report follows below.

A PostScript copy of the full text of the report is available in
     ftp://ftp.research.att.com/dist/mab/keylength.ps
An ASCII version is available in
     ftp://ftp.research.att.com/dist/mab/keylength.txt

(The report will also likely appear on the BSA's web site shortly).

-matt (speaking only for himself)

=======================================================================
	      Minimal Key Lengths for Symmetric Ciphers
	       to Provide Adequate Commercial Security

		    A Report by an Ad Hoc Group of
		Cryptographers and Computer Scientists

			      Matt Blaze (1)
			   Whitfield Diffie (2)
			   Ronald L. Rivest (3)
			    Bruce Schneier (4)
			  Tsutomu Shimomura (5)
			    Eric Thompson (6)
			    Michael Wiener (7)

			     January 1996


			       ABSTRACT

    Encryption plays an essential role in protecting the privacy of
electronic information against threats from a variety of potential
attackers.  In so doing, modern cryptography employs a combination of
_conventional_ or _symmetric_ cryptographic systems for
encrypting data and _public key_ or _asymmetric_ systems for
managing the _keys_ used by the symmetric systems.  Assessing the
strength required of the symmetric cryptographic systems is therefore
an essential step in employing cryptography for computer and
communication security.

    Technology readily available today (late 1995) makes 
_brute-force_ attacks against cryptographic systems considered adequate
for the past several years both fast and cheap.  General purpose
computers can be used, but a much more efficient approach is to employ
commercially available _Field Programmable Gate Array (FPGA)_
technology.  For attackers prepared to make a higher initial
investment, custom-made, special-purpose chips make such calculations
much faster and significantly lower the amortized cost per solution.

    As a result, cryptosystems with 40-bit keys offer virtually no
protection at this point against brute-force attacks.  Even the U.S.
Data Encryption Standard with 56-bit keys is increasingly inadequate.
As cryptosystems often succumb to `smarter' attacks than brute-force
key search, it is also important to remember that the keylengths
discussed here are the minimum needed for security against the
computational threats considered.

    Fortunately, the cost of very strong encryption is not
significantly greater than that of weak encryption.  Therefore, to
provide adequate protection against the most serious threats ---
well-funded commercial enterprises or government intelligence agencies
--- keys used to protect data today should be at least 75 bits long.
To protect information adequately for the next 20 years in the face of
expected advances in computing power, keys in newly-deployed systems
should be at least 90 bits long.

-----------------------------------------
1. AT&T Research, mab at research.att.com
2. Sun Microsystems, diffie at eng.sun.com
3. MIT Laboratory for Computer Science, rivest at lcs.mit.edu
4. Counterpane Systems, schneier at counterpane.com
5. San Diego Supercomputer Center, tsutomu at sdsc.edu
6. Access Data, Inc., eric at accessdata.com
7. Bell Northern Research, wiener at bnr.ca
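A worked calculation for the abstract above, added here and not taken from the report: the key-test rate, the search-time budget and the 18-month doubling period are assumptions chosen for illustration, not figures from the abstract. It shows how brute-force time scales with key length, and why a margin that is adequate today needs extra bits to last 20 years.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def average_search_seconds(key_bits, keys_per_second):
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return 2 ** (key_bits - 1) / keys_per_second


def years_until_affordable(key_bits, keys_per_second, budget_seconds,
                           doubling_months=18.0):
    """Years until the average search fits in budget_seconds.

    Assumes the attacker's keys/second for a fixed budget doubles every
    doubling_months (an assumption, not a figure from the abstract).
    """
    now = average_search_seconds(key_bits, keys_per_second)
    if now <= budget_seconds:
        return 0.0
    doublings_needed = math.log2(now / budget_seconds)
    return doublings_needed * doubling_months / 12.0


def bits_to_hold_margin(bits_today, years, doubling_months=18.0):
    """Key length that keeps today's work factor after `years` of doubling."""
    return bits_today + math.ceil(years * 12.0 / doubling_months)


def key_length_table(keys_per_second, budget_seconds):
    """Rows of (bits, average search in years, years until within budget)."""
    rows = []
    for bits in (40, 56, 75, 90):
        seconds = average_search_seconds(bits, keys_per_second)
        rows.append((
            bits,
            seconds / SECONDS_PER_YEAR,
            years_until_affordable(bits, keys_per_second, budget_seconds),
        ))
    return rows


if __name__ == "__main__":
    # Assumed attacker: 1e9 key trials per second, willing to wait one week.
    rate = 1e9
    one_week = 7 * 24 * 3600
    for bits, years_now, wait in key_length_table(rate, one_week):
        print(f"{bits:3d} bits: {years_now:12.3e} years now, "
              f"within budget in {wait:6.1f} years")
    # 20 years of doubling every 18 months costs 14 bits of margin.
    print("75-bit margin held for 20 years needs",
          bits_to_hold_margin(75, 20), "bits")
```

Under these assumptions a 75-bit margin needs 89 bits after 20 years, which is in line with the abstract's 90-bit recommendation.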





From lmccarth at cs.umass.edu  Tue Feb  6 03:39:36 1996
From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu)
Date: Tue, 6 Feb 1996 19:39:36 +0800
Subject: Likely application for high-bandwidth proxies (fwd)
Message-ID: <199602060324.WAA09394@opine.cs.umass.edu>


It would appear that a potentially very popular application for high-
bandwidth anonymizing proxies has arrived: 

Forwarded message from list-managers-digest:
> From: Project Genesis 
> Date: Mon, 05 Feb 1996 02:42:13 -0500
> Subject: Speaking of spams...
> 
> Did I mention that Project Genesis is an organization specializing in
> religious education?  The message below explains why all of our public lists
> are moderated. I value privacy and have grave doubts about things like the
> Exon amendment (which may make Internet providers liable), but I also think
> that we need to ensure that the Internet not become one big red-light
> district. Spams like this are a step in the wrong direction. It hit several
> of our religion-oriented lists.
> 
> Ken
> 
> >Sender: kristina at free.org          [User Unknown - I told her to go away.]
> >Subject: LIVE NUDE VIDEOCONFERENCING!
> >
> >Hi,
> >My name is Kristina.  I'm a nude model and I'd
> >love to take my clothes off and entertain you.
> >You can watch me live and in color on your 
> >computer.  We can type back and forth and I'll
> >be happy to perform your erotic fantasy.  If
> >this sounds like fun, visit the website and
> >download the software. The address is
> >http://www.[I don't plan to help them].com or you can get the
> >software from the BBS at 815-[ditto].  I'll
> >turn the camera on in my studio and wait to 
> >hear from you.  I think you'll like what I have
> >to show you.  This isn't a movie...you make a
> >request and I'll probably fulfill it for you.
> >Look for my picture on the Website.  Hope to 
> >see you soon!
> >
> >Love,
> >Kristina





From nsb at nsb.fv.com  Tue Feb  6 03:50:47 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 6 Feb 1996 19:50:47 +0800
Subject: FV's blatant double standards
In-Reply-To: <2.2.32.19960205213944.0109c138@mail.software.net>
Message-ID: 


I've debunked this one before, but let me say it again.  John outlines
essentially the same scheme for an automated attack on FV that was
previously posted by Jeff Weinstein at Netscape.  (Actually, to be fair,
Jeff's was considerably more sophisticated in its attempt to avoid
detection by FV.)  John's approach will essentially change all negative
FV confirmation answers to positive ones.  There are a couple of key
flaws in his approach:

1.  He doesn't explain how he's going to spot the VirtualPIN in the
outgoing stream.  Given the non-structured nature of the VirtualPIN,
this alone probably requires more sophistication than our entire attack
program.

2.  He acknowledges that this approach will miss anyone who isn't buying
things from the machine that actually composes his mail messages.  What
he doesn't seem to realize, however, is that this means that any
automated attack will cause "fraud" to be called as soon as it hits a
user of AOL, Compuserve, etc.  Jeff's approach would last a bit longer,
but is also vulnerable to heterogeneous mail environments.  The real
point is that an automated attack like this one is undermined by email
heterogeneity, which will cause FV's fraud department to be alerted
quite quickly & trace things down.  In contrast, the attack we've
outlined on credit card numbers is simple, single-step, and has no
obvious "misfiring path" that would lead to quick detection.  It could
do its dirty work for a long time.  

Simson's comment almost, but not quite, made this clear:

> Yes, clearly if you are not concerned about missing 50-75% of First Virtual's 
> users, this attack will work just fine.

The "just fine" is incorrect, however, because those 50-75% will not be
MISSED, they will be attacked incompletely, and they will object to
false transactions, causing our fraud department to launch an
investigation.  This attack would get stopped pretty quickly, I believe.
 -- Nathaniel
--------
Nathaniel Borenstein 
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com





From nsb at nsb.fv.com  Tue Feb  6 04:11:25 1996
From: nsb at nsb.fv.com (Nathaniel Borenstein)
Date: Tue, 6 Feb 1996 20:11:25 +0800
Subject: FV has 91 day lag between sales and payment
In-Reply-To: 
Message-ID: <9602061157.AA07794@ nsb.fv.com>


Excerpts from mail.cypherpunks: 31-Jan-96 FV has 91 day lag between s..
Vincent Cate at offshore.co (4108*)

> The FV 90 day lag is their main downside in my opinion (though defaulting
> to not paying if the customer does not answer email is another problem). 
> So FV does not take any risk at all - and a merchant has to have enough
> extra capital to let 3 months worth of sales sit at FV. Some ideas for
> ways that they or someone else could improve on this: 

Actually, we've gotten approval from our banking partners to waive the
holding time entirely for customers who fill out an application and win
the bank's approval.  We're working on the technical and logistical
aspects of this right now.  -- Nathaniel





From jimbell at pacifier.com  Tue Feb  6 04:37:20 1996
From: jimbell at pacifier.com (jim bell)
Date: Tue, 6 Feb 1996 20:37:20 +0800
Subject: Jim Bell - Murderous Terrorist
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----


[while I am replying to this anonymous, flaming message from what MAY be a 
stable nym, I specifically request a consensus opinion on whether I should 
continue to comment in this way.  Some people say that a discussion of my 
"Assassination Politics" idea (containing, as it does, issues of good 
encryption and digital cash implemented with good encryption and blinding) 
is "on-topic" here, but on the other hand it does seem to bring out the 
flamers among us.  I would be happy to go either way:  To continue to 
respond to what is obviously a strenuous debate, or to ignore the issue 
here, in this area, and to direct the debate to another.]

At 07:06 PM 2/4/96 -0800, jdoe-0007 at alpha.c2.org wrote:
>Dr. Vulis writes:
>
>AO> Alan Olsen  writes:
>
>AO> I consider Mr. Bell to be a crank and a loon.
>
>DV> You're certainly entitled to your opinion. You might be interested to know that
>DV> I consider Jim Bell to be highly intelligent, knowledgeable, and overall nice
>DV> person. I'm particularly impressed by his calm and restrained response to your
>DV> provocations. I've also formed a rather negative opinion of you, based on your
>DV> actions in this incident.
>
>Jim Bell has advocated nothing less than paid death squads 

No, I haven't.  The term "squad" implies more than one person.  In practice, 
I think those people who are motivated to collect the anonymous awards will 
be individually self-selected people, and will not come in the form of 
"squads."  If anything, the use of a "squad" defeats the entire purpose of 
the anonymity provided by my idea: Quite literally, nobody in the world 
except the killer himself needs to know who he is.

>using crypto as a
>means to hide payment to these murderous terrorists.

   Aside from the fact that the difference between "terrorists" and 
"freedom fighters" is primarily a matter of point of view, in effect you are 
merely objecting to people being able to defend themselves anonymously, by 
proxy as it were.

>  If you can find a conspirator
>of murder as " highly intelligent, knowledgeable, and overall nice person" then
>you also are in need of immediate mental health intervention.

As my essay makes clear, the whole purpose of the system is to KEEP most 
people from being "conspirators of murder" by the legal definition.  You may 
disapprove of people being able to defend themselves from government abuse, 
but I actually encourage it. 


>Should the mainstream media ever get wind of Bell's lunacy it will be one more
>nail in the crypto-coffin spurring the Feds and international anti-crypto efforts to
>a frenzy.

As you know well, my current opinion is that the theory is tantamount to 
being inevitable.  If anybody is worked up into a "frenzy," it'll be because 
they are afraid I might actually be correct.  Anyone who is really convinced
I am wrong will be quite calm, because they "know" nothing will come of my idea.

>  Bell is either a total fucking lunatic of the extreme right wing 

For the record, I was a minarchist libertarian for about 19 years, until
about a year ago when I realized that pure anarchy (with protection for
rights) could actually be made stable.  I have as little sympathy for the
"extreme right wing" as I do the "extreme left wing." 

And as I'm happy to point out, I upset both of their "apple carts" just as
effectively, so both categories have "good" reason to hate me.


>(having
>read his suck ups posts supporting General Linda Thompson)

This is an extremely odd assertion.  While I have certainly heard of Linda 
Thompson (the highly controversial Indiana lawyer) I don't recall having 
written much about her, and certainly not on the Internet and 
certainly not within the last year or so.  I don't think I've ever 
"defended" her, although I have occasionally criticized a few of her critics 
as buffoons.  Because they WERE buffoons!  (This does not automatically make 
Linda Thompson look any better, however.)

In fact, the only communication I've ever seen from her on the subject of 
"Assassination Politics" was actually critical.  I responded, correcting 
some false conclusions of hers, and I never heard anything more from her.

Even so, I challenge this guy to show (or even describe the "where and when" 
of these "suck up posts."  


> or an agent provocateur for the Feds. 

This is rich!  I've proposed a system which may spell inevitable doom for 
the Feds no matter what they do, no matter what they try, and this guy tries 
to claim that I'm an "agent provocateur" for them!  In past  posts I've 
mentioned that I carefully considered the question of whether or not my 
posting would help or hinder the adoption of the "Assassination Politics" 
idea, and I came to the conclusion that the worst situation would be if the 
government could keep its ultimate weaknesses disguised for a few more 
years.  That's why I published when I did.

The first person to think of an "Assassination Politics" idea was probably
some well-paid apparatchik in the NSA, who (quite opposite of my position)
was terrified that it might come true.

> One is as bad as the other.  To quote your own
>words to Mr. Olsen; " I've also formed a rather negative opinion of you, based
>on your actions in this incident."
>
>AO> He has no interest in any sort of honest discussion.
>
>DV>  Honest or dishonest, the discussion of Jim's political views has nothing 
>DV> to do with encryption.
>
>His plans for death squads success DEPENDS on the anonymity provided by
>CRYPTO!

Some anti-gunners argue that the public shouldn't be allowed to own guns 
because they might do something wrong with them.  They are fools.  If 
anti-crypto people take the same position with respect to crypto, they are 
even WORSE fools.

Jim Bell
jimbell at pacifier.com

Klaatu Burada Nikto
"Something is going to happen.   Something...   Wonderful!"







From acceso2 at diatel.upm.es  Tue Feb  6 04:53:15 1996
From: acceso2 at diatel.upm.es (Usuario Acceso2)
Date: Tue, 6 Feb 1996 20:53:15 +0800
Subject: PGP's "only for your eyes"
Message-ID: <260*/S=acceso2/OU=diatel/O=upm/PRMD=iris/ADMD=mensatex/C=es/@MHS>


Hi

Maybe some of you already know about this.

When reading PGP's "Only for your eyes" messages, the program creates a 
temporary file containing the plaintext in the directory where the cyphertext 
file is.

So, don't worry about this option, it's quite useless.

Best

Jaime






From olbon at dynetics.com  Tue Feb  6 06:38:42 1996
From: olbon at dynetics.com (Clay Olbon II)
Date: Tue, 6 Feb 1996 22:38:42 +0800
Subject: Fair Credit Reporting Act and Privacy Act
Message-ID: 



In discussions regarding privacy of personal information, Tim Philp has
advocated a "privacy law" similar to those in Europe.  My response is - why
do we always need a law to protect ourselves?  Nowadays the first solution
always appears to be run to mommy govt and ask for help.  In this case
there is clearly the potential for market based solutions.  The problem now
is that there is almost no market!  If people were truly interested in
privacy, there would be a "privacy credit card" and "privacy health care"
that refused to give out information except upon the approval of the
individual concerned.  Once people become interested in their privacy, I
think these sorts of things will appear.

A place where laws are clearly applicable however is in limiting the amount
and type of info the government can gather.

my 2 cents,

        Clay


---------------------------------------------------------------------------
Clay Olbon II            | olbon at dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger olbon at mgr.dynetics.com
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse; thou
     shalt not ... Doooh" - Homer (Simpson, not the other one)
---------------------------------------------------------------------------







From bplib at wat.hookup.net  Tue Feb  6 06:55:17 1996
From: bplib at wat.hookup.net (Tim Philp)
Date: Tue, 6 Feb 1996 22:55:17 +0800
Subject: Fair Credit Reporting Act and Privacy Act
In-Reply-To: <2.2.32.19960205200507.006fa0ac@panix.com>
Message-ID: 


On Mon, 5 Feb 1996, Duncan Frissell wrote:

> Unfortunately, it would also:
> 
> *  Require government registration of computers and databases containing
> information about people (whether these computers are used by business or
> individuals).  This eases regulation of computers and future confiscation.
> 
I don't believe that this follows at all. All that would be required 
would be a statutory obligation to comply with the legislation. Should a 
breach occur, civil and criminal penalties would apply. No need for prior 
restraint.

> *  Reduce market efficiency by making it harder to match buyers and sellers
> (because neither could easily find out about the other) thus causing higher
> prices and poorer people. 
> 
It would not make it harder for buyers and sellers to get together, it 
would simply increase the risk. It may lead to higher prices, but I am 
prepared to pay something to protect my privacy.

> *  Do nothing to protect personal information from the government which
> would get to collect more of it than ever in the course of enforcing data
> protection laws.
> 
It would be very hard to prevent the government keeping files on you. 
They have requirements such as tax collection etc that would require 
keeping files. What I would like to see is similar protection of my data 
that is stored on government computers. Should my information be released, 
the agency responsible should have to pay compensation. Such is the price 
of not keeping my information secret.

> If you don't want people to know things about you, don't tell them.
> 
I agree that in the absolute sense, this is true. However, it is not 
practical to do so in our modern society. If you are prepared to live 
without credit or health insurance you can do this but the price is too 
high for most people to consider.
Regards,
Tim Philp





From Bill.Humphries at msn.fullfeed.com  Tue Feb  6 06:56:27 1996
From: Bill.Humphries at msn.fullfeed.com (Bill Humphries)
Date: Tue, 6 Feb 1996 22:56:27 +0800
Subject: Hey, we are quaint! (Was: A Sign of the Future)
Message-ID: 


Steve Levy replied to Alex Strasheim over an alleged 'plot' to discredit
cypherpunks at Wired Magazine:

>Give me a break.  I do not work for Wired but I write for them at times,
>and most often my subject is crypto related.

[...]

>On Mon, 5 Feb 1996, Alex Strasheim wrote [citing Gary Wolf 'channeling
>McLuhan']:
>
>> >     Concerns about privacy and anonymity are outdated. Cypherpunks
>> >     think they are rebels with a cause, but they are really senti-
>> >     mentalists.
>>
>> I'm not much for big conspiracy theories, but I like the little ones.



Hey folks, we are quaint Jeffersonians for the most part here. We believe
that reasoned argument should carry the day instead of FUD (fear,
uncertainty and doubt). And that privacy is a good thing. Whereas modern,
marketing driven media (as described by McLuhan) will use FUD and whatever
else it takes to deliver an audience. Ask any of the people who have been
publicly tarred as Nazis for their involvement over the Zundel/Hollow
Earth/webcom business.

Wolf's portrayal of McLuhan is spot on, because media producers who give a
damn about anonymity and privacy aren't going to land the big contracts.
The money to buy bandwidth and servers wants the highest quality data
available so we can be coerced to spend every minute we aren't working,
commuting, sleeping, or fornicating (was f*cking before the CDA) as
'consumers.'

And many people aren't going to think of these issues, not because they are
dumb, but because they are so busy working to provide for their families to
spend any time in the reflective/meditative state required to make
political choices.

I suggest that Cypherpunks add one more slogan to their list:

               "Cypherpunks teach."

Because no one is going to invest in the time and effort to use PGP,
remailers, and blind web proxies unless they understand why they should.
I'm going to invest in the time to show my family and friends why these
technologies are important so when I mention PGP to someone they'll have
something other than the soundbite "only Nazis use strong encryption" to
fall back on.



bill.humphries at msn.fullfeed.com
"The more you know, the more jokes you get" -- Tompkins and Kaufman







From simsong at vineyard.net  Tue Feb  6 07:04:54 1996
From: simsong at vineyard.net (Simson L. Garfinkel)
Date: Tue, 6 Feb 1996 23:04:54 +0800
Subject: How would an FV attack fail? (was: Re: FV's blatant double standards)
Message-ID: 


At 11:37 PM 2/5/96, Roy M. Silvernail wrote:
>
>Could you characterize the failure modes?

Sure thing. Most people on this planet do not read their email through a
TCP/IP stack. They either log onto another program or they use a
proprietary front-end. There are actually many, many different ways that
people send email. That's one of the reasons that FV has been successful
--- you don't need a live TCP/IP connection to the internet to use it.


=============
"Superior technology is no match for superior marketing."
=============
Simson on Tour:

Feb 2 - Feb 5 - Cambridge: Conference on Freely Redistributable Software
Feb 7 - Feb 13 - Baltimore: American Association for the Advancement of
Science.
Feb. 28 - March 1 - Seybold, Boston.
March 23 - NYC. MacFair.
March 27 - March 30: Cambridge. Computers, Freedom and Privacy.







From avatar at mindspring.com  Tue Feb  6 07:33:55 1996
From: avatar at mindspring.com (avatar at mindspring.com)
Date: Tue, 6 Feb 1996 23:33:55 +0800
Subject: Encryption Software
Message-ID: <199602061516.KAA28650@borg.mindspring.com>



Thanks, Derek

        My goof. I reread the manual and it is clear now. Why I didn't catch
it the first go round, I don't know. I guess I'm just blind or stupid. Thanks
again for your help..........By the way, does anyone know of a "good" file
wiping program that I can either download or buy? Preferably, military grade.
Charles Donald Smith Jr.

||The government  is my shepherd I need not work. It alloweth me to lie
 down on a good job. It leadeth me beside stilled factories. It destroyeth
 my initiative. It leadeth me in the path of a parasite for politics sake. YEA,
 though I walk through the valley of laziness and deficit spending I shall
 fear no evil, for the government is with me. It prepareth an economic utopia
 for me by appropriating the earnings of my grandchildren. It filleth my head
 with false security. My inefficiency runneth over. Surely, the government 
should care for me all the days of my life, and I will dwell in a fools paradise
forever.................AMEN!   || nuke'm if ya got'em||






From PADGETT at hobbes.orl.mmc.com  Tue Feb  6 07:37:20 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Tue, 6 Feb 1996 23:37:20 +0800
Subject: Why am I wrong?
Message-ID: <960206100646.2021253f@hobbes.orl.mmc.com>



>I am posting this pondering to cypherpunks in hopes that it will be refuted.

OK you is rong.

>	One of the largest problems in the debate over public access to 
>cryptography is the fact that both sides of the issue hold absolute beliefs.
>They are unwilling to compromise, and often seem unwilling 
>to decide on a solution which is anything but a total win for their side.

This is normal when no parent is around.

>	On one side of the debate we find the law enforcement community. 
>This group is totally opposed to the concept of public access to 
>cryptography. 

No, most in law enforcement at the working level have no opinion one way 
or the other. Many I talk to know what it is but few have ever seen 
any more complicated than Lotto tickets. The prevailing attitude (which
I happen to share so am biased) is that >most< criminals are not very
intelligent else they would not be criminals.

>Although they claim this to be false, the reality is that 
>these people think its ok for anyone to keep a secret, as long as no one 
>is keeping secrets from them.

Secrets rarely enter into law enforcement. Determining what the truth is
in the face of conflicting data is more often the case.

>As Jim Kallstrom, assistant FBI director, put it, "unless 
>you're a criminal, you have nothing to fear from the government." 

At the same time, we have a massive division in this country (do not know 
about others) in which the aim of most citizens is to avoid any contact
with the government if at all possible since invariably the citizen loses
in the exchange.

>The law is often very wrong, and even our lofty constitutional values 
>do not prevent bad laws. When the law is wrong, the law's enforcer is 
>the criminal.

Dangerous attitude to take. The law is never wrong because it is the law.
The fact that a law exists may be wrong but that has nothing to do with the
law itself, it merely is. The law's enforcer would be derelict in his/her
duty if she/he did *not* enforce the law.

(Now sometimes the *enforcement* is over zealous but that is a human matter.

 That is the definition of natural law, 

>People MUST have the right to dissent. 

Is the great strength of the US.

>People must have the right to oppose bad laws

No must, they do.

>and in many cases people must have the capability to violate bad 
>laws with impunity.

Disagree. There may be times when laws are violated with just cause but 
the violator must do so with the expectation of retribution else the law 
is meaningless.

>As Socrates would say, if people know the what is good and what 
>is bad, they will always choose the good, because the good is what is 
>most desirable.

However Pavlov proved that perceptions may be distorted. What is good
today may be evil tomorrow and a lack of stability leads to insanity.

To me "selective enforcement" is a cop-out.

>That is why law enforcement is very restricted in the Constitution. 

Law enforcement is not restricted by the constitution, law *enactment*
is ("Congress shall make no law...").

>The "compromise" the law enforcement community has 
>suggested, key-escrow, is not a compromise at all, because it makes it 
>impossible for people to keep secrets from the government.

No one needs to agree to the compromise. However I believe that good
crypto with key escrow (provided the escrow holder is trusted) is
compelling for a number of reasons, mainly because it provides a means 
to protect information that has no protection today.

Everyone screams about porn on the net. Personally I find the *concept*
of pornography to be an indication of a social problem that no one is willing
to admit to. Crypto provides a means to shield children from the "adult
conspiracy". Haven't seen any mention of that. Crypto will provide the
essential mechanism for Internet Electronic Commerce as MasterCard/Visa
have announced. If I send my 1040 to the IRS on the net, I *want* the gov
to be able to read it.

Public crypto is necessary for the US government to comply with its own
regulations. It will exist. 

Now there are three basic elements that must be understood as a foundation
for discussion. 
a) we are guaranteed free speech
b) there is no requirement that anyone must be able to understand it
c) we have no right to tell anyone not to listen. 

Look at these three items. Anything that denies one or more of these elements
is wrong. May take a while to realize why but will happen.

One corollary: every citizen is responsible for the effect of exercising
his/her right to free speech. You have the right to shout "fire" in a theater
or to threaten the sax man but may be arrested for it. This is not a 
restriction on free speech since each is narrowly defined specification.

"Libel" also carries very specific  specifications that must be met. Does 
anyone here think that a libel suit is a restriction on free speech ?

At the same time nothing compels speech - "You have the right to remain
silent".

Moving right along, the next question would be "could the government
restrict crypto ?" The answer is essentially no since the government
would have to first define what crypto was e.g. prove that Navajo 
was in fact crypto. The compelling problem is that given any random 
string of bits, I could come up with an algorithm/book code/OTP from 
which *anything* could be extracted.

Want a pedophile .GIF to extract from the Gettysburg Address - no problem.
Want to extract the Communist Manifesto from ITAR - hokay. The fact is
that anything could be shown to be an encryption of almost anything else
since good crypto is indistinguishable from random noise. The corollary being
that it would be impossible to prove that something *wasn't* crypto.

In fact it would be possible that given an encrypted message, using one key,
a first message would appear, given another, a second. Which is the real
message ? (see the fifth amendment)

Thus it would seem to me to be (not a lawyer or a politician so what do I know
- we used to have an ordinance near here requiring alligators to be leashed)
very difficult to legislate anything concerning crypto since first crypto
would have to be defined and second it would have to be able to be detected -
a requirement for all text to be in third-grade flat ASCII won't fly.

"A bear's natural habitat is a Studebaker".
						Warmly,
							Padgett
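
Added example (not part of Padgett's post or of the list archive): the one-time-pad argument above, worked in Python. A single ciphertext is opened with two different pads to give two different messages, and a byte-entropy check (an addition that goes slightly beyond the post) shows that the ciphertext and both pads look like noise. The sample messages and all function names are assumptions made for illustration.

```python
"""One-time-pad deniability: a ciphertext 'decrypts' to any text that fits."""
import math
import secrets
from collections import Counter


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole of OTP encryption)."""
    if len(a) != len(b):
        raise ValueError("one-time-pad operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Return (pad, ciphertext) using a fresh random pad as long as the message."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(plaintext, pad)


def pad_for(ciphertext: bytes, claimed: bytes) -> bytes:
    """Derive the pad under which `ciphertext` decrypts to `claimed`.

    A shorter claimed text is space-filled to the ciphertext length; a longer
    one cannot be produced, because the pad must match the ciphertext length.
    """
    if len(claimed) > len(ciphertext):
        raise ValueError("claimed plaintext is longer than the ciphertext")
    return xor_bytes(ciphertext, claimed.ljust(len(ciphertext), b" "))


def entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte histogram (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed sample inputs (hypothetical, not from the original post).
REAL = b"Ship the source listing on Tuesday. " * 60
COVER = b"Four score and seven years ago our fathers brought forth. " * 30


def demo() -> dict:
    """Encrypt REAL, then open the same ciphertext as COVER with a second pad."""
    real_pad, ciphertext = otp_encrypt(REAL)
    cover_pad = pad_for(ciphertext, COVER)
    return {
        "real": xor_bytes(ciphertext, real_pad),
        "cover": xor_bytes(ciphertext, cover_pad),
        "entropy": {
            "plaintext": entropy_bits_per_byte(REAL),
            "ciphertext": entropy_bits_per_byte(ciphertext),
            "real_pad": entropy_bits_per_byte(real_pad),
            "cover_pad": entropy_bits_per_byte(cover_pad),
        },
    }


if __name__ == "__main__":
    result = demo()
    print("pad 1 opens:", result["real"][:36])
    print("pad 2 opens:", result["cover"][:58])
    for name, bits in result["entropy"].items():
        print(f"{name:>10}: {bits:.2f} bits/byte")
```

Both pads are uniformly random to anyone who holds only the ciphertext, so nothing in the data marks one opening as the genuine one.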





From pierre at dragon.achilles.net  Tue Feb  6 07:51:23 1996
From: pierre at dragon.achilles.net (Pierre Bourque)
Date: Tue, 6 Feb 1996 23:51:23 +0800
Subject: FV's blatant double standards
In-Reply-To: 
Message-ID: 



On Tue, 6 Feb 1996, Simson L. Garfinkel wrote:

> =============
> "Superior technology is no match for superior marketing."
> =============

How true !

Pierre Bourque
Mercenary Scribbler
SurfBoard: here
And on the Left Coast: pierre at well.com






From jamesd at echeque.com  Tue Feb  6 08:17:40 1996
From: jamesd at echeque.com (jamesd at echeque.com)
Date: Wed, 7 Feb 1996 00:17:40 +0800
Subject: attila sez
Message-ID: <199602061549.HAA09723@news1.best.com>


At 12:19 PM 2/5/96 -0800, paralax at alpha.c2.org wrote:
>I seek to censor no one.  I prefer to confront racism whenever and wherever
>I see (read) it.  Mr. May embarrassed himself with his denigrating application
>of the word "Jap" to describe the Japanese people after demonstrating a gross
>lack of knowledge and sensitivity about Jews.  

For the terminally clue deprived:  Once again:  Tim's
remarks concerning the holocaust were *irony*, get it *irony*.

And calling japanese japs seems reasonably appropriate when also
calling them mass murdering terrorists.

 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd at echeque.com






From ddt at lsd.com  Tue Feb  6 08:19:23 1996
From: ddt at lsd.com (Dave Del Torto)
Date: Wed, 7 Feb 1996 00:19:23 +0800
Subject: [NOISE] Paranormally Good Privacy
Message-ID: 


[  Sorry, but I couldn't resist these excerpts from The mini-Annals of  ]
[  Improbable Research ("mini-AIR" Issue #1996-02, Feb, 1996)  --dave   ]

................................. cut here .................................

-----------------------------------------------------------
1996-02-05	Paranormal Spoon Incident

In the last issue of mini-AIR, we offered, free of charge, to test any
reader who wished to know if he or she has paranormal powers. Testees were
instructed to sit in a quiet corner and mentally send us their names and
addresses. Alas, we had to terminate the testing program after readers in
England and Israel reported a rash of bent spoons and then mentally lodged
police complaints against us. We are now engaged in extra-cognitively
presenting evidence to demonstrate that, whatever is bent or twisted, it is
not the spoons.


-----------------------------------------------------------
1996-02-06	PGP-Y

Our paranormal testing program has already had one commercial spin-off. Our
engineers have developed a truly foolproof data security protocol. It is
called PGP-Y -- "Pretty Good Parapsychology." The mechanism is simple. You
imagine that you have transmitted data to someone; that person then
imagines that he has received it. Using PGP-Y, any type of information can
be transmitted over the Internet with complete security. The key is that
the data is transmitted high over the net -- so high that the data actually
travels above the net rather than within it. The data is transmitted
telepathically (and for those who distrust electronic funds, we also have a
scheme for transmitting cash and gold plate telekinetically.)

................................. cut here .................................


--

   dave

_______________________________________________________________
"OK, now everybody who believes in Telekinesis, raise my hand."







From attila at primenet.com  Tue Feb  6 08:20:30 1996
From: attila at primenet.com (attila)
Date: Wed, 7 Feb 1996 00:20:30 +0800
Subject: Likely application for high-bandwidth proxies (fwd)
In-Reply-To: <199602060736.CAA10630@opine.cs.umass.edu>
Message-ID: 


On Tue, 6 Feb 1996 lmccarth at cs.umass.edu wrote:

> attila writes:
> > 	come on Lewis...  where's the site  address? 
> 
> Project Genesis  forwarded:
> > > > >http://www.[I don't plan to help them].com 
> 

	just raggin' -what the hell do I need with phony hamburger on the
    screen when I have steak at home?


> I didn't obfuscate the URL; that was done by the person who forwarded the
> message to list-managers (where I saw it). Maybe you can find it with Alta
> Vista. Since they were apparently spamming mailing lists, maybe someone has
> already pulled the plug on them.
>
	plug pulling for spamming --sure; but for the rest, everyone to 
    their own taste (whew, that was bitter....)
 
> -Lewis "Despite all my rage, I am still just a rat in a cage" -Smashing
> P'kins
> 
	they say you have a fixed number of heartbeats in your life time; 
    running in a cage at full heartbeat shortens your life span --but, you'll
    be lean and mean to go!

__________________________________________________________________________
    go not unto usenet for advice, for the inhabitants thereof will say:
      yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__

    To be a ruler of men, you need at least 12 inches....
    There is no safety this side of the grave.  Never was; never will be.







From mianigand at unique.outlook.net  Tue Feb  6 08:22:39 1996
From: mianigand at unique.outlook.net (Michael Peponis)
Date: Wed, 7 Feb 1996 00:22:39 +0800
Subject: re Telecoms Bill
Message-ID: <199602060924.DAA08571@unique.outlook.net>


-----BEGIN PGP SIGNED MESSAGE-----

>Well, if "cypherpunks write code", is there any code we should be
>writing in response to this?

:I'm not familiar with SSL protocols, but something that would anonymize 
:web page access and keep it entirely encrypted (not just credit card or
:forms transactions) would be good.

I think the first problem would be how to hide a site's true location.  For 
example, if I have a domain called xxx.offensivestuff.org, how would I hide the 
site so that while it is freely accessible to those who are looking for it, 
yet not allow a government agency to home in on the geographical locations via 
trace route.

I remember reading a number of articles about floating sites, the only problem 
is with the way Internet routing tables are structured, given that the site 
would constantly spoof different ip's to make it harder to track, or maybe even 
hacking some of the routing tables on the larger gateways, it could cause all 
sorts of problems with traffic.  ie domain xxx.offensivesutt.org has the 
routing information for www.fluffybunnies.com, but if xxx.offensivestuff.com 
moves, then that routing information is invalid. resulting in numerous 
broadbad broadcasts trying to determine the correct route to 
www.fluffybunnies.com.

Additionally, a number of bogus proxy servers could be set up to confuse 
traffic analysis in attempting to determine what the true endpoint of a 
transfer is.

At some point, the data could be encrypted by a proxy server, and sent to the 
final destination.  Thus just like e-mail is reordered by remailers, 
HTTP/FTP/Telnet connections can be shuffled around to foil analysis.

Of course, this approach would result in a slower connection and more packet 
hops.

:Encrypted/truly anonymous ftp would be nice (though some folx would 
:understandably have problems with truly anonymous uploads, and crypto 
:export restrictions in the US could be problematic legally).

Under the aforementioned technique, it would not be problematic technically.

:I think there is already work on encrypted telnet (stel) by the CERT/IT 
:people.

I have seen an SSL telnet client source code on hactic I think.

:On the non-net side of things, implementing encrypted BBS/communications 
:and file-transfers is useful.  I'm told PGP-Phone is supposed to support 
:encrypted communications/file-transfers... so a host-script language that 
:enables a simple BBS would be nice.

I like this idea, but I am not sure how the laws work.  For example if a BBS 
had subscribers sign a voucher stating that they were not agent of a government 
agency, would it hold up? would lying constitute entrapment?

If not, then yes, encrypting the data would provide protection because no one 
would be able to detect what was being passed.  under this approach 
 information gained by wiretapping would not be useful.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMRau2EUffSIjnthhAQHnhgP/SgH4SA6yKRlkgnJ198jw2SBaZ5SqsNRF
YYtyHWeWcGqf30ghoe20Bvfug7oaJrB5jO+fqJ6DiL5Wp2onmWL6MTrReEpt7q1t
8ESRgyO/ndVDBhiQHWxLY1tynVBJxUbCrxvMHyPtpTIRXQtZsFlM6Iw8lndbnUbK
RofiuhFzDlU=
=n9n+
-----END PGP SIGNATURE-----
Regards,
Michael Peponis
PGP Key Available from MIT Key Server, or via finger





From rsalz at osf.org  Tue Feb  6 08:36:56 1996
From: rsalz at osf.org (Rich Salz)
Date: Wed, 7 Feb 1996 00:36:56 +0800
Subject: attila sez
Message-ID: <9602061611.AA03651@sulphur.osf.org>


>of the word "Jap" to describe the Japanese people after demonstrating a gross

You know what is on the sign of Honda dealerships in Paris?
	JapAuto

Go figure.






From jf_avon at citenet.net  Tue Feb  6 09:13:27 1996
From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada)
Date: Wed, 7 Feb 1996 01:13:27 +0800
Subject: [noise] the individual and the tribe
Message-ID: <9602061649.AA14934@cti02.citenet.net>


Rob said:

> ... in the sense that
>tribal societies are individualist.

I absolutely don't agree.  The subordination of the individual to the tribe
is fundamental to their vision of the world.  Individualism is not about the
personal opinions, it is about the vision of Man as an entity in itself, not
a type of cattle that owes his service to the collectivity of the tribe.

Crypto makes the tribe (and its sorcerers) lose their grip... :)

JFA







From tony at secapl.com  Tue Feb  6 10:11:08 1996
From: tony at secapl.com (Tony Iannotti)
Date: Wed, 7 Feb 1996 02:11:08 +0800
Subject: Release of Pronto Secure first Beta
In-Reply-To: <9602061652.AB19328@commtouch.co.il>
Message-ID: 


On Tue, 6 Feb 1996, geoff klein wrote:
 
> We plan to make Pronto Secure available via FTP at the end of this week. 
> Parties interested in joining the beta-test program are invited to send me 
> pgp-signed e-mail requesting download instructions and our public key for 
> authenticating the version. Beta-testers who provide us with feed-back will 

  Here is the public key to decode upcoming signed message::

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzCwv/YAAAEEAMW6NTWHwgwxIbPTBAZjirYPoHNcW0yAb23k+EMLBbG9WIRa
h84U6+Ob0XQYoP6U57JCAVpkWz/OiPfAt7qoFaQgEtugl+XTRqYqxF4zueQpS5Bi
n/3HsGiig+daZDDTwvxvuqbB2K+AV2WzOlOjRQI3HssEHl0OtqPu8jBP0vEJAAUR
tB9Ub255IElhbm5vdHRpIDx0b255QHNlY2FwbC5jb20+
=BICo
-----END PGP PUBLIC KEY BLOCK-----


_________________________________________________________________________
Tony Iannotti                                                Security APL
tony at secapl.com                                         101 Hudson Street
201/332-2020                                        Jersey City, NJ 07302





From stend at grendel.texas.net  Tue Feb  6 10:15:39 1996
From: stend at grendel.texas.net (Sten Drescher)
Date: Wed, 7 Feb 1996 02:15:39 +0800
Subject: [NOISE] Alien factoring breakthroughs
In-Reply-To: 
Message-ID: <199602061654.KAA02165@grendel.texas.net>


Andrew.Spring at ping.be (Andrew Spring) said:

>> The Grays have reneged on their abduction quota agreement, and are
>> abducting many more people than before. Most of these are returned,
>> after being implanted with a device which allows the grays to have
>> total control over their thoughts and actions. Approximately 40% of
>> Americans now carry one of these devices, which are impossible to
>> remove without killing the host.
>> 

AS> The mark of a good conspiracy theory is its untestability.  Your
AS> theory fails here, because you could perform autopsies on those
AS> hosts who have died of natural causes to recover the mind control
AS> devices.

	Yes, but if the Grays systematically abduct all first year med
school students, who is going to perform the autopsies?

AS> Suggest you amend the last sentence to read "...one of these
AS> devices, which dissolve immediately upon death, and which are
AS> impossible to remove..."  etc, etc.

	Alternatively, the mind control devices are nanites,
undetectable by terran technology.  This also circumvents the problem
of detection while the host is alive.

-- 
#include                                /* Sten Drescher */
Unsolicited email advertisements will be proofread for a US$100/page fee.





From jpp at software.net  Tue Feb  6 10:33:46 1996
From: jpp at software.net (John Pettitt)
Date: Wed, 7 Feb 1996 02:33:46 +0800
Subject: FV's blatant double standards
Message-ID: <2.2.32.19960206180750.00caaa14@mail.software.net>


At 06:34 AM 2/6/96 -0500, Nathaniel Borenstein wrote:

>1.  He doesn't explain how he's going to spot the VirtualPIN in the
>outgoing stream.  Given the non-structured nature of the VirtualPIN,
>this alone probably requires more sophistication than our entire attack
>program.
>
>2.  He acknowledges that this approach will miss anyone who isn't buying
>things from the machine that actually composes his mail messages.  What
>he doesn't seem to realize, however, is that this means that any
>automated attack will cause "fraud" to be called as soon as it hits a
>user of AOL, Compuserve, etc.  Jeff's approach would last a bit longer,
>but is also vulnerable to heterogeneous mail environments.  The real
>point is that an automated attack like this one is undermined by email
>heterogeneity, which will cause FV's fraud department to be alerted
>quite quickly & trace things down.  In contrast, the attack we've
>outlined on credit card numbers is simple, single-step, and has no
>obvious "misfiring path" that would lead to quick detection.  It could
>do its dirty work for a long time.  
>
>
You missed my point.

1) hook into the winsock and look for an FV message in the web data stream,
save the ID.

2) now look for an approve/deny/fraud, when you see one you know that the
user uses an IP connection for mail and web.

3) only now does the attack begin.

The attack does not trigger until it *knows* that both FV orders and
confirms are moving via winsock - I.E. it does not report back the FV ID of
the victim until it sees the victim use FV and *knows* it can intercept the
reply.  The key  here is not breaking all cases just a significant number
and not setting off too many alarms.

This significantly lowers the fraud detection risk, now the fraud does not
get noticed until the card statement shows up, the same as with a card
number snooping attack.

Yes it will miss a large group of FV customers who use AOL, CI$ etc
(although a similar hook in the common serial port code on Win95 could catch
most of them).

The basic point is if the machine is not secure then no data on it is either.


John Pettitt, jpp at software.net
VP Engineering, CyberSource Corporation, 415 473 3065
 "Technology is a way of organizing the universe so that man
  doesn't have to experience it." - Max Frisch






From lunaslide at loop.com  Tue Feb  6 10:40:26 1996
From: lunaslide at loop.com (lunaslide at loop.com)
Date: Wed, 7 Feb 1996 02:40:26 +0800
Subject: Why am I wrong?
Message-ID: 


I think there is a middle ground that you may have missed.  Let's see...

The cypherpunk view seems to be that everyone *should* use forms of
encryption for passing packets along on the internet.  It works best when
the majority of people are using, but no one is forced to encrypt their
email.  People still send postcards, right?  No matter what percentage of
users on the net use encryption, there will always be those who will
exercise their right to send open, plain text messages.  It is our right to
choose *to* encrypt that we are fighting for, not a general mandate that
all use crypt.

As for the law's take on this matter, under the constitution, they have no
right to tell us that we cannot use encryption in sending our messages.
They also have no right to tell us that we cannot teach others how to use
it, develop easier ways to implement it so that eventually it will be a
no-brainer to use, say that we are criminals because we opt for our right
to privacy, or ask us to give up that right to privacy because we are using
a new medium.  One issue that may come up is that the law cannot make us
give our passwords so that they may use our keys to open our documents
because it would be self-incrimination, however, they can serve warrants to
search our software and documents.  In their search, they will be able to
try and break our passwords to gain access to the files.  If they cannot,
it is their tough luck.

I don't think that I am stating a position of cypher-anarchy, but
advocating a position of personal privacy guaranteed by the Fourth
Amendment.  I don't think that wide-spread use of cryptography would cause
anarchy.  Would foreign govt. be able to slip stuff by our govt. because
they can use encryption?  Sure, like they aren't already doing that right
now.  The US govt. seems to be saying "Hey, no fair!  I can't see your
stuff anymore.  You can't do that!"  when all along, no one has been able
to see their packets because they are encrypting it.

There are still ways for them to gain access too.  Don't tell me they can't
set up peeping toms to record keystrokes.  Certainly they can do this on
ppl's machines.  It would be more difficult, but that is the whole point.
It should be sufficiently difficult for them to tap so that to tap freely
would be infeasible for them to do, just like steaming open every envelope
that comes through would be infeasible.  They can only go after the real
suspects because it is feasible to do only that.

In essence, what I am saying about the govt. is that they are crying wolf.
They can still be efficient in their duties without wholesale access to all
the data streams.  They want the power to monitor far more traffic than
they could ever get warrants for and they know it.

I likewise invite you to chip at the cracks in my reasoning as it will
improve our arguments in general.  Freedom is power.  God save the Citizen!

Jeff Conn

lunaslide

On the meridian of time there is no injustice, only the poetry of motion
creating the illusion of truth and drama.
                                                Henry Miller








From lunaslide at loop.com  Tue Feb  6 10:45:26 1996
From: lunaslide at loop.com (lunaslide at loop.com)
Date: Wed, 7 Feb 1996 02:45:26 +0800
Subject: Likely application for high-bandwidth proxies (fwd)
Message-ID: 


>It would appear that a potentially very popular application for high-
>bandwidth anonymizing proxies has arrived:
>
>Forwarded message from list-managers-digest:
>> From: Project Genesis 
>> Date: Mon, 05 Feb 1996 02:42:13 -0500
>> Subject: Speaking of spams...
>>
>> Did I mention that Project Genesis is an organization specializing in
>> religious education?  The message below explains why all of our public lists
>> are moderated. I value privacy and have grave doubts about things like the
>> Exon amendment (which may make Internet providers liable), but I also think
>> that we need to ensure that the Internet not become one big red-light
>> district. Spams like this are a step in the wrong direction. It hit several
>> of our religion-oriented lists.
>>
>> Ken

I don't think that you understand one thing.  If we (the users of the
internet) say that X-THING is unacceptable on the internet, we open up the
floodgates for everything else that ppl want to censor.  There are better
ways to keep children from looking at sites and spams like the one you
posted.  Parents.  It's their responsibility to keep their children from
getting into this stuff on the net.  If we allow the govt. to take care of
our issues and do not take responsibility for them ourselves, we deserve to
have a big brother who can take care of us (see what I mean?)  No control
can be given to the govt.  If it comes down to it, we can have a rating
system like the movies and music.

Our lists are moderated, BTW, so that we don't have to wade through a bunch
of irrelevant data while trying to read about the lists/newsgroups topic.
Some of my favorite groups are alt groups, and as much as I hate having to
read about Grubor all the time (please ship him off to a desert isle), the
moderation would limit the scope of the groups and interesting, sometimes
relevant pseudotopics would be gone.  I want the pseudotopics!  That's where
some of the best threads get started!  But moderated groups have their
place too.  Who wants to read a bunch of trolls while trying to read a
science group.  And soc.support groups would not be of much use if flamers
and lusers kept posting disruptive and disturbing articles.  But in all the
cases here, it is we, the users, who decide what stays and what goes.

Peace to all.
Jeff Conn

lunaslide

On the meridian of time there is no injustice, only the poetry of motion
creating the illusion of truth and drama.
                                                Henry Miller








From printing at explicit.com  Tue Feb  6 11:35:18 1996
From: printing at explicit.com (William Knowles)
Date: Wed, 7 Feb 1996 03:35:18 +0800
Subject: OCAF White Paper on porn on the net
Message-ID: 


Hello all,

With the passing of the CDA recently, The first wounding of the rights
of free speech online, The Oklahomans for Children and Families are going 
in for the kill.  A WWW  site has been set up with a HTML version of what 
the autoresponder sends out.

http://www.bway.net/~dfenton/noporn.html

This is a scary document, and was originally written as a prosecution primer
for law enforcement. 
 

-William Knowles


..

//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\ 
  Graphically Explicit                     
  Printing - Advertising - Graphic Design  
  1555 Sherman Avenue - Suite 203          
  Evanston IL., 60201-4421                 
  800.570.0471 - printing at explicit.com
  Accept, Embrace, Adapt, Create     
\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//!\\!//






From arromdee at jyusenkyou.cs.jhu.edu  Tue Feb  6 12:00:16 1996
From: arromdee at jyusenkyou.cs.jhu.edu (Ken Arromdee)
Date: Wed, 7 Feb 1996 04:00:16 +0800
Subject: RC2 protected by copyright?
In-Reply-To: <199602050211.SAA18120@hammerhead.com>
Message-ID: <4f8a81$opp@jyusenkyou.cs.jhu.edu>


>RC2, though, as 256 bytes of seemingly random data at the head of it,
>in a permutation table.  This is clearly not any idea, but a bit of
>text.  This text would have to be copied to any interoperable RC2.
>(You could surely use some different permutation, and probably most
>of the 256! permutations would be equally secure, but would not
>interoperate with RC2).  I would expect that this copying of text be
>held to be a violation of copyright.

What about "merger"?  If there's only one way to write a table to make it
interoperable, could it be ruled that the idea has merged with its expression
and thus be legal to copy?
--
Ken Arromdee (arromdee at jyusenkyou.cs.jhu.edu, karromde at nyx.cs.du.edu;
    http://www.cs.jhu.edu/~arromdee)

"Snow?" "It's sort of like white, lumpy, rain." --Gilligan's Island





From zinc at zifi.genetics.utah.edu  Tue Feb  6 12:57:47 1996
From: zinc at zifi.genetics.utah.edu (zinc)
Date: Wed, 7 Feb 1996 04:57:47 +0800
Subject: The OCAF's White Paper on Internet Pornography
Message-ID: 


-----BEGIN PGP SIGNED MESSAGE-----

cpunks,


regarding this paper;  it's sent out by an autoresponder.  is it illegal 
to make excessive use of the autoresponder?  this would be a type of 
denial of service attack.

i'm wondering if i set up a cron job to request a copy every 5 or 10 
minutes and just send it to /dev/nul, could i get in more trouble than 
say, someone just telling me to cut it out?

opinions?

- -pjf


"Those that give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)
			  finger for PGP key
zifi runs LINUX 1.3.57 -=-=-=WEB=-=-=->  http://zifi.genetics.utah.edu 


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by mkpgp1.6, a Pine/PGP interface.

iQCVAwUBMRe7B03Qo/lG0AH5AQF6KwP/XAQq4yoi0Ytetl6rUnnCJBvbNktRmSEP
3D+ILw4+qn4YDQX96Q6+SoGYD/9zHu59ywFWk42hYCXYNhOpo+GBTF9uGWIb5lD6
/DdzSLDpCKUvggmI395STqoEBuKj5ILSGBzDZGfnw6g6IAcJIRwnwiE/MhLjgKof
2S0mWLFc4aQ=
=+twb
-----END PGP SIGNATURE-----





From jimbell at pacifier.com  Tue Feb  6 13:21:53 1996
From: jimbell at pacifier.com (jim bell)
Date: Wed, 7 Feb 1996 05:21:53 +0800
Subject: [noise] Re: Crippled Notes export encryption
Message-ID: 


At 02:11 PM 2/6/96 +1100, Jiri Baum wrote:

>Forget about Jeff, how about PGP? Put it on a rocket (I'm *sure* there's
>an amateur rocket club conveniently located near the border), and off
>you go! (I guess you'd want to check @ 126.1 first, though).
>
>Have I missed anything?


Another question is this:  Would the point-to-point (USA to USA) 
transmission of PGP by radio (say, a satellite telephone bounce) that is 
"inadvertently" intercepted external to the US qualify as a violation of 
ITAR?  It would be hard for the NSA to criticize this, as this is their main 
operations area.  Besides, if anybody was prosecuted, they'd presumably be 
able to subpoena the NSA about their monitoring operations, to determine if 
the NSA was violating any OTHER country's anti-export laws, etc.






From geoff at commtouch.co.il  Tue Feb  6 13:23:34 1996
From: geoff at commtouch.co.il (geoff klein)
Date: Wed, 7 Feb 1996 05:23:34 +0800
Subject: Release of Pronto Secure first Beta
Message-ID: <9602061652.AB19328@commtouch.co.il>





From PADGETT at hobbes.orl.mmc.com  Tue Feb  6 13:52:26 1996
From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson, P.E. Information Security)
Date: Wed, 7 Feb 1996 05:52:26 +0800
Subject: Why am I wrong?
Message-ID: <960206160510.20215305@hobbes.orl.mmc.com>


>I don't think that I am stating a position of cypher-anarchy, but
>advocating a position of personal privacy guaranteed by the Fourth
>Amendment. 

Don't forget the other side of the conversation. While the government 
cannot (notice I did not say they might not try) effectively control
communication, there are other points at which control may be exerted:

1) communications *with* the government (IRS, Social Security, etc).
2) communications using someone else's equipment/network (university,
   employer, etc)
3) communications with anyone (Internet merchant, etc) who says "this
   is not what  approves..."

Each of these may have compelling reasons for complying with what the
government wants even if it is not law. IMNSHO "law" is just a means
for exacting retribution/revenge - if you have to resort to it, you
have already lost.
						Warmly,
							Padgett

					





From decius at montag33.residence.gatech.edu  Tue Feb  6 13:59:52 1996
From: decius at montag33.residence.gatech.edu (Decius)
Date: Wed, 7 Feb 1996 05:59:52 +0800
Subject: Why am I wrong?
In-Reply-To: <960206100646.2021253f@hobbes.orl.mmc.com>
Message-ID: <199602062107.QAA30185@montag33.residence.gatech.edu>


> OK you is wrong.
:)
> No, most in law enforcement at the working level have no opinion one way 
> or the other. Many I talk to know what it is but few have ever seen 
I should have been more specific, I was thinking about Louis Freeh, et al...
> 
> >The law is often very wrong, and even our lofty constitutional values 
> >do not prevent bad laws. When the law is wrong, the law's enforcer is 
> >the criminal.
> 
> Dangerous attitude to take. The law is never wrong because it is the law.
> The fact that a law exists may be wrong but that has nothing to do with the
> law itself, it merely is. The law's enforcer would be derelict in his/her
> duty if she/he did *not* enforce the law.
> That is the definition of natural law, 
I don't agree. The theory of natural law is basically that when people 
come together to form a society and create a government, they enter into
a social contract. If a member of the society breaks the contract (by, 
say, blowing someone's brains out) that member has breached the contract and
can be punished by the government. Similarly, when the government breaks 
the contract (by say, killing off an ethnic minority, or maybe banning 
indecent speech) the government has breached the contract and the 
government may be destroyed. To say that the law is always right because it
is the law, is to defend ethnic cleansing, book burning, detention camps, 
taxation without representation, slavery, and all the other evils 
governments have done, while condemning those who would free slaves or 
fight in revolutionary wars. Making something a LAW does not make it 
right. 
> Is the great strength of the US.
Agreed. Though we must fight to preserve it. 
> >That is why law enforcement is very restricted in the Constitution. 
> Law enforcement is not restricted by the constitution, law *enactment*
> is ("Congress shall make no law...").
Read the fourth amendment. :)
> 
> "Libel" also carries very specific  specifications that must be met. Does 
> anyone here think that a libel suit is a restriction on free speech ?
Most legal limitations (outside of indecency/obscenity) on speech are 
concerned not with the speech itself, but when speech becomes an action.
Yelling fire in a crowded theater is NOT A CRIME. Inciting a riot in 
which hundreds are killed, just for the hell of it, is a crime. 
(Just clarifying)
> 
> Thus it would seem to me to be (not a lawyer or a politician so what do I know
> - we used to have an ordinance near here requiring alligators to be leashed)
> very difficult to legislate anything concerning crypto since first crypto
> would have to be defined and second it would have to be able to be detected -
> a requirement for all text to be in third-grade flat ASCII won't fly.
A good point, but I don't know if those who want to ban crypto will think 
about it that way. They will assume that it will be obvious who is using 
crypto and who is not. They will leave it to the courts to determine 
what is crypto and what is not. Obviously they are wrong, but that's not 
gunna stop them from enacting laws. Of course, as another person 
responding to my post pointed out, *good* stenography cannot be 
identified, so laws are not gunna stop people from encrypting, it will 
just make it kinda difficult to get away with. 


-- 
        */^\*  Tom Cross AKA Decius 615 AKA The White Ninja  */^\* 
                    Decius at montag33.residence.gatech.edu







From daw at dawn7.CS.Berkeley.EDU  Tue Feb  6 14:05:09 1996
From: daw at dawn7.CS.Berkeley.EDU (David A Wagner)
Date: Wed, 7 Feb 1996 06:05:09 +0800
Subject: RC2--Some very preliminary analysis
Message-ID: <199602060250.VAA11055@bb.hks.net>


-----BEGIN PGP SIGNED MESSAGE-----

In article <01I0SDBW5VYY984JFR at delphi.com>,   wrote:
[ ... 1/4 of a cycle of RC2: ... ]
> A = rotl(A + f(B,C,D) + sk[i], 1);
     [...]
> Has anyone looked at this cipher with regard to linear attacks?

A little bit.

>           However, it's not clear to me how to build linear
> characteristics that will make it through more than a few rounds of
> alleged-RC2.  Linear characteristics that are spread across many
> subblocks (i.e., partly in A and partly in B) seem to get messed up
> quickly by the rotations.

Hrmm, I'm not convinced that it's so hard to build a linear characteristic;
there are plenty of 1/4-cycle characteristics that don't spread out very
much.  The problem is that I can't find any approximations with high enough
bias to be useful.

So here's some information on the (useless) linear characteristics I've been
thinking about; maybe this will prompt some clever improvement from someone
else.  They're all based on two observations: first, the addition operation
	Y = A + X
has linear characteristics of the form
	Y[i] = A[i] + X[i,i-1]		bias 1/2
	Y[i] = A[i,i-1] + X[i]		bias 1/2
and second, the bit-multiplexing function
	X = f(B,C,D)
has linear characteristics of the form
	X[i] = B[i]			bias 1/2
	X[i] = C[i]			bias 1/2
	X[i] = B[i] + D[i]		bias 1/2
	X[i] = C[i] + D[i] + 1		bias 1/2
	etc.
(A note on notation: X[i] denotes the i-th bit of X, and
X[i,j,k] = X[i] + X[j] + X[k].  If an approximation holds with probability
p, then I say it has bias b = 2 |p - 1/2|; note that adding two approximations
multiplies their biases, and that one needs about 1/b^2 known plaintexts
to take advantage of a linear characteristic for the whole cipher.  Next,
let K denote the 1/4-cycle subkey, and let A' denote the new value of A
after the 1/4-cycle is applied to it.  Also, + denotes xor in approximations.
By 1/4-cycle, I mean something of the form A = rotl(A + f(B,C,D) + K, 1);
so RC2 has 16 full cycles, and each full cycle has 4 1/4-cycles.)

Now given those building blocks for linear characteristics, you can combine
them to get various linear characteristics for 1/4 of a cycle, like this:
	A'[i+1] = A[i,i-1] + B[i] + K[i,i-1]	bias 1/8
	A'[i+1] = A[i] + B[i,i-1] + K[i,i-1]	bias 1/8
	A'[i+1,i] = A[i,i-2] + B[i,i-1] + K[i,i-2]	bias 1/64
	A'[i+1,i] = A[i,i-1] + B[i,i-2] + K[i,i-2]	bias 1/64
	A'[i+1] = A[i,i-1] + C[i] + K[i,i-1]	bias 1/8
	A'[i+1] = A[i] + C[i,i-1] + K[i,i-1]	bias 1/8
	etc.
These don't spread out too well; I haven't completely worked out how to
do many-cycle linear approximations, but I think they shouldn't be too hard
to find.  (For instance, keep only A and C active, or somesuch.)

The real stumbling block is the lack of high-bias linear approximations for
a 1/4-cycle, not the difficulty of combining them, IMHO.  For instance, if
you supposed that there was just one 1/8-bias linear approximation active
in each full cycle, we get a total bias over 16 cycles of 2^{-48}, which
would imply something like 2^{96} known plaintexts for a linear attack.
This is an overly optimistic estimate, since any full 16-cycle linear
characteristic which I can imagine will probably require more than one
linear approximation per cycle.  (It also ignores the non-iterative rounds;
but I think they'll be easy to deal with if you can handle everything else.)

What makes the 1/4-cycle linear approximations have such a low bias is RC2's
extensive use of addition mod 2^32 instead of bitwise xor.

So anyhow, the final word is that I don't see how to do linear cryptanalysis
of RC2, but maybe someone else will have some insights.

P.S. There is an analogue of differential cryptanalysis where we consider the
difference measure as addition mod 2^32 instead of bitwise xor.  Is there
a similar generalization of linear cryptanalysis?  I don't know any, offhand.
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMRbB/CoZzwIn1bdtAQEKEAGAujcKp6aM4OV9AoveQaFQdEpQi/hQTSK/
YoMEkSKYtt+aq0Usv5nMHB7ikEflmGak
=TYbl
-----END PGP SIGNATURE-----
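
An added example, not part of the original message: the building-block approximations above checked by exhaustive enumeration on a toy 4-bit word, with the piling-up product alongside an exact count of the first 1/4-cycle characteristic for a fixed subkey. The word width, the multiplexer labelling f(B,C,D) = (B & D) | (C & ~D) and all function names are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import product
from math import prod

W = 4                        # toy word width (assumption): small enough to enumerate
MASK = (1 << W) - 1

def bit(x, *idx):
    """XOR of the selected bits of x: the post's X[i,j,k] notation."""
    r = 0
    for i in idx:
        r ^= (x >> i) & 1
    return r

def f(b, c, d):
    """Bitwise multiplexer, D choosing B or C (labelling is an assumption)."""
    return (b & d) | (c & ~d & MASK)

def bias(holds, nwords):
    """Exact bias 2*|p - 1/2| of `holds` over every tuple of W-bit words."""
    hits = sum(1 for ws in product(range(1 << W), repeat=nwords) if holds(*ws))
    return abs(2 * Fraction(hits, 1 << (W * nwords)) - 1)

def add_bias(i):
    """Y = A + X:  Y[i] = A[i] + X[i,i-1]."""
    return bias(lambda a, x: bit((a + x) & MASK, i) == bit(a, i) ^ bit(x, i, i - 1), 2)

def mux_biases(i):
    """The four listed approximations of X = f(B,C,D) at bit i."""
    rhs = [lambda b, c, d: bit(b, i), lambda b, c, d: bit(c, i),
           lambda b, c, d: bit(b, i) ^ bit(d, i),
           lambda b, c, d: bit(c, i) ^ bit(d, i) ^ 1]
    return [bias(lambda b, c, d, g=g: bit(f(b, c, d), i) == g(b, c, d), 3) for g in rhs]

def quarter_cycle_bias(i, k):
    """A'[i+1] = A[i,i-1] + B[i] + K[i,i-1], measured for one fixed subkey k."""
    def holds(a, b, c, d):
        s = (a + f(b, c, d) + k) & MASK
        new_a = ((s << 1) | (s >> (W - 1))) & MASK        # rotl by 1
        return bit(new_a, i + 1) == bit(a, i, i - 1) ^ bit(b, i) ^ bit(k, i, i - 1)
    return bias(holds, 4)

def piling_up(biases):
    """Bias of a sum of approximations, assuming they are independent."""
    return prod(biases, start=Fraction(1))

def known_plaintexts(b):
    """The post's rule of thumb: about 1/b^2 known plaintexts."""
    return 1 / b ** 2
```

quarter_cycle_bias counts agreement with the subkey held fixed, so its result is a measurement and need not equal the piling_up product, which assumes the component approximations are independent.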





From decius at montag33.residence.gatech.edu  Tue Feb  6 14:06:36 1996
From: decius at montag33.residence.gatech.edu (Decius)
Date: Wed, 7 Feb 1996 06:06:36 +0800
Subject: Why am I wrong?
Message-ID: <199602060254.VAA26091@montag33.residence.gatech.edu>


I am posting this pondering to cypherpunks in hopes that it will be refuted.
Although these ideas are obviously in opposition to those held by 
Denning and the law enforcement community, they are also in opposition to
those held by the Cypherpunks. This idea is bothering me because I cannot 
refute it, although it goes in opposition to many people whom I respect 
greatly. Please tell me why I am wrong about this. (Sorry for the US-centric
perspective, but I think the arguments here apply regardless of what your
system of government may be.)

         	            Crypto-Absolutism
			decius at ninja.techwood.org

	One of the largest problems in the debate over public access to 
cryptography is the fact that both sides of the issue hold absolute beliefs.
They are unwilling to compromise, and often seem unwilling 
to decide on a solution which is anything but a total win for their side.
Many of those who are opposed to cryptography have proposed 
what they claim is a compromise, when in reality these suggestions often 
change the issues instead of addressing them. However, in all conflicts 
there is a middle ground. The answer to the whole crypto debate may be 
in finding it. Nothing ever works in absolutes.
	On one side of the debate we find the law enforcement community. 
This group is totally opposed to the concept of public access to 
cryptography. Although they claim this to be false, the reality is that 
these people think it's ok for anyone to keep a secret, as long as no one 
is keeping secrets from them. This belief is founded upon the principle  
that the law is absolute. They believe that the law is always right and 
always good. As Jim Kallstrom, assistant FBI director, put it, "unless 
you're a criminal, you have nothing to fear from the government." 
However, history has proven this philosophy to be totally flawed, time 
after time after time. The law is often very wrong, and even our lofty
constitutional values do not prevent bad laws. When the law is wrong, the 
law's enforcer is the criminal. That is the definition of natural law, 
the philosophy upon which our system of government is based. People MUST 
have the right to dissent. People must have the right to oppose bad 
laws, and in many cases people must have the capability to violate bad 
laws with impunity. It is necessary for the survival and health of our 
society. If people's right to dissent is taken away and bad laws are 
passed, we move immediately into war. Peace is the definition of a 
healthy society. Furthermore, it cannot be assumed that if people can 
commit crimes with impunity that they will. If murder became 
legal, I do not think you would see much of an increase in the murder 
rate. As Socrates would say, if people know what is good and what 
is bad, they will always choose the good, because the good is what is 
most desirable. That is why law enforcement is very restricted in 
the Constitution. The "compromise" the law enforcement community has 
suggested, key-escrow, is not a compromise at all, because it makes it 
impossible for people to keep secrets from the government. It removes
the people's right to dissent, presumably the very right cryptography 
allows us to protect. The law enforcement community is wrong.
	On the other hand, we have the crypto-anarchists. They believe 
that the existence of anonymous transactions will naturally lend itself 
to a situation where everyone is anonymous, no transaction can be 
tracked, no communications can be monitored, and basically, no 
government can possibly control the transactions and interactions of its 
citizens. They support the broad use of military grade cryptography and 
anonymity. Let no message be crackable or traceable. This, also, is an 
absolute belief and it is also flawed. We have governments for a 
reason, we came together and founded societies for protection, and if 
we tore apart our current social structure and created an anarchy, 
people would immediately form small societies for their own fiscal 
protection. Creating an anarchy is a massive step backward in social 
development, not a step forward. Furthermore, PEOPLE WANT TO BE 
ACCOUNTABLE FOR THEIR ACTIONS. No totally anonymous society will 
ever exist in the re